
R82.20 is a major leap forward in security, networking, performance, and operational
efficiency across Threat Prevention, Security Gateways, VPN, Hybrid Mesh, and Security
Management (Smart-1). This release brings broad IPv6 readiness, deep SASE integration,
improved clustering and routing scalability, and enhanced management capabilities, making it
one of the most substantial upgrades in recent versions.
FedRAMP-authorized mode
New optional FedRAMP mode for Security Gateways directs cloud-dependent security
blades to use FedRAMP-hosted and authorized services.
Higher Availability, Predictability & Resilience
R82.20 significantly improves system resilience and traffic continuity:
- Critical State Detection proactively identifies memory, CPU, disk, and congestion
issues.
- ElasticXL gains MACsec-encrypted synchronization and per-VS clustering logic,
ensuring multitenant environments remain stable and isolated.
- VSX hardware acceleration now supports high-speed 40/100GbE and
10/250GbE cards for line-rate throughput.
A More Secure & Modern Infrastructure
R82.20 delivers full-stack IPv6 expansion across Threat Prevention, ThreatCloud AI, DNS
security, VPN, Identity Awareness, VoIP, Dynamic Routing, and Gateway management.
This enables confident operations in modern dual-stack or IPv6-only networks without
compromising visibility, threat prevention, or operational control.
Security engines receive strong upgrades:
- DNS Trap and SNORT 3.x now support IPv6 and modern rule syntax for enhanced
threat detection.
- Cisco SGT enforcement adds granular zero-trust network segmentation.
Faster, More Scalable Networking
R82.20 introduces the largest routing and VPN upgrade set to date for higher application
performance and resilience, and operational simplicity:
Enrollment | Production EA
Early Availability Production Programs let you experience and participate in shaping Check Point products by test driving pre-release versions and providing detailed feedback.
Following the enrollment survey submission, we will contact you in order to review the details, answer questions and agree on the process.
For more information about EA programs, visit our new SK: Check Point Early Availability (EA) Programs - [sk183058]
This page provides comprehensive information about Check Point ‘Ongoing’ and ‘Upcoming’ EA programs, as well as the onboarding and support process.
Additional questions? Contact us at DL-Early_Availability@checkpoint.com
Threat Prevention
Threat Prevention Blades
- SNORT 3.x rules syntax is now supported in IoC feeds. This increases coverage of
supported SNORT rules and enables compatibility with the latest threat detection content.
- DNS Trap now supports IPv6 connections, enabling DNS-based threat prevention
capabilities in IPv6 environments.
HTTPS Inspection
- New TLS Inspection Block Page – When HTTPS Inspection blocks a TLS connection
because of server certificate issues (revoked, expired, or untrusted), a notification page explaining the reason for the block is now displayed.
Security Gateway
Identity Awareness
- Security Gateways now support Cisco SGT (TrustSec) tagged traffic for pass-through
and identity enforcement. Access Role objects can now match a specific Cisco SGT for access control directly from the network traffic.
Security Gateway Enhancements
- Introducing FedRAMP mode for Security Gateways. This new mode directs cloud-dependent services to use FedRAMP-hosted and authorized services. The supported
services are: URL Filtering, Application Control, Anti-Bot, Anti-Virus, Zero Phishing, and Threat Emulation. Note: Threat Extraction and IPS do not rely on cloud services and are therefore compliant by default.
Security Gateway Operations
- Maestro, ElasticXL, and ClusterXL clustering health status have been refined to include
critical states such as high memory, low disk space, or packet drops because of congestion. This will trigger an alert that is visible in SmartConsole, CPView, and AIOps.
Gaia OS
- Gaia OS introduces Unified Configuration, expanding and streamlining advanced
configuration management across the platform and related products, and deprecating the use of Expert mode. Advanced system and feature configurations, including kernel parameters and cross-feature settings, are now managed using the Gaia Portal, Gaia Clish, or the Gaia REST API, providing consistent access. A new System Configuration tab in the Gaia Portal delivers a simplified, efficient experience for managing commonly used settings across multiple features. All configuration changes are processed through a unified API framework, ensuring configuration persistence across reboots and upgrades, with full auditability and traceability.
- Quantum Force 3900 Appliances now include integrated switching capabilities. LAN
ports can be segmented for switching groups, improving performance for traffic within the same segment while maintaining full firewall inspection for traffic across segments or to external networks.
Dynamic Routing
OSPFv3 enhancement:
- OSPFv3 authentication using ESP, providing secure routing exchanges and protection
against unauthorized route injection.
BGP enhancements:
- BGP support over multiple Virtual Tunnel Interfaces (VTIs) with the same local address,
enabling flexible routing across multiple tunnels.
- AS-path prepend on import, allowing control of inbound traffic by influencing path selection.
- BGP peer groups with auto-discovery, simplifying configuration for large-scale BGP deployments.
General routing enhancements:
- Wildcard mask support for more flexible route matching and filtering.
- IGMP and MLD blocked groups, preventing joins to restricted multicast groups and improving multicast security.
- Route-map configuration via WebUI, improving usability and simplifying the configuration of the route maps feature.
- Monitoring of NAT Pools.
- Monitoring of IPv4 static multicast routes (static mroutes).
Cluster and Scalability
- ElasticXL synchronization traffic is now encrypted using L2 (MACsec) encryption. This
protects all traffic between ElasticXL Cluster Members.
- In VSNext mode, each Virtual Gateway now has an independent clustering state. A
"Down" cluster state on a specific Virtual Gateway does not affect the entire cluster member state, so other Virtual Gateways on the affected member will remain "Active" on that cluster member and will not fail over.
VPN
- Remote Access VPN now offers enhanced policy management through the new Remote
Access VPN Community. This enables differentiated access policies for various user groups, streamlined configuration, and a more intuitive management experience for large and complex organizations.
- Carrier Grade NAT (CG-NAT) with auto-discovery VPN now enables direct VPN tunnels
between gateways behind CG-NAT, using broker-assisted discovery to create tunnels with dynamic IP addresses.
- Introducing SmartConsole single-click IPSec tunnel setup between Security Gateway
and Check Point SASE. The setup provides best practices for both full mesh and hub-and-spoke (star) topologies and supports policy-based and route-based modes.
IPv6 Enhancements
Security Gateway
- Suspicious Activity Monitoring (SAM) has been redesigned and integrated with the Gaia
API, enabling dynamic, API-driven configuration similar to Dynamic Policy Layers. This enhancement includes full IPv6 support alongside the existing SAM commands.
- You can now configure the Security Gateway management interface for IPv4, dual-stack
(both IPv4 and IPv6), or single-stack IPv6-only operation during pre-installation or in the First Time Wizard, supporting single-stack IPv6 deployments from initial setup.
- Added support for IPv6 Dead Peer Detection (DPD)-based Tunnel Monitoring for Permanent Tunnels and IPv6 DPD-based Multiple Entry Point (MEP) topology. These
enhancements enable reliable VPN resilience and liveness checks over IPv6, including mixed IPv4/IPv6 tunnels in redundant and multi-entry point deployments.
- Identity enforcement (in Identity Awareness) IPv6 support using Identity Agent was
extended with support for multiple address types, including link-local, Global Unicast Address (GUA), and Unique Local Address (ULA). It also fully supports Privacy Extension (RFC 8981), ensuring consistent identity-based policies even as IPv6 addresses change dynamically.
- Added support for Route-based VPN over IPv6. This enables dynamic routing protocols
and VTI-based VPN tunnels in IPv6 environments for improved flexibility and compatibility.
Dynamic Routing
- Equal-Cost Multi-Path (ECMP) for static and dynamic routing protocols
- Policy-Based Routing (PBR) now supports IPv6. This enables administrators to define
custom routing decisions for IPv6 traffic based on source, destination, or other packet attributes.
- Static multicast routes (static mroutes)
- Multicast Listener Discovery (MLD) group limit, protecting against DoS attacks by preventing excessive group joins
- MLDv1 SSM mapping, bridging legacy MLDv1 hosts to Source-Specific Multicast (SSM)
- IPv6 PIM Embedded RP, eliminating the need for external RP-mapping mechanisms and
simplifying IPv6 PIM-SM multicast deployment
VoIP
- Added support for SIP traffic over IPv6.
Traditional VSX
- Traditional VSX, GRE, and IPSec can now be hardware-accelerated when using
40/100GbE and 10/250GbE cards, supporting line-rate throughput and low latency.
Tools
- Improved performance of the FW Monitor troubleshooting utility on Quantum Force 19100, 19200, 29100, and 29200 Appliances. The new flag provides exclusion filtering capabilities, such as an exclusion expression.
Hybrid Mesh Network
Management and Smart-1 Cloud
- Introducing Unified Management of Internet Access policies for Security Gateways and Check Point SASE environments. You can now manage SASE Internet Access directly from SmartConsole, providing a single point of policy management across your hybrid
infrastructure.
Smart-1
Upgrade
- Introducing a new background upgrade capability designed to significantly minimize downtime to a few minutes during Management Server upgrades. The "Prepare Upgrade" phase runs seamlessly in the background, allowing administrators to continue
working in SmartConsole, Web SmartConsole, or API without disruption. The "Complete Upgrade" phase then finalizes the changes, significantly reducing downtime compared to traditional upgrade methods.
Logging and Monitoring
- In this release, Log Exporter can be configured to export only the first and/or the latest update per event or connection. This enables more efficient log processing by external
SIEM (Security Information and Event Management) tools.
- Log Exporter can now be configured via the Management API. This enables you to automate Log Exporter deployment and configuration within your infrastructure-as-code workflows.
- Log Exporter can now be configured to send logs directly to AWS S3 buckets. This
enables seamless integration with your existing cloud storage and log analytics workflows.