R82 EA Program | Production

Naor_Nassi (Employee)


Introducing Check Point Software Technologies' groundbreaking release, R82. This cutting-edge software marks a pivotal moment in cybersecurity with many innovative features. R82 ushers in a new era of web security, offering complete protection for HTTP/3 over QUIC, setting an industry precedent. Moreover, it presents the world's first firewall tailored for effortless HTTPS Inspection deployment while maintaining exceptional performance. Not stopping there, R82 delivers an enhanced operational experience with simplified cluster deployment through ElasticXL and a versatile new VSX mode. The software, in addition, boasts a new version of the operating system with superior networking and routing capabilities. Additionally, R82 takes automation to new heights, allowing full dynamic policy layer configuration through API calls directly to the Security Gateway.


Stay ahead of the curve with R82 and experience the future of cybersecurity management and protection.


Enrollment | Production EA

Early Availability Production Programs let you experience and participate in shaping Check Point products by test driving pre-release versions and providing detailed feedback.

Following the enrollment survey submission, we will contact you in order to review the details, answer questions and agree on the process.


Additional questions? Contact us at EA_SUPPORT@checkpoint.com


Quantum Security Gateway and Gaia

Web Security

  • Added support of HTTP/3 protocol over QUIC transport (UDP) for Network Security, Threat Prevention and Sandboxing.

HTTPS Inspection

This release brings a significant milestone in performance, simplicity, and deployment of HTTPS Inspection. These capabilities allow customers to implement HTTPS Inspection without compromising performance and user experience.

  • Full Fail-open mode - A new capability that automatically detects a failure in the HTTPS Inspection process because of client-side issues such as pinned certificates. When detected, the connection is automatically added to an exception list, ensuring zero connectivity issues for end-users.

  • Deployment assessment - Allows customers to gradually deploy HTTPS to a portion of the traffic (up to 30%), predicts the performance, and automatically detects and resolves connectivity issues.
  • Bypass under load - Optionally bypass HTTPS Inspection in case of high CPU load.
  • HTTPS Inspection monitoring - Inspection status overview and detailed advanced HTTPS Inspection statistics.
  • Enhanced HTTPS Inspection policy - An improved HTTPS policy with a default recommended inspection policy, separate inbound and outbound rules, and multiple outbound certificate support.

Automatic Zero Phishing Configuration

  • Introducing a new addition to the Zero Phishing Software Blade - the Automatic mode. The Automatic mode significantly simplifies the configuration process, providing a seamless experience. With the Automatic mode, the blade configuration is now effortless: simply enable the Software Blade, and you are ready to go.

Improved Threat Prevention Capabilities

  • Added configuration granularity for advanced DNS protections in Threat Prevention.
  • Added Advanced DNS protection against NXNS Attack.
  • Added support for DNS over HTTPS Inspection.
  • New Zero-Day prevention engine integrated into the Anti-Bot Blade. This engine detects and blocks advanced malware Zero-Day variants by automatically analyzing and identifying communication patterns.
  • Added Advanced DNS capability to block DNS queries to newly created domains.
  • DNS Security statistics are now available in the SmartView Dashboard.
  • It is now possible to load SNORT rules file as Custom Intelligence Feed automatically with 5-minute intervals to enforce them as IPS protections.
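As an added illustration of the newly-created-domain protection listed above (this is example code written for this page, not Check Point's implementation), the following Python script models the same idea as a log-side detection: each queried name is reduced to its registrable domain, looked up in a domain-age table, and flagged when the domain is younger than a threshold. The query log lines, the registration dates and the public-suffix set are all constructed for the example; a real deployment would use a registration-date source and the full Public Suffix List.

```python
"""Detection-side model of 'block DNS queries to newly created domains'.

Added example for this page, not Check Point code. Every data set below
(public-suffix set, registration dates, query log) is constructed.
"""
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed: suffixes treated as non-registrable. A real deployment would
# load the full Public Suffix List instead of this short set.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed registration dates, keyed by registrable domain (eTLD+1).
REGISTRATION_DATES: Dict[str, date] = {
    "example.com": date(1995, 8, 14),
    "fresh-login-portal.net": date(2024, 1, 29),
    "cdn-update.co.uk": date(2024, 2, 3),
}

# Constructed DNS query log: "<ISO timestamp> <client IP> <query name> <type>"
SAMPLE_LOG = """\
2024-02-05T09:12:01 10.1.1.20 www.example.com A
2024-02-05T09:12:07 10.1.1.20 fresh-login-portal.net A
2024-02-05T09:12:09 10.1.1.31 assets.cdn-update.co.uk. AAAA
2024-02-05T09:12:15 10.1.1.31 unknown-host.org A
"""


def registrable_domain(qname: str) -> str:
    """Reduce a query name to its registrable domain.

    Strips a trailing dot, lower-cases, and matches the longest public
    suffix first so that multi-label suffixes such as "co.uk" work.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            # labels[i-1] is the registrable label; a bare suffix has none
            return suffix if i == 0 else ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels
    return ".".join(labels[-2:])


def domain_age_days(domain: str, observed: date) -> Optional[int]:
    """Age of the domain on the observation date, or None if unknown."""
    registered = REGISTRATION_DATES.get(domain)
    if registered is None:
        return None
    return (observed - registered).days


def classify_query(line: str, max_age_days: int = 30) -> Dict[str, object]:
    """Return allow/block/unknown for one log line.

    'unknown' is kept distinct from the other two so that a gap in the
    registration data stays visible instead of silently becoming a block
    or an allow.
    """
    timestamp, client, qname, qtype = line.split()
    observed = datetime.fromisoformat(timestamp).date()
    domain = registrable_domain(qname)
    age = domain_age_days(domain, observed)
    if age is None:
        verdict = "unknown"
    elif age <= max_age_days:
        verdict = "block"
    else:
        verdict = "allow"
    return {"client": client, "qname": qname, "qtype": qtype,
            "domain": domain, "age_days": age, "verdict": verdict}


def scan_log(log: str, max_age_days: int = 30) -> List[Dict[str, object]]:
    """Classify every non-empty line of a query log."""
    return [classify_query(line, max_age_days)
            for line in log.splitlines() if line.strip()]


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(f"{r['verdict']:<7} {r['client']:<10} {r['qname']} "
              f"(domain={r['domain']}, age_days={r['age_days']})")
```

The age threshold is a parameter because "newly created" is a policy decision: a short window catches phishing domains registered days before a campaign, while a longer one also catches legitimate new services and so raises false positives. Keeping the verdict for unknown domains separate from block and allow makes the coverage of the registration-date source auditable.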

New Clustering Technology

  • ElasticXL - a new clustering technology delivering simplified operations with a Single Management Object and automatic sync of configuration and software between all cluster members.

Dynamic Policy Layer

  • Fully automated, API-controlled policy layer that allows dynamic policy changes to be implemented directly to the Security Gateway in seconds without involving Security Management.

Unified Configuration

  • Kernel parameters configuration is now performed in a centralized database with Gaia Clish commands and Gaia REST API calls instead of the fwkern.conf and simkern.conf files. See:
    • The Local Gaia API Reference at "https://<IP Address of Gaia Management Interface>/gaia_docs/#introduction" > section "Global Parameters".

Identity Awareness

  • Quantum Gateways can now use Identity Providers defined in the Check Point Infinity Portal, allowing customers to centrally manage identities across multiple Check Point products.
  • Introducing a new mode for Identity Awareness Blade - "PDP-Only", where the Security Gateway acts only as Policy Decision Point (PDP) for identity acquisition and distribution and does not enforce the identity-based policy. The new mode improves scalability for PDPs and Identity Broker. To enable the "PDP-Only" mode, see sk181605.
  • Introduced Identity Sharing cache mode to improve resiliency in case of connectivity loss with the PDP.

IPsec VPN

  • Automatically detect configuration changes in AWS, Azure, and GCP public clouds and adjust the VPN settings ensuring connection stability.
  • Introducing the Advanced VPN Monitoring tool that shows information on each VPN Tunnel and tracks its health and performance.
  • Enhanced Tunneling:
    • Added support for Dead Peer Detection (DPD) with Link Selection.
    • Support for Tunnel IP address that is different from the Gateway Main IP, for enhanced interoperability with third-party vendors. Introducing the capability to configure distinct external interfaces for different communities, enabling greater granularity.
    • Allow ISP links redundancy with third-party and cloud vendors VPN peers.

Remote Access VPN

  • Security Gateway now supports the IKEv2 protocol for connections from Remote Access VPN Clients (E87.70 and higher for Windows OS and E87.80 and higher for macOS).

Mobile Access

  • Mobile Access Policy and Capsule Workspace configurations are now available in SmartConsole.
  • SAML authentication support for Mobile Access clients that allows seamless integration with third-party Identity Providers.
  • New Management API calls for Capsule Workspace configuration. See the Local Management API Reference at "https://<IP Address of Gaia Management Interface on Management Server>/api_docs/" > section "Mobile Access".

Gaia Operating System

This release boosts Gaia OS with a new OS kernel and multiple new configuration options for better security, enhanced networking and a simpler experience.

The new capabilities are:

  • Enhance Gaia OS support with:
    • Support for VSX mode in Gaia Link Layer Discovery Protocol (LLDP).
    • DHCPv6 server, DHCPv6 client, and DHCPv6 client for prefix-delegation.
    • Ability to configure the order of the "AAA" authentication (TACACS, RADIUS, Local authentication) in Gaia Portal and Gaia Clish.
    • DNS Proxy forwarding domains, which allows configuring specific DNS servers per DNS suffix.
  • New Gaia Clish and Gaia Portal configuration items:
    • NTP pools and a larger number of NTP servers.
    • NFSv4 configuration.
    • Keyboard layout.
  • Support for storing a Gaia OS backup in and restoring it from Amazon S3 and Microsoft Azure. 

Dynamic Routing

Added support for new Dynamic Routing capabilities:

  • BGP Extended Communities (RFC 4360).
  • BGP Conditional Route Advertisement and Injection.
  • Routing Table Monitor for Event Triggers.
  • IPv4 and IPv6 Router Discovery on cluster members.
  • Router Preference and Route Information option.
  • IPv4 PIM-SSM with non-default prefixes.
  • IPv4 PIM with BFD.
  • IPv4 PIM neighbor filtering.
  • IPv6 Protocol Independent Multicast (PIM) and Multicast Listener Discovery (MLD).
  • REST API calls for BGP, PIM, Multicast Listener Discovery (MLD).
  • REST API calls for Route Redistribution, Inbound Route Filters, and NAT Pools.
  • REST API calls for IGMP.

See the Local Gaia API Reference at "https://<IP Address of Gaia Management Interface>/gaia_docs/#introduction" > section "Networking".

Performance and Infrastructure

  • Added elephant flow acceleration support for SMB/CIFS service in HyperFlow.
  • Quantum Security Gateway multi-core utilization for log sending, improving log output capacity by up to 100%.

Maestro Hyperscale

This release features improvements in managing and monitoring Maestro Hyperscale clusters, which include:

  • Support for SNMP Queries on each Security Group Member.
  • REST API on Quantum Maestro Orchestrator and ElasticXL Cluster Members:
    • New Quantum Maestro Orchestrator API calls for configuration and monitoring of Security Groups, Gateways, Sites, and Ports.
    • Support per member Gaia REST APIs for Quantum Maestro and ElasticXL Cluster Members.

See the Local Gaia API Reference at "https://<IP Address of Gaia Management Interface>/gaia_docs/#introduction" > section "Maestro".

VSX

Check Point VSX is enhanced with a new mode, allowing simpler configuration, easier provisioning, and a similar experience to a physical Security Gateway.

The benefits of the new VSX mode are:

  • Unified management experience between Check Point physical Security Gateways and Virtual Gateways, including the capability to manage each Virtual Gateway from a different Management Server.
  • Improves VSX provisioning performance and provisioning experience - creating, modifying, and deleting Virtual Gateways and Virtual Switches in Gaia Portal, Gaia Clish, or with Gaia REST API.
  • Management feature and API parity between Virtual Gateways (VGW) and physical Security Gateways.

Tools and Utilities

  • ConnView - a new consolidated troubleshooting tool for viewing connections information on the Security Gateway that works in the User Space Firewall (USFW). See the Local Gaia API Reference at "https://<IP Address of Gaia Management Interface>/gaia_docs/#introduction" > section "Diagnostics" > section "Connections" > command "show-connections". In the Expert mode, run the "connview" command.
  • New policy advisory tool "up_execute" (in the Expert mode), which performs virtual Access / NAT Rule Base execution. Given inputs based on logs or connections, the execution provides detailed information such as matched rules and classification information.

Quantum Security Management

Security Management Server Enhancements

  • The LDAP Account Unit object now uses the LDAP server name and CA certificate for LDAP trust. The trust is automatically renewed if an administrator renews or replaces the LDAP server certificate. As a result, Check Point servers keep their connectivity to the LDAP server.
  • Support for Management API to run the "vsx_provisioning_tool" operations to configure VSX Gateway and VSX Cluster objects. See the Local Management API Reference at "https://<IP Address of Gaia Management Interface on Management Server>/api_docs/" > section "VSX" > command "vsx-provisioning-tool".
  • Security Gateways can now be managed by a Security Management Server hosted behind a public cloud or third-party NAT device.

Central Deployment of Hotfixes and Version Upgrades in SmartConsole

Central Software Deployment through SmartConsole was enhanced and now supports:

  • Uninstall of Jumbo Hotfix Accumulators.
  • Installation of packages on ClusterXL High Availability mode in the "Switch to higher priority Cluster Member" configuration ("Primary Up").
  • Installation of packages on Secondary Management Servers.
  • Installation of packages on Dedicated Log Servers.
  • Installation of packages on Dedicated SmartEvent Servers.
  • Installation of packages on Clusters of Quantum Spark and Quantum Rugged Appliances.
  • Installation of packages from Standalone Servers.
  • Package Repository per Domain on a Multi-Domain Security Management Server.

SmartProvisioning

  • Star VPN Community now supports Quantum Maestro Security Groups, VSX Gateways, and VSX Clusters as Center Gateways (Corporate Office Gateway).

Multi-Domain Security Management Server

  • Ability to clone an existing Domain on the same Multi-Domain Security Management Server. See sk180631.
  • Improved upgrade time of large Multi-Domain Security Management Server environments by up to 50%.
  • New Management API for setting IPv6 address of Multi-Domain Security Management Server.

Compliance

  • Added support for Quantum Maestro and Quantum Spark Appliances:
    • Gaia OS Best Practice support for Maestro Security Groups by checking each Security Group Member individually and presenting a consolidated Best Practices status.
    • Applying relevant Gaia OS Best Practices on Quantum Spark Appliances.
  • Added Gaia OS Best Practice support for Log Servers.
  • Added new regulations:
    • Cyber Essentials v3.1 regulation
    • Israeli Cyber Defense Methodology 2.0

CloudGuard Network Security

CloudGuard Controller

  • CloudGuard Controller support for Identity Awareness PDP (Identity Sharing).
  • CloudGuard Controller for VMware NSX-T now uses Policy Mode APIs to import objects from an NSX-T Manager.
  • CloudGuard Controller for VMware NSX-T can import Virtual Machines and Tags from an NSX-T Manager.
  • Multi-Domain Security Management Server now supports Data Center objects and Data Center Query objects in the Global Policy.

CloudGuard Network

  • New Management API for CloudGuard Central License utility.

Harmony Endpoint

Harmony Endpoint Web Management enhancements:

  • Client optimization for Windows servers - Harmony Endpoint allows you to easily optimize the Endpoint Security clients for Windows servers, such as Exchange servers, Active Directory servers, Database servers, and so on, by manually assigning Windows server roles.
  • Run Diagnostics:
    • Runs performance checks on endpoint clients using Push Operation.
    • The performance report presents each client's CPU and RAM utilization, including the editable threshold.
    • Harmony Endpoint presents suggested exclusion for performance improvements.
    • You can easily add an exclusion as part of "Global Exclusion" or "Exclusion per Rule":
      • Exclusion description - You can now add comments for new or existing exclusions.
      • Global Exclusion - You can now easily add global exclusion that applies to all rules.
  • Application Control for macOS - Control which applications can run or use networking.
  • New Asset Management view:
    • Filters - A brand new look and functionality for filters that enhances operation and productivity while using the Asset Management view.
    • Asset Management Table - Bigger asset management table to see all relevant data easily.
    • Columns reorder - New column reorder option to customize the asset management table based on specific needs by changing column locations.
  • Linux Offline Package - Supports upload and export of packages for Linux OS clients.
  • Added Harmony Endpoint Management API to support on-premises Endpoint Security Management Server.

The API is disabled by default for on-premises deployments. See the Harmony Endpoint Management API article.

Software Changes

Note - To see the list of changes starting R80.40, see sk180180.

This section describes behavior changes from the previous version.

Gaia Operating System

This release boosts Gaia OS with a new OS kernel and multiple new configuration options for better security, enhanced networking and a simpler experience.

  • Enhance Gaia OS with:
    • Support for VSX mode in Gaia Link Layer Discovery Protocol (LLDP).
    • DHCPv6 server, DHCPv6 client, and DHCPv6 client for prefix-delegation.
    • Ability to configure the order of the "AAA" authentication (TACACS, RADIUS, Local authentication) in Gaia Portal and Gaia Clish.
    • DNS Proxy forwarding domains, which allows configuring specific DNS servers per DNS suffix.
  • New Gaia Clish and Gaia Portal configuration items:
    • Two-Factor Authentication for Gaia OS login using time-based authenticator apps
      (Google Authenticator and Microsoft Authenticator).
    • NTP pools and a larger number of NTP servers.
    • NFSv4 configuration.
    • Keyboard layout.
  • Support for storing a Gaia OS backup in and restoring it from Amazon S3 and Microsoft Azure.

VSX

  • The default value for concurrent connections in the Virtual System object was increased from 15,000 to 50,000 (Optimizations section > Capacity Optimization page).
  • In the VSNext mode, the Expert mode command "clish -c" now supports the context of a Virtual Gateway / Virtual Switch with this syntax:

clish -v <Virtual Device ID> -c "<Gaia Clish Command>"

VPN

  • When a Check Point Management Server creates an IKE certificate, by default this certificate contains the "Server Authentication" attribute within the "Extended Key Usage" field.

Management Server

  • The default minimum TLS version was changed from TLS1.0 to TLS1.2 in the following Check Point communication types:
    • SIC communication between a Management Server and all managed servers and gateways.
    • SSL communication to the TCP port 18265 on a Management Server (the ICA Management Tool).
    • SSL communication to the TCP port 18194 on a Security Gateway configured for Local Threat Emulation.
  • Security Gateways R77.30 are not supported.

SmartConsole

  • Upgraded the SmartConsole .NET Framework from 4.5 to 4.8.

Scalable Platforms

  • On the Maestro Orchestrator MHO-175 ports, increased the default MTU size from 9216 to 10240 bytes.
  • On a Maestro Security Group, in the output of the "asg if" command, the column header changed from "Link State (ch1)/(ch2)" to "Link State (site1)/(site2)".

25 Comments

Danny (Champion)

So happy to see the forthcoming of R82!
This triggers me the most:

  • ElasticXL
  • Central management of kernel parameters
  • Auto-update of Snort IPS rules

the_rock (Legend)

I hope many more things will be available from SmartConsole, rather than having to make custom modifications via user.def, .lib files, etc.

Cheers,

Andy

Magnus-Holmberg (Advisor)

Hi,

"Check Point VSX is enhanced with a new mode, allowing simpler configuration, easier provisioning, and a similar experience to a physical Security Gateway."

There are some things that are unique to VSX and more or less why at least we use it as a service provider.
Things like: the VS is actually not required to reach the MGMT servers but can still be managed via vs0 / VSX cluster node with some magic.

And also that the routing etc. is done in SmartConsole instead of needing to provide CLI access.

In demos / info we have gotten before these things have been removed.
Have these things been changed within R82?


"Improves VSX provisioning performance and provisioning experience - creating, modifying, and deleting Virtual Gateways and Virtual Switches in Gaia Portal, Gaia Clish, or with Gaia REST API."

How does this affect restore with VSX reconfigure?
Currently it's very easy to restore a failed VSX node as all config is within the mgmt station.
Yes, it has a lot of drawbacks as well.

Virtual switches / GW, do they then need to be created on all members or is there a "config sync"?



Some more specific info on how the VSX product now is would be great.
Does it still require only 1 IP for interfaces?
And as there seem to be many changes, can we still run it in the "old" mode or is it required to change due to R82?


/Magnus

Ruan_Kotze (Advisor)

Also excited for what's coming in VSX. 

A while ago CP accidentally published an internal video on their YouTube channel for something that was called "VSX Next" - and it was awesome :-)

It removed the vast majority of complexities from VSX and the management and configuration was aligned to how one would manage a non-VSX gateway.

Exciting times :-)


Marcel_Gramalla (Advisor)

Wow, this sounds huge! So many major features but also a few smaller ones that really make life easier. We don't have time for this EA unfortunately but I'm excited to read through all the documentation of the new features etc.

Also really nice that the version number really indicates that this is a major release and not just R81.30 or something.

Daniel_ (Advisor)

Since the kernel is updated from 3.10 to 4.18: Do you switch from RHEL7 (kernel 3.10) to RHEL8 (kernel 4.18)?

Is it a 64 Bit only system or do we still have some 32 Bit binaries as in R81.20?
# file /usr/bin/ls
/usr/bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.16, dynamically linked (uses shared libs), for GNU/Linux 2.6.16, stripped

sharonab (Employee)

@Daniel_ we upgraded the kernel, and many packages, but there are still 32-bit binaries in R82.
PhoneBoy (Admin)

One of the benefits of VSXnext is closer alignment of VSX to regular Security Gateway.
This includes the same or better level of API support as for regular Security Gateways today.
It also allows for some new deployment options (for example, having VSes managed by different MDS).
I’m sure we’ll show it off and have more to say about it at our upcoming CPX events.

Wolfgang (Authority)

My favourites 

  • Full Fail-open mode - A new capability that automatically detects a failure in the HTTPS Inspection
  • New policy advisory tool "up_execute"
  • new VSXnext mode 
  • DNS Proxy forwarding domains, which allows configuring specific DNS servers per DNS suffix.
  • Multi-Domain Security Management Server now supports Data Center objects and Data Center Query objects in the Global Policy.
  • Added elephant flow acceleration support for SMB/CIFS service in HyperFlow

Alex- (Advisor)

Solid list of new features and finally a complete VSX redesign. I'm thrilled by a refresh of the HTTPS Inspection experience, which can be a challenge to implement at some customers, along with DoH and QUIC support.

Raven (Participant)

When can we expect R82 Public EA release?
If I understand correctly this is intended only for those who would like to test the R82 EA in a production environment and not in a lab?

Naor_Nassi (Employee)

Hi,

@Raven  - Public EA is estimated to be open during Q1

Kaspars_Zibarts (Employee)

@Magnus-Holmberg 

RE: VSX restore. Surely you want to move to IaaC setup and use API / i.e. Terraform to build and restore your environment with proper version control? 🙂 Plus I suspect there would be full local Gaia backup holding all VSes. Instead of requiring connectivity to Mgmt. I can challenge you there: when I had VSX in one country and Mgmt in another, MPLS was down, then I had real problems restoring VSX... 😉 just saying

To be seen! 🙂

Garrett_DirSec (Advisor)

Update (thank you Google).

https://community.checkpoint.com/t5/General-Topics/R82-ElasticXL/m-p/192459#M32247


very exciting!

Where can we read more about ElasticXL in the immediate future?   Even our local CP engineers are in the dark.

thanks

PhoneBoy (Admin)

ElasticXL is not released yet.
We’ll probably have more to say about it at CPX
If you want to read up on it in the meantime, get familiar with Maestro, which is what ElasticXL is based on.
The setup (minus orchestrator) is expected to be similar (single management object, g_clish commands).

RamGuy239 (Advisor)

I'm somewhat confused about "VSXnext", but I'm sure it will be less confusing once we get more details on it. To me, it sounds like VSXnext is trying to make VSX configuration more like managing regular gateways? But what does this mean? I've always considered it a benefit of VSX to be able to configure things in Smart Console instead of having to utilise local Gaia Portal and/or CLI/SSH. This sounds like a step backwards?

One major problem with modern VSX is of course how we have so many things not exposed in Smart Console. It feels like a split-personality kind of deal. You do basic routing and interfacing in Smart Console, which to me makes much more sense compared to regular gateways where you have to do everything using local Gaia Portal and/or CLI/SSH. But the fact that anything besides basic routing and interfacing still has to be done locally kind of defeats the purpose.

If VSXnext is trying to make configuration of virtual systems more like regular gateways, does that mean Check Point is more or less giving up making configuration using Smart Console a thing? I had hoped things would move in the opposite direction, bringing more configuration to Smart Console, not the other way around.

Oliver_Fink (Advisor)

I really appreciate that the strong tie between SMS and VSX gateway disappears. Doing snapshots during updates and upgrades was really a mess due to dependencies between both of them. And I do not like auto-publishing when changing a VS configuration, also.

What I really like with the actual VSX is VSLS. I am not quite sure how one can find something comparable with VSNext. And I do not know, if I really like this active/active configuration.

It seems obvious that Check Point had something to do to the traditional VSX in order to reduce complexity and to raise manageability. We will see if VSNext does this job. I am very confident…

PhoneBoy (Admin)

@RamGuy239 VSnext is a new implementation of VSX that also leverages ElasticXL (also new in R82).
VSes are configured in Gaia and associated with management similar to a regular gateway.
This enables different management domains to have VSes on the same gateway.
It's also a lot more API friendly (VSX in general is currently not).

There will be more information on these technologies posted to CheckMates after CPX 2024 is over.

Chris_Atkinson (Employee)

Getting excited for this release as we learn more about the new features!

https://sc1.checkpoint.com/documents/SmartConsole/WhatsNew.html


Bob_Zimmerman (Authority)

There have been some new versions in the recent past with changes which could only be applied by wiping the system and reinstalling from external media (ISO, thumb drive, etc.). Notably, kernel 3.10 changed the default filesystem from ext3 to XFS, and R81.20 fixed the longstanding partition alignment bug on drives with 4k block sizes (most drives).

Is R82 expected to have any changes like this which benefit from a wipe-and-rebuild over an in-place upgrade?

Raven (Participant)

@Naor_Nassi  Any news regarding R82 Public EA release? First it was planned to be available in Q1 2024.

Don_Paterson (Advisor)

Regarding VSXNext:
Any chance of getting visibility of the VSX Admin Guide for R82 EA at this point?
I am curious to understand VSXNext and see the significant changes that it seems to promise.

Thanks,

Don

PhoneBoy (Admin)

We usually don't publish full documentation until GA (or at least public EA).
I presume you've seen the "under the hood" presentation at the recent CPX? https://community.checkpoint.com/t5/Holding-Area/R82-ElasticXL-and-VSNext-Generation-Under-the-Hood/... 

Don_Paterson (Advisor)

Thanks D

Another cpx video with poor sound quality 😢 

I am keen to read the details and limitations, but no worries on waiting for GA


Naor_Nassi (Employee)

Hi,

@Raven no official date for Public EA yet, we are estimating the beginning of May.
