Who rated this post

Slides and Q&A are below.

When will R81.20 be released?

Soon. It will be available via UserCenter.

What licensing is required for DNS Security and Zero Phishing?

DNS Security is included in the NGTP and NGTX license. Zero Phishing is included only in the NGTX license.

What license is required for IoT?

This is a separate offering that requires R81.20, pricing will be announced at GA. 

Does SmartConsole still exist in R81.20?

Yes. Eliminating SmartConsole is part of our longer-term roadmap.

Why the R81.X is not available for even brand new SMB firewalls such as 1500/1600 series?

R81.10.00 has been available since July 2022. Download from sk179004. R81.10.05 is currently in EA.

Is QUIC supported?

Not currently, but it is planned for a future release (not R81.20).

How does this work with traditional SEG solutions for customers that already have a SEG solution?

We can be an MX or a nexthop similar to a SEG (and pass traffic to an existing solution). Of course, if you’re using a cloud-based email provider, you probably want to use Harmony Email and Collaboration (a.k.a. Avanan) instead.

HI please let know whether r81.20 is able to block ioc inbound and outbound with third party cloud

This is supported from R81 using ioc_feeds. In R81.20, we offer a Network Feed feature, which is a bit more flexible.

Is HTTPS Inspection required for Zero-Phishing?

Yes, it is a mandatory requirement since almost all web traffic is HTTPS.

What is the minimum hardware requirement to run R81.20 will all the new blades?

Minimum hardware requirements will be listed in the release notes. If you have specific sizing questions for your environment, reach out to your Check Point SE. In general, it should be similar to R81.10.

Blocking Zero Day Phishing: Would you end up blocking a companies custom test phishes which also test the users using fake web pages (like Microsoft fake page for example)? Will we need to bypass our test phishes when training employees?

Yes, you should be able to configure exceptions for your own phishing sites used for internal training.

So if you have Titan Zero Phishing Blade, you don't need Harmony Email?

These are complimentary solutions. The Zero Phishing on the gateway only protects phishing when webmail and similar is accessed through the gateway. Harmony Email and Collaboration works regardless of where the users access webmail from.

Will R81.20 available for Open Server?

Yes, of course. Additional hardware should be supported with this release as well.

Does CP have a hardware refresh plan which integrates hardware based chips to offload processor intensive tasks?

Accelerating Layer 7 inspection is part of our long-term roadmap for our Lightspeed platforms.

What does the page look like if within 2 secs determines phishing page?

When the end user clicks into a field to enter information, if it’s determined the site is phishing, entry into the text field will be blocked by the Javascript.

Is SD-WAN part of R81.20?

It’s a separate offering that is coming soon. It will be available for R81.10 or R81.20 with JHF when released.

Is the VPN monitoring still in the legacy SmartConsole or has it been integrated into the modern SmartConsole?

Not part of R81.20

Up and including R81.10, attempts by the clients to resolve malicious pages labels them as “Infected Computer”. That definition is incorrect. Does this behavior change in the R81.20?

It is best to address this with the TAC.

Is that stage 4 protection ( exfiltrate data ) enforced when our clients have policies like src:rfc1918 dst:any , service: icmp and or dns? Is the protection going to overrule the flaws in the client policies ? ( a mistake I've seen it in a lot of client policies )
DNS blade and Cisco Umbrella DNS in the same environment?? How will they play together

We've been scanning domains for a long time now with the Anti-Virus and Anti-BOT blades. If both are already enabled you shouldn't have any issue

Has HTTPS decryption performance been improved compared to previous releases?

Not initially, but a future JHF is expected to improve performance.

How to prevent dns-attacks in DoH/DoT? Many Browsers provide DoH separately from operating system, so they not using unencrypted DNS witch are provided from OS.

These are already covered with our existing IPS and Anti-bot blades.

Can we have a dedicated SG with NGTX that other GW with NGTP can send traffic to be analysed for ZeroPhishing like we would do with Threat Emulation and Extraction?

Zero Phishing must be done with an inline gateway that is running HTTPS Inspection.

The IoT scanning is passive? I mean, it checks the traffic as it passes through the gateway?

The scanning is passive and it requires further integration with further network components.

When should I use a Network Feed versus a Generic Datacenter Object?

Going forward, Network Feeds are probably the better choice for the vast majority of use cases. Refer to this thread for discussion on the matter. 

IoT protect needs Cloud Management and a Check Point appliance or can be implemented also with on-prem management?

Quantum IoT requires an on-prem gateway managed with either an on-prem Smart-1 or Smart-1 Cloud as well as an Infinity Portal tenant.

Will wildcard certs be finally available for outbound HTTPS Inspection?

Outbound HTTPS Inspection requires a Certificate Authority key. This is required because certificates are generated on the fly. A wildcard certificate cannot sign other certificates. 

How fast gateway can read this file at web server for network feed objects?

There is an interval that can be set in the Network Feed window, called "Check feed interval" under Network. The lowest interval that can be set is one minute.

In Network Feed can we add and delete object and policy installation will not be required correct ? How can we know that changes saved?

Correct. We have a "Test Feed" button in SmartConsole you can use to verify the feed is working.

Can network feeds access an HTTPS webserver? If yes, Is it possible to validate the server cert?

Yes it is

Can the policy changes be mailed to an admin for reviews?

Yes, you can configure smart-task for that with the required mails addresses

Can this change approval process to be integrated with ServiceNow and Management API?

SmartWorkflow features are also available via the API, which means it can be integrated into ServiceNow and similar platforms.

Network Feed objects read by each gateay or mgmt server and information push to gateways?

Network Feed are fetched by the gateway.

Is Horizon a re-branding of SmartConsole?

No. The products/services that are part of Horizon involve Infinity Portal. 

Will the streamline policy also allow admins to install only their own changes or only approved changes?

SmartWorkflow adds two roles to the admin permission profile in addition to the Install Policy permission:

• Publish Sessions without approval
• Approve/Reject other sessions

Persons with the Install Policy permission will only be able to install changes that were published.

Dynamic Balancing is also supported for VSX??

It is already supported with R81.10

For SmartWorkflow, are the locked objects submitted for the approval differentiated from the ones that are not yet submitted? Use case: multiple admins working on different segments of the rulebase. Approver is looking at the policy, not only at change report.

Changes must be approved per-session, not globally. Any object/rule modified in any session but not yet published will show as "locked" in SmartConsole and will not be editable until the relevant session is approved or discarded.

Does the network feed object need a particular license?

No.

Will everything showed here end up in the R81.20 GA or will some parts added later with a JHF?

All we showed will be part of the initial release (without JHF).

What are the requirements to run Hyperflow? 

The requirements (which will be publicly documented in SK187070 when R81.20 is GA) are as follows:

• Check Point appliances with at least 8 logical CPU cores
• USFW Mode (see sk167052)
• Dynamic Balancing enabled
• One or more blades enabled from the following categories: NGFW, NGTP, NGTX (i.e. not supported in Firewall/VPN only)

VSX is supported as well.

Will Hyperflow work with route based VPN where a single core is assigned to the flow and large file transfer will always use the same flow rather than balance across multiple cores?

At the moment, no. However, it is something we are evaluating for a future release.

Does Network Feed support STIX format?

No. For that, use the existing ioc_feeds feature.

What about SD-WAN? Will it be available with R81.20?

The SD-WAN offering is separate from R81.20. It will also be supported on R81.10. 

Hyperflow is also for IPv6?

Yes

Does the SAML authentication also enable SSO, as in using groups in SMS/MDS connected to group in another user database, so no more need to create admins in SmartConsole?

Yes, you won't need to create admins in SmartConsole.

Will new Checkpoint version support VPN With Zscaler?

Already supported, see sk174878 and sk175385.

Any major IA improvements incoming? Especially looking forward to multicore support of the pep daemon?

Identity Awareness in general will be more robust and scalable as a result of the changes made in R81.20.

Regarding elephant flows, one heavy session is handled by only one core, right?

Before HyperFlow- yes, a single connection is processed by a single FW instance assigned on a single core. HyperFlow allows offloading jobs to additional core(s) as needed.

Are Maestro common pool appliances do work only with Security Groups that are on the same Major Version?

Yes

Will SmartConsole R81.20 WebUI have all features as the SmartConsole app?

No, but it should have more than in R81.10.

What's the lowest version from which users can upgrade to Titan (R81.20)?

It will be mentioned in release notes and upgrade guides. Having said that, if you are on a version prior to R80.40, you should upgrade as prior releases are no longer supported. 

When is R81.xx going to be available for Centrally Managed SMB devices?

In the coming weeks. It is already available as an EA.

Does this align standard and SP releases or are there still 2 software streams?

This was already done as part of the R81 release. There is still a separate installation ISO for Scalable Platforms and there are some features not yet implemented on Maestro yet and we will continue to close these gaps in coming releases.

SmartView access is by checkpoint password and user only - or thats my understanding - will this be improved?

That and the SmartConsole Web will be able to leverage SAML authentication in R81.20, which will allow you to use whatever authentication methods are configured in your IdP.

Did you plan improvement for Identity Awareness ? I mean, a better compatibility with Azure AD (AutoPilot devices, etc.)

Please communicate your specific requirements with your Check Point SE.

We have Harmony endpoint with Phishing protection, we can use the same on gateway together ?

Yes, we made sure they can co-exist safely.

Does R81.20 include the SSH DPI keys being able to be synced between firewalls without having to do it manually? Secondly, it would be nice to have a way to say that I only want this subnet to be SSH DPI using all the keys that have been uploaded.

No specific changes to SSH DPI have been made. If you have specific requirements, please reach out to your Check Point SE.

There was an extra official rule to insert the cost of SSL inspection in the sizing of a gateway, which was considering a 50% to 100% increase in the needed throughput. Is it still the recommended way of calculating the performance needed?

For now, yes.

Could you explain the main improvements regarding Authenticate Remote Access VPN users with SAML?

This is actually not a new feature, as it was rolled out in releases since R80.40 in the JHF. For more details, refer to this CheckMates thread.

QUIC support in R81.20?

Planned for a future release.

Is Skyline integrated into R81.20?

Yes