Timothy_Hall

R82 Interesting Findings

Been looking under the hood at R82 GA all morning, here are a few things I've uncovered.  I'll try to avoid restating findings that are already in the release notes, also keep in mind these are initial impressions which may not be 100% accurate.

1) All NIC drivers (igb/ixgbe/vmxnet3/mlx_core etc) are taking a major driver version update due to the new 4.18 kernel, this may result in changes in network interface behavior upon upgrade (like this when we moved to kernel 3.10: sk166424: Number of RX packet drops on interfaces increases on a Security Gateway R80.30 and higher ...).  The e1000 driver (which is the default interface in many virtualized environments) is deprecated in R82 and will throw a console warning if you are trying to use it.  The e1000 driver still seems to work anyway on an SMS in VMWare, but does NOT work for me on a security gateway in VMWare so look out.  sk180572: Hardware Compatibility Notifications

2) If you create a new R82 security gateway or cluster, Anti-Bot and Anti-Virus will be enabled by default.  These features under R82 now also support a kind of hybrid between "Background" and "Hold", whereas if Hold is causing excessive latency connections start slowly getting treated as background in a very interesting trade-off (this hybrid mode doesn't appear to be enabled by default): sk181434: "Maximum Security" feature in Anti-Virus and Anti-Bot R82 and higher

3) The Advanced DNS protections introduced in R81.20 have been exposed somewhat in the TP profile settings, but it looks like all you can do is turn them off for testing purposes, not sure if exceptions could be created for these:

[image: dnssettings.jpg]

4) A new "Dynamic Layer" of rules can be added directly on a gateway even if the SMS is unreachable, kind of like SAM rules on steroids: sk182252: Dynamic Layer in Access Control Policy.  Also it looks like the R82 gateways now cache multiple versions of previously installed policies so you can revert to an older known-good policy directly on the gateway itself, kind of like the Installation History screen in SmartConsole.  sk181437: Access Control Policy Revert Tool (policy_rev_tool)  Could be very handy when a policy install causes all hell to break loose including cutting off the gateway from the SMS, to recover you could just jump directly onto the gateway and reinstall the known-good policy that was installed just before the "bad" one was, as opposed to fw unloadlocal causing a full outage.

5) Looks like a new daemon called cpview_api_service has been added to R82 according to sk97638, I assume this would allow cpview data to be retrieved directly via API calls which opens up some verrrry interesting monitoring/reporting capabilities.

6) Looks like the ips command has gotten pimped out with some new options beyond just looking up the name of a protection ID you see in a debug, appears you now can switch off individual IPS protections right from the gateway's CLI without a policy install.  Guess Check Point got tired of administrators running ips off and gave them some more granular options:

ips protections print_name <protection_id (hex)> # Display protection name
ips protections print_id '<protection name>' # Display protection ID
ips protections disabled show # Show IPS disabled and excluded protections
ips protections disabled exclude <protection_id> # Exclude IPS disabled protection
ips protections disabled delete_exclude <protection_id>|all # Delete excluded IPS disabled protection

7) New command called turbostat shows very detailed information about the processors such as power consumption, current clock rate and lots of other goodies.  @Bob_Zimmerman would approve.

8) Looks like we picked up two new paths in the output of fwaccel stats -s, presumably for Hyperflow boosting of QUIC and SMB/CIFS.  Also the connection_pipelining command has been renamed hyperflow.

UDP IS XL pkts/Total pkts : 0/541805 (0%)
UDP IS pipeline pkts/Total pkts : 0/541805 (0%)

9) The great new connview tool requires USFW to function, it doesn't work if your firewall is in kernel mode.

10) The classic Unix command strace is back in Gaia (although it was previously available via the undocumented perf trace command).  This great command can be used to sniff the system calls between an existing runaway/malfunctioning process and the kernel.  You can see everything it is trying to access (files, sockets, etc) and even the data it is reading/writing.  Awesome troubleshooting tool for processes that can be attached to a process that is already running.

11) All the configuration options for HTTPS Inspection including CA updates and such are now located in the main SmartConsole GUI and no longer in the legacy SmartDashboard which means they have been extricated from the vile clutches of fwm, speaking of which...

12) It seems that while the legacy single-threaded fwm process still exists in R82, it has had even more responsibilities taken away from it on the SMS which is a good thing.  Policy installations seem WAY faster in R82 and watching the output of top during a policy installation shows fwm is doing very little now.  In R81.20 and earlier fwm is always the major bottleneck for policy installation performance, even for accelerated ones.

13) Enhanced VPN Link Selection looks very nice, should make setting up ISP-redundant VPNs with non-Check Point gateways much easier.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
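An added example (not from the post above and not Check Point's own tooling) for item 8: a small Python parser for the two new counter lines quoted from fwaccel stats -s, which compares two samples taken some minutes apart and reports how much of the UDP traffic in that interval went through the IS XL and IS pipeline paths, and whether a counter was reset in between. It assumes only the "name : count/total (pct%)" line format visible in the post; the sample values are constructed, and the counter names are taken from the two lines in the post.

```python
import re
from dataclasses import dataclass

# Constructed samples in the line format shown in the post. The "before"
# sample mirrors the zero counters quoted there; the "after" values are
# made up so the interval math has something to show.
SAMPLE_BEFORE = """\
UDP IS XL pkts/Total pkts : 0/541805 (0%)
UDP IS pipeline pkts/Total pkts : 0/541805 (0%)
"""
SAMPLE_AFTER = """\
UDP IS XL pkts/Total pkts : 1200/600000 (0%)
UDP IS pipeline pkts/Total pkts : 30000/600000 (5%)
"""

# One counter line: "<name> : <count>/<total> (<pct>%)"
LINE_RE = re.compile(
    r"^(?P<name>.+?)\s*:\s*(?P<num>\d+)/(?P<den>\d+)\s*\((?P<pct>\d+)%\)\s*$"
)


@dataclass
class Counter:
    name: str
    count: int
    total: int
    reported_pct: int  # the rounded percentage the tool printed

    @property
    def share(self) -> float:
        """Cumulative fraction of packets on this path since the counters were last zeroed."""
        return self.count / self.total if self.total else 0.0


def parse_stats(text: str) -> dict:
    """Parse counter lines into a dict keyed by counter name; other lines are ignored."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, counters in another format
        c = Counter(m["name"].strip(), int(m["num"]), int(m["den"]), int(m["pct"]))
        counters[c.name] = c
    return counters


def delta(before: dict, after: dict) -> dict:
    """Per-counter change between two samples.

    interval_share is the fraction of packets seen *between* the samples that
    took this path, which is what you want when checking whether a new path is
    actually being used now, rather than the cumulative figure the tool prints.
    reset flags a counter that went backwards (e.g. fwaccel stats -r in between).
    """
    out = {}
    for name, b in before.items():
        a = after.get(name)
        if a is None:
            continue  # counter missing from second sample
        d_count, d_total = a.count - b.count, a.total - b.total
        out[name] = {
            "delta_count": d_count,
            "delta_total": d_total,
            "interval_share": (d_count / d_total) if d_total > 0 else 0.0,
            "reset": d_count < 0 or d_total < 0,
        }
    return out


if __name__ == "__main__":
    # On a real gateway you would feed two captures of `fwaccel stats -s` here.
    before, after = parse_stats(SAMPLE_BEFORE), parse_stats(SAMPLE_AFTER)
    for name, d in delta(before, after).items():
        flag = " (counter reset between samples)" if d["reset"] else ""
        print(f"{name}: +{d['delta_count']} of +{d['delta_total']} pkts "
              f"= {d['interval_share']:.1%} of interval{flag}")
```

Run it on the gateway as cpview/fwaccel data is normally collected: capture `fwaccel stats -s` before and after the traffic you care about and pass the two captures in place of the constructed samples; a path that stays at 0% across a busy interval is the signal that Hyperflow is not handling that traffic, whatever the cumulative percentage says.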