Danny Yang

A more powerful R80.20 is coming! (Expected 2018 Q3)

Discussion created by Danny Yang Employee on Apr 22, 2018
Latest reply on May 24, 2018 by Danny Yang

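Hello All,

Mike happened to ask whether ICAP Server will be supported in R80.x (R77.30 already has a hotfix), so I have summarized the planned new features of the latest release, R80.20, below. R80.20 is currently in the private EA stage; once it reaches official public EA, GA should not be far off (the current estimate is a release around the third quarter).

A first look at seven key features of R80.20:

1) Hardware acceleration cards (Acceleration card) will be released at the same time - 5000/15000/23000 series

2) A new GAiA OS will be released at the same time

3) Will pass EAL4+ certification (R77.30 currently has it)

4) Will support SandBlast Appliance (currently only R77.30 does)

5) Added support for network clustering/routing features

6) Supports mirroring encrypted traffic to an external destination after it is decrypted

7) Integrated management of Endpoint Security is expected to be supported (currently this requires R77.30.03)

The following are the feature enhancements planned for R80.20. They are for reference only; the release notes of the official GA version take precedence.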

Acceleration
With Falcon Acceleration Cards:

• NGFW/NGTP/NGTX & HTTPS Inspection acceleration — supporting higher throughput with maximum security including inspection of HTTPS traffic.

• QoS acceleration.

• Firewall only acceleration — low-latency, high packet and session rates.

• VSX support.

Additional software enhancements:

• Session rate improvements on high-end appliances (including 2012 appliances and 13000 and above appliances).

• Acceleration is enabled during policy installation.

• HTTPS Inspection performance improvements.

 

Threat Prevention

Threat Prevention Indicators (IoC) API

• Management API support for Threat Prevention Indicators (IoC).

• Add, delete, and view indicators through the management API.

Threat Prevention Layers

• Support layer sharing within Threat Prevention policy.

• Support setting different administrator permissions per Threat Prevention layer.

 

MTA (Mail Transfer Agent)

MTA monitoring:

• E-mail history views and statistics, current e-mail queue status and actions performed on e-mails in queue.

MTA configuration enhancements:

• Setting a next-hop server by domain name.

• Stripping or neutralizing malicious links from e-mails.

• Adding a customized text to a malicious e-mail's body or subject.

• Malicious e-mail tagging using an X-header.

• Sending a copy of the malicious e-mail.

ICAP

• ICAP server support on a Security Gateway to consult with Threat Emulation and Anti-Virus Deep Scan whether a file is malicious.

 

Threat Emulation

• SmartConsole support for multiple Threat Emulation Private Cloud Appliances.

• SmartConsole support for blocking file types in archives.

 

Clustering

• Sync redundancy support (over bond interface).

• Automatic CCP mode (either Unicast, Multicast or Broadcast mode).

• Unicast CCP mode.

• Enhanced state and failover monitoring capabilities.

• OSPFv3 (IPv6) clustering support.

• New cluster commands in Gaia Clish.

 

Advanced Routing

• Allow AS-in-count.

• IPv6 MD5 for BGP.

• IPv6 Dynamic Routing in ClusterXL.

• IPv4 and IPv6 OSPF multiple instances.

• Bidirectional Forwarding Detection (BFD) for gateways and VSX, including IP Reachability detection and BFD Multihop.

 

Identity Awareness

• Identity Tags support the use of tags defined by an external source to enforce users, groups or machines in Access Roles matching.

• Identity Collector support for Syslog Messages — ability to extract identities from syslog notifications.

• Identity Collector support for NetIQ eDirectory LDAP Servers.

• Transparent Kerberos SSO Authentication for Identity Agent.

• Two Factor Authentication for Browser-Based Authentication (support for RADIUS challenge/response in Captive Portal and RSA SecurID next Token/Next PIN mode).

• New configuration container for Terminal Servers Identity Agents.

• Ability to use an Identity Awareness Security Gateway as a proxy to connect to the Active Directory environment, if SmartConsole has no connectivity to the Active Directory environment and the gateway does.

• Active Directory cross-forest trust support for Identity Agent.

• Identity Agent automatic reconnection to prioritized PDP gateways.

 

Mirror and Decrypt

• Decryption and clone of HTTP and HTTPS traffic.
• Forwarding traffic to a designated interface for mirroring purposes.

 

Hardware Security Module (HSM)

• Enhancement of outbound HTTPS Inspection with a Gemalto SafeNet HSM Appliance.

• SSL keys are stored when using HTTPS Inspection.

 

Security Management

• Multiple simultaneous sessions in SmartConsole — One administrator can publish or discard several SmartConsole private sessions, independently of the other sessions.

• Integration with a Syslog server (previously supported in R77.30) — A Syslog server object can be configured in SmartConsole to send logs to a Syslog server.

 

SmartProvisioning

• Integration with SmartProvisioning (previously supported in R77.30).

• Support for the 1400 series appliances.

• Administrators can now use SmartProvisioning in parallel with SmartConsole.

 

Access Policy

• New Wildcard Network object supported in Access Control policy.

• Simplified management of Network objects in a security policy.

• HTTPS Inspection now works in conjunction with HTTPS web sites categorization. HTTPS traffic that is bypassed will be categorized.

• Rule Base performance improvements, for enhanced rule base navigation and scrolling.

• Global VPN Communities. Previously supported in R77.30.

 

vSEC Controller Enhancements

• Integration with Google Cloud Platform.

• Integration with Cisco ISE.

• Automatic license management with the vSEC Central Licensing utility.

• Monitoring capabilities integrated into SmartView.

• vSEC Controller support for 41000, 44000, 61000, and 64000 Scalable Platforms.

 

Additional Enhancements

• HTTPS Inspection support for IPv6 traffic.

• Improvements in policy installation performance on R80.10 and higher gateways with IPS.

• Network defined by routes — gateway's topology is automatically configured based on routing.

• IPS Domain Purge on Security Management Server — IPS update packages are saved for 30 days, older packages are purged.

 

Endpoint Security Server

Managing features that are included in R77.30.03:

Management of new blades:

• SandBlast Agent Anti-Bot.

• SandBlast Agent Threat Emulation and Anti-Exploit.

• SandBlast Agent Forensics and Anti-Ransomware.

• Capsule Docs.

New features in existing blades:

• Full Disk Encryption.

• Offline Mode.

• Self Help Portal.

• XTS-AES Encryption.

• New options for the Trusted Platform Module (TPM).

• New options for managing Pre-Boot Users.

• Media Encryption and Port Protection.

• New options to configure encrypted container.

• Optical Media Scan.

Anti-Malware:

• Web Protection.

• Advanced Disinfection.
