R81.20 Public EA is available

Nearly six months after the release of the Production EA for R81.20 Check Point has now launched the Public EA program for their upcoming R81.20 release. See also the R81.20 Public EA thread on CheckMates.

How to register?

UserCenter:
Register to the Public EA release via – UserCenter -> TRY OUR PRODUCTS -> Early Availability Programs -> CPEA-EVAL-R81.20

PartnerMAP:
Register to the Public EA release via – Partnermap -> CUSTOMER ACQUISITIONS -> Early Availability Programs -> CPEA-EVAL-R81.20

R81.20 Public EA limitations

• Check Point Public EA is designed for lab and sandbox deployments only.
• Public EA version upgrade to GA is not supported.
• VSX is not supported within the public EA program.
• For Maestro Hyper Scale – Please contact the Public EA Support team directly via the feedback link provided within the EA program.
• Multi-version Cluster (MVC) is not supported with Cluster Load-Sharing.

What’s New

Quantum Security Gateway and Gaia

Threat Prevention

• Prevent browsing to Zero-Day phishing websites.
  • Check Point Quantum Security Gateway enhances its web browsing protection to further prevent users from accessing phishing websites.
  • Powered by patented technologies and AI engines, the Security Gateway now uses Clientless In-Browser protection to prevent access to the most sophisticated phishing websites, both known and completely unknown (zero-day phishing websites).
  • The enhanced solution is available through the Security Gateway network flow, introducing dynamic security components that run within the browser with no need to install any client.
  • Delivered as part of your existing NGTX license.
  • Works out of the box for Security Gateways with Autonomous Threat Prevention enabled.
• Up to 50% performance enhancement to IPS CIFS protections.
• IOC feeds now support a significantly increased capacity in the number of observables for URLs, Domains, IP addresses, and Hashes – 2 million and up to hardware limit.
• Support for inspection of FTPS by Content Awareness, Anti-Virus and Threat Extraction blades.

Maestro Hyperscale

Maestro Auto-Scaling

Automatically assigns Security Appliances (scale units) to a Security Group when the configured conditions are met.

• Maestro Fastforward
• Sub microseconds latency.
• Port line-rate throughput for single connection.
• Support for Accelerated policy installation on Maestro Security Gateways. For more information see sk169096.
• Support gradual upgrade with Multi Version Cluster (MVC)
• Based on the current traffic load, the Security Gateway automatically changes the number of CoreXL SNDs, Firewall instances and the Multi-Queue configuration for zero traffic impact.
• Management Data Plane Separation (MDPS) support for Scalable Platforms.

IoT Protect

Leverage Quantum Security Gateway and Infinity to instantly discover IoT devices and enforce independent Zero-Trust policies.

• Only allow what is needed for the device to operate.
• Automatically assign policies to IoT devices according to their internet access requirements.

IPsec VPN

• Seamless site to site tunnel establishment with AWS native cloud VPN. Setup a route based VPN tunnel with a virtual Gateway in just a few simple steps.
• Major performance and stability improvement for Remote Access and Site to Site VPN that delivers a significantly greater capacity for VPN tunnels.
• Extended Security Gateway certificate validation capabilities for quicker authentication.
• Scalable VPN – Multi process architecture to process IKE negotiation (IKED)

Access Control

• Use a Network Feed object to customize a private web server feed definition for IP addresses or domains. The objects are automatically updated in Security Gateway without the need to install a policy. Updatable Objects uses the Network Feed to strengthen the dynamic configuration ability of the Access Control policy.
• Performance improvements – Support for Updatable Objects, Domain objects, and Dynamic objects with the Optimized Drop feature (drop templates).

Advanced Routing

• Support for Intermediate System (IS-IS) routing protocol.
• DHCP Relay Agent Information Option 82 that addresses several scaling and security issues that arise in public DHCP use.
• OSPFv3 NSSA support.
• IPv6 Static MFC Cache to enable forwarding of multicast data without PIM configuration.
• Support for Routed control scripts to allow ClusterXL fail-over and tear down of BGP connections.
• Routing Protocol History for BFD to improve troubleshooting capabilities.
• NetFlow Live connections and Firewall rule ID UUID.

Gaia Operating System

• Configure a retention policy for Gaia scheduled backups and snapshots.
• Use the CLI, to monitor the module temperature, module supply voltage, TX Bais voltage, Rx optical Power, and TX optical power for a single transceiver or all transceivers on an appliance.
• Automatic update to the NIC firmware during the ISO installation process for appliances that have 40GbE, 100/25GbE, and/or NVIDIA ConnectX 100G Cards.

CoreXL

• HyperFlow
  • Increases throughput of elephant connections.
  • Automatically detects and dynamically allocates CPU cores between main tasks on a Security Gateway.
  • Improves CoreXL FWK processes response time.
• In User Space Firewall (USFW), the number of IPv6 instances can equal the number of IPv4 instances, this allows the gateway to process a more significant amount of IPv6 traffic.

Identity Awareness

• The Identity Awareness Gateway automatically identifies and excludes Service Account sessions acquired by the Identity Collector. For more details, see sk174266.
• Improved resiliency, scalability, and stability for PDPs and Identity Brokers. Additional threads handle authentication and authorization flows.Improved resiliency, scalability, and stability for PDPs and Identity Brokers. Additional threads handle authentication and authorization flows.
• During a PDP failure, a PEP Identity Awareness Gateway can recover its identity database from connected PDP Gateways.
• Identity Collector is now supported with Quantum Spark Appliances.

Mobile Access

OAuth 2.0 support for Capsule Workspace and Office 365.

SMB Appliances

Central Deployment – Use SmartConsole to upgrade Quantum Spark and Quantum Edge Appliances. Identity Collector is now supported with Quantum Spark Appliances.

Quantum Security Management

General

• Integration between your on-premises Security Management Server and the Infinity Portal:
  • Run cloud services that are managed in the Infinity Portal on your Security Management Server objects.
  • See a unified log view of all your Check Point products, on-premises and in cloud.
  • Run Management APIs securely on the on-premises Security Management Server from anywhere in the world through the Infinity Portal.
• Performance improvements to IPS updates and utilization.

SmartConsole

Administrators can use SAML 2.0 to configure SmartConsole users to authenticate with an Identity Provider.

SmartWorkflow

Send policy and configuration changes for peer review and approval before publishing.

Management REST API

Management API support for:

• Identity Awareness configuration on gateways and clusters.
• HTTPS Inspection outbound certificate configuration.
• Creation of LSM Gateways.
• Creation of LSM Gateways VPN configuration.

Upgrades

• Central Deployment- Use SmartConsole to Gradually upgrade Quantum Cluster Members.
  • Upgrade Quantum Spark and Quantum Edge Appliances.
• Pre-Upgrade Verifier results are now presented in the upgrade report.
• Significant performance improvement by importing Domain Management Servers concurrently instead of sequentially.

CloudGuard Network Security

• CloudGuard Controller support for:
  • Oracle Cloud Infrastructure (OCI)
  • Nutanix
  • New Azure resources – Application Security Groups, Private Endpoints
  • New AWS resources – Load Balancer tags
  • SmartTasks integration – Configure SmartTasks for CloudGuard Controller events.
• Nutanix Flow support for CloudGuard Network Security Gateways.
• Amazon Web Services (AWS):
  • Cross Availability Zones Cluster.
  • Security Gateways Auto Scaling Group for Gateway Load Balancer (GWLB).

Harmony Endpoint

Endpoint Policy Management

Use SSO to connect to the Endpoint Web Management Console.

Remote Access VPN

Exclude SAAS applications (such as Office 365) from the remote-access VPN domain.Authenticate Remote Access VPN users with SAML.