R81 EA Program now available
Check Point introduced the R81 Early Availability program for production environments today. The GA release of R81 is expected later this year.
From the announcement on CheckMates:
R81 is the industry’s most advanced threat prevention and security management software for the data center, cloud, mobile, endpoint and IoT environment. R81 is equipped with every Quantum Security Gateway™ and features the highest level of security from SandBlast Zero-day protection to extend coverage for all products and protocols. R81 has some of the biggest innovations and features to arrive on the SmartConsole: The new Infinity Threat Prevention policy profiles for out-of-the-box security policies, the new MITRE ATT&CK View in SmartEvent and an all new Mobile Access Portal with a new design, improved user experience and full support for modern browsers. R81 is recognized for superior access control and policy organized in layers and sub-layers, single pane of glass management and provides the ability for admins to work in conjunction with granular multi-tasking features – all of which is unique to Check Point.
If you would like to participate in the R81 Production EA Program, you need to fill in this enrollment survey.
New in this release
Infinity Threat Prevention
Infinity Threat Prevention is a new Threat Prevention management model, which uses an intelligent cyber security policy from the cloud to provide:
- Out of the box policy profiles based on business and IT security needs.
- Easy selection and assignment of a policy profile tailored to different needs.
- Automatically updated policy profiles with the latest technologies and recommendations that protect from evolving cyber security threats.
- Zero daily maintenance of policies and protections, without compromising on security or connectivity.
Administrators can still perform manual changes to override Check Point’s recommended policies and profiles in a granular way to best serve their organization’s need.
- Custom intelligence feeds can now be managed through SmartConsole. Add, delete or modify feeds fetched by the Security Gateways as well as import files in CSV or STIX 1.x formats.
- Threat Extraction now works with ICAP servers in addition to Threat Emulation and Anti-Virus.
Security Gateway and Gaia
- Azure Active Directory support in Identity Awareness – Use Azure AD users and groups for authentication and authorization using Identity Awareness Access Role picker.
- Generic Data Center – A new type of Data Center object provides the ability to enforce access to or from IP addresses defined in files located in external web servers. Objects created based on these files can be used in the Source and Destination columns of Access Control, NAT and Threat Prevention rulebases. The enforced IP addresses are automatically updated without the need for policy installation.
- Support for Domain objects, updatable objects, security zones, access roles and data center objects in the NAT rule base.
- Hit count for NAT rules.
VSX now supports:
- Virtual Router configuration in VSX VSLS mode.
- Multi-Bridge configuration in VSX VSLS mode.
- Configuration of bridge interfaces on standard Virtual System in VSX.
- Blades support with bridge interfaces in VSX.
- Configuration of VSX Gateway and VSX Cluster objects using Management REST APIs.
- Dynamic Routing VPN using Virtual Tunnel Interface (VTI) in VSX mode.
- DNS server configuration independently per Virtual System in VSX.
- Proxy server configuration independently per Virtual System in VSX.
- QoS configuration independently per Virtual System in VSX.
- Downgrade of VSX management objects to previous releases using the VSX_util downgrade tool.
- The acceleration module now automatically adjusts the number of CoreXL SNDs, Firewall instances and the Multi-Queue configuration based on the current traffic load by default.
- Improved handling of IOCs for indicators based on source IPv4 and IPv6 addresses.
- A fresh and modern user interface.
- Improved user experience:
- Redesigned scan results.
- The SNX connection pop-up is obsolete.
- More accessible to non-English speakers.
- Ability to launch all applications in separate tabs without losing the main page window.
- One click sign-out.
- Simplified customization capabilities to easily utilize a customer’s brand identity.
- Full support for mainstream browsers running on all major platforms.
Scheduled Gaia Snapshots
New Gaia Scheduled Snapshot option lets you automatically back up and export a server’s configuration.
Support for additional network interface:
- gVNIC (Google Compute Engine virtual Network Interface).
- Support for additional tunneling protocols:
- Virtual Extensible LAN (VXLAN).
- Generic Routing Encapsulation (GRE).
Gaia REST API
- First time wizard configuration allows setting the machine as a Gateway/Management/Multi-Domain/Log Server using API.
- Control of IPv6 status.
A new management API allows running API commands on a Security Gateway from the Security Management Server.
- Enhancements for additional Dynamic Routing features:
- OSPFv3 AH authentication for OSPFv3 protocol security.
- IPv6 route aggregation – Reduces the number of prefixes advertised to neighbor routers improving performance and scaling.
- IPv4 NAT-pool routes – Configuring and redistributing NAT-pool routes to routing protocols.
- Routing Information Protocol (RIP) route sync.
- Data Center Query Objects – A simplified way to build queries using Data Center Objects to represent multiple Data Centers in the Security Policy. This provides easier and more efficient separation of responsibilities for managing Data Centers.
- Kubernetes Data Center – Added CloudGuard Controller support for Kubernetes Clusters. Administrators can now create a Kubernetes-aware security policy for Kubernetes North-South traffic.
- CloudGuard Controller now uses the system proxy for connections to all Data Centers.
- A new object category in SmartConsole’s object explorer called “Cloud” that aggregates all Data Centers, Data Center objects and Data Center queries into one.
CloudGuard Data Centers Integration of CloudGuard IaaS for East-West deployments using VMware NSX-T.
- Cross-Domain Management Server Search lets you search for objects across multiple Domain Management Server databases.
- High Availability for Domain Management Server using Security Management Server. A Security Management Server can operate as a standby management Domain Management Server.
- Configure a dedicated Log Server and a dedicated SmartEvent server for an individual Domain in a Multi-Domain environment.
Concurrent Security Policy installation – One administrator or more can run several policy installations on different gateways at the same time.
- Support for multiple TACACS servers to utilize redundancy for administrators authenticating to SmartConsole.
- Central Deployment using SmartConsole:
- Allows upgrade between major versions.
- VSX upgrade.
- Use offline installation packages; the Security Gateway does not have to be connected to the internet. Import the installation packages to the Security Management Server and distribute them to targets.
- Diff report – generate a report that lists the differences between two revisions or lists the changes performed during a private session.
A new MITRE ATT&CK view provides the ability to investigate security issues according to the MITRE defense models, and extract immediate action items based on the mitigation flow.
Management Server Upgrade
Significant improvement in the upgrade process for Security Management Servers upgrading from R80.20 and higher to R81.
Logging and Monitoring
- New API for log queries provides the ability to fetch logs through API. Use a single API management command to query for logs or statistics.
- Significant improvement in log indexing, queries and SmartEvent views and reports.
- Export logs with timestamps in milliseconds, to more easily and efficiently construct a chain of events.
- Log attachment API provides an automated way to fetch log attachments using Log Exporter, or API for logs.
- Endpoint Web Management – a new Web-based management interface for Endpoint Threat Prevention components.
- Communication with management services remains on port 443 instead of port 4434 when the Endpoint Management component is activated.
Endpoint Policy Management
- Anti-Malware support for shared signature locations to support non-persistent VDI environments.
- Application Control policy changes (multiple applications per EXE, terminate on execution, WSL, Developer protection).
- Compliance integration with Windows Server Update Services (WSUS).
- Full Disk Encryption support for custom HD images.
- TACACS authentication for Web Remote Help (WebRH).
Remote Access VPN
- Significant performance improvements for Remote Access VPN clients using Visitor Mode.