Check Point releases R81
Check Point released its newest major version today, introducing Cyber Security Platform R81 as the industry’s most advanced Threat Prevention and security management software, delivering uncompromising simplicity and consolidation across the enterprise.
R81 already has a lot of new and exciting features, and more will follow through Jumbo Hotfixes (like support for Dynamic Split on VSX).
You can find all details regarding R81 here, along with the Release Notes, Resolved Issues and Known Limitations.
What’s new in R81?
Infinity Threat Prevention
Infinity Threat Prevention is an innovative management model that:
- Provides zero-maintenance protection from zero-day threats, and continuously and autonomously ensures that your protection is up-to-date with the latest cyber threats and prevention technologies.
- Empowers administrators with out-of-the-box policy profiles based on business and IT security needs.
- Streamlines the configuration and deployment of policy profiles across gateways.
- Provides simple and powerful customization to best serve your organization’s needs.
- Manage your custom intelligence feeds through SmartConsole. Add, delete or modify IoC feeds fetched by the Security Gateways, and import files in CSV or STIX 1.x formats.
- Threat Extraction is now supported on ICAP server mode, in addition to Threat Emulation and Anti-Virus.
- Improved use of IoCs for indicators based on source IPv4 and IPv6 addresses.
Note: Administrators can still perform granular manual changes to override Check Point’s recommended policies and profiles.
Security Gateway and Gaia
Scalable Platforms is part of the R81 release and is currently in Early Availability. Register here for the Early Availability program.
- HTTPS Inspection supports the FutureX Hardware Security Module (HSM) by storing outbound HTTPS Inspection cryptographic keys and certificates on the HSM server.
- Implementation of TLS 1.3 for SSL inspection.
  - TLS 1.3 is off by default and is only applicable when User Space Firewall (USFW) is active.
  - Hardware Security Module (HSM) is not supported with TLS 1.3.
- Generic Data Center – Use Generic Data Center Objects in the Source and Destination columns of Access Control, NAT, Threat Prevention and HTTPS Inspection rules to enforce access to or from IP addresses defined on external web servers. IP addresses defined in the object are automatically updated without the need for policy installation.
- Support an unlimited number of languages in UserCheck objects.
- Accelerated Policy Installation – A new Access Control policy installation flow that optimizes common use-cases and drastically speeds up the installation. The Policy installation is accelerated based on the changes made to the Access Control policy since the last installation. To learn more about Accelerated Policy Installation refer to the R81 Security Management Administration Guide.
- Concurrent Security Policy installation – One or more administrators can run multiple installation tasks of different policies on multiple gateways at the same time.
NAT Rule Base
- Support for Domain objects, Updatable objects, Security Zones, Access Roles and Data Center objects.
- Hit count for NAT rules.
- Azure Active Directory support for Identity Awareness – Use the Identity Awareness Access role picker to authenticate and authorize Azure AD users and groups.
- Identity Awareness nested groups – Discovers all the groups a user belongs to from the branch specified in the LDAP account unit in one query.
- Security ID (SID) support for Identity Awareness – Move users and groups to different LDAP Organizational Units without the need to modify the Access Role Policy.
Note: The Security ID (SID) feature is off by default. Refer to the R81 Identity Awareness Administration Guide for more information.
- Ability to configure multiple ciphers for external Gateways in a single VPN community. Use granular encryption methods between two specific VPN peers.
- Support for SHA-512 encryption method.
- A fresh and modern user interface with improved user experience:
  - Redesigned scan results
  - Discontinued the SNX connection pop-up
  - Greater accessibility for non-English speakers
  - Launch all applications in separate tabs without losing the main page window
  - One click sign-out
  - Simplified customization to easily utilize a brand identity
  - Full support for mainstream browsers that run on all major platforms
- Clientless RDP and SSH access through Mobile Access Blade’s browser portal using Apache’s Guacamole™ software suite
- Support for custom AD attributes to allow mapping of end-users to their office desktops for personalized portal link display and Access Control
- Geo-Cluster in HA mode for cloud environments – Supports the configuration of the cluster Sync interface on different subnets while allowing L3 communication between the members on the sync interface. L2 connectivity and a trusted network between the cluster members (although still available) are no longer mandatory.
- Configure Virtual Router in VSX VSLS mode.
- Configure Multi-Bridge in VSX VSLS mode.
- Configure bridge interfaces on a standard Virtual System in VSX.
- Use Threat Emulation and Identity Awareness Software Blades on Virtual Systems in Bridge mode.
- Configure VSX Gateway and VSX Cluster objects using Management REST APIs.
- Configure Dynamic Routing VPN through Virtual Tunnel Interface (VTI) in VSX mode.
- Independent QoS, DNS and Proxy server configuration per Virtual System.
- VSX_util tool to downgrade VSX management objects to earlier versions.
- Enhanced Multi-Queue distribution of IPsec VPN traffic.
Remote Access VPN
- Significant performance improvements for Remote Access VPN clients in Visitor Mode.
- Support for strongSwan IPsec clients on different Linux distributions.
- Scheduled Gaia Snapshots – Use Gaia Scheduled Snapshot to automatically back up and export configuration settings.
- Added support for:
  - The Google Compute Engine virtual Network Interface (gVNIC).
  - Additional tunneling protocols:
    - Virtual Extensible LAN (VXLAN).
    - Generic Routing Encapsulation (GRE).
- Link Layer Discovery Protocol (LLDP) configuration through CLISH and the Gaia Portal.
- IP conflict detection – Monitor and detect duplicate IP addresses located in the network.
- Multi-Queue for Management and Sync interfaces.
Gaia REST API
- API to set your device as a Gateway/Management/Multi-Domain/Log Server in the First Time Configuration Wizard.
- Control IPv6 status.
- Enhancements for additional Dynamic Routing features
- OSPFv3 AH authentication for OSPFv3 protocol security.
- IPv6 route aggregation – Reduces the number of prefixes advertised to neighbor routers to improve performance and scaling.
- IPv4/IPv6 NAT-pool routes – Configure and redistribute NAT-pool routes to routing protocols.
- Routing Information Protocol (RIP) route sync.
- PIM restart capability.
- BGP support for VXLAN interfaces.
- Dynamic Routing support for GRE interfaces.
- Data Center Query Objects – Use Data Center Objects to represent multiple Data Centers in the Security Policy when you build queries. This provides easier and more efficient division of the responsibilities to manage Data Centers.
- New Data Centers support:
  - Kubernetes Data Center – Added CloudGuard Controller support for Kubernetes Clusters. Administrators can now create a Kubernetes-aware security policy for Kubernetes North-South traffic.
  - VMware vCenter version 7.
- CloudGuard Controller can use the system proxy for connections to all Data Centers.
- A new object category in SmartConsole’s object explorer called “Cloud” aggregates all Data Centers, Data Center objects and Data Center queries into one.
CloudGuard Data Centers
- Integration of CloudGuard IaaS for East-West deployments using VMware NSX-T.
Use SmartConsole to:
- Upgrade Security Gateways and Clusters between major versions
- Upgrade VSX Gateways and VSX Clusters
- Install offline packages – The Security Gateway does not need to be connected to the internet to import the installation packages to the Security Management Server and distribute to targets
- Cross-Domain Management Server Search to search for objects across multiple Domain Management Server databases.
- High Availability for Domain Management Server with the Security Management Server. A Security Management Server can operate as a standby or an active Security Management in a Management High Availability setup.
- Configure a dedicated Log Server and a dedicated SmartEvent server for an individual Domain in a Multi-Domain environment.
Management REST API
- General performance improvement to Management REST API.
- API throttling for login commands, to prevent load on the Security Management Server.
- New API commands for: User Management, Identity Tags, Multi-Domain Server, High Availability, Automatic Purge and much more. Visit the Check Point API reference for more information.
- Use the Security Management Server to run REST API commands on a gateway.
- Support for multiple TACACS servers to utilize redundancy when administrators authenticate to SmartConsole.
- Changes Report – Generate a report that lists the changes between two revisions or lists the changes performed during a private session.
- Administrators can now view, add and delete licenses through SmartConsole.
- Support for CloudGuard Edge configuration in SmartConsole.
- A new MITRE ATT&CK view to investigate security issues according to the MITRE defense models, and extract immediate action items based on the mitigation flow.
Management Server Upgrade
- Significant performance improvement in the upgrade process for Security Management Servers upgrading from R80.20 and higher to R81.
Logging and Monitoring
- New API for log queries to fetch logs through API. Use a single API management command to query for logs or statistics.
- Significant improvement in log indexing, queries and SmartEvent views and reports.
- Export logs with timestamps in milliseconds, to construct a chain of events more easily and efficiently.
- Log attachment API to automatically fetch log attachments with Log Exporter, or API for logs.
- SandBlast Agent Web Management – A new Web-based management interface for Endpoint Threat Prevention components.
Note: For the best user experience it is recommended to use SandBlast Agent Web Management with Google Chrome.
- Communication with management services remains on port 443 instead of port 4434 when the Endpoint Management component is activated.
- Anti-Malware support for shared signature locations to support non-persistent VDI environments.
- Manage URL Filtering capabilities of SandBlast Agent Browser Extension.
- Application Control policy changes – Support multiple versions per product, terminate application and block WSL (Windows Subsystem for Linux).
- New set of Developer Protections for developers' computers.
- Compliance integration with Windows Server Update Services (WSUS).
- TACACS authentication for Web Remote Help (WebRH).
- Media Encryption & Port Protection – Import device overrides from a file.