R80.40 GA now available!
Check Point released their newest version R80.40 as a General Available release today.
Have a look at sk160736 for all information regarding R80.40 GA.
The Release Notes of R80.40 GA can be found here.
A list with R80.40 GA Resolved Issues can be found here.
And last but not least, don’t forget to read the R80.40 GA Known Limitations here.
What’s New?
IoT Security
A new IoT security controller to:
- Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis).
- Configure a new IoT dedicated Policy Layer in policy management.
- Configure and manage security rules that are based on the IoT devices’ attributes.
HTTPS Inspection
HTTP/2
HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results with a better user experience.
- Check Point’s Security Gateway now supports HTTP/2 and benefits better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol.
- Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS Inspection capabilities.
HTTPS Inspection Layer
Provides these new capabilities:
- A new Policy Layer in SmartConsole dedicated to HTTPS Inspection.
- Different HTTPS Inspection layers can be used in different policy packages.
- Sharing of a HTTPS Inspection layer across multiple policy packages.
- API for HTTPS Inspection operations.
Threat Prevention
Optimized Security and Productivity for the Different Modes – Threat Extraction works with Threat Emulation to provide users with more productivity without compromising security
- Background Mode is now called Rapid Delivery to prevent many more malicious files within the emulation window of 3 seconds.
- Hold Mode is now called Maximum Prevention and provides improved productivity to ensure that all Threat Extraction cleaned documents deliver quickly to end users. Maximum Security minimizes the time users wait without a compromise on security.
Threat Extraction
Automatic Engine Updates – Like the automatic updates to the Threat Emulation engines, you can now receive Threat Extraction updates automatically on your gateways. There is no need to update to a hotfix or a major version. Security improvements, new features and more do not require intervention.
To learn more, refer to the Advanced Threat Emulation Settings Chapter in the R80.40 Threat Prevention Administration Guide.
Anti-Virus and SandBlast Threat Emulation
- MITRE ATT&CKTM Reporting – Threat Emulation Forensics Reports now include a detailed MITRE ATT&CK Matrix with the detected adversary tactics and techniques for every malicious executable file.
- Enhanced Support for Archive Files – this engine release includes significant improvements inhandling archive files:
- Support for password protection for all supported file types, including .7z and .rar. For more details, please refer to sk112821.
- An improved mechanism to “guess” passwords automatically when it opens password protected archives for emulation.
- Added support for password-protected archives when the password includes Unicode characters.
- Stability improvements.
- Faster delivery of an emulation verdict for documents with embedded files.
- Enhanced Support for Password-Protected Documents:
- Admins can now configure a default action for password-protected documents. If such a file is emulated, the file is allowed or blocked by default. To configure a default action, follow the instructions in sk132492.
- New File Types and Protocols:
- Attachments from Nested MSG Files – Threat Emulation now supports emulation for files that attach to MSG files that attach to other MSG files.
- Support for new Archive Formats – WIM, CHM, CramFS, DMG, EXT, FAT, GPT, HFS, IHEX, MBR, MSI, NSIS, NTFS, QCOW2, RPM, SquashFS, UDF, UEFI, VDI, VHD, VMDK, LZH, ARJ, CPIO, AR.
- SCP and SFTP file transfers can be scanned using SSH Deep Packet Inspection.
- SMBV3 Multi-Channel Connections – Multi-channel file transfer is on by default on all Windows operating systems. The Check Point Gateway is now the only one in the market that inspects large file transfers through SMBv3 (3.0, 3.0.2, 3.1.1) over multi-channel connections.
- Enhanced Logging for Emulated Archive Files:
- The archive file log includes the names of all the files inside.
- A new log generates for every extracted file from the archive with its emulation results. This log contains the name of the archive file. Logs correlate easily between the archive file and those of the files it contains.
- Importing SHA-256 IOCs – Anti-Virus now supports SHA-256 hashes as Indicators of Compromise (IOCs). Administrators can import SHA-256 IOCs manually or connect the gateway to a live feed of SHA-256 IOCs. For more information, refer to sk132193.
- Replacing the Threat Emulation API Certificate – Administrators can now upload their own certificate to use for Threat Emulation API calls to their Threat Emulation appliance. For more information, refer to sk160693.
Email Security
- Enhanced Support for POP3 and IMAP protocols – Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail over the POP3 protocol and improve inspection of e-mail over the IMAP protocol.
- Enhanced Protection against BaseStriker – MTA Gateways now protect against malicious emails with URLs that use the BaseStriker technique.
- Bounce Messages Behavior Change – Modifies the configuration of the MTA so that it tries to send bounce messages only once whether it reaches its destination or not.
- Enhanced Threat Emulation inspection for files behind shortened links – The body of an email sometimes includes customized Bitly links that point to files. With this release, Threat Emulation scans the files behind these links to detect zero-day attacks. This capability requires Threat Emulation and Anti-Virus to be enabled and MTA must be configure for the Security Gateway.
- [Early Availability] Click-Time URL Protection – The MTA gateway can now re-write links in incoming emails. When users click on them, the resources (web sites or files) behind the links have inspections again. This prevents delayed attacks where attackers replace the resource behind the link after the email delivery
- [Early Availability] Anti-Phishing Engine – The MTA gateway introduces a new State of the Art Anti- Phishing engine. This design alerts against and prevents sophisticated phishing, spear phishing, and targeted phishing attacks.
Want to join the beta and hear more? Contact us at email_security@checkpoint.com.
Other Enhancements
Dynamic, Domain and Updatable Objects can be used in Threat Prevention and HTTPS Inspection Policies.
Access Control
Identity Awareness
- Support for Captive Portal integration with SAML 2.0 and third party Identity Providers.
- Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.
- Enhancements to Terminal Servers Agent for better scaling and compatibility.
IPsec VPN
- Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:
- Improved privacy – Internal networks are not disclosed in IKE protocol negotiations.
- Improved security and granularity – Specify which networks are accessible in a specified VPN community.
- Improved interoperability – Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
- Large Scale VPN (LSV) environment – using LSV profiles provides the ability to connect Externally Managed and Third Party VPN peers seamlessly by simply providing them with the same CA certificate used by central Security Gateway.
URL Filtering
- Improved scalability and resilience.
- Extended troubleshooting capabilities.
Application Control
- Improved performance, diagnostics and monitoring tools.
NAT
- Enhanced NAT port allocation mechanism – on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse.
- NAT port utilization monitoring in CPView and with SNMP.
Voice over IP (VoIP)
- Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.
Remote Access VPN
- Machine Certificate Authentication – use machine certificate to distinguish between corporate and non-corporate assets adding the ability to restrict access to corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).
Mobile Access Portal Agent
- Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.
Mobile Access
- SMB v2/3 mount support in Mobile Access blade.
Security Gateway and Gaia
CoreXL and Multi-Queue
- Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load. To learn more, refer to R80.40 Performance Tuning Administration Guide.
- Priority Queues are enabled by default. For more information see sk105762.
Clustering
- Multi-Version Clustering (MVC) – ClusterXL acts like a standard cluster running cluster members with different software versions during upgrade scenarios supporting redundancy between members and state synchronization.
- New ClusterXL mode: Active-Active ,supports running several cluster members in ACTIVE state, each member is a part of a separated routing domain and handles its own traffic, redundancy is kept during failover.
- Geo-Clustering in Active-Active mode – Supports the configuration of the cluster Sync interface on different subnets while allowing L3 communication between the members on the sync interface. making the requirement for L2 connectivity and a trusted network between the cluster members (while working in Active-Active mode) obsolete.
- Support for Cluster Control Protocol (CCP) in Unicast mode for any number of cluster members eliminating the need for CCP Broadcast, Multicast or Automatic modes.
- Configuring VMAC does not require changing the NIC to promiscuous mode.
- Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.
- Cluster Control Protocol encryption is now enabled by default.
VSX
- Support for VSX upgrade with CPUSE in Gaia Portal.
- Support for Active Up mode in VSLS.
- Support for CPView statistical reports for each Virtual System.
Zero Touch
- A simple Plug & Play setup process for installing an appliance – eliminating the need for technical expertise and having to connect to the appliance for initial configuration.
Gaia REST API
- Gaia REST API provides a new way to read and send information to servers that run Gaia Operating System. See sk143612.
CloudGuard IaaS
AWS Data Center enhancements:
- Load Balancer (ALB and NLB) objects are supported.
- Security Groups support the use of tags.
- Subnet objects include IP addresses from all associated Network Interfaces.
Azure Data Center improvements:
- Load Balancer (Public and Internal) objects are supported.
- Load Balancers, Virtual Networks, and Network Security Groups support the use of tags.
- Subnet objects include Front end IP addresses of the Internal Load Balancers.
Advanced Routing
- Enhancements to OSPF and BGP allow to reset and restart OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon.
- Enhancing route refresh for improved handling of BGP routing inconsistencies.
New kernel capabilities
- Upgraded Linux kernel
- New partitioning system (gpt):
- Supports more than 2TB physical/logical drives.
- Faster file system (xfs).
- Supporting larger system storage (up to 48TB tested).
- I/O related performance improvements.
- Multi-Queue – Full Gaia Clish support for Multi-Queue commands.
- SMB v2/3 mount support in Mobile Access blade.
- Added NFSv4 (client) support (NFS v4.2 is the default NFS version used).
- Support of new system tools for debugging, monitoring and configuring the system.
Security Management
Revert to Revision
The Security Management Server architecture supports built-in revisions. Each publish operation saves a new revision that contains only the delta from the previous revision allowing:
- Safe recovery from a crisis, restore a Domain or a Management Server to a good known revision.
- Improved policy verification process based on the difference between the current policy and the one contained in the revision database.
Multi-Domain Server
- Back up and restore an individual Domain Management Server on a Multi-Domain Server.
- Migrate a Multi-Domain Security Management from one Multi-Domain Server to a different Multi-Domain Server.
- Migrate a Security Management Server to become a Multi-Domain Security Management on a Multi-Domain Server.
- Migrate a Domain Management Server to become a Security Management Server.
SmartTasks and API
- DevOps teams can automate their security and transform it into DevSecOps workflows using Ansible and Terraform. Automate security responses to threats, provision both physical and virtualized next-generation firewalls and automate routine configuration tasks, saving time and reducing configuration errors.
- For more information about Check Point Ansible module see Check Point Ansible security modules.
- For more information about Check Point Terraform provider see Check Point Terraform Provider.
- New Management API authentication method that uses an auto-generated API Key.
- New Management API commands to create cluster objects.
- SmartTasks – Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.
- Significant increase of performance for multiple set/edit/delete object commands with Batch API.
CloudGuard Controller
- Generate Events and Automatic Reactions based on CloudGuard Controller logs and events.
- Performance enhancements for connections to external Data Centers.
- Integration with VMware NSX-T.
- Support for additional API commands to create and edit Data Center Server objects.
SmartConsole
- Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or via API allowing multiple Security Gateways and Cluster installations in parallel.
- Object search – support for partial word search using a wildcard, for example: a match is returned for searching *oba for an existing Host named: USGlobalHost
SmartEvent
- Share SmartView views and reports with other administrators.
Log Exporter
- Export logs filtered according to field values.
- Generate SIEM compatible Threat Emulation and Forensics reports.
Endpoint Security
- Collect Logs push operations – upload logs and debug information automatically to an FTP server.
- Support for BitLocker encryption with Full Disk Encryption.
- Support for external Certificate Authority certificates for Endpoint Security client authentication and communication with the Endpoint Security Management Server.
- Support for dynamic size of Endpoint Security Client packages based on the selected features for deployment.
- Policy can now control the level of notifications to end users.
- Randomize the Malware scan time to make sure that not all computers do a scan at the same time. This makes sure that network performance is not affected by many simultaneous scans.
- Uninstall Endpoint Security clients using a Challenge-Response process.
- Gaia Backup includes Endpoint Management components.
- All client-server communication use HTTPS.
- Endpoint Security Clients can connect to the Endpoint Security Management Server using FQDN in addition to the IP Address.