R81.10 has been released
Check Point released its newest version R81.10 on July 6th.
Check Point says: “R81.10 brings a major improvement in operational security efficiency across the management server’s reliability, performance, and scale. Critical operations such as APIs, High Availability synchronization, and login are more reliable and faster than ever. In addition, the SmartConsole is automatically updated with the latest fixes and improvements. R81.10 adds new dynamic log distribution to add log server capacity on demand. And as part of Scalable Platforms, R81.10 brings a unique mix and match ability to leverage different Quantum security gateways within a single Quantum Maestro security group.”
What’s New in R81.10
Quantum Security Gateway and Gaia
- Maestro Orchestrator is aligned with the latest version R81.10 as part of the main-train release and includes the latest Gaia fixes and improvements.
- Ability to upgrade Security Groups and Orchestrators to the latest R81.10 version. For the list of supported versions, see “Supported Upgrade Paths” on page 17 of the Release Notes.
- Mix appliances – The ability to include different appliance models in the same Security Group.
- Alignment with standard Security Gateway features:
  - VPN Tunnel Interface (VTI)
  - Route Based VPN
  - Enable BGP and OSPF Dynamic Routing Protocols on VTIs
  - Tunnel Management – Permanent Tunnels
  - Tunnel Testing for Permanent Tunnels
  - Dead Peer Detection (DPD)
  - Link Selection
    - Service Based Link Selection (sk56384)
    - IP Selection by Remote Peer
    - High Availability
    - Load Sharing
    - Outgoing Route Selection
    - Route-based probing
  - Back-to-back tunnels (hub and spokes)
  - Maestro as a center in a Star community – Satellite peers can communicate with each other through the Center.
  - Client-to-Site Traffic over a Site-to-Site VPN Tunnel (Client -> Maestro Gateway -> VPN Peer Gateway -> resource)
  - Client to Site to Client through a Maestro Gateway (Client -> Maestro -> Client)
  - VPN local connections that originate from Maestro Security Group Members
  - Initiate a connection from a Security Group Member if the connection’s destination requires encryption
  - Identity Awareness via VPN – The Identity Source (users database) can be located across a VPN tunnel (especially in the cloud)
- Configure Bridge and Multi-Bridge interfaces on regular Virtual Systems (not in Bridge Mode) to use features that require an IP address to work, such as Identity Awareness, Threat Emulation, UserCheck Web Portal and Captive Portal.
- VPN performance enhancements – Site to Site VPN and Remote Access clients are now handled by two different processes.
- Use a loopback interface with Dynamic Routing in ClusterXL environments.
- Tighten your policy and reduce the risk of human error through Access Control Rule Base settings and defaults. Watch the video.
  Note: The new defaults apply only to new R81.10 installations. Upgraded environments can use this feature; however, the default behavior from previous versions is kept.
- IPv4 PIM enhancements and stability fixes.
- Ability to reset OSPFv2 counters.
- Ability to configure a Source-Specific Multicast (SSM) source for an IGMPv3 Group.
- Support for ECMP algorithms to provide traffic load balancing:
  - Based on the 2-tuple hash of Source and Destination
  - Based on the 5-tuple hash of Source, Destination, Source Port, Destination Port, and Protocol
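The difference between the two ECMP hash modes is easiest to see by running a handful of flows through both. The following Python model is an added example, not Check Point code, and it does not reproduce the gateway’s real hash function (SHA-256 is used as a stand-in); the next-hop names and the sample flows are constructed. What it shows is the operational trade-off: a 2-tuple hash pins every flow between the same pair of hosts to one next hop (predictable path, easier stateful troubleshooting, but a single host pair can never use more than one link), while a 5-tuple hash spreads the same host pair across links per connection while still keeping each individual connection on one path.

```python
import hashlib
from collections import Counter

# Constructed next-hop names; in practice these are the ECMP routes' gateways.
NEXT_HOPS = ["hop-A", "hop-B", "hop-C", "hop-D"]


def flow_key(src, dst, sport, dport, proto, tuple_size):
    """Build the field set that the ECMP hash is computed over."""
    if tuple_size == 2:
        fields = (src, dst)                          # Source, Destination
    elif tuple_size == 5:
        fields = (src, dst, sport, dport, proto)     # + ports and protocol
    else:
        raise ValueError("tuple_size must be 2 or 5")
    return "|".join(str(f) for f in fields).encode()


def pick_next_hop(src, dst, sport, dport, proto, tuple_size, next_hops=NEXT_HOPS):
    """Deterministically map a flow to one of the equal-cost next hops.

    SHA-256 stands in for the gateway's (undocumented here) hash; any
    stable hash gives the same property: same key -> same next hop."""
    digest = hashlib.sha256(flow_key(src, dst, sport, dport, proto, tuple_size)).digest()
    return next_hops[int.from_bytes(digest[:8], "big") % len(next_hops)]


def distribute(flows, tuple_size, next_hops=NEXT_HOPS):
    """Return how many of the given flows land on each next hop."""
    return Counter(pick_next_hop(*f, tuple_size, next_hops) for f in flows)


# Constructed sample: 20 TCP connections from one client to one server,
# each using a different ephemeral source port (proto 6 = TCP).
SAME_PAIR_FLOWS = [("10.1.1.10", "192.0.2.80", 40000 + i, 443, 6) for i in range(20)]


def hops_used(flows, tuple_size):
    """Distinct next hops chosen for a set of flows under a given hash mode."""
    return set(distribute(flows, tuple_size))


if __name__ == "__main__":
    print("2-tuple:", distribute(SAME_PAIR_FLOWS, 2))
    print("5-tuple:", distribute(SAME_PAIR_FLOWS, 5))
```

Read the two Counters side by side: the 2-tuple run puts all 20 connections on a single next hop, while the 5-tuple run splits them across links. When choosing the mode, weigh that against anything downstream that expects all traffic between two hosts to traverse the same path (asymmetric routing through stateful devices is the usual surprise).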
Gaia Operating System
- Ability to configure (only in Gaia Clish) the Ciphers and Message Authentication Codes (MACs) for the built-in OpenSSH Server.
- Ability to configure the access to Gaia REST API for specific users.
- Added the SNMP OID that returns the current number of entries in the ARP table.
- Administrators can use the CLI to configure the TLS version of the Gaia portal.
- Gaia API updated to the latest released version (version 1.5), including new API calls for:
  - Static route
  - Scheduled snapshots
- Extended support for up to 10 ISP links.
- Automatic Threat Extraction updates – Threat Extraction security improvements and new features are downloaded and applied automatically, without the need for human intervention.
- AES encryption type configuration for Kerberos Ticket Encryption Methods is now available through SmartConsole. For more information, see sk111945.
Quantum Security Management
Security Management Servers Enhancements
- Significant improvements to the stability and performance of the Management Server, especially for large Management environments under high load:
  - Administrator operations on the Management Server, such as backup and restore and revisions purge, are drastically faster.
  - Faster execution of Management API functions.
  - Search and navigation in SmartConsole work more smoothly when concurrent SmartConsole administrators are connected.
  - Improved stability of the login process to the Management Server using SmartConsole or the Management API when the Management Server is under heavy load.
Management REST API
- New export, import, and upgrade Management APIs for primary Security Management Servers or Multi-Domain Servers.
- Unified Management API commands for:
  - Domain export and backup
  - Domain import and restore
- SmartLSM – REST API commands to simplify the creation of ROBO Gateways.
- Automatic updates – SmartConsole detects and installs client updates for the same major version. For more information, see sk171315.
Logging and Monitoring
- IPS and Anti-Bot logs now include a MITRE ATT&CK section that details the techniques used in malicious attack attempts. This section makes an attack easier to understand from the log card, allows the data to be exported to external SIEM systems, and provides easy search and filtering of attack events based on MITRE techniques.
- Dynamic log distribution – Configure the Security Gateway to distribute logs between multiple active Log Servers, to support a higher log rate and Log Server redundancy.
- Enhancements to logging services stability.
Management High Availability
- Synchronization and stability enhancements.
- Significant Full sync duration improvement.
- IoT Controller support for Multi-Domain Security Management.
- Use group objects, multiple IP addresses and IP ranges in LSM profiles.
CloudGuard Network Security
- Use AWS Security Token Service (STS) AssumeRole to simplify access to AWS Data Centers.
- Create Azure Data Centers on different Azure cloud environments in parallel including Azure Global, Azure Government, and Azure China.
Harmony Endpoint Web Management enhancements allow these configurations:
- Media Encryption & Port Protection policy
- Firewall policy
- Application Control policy
- Developer protection policy
- Push Operation for Host Isolation and Client Uninstall