Check Point released its newest version R81.20, also known as Titan, today.

Check Point says “The Quantum Cyber Security Platform R81.20 (Titan) Release delivers significant innovations in Advanced Threat Prevention, Security Management, and Security Performance. In addition, Check Point has expanded on-premises and cloud network security through new and upcoming advanced cloud-based Check Point applications and services. By upgrading to R81.20, these new cloud-based applications offer powerful feature upgrades on Check Point Security Gateways, without requiring an upgrade to the next software release.”

R81.20 (Titan) delivers new security capabilities. R81.20 (Titan) uses AI Deep Learning to prevent 5x more DNS attacks in real time and also a firewall-based Zero-Day phishing prevention which blocks 4x more Zero-Day phishing attacks. With Quantum IoT Protect your IoT assets will be discovered with the Quantum Security Gateways and it uses Autonomous Zero Trust Profiles to only allow necessary IoT device communication and prevent threats that target IoT assets. For Maestro the new R81.20 (Titan) adds Auto-Scaling to provide dynamic performance scaling for mission critical apps and large workloads by shifting firewall resources in and out of Security Groups. Quantum Hyperflow delivers 3x times higher throughput for elephant flows by automatically allocating more firewall CPU cores to process them upon detection.

You can find all details regarding R81.20 (Titan) here, along with the Release Notes, Resolved Issues and Known Limitations. For Scalable Platforms and Maestro you can find more here.

To find out more about important behavioral changes between versions of Quantum Releases starting R80.30 there is also a new SK article here.

What’s New in R81.20 (Titan)

Quantum Security Gateway and Gaia

Threat Prevention

• Zero Phishing prevents web browsing to Zero-Day phishing websites
  • Check Point Quantum Security Gateway enhances its web browsing protection to further prevent users from accessing phishing websites.
  • Powered by patented technologies and AI engines, the Security Gateway now uses Clientless In-Browser protection to prevent access to the most sophisticated phishing websites, both known and completely unknown (zero-day phishing websites).
  • The enhanced solution is available through the Security Gateway network flow, introducing dynamic security components that run within the browser with no need to install any client.
  • Delivered as part of your existing SandBlast (SNBT) license.
  • Works out of the box for Security Gateways with Autonomous Threat Prevention enabled.
• Up to 50% performance enhancement to IPS CIFS protections.
• IoC feeds now support a significantly greater number of observables for URLs, Domains, IP addresses, and Hashes – 2 million and more (only on the XFS file system), depending on the Security Gateway’s hardware specifications.
  On the EXT3 file system, the IoC feed is limited to a maximum of 250,000 indicators, depending on the Security Gateway’s hardware specifications.
  For more information about the file systems, see sk141432.
•  ICAP Server now supports secure ICAP communication over TLS.

IoT Protection

Instantly discover and protect your IoT assets with Quantum Security Gateways and Infinity to enforce automated Zero Trust policies:

• Discover IoT devices, routers, and switches connected to your network using your R81.20 Quantum Security Gateways.
• Assign automatically generated restrictive policies to IoT devices based on their Internet access requirement to allow only what is needed for the IoT devices to operate.

Note: IoT General Availability is planned to be part of the R81.20 Jumbo Hotfix Accumulator.

Maestro Hyperscale

• Maestro Auto-Scaling – Automatically assigns Security Appliances (scale units) to a Security Group when the configured conditions are met.
• Maestro Fastforward – Significantly improved throughput and latency for trusted connections. Maestro Fastforward offloads accept or drop policy rules to the Quantum Maestro Orchestrator for hardware acceleration and provides:
  • Sub-microseconds latency.
  • Port line-rate throughput for a single connection.
• Support for accelerated policy installation on Maestro Security Groups. See sk169096.
• Monitor utilization of NAT resources in CPView and with SNMP.
• Support gradual upgrade in the Multi-Version Cluster (MVC) mode.
• Scalable Platforms now support CoreXL Dynamic Balancing – Based on the current traffic load, the Security Group automatically changes the number of CoreXL SNDs, CoreXL Firewall instances, and the Multi-Queue configuration for zero traffic impact.
• Scalable Platforms now support Management Data Plane Separation (MDPS, sk138672).

VSX

• Configure DHCP Server on each Virtual System using Gaia Clish.

IPsec VPN

• Scalable VPN performance – 3 times faster to process simultaneous Remote Access and Site to Site VPN connections.
• Major performance and stability improvement for Remote Access VPN and Site to Site VPN that delivers a significantly greater capacity for VPN tunnels.
• Extended Security Gateway certificate validation capabilities for quicker authentication.
• Resilient VPN architecture – multi-process architecture to handle IKE negotiations in dedicated scalable daemons, providing unprecedented resiliency.

Clustering

• Added support for the “Same VMAC” feature. For more information, see the ClusterXL Administration Guide.

Access Control

• Dynamic Policy – Use a Network Feed object to customize a private web server feed definition for IP addresses or domains. The objects are automatically updated in Security Gateway without the need to install a policy. Updatable Objects uses the Network Feed to strengthen the dynamic configuration ability of the Access Control policy. See the Security Management Administration Guide.
• Performance improvements – Support for Updatable Objects, Domain objects, and Dynamic objects with the Optimized Drop feature (drop templates).

Advanced Routing

• Support for Intermediate System (IS-IS) routing protocol.
• Support for DHCP Relay Agent Information Option 82 to address several scaling and security issues that arise in public DHCP use.
• Support for OSPFv3 NSSA.
• Support for IPv6 Static MFC Cache to enable forwarding of multicast data without PIM configuration.
• Support for Routing Event Triggers to allow ClusterXL failover, and tearing down of BGP connections through monitored BGP and BFD sessions.
• Routing Protocol History for BFD to improve troubleshooting capabilities.
• NetFlow Live connections and Firewall rule ID UUID.

Gaia Operating System

• Configure a retention policy for Gaia scheduled backups and snapshots.
• Configure Gaia scheduled jobs to run hourly or at specified minute intervals.
• Configuring a logical next hop gateway in IPv6 static routes to send traffic through a specified interface.
• Configure the minimum number of required interface links for a bonding group in the 802.3AD mode.
• Use Gaia Clish commands to monitor NIC transceivers in appliance – module temperature, supply voltage, TX Bias voltage, Rx optical Power, and TX optical power.
• Automatic update to the NIC firmware during the ISO installation process for appliances that have 40GbE, 100/25GbE, and NVIDIA ConnectX 100G Cards.

CoreXL

• HyperFlow provides automatic system resource allocation by proper prioritization of tasks on highly utilized CPU cores and dynamically balances the tasks. Introducing seamless gateway tuning and optimization and improving single flow performance and spikes handling.
• In User Space Firewall (USFW), the number of IPv6 CoreXL Firewall instances is no longer limited, IPv6 Firewall instances can be increased up to the number of IPv4 Firewall instances.

Identity Awareness

• The Identity Awareness Gateway automatically identifies and excludes Service Account sessions acquired by the Identity Collector. For more details, see sk174266.
• Improved resiliency, scalability, and stability for PDPs and Identity Broker. Additional threads handle authentication and authorization flows.

Mobile Access

• OAuth 2.0 support for Capsule Workspace and Office 365.

Quantum Spark

• Central Deployment – Use SmartConsole to upgrade Quantum Spark and Quantum Edge Appliances. See the Security Management Administration Guide.
• Quantum Spark Appliances now support Identity Collector.
• Use SmartUpdate and SmartProvisioning (LSM) to manage Quantum Spark appliances that run R81.10.
• Quantum Spark Appliances now support transit connections to an Active Directory server on an internal network (appliances work as an AD proxy).

Quantum Security Management

Cloud Services Integration

• Integration between your on-premises Security Management Server and Infinity Portal:
  • Run cloud services that are managed in the Infinity Portal on your Security Management Server objects.
  • See a unified log view of all your Check Point products, on-premises and in cloud.
  • Run Management API calls securely on the on-premises Security Management Server from anywhere in the world through Infinity Portal.

See the Security Management Administration Guide.

SmartConsole

• SmartConsole can use SAML 2.0 to authenticate administrators with an Identity Provider. See the Administration Guide.

SmartWorkflow

• Send policy and configuration changes for a review and approval cycle by another administrator before applying the changes. See the Administration Guide.

SmartTasks

• New triggers – before and after working on a session that requires an approval, and for critical CloudGuard Controller events.
• New action – send an email with a detailed change report after publishing a session, after policy installation, and more.

See the Administration Guide.

Management REST API

Management API support for:

• Identity Awareness configuration on Security Gateways and Clusters.
• Configuration of HTTPS Inspection outbound certificate.
• Configuration of SmartLSM Gateways.
• Configuration of VPN settings on SmartLSM Gateways.

See the Check Point Management API Reference.

Upgrades

• Central Deployment of CPUSE packages in SmartConsole:
  • Gradually upgrade Quantum Cluster Members.
  • Upgrade Quantum Spark and Quantum Edge Appliances.
  See the Administration Guide.
• Pre-Upgrade Verifier results are now presented in the upgrade report.
• Simpler migration from a Standalone environment to a distributed environment located in Quantum Smart-1 Cloud or on-premises. See sk179444.
• Significant performance improvement of Multi-Domain Server upgrades by importing Domain Management Servers concurrently instead of sequentially.

CloudGuard Network Security

• CloudGuard Controller support for:
  • Oracle Cloud Infrastructure (OCI). See the Administration Guide.
  • Nutanix. See the Administration Guide.
  • New Azure resources – Application Security Groups, Private Endpoints. See the Administration Guide.
  • New AWS resources – Load Balancer tags. See the Administration Guide.
  • SmartTasks for CloudGuard Controller critical events. See the Administration Guide.
• Nutanix Flow support for CloudGuard Network Security Gateways.
• Amazon Web Services (AWS):
  • Cross Availability Zones Cluster (Geo Cluster).
  • Use of the Generic Network Virtualization Encapsulation (Geneve) network encapsulation protocol for Gateway Load Balancer (GWLB).

Harmony Endpoint

Endpoint Policy Management

• Use Single Sign-On to connect to the Endpoint Web Management Console.

Harmony Endpoint Web UI

• IoC Management – Users can now add Indicators of Compromise to their Endpoint Policy Management.
• Connection Awareness – Allows administrators to configure their own entity to determine the connectivity of the clients, and change a device’s policy type from “Connected” to “Disconnected”, and vice-versa accordingly.

Remote Access VPN

• Exclude SaaS applications (such as Office 365) from the Remote Access VPN tunnel.
• Use SAML 2.0 to authenticate Remote Access VPN users with an Identity Provider.