R80.40 EA is Public

R80.40 EA went live a few days ago. There are tons of new features including a new Kernel: TL:DR

What’s New

IoT Security

A new IoT security controller to:

• Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis).
• Configure a new IoT dedicated Policy Layer in policy management.
• Configure and manage security rules that are based on the IoT devices’ attributes.
  

HTTPS Inspection

• HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results with a better user experience.
  
• Check Point’s Security Gateway now support HTTP/2 and benefits better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol.
  
• Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS Inspection capabilities.
  

HTTPS Inspection Layer

• Provides these new capabilities:
• A new Policy Layer in SmartConsole dedicated to HTTPS Inspection.
• Different HTTPS Inspection layers can be used in different policy packages.
• Sharing of a HTTPS Inspection layer across multiple policy packages.
• API for HTTPS Inspection operations.

Threat Prevention

• Overall efficiency enhancement for Threat Prevention processes and updates.
• Automatic updates to Threat Extraction Engine.
• Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example – Office365 / Google / Azure / AWS IP addresses and Geo objects.
• Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI.
• Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol.
• Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols.
• Anti-Virus and SandBlast Threat Emulation now provides improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), it includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on-by-default in all Windows environments). This allows customers to stay secure while working with this performance enhancing feature.

Access Control

• Identity Awareness
• Support for Captive Portal integration with SAML 2.0 and third party Identity Providers.
• Support for Identity Agent Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.
• Enhancements to Terminal Servers Agent for better scaling and compatibility.

IPsec VPN

• Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:
• Improved privacy – Internal networks are not disclosed in IKE protocol negotiations.
• Improved security and granularity – Specify which networks are accessible in a specified VPN community.
• Improved interoperability – Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
• Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles.

URL Filtering

• Improved scalability and resilience.
• Extended troubleshooting capabilities.

Application Control

• Improved performance, diagnostics and monitoring tools.
• Enchantment to Server Name Indicators (SNI) classifications.

NAT

• Enhanced NAT port allocation mechanism – on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse.
• NAT port utilization monitoring in CPView and with SNMP.

Voice over IP (VoIP)

• Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.

Remote Access VPN

• Use machine certificate to distinguish between corporate and non-corporate assets and to set a policy enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).

Mobile Access Portal Agent

• Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information see sk113410.

CoreX L and Multi-Queue

• Improved out of the box experience – Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load.
• Priority Queues are enabled by default. For more information see sk105762.

Clustering

• Support for Cluster Control Protocol in Unicast mode that eliminates the need for CCP Broadcast or Multicast modes.
• Cluster Control Protocol encryption is now enabled by default.
• New ClusterXL mode -Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses.
• Support for ClusterXL Cluster Members that run different software versions.
• Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.

VSX

• Support for VSX upgrade with CPUSE in Gaia Portal.
• Support for Active Up mode in VSLS.
• Support for CPView statistical reports for each Virtual System

Zero Touch

• A simple Plug & Play setup process for installing an appliance – eliminating the need for technical
• expertise and having to connect to the appliance for initial configuration.

Gaia REST API

• Gaia REST API provides a new way to read and send information to servers that run Gaia Operating System. For more information see sk143612.

Advanced Routing

• Enhancements to OSPF and BGP allow to reset and restart OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon.
• Enhancing route refresh for improved handling of BGP routing inconsistencies.

New kernel capabilities

• Upgraded Linux kernel
• New partitioning system (gpt):
• Supports more than 2TB physical/logical drives
• Faster file system (xfs)
• Supporting larger system storage (up to 48TB tested)
• I/O related performance improvements
• Multi-Queue:
• Full Gaia Clish support for Multi-Queue commands
• Automatic “on by default” configuration
• SMB v2/3 mount support in Mobile Access blade
• Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)
• Support of new system tools for debugging, monitoring and configuring the system

Multi-Domain Server

• Back up and restore an individual Domain Management Server on a Multi-Domain Server.
• Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management.
• Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
• Migrate a Domain Management Server to become a Security Management Server.
• Revert a Domain on a Multi-Domain Server, or a Security Management Server to a previous revision for further editing.

SmartTasks and API

• New Management API authentication method that uses an auto-generated API Key.
• New Management API commands to create cluster objects.
• SmartTasks – Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.

CloudGuard Controller

• Performance enhancements for connections to external Data Centers.
• Integration with VMware NSX-T.
• Support for additional API commands to create and edit Data Center Server objects.

Deployment

• Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel.

SmartEvent

• Share SmartView views and reports with other administrators.

Log Exporter

• Export logs filtered according to field values.
• Generate SIEM compatible Threat Emulation and Forensics reports.

Endpoint Security

• Support for BitLocker encryption for Full Disk Encryption.
• Support for external Certificate Authority certificates for Endpoint Security client authentication and communication with the Endpoint Security Management Server.
• Support for dynamic size of Endpoint Security Client packages based on the selected features for deployment.
• Policy can now control level of notifications to end users.
• Randomize the Malware scan time to make sure that not all computers do a scan at the same time. This makes sure that network performance is not affected by many simultaneous scans.