R80.40 EA went live a few days ago. There are tons of new features, including a new kernel. TL;DR:
A new IoT security controller to:
- Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis).
- Configure a new IoT dedicated Policy Layer in policy management.
- Configure and manage security rules that are based on the IoT devices’ attributes.
- HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results in a better user experience.
- Check Point’s Security Gateway now supports HTTP/2 and benefits from better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol.
- Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS Inspection capabilities.
HTTPS Inspection Layer
- Provides these new capabilities:
- A new Policy Layer in SmartConsole dedicated to HTTPS Inspection.
- Different HTTPS Inspection layers can be used in different policy packages.
- Sharing of a HTTPS Inspection layer across multiple policy packages.
- API for HTTPS Inspection operations.
- Overall efficiency enhancement for Threat Prevention processes and updates.
- Automatic updates to Threat Extraction Engine.
- Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example – Office365 / Google / Azure / AWS IP addresses and Geo objects.
- Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI.
- Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol.
- Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols.
- Anti-Virus and SandBlast Threat Emulation now provide improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), including inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on by default in all Windows environments). This allows customers to stay secure while working with this performance-enhancing feature.
Identity Awareness
- Support for Captive Portal integration with SAML 2.0 and third party Identity Providers.
- Support for Identity Agent Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.
- Enhancements to Terminal Servers Agent for better scaling and compatibility.
- Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:
- Improved privacy – Internal networks are not disclosed in IKE protocol negotiations.
- Improved security and granularity – Specify which networks are accessible in a specified VPN community.
- Improved interoperability – Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
- Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles.
- Improved scalability and resilience.
- Extended troubleshooting capabilities.
- Improved performance, diagnostics and monitoring tools.
- Enhancement to Server Name Indication (SNI) classifications.
- Enhanced NAT port allocation mechanism – on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse.
- NAT port utilization monitoring in CPView and with SNMP.
Voice over IP (VoIP)
- Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.
Remote Access VPN
- Use machine certificate to distinguish between corporate and non-corporate assets and to set a policy enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).
Mobile Access Portal Agent
- Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information see sk113410.
CoreXL and Multi-Queue
- Improved out of the box experience – Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load.
- Priority Queues are enabled by default. For more information see sk105762.
- Support for Cluster Control Protocol in Unicast mode that eliminates the need for CCP Broadcast or Multicast modes.
- Cluster Control Protocol encryption is now enabled by default.
- New ClusterXL mode – Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses.
- Support for ClusterXL Cluster Members that run different software versions.
- Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.
- Support for VSX upgrade with CPUSE in Gaia Portal.
- Support for Active Up mode in VSLS.
- Support for CPView statistical reports for each Virtual System.
- A simple Plug & Play setup process for installing an appliance – eliminating the need for technical expertise and having to connect to the appliance for initial configuration.
Gaia REST API
- Gaia REST API provides a new way to read and send information to servers that run Gaia Operating System. For more information see sk143612.
- Enhancements to OSPF and BGP allow resetting and restarting OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon.
- Enhancing route refresh for improved handling of BGP routing inconsistencies.
New kernel capabilities
- Upgraded Linux kernel
- New partitioning system (GPT):
- Supports more than 2TB physical/logical drives
- Faster file system (XFS)
- Supporting larger system storage (up to 48TB tested)
- I/O related performance improvements
- Full Gaia Clish support for Multi-Queue commands
- Automatic “on by default” configuration
- SMB v2/3 mount support in Mobile Access blade
- Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)
- Support of new system tools for debugging, monitoring and configuring the system
- Back up and restore an individual Domain Management Server on a Multi-Domain Server.
- Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management.
- Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
- Migrate a Domain Management Server to become a Security Management Server.
- Revert a Domain on a Multi-Domain Server, or a Security Management Server to a previous revision for further editing.
SmartTasks and API
- New Management API authentication method that uses an auto-generated API Key.
- New Management API commands to create cluster objects.
- SmartTasks – Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.
- Performance enhancements for connections to external Data Centers.
- Integration with VMware NSX-T.
- Support for additional API commands to create and edit Data Center Server objects.
- Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows installing or upgrading multiple Security Gateways and Clusters in parallel.
- Share SmartView views and reports with other administrators.
- Export logs filtered according to field values.
- Generate SIEM compatible Threat Emulation and Forensics reports.
- Support for BitLocker encryption for Full Disk Encryption.
- Support for external Certificate Authority certificates for Endpoint Security client authentication and communication with the Endpoint Security Management Server.
- Support for dynamic size of Endpoint Security Client packages based on the selected features for deployment.
- Policy can now control level of notifications to end users.
- Randomize the Malware scan time to make sure that not all computers do a scan at the same time. This makes sure that network performance is not affected by many simultaneous scans.