What's New


As our networks continue to increase and the threat landscape continues to evolve, customers need security solutions that allow endless scalability and simple operations. With over 100 new features, R80.40, is imperative for putting our network security on the fast track. Providing unified management for both physical and virtual networks, on premise, and cloud enforcement points. By consolidating all aspects of your security environment seamlessly, it allows you to deploy protections across your organization without impeding business innovation. It also allows full visibility into security across your network in a customizable visual dashboard, helping you monitor and focus on what matters to you. With its scalable, extensible architecture, you can manage the most complex environments easily and efficiently.

This release contains innovations and significant improvements such as:

New in this release

IoT Security

A new IoT security controller to:

  • Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM, and Armis).

  • Configure a new IoT dedicated Policy LayerClosed Layer (set of rules) in a Security Policy. in policy management.

  • Configure and manage security rules that are based on the IoT devices attributes.

HTTPS Inspection


HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results with a better user experience.

HTTPS Inspection Layer

Provides these new capabilities:

Threat Prevention

Optimized Security and Productivity for the Different Modes – Threat ExtractionClosed Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. works with Threat EmulationClosed Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. to provide users with more productivity without compromising security.

  • Background Mode is now called Rapid Delivery to prevent many more malicious files within the emulation window of 3 seconds.

  • Hold Mode is now called Maximum Prevention and provides improved productivity to ensure that all Threat Extraction cleaned documents deliver quickly to end users. Maximum Security minimizes the time users wait without a compromise on security.

To learn more, see the R80.40 Threat Prevention Administration Guide > Chapter Advanced Threat Emulation Settings.

Threat Extraction

Automatic Engine Updates – Like the automatic updates to the Threat Emulation engines, you can now receive Threat Extraction updates automatically on your gateways. There is no need to update to a hotfixClosed Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. or a major version. Security improvements, new features and more do not require intervention.

Anti-Virus and SandBlast Threat Emulation

MITRE ATT&CK™ Reporting – Threat Emulation Forensics Reports now include a detailed MITRE ATT&CK Matrix with the detected adversary tactics and techniques for every malicious executable file.

Enhanced Support for Archive Files – includes significant improvements in handling archive files:

  • Support for password protection for all supported file types, including *.7z and *.rar. For more details, see sk112821.

  • An improved mechanism to “guess” passwords automatically when it opens password-protected archives for emulation.

  • Added support for password-protected archives when the password includes Unicode characters.

  • Stability improvements.

Faster delivery of an emulation verdict for documents with embedded files.

Enhanced Support for Password-Protected Documents:

  • Admins can now configure a default action for password-protected documents. If such a file is emulated, the file is allowed or blocked by default. To configure a default action, follow the instructions in sk132492.

New File Types and Protocols:

  • Attachments from Nested MSG Files - Threat Emulation now supports emulation for files that attach to MSG files that attach to other MSG files.

  • Support for new Archive Formats - WIM, CHM, CramFS, DMG, EXT, FAT, GPT, HFS, IHEX, MBR, MSI, NSIS, NTFS, QCOW2, RPM, SquashFS, UDF, UEFI, VDI, VHD, VMDK, LZH, ARJ, CPIO, AR.

  • SCP and SFTP file transfers can be scanned using SSH Deep Packet Inspection.

  • SMBV3 Multi-Channel Connections – Multi-channel file transfer is on by default on all Windows operating systems. The Check Point Security Gateway is now the only one in the market that inspects large file transfers through SMBv3 (3.0, 3.0.2, 3.1.1) over multi-channel connections.

Enhanced Logging for Emulated Archive Files:

  • The archive file log includes the names of all the files inside.

  • A new log generates for every extracted file from the archive with its emulation results. This log contains the name of the archive file. Logs correlate easily between the archive file and those of the files it contains.

Importing SHA-256 IoCClosed Indicator of Compromise. Artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IoCs are virus signatures and IP addresses, MD5 hashes of Malware files, or URLs or domain names of botnet command and control servers. Identified through a process of incident response and computer forensics, intrusion detection systems and anti-virus software can use IoC's to detect future attacks. feeds - Anti-VirusClosed Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. now supports SHA-256 hashes as Indicators of Compromise (IoC). Administrators can import SHA-256 IoC feeds manually or connect the Security Gateway to a live feed of SHA-256 IoC. For more information, see sk132193.

Replacing the Threat Emulation API Certificate – Administrators can now upload their own certificate to use for Threat Emulation API calls to their Threat Emulation Appliance. For more information, see sk160693.

Email Security
  • Enhanced Support for POP3 and IMAP protocols - Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail over the POP3 protocol and improve inspection of e-mail over the IMAP protocol.

  • Enhanced Protection against BaseStriker - MTA Gateways now protect against malicious emails with URLs that use the BaseStriker technique.

  • Bounce Messages Behavior Change - Modifies the configuration of the MTA so that it tries to send bounce messages only once whether it reaches its destination or not.

  • Enhanced Threat Emulation inspection for files behind shortened links - The body of an email sometimes includes customized Bitly links that point to files. With this release, Threat Emulation scans the files behind these links to detect zero-day attacks. This capability requires Threat Emulation and Anti-Virus to be enabled and MTA must be configure for the Security Gateway.

[Early Availability] Click-Time URL Protection – The MTA Security Gateway can now re-write links in incoming emails. When users click on them, the resources (web sites or files) behind the links have inspections again. This prevents delayed attacks where attackers replace the resource behind the link after the email delivery.

[Early Availability] Anti-Phishing Engine – The MTA Security Gateway introduces a new state of the art Anti-Phishing engine. This design alerts against and prevents sophisticated phishing, spear phishing, and targeted phishing attacks.

Want to join the program and hear more? Contact us at email_security@checkpoint.com.

Other Enhancements

Dynamic, Domain and Updatable Objects can be used in Threat Prevention and HTTPS Inspection Policies.

Domain objects enchantment - DNS passive learning. For more information, see sk161612.

Access Control

Identity Awareness


  • Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:

    • Improved privacy - Internal networks are not disclosed in IKE protocol negotiations.

    • Improved security and granularity - Specify which networks are accessible in a specified VPN community.

    • Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).

  • Large Scale VPN (LSV) environment. Using LSV profiles provides the ability to connect Externally Managed and Third Party VPN peers seamlessly by simply providing them with the same CA certificate used by central Security Gateway.

URL Filtering

  • Improved scalability and resilience.

  • Extended troubleshooting capabilities.

Application Control

Improved performance, diagnostics and monitoring tools.


Voice over IP (VoIP)

Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.

Remote Access VPN

Machine Certificate Authentication - use machine certificate to distinguish between corporate and non-corporate assets adding the ability to restrict access to corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).

Security Gateway and Gaia

CoreXL and Multi-Queue


Zero Touch

A simple Plug & Play setup process for installing an appliance - eliminating the need for technical expertise and having to connect to the appliance for initial configuration.


GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. REST API provides a new way to read and send information to servers that run Gaia Operating System. See sk143612.

CloudGuard IaaS

AWS Data Center enhancements:
  • Load Balancer (ALB and NLB) objects are supported.

  • Security Groups support the use of tags.

  • Subnet objects include IP addresses from all associated Network Interfaces.

Azure Data Center improvements:
  • Load Balancer (Public and Internal) objects are supported.

  • Load Balancers, Virtual Networks, and Network Security Groups support the use of tags.

  • Subnet objects include Front end IP addresses of the Internal Load Balancers.

Advanced Routing

  • Enhancements to OSPF and BGP allow to reset and restart OSPF neighbor adjacency per OSPF instance and BGP peering per peer.

  • Enhancing route refresh for improved handling of BGP routing inconsistencies.

New kernel capabilities

Security Management

Quantum Spark

1500 appliance series can be managed with R80.40 Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. and R80.40 SmartProvisioningClosed Check Point Software Blade on a Management Server (the actual name is "Provisioning") that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: Large-Scale Management, SmartLSM, LSM..


A new reportClosed Summary of network activity and Security Policy enforcement that is generated by Check Point products, such as SmartEvent. for Management Servers upgrades is available. The report shows the current status and progress and is located on the target machine under $MDS_FWDIR/log/upgrade_report-<timestamp>.html. For CPUSE upgrades, the report is available in the Upgrades (CPUSE) section of Gaia Portal.

Revert to Revision

The Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. architecture supports built-in revisions. Each publish operation saves a new revision that contains only the delta from the previous revision, allowing safe recovery from a crisis by restoring a Domain or a Management Server to a good known revision.

Multi-Domain Server

SmartTasks and API

  • DevOps teams can automate their security and transform it into DevSecOps workflows using Ansible and Terraform.

    Automate security responses to threats, provision both physical and virtualized next-generation firewalls and automate routine configuration tasks, saving time and reducing configuration errors.

  • New Management API authentication method that uses an auto-generated API Key.

  • New Management API commands to create cluster objects.

  • SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.

  • Significant increase of performance for multiple set/edit/delete object commands with Batch API.

CloudGuard Controller


  • Central Deployment of Jumbo Hotfix Accumulators and Hotfixes from SmartConsole or with API supports multiple Security Gateways and Cluster installations in parallel.

  • Object search - support for partial word search using a wildcard. For example: when you search for *oba, SmartConsole shows an existing object named MyGlobalHost.


Share SmartView views and reports with other administrators.

Log Exporter

  • Export logs filtered according to field values.

  • Generate SIEM compatible Threat Emulation and Forensics reports.

Endpoint Security

  • Collect Logs push operations - upload logs and debug information automatically to an FTP server.

  • Support for BitLocker encryption with Full Disk Encryption.

  • Support for external Certificate Authority certificates for Endpoint Security client authentication and communication with the Endpoint Security Management Server.

  • Support for dynamic size of Endpoint Security Client packages based on the selected features for deployment.

  • Policy can now control the level of notifications to end users.

  • Randomize the Malware scan time to make sure that not all computers do a scan at the same time. This makes sure that network performance is not affected by many simultaneous scans.

  • Uninstall Endpoint Security clients using a Challenge-Response process

  • Gaia Backup includes Endpoint Management components.

  • All client-server communication use HTTPS.

  • Endpoint Security Clients can connect to the Endpoint Security Management Server using FQDN in addition to the IP Address.


For all license issues, contact Check Point Account Services.