Software Changes

Note - To see the list of changes starting R80.40, see sk180180.

This section describes differences in behavior from previous versions.

• Management Server

  • The SOLR functionality is replaced with a PostgreSQL database to improve the stability and performance of the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

    Notes: SOLR is still in use for logs and SmartEvent. All SOLR-based scripts are removed (for example $MDS_FWDIR/scripts/solr_monitor.sh, $MDS_FWDIR/scripts/solr_recovery.sh, $MDS_FWDIR/scripts/solr_cure.sh). All custom SOLR-based scripts are no longer operational.

  • The ICA (Internal Certificate Authority) service uses two separate ports:

    • Port 18265 for the ICA Internal Certificate Authority. A component on Check Point Management Server that issues certificates for authentication. portal: http://<IP Address of Domain Management Server>:18265.

    • Port 18264 for CRL (Certificate Revocation List) retrieval.

    For more information, refer to the R81.10 Security Management Administration Guide > Chapter "The ICA Management Tool".

  • Automatic revision purge is enabled by default:

    • Every 30 days, a purge operation executes automatically at 02:00 AM (according to Management Server time settings) and purges all revisions older than 14 days.

    • The 30 most recent revisions are kept and are not purged (even if older than 14 days).

    • Change the default settings or disable the automatic revision purge is available through API (see Check Point Management API Reference).

    • For more information, see sk170059.

• Multi-Domain Server

  • In Management High Availability Deployment and configuration mode of two Check Point Management Servers, in which they automatically synchronize the management databases with each other. In this mode, one Management Server is Active, and the other is Standby. Acronyms: Management HA, MGMT HA., publishing a session for the Global Domain Domain on a Multi-Domain Security Management Server, on which the Multi-Domain Server administrator creates and manages objects, security policies and settings that apply to the entire Multi-Domain Security Management environment. or the Domain Management does not automatically trigger synchronization. It may take up to 5 minutes for synchronization to start.

  • A Log Exporter configured on a Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. or a Multi-Domain Log Server Dedicated Check Point server that runs Check Point software to store and process logs in a Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers. Acronym: MDLS. now sends logs with the source IP address of the Domain Management Server Virtual Security Management Server that manages Security Gateways for one Domain, as part of a Multi-Domain Security Management environment. Acronym: DMS. or the Domain Log Server Dedicated Check Point server that runs Check Point software to store and process logs..

    Important - If a rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. that allows the Log Exporter connection already exists in the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase., you must update it to allow connections using the Domain Management Servers or the Domain Log Server as the source IP address of the Log Exporter.

• Endpoint Security

  • The Web Management Portal is enabled by default when you enable the Endpoint Policy Management Check Point Software Blade on a Management Server to manage an on-premises Harmony Endpoint Security environment. Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. in the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. object.

• Endpoint Security VPN

  • Simultaneous Login Prevention (SLP) default was changed to "User is allowed only single login" in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. Menu > Global properties > Remote Access page > Simultaneous Login.

  • Visitor Mode is enabled by default in Security Gateway object > VPN Clients section > Remote Access page > Support Visitor Mode section.

  • Support connectivity enhancement for gateways with multiple external interfaces is enabled by default in: Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. object properties > VPN Clients > Office Mode > Multiple Interfaces.

• Access Control Policy

  • New default values for Access Rules, the value None replaces the value Any for new installations.

• VSX

  • Starting R81.10, VSLS is the only supported mode for new installations.

    Upgrade to R81.10 from earlier versions that use High Availability A redundant cluster mode, where only one Cluster Member (Active member) processes all the traffic, while other Cluster Members (Standby members) are ready to be promoted to Active state if the current Active member fails. In the High Availability mode, the Cluster Virtual IP address (that represents the cluster on that network) is associated: (1) With physical MAC Address of Active member (2) With virtual MAC Address. Synonym: Active/Standby. Acronym: HA. is supported.

    The change delivers a single unified model (Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS. High Availability is one use case of the VSLS mode).

    To convert the upgraded VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster to VSLS, use the "vsx_util to convert" command.

• HTTPS Inspection

  • Transport Layer Security (TLS) v1.3 is enabled by default for Security Gateways (and Cluster Members) that use the User Space Firewall Mode (USFW).

    For more information, see sk167052.

• Gaia

  • Changed the name of the output Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. manual backup (1) In VRRP Cluster on Gaia OS - State of a Cluster Member that is ready to be promoted to Master state (if Master member fails). (2) In VSX Cluster configured in Virtual System Load Sharing mode with three or more Cluster Members - State of a Virtual System on a third (and so on) VSX Cluster Member. (3) A Cluster Member or Virtual System in this state does not process any traffic passing through cluster. file (added '--').

    Gaia uses this template (the date format is based on the Gaia Display Format for Date):

    backup_--_<HostName>.<Domain>_<DATE>_<HH>_<MM>_<SS>.tgz

  • Changed the name of the output Gaia scheduled backup file (added the name of the scheduled backup task surrounded with '-').

    Gaia uses this template (the date format is based on the Gaia Display Format for Date):

    backup_-<Name_of_Scheduled_Backup>-_<HostName>.<Domain>_<DATE>_<HH>_<MM>_<SS>.tgz

• SmartConsole

  • The Autonomous Threat Prevention option replaces the Threat Extraction First Time Activation Wizard.

  • In the Gateways & Servers view, when available, the actual software version appears instead of the one set in the Management Server database.

  • To add or remove licenses on the Licenses tab, an administrator must have the Run One Time Script permission selected in their profile.

    To assign this permission:

    1. In SmartConsole, go to Manage & Settings view > Permissions & Administrators > Permission Profiles.

    2. Open the applicable permission profile.

    3. In the left panel, click the Gateways page.

    4. In the Scripts section, select Run One-Time Script.

    5. Click OK.

    6. Publish the SmartConsole session.

  • In Menu > Global properties > Remote Access section, the page Certificates was removed.