What's New
Introduction
Welcome to Check Point Quantum R81.10, the industry's most advanced Threat Prevention and Security Management software for network security that delivers uncompromising simplicity and consolidation. R81 introduced the first Autonomous Threat Prevention system that provides fast, self-driven policy creation and one-click security profiles, keeping policies always up to date. Policies install in seconds, upgrades require only one click, and the gateways can simultaneously upgrade in minutes. R81.10 brings a major improvement in operational security efficiency across the Management Server's reliability, performance, and scale. Critical operations such as APIs, High Availability synchronization, and login are more reliable and faster than ever. In addition, the SmartConsole is automatically updated with the latest fixes and improvements. R81.10 adds new dynamic log distribution to add Log Server capacity on demand. And as part of Scalable Platforms, R81.10 brings a unique mix and match ability to leverage different Quantum Security Gateways within a single Quantum Maestro orchestration.
Quantum Security Gateway and Gaia
Maestro Hyperscale
- Maestro Orchestrator is aligned with the latest version R81.10 as part of the main-train release and includes the latest Gaia fixes and improvements.
- Ability to upgrade Security Groups and Orchestrators to the latest R81.10 version. For the list of supported versions see Supported Upgrade Paths.
- The ability to assign different appliance models to the same Security Group (see sk162373).
- Alignment with standard Security Gateway features:
  - Route-based VPN
    - Enable BGP and OSPF dynamic routing protocols on VTIs
  - Tunnel Management - Permanent Tunnels
    - Tunnel testing for permanent tunnels
    - Dead Peer Detection (DPD)
  - Service based link selection (sk56384)
  - IP selection by remote peer
  - Outgoing route selection
  - Back-to-back tunnels (hub and spokes)
    - Maestro as the center in Star community – Satellite peers can communicate with each other through the Center.
    - Client-to-Site traffic over a Site to Site VPN tunnel (Client > Maestro Gateway > VPN Peer Gateway > resource)
    - Client to Site to Client through a Maestro Gateway (Client > Maestro > Client)
  - VPN local connections that originate from Maestro Security Group Members
    - Initiate a connection from a Security Group Member if the connection's destination requires encryption
    - Identity Awareness via VPN – The Identity Source (users database) can be located across a VPN tunnel (especially in the cloud).
VSX
Configure bridge and multi-bridge interfaces on a regular Virtual System (VS) that is not in Bridge Mode. Now you can use features that require an IP address to work, such as Identity Awareness, Threat Emulation, UserCheck Web Portal, and Captive Portal.
IPsec VPN
VPN performance enhancements - Site to Site VPN and Remote Access clients are now handled by two different processes.
Clustering
Use a loopback interface with Dynamic Routing in ClusterXL environments.
Access Control
Tighten your policy and reduce the risk of human error through Access Control Rule Base settings and defaults.
Note - The new defaults apply only to new R81.10 installations. Upgraded environments can use this feature but the default behavior from previous versions is kept.
Advanced Routing
- IPv4 PIM enhancements and stability fixes.
- Ability to reset OSPFv2 counters.
- Ability to configure a Source-Specific Multicast source for an IGMPv3 Group.
- Support for ECMP algorithms to provide traffic load balancing:
  - Based on the 2-tuple hash of Source and Destination.
  - Based on the 5-tuple hash of Source, Destination, Source Port, Destination Port, and Protocol.
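The difference between the two ECMP hash inputs listed above, as an added example that is not Check Point code: SHA-256 stands in for the gateway's hash, which these notes do not describe, and the next hops and sample flows are constructed.

```python
import hashlib
from collections import Counter

# Constructed equal-cost next hops (not from the release notes).
NEXT_HOPS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]


def _bucket(fields, n):
    """Map a tuple of header fields to one of n next-hop slots.
    SHA-256 is a stand-in; the gateway's real hash is an unknown here."""
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n


def pick_2tuple(flow, hops=NEXT_HOPS):
    """Hash only Source and Destination."""
    src, dst, _sport, _dport, _proto = flow
    return hops[_bucket((src, dst), len(hops))]


def pick_5tuple(flow, hops=NEXT_HOPS):
    """Hash Source, Destination, Source Port, Destination Port, Protocol."""
    return hops[_bucket(flow, len(hops))]


def sample_flows(count=200):
    """Constructed traffic: one client opening many TCP/443 connections
    to one server, each from a different source port."""
    return [("192.0.2.10", "198.51.100.20", 40000 + i, 443, 6)
            for i in range(count)]


def distribution(picker, flows):
    """Count how many flows land on each next hop."""
    return Counter(picker(f) for f in flows)


if __name__ == "__main__":
    flows = sample_flows()
    print("2-tuple:", dict(distribution(pick_2tuple, flows)))
    print("5-tuple:", dict(distribution(pick_5tuple, flows)))
```

With the 2-tuple input every connection between the same host pair takes one next hop; with the 5-tuple input connections spread across next hops while all packets of a single connection still follow the same path.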
Gaia Operating System
- Ability to configure (only in Gaia Clish) the Ciphers and Message Authentication Codes (MAC) for the built-in OpenSSH Server.
- Ability to configure the access to Gaia REST API for specific users.
- Optimized SNMP OID for ARP that returns the current number of entries in the ARP table (.1.3.6.1.4.1.2620.1.6.22.1, or .iso.org.dod.internet.private.enterprises.checkpoint.products.svn.arpTableInfo.arpTableSize).
- Administrators can use the CLI to configure the TLS version of the Gaia Portal.
- Gaia API updated to latest released version (version 1.5) including new API calls for:
  - SNMP
  - GRE
  - VXLAN
  - Static route
  - Scheduled snapshots
Threat Extraction
Automatic Threat Extraction, Threat Extraction security improvements, and new features are automatically downloaded and applied without the need for human intervention.
Identity Awareness
AES encryption type configuration for Kerberos Ticket Encryption Methods is now available through SmartConsole. See sk111945.
Quantum Security Management
Security Management Servers enhancements
- Significant improvements for the stability and performance of the Management Server, especially for large Management environments under high load:
  - Administrator operations on the Management Server, such as backup and restore and revisions purge, are drastically faster.
  - Faster execution of Management API functions.
  - Search and navigation in SmartConsole work more smoothly when concurrent SmartConsole administrators are connected.
- Improved stability of the login process to the Management Server using SmartConsole or Management API, when the Management Server is under a heavy load.
Management REST API
- New export, import, and upgrade Management APIs for primary Security Management Servers or Multi-Domain Servers.
- Unified Management API commands for:
  - Domain export and backup
  - Domain import and restore
- SmartLSM - REST API commands to simplify the creation of SmartLSM Gateways.
SmartConsole
Automatic updates - SmartConsole detects and installs client updates for the same major version. See sk171315.
Logging and Monitoring
- IPS and Anti-Bot logs now include a MITRE ATT&CK section that details the different techniques for malicious attack attempts. This section provides an easier way to understand an attack by looking at the log card and to export the data to external SIEM systems, and an easy search and filter for attack events based on MITRE techniques.
- Dynamic logs distribution - Configure the Security Gateway to distribute logs between multiple active Log Servers to support a higher rate of Logs and Log Server redundancy.
- Enhancements to improve logging services stability.
CloudGuard Network Security
- Use AWS Security Token Service (STS) Assume Role to simplify the access to AWS Data Centers.
- Create Azure Data Centers on different Azure cloud environments in parallel including Azure Global, Azure Government, and Azure China.
Harmony Endpoint
Harmony Endpoint Web Management enhancements to allow these configurations:
- Media Encryption & Port Protection policy.
- Firewall policy.
- Developer protection policy.
- Push Operation for Host Isolation and Client Uninstall.
- Configuration of an email alert for High Availability synchronization issues between Primary, Secondary, or Remote Help servers.