What's New

Introduction

Welcome to Check Point Quantum R81.10, the industry's most advanced Threat Prevention and Security Management software for network security that delivers uncompromising simplicity and consolidation. R81 introduced the first Autonomous Threat Prevention system that provides fast, self-driven policy creation and one-click security profiles, keeping policies always up to date. Policies install in seconds, upgrades require only one click, and the gateways can simultaneously upgrade in minutes. R81.10 brings a major improvement in operational security efficiency across the Management Server's reliability, performance, and scale. Critical operations such as APIs, High Availability synchronization, and login are more reliable and faster than ever. In addition, the SmartConsole is automatically updated with the latest fixes and improvements. R81.10 adds new dynamic log distribution to add Log Server capacity on demand. And as part of Scalable Platforms, R81.10 brings a unique mix and match ability to leverage different Quantum Security Gateways within a single Quantum Maestro orchestration.

 

Quantum Security Gateway and Gaia

Maestro Hyperscale
  • Maestro Orchestrator is aligned with the latest version R81.10 as part of the main-train release and includes the latest Gaia fixes and improvements.

  • Ability to upgrade Security Groups and Orchestrators to the latest R81.10 version. For the list of supported versions see Supported Upgrade Paths.

  • Mix appliances - The ability to include different appliance models in the same Security Group.

  • Alignment with standard Security Gateway features:

    • VPN Tunnel Interface (VTI)

      • Route based VPN

      • Enable BGP and OSPF Dynamic Routing Protocols on VTIs

    • Tunnel Management - Permanent Tunnels

      • Tunnel testing for permanent tunnels

      • Dead Peer Detection (DPD)

    • Link Selection

      • Service based link selection (sk56384)

      • IP selection by remote peer

        • High Availability

        • Load Sharing

      • Outgoing route selection

      • Route-based probing

    • Back-to-back tunnels (hub and spokes)

      • Maestro as the center in Star community – Satellite peers can communicate with each other through the Center.

      • Client-to-Site traffic over a Site-to-Site VPN tunnel (Client > Maestro Gateway > VPN Peer Gateway > resource)

      • Client to Site to Client through a Maestro Gateway (Client > Maestro > Client)

    • VPN local connections that originate from Maestro Security Group Members

      • Initiate a connection from a Security Group Member if the connection's destination requires encryption

      • Identity Awareness via VPN – The Identity Source (users database) can be located across a VPN tunnel (especially in the cloud).

VSX

Configure bridge and multi-bridge interfaces on a regular Virtual System (VS) that is not in Bridge Mode. Now you can use features that require an IP address to work, such as Identity Awareness, Threat Emulation, UserCheck Web Portal and Captive Portal.

IPsec VPN

VPN performance enhancements - Site to Site VPN and Remote Access clients are now handled by two different processes.

Clustering

Use a loopback interface with Dynamic Routing in ClusterXL environments.

Access Control

Tighten your policy and reduce the risk of human error through Access Control Rule Base settings and defaults.

Note - The new defaults apply only to new R81.10 installations. Upgraded environments can use this feature but the default behavior from previous versions is kept.

Advanced Routing
  • IPv4 PIM enhancements and stability fixes.

  • Ability to reset OSPFv2 counters.

  • Ability to configure a Source-Specific Multicast (SSM) source for an IGMPv3 Group.

  • Support for ECMP algorithms to provide traffic load balancing:

    • Based on the 2-tuple hash of Source and Destination.

    • Based on the 5-tuple hash of Source, Destination, Source Port, Destination Port, and Protocol.

Gaia Operating System
  • Ability to configure (only in Gaia Clish) the Ciphers and Message Authentication Codes (MAC) for the built-in OpenSSH Server.

  • Ability to configure the access to Gaia REST API for specific users.

  • Optimized SNMP OID for the ARP table that returns the current number of entries in the ARP table (.1.3.6.1.4.1.2620.1.6.22.1, or .iso.org.dod.internet.private.enterprises.checkpoint.products.svn.arpTableInfo.arpTableSize).

  • Ability for administrators to configure the TLS version of the Gaia Portal through the CLI.

  • Gaia API updated to latest released version (version 1.5) including new API calls for:

    • SNMP

    • GRE

    • VXLAN

    • Static route

    • Scheduled snapshots

ISP Redundancy

Extended support for a maximum of 10 ISP links.

Threat Extraction

Automatic Threat Extraction, Threat Extraction security improvements, and new features are automatically downloaded and applied without the need for human intervention.

Identity Awareness

AES encryption type configuration for Kerberos Ticket Encryption Methods is now available through SmartConsole. For more information, see sk111945.

Quantum Security Management

Security Management Servers enhancements
  • Significant improvements for the stability and performance of the Management Server, especially for large Management environments under high load:
    • Administrator operations on the Management Server, such as backup and restore and revisions purge, are drastically faster.

    • Faster execution of Management API functions.

    • Search and navigation in SmartConsole work more smoothly when concurrent SmartConsole administrators are connected.

  • Improved stability of the login process to the Management Server using SmartConsole or Management API, when the Management Server is under a heavy load.

Management REST API
  • New export, import, and upgrade Management APIs for primary Security Management Servers or Multi-Domain Servers.

  • Unified Management API commands for:

    • Domain export and backup

    • Domain import and restore

  • SmartLSM - REST API commands to simplify the creation of ROBO Gateways.

SmartConsole

Automatic updates - SmartConsole detects and installs client updates for the same major version. For more information, see sk171315.

Logging and Monitoring
  • IPS and Anti-Bot logs now include a MITRE ATT&CK section that details the different techniques for malicious attack attempts. This section provides an easier way to understand an attack by looking at the log card and to export the data to external SIEM systems, and an easy search and filter for attack events based on MITRE techniques.

  • Dynamic log distribution - Configure the Security Gateway to distribute logs between multiple active Log Servers to support a higher log rate and Log Server redundancy.

  • Enhancements to improve logging services stability.

Management High Availability
  • Synchronization and stability enhancements.

  • Significant Full sync duration improvement.

Multi-Domain Server

IoT Controller support for Multi-Domain Security Management.

SmartLSM

Use group objects, multiple IP addresses, and IP ranges in LSM profiles.

CloudGuard Network Security

  • Use AWS Security Token Service (STS) Assume Role to simplify the access to AWS Data Centers.

  • Create Azure Data Centers on different Azure cloud environments in parallel including Azure Global, Azure Government, and Azure China.

Harmony Endpoint

Harmony Endpoint Web Management enhancements to allow these configurations:

  • Media Encryption & Port Protection policy.

  • Firewall policy.

  • Application Control policy.

  • Developer protection policy.

  • Push Operation for Host Isolation and Client Uninstall.

Licensing

For all license issues, contact Check Point Account Services.