Software Changes
Note - To see the list of changes starting R80.40, see sk180180.

This section describes behavior changes from previous versions.

Gaia

- Update to Gaia OS Linux kernel version.
- New Gaia installer:
  - You must upgrade to the latest Deployment Agent (DA) before upgrading to R81.20. See sk92449.
  - A new partition layout is introduced to accommodate the new Gaia installer changes.
  - Upgrade of a Security Gateway from R77.30 to R81.20 is supported only if Gaia works with the 64-bit kernel edition. For more information on configuring the kernel edition, see sk94627.
- ISOmorphic Tool: You must use build 187 or higher. See sk65205.
- SmartConsole download is no longer available from the Gaia Portal (you are redirected to Support Center).
- The password for the Gaia GRUB (boot loader - maintenance mode) is a dedicated password (separated from the Expert mode password).
  You can configure the Gaia GRUB password during the Gaia First Time Configuration Wizard, or after the Gaia installation.
- Messaging and logging daemon now uses Rsyslog (previously Syslog).
- Changed the date format for the Gaia manual backup file.
  Gaia always uses this template (regardless of the Gaia Display Format for Time and Date):
  backup_--_<HostName>.<Domain>_<DD>_<MMM>_<YYYY>_<HH>_<MM>_<SS>.tgz
- Changed the date format for the Gaia scheduled backup file.
  Gaia always uses this template (regardless of the Gaia Display Format for Time and Date):
  backup_-<Name_of_Scheduled_Backup>-_<HostName>.<Domain>_<DD>_<MMM>_<YYYY>_<HH>_<MM>_<SS>.tgz

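Because both backup templates put the day before the month and year, a retention or off-box archiving script that sorts these file names as strings picks the wrong "newest" backup. The following is an added example (not Check Point code) that parses both templates and selects backups beyond a retention count by their parsed time. It assumes <MMM> is an English three-letter month name and that <HostName>.<Domain> contains no underscore; the function names, sample file names and the host gw1.example.com are constructed for illustration.

```python
import re
from datetime import datetime

# Assumption: <MMM> is an English three-letter month name (Jan..Dec).
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Manual backups have an empty name field, which yields the "backup_--_" prefix.
# Assumption: <HostName>.<Domain> contains no underscore, so the host field
# is the text between the last "-_" and the timestamp.
BACKUP_RE = re.compile(
    r"^backup_-(?P<name>.*)-_(?P<host>[^_]+)"
    r"_(?P<dd>\d{2})_(?P<mon>[A-Za-z]{3})_(?P<yyyy>\d{4})"
    r"_(?P<hh>\d{2})_(?P<mi>\d{2})_(?P<ss>\d{2})\.tgz$")

def parse_backup_name(filename):
    """Return (schedule_name, host, datetime) or None if the name does not fit."""
    m = BACKUP_RE.match(filename)
    if not m or m["mon"].capitalize() not in MONTHS:
        return None
    try:
        when = datetime(int(m["yyyy"]), MONTHS[m["mon"].capitalize()],
                        int(m["dd"]), int(m["hh"]), int(m["mi"]), int(m["ss"]))
    except ValueError:  # e.g. 31_Feb: matches the pattern but is not a date
        return None
    return m["name"], m["host"], when

def expired_backups(filenames, keep):
    """Per (schedule, host), return every file older than the newest `keep`."""
    groups = {}
    for f in filenames:
        parsed = parse_backup_name(f)
        if parsed:  # files that do not match the template are never selected
            groups.setdefault(parsed[:2], []).append((parsed[2], f))
    expired = []
    for items in groups.values():
        items.sort(reverse=True)  # newest first, by parsed time, not by name
        expired += [f for _, f in items[keep:]]
    return sorted(expired)

# Constructed sample names (hypothetical host gw1.example.com).
SAMPLE = [
    "backup_--_gw1.example.com_28_Feb_2024_23_00_00.tgz",
    "backup_--_gw1.example.com_02_Mar_2024_23_00_00.tgz",
    "backup_--_gw1.example.com_15_Jan_2024_23_00_00.tgz",
    "backup_-nightly_cfg-_gw1.example.com_02_Mar_2024_01_30_00.tgz",
    "backup_--_gw1.example.com_31_Feb_2024_23_00_00.tgz",
]
```

With `keep=1`, the 02 Mar manual backup is retained even though `max()` over the raw names would pick the 28 Feb file; names that do not parse are left alone rather than deleted.
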
SmartConsole

- The IoT Network Protection properties in SmartConsole are read-only.
  Manage your IoT policies and objects through the IoT Network Protect application in the Infinity Portal.
- Certificate status indication:
  - For the Internal CA certificate - SmartConsole shows an alert if the ICA certificate expires in less than one year.
  - For IPsec VPN certificates - SmartConsole > Gateways & Servers view shows a warning near the VPN Gateway object about the certificate expiration.

VSX

- CLI commands for DHCP server configuration on VSX now support the Virtual System context notation (set virtual-system <ID>).

Maestro

- The Enhanced NAT Port Allocation Mechanism (Global NAT, GNAT) is enabled by default on Maestro Security Groups.

HTTPS Inspection

- In SmartDashboard > HTTPS Inspection, the default value for the "Automatic Updates" changed to "Download and install updates automatically".
  The change applies to a Management Server upgrade from a lower version.
  For more information, see sk173629 How to update trusted CAs automatically.
  Important - Policy installation is required for the changes to take effect on the Security Gateway.

IPS

- The download package location of the IPS updates changed from
  /opt/CPsuite-R81.20/fw1/ips
  to
  /var/log/opt/CPsuite-R81.20/fw1/ips

ClusterXL MVC Upgrade

- During a cluster MVC upgrade, kernel tables with data about VPN are not synchronized from the cluster members with the current version to the upgraded cluster member:
  - In the case of IKEv2 - cluster members do not synchronize the data about VPN at all.
  - In the case of IKEv1 - cluster members do not synchronize the data about IPSec SAs.
- Delta Sync operates fully only from the upgraded cluster members to the cluster members with the current version.
- A new VPN tunnel is created after failover from the cluster members with the current version to the upgraded cluster member.