What's New

Deep Learning Threat Prevention

• AI Deep Learning prevents 5x more DNS attacks in real-time. The feature it is part of the NGTX license, and is enabled when the Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. and Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. Software Blades are active. For more information see:

  • sk178487 - ThreatCloud The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. DNS tunneling protection.

  • sk175623 - ThreatCloud Domain Generation Algorithm (DGA) protection.

• Firewall-based, Zero-Day phishing prevention blocks 4x more Zero-Day phishing attacks (Check Point patented solution).

Quantum IoT Protect

• Discover IoT assets with Quantum Security Gateways.

• Autonomous Zero Trust Profiles allow only the necessary device communication and prevent threats that target IoT assets.

Network Security Management

• New Infinity Cloud Services Refers to a centralized identities solution provided by Infinity Identity and Directory Sync. These services offer identity management and directory synchronization capabilities, hosted and managed in the cloud. page in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. – Quick and easy integration between your on-premises Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. and Infinity Portal Applications. This includes the ability to share Quantum logs with Infinity Events for a unified view of logs across Quantum, CloudGuard, and Harmony products, and helps accelerate event correlation Procedure that extracts, aggregates, correlates, and analyzes events from the logs. and Threat Hunting delivered through Check Point Detection & Response solutions.

• Automated policy enforcement & updates using new Network Feed Objects. DevOps and other teams can manage their own access lists without requiring interaction from Security Admin groups.

• SmartWorkflow - streamlined policy change review, ensures accuracy of Security Policies Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. through customizable built-in policy supervision work-flows.

Performance Acceleration for Quantum Security Gateways

• Maestro Auto-Scaling provides dynamic performance scaling for mission critical apps and large workloads. Automatically shifts firewall resources in and out of Security Groups A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. to support critical applications as throughput and compute requirements change.

• Maestro Fastforward provides a 100G cut-through mode for trusted connections - the highest throughput and lowest latency for specific applications.

• Quantum HyperFlow delivers 2.5x times higher throughput for elephant flows (very long, high-bandwidth intensive connections). Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. automatically allocates more CPU cores to process elephant flow connections upon detection.

IoT Protection

Instantly discover and protect your IoT assets with Quantum Security Gateways and Infinity to enforce automated Zero Trust policies:

• Discover IoT devices, routers, and switches connected to your network using your R81.20 Quantum Security Gateways.

• Assign automatically generated restrictive policies to IoT devices based on their Internet access requirement to allow only what is needed for the IoT devices to operate.

Note - IoT General Availability is planned to be part of the R81.20 Jumbo Hotfix Accumulator.

Maestro Hyperscale

• Maestro Auto-Scaling - Automatically assigns Security Appliances (scale units) to a Security Group when the configured conditions are met.

• Maestro Fastforward - Significantly improved throughput and latency for trusted connections. Maestro Fastforward offloads accept or drop policy rules to the Quantum Maestro Orchestrator A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO. for hardware acceleration and provides:

  • Sub-microsecond latency.

  • Port line-rate throughput for a single connection.

• Support for accelerated policy installation on Maestro Security Groups. See sk169096.

• Monitor utilization of NAT resources in CPView and with SNMP.

• Support gradual upgrade in the Multi-Version Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. (MVC) mode.

• Scalable Platforms now support CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. Dynamic Balancing - Based on the current traffic load, the Security Group automatically changes the number of CoreXL SNDs, CoreXL Firewall instances, and the Multi-Queue An acceleration feature on Security Gateway that configures more than one traffic queue for each network interface. Multi-Queue assigns more than one receive packet queue (RX Queue) and more than one transmit packet queue (TX Queue) to an interface. Multi-Queue is applicable only if SecureXL is enabled (this is the default). Acronym: MQ. configuration for zero traffic impact.

• Scalable Platforms now support Management Data Plane Separation (MDPS, sk138672).

VSX

• Support for the DHCP Server configuration in Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). in the context of each Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS..

IPsec VPN

• Scalable VPN performance - 3 times faster to process simultaneous Remote Access and Site to Site VPN An encrypted tunnel between two or more Security Gateways. Synonym: Site-to-Site VPN. Contractions: S2S VPN, S-to-S VPN. connections.

• Major performance and stability improvement for Remote Access VPN An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. and Site to Site VPN that delivers a significantly greater capacity for VPN tunnels.

• Extended Security Gateway certificate validation capabilities for quicker authentication.

• Resilient VPN architecture - multi-process architecture to handle IKE negotiations in dedicated scalable daemons, providing unprecedented resiliency.

Clustering

• Added support for the "Same VMAC" feature. For more information, see the R81.20 ClusterXL Administration Guide.

• ClusterXL in the Active-Active mode now supports these Software Blades:

  • Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI.

  • URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF.

  • Content Awareness Check Point Software Blade on a Security Gateway that provides data visibility and enforcement. Acronym: CTNT.

  • Anti-Spam Check Point Software Blade on a Security Gateway that provides comprehensive protection for email inspection. Synonym: Anti-Spam & Email Security. Acronyms: AS, ASPAM. and Email Security

  • Anti-Bot Malicious software that neutralizes Anti-Virus defenses, connects to a Command and Control center for instructions from cyber criminals, and carries out the instructions.

  • Anti-Virus

Access Control

• Dynamic Policy - Use a Network Feed object to customize a private web server feed definition for IP addresses or domains. The objects are automatically updated in Security Gateway without the need to install a policy. Updatable Objects uses the Network Feed to strengthen the dynamic configuration ability of the Access Control policy. See the Administration Guide.

• Performance improvements - Support for Updatable Objects, Domain objects, and Dynamic objects with the Optimized Drop feature (drop templates).

Advanced Routing

• Support for Intermediate System (IS-IS) routing protocol.

• Support for DHCP Relay Agent Information Option 82 to address several scaling and security issues that arise in public DHCP use.

• Support for OSPFv3 NSSA.

• Support for IPv6 Static MFC Cache to enable forwarding of multicast data without PIM configuration.

• Support for Routing Event Record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy. Triggers to allow ClusterXL failover, and tearing down of BGP connections through monitored BGP and BFD sessions.

• Routing Protocol History for BFD to improve troubleshooting capabilities.

• NetFlow Live connections and Firewall rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. UUID.

Gaia Operating System

• Configure a retention policy for Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. scheduled backups and snapshots.

• Configure Gaia scheduled jobs to run hourly or at specified minute intervals.

• Configuring a logical next hop gateway in IPv6 static routes to send traffic through a specified interface.

• Configure the minimum number of required interface links for a bonding group in the 802.3AD mode.

• Use Gaia Clish commands to monitor NIC transceivers in appliance - module temperature, supply voltage, TX Bias voltage, Rx optical Power, and TX optical power.

• Automatic update to the NIC firmware during the ISO installation process for appliances that have 40GbE, 100/25GbE, and 2-Port Dual-Width 10/25/40/100G QSFP28 Cards.

CoreXL

• HyperFlow provides automatic system resource allocation by proper prioritization of tasks on highly utilized CPU cores and dynamically balances the tasks. Introducing seamless gateway tuning and optimization and improving single flow performance and spikes handling.

• In User Space Firewall (USFW), the number of IPv6 CoreXL Firewall instances is no longer limited, IPv6 Firewall instances can be increased up to the number of IPv4 Firewall instances.

Identity Awareness

• The Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway automatically identifies and excludes Service Account In Microsoft® Active Directory, a user account created explicitly to provide a security context for services running on Microsoft® Windows® Server. sessions acquired by the Identity Collector Check Point dedicated client agent installed on Windows Servers in your network. Identity Collector collects information about identities and their associated IP addresses and sends it to the Check Point Security Gateways or Infinity Identity solution for identity enforcement, you can download the Identity Collector package from the Support Center.. For more details, see sk174266.

• Improved resiliency, scalability, and stability for PDPs and Identity Broker Identity Sharing mechanism between Identity Servers (PDP): (1) Communication channel between PDPs based on Web-API (2) Identity Sharing capabilities between PDPs - ability to add, remove, and update the identity session.. Additional threads handle authentication and authorization flows.

Mobile Access

• OAuth 2.0 support for Capsule Workspace and Office 365.

Quantum Spark

• Central Deployment - Use SmartConsole to upgrade Quantum Spark and Quantum Edge Appliances. See the Security Management Administration Guide.

• Quantum Spark Appliances now support Identity Collector.

• Use SmartUpdate Legacy Check Point GUI client used to manage licenses and contracts in a Check Point environment. and SmartProvisioning Check Point Software Blade on a Management Server (the actual name is "Provisioning") that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: Large-Scale Management, SmartLSM, LSM. (LSM) to manage Quantum Spark appliances that run R81.10.

• Quantum Spark Appliances now support transit connections to an Active Directory server on an internal network (appliances work as an AD proxy).

Cloud Services Integration

• Integration between your on-premises Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. and Infinity Portal:

  • Run cloud services that are managed in the Infinity Portal on your Security Management Server objects.

  • See a unified log view of all your Check Point products, on-premises and in cloud.

  • Run Management API calls securely on the on-premises Security Management Server from anywhere in the world through Infinity Portal.

  See the Administration Guide.

SmartConsole

• SmartConsole can use SAML 2.0 to authenticate administrators with an Identity Provider. See the Administration Guide.

SmartWorkflow

• Send policy and configuration changes for a review and approval cycle by another administrator before applying the changes. See the Administration Guide.

SmartTasks

• New triggers - before and after working on a session that requires an approval, and for critical CloudGuard Controller Provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security. events.

• New action - send an email with a detailed change report Summary of network activity and Security Policy enforcement that is generated by Check Point products, such as SmartEvent. after publishing a session, after policy installation, and more.

See the Administration Guide.

Management REST API

Management API support for:

• Identity Awareness configuration on Security Gateways and Clusters.

• Configuration of HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. outbound certificate.

• Configuration of SmartLSM Gateways.

• Configuration of VPN settings on SmartLSM Gateways.

See the Check Point Management API Reference.

Upgrades

• Central Deployment of CPUSE Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. packages in SmartConsole:

  • Gradually upgrade Quantum Cluster Members.

  • Upgrade Quantum Spark and Quantum Edge Appliances.

  See the Administration Guide.

• Pre-Upgrade Verifier results are now presented in the upgrade report.

• Simpler migration from a Standalone Configuration in which the Security Gateway and the Security Management Server products are installed and configured on the same server. environment to a distributed environment located in Quantum Smart-1 Cloud or on-premises. See sk179444.

• Significant performance improvement of Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. upgrades by importing Domain Management Servers Virtual Security Management Server that manages Security Gateways for one Domain, as part of a Multi-Domain Security Management environment. Acronym: DMS. concurrently instead of sequentially.

Internal Certificate Authority (ICA)

• Ability to create certificates with 3072-bit RSA keys - the root ICA Internal Certificate Authority. A component on Check Point Management Server that issues certificates for authentication. certificate and SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. certificates. See sk96591.

CloudGuard Network Security

• CloudGuard Controller support for:

  • Oracle Cloud Oracle Cloud is a cloud computing service offered by Oracle Corporation. It provides servers, storage, networks, applications, and services through a global network of Oracle Corporation-managed data centers. Infrastructure (OCI). See the Administration Guide.

  • Nutanix Nutanix is a private and hybrid cloud software provider that offers software for virtualization, Kubernetes, database-as-a-service, software-defined networking, security, as well as software-defined storage for file, object, and block storage.. See the Administration Guide.

  • New Microsoft Azure Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. resources - Application Security Groups, Private Endpoints. See the Administration Guide.

  • New Amazon Web Services resources - Load Balancer tags. See the Administration Guide.

  • New Cisco ACI Cisco® Application Centric Infrastructure. Comprehensive SDN architecture, policy-based automation solution for increased scalability through a distributed enforcement system with greater network visibility. Trademark of Cisco. resources - End-point Security Group (ESG), Policy tag, Name Alias tag. See the Administration Guide.

  • SmartTasks for CloudGuard Controller critical events. See the Administration Guide.

• Nutanix Flow support for CloudGuard Network Security Gateways.

• Amazon Web Services (AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services.):

  • Cross Availability Zones Cluster (Geo Cluster). See the Administration Guide.

  • Use of the Generic Network Virtualization Encapsulation (Geneve) network encapsulation protocol for Gateway Load Balancer (GWLB).

Harmony Endpoint

Endpoint Policy Management

• Use Single Sign-On to connect to the Endpoint Web Management Console.

Harmony Endpoint Web UI

• IoC Management - Users can now add Indicators of Compromise to their Endpoint Policy Management Check Point Software Blade on a Management Server to manage an on-premises Harmony Endpoint Security environment..

• Connection Awareness - Allows administrators to configure their own entity to determine the connectivity of the clients, and change a device's policy type from "Connected" to "Disconnected", and vice-versa accordingly.

Remote Access VPN

• Exclude SaaS applications (such as Office 365) from the Remote Access VPN tunnel.

• Use SAML 2.0 to authenticate Remote Access VPN users with an Identity Provider.