What's New

Introduction

Welcome to Check Point’s Cyber Security Platform. R81 is the industry’s most advanced Threat Prevention and security management software, delivering uncompromising simplicity and consolidation across the enterprise, whether you are deploying the latest technologies to protect the organization or expertly crafting security policies. R81 new features include Infinity Threat Prevention, the industry’s first autonomous Threat Prevention system, which provides fast, self-driven policy creation and one-click security profiles that keep policies always up to date. Policies are installed in seconds, upgrades require only one click, and gateways can be upgraded simultaneously in minutes. R81 also provides secure connectivity for encrypted traffic using the latest standards, including TLS 1.3 and HTTP/2. In addition, the Scalable Platform software is now aligned with the R81 Cyber Security Platform, bringing feature parity to Check Point Maestro.

Infinity Threat Prevention

Infinity Threat Prevention is an innovative management model that:

  • Provides zero-maintenance protection from zero-day threats, and continuously and autonomously ensures that your protection is up-to-date with the latest cyber threats and prevention technologies.

  • Empowers administrators with out-of-the-box policy profiles based on business and IT security needs.

  • Streamlines the configuration and deployment of policy profiles across gateways.

  • Provides simple and powerful customization to best serve your organization’s needs.

Threat Prevention
  • Manage your custom intelligence feeds through SmartConsole. Add, delete or modify IoC feeds fetched by the Security Gateways, and import files in CSV or STIX 1.x format.

  • Threat Extraction is now supported on ICAP server mode, in addition to Threat Emulation and Anti-Virus.

  • Improved use of IoCs for indicators based on source IPv4 and IPv6 addresses.

Note - Administrators can still perform granular manual changes to override Check Point’s recommended policies and profiles.

Security Gateway and Gaia

Scalable Platforms is part of the R81 release and is currently in Early Availability. Register here for the Early Availability program.

HTTPS Inspection
  • HTTPS Inspection supports the FutureX Hardware Security Module (HSM) by storing outbound HTTPS Inspection cryptographic keys and certificates on the HSM server.

  • Implementation of TLS 1.3 for SSL inspection.

    Notes

    • TLS 1.3 is off by default and only applies when User Space Firewall (USFW) is active. For the list of appliances that support USFW, see Appliance Support for User Space Firewall (USFW).
    • Hardware Security Module (HSM) is not supported with TLS 1.3.

Access Control
  • Generic Data Center - Use Generic Data Center Objects in the Source and Destination columns of Access Control, NAT, Threat Prevention and HTTPS Inspection rules to enforce access to or from IP addresses defined on external web servers. IP addresses defined in the object are automatically updated without the need for policy installation.

  • Support an unlimited number of languages in UserCheck objects.

Policy Installation

NAT Rule Base
  • Support for Domain objects, Updatable objects, Security Zones, Access Roles and Data Center objects.

  • Hit count for NAT rules.

Identity Awareness
  • Azure Active Directory support for Identity Awareness - Use the Identity Awareness Access role picker to authenticate and authorize Azure AD users and groups.

  • Identity Awareness nested groups - Discovers all the groups a user belongs to from the branch specified in the LDAP account unit in one query.

  • Security ID (SID) support for Identity Awareness - Move users and groups to different LDAP Organizational Units without the need to modify the Access Role Policy.

    Note - The Security ID (SID) feature is off by default. Refer to the Security ID topic for more information.

IPsec VPN
  • Ability to configure multiple ciphers for external Gateways in a single VPN community. Use granular encryption methods between two specific VPN peers.

  • Support for the SHA-512 data integrity (hash) method.

Mobile Access
  • A fresh and modern user interface with improved user experience:

    • Redesigned scan results.

    • Discontinued the SNX connection pop-up.

    • Greater accessibility for non-English speakers.

    • Launch all applications in separate tabs without losing the main page window.

    • One click sign-out.

    • Simplified customization to easily utilize brand identities.

    • Full support for mainstream browsers that run on all major platforms.

  • Clientless RDP and SSH access through Mobile Access Blade's browser portal using Apache's Guacamole™ software suite.

  • Support for custom AD attributes to allow mapping of end-users to their office desktops for personalized portal link display and Access Control.

Clustering

Geo-Cluster in HA mode for cloud environments – Supports the configuration of the cluster Sync interface on different subnets while allowing L3 communication between the members on the Sync interface. L2 connectivity and a trusted network between the cluster members (although still available) are no longer mandatory.

VSX
  • Configure Virtual Router in VSX VSLS mode.

  • Configure Multi-Bridge in VSX VSLS mode.

  • Configure bridge interfaces on a standard Virtual System in VSX.

  • Use Threat Emulation and Identity Awareness Software Blades on Virtual Systems with a Bridge Interface.

  • Configure VSX Gateway and VSX Cluster objects using Management REST APIs.

  • Configure Dynamic Routing VPN through Virtual Tunnel Interface (VTI) in VSX mode.

  • Independent QoS, DNS and Proxy server configuration per Virtual System.

  • VSX_util tool to downgrade VSX management objects to earlier versions.

Acceleration
  • Enhanced Multi-Queue distribution of IPsec VPN traffic.

Remote Access VPN
  • Significant performance improvements for Remote Access VPN clients in Visitor Mode.

  • Support for strongSwan IPsec clients on different Linux distributions.

Gaia OS
  • Scheduled Gaia Snapshots - Use Gaia Scheduled Snapshot to automatically back up and export configuration settings.

  • Added support for:

    • The Google Compute Engine virtual Network Interface (gVNIC).

    • Additional tunneling protocols:

      • Virtual Extensible LAN (VXLAN).
      • Generic Routing Encapsulation (GRE).

    • Link Layer Discovery Protocol (LLDP) configuration through CLISH and the Gaia Portal.

    • IP conflict detection - Monitor and detect duplicate IP addresses in the network.

    • Multi-Queue for Management and Sync interfaces.

Gaia REST API
  • API to set your device as a Security Gateway, Security Management Server, Multi-Domain Server or Log Server in the First Time Configuration Wizard.

  • Control IPv6 status.

Advanced Routing
  • Enhancements for additional Dynamic Routing features:

    • OSPFv3 AH authentication for OSPFv3 protocol security.

    • IPv6 route aggregation - Reduces the number of prefixes advertised to neighbor routers to improve performance and scaling.

    • IPv4/IPv6 NAT-pool routes - Configure and redistribute NAT-pool routes to routing protocols.

    • Routing Information Protocol (RIP) route sync.

    • PIM restart capability.

    • BGP support for VXLAN interfaces.

    • Dynamic Routing support for GRE interfaces.

CloudGuard IaaS

CloudGuard Controller
  • Data Center Query Objects - Use Data Center Objects to represent multiple Data Centers in the Security Policy when you build queries. This provides easier and more efficient division of the responsibilities to manage Data Centers.

  • New Data Centers support:
    • Kubernetes Data Center – Added CloudGuard Controller support for Kubernetes Clusters. Administrators can now create a Kubernetes-aware security policy for Kubernetes North-South traffic.

    • VMware vCenter version 7.

  • CloudGuard Controller can use the system proxy for connections to all Data Centers.

  • A new object category in SmartConsole's object explorer called "Cloud" aggregates all Data Centers, Data Center objects and Data Center queries into one.

CloudGuard Data Centers

Integration of CloudGuard IaaS for East-West deployments using VMware NSX-T.

Security Management

Central Deployment
  • Use SmartConsole to:

    • Upgrade Security Gateways and Clusters between major versions.

    • Upgrade VSX Gateways and VSX Clusters.

    • Install offline packages - The Security Gateway does not need to be connected to the internet to import the installation packages to the Security Management Server and distribute to targets.

Multi-Domain Server
  • Cross-Domain Management Server Search to search for objects across multiple Domain Management Server databases.

  • High Availability for Domain Management Server with the Security Management Server. A Security Management Server can operate as a standby or an active Security Management Server in a Management High Availability setup.

  • Configure a dedicated Log Server and a dedicated SmartEvent server for an individual Domain in a Multi-Domain environment.

Management REST API
  • General performance improvement to Management REST API.

  • API throttling for login commands, to prevent load on the Security Management Server.

SmartConsole
  • Support for multiple TACACS servers to utilize redundancy when administrators authenticate to SmartConsole.

  • Changes Report – Generate a report that lists the changes between two revisions or lists the changes performed during a private session.

  • License Management - Administrators can now view, add and delete licenses through SmartConsole.

  • Support for CloudGuard Edge configuration in SmartConsole.

SmartEvent

A new MITRE ATT&CK view to investigate security issues according to the MITRE defense models, and extract immediate action items based on the mitigation flow.

Management Server Upgrade

Significant performance improvement in the upgrade process from R80.20 and higher to R81 for Security Management Servers.

Logging and Monitoring

Endpoint Security

  • SandBlast Agent Web Management - A new Web-based management interface for Endpoint Threat Prevention components.

    Note - For the best user experience, it is recommended to use SandBlast Agent Web Management with Google Chrome.

  • Communication with management services remains on port 443 instead of port 4434 when the Endpoint Management component is activated.

  • Anti-Malware support for shared signature locations to support non-persistent VDI environments.

  • Manage URL Filtering capabilities of the SandBlast Agent Browser Extension.

  • Application Control policy changes - Support multiple versions per product, terminate applications, and block WSL (Windows Subsystem for Linux).

  • New set of Developer Protections for developers' computers.

  • Compliance integration with Windows Server Update Services (WSUS).

  • TACACS authentication for Web Remote Help (WebRH).

  • Media Encryption & Port Protection - Import device overrides from a file.

Licensing

For all licensing issues, contact Check Point Account Services.