Software Changes in R82.10

Note - To see the list of changes starting from R80.40, see sk180180.

This section describes behavior changes in R82.10 comparing to the previous version R82.

Gaia Operating System

• Updated the Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. OS Linux kernel version to "5.14".

• Updated the OpenSSL version to "3.5.0".

• Updated the OpenSSH version to "8.6".

• Updated the network interface driver "mlx" version to "24.10-0.7.0".

• Updated the Data Plane Development Kit (DPDK) version to "22.11".

• Disabled these in the default SSH configuration (only in a Clean Install):

  • Weak Message Authentication Codes (MACs) in SSH:

    • hmac-sha1:

    • hmac-sha1-etm@openssh.com

    • umac-64-etm@openssh.com

    • umac-64@openssh.com

  • Weak Public-Keys:

    • ssh-rsa

    • ssh-rsa-cert-v01@openssh.com

• These Check Point Appliance models do not support R82.10:

  • 23500, 23800, 23900

  • 15400, 15600

  • 6500, 6800

  • 5100, 5200, 5400, 5600, 5800, 5900

  • 3100, 3200

  • Smart-1 5150, Smart-1 5050, Smart-1 625, Smart-1 405, Smart-1 410

  • Scalable Chassis The container that contains the all the components of a 60000 / 40000 Appliance. Synonym: Chassis. 44000 / 64000

Security Gateway

• On Check Point Appliances, Virtual Machines, and Open Servers:

  • Firewall runs only in the User Space Firewall mode (USFW).

    The Kernel Space Firewall mode (KSFW) does not exist anymore.

    See sk167052.

  • SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. runs only in the User Mode (UPPAK).

    The Kernel Mode (KPPAK) does not exist anymore.

    See the R82.10 Performance Tuning Administration Guide.

• Updated the Data Plane Development Kit (DPDK) version to 22.11.

• Added support for SecureXL in the User Mode (UPPAK) in CloudGuard Network Security Gateways in all cloud environments.

• Log Forwarding is now enabled by default in new Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. objects. At midnight, locally stored logs are sent to the primary Log Server Dedicated Check Point server that runs Check Point software to store and process logs..

  In the new Security Gateway / Cluster object, navigate to Logs > Additional Logging and refer to the section Log Forwarding Settings.

• By default, the Security Gateway's Multi-Portal (Web Portals for various Software Blades) is configured to use only recommended and secure TLS cipher suites.

  Weak cipher suites are now disabled by default. To re-enable the necessary weak ciphers, use the cipher_util tool.

  Important: Remote Access VPN An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. connections and Multi-Portal use the same infrastructure on a Security Gateway. An R82.10 Security Gateway will fail Remote Access VPN connections from operating systems that: Do not support TLS 1.3 connections. and Do not support these TLS 1.2 ciphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA38 To support Remote Access VPN connections from such operating systems, you must use the cipher_util tool on the Security Gateway / each Cluster Member Security Gateway that is part of a cluster. / Security Group A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. and enable the cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384. If the operating system of a Remote Access client supports either TLS 1.3 or these TLS 1.2 ciphers, then no need to change the configuration.

• Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. support for Citrix is deprecated (see Mobile Access Requirements).

• Support for Hardware Security Module (HSM) from the FutureX vendor is deprecated.

• These features are deprecated in VPN Communities:

  Deprecated Feature	How to Get There in SmartConsole R82 and lower	Next Step
  IKEv1	VPN Community A named collection of VPN domains, each protected by a VPN gateway. properties > page Encryption > section Encryption Settings > field Encryption Method	Use IKEv2
  Wire Mode	VPN Community properties > page Wire Mode	Disable
  IP Compression	VPN Community properties > page Advanced > section Properties	Disable
  Aggressive Mode	VPN Community properties > page Advanced > section Properties	Disable

  Important: VPN Communities continue to work as configured before an upgrade to R82.10. R82.10 SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.: Does not support the configuration of these deprecated features. Shows the applicable message and the next supported step.