Software Changes
Note - To see the list of changes starting from R80.40, see sk180180.
This section describes behavior changes from the previous version.
Management Server
- Security Gateways R77.30 are not supported.
- The search in the SmartConsole Object Explorer and the "Objects" sidebar was improved in a specific scenario. A partial search in text fields (name of an object, comment, and so on) no longer requires the wildcard character "*" (asterisk). See sk182006.
Gaia Operating System
- Updated the Gaia OS Linux kernel version to 4.18.
- CPView Utility saves its log messages in these files:
  - On a Management Server / Log Server / Security Gateway:
    - $CPDIR/log/cpviewd.elg
    - $CPDIR/log/cpview_api_service.elg
  - Per Virtual System (the file name ends with the VSID):
    - $CPDIR/log/cpviewd.elg.vs<VSID>
    - $CPDIR/log/cpview_api_service.elg.vs<VSID>
- Added the Python v3.11 package.
- Introduced a dedicated messaging daemon, MSGD.
- You can use the Gaia Clish command "set dns timeout <value>" to control how long Gaia OS waits for a response from a DNS server before it sends the DNS request to the next configured DNS server.
- The log files in the $RTDIR/laas/adjuster_service/log/ directory moved from the root partition "/" to the "/var/log/" partition.
- More user space log files are now rotated based on the settings in the /etc/cpshell/log_rotation.conf configuration file.
- The name template of a Gaia regular backup file changed:
  from "backup_--_<HostName>.<Domain>_<DD>_<MM>_<YYYY>_<HH>_<MM>_<SS>.tgz"
  to "backup_--_<HostName>.<Domain>_<YYYY>_<MM>_<DD>_<HH>_<MM>_<SS>.tgz"
- The name template of a Gaia scheduled backup file changed:
  from "backup_-<Name_of_Scheduled_Backup>-_<HostName>.<Domain>_<DD>_<MMM>_<YYYY>_<HH>_<MM>_<SS>.tgz"
  to "backup_-<Name_of_Scheduled_Backup>-_<HostName>.<Domain>_<YYYY>_<MM>_<DD>_<HH>_<MM>_<SS>.tgz"
- User Space Firewall (USFW) is now enabled by default on all environments except Threat Emulation (TE) Appliances and Standalone setup.
- The default disk space limit for storing core dump files was increased:
  - Management Server - from 1000 MB to 5000 MB
  - Security Gateway in the Kernel Space Firewall (KSFW) mode - from 1000 MB to 5000 MB
  - Security Gateway in the User Space Firewall (USFW) mode - from 10000 MB to 15000 MB
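The old and new backup-name templates listed above differ only in the order of the date fields (day first before R82, year first from R82 on). That matters for any retention or monitoring script that reads these names, because a host that was upgraded keeps files in both templates, and a plain lexical sort of day-first names orders them incorrectly. The following Python example is added here and is not part of Check Point's documentation or software; it parses both templates for regular and scheduled backups and orders a mixed set by the timestamp each name encodes. It assumes that <MMM> in the pre-R82 scheduled template is a three-letter English month abbreviation (the release notes give only the placeholder), and every file name it uses is a constructed sample.

```python
from datetime import datetime
from typing import List, NamedTuple, Optional

# Assumption: <MMM> in the pre-R82 scheduled-backup template is a three-letter
# English month abbreviation. The release notes only give the placeholder.
_MONTHS = {m: i for i, m in enumerate(
    ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"), start=1)}


class BackupName(NamedTuple):
    kind: str             # "regular" or "scheduled"
    job: Optional[str]    # <Name_of_Scheduled_Backup>; None for regular backups
    host: str             # <HostName>.<Domain>
    taken_at: datetime    # timestamp decoded from the file name
    template: str         # "old" (day first) or "new" (year first, R82)


def parse_backup_name(name: str) -> Optional[BackupName]:
    """Decode a Gaia backup file name in either the pre-R82 or the R82 template.

    Returns None for names that match none of the four templates.
    """
    if not name.startswith("backup_-") or not name.endswith(".tgz"):
        return None
    stem = name[:-len(".tgz")]
    # The last six '_'-separated fields are the timestamp; the remainder is
    # the prefix (backup kind, optional job name, host).
    parts = stem.rsplit("_", 6)
    if len(parts) != 7:
        return None
    prefix, d1, d2, d3, hh, mi, ss = parts

    if prefix.startswith("backup_--_"):
        kind, job, host = "regular", None, prefix[len("backup_--_"):]
    else:
        # backup_-<Name>-_<HostName>.<Domain>: hostnames cannot contain '_',
        # so the last "-_" separates the job name from the host.
        job, sep, host = prefix[len("backup_-"):].rpartition("-_")
        if not sep or not job:
            return None
        kind = "scheduled"
    if not host:
        return None

    try:
        if len(d1) == 4:                 # R82 template: YYYY_MM_DD
            year, month, day, template = int(d1), int(d2), int(d3), "new"
        elif d2.isalpha():               # old scheduled template: DD_MMM_YYYY
            year, month, day, template = int(d3), _MONTHS[d2.title()], int(d1), "old"
        else:                            # old regular template: DD_MM_YYYY
            year, month, day, template = int(d3), int(d2), int(d1), "old"
        taken_at = datetime(year, month, day, int(hh), int(mi), int(ss))
    except (KeyError, ValueError):
        return None
    return BackupName(kind, job, host, taken_at, template)


def newest_first(names: List[str]) -> List[BackupName]:
    """Order a mixed set of old- and new-template names by encoded timestamp,
    which a plain lexical sort of the old day-first names would get wrong."""
    parsed = [b for b in map(parse_backup_name, names) if b is not None]
    return sorted(parsed, key=lambda b: b.taken_at, reverse=True)


if __name__ == "__main__":
    # Constructed sample file names, not taken from a real system.
    samples = [
        "backup_--_gw1.example.com_05_03_2024_14_30_00.tgz",                 # old regular
        "backup_--_gw1.example.com_2024_03_07_14_30_00.tgz",                 # R82 regular
        "backup_-nightly_full-_mgmt1.example.com_05_Mar_2024_02_00_00.tgz",  # old scheduled
        "backup_-nightly_full-_mgmt1.example.com_2024_03_06_02_00_00.tgz",   # R82 scheduled
        "cpinfo_output.tgz",                                                 # not a backup
    ]
    for b in newest_first(samples):
        print(f"{b.taken_at:%Y-%m-%d %H:%M:%S}  {b.kind:9}  {b.template:3}  {b.host}  {b.job or ''}")
```

Names that do not match any template (or carry an impossible date) are skipped rather than guessed at, so a cleanup job driven by `newest_first` never deletes a file it could not date.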
VSX
- In the Traditional VSX mode, the default value for concurrent connections in the Virtual System object was increased from 15,000 to 50,000 (Optimizations section > Capacity Optimization page).
- In the VSNext mode, the Expert mode command "clish -c" now supports the context of a Virtual Gateway / Virtual Switch with this syntax:
  clish -v <Virtual Device ID> -c "<Gaia Clish Command>"
VPN
- When a Check Point Management Server creates an IKE certificate, by default this certificate contains the "Server Authentication" attribute within the "Extended Key Usage" field.
- Changed the default value of "Maximum concurrent IKE negotiations" from 1,000 to 10,000 in the Security Gateway / ClusterXL object > the "Optimization" page.
- Changed the default value of the cphwd_medium_path_qid_by_mspi parameter from 1 to 0 and of the cphwd_medium_path_qid_by_cpu_id parameter from 0 to 1.
Quantum Maestro, Scalable Chassis, and ElasticXL
- A newly added Scalable Platform Member always clones the image from the SMO Member, regardless of the SMO Image Cloning state.
- Outputs of CLI commands were unified to use the same terms on an ElasticXL Cluster, a Maestro Security Group, and a Scalable Chassis:
  - "Site" (instead of "Chassis")
- The feature name changed from "Unique IP Address per Chassis" (UIPC) to "Unique IP Address per Site" (UIPS).
- On the Maestro Orchestrator MHO-175 ports, increased the default MTU size from 9216 to 10240 bytes.
- Automated creation of the management bond interface (MAGG). All management interfaces assigned to a Security Group are automatically assigned to this MAGG interface.
- If an administrator stops a Maestro Orchestrator with the "orchd stop" command (or reboots it), and the Orchestrator detects that other Orchestrators on the Maestro Site are not operational, then before stopping (or rebooting) the Orchestrator shows a warning and a prompt to the administrator.
- When an administrator changes the administrative state of a port on a Maestro Orchestrator, this change now survives an Orchestrator reboot and the restart of the Orchestrator daemon with the "orchd restart" command.
- On the Orchestrator, the Gaia Portal > Network Management section > Network Interfaces page now hides interfaces that are used for internal purposes:
  - Sync-ext
  - Sync-int
  - dl<number>
  - eth<number>
  - eth<number>-CIN<number>
  - swid0_eth
- On the Maestro Orchestrator, it is no longer supported to convert an existing Security Group from the 'Gateway' mode to the 'VSX' mode (by selecting the corresponding checkbox in the Security Group properties).
- The output of the Gaia gClish / Gaia Clish command "show interfaces" on Scalable Platforms was aligned with the output of this command on a regular Security Gateway.
- These CLI commands were deprecated and replaced. For each deprecated command, the replacement to use in the Expert mode and the replacement to use in Gaia gClish are listed:

  Deprecated command: asg cluster_site_admin
    Expert mode: cluster_site_admin -c <Site ID> {down | up}
    Gaia gClish: set cluster site-id <Site ID> admin-state {up | down}
                 set cluster sites-admin-state id <Site ID> {down | up}

  Deprecated command: asg conns
    Expert mode: insights
                 cluster-cli show connection --help
                 g_connview --help
    Gaia gClish: insights
                 show cluster info connection <parameter>

  Deprecated command: asg cores_stat
    Expert mode: insights
                 cluster-cli show cpu
    Gaia gClish: insights
                 show cluster info cpu

  Deprecated commands: asg diag, asg_diag, asg6 diag
    Expert mode: insights
                 hcp --help (run the applicable tests)
    Gaia gClish: insights

  Deprecated commands: asg if, asg_if, asg6 if
    Expert mode: insights
                 hcp --help (run the applicable tests)
                 cluster-cli show interfaces
    Gaia gClish: insights
                 show cluster info interfaces

  Deprecated command: asg perf
    Expert mode: insights
                 cluster-cli show --help
    Gaia gClish: insights
                 show cluster info <parameter>

  Deprecated commands: asg resource, asg6 resource
    Expert mode: insights
                 cluster-cli show --help
    Gaia gClish: insights
                 show cluster info <parameter>

  Deprecated commands: asg search, asg6 search
    Expert mode: insights
                 cluster-cli show connection --help
    Gaia gClish: insights
                 show cluster info connection <parameter>

  Deprecated command: asg_bond
    Expert mode: hcp --help (run the "Bond Health" test)
    Gaia gClish: N / A

  Deprecated command: asg_chassis_admin
    Expert mode: cluster_site_admin -c <Site ID - 1 or 2> {down | up}
    Gaia gClish: N / A

  Deprecated command: toggle_same_vmac
    Expert mode: toggle_same_vmac_os
    Gaia gClish: N / A

  Deprecated commands: show chassis id {1|2} general unique_ip
                       set chassis id {1|2} general unique_ip
                       delete chassis id {1|2} general unique_ip
    Expert mode: N / A
    Gaia gClish: show cluster configuration unique-ip <Site ID> interface <parameters>
                 set cluster configuration unique-ip <Site ID> interface <parameters>
                 delete cluster configuration unique-ip site-id <Site ID> interface <parameters>

  Deprecated commands: show chassis high-availability <parameters>
                       set chassis high-availability <parameters>
    Expert mode: N / A
    Gaia gClish: show cluster configuration high-availability <parameters>
                 set cluster configuration high-availability <parameters>

  Deprecated commands: show smo, set smo, delete smo
    Expert mode: N / A
    Gaia gClish: show cluster <parameters>
                 set cluster <parameters>

  Deprecated command: asg_collect_vsx_logs
    Expert mode: cpinfo -h (see sk92739)
    Gaia gClish: cpinfo -h (see sk92739)

  Deprecated command: drop_monitor
    Expert mode: N / A
    Gaia gClish: N / A

  Deprecated command: asg_affinity_enhance
    Expert mode: N / A
    Gaia gClish: N / A
Notes:
- In the Expert mode, the command "cinfo" is the alias for the command "cluster-cli show info".
- For information about the new commands, see the R82 Scalable Platforms Administration Guide > Chapter "Working with Command Line".
Security Gateway
- In the feature "Hide NAT behind IP Address Range", it is now possible to configure the Security Gateway to select the Hide NAT IP address based on the combination of the source IP address and the source port. See sk105302.
- Improved the output of the adlogconfig command. See the R82 CLI Reference Guide.
- In the Threat Prevention Engine Settings, the default "Connection Unification" period changed from 600 minutes to 180 minutes (in SmartConsole, click "Manage & Settings" > "Blades" > in the "Threat Prevention" section, click "Advanced Settings" > click the "General" page).
Mobile Access
- Changed the default value of the "max_concurrent_vpn_tunnels" parameter from 200 to 10000 in VSX environments.
QoS
- QoS policy now supports different Service objects with the same Destination Port and different Source Ports.
SmartConsole
- Upgraded the SmartConsole .NET Framework from 4.5 to 4.8.
- Upgraded the SmartConsole Visual C++ Redistributable from 2012 to 2019.
- Hovering over the SmartConsole icon on the Windows OS taskbar now shows the SmartConsole version in the tooltip in this format:
  <IP_Address>-<Version>-SmartConsole
- The "HTTPS Inspection" tab was removed from the Legacy SmartDashboard.