What's New

Improved DNS Security Capabilities

This release provides new and enhanced DNS security capabilities with the addition of:

• Advanced DNS protection against Non-Existent Domain (NXNS) Attack.

• Support for DNS over HTTPS (DoH) protocol.

• Configuration Granularity - Advanced DNS Security settings in the Threat Prevention profile.

• Detailed DNS Security statistics - Now available in the SmartView Dashboard.

HTTPS Inspection

This release sets a new standard with breakthrough performance, unmatched simplicity, and effortless deployment of HTTPS Inspection. Now, you can significantly increase your security without sacrificing speed or user experience. Embrace cutting-edge technology that transforms HTTPS Inspection into a seamless, innovative solution, ensuring your systems stay secure and your users stay satisfied.

• Enhanced HTTPS Inspection UI - HTTPS Inspection is fully managed in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.:

  • Enhanced HTTPS Inspection policy - A dedicated policy for inbound inspection, including certificate management views for both inbound and outbound policies and enhanced default outbound policy.

  • Trusted CA package - A new view to manage Trusted certificates and see the status of the trusted CA package

  • HTTPS Advanced settings - A new view to configure advanced settings, including R82 new features.

• Client Side Fail mode - This new feature automatically detects failures in inspected HTTPS connections caused by client-side issues, such as certificate-pinned applications. When a failure is detected, the connection is flagged to be bypassed in future attempts, and Artificial intelligence (AI) learns from these failures to identify similar connections.

  • Endpoint Detection - Identifies endpoints without deployed outbound CA certificate.

• Learning mode:

  • Gradual & Smart deployment - Activated during the deployment of HTTPS Inspection, inspecting a minor percentage of traffic over two weeks.

  • Network Learning - Gathers insights into network behavior and detects potential connectivity issues for Artificial intelligence consideration.

  • Performance Prediction - Estimates the impact on performance when HTTPS Inspection is fully implemented.

• Bypass Under Load - Bypasses HTTPS connections when the Security Gateway experiences high CPU load.

• HTTPS Inspection monitoring - Introducing the HTTPS Inspection statistics view in SmartView, including bypass/inspect statistics.

Quantum Security Gateway

New Clustering Technology

• ElasticXL - A new clustering technology delivering simplified operations with a Single Management Object Single Security Gateway object in SmartConsole that represents a Security Group configured on a Quantum Maestro Orchestrator / Scalable Chassis. Acronym: SMO. and automatic sync of configuration and software between all cluster members.

Dynamic Policy Layer

• Fully automated, API-controlled policy layer that allows dynamic policy changes to be implemented directly on the Security Gateway in seconds without involving Security Management or installing Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection..

Identity Awareness

• Quantum Gateways can now use multiple external Identity Providers defined in the Check Point Infinity Portal, providing a cross product unified identity management.

• Improved resiliency in case of connectivity loss to the PDP Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: acquires identities from identity sources; shares identities with other gateways. by adding new Identity Cache Mode for Identity Sharing protocols.

IPsec VPN

• Added support for ML-KEM (Kyber768) as required by the FIPS 203 standard to address Post-Quantum Cryptography (PQC).

• Automatically detect configuration changes in AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services., Azure, and GCP Google® Cloud Platform is a suite of products and services that includes hosting, cloud computing, database services and more. public clouds and adjust the VPN settings ensuring connection stability.

• Introducing the Advanced VPN Monitoring tool that shows information on each VPN Tunnel An encrypted connection between two hosts using standard protocols (such as L2TP) to encrypt traffic going in and decrypt it coming out, creating an encapsulated network through which data can be safely shared as though on a physical private line. and tracks its health and performance.

• Enhanced Link Selection

  • Interoperability:

    • Uses public IP addresses as tunnel identifiers to establish separate tunnels for each link.

    • Uses Dead Peer Detection (DPD) as the link probing protocol instead of the proprietary "Reliable Data Protocol" (RDP).

  • Redundancy:

    • Allows redundancy of VPN tunnels including third-party and native cloud VPN peers.

  • Granularity:

    • Ability to configure the Security Gateway to use different VPN interfaces in different VPN communities.

Remote Access VPN

• Security Gateway now supports the IKEv2 protocol for connections from Remote Access VPN An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. Clients (E88.40 and higher).

Mobile Access

• Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. Policy and Capsule Workspace configurations are now available in SmartConsole.

• SAML authentication support for Mobile Access clients that allows seamless integration with third-party Identity Providers.

• New Management API calls for Capsule Workspace configuration. See the Check Point Management API Reference > section "Mobile Access".

Dynamic Routing

Added support for new Dynamic Routing capabilities:

• BGP Extended Communities (RFC 4360).

• BGP Conditional Route Advertisement and Injection.

• Routing Table Monitor for Event Record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy. Triggers.

• IPv4 and IPv6 Router Discovery on cluster members.

• Router Preference and Route Information option.

• Route age information.

• IPv4 PIM-SSM with non-default prefixes.

• IPv4 PIM with BFD.

• IPv4 PIM neighbor filtering.

• IPv4 PIM RPT to SPT switchover control.

• IPv6 Protocol Independent Multicast (PIM) and Multicast Listener Discovery (MLD).

Added support for new Dynamic Routing API calls:

• REST API calls for BGP, PIM, Multicast Listener Discovery (MLD).

• REST API calls for Route Redistribution, Inbound Route Filters, and NAT Pools.

• REST API calls for IGMP.

See the Check Point Gaia API Reference v1.8 (and higher) > section "Networking".

Performance and Infrastructure

• HyperFlow acceleration of elephant flows for the SMB/CIFS protocol.

• HyperFlow acceleration of elephant flows for the QUIC protocol.

• Quantum Security Gateway log rate output capacity increased by up to 100% through a new multi-process architecture.

Quantum Maestro, Scalable Chassis, and ElasticXL

This release features improvements in managing and monitoring Scalable Platform clusters, which include:

• Support for REST API:

  • New API calls on Quantum Maestro Orchestrator A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO. to configure and monitor Maestro Security Groups A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected., Gateways, Sites, and Ports.

    See the complete list of available API calls in the Check Point Gaia API Reference v1.8 and higher > section "Maestro".

  • Support for Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. REST APIs on Scalable Platform Members.

• Support for Gaia First Time Configuration Wizard on Quantum Maestro Orchestrators with ability to configure the Maestro Site settings.

• Support for authentication to secure the synchronization connections between Quantum Maestro Orchestrators.

• Support for SNMP Queries on each Security Group Member.

• Support for LLDP on Uplink, Sync, and Management ports of Quantum Maestro Orchestrators.

• New page "Ports" in Gaia Portal on Quantum Maestro Orchestrator. This page shows a summary and interactive view of port configuration, runs diagnostics on ports, and blinks a port LED for identification.

• New page "Cluster Management" in Gaia Portal on ElasticXL / Security Group. This page shows the state and performance of Scalable Platform Members.

• "insights" - New CLI tool to monitor the entire Scalable Platform cluster in both Expert mode and Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators and for Security Gateway Modules on Scalable Chassis. Commands you run in this shell apply to all Security Gateway Module / Security Appliances in the Security Group..

• New Gaia gClish commands "show cluster" and "set cluster".

• Improved boot time and decreased number of reboots of Scalable Platform Members when there is a change in the Gaia OS configuration in a Scalable Platform.

• Improved upgrade simplicity:

  • This release introduces automatic updates for the CPUSE Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. Deployment Agent on Scalable Platforms. Manual deployment is no longer required.

  • Upgrade to R82 and higher no longer requires the "sp_upgrade" script and can be easily monitored with Scalable Platform monitoring tools.

• Additional snapshot mechanism to take small Gaia OS snapshots (lightshots).

VSX

Check Point VSX is enhanced with a new mode (VSNext), allowing simpler configuration, easier provisioning, and a similar experience to a physical Security Gateway.

The benefits of the new VSX mode are:

• Unified management experience between Check Point physical Security Gateways and Virtual Gateways, including the capability to manage each Virtual Gateway from a different Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

• Improves VSX provisioning performance and provisioning experience - creating, modifying, and deleting Virtual Gateways and Virtual Switches in Gaia Portal, Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., or with Gaia REST API.

• Management feature and API parity between Virtual Gateways (VGW) and physical Security Gateways.

• Managing different Virtual Gateways with different Security Management Servers, in addition to different Domain Management Servers Virtual Security Management Server that manages Security Gateways for one Domain, as part of a Multi-Domain Security Management environment. Acronym: DMS. on the same Multi-Domain Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..

Tools and Utilities

• New tool "connview" - a new consolidated troubleshooting tool for viewing connections information on the Security Gateway that works in the User Space Firewall (USFW).

• New tool "fw up_execute" - performs virtual Access Control / NAT Rule Base All rules configured in a given Security Policy. Synonym: Rulebase. execution. Given inputs based on logs or connections, the execution provides detailed information such as matched rules and classification information.

Gaia Operating System

Note - This section applies to Security Gateways, Management Servers, and Log Servers.

This release boosts Gaia OS with a new OS kernel and multiple new configuration options for better security, enhanced networking and a simpler experience.

The new capabilities are:

• Enhance Gaia OS with:

  • Support for Link Layer Discovery Protocol (LLDP) in the VSX mode.

  • DHCPv6 server, DHCPv6 client, and DHCPv6 client for prefix-delegation in Gaia Portal and Gaia Clish.

  • Ability to configure the order of the "AAA" authentication (TACACS, RADIUS, Local authentication) in Gaia Portal and Gaia Clish

  • DNS Proxy forwarding domains, which allows configuring specific DNS servers per DNS suffix.

• New Gaia OS configuration items:

  • Two-Factor Authentication for Gaia OS login using time-based authenticator apps (Google Authenticator and Microsoft Authenticator).

  • NTP pools and a larger number of NTP servers in Gaia Portal and Gaia Clish.

  • NFSv4 configuration.

  • Keyboard layout.

  • TLS configuration for a remote Syslog server in Gaia Portal and Gaia Clish.

• Support for storing a Gaia OS backup in Amazon S3 and Microsoft Azure Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. and restoring it from there.

Quantum Security Management

Security Management Server Enhancements

• The LDAP Account Unit object now uses the LDAP server name and CA certificate for LDAP trust. The trust is automatically renewed if an administrator renews or replaces the LDAP server certificate. As a result, Check Point servers keep their connectivity to the LDAP server.

• Support for Management API to run the "vsx_provisioning_tool" operations to configure VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. and VSX Cluster objects. See the Check Point Management API Reference > section "VSX" > command "vsx-provisioning-tool".

• Support for Management API to configure the "Data Type Classification of data in a Check Point Security Policy for the Content Awareness Software Blade." objects for the Data Loss Prevention Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP. and Content Awareness Check Point Software Blade on a Security Gateway that provides data visibility and enforcement. Acronym: CTNT. Software Blades. See the Check Point Management API Reference > section "Data Types".

• Security Gateways can now be managed by a Security Management Server hosted behind a public cloud or third-party NAT device.

• Support to manage up to 500 Security Gateways / Cluster Members, allowing concurrent policy installation on all managed Security Gateways / Cluster Members. See Maximum Supported Items.

• Support for SAML login in SmartConsole when Gaia Portal on the Management Server runs on a different port than the default port 443. See sk182032.

• Ability to verify an Access Control policy that contains unpublished changes.

• The "Access Rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. Name" and "Access Rule Number" fields will now prioritize information from administrator-defined rules by excluding Accept rules from the pre-defined Playblocks and IoT Access Policy layers.

SmartConsole

• Added the ability for the system account to install SmartConsole.

• Enhancements in the SmartConsole > "Gateways & Servers" view:

  • You can now see and manage the Recommended Jumbo Hotfix Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Accumulators and Recommended Software Updates for Security Gateway / Cluster objects and Check Point Host objects.

  • HealthCheck Point (HCP) tests are now integrated. You can see them as part of the Security Gateway's status. The feature is disabled by default.

Web SmartConsole

• These new Web SmartConsole capabilities are available for this release:

  • Threat Prevention Rule Base

  • HTTPS Inspection Rule Base

  • NAT Rule Base

  • Rule Base search

Central Deployment of Hotfixes and Version Upgrades in SmartConsole

Central Software Deployment through SmartConsole was enhanced and now supports:

• Uninstall of Jumbo Hotfix Accumulators.

• Installation of packages on ClusterXL High Availability mode in the "Switch to higher priority Cluster Member" configuration ("Primary Up").

• Installation of packages on Secondary Management Servers.

• Installation of packages on Dedicated Log Servers.

• Installation of packages on Dedicated SmartEvent Servers.

• Installation of packages from Standalone Servers.

• Package Repository per Domain on a Multi-Domain Security Management Server.

SmartProvisioning

• Star VPN Community A named collection of VPN domains, each protected by a VPN gateway. now supports Quantum Maestro Security Groups, VSX Gateways, and VSX Clusters as Center Gateways (Corporate Office Gateway).

Multi-Domain Security Management Server

• Ability to clone an existing Domain on the same Multi-Domain Security Management Server. See sk180631.

• Improved upgrade time of large Multi-Domain Security Management Server environments by up to 50%.

• New support for IPv6 configuration (only with Management API "set mds") on a Multi-Domain Security Management Server that allows Domains to communicate with the managed Security Gateways over IPv6.

• Automatic refresh of modified Global objects in SmartConsole that is connected to a non-Global Domain when a superuser assigns a Global Policy On a Multi-Domain Security Management Server, a policy defined in the Global Domain. You can assigns this Global Policy to Domains. to a Domain Management Server. See sk182307.

• Ability to select the Access Control, Threat Prevention, or both policies in a Policy Preset object.

Compliance

• Added Gaia OS Best Practice support for Quantum Maestro - presenting a consolidated Best Practices status for each Security Group Member Member of a Security Group in ElasticXL Cluster, Maestro, and Scalable Chassis. Acronym: SGM. and Orchestrators.

• Added Gaia OS Best Practice support for Quantum Spark Appliances (only for applicable Gaia OS Best Practices).

• Added Gaia OS Best Practice support for Log Servers.

• Added new regulations:

  • Center for Internet Security Benchmarks

  • Cyber Essentials v3.1

  • Cybersecurity Maturity Model Certification

  • Essential Eight & Strategies to Mitigate Cyber Security Incidents

  • IEC 62443-2-1 201

  • ISO 27001:2022

  • Israeli Cyber Defense Methodology 2.0

  • Network and Information Systems Directive 2

  • PCI DSS 4.0

  • TISAX 5.1

CloudGuard Network Security

CloudGuard Controller

• CloudGuard Controller Provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security. now supports Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. PDP (Identity Sharing).

• CloudGuard Controller now supports VMware NSX-T Global Manager to allow integration with VMware NSX-T VMware NSX-T is a network virtualization and security platform that builds security into the network virtualization infrastructure. v4.1.

• CloudGuard Controller for VMware NSX-T now uses Policy Mode APIs to import objects from an NSX-T Manager.

• Multi-Domain Security Management Server now supports Data Center Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores. They are collected in a group for secured remote storage, management, and distribution of data. objects and Data Center Query objects in the Global Policy.

Harmony Endpoint Web Management

• Client optimization for Windows servers - Harmony Endpoint now allows you to easily optimize the Endpoint Security clients for Windows servers, such as Exchange servers, Active Directory servers, Database servers, and so on, by manually assigning Windows server roles.

• Run Diagnostics - Using the Push Operation, an administrator can run a diagnostic check on endpoint clients.

  The reports show the total CPU and RAM usage for the last 12 hours, including the CPU usage by processes. Based on the report Summary of network activity and Security Policy enforcement that is generated by Check Point products, such as SmartEvent. data, Harmony Endpoint may offer suggested exclusions to optimize the endpoint performance. You can easily add an exclusion as part of "Global Exclusion" or "Exclusion per Rule".

• Exclusions Enhancements:

  • Exclusion description - You can now add comments to new or existing exclusions.

  • Global Exclusion - You can now easily add global exclusions that apply to all rules.

• Application Control for macOS - Control which applications can run or use networking.

• New Asset Management view:

  • Filters - A brand new look and functionality for filters that enhances operation and productivity, while using the Asset Management view.

  • Asset Management Table - Bigger asset management table to see all relevant data easily.

  • Columns reorder - New Column reorder option to customize the asset management table based on their specific needs by changing columns location.

• Linux Offline Package - Supports upload and export package for Linux OS clients.

• Support for Harmony Endpoint Management API on an on-premises Endpoint Security Management Server.

  The API is disabled by default for on-premises deployments. See the Harmony Endpoint Management API documentation.