Policy Layers and Sub-Policies enable flexible control over the security policy behavior.
Build a rule base with layers, each with a set of the security rules. Layers are inspected in the order in which they are defined, giving control over the rule base flow and precedence of security functionality. If an "Accept" action is done in a layer, inspection continues in the next layer.
Sub-Policies are sets of rules that you attach to specific rules. If the rule is matched, inspection continues in the sub-policy attached to the rule. If the rule is not matched, the sub-policy is skipped. For example, a sub-policy can manage a network segment or branch office.
Policy Layers and Sub-Policies can be managed by specific administrators, according to their permission profile, allowing easy responsibility delegation in the team.
Unified Security Policies
Access Control policy unifies the Firewall, Application Control & URL Filtering, Content Awareness, and Mobile Access Software Blade policies.
Threat Prevention policy unifies the IPS, Anti-Virus, Anti-Bot, Threat Extraction, and Threat Emulation Software Blade policies.
Access Control Policy
New Content Awareness Software Blade adds visibility and control over data transfers in the network traffic, using data types based on content, file types, and direction.
Application Control enhancements:
Added Recommended Services to Applications for easier configuration of the unified policy.
Applications matched on Recommended Services, customized set of services, or Any service.
New Protocol Signature added to Service object, to enhance policy matching security and granularity.
Mobile Access policy rules can be defined in the main, unified Access Control Policy:
Unified rules can define access from different client types to the same resources.
Explicit rules can block specified Mobile Access traffic.
Ability to define access to resources from specified client types only.
Security Zones: Group interfaces of gateways into Security Zones for new Source and Destination definitions.
Fully Qualified Domain Names (FQDN): Additional mode for Domain objects, to match fully qualified domain names with forward DNS lookup.
Acceleration of Domain Objects, Dynamic Objects, and Time Objects.
New tracking options in Unified Rule Base.
Improvement of policy installation time duration.
Threat Prevention Policy
Multiple profiles for each Security Gateway, to enforce granular Threat Prevention policies.
Faster Threat Prevention policy installation.
IPS is integrated into the Threat Prevention policy Rule Base and policy installation.
Threat Prevention profiles support IPS protection activation based on property tags.
The new Check Point Labs lets you experience new features and send feedback to Check Point. The first Check Point Labs feature lets you see information on Session changes before you publish.
VPN and Mobile Access Enhancements:
VPN multicore performance with CoreXL multicore scalability for VPN traffic inspected by Next Generation Firewall, Next Generation Threat Prevention, and Next Generation Threat Extraction Software Blades.
NAT-T support for Site-to-Site VPN.
TLS 1.2 support for Mobile Access and portals.
Multiple login options with multi-factor authentication schemes for users of different clients and portals.
A Mobile Access transparent Reverse Proxy, allowing external users to access internal resources, without the Mobile Access Portal.
Identity Awareness Enhancements:
Up to 200,000 Identity sessions per gateway.
Gateway REST API to manage identities from 3rd party or customized system.
Identity Collector - New agent that collects identity information from different sources (AD and ISE), for large environment scalability.
New RADIUS Accounting attribute parsing and IPv6 support.
Enhanced handling of nested user groups for AD LDAP using LDAPv3.
Enforce remote access client type in access role.
Detect users located behind HTTP proxy using X-Forward-For header granularity per Access Control Policy Layer.
Threat Prevention Enhancements:
Threat Emulation MTA (Mail Transfer Agent) support in VSX. You can run MTA for each VS instance.
Threat Extraction support for VSX Gateways.
Snort rules can be imported from SmartConsole.
Importing Custom Indicators (IoC) is supported from SmartConsole.
NAT Enhancements :
Improved scalability of hide NAT on high end multicore gateways, allowing maximum usage of available hide ports by dynamically assigning available ports to the cores. See sk103656.
IP Pool NAT performance enhancement: CoreXL multicore scalability for IP Pool NAT connections.
Netflow support for IPFIX (with NAT and IPv6 flow records).
IPv6 DHCP relay with ClusterXL (Security Gateway and VSX modes).
Dynamic Routing Enhancements:
RIPng with VRRPv2.
SNMP enhancements for routing.
BGP 4-Byte AS and Local AS.
64-bit support for VSX Gateways, increasing concurrent connections capacity.
Content Awareness for VSX Gateways.
The MAC Magic value is acquired automatically and is backward compatible with gateways that were configured manually in earlier versions.
For VSX Clusters in Load Sharing environments (VSLS), Backup members can communicate with external networks and receive updates, in addition to Active and Standby members.
Connectivity Upgrades now support synchronization of Dynamic Routing.
Unified architecture and management console for Security Management and Multi Domain Security Management.
New and improved views for Domain Management and Global Assignment.
Role-based & Concurrent Administration - Several administrators can work in parallel on the same security policy, with granular and flexible privilege delegation to each administrator.
A new advanced locking mechanism ensures administrators do not overwrite each others' work.
Rich administrator profiles for exact privileges each administrator will have, including managing specific policies or network segments, viewing specific logs, and conducting security operations, such as installing policy.
Secured Automation and Orchestration - CLI and API for Security Management enables full integration with 3rd party systems and automation of daily operations. Automation and SmartConsole management operations are allowed based on the same privilege profile.
Faster Day to Day Operations
Integrated logging to see all logs related to a rule in the same screen.
Detailed rule information of who created the rule and when, hit counts, and user-defined data, such as ticket numbers.
Enhanced search capabilities to quickly find any rule or object in the system.
Enhanced Management High Availability synchronizes only changes between servers, significantly improving efficiency.
Next Generation Logs, Events and Reports
Analyze hundreds of millions of logs per day with graphical views and reports, customized to address specific requirements.
Logging, monitoring, and report aspects also available in the Web-based interface.
Free-text search of logs and events with auto-suggest and favorites, with results in seconds.
New and Enhanced Revision Management Capabilities
Built-in database revision control.
Install a specific version of policies.
Change to a specific version of IPS package.
Cloud Demo: Experience R80.10 management scenarios on any computer. See sk103431.
vSEC Controller: Natively integrates with the leading private and public cloud platforms, such as VMware vCenter & NSX, CISCO ACI, AWS, Azure, OpenStack, and more. vSEC Controller provides dynamic security policy and visibility, which automatically adapts to changes in the cloud environments. This provides simple automated security across physical, virtual, and cloud environments, from a single Unified Management solution.
Note: Over the past months Check Point identified few performance edge cases that were resolved in Jumbo Hotfix Accumulator Take 154 and above. Effective October 24, 2018, Check Point recommends to install the latest Jumbo Hotfix Accumulator Take and the latest Application Control update.
Effective June 12th, 2019, SmartConsole package has been updated (Build 128). See sk119612.