Introduction | What's New | Documentation | Downloads | Released Hotfixes | Additional Downloads and Products | Revision History
Introduction
R80.20, part of the Check Point Infinity architecture, delivers the most innovative and effective security that keeps our customers protected against large scale, fifth generation cyber threats.
The release contains innovations and significant improvements in:
Gateway performance
Advanced Threat Prevention
Cloud Security
Access policy
Consolidated network and endpoint management capabilities
Enhanced configuration and monitor abilities for Mail Transfer Agent (MTA) in SmartConsole for handling malicious mails
Configuration of ICAP Server with Threat Emulation and Anti-Virus Deep Scan in SmartConsole
Automatic download of IPS updates by the Security Gateway
SmartConsole support for multiple Threat Emulation Private Cloud Appliances
SmartConsole support for blocking archives containing prohibited file types
Threat Extraction
Full ClusterXL HA synchronization, access to the original files is available after a failover
Support for external storage
Threat Prevention Indicators (IoC) API
Management API support for Threat Prevention Indicators (IoC)
Add, delete, and view indicators through the management API
Threat Prevention Layers
Support layer sharing within Threat Prevention policy
Support setting different administrator permissions per Threat Prevention layer
MTA (Mail Transfer Agent)
MTA monitoring, e-mails history views and statistics, current e-mails queue status and actions performed on e-mails in queue
MTA configuration enhancements
Setting a domain object as next hop
Ability to create an access rule to allow SMTP traffic to a Security Gateway
Create a dedicated Threat Prevention rule for MTA
MTA enforcement enhancements
Replacing malicious links in an email with a configurable template
Configurable format for textual attachments replacement
Ability to add a customized text to malicious e-mails' body or subject
Tagging malicious-mails using X-header
Sending a copy of the malicious e-mail to a predefined recipients list
Improvements in policy installation performance on R80.10 and above Security Gateways with IPS
Performance impact of "Suspicious Mail Activity" protection in Anti-Bot was changed to "High" and is now off by default
CloudGuard IaaS Enhancements
Automated Security Transit VPC in Amazon Web Services (AWS) - Automatically deploy and maintain secured scalable architecture in Amazon Web Services
Integration with Google Cloud Platform
Integration with Cisco ISE
Integration with Nuage Networks
Automatic license management with the CloudGuard IaaS Central Licensing utility
Monitoring capabilities integrated into SmartView
Data center objects can now be used in access policy rules installed on 41000, 44000, 61000 and 64000 Scalable Platforms
Access Policy
Updatable Objects - a new type of network objects that represent an external service such as Office 365, Amazon Web Services, Azure GEO locations and more, and can be used in the Source and Destination columns of an Access Control policy. These objects are dynamically updated and kept up-to-date by the Security Gateway without the need to install a policy
Wildcard network object in Access Control that represents a series of IP addresses that are not sequential
Only for Multi-Domain Server: Support for scheduled policy installation with cross-Domain installation targets (Security Gateways or Policy Packages)
Rule Base performance improvements, for enhanced Rule Base navigation and scrolling
Global VPN Communities (previously supported in R77.30)
Support for using NAT64 and NAT46 objects in Access Control
Security Management Server can securely connect to Active Directory via a Security Gateway if the Security Management Server has no connectivity to the Active Directory environment and the Security Gateway does
Identity Awareness
Identity Tags support the use of tags defined by an external source to enforce users, groups or machines in Access Roles matching
Improved SSO Transparent Kerberos Authentication for Identity Agent, LDAP groups are extracted from the Kerberos ticket
Two Factor Authentication for Browser-Based Authentication (support for RADIUS challenge/response in Captive Portal and RSA SecurID next Token/Next PIN mode)
Identity Collector
Support for Syslog Messages - ability to extract identities from syslog notifications
Support for NetIQ eDirectory LDAP Servers
Additional filter options - "Filter per Security Gateway" and "Filter by domain"
Improvements and stability fixes related to Identity Collector and Web API
New configuration container for Terminal Servers Identity Agents.
Active Directory cross-forest trust support for Terminal Servers Agent
Identity Agent automatic reconnection to prioritized PDP gateways
HTTPS Inspection
Hardware Security Module (HSM) support – outbound HTTPS Inspection stores the SSL keys and certificates on a third party dedicated appliance
Additional ciphers supports for HTTPS Inspection (for more information, see sk104562)
Mirror and Decrypt
Decryption and clone of HTTP and HTTPS traffic
Forwarding traffic to a designated interface for mirroring purposes
Clustering
New CCP Unicast - a new mode in which a cluster member sends the CCP packets to the unicast address of a peer member
New Automatic CCP mode - CCP mode is adaptive to network changes, Unicast, Multicast or Broadcast modes are automatically applied according to network state
Enhanced cluster monitoring capabilities
Enhanced cluster statistics and debugging capabilities
Enhanced Active/Backup Bond
Support for more topologies for Synchronization Network over Bond interfaces
Improved cluster synchronization and policy installation mechanism
New grace mechanism for cluster failover for improved stability
New cluster commands in Gaia Clish
Improved clustering infrastructure for RouteD (Dynamic Routing) communication
Gaia OS
Upgraded Linux kernel (3.10) - applies to Security Management Server only
New file system (xfs)
More than 2TB support per a single storage device
Enlarged systems storage (up to 48TB)
I/O related performance improvements
Support of new system tools for debugging, monitoring and configuring the system
iotop (provides I/O runtime statistics)
lsusb (provides information about all devices connected to USB)
lshw (provides detailed information about all hardware)
lsscsi (provides information about storage)
ps (new version, more counters)
top (new version, more counters)
iostat (new version, more counters)
Advanced Routing:
Allow AS-in-count
IPv6 MD5 for BGP
IPv4 and IPv6 OSPF multiple instances
Bidirectional Forwarding Detection (BFD) for gateways and VSX, including IP Reachability detection and BFD Multihop
Multiple simultaneous sessions in SmartConsole - One administrator can publish or discard several SmartConsole private sessions, independently of the other sessions
SmartConsole Accessibility features
Keyboard navigation - ability to use the keyboard alone to navigate between the different SmartConsole fields
Improved experience for the visually impaired, color invert for all SmartConsole windows
Required fields are highlighted
Logging and Monitoring
Log Exporter - an easy and secure method to export Check Point logs over Syslog to any SIEM vendor using standard protocols and formats
Ability to export logs directly from a Security Gateway (previously supported in R77.30)
Unified logs for Security Gateway, SandBlast Agent and SandBlast Mobile for simplified log investigation
Enhanced SmartView in browser:
Log viewer with log card, column profile and statistics
Export logs with custom or all fields
Automatic-refresh for views
Relative time frame support
Improved log viewer with cards, profiles, statistics and filters
I18N support for 6 languages (English, French, Spanish, Japanese, Chinese, Russian)
Accessibility support - keyboard navigation and high contrast theme
SmartProvisioning
Integration with SmartProvisioning (previously supported in R77.30)
Support for the 1400 series appliances
Administrators can now use SmartProvisioning in parallel with SmartConsole
Mobile Access
Support for reCaptcha, keep abusive automated software activities from interfering with regular portal operations
Support for One Time Password (OTP) without any hardware tokens
Endpoint Security Management Server
Endpoint Security Server is now part of the main train.
Support for SandBlast Agent, Anti-Exploit and Behavioral Guard policies
SandBlast Agent push operation to move/restore files from quarantine
Directory Scanner initial scan and full rescan takes significantly less time
Stability and performance enhancements for Online Automatic Synchronization (High Availability)
Endpoint Security Management features that are included in R77.30.03:
Management of new Software Blades:
SandBlast Agent Anti-Bot
SandBlast Agent Threat Emulation and Anti-Exploit
SandBlast Agent Forensics and Anti-Ransomware
Capsule Docs
New features in existing Software Blades:
Full Disk Encryption
Offline Mode
Self Help Portal
XTS-AES Encryption
New options for the Trusted Platform Module (TPM)
New options for managing Pre-Boot Users
Media Encryption & Port Protection
New options to configure encrypted container
Optical Media Scan
Anti-Malware:
Web Protection
Advanced Disinfection
Compliance
User can create custom best practices based on scripts
Support for 35 regulations including General Data Protection Regulation (GDPR)