Check Point R80.20 for Small and Medium Business Appliances

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk159173
Product	Branch Office Appliances
Version	R80.20
OS	Gaia Embedded
Platform / Model	1500
Date Created	17-Oct-2019
Last Modified	17-Oct-2019

Solution

Table of Contents

Introduction
What's New in R80.20 for SMB Appliances
Downloads
Known Limitations
Documentation
Revision History

Introduction

The next family of our Small and Medium Business appliances is based on R80 code.

Check Point's R80.20 release for Small and Medium Business Appliances is supported only on the new 1500 Series Security Gateways. For more information about the 1500 Series, refer to sk157412: 1500 Series Security Gateways.

Check Point is committed to providing the best and most up-to-date security for all deployments including small businesses, medium businesses, and branch offices. The existing 700, 900, 1200R, and 1400 appliance lines will continue to be supported with our R77.20.xx code base.

What's New in R80.20 for SMB Appliances

SMB Next Generation Appliances are R80 code aligned, increasing performance and bringing cutting-edge enterprise grade security to your small and medium size business.

Centrally and locally managed enhancements

Application Control and Threat Prevention blades use security packages aligned to enterprise grade appliances to enable comprehensive security.

Automatic Device recognition and discovery.

Multicore VPN and VPN hardware enabled acceleration.

Additional ciphers support for HTTPS Inspection (see sk104562).

WatchTower application enhanced features.

Centrally managed enhancements (will be available in the R80.30 Jumbo Hotfix Accumulator and R80.40 Security Management Server releases)

Policy layers and sub-policy support for centrally managed mode.

Unified access policy support for centrally managed mode (Firewall, Application Control, and URL Filtering).

Unified Threat Prevention policy (IPS, Anti-Virus, Anti-Bot, and Threat Emulation Software Blade policies).

Acceleration of Domain Objects, Dynamic Objects, and Time Objects for centrally managed mode.

Wildcard network object in Access Control that represents a series of IP addresses that are not sequential.

Locally managed enhancements

New Threat Prevention blade control: Unified Threat Prevention policy, easy and intuitive to set and control.

New SSL inspection enforcement: Simultaneously support light SSL and Full SSL inspection.

Improved High Availability mechanism.

WiFi Monitoring - wireless active devices: Track connected devices, signal strength, channel used, and more.

WiFi Monitoring - Access point: Monitor your WiFi environment to identify congested channels, frequency used, and signal strength.

Audit logs - Log Admin Activities was added to System logs.

Downloads

Note: To download this package you will need to have a Software Subscription or Active Support plan.

Download Package Link

R80.20.00 Build 992000668 for 1500 Appliances

Known Limitations

The following R77.20.87 features are not yet supported:

IMAPS

Private Threat Emulation

MAC filtering and ARP spoofing

FTP is not inspected by Anti-Virus.

IPv6

VoIP H323 is partially supported. For more information, refer to SMB-10136 in sk159772.

Centrally managed support (will be supported in R80.30 Jumbo Hotfix Accumulator and R80.40 Security Management Server releases).

LSM support (will be supported in R80.30 Jumbo Hotfix Accumulator and R80.40 Security Management Server release).

The following R77.20.87 Known Limitations still apply to R80.20:

Unsupported features:

Mobile Access

Monitoring

Data Loss Prevention (DLP)

Threat Extraction

Mail Transfer Agent (MTA)

Anti-Virus (scans the files only in their compressed form)

Content Awareness

Cluster: only HA is supported (load sharing is not supported)

R80.20 Known Limitations (gaps between Gaia Embedded and Gaia):

See sk159772: Check Point R80.20.xx for 1550 / 1590 Appliance Features and Known Limitations

ID Description

General

SMB-10301
IPv6 packet inspection is not supported and therefore IPv6 traffic will be dropped.
To allow IPv6 traffic:

Go to Device > Advanced Settings > Stateful Inspection - Allow IPv6 packets.

Set the parameter to "true".

Unified Access

SMB-8464 When a QoS rule is configured to be applied to a specific time/day/date, it is not limited to those specifications.

SMB-7992 In locally managed appliances, H.323 is not supported in the hide NAT configuration.

- Identity awareness AD query functionality is supported when the domain controller server is part of one of the internal networks.

Threat Prevention

SMB-9351 Threat emulation is not supported with remote emulation appliances.

SMB-9808 FTP traffic is not inspected by the Anti-Virus blade.

SMB-10233 IMAPS is not supported in the Threat Prevention Software Blades.

SMB-9988
The "Import IPS protections" option fails if done via the WebUI. Offline updates can be installed via CLI.

SMB-10433 In Centrally Managed Gateways, you can not fetch the IPS package from Management.
Workaround:

To install the package:

Enter expert mode.

Copy $FWDIR/state/local/AMW/local.sd_updates to /storage partition.

Run: online_update_cmd -b IPS -o offlineUpdate -f storage/local.sd_updates

VPN and Remote Access

SMB-9846 When changing the configuration of an existing VPN Tunnel interface (VTI) from numbered to unnumbered or vice versa, routes which contain the VTI interface as a destination must be redefined.

SMB-10127 In the Logs & Monitoring tab, the "Decrypt" action does not appear on some configurations (for example, PPPoE) but the functionality still works.

SMB-10115
In locally managed mode: When configuring a VPN tunnel with PSK/certificate authentication methods in IKEv2 mode, and a peer in the community is configured with dynamic IP, the tunnel fails to establish.
Workaround:

Go to the VPN tab > Site > Encryption settings.

Select a specific encryption method instead of the default suites.

SMB-10431 During a cluster failover, connected Remote Access users may be disconnected.

Embedded Gaia

SMB-10086 Certain CLISH commands allow configuration of a DMZ interface even though there is no DMZ port on the appliance (relevant to v0 only).

SMB-10169 Protected devices with names in a non-English language are not displayed properly in the WebUI or on a mobile device due to database restrictions.

SMB-10266 Audit Logs will not be displayed for the following operations:

Operations that are done before the First Time Configuration Wizard has finished.

Operations that are done from SmartProvisioning.

Dynamic routing, fw, cpwd_admin, upgrade and restore CLI commands.

For some operations, the audit log will be "admin executed <command_name> command". The log will be written even if the command failed.

Documentation

User Guides

1500 Appliance R80.20 Release Notes

1550 Appliance R80.20 Getting Started Guide

1590 Appliance R80.20 Getting Started Guide

1500 Appliance Series R80.20 Locally Managed Administration Guide

1500 Appliance Series R80.20 Centrally Managed Administration Guide

SMB 1500 Appliance CLI Guide R80.20 Reference Guide

Related SecureKnowledge Articles

sk157412: 1500 Series Security Gateways

sk159772: Check Point R80.20 for 1500 Appliances Features and Known Limitations

Related Datasheet

1500 Security Gateways Datasheet

Revision History

Show / Hide this section

Date Description

17 Oct 2019 First Release of this document.

Check Point CheckMates Community

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating