Check Point R80.40
As networks continue to grow and the threat landscape continues to evolve, customers need security solutions that allow endless scalability and simple operations. With over 100 new features, R80.40 puts network security on the fast track, providing unified management for physical and virtual networks and for on-premises and cloud enforcement points. By consolidating all aspects of your security environment, it lets you deploy protections across your organization without impeding business innovation, and it gives full visibility into security across your network in a customizable visual dashboard, helping you monitor and focus on what matters to you. With its scalable, extensible architecture, you can manage the most complex environments easily and efficiently.
The release contains innovations and significant improvements such as:
SmartTasks - automates daily work with pre-defined or customizable actions
Dedicated HTTPS policy layer - protecting encrypted traffic against Gen V attacks
Zero-touch deployment from hours to minutes for installing new gateways
IoT Security Manager - identify IoT devices and seamlessly turn their attributes into IoT security policy
This release is initially recommended for customers who are interested in implementing the new features. Check Point will declare the version the default after significant adoption; it will then appear in the 'Showing Recommended Packages' section of the CPUSE tab in the Gaia Portal. Until then, Check Point's widely recommended version for all deployments is R80.30 Take 200 with the latest GA Take of the Jumbo Hotfix Accumulator.
HTTP/2 is an update to the HTTP protocol that improves speed, efficiency and security, resulting in a better user experience.
Check Point's Security Gateway now supports HTTP/2, benefiting from its speed and efficiency while providing full security with all Threat Prevention and Access Control blades, as well as new protections specific to the HTTP/2 protocol.
Support covers both cleartext and TLS-encrypted traffic and is fully integrated with HTTPS Inspection.
HTTPS Inspection Layer
Provides these new capabilities:
A new Policy Layer in SmartConsole dedicated to HTTPS Inspection.
Different HTTPS Inspection layers can be used in different policy packages.
Sharing an HTTPS Inspection layer across multiple policy packages.
Optimized Security and Productivity for the Different Modes – Threat Extraction works with Threat Emulation to give users more productivity without compromising security.
Background Mode is now called Rapid Delivery and prevents many more malicious files within the 3-second emulation window.
Hold Mode is now called Maximum Prevention and ensures that all documents cleaned by Threat Extraction are delivered quickly to end users. Maximum Prevention minimizes the time users wait without compromising security.
Automatic Engine Updates – As with the Threat Emulation engines, Threat Extraction engine updates can now be received automatically on your gateways. No hotfix or major version upgrade is needed; security improvements, new features and more arrive without intervention. To learn more, refer to the Advanced Threat Emulation Settings chapter in the R80.40 Threat Prevention Administration Guide.
Anti-Virus and SandBlast Threat Emulation
MITRE ATT&CK™ Reporting - Threat Emulation Forensics Reports now include a detailed MITRE ATT&CK matrix with the detected adversary tactics and techniques for every malicious executable file.
Enhanced Support for Archive Files - this engine release includes significant improvements in handling archive files:
Support for password-protected archives of all supported file types, including .7z and .rar. For more details, refer to sk112821.
An improved mechanism for automatically guessing the password when opening password-protected archives for emulation.
Added support for password-protected archives when the password includes Unicode characters.
Faster delivery of an emulation verdict for documents with embedded files.
Enhanced Support for Password-Protected Documents:
Admins can now configure a default action for password-protected documents. If such a file is emulated, the file is allowed or blocked by default. To configure a default action, follow the instructions in sk132492.
New File Types and Protocols:
Attachments from Nested MSG Files - Threat Emulation now supports emulation of files attached to MSG files that are themselves attached to other MSG files.
SCP and SFTP file transfers can be scanned using SSH Deep Packet Inspection.
SMBv3 Multi-Channel Connections – Multi-channel file transfer is on by default on all Windows operating systems. The Check Point Gateway is now the only gateway in the market that inspects large file transfers over SMBv3 (3.0, 3.0.2, 3.1.1) multi-channel connections.
Enhanced Logging for Emulated Archive Files:
The archive file log includes the names of all the files inside.
A new log is generated for every file extracted from the archive, with its emulation results. This log contains the name of the archive file, so the logs of the archive and of the files it contains correlate easily.
Importing SHA-256 IOCs - Anti-Virus now supports SHA-256 hashes as Indicators of Compromise (IOCs). Administrators can import SHA-256 IOCs manually or connect the gateway to a live feed of SHA-256 IOCs. For more information, refer to sk132193.
Replacing the Threat Emulation API Certificate - Administrators can now upload their own certificate to use for Threat Emulation API calls to their Threat Emulation appliance. For more information, refer to sk160693.
Enhanced Support for POP3 and IMAP Protocols - Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail over POP3 and improve inspection of e-mail over IMAP.
Enhanced Protection against BaseStriker - MTA Gateways now protect against malicious emails with URLs that use the BaseStriker technique.
Bounce Messages Behavior Change - The MTA is now configured to try to send a bounce message only once, whether or not it reaches its destination.
Enhanced Threat Emulation inspection for files behind shortened links - The body of an email sometimes includes customized Bitly links that point to files. With this release, Threat Emulation scans the files behind these links to detect zero-day attacks. This capability requires Threat Emulation and Anti-Virus to be enabled, and the MTA must be configured on the Security Gateway.
[Early Availability] Click-Time URL Protection - The MTA gateway can now rewrite links in incoming emails. When users click them, the resources (web sites or files) behind the links are inspected again. This prevents delayed attacks in which attackers replace the resource behind the link after the email is delivered.
[Early Availability] Anti-Phishing Engine - The MTA gateway introduces a new state-of-the-art Anti-Phishing engine that alerts on and prevents sophisticated phishing, spear phishing and targeted phishing attacks.
Support for Captive Portal integration with SAML 2.0 and third-party Identity Providers.
Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.
Enhancements to Terminal Servers Agent for better scaling and compatibility.
Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:
Improved privacy - Internal networks are not disclosed in IKE protocol negotiations.
Improved security and granularity - Specify which networks are accessible in a specified VPN community.
Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
Large Scale VPN (LSV) environment - LSV profiles make it possible to connect externally managed and third-party VPN peers seamlessly, simply by providing them with the same CA certificate used by the central Security Gateway.
Improved scalability and resilience.
Extended troubleshooting capabilities.
Improved performance, diagnostics and monitoring tools.
Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances share the same pool of NAT ports, which optimizes port utilization and reuse.
NAT port utilization monitoring in CPView and with SNMP.
Voice over IP (VoIP)
Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.
Remote Access VPN
Machine Certificate Authentication - use a machine certificate to distinguish corporate from non-corporate assets, with the ability to restrict access to corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).
Mobile Access Portal Agent
Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.
Priority Queues are enabled by default. For more information see sk105762.
Multi-Version Clustering (MVC) – During upgrades, ClusterXL works as a standard cluster whose members run different software versions, keeping redundancy between members and state synchronization.
New ClusterXL mode: Active-Active – several cluster members run in ACTIVE state; each member is part of a separate routing domain and handles its own traffic, and redundancy is kept during failover.
Geo-Clustering in Active-Active mode – The cluster Sync interface can be configured on different subnets, with L3 communication between the members over the Sync interface. This removes the requirement for L2 connectivity and a trusted network between the cluster members in Active-Active mode.
Support for Cluster Control Protocol (CCP) in Unicast mode for any number of cluster members, eliminating the need for CCP Broadcast, Multicast or Automatic modes.
Configuring VMAC does not require changing the NIC to promiscuous mode.
Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.
Cluster Control Protocol encryption is now enabled by default.
Support for VSX upgrade with CPUSE in Gaia Portal.
Support for Active Up mode in VSLS.
Support for CPView statistical reports for each Virtual System.
A simple Plug & Play setup process for installing an appliance, eliminating the need for technical expertise and for connecting to the appliance for initial configuration.
Gaia REST API
The Gaia REST API provides a new way to read information from, and send configuration to, servers that run the Gaia operating system. See sk143612.
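The Gaia REST API is session-based: a login call returns a session id, every later call must present that id in the X-chkp-sid header, and logout releases it. The Python client below is added here as an example and is not Check Point's own tooling or code from sk143612. The endpoint prefix https://<host>/gaia_api/, the login, show-hostname and logout command names, the {"name": ...} reply and the {"code": ..., "message": ...} error shape are assumptions to be checked against the API reference for your release; FakeGaia is a constructed stand-in for an appliance so the block runs offline.

```python
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

# A transport takes (url, headers, JSON body) and returns the raw response body,
# so the session logic can be exercised offline against a fake appliance.
Transport = Callable[[str, Dict[str, str], bytes], bytes]


def https_transport(ca_file: str, timeout: int = 30) -> Transport:
    """Real transport. The Gaia portal certificate is usually self-signed, so pin
    the certificate exported from the appliance instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=ca_file)

    def send(url: str, headers: Dict[str, str], body: bytes) -> bytes:
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.read()

    return send


class GaiaSession:
    """login -> commands carrying X-chkp-sid -> logout. A context manager, so the
    server-side session is released even when a command fails."""

    def __init__(self, host: str, transport: Transport) -> None:
        self.base = f"https://{host}/gaia_api/"  # assumed endpoint prefix (see sk143612)
        self.send = transport
        self.sid: Optional[str] = None

    def _call(self, command: str, payload: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if command != "login":
            if self.sid is None:
                raise RuntimeError(f"{command}: not logged in")
            headers["X-chkp-sid"] = self.sid
        reply = json.loads(self.send(self.base + command, headers, json.dumps(payload or {}).encode()))
        if "code" in reply:  # assumed error shape: {"code": ..., "message": ...}
            raise RuntimeError(f"{command}: {reply.get('message', reply['code'])}")
        return reply

    def login(self, user: str, password: str) -> str:
        self.sid = self._call("login", {"user": user, "password": password})["sid"]
        return self.sid

    def show_hostname(self) -> str:
        return self._call("show-hostname")["name"]  # assumed reply shape

    def logout(self) -> None:
        if self.sid is not None:
            try:
                self._call("logout")
            finally:
                self.sid = None

    def __enter__(self) -> "GaiaSession":
        return self

    def __exit__(self, *exc: Any) -> None:
        self.logout()


class FakeGaia:
    """Constructed stand-in for an appliance (not a real Gaia server): hands out
    one sid per successful login and rejects commands that do not present one."""

    def __init__(self, hostname: str = "gw-01", password: str = "s3cret") -> None:
        self.hostname, self.password = hostname, password
        self.sessions: set = set()
        self.calls: List[Tuple[str, Dict[str, str]]] = []

    def __call__(self, url: str, headers: Dict[str, str], body: bytes) -> bytes:
        command = url.rsplit("/", 1)[1]
        self.calls.append((command, dict(headers)))
        payload = json.loads(body)
        if command == "login":
            if payload.get("password") != self.password:
                return self._err("err_login_failed", "Authentication to server failed.")
            sid = f"sid-{len(self.calls)}"
            self.sessions.add(sid)
            return json.dumps({"sid": sid}).encode()
        sid = headers.get("X-chkp-sid")
        if sid not in self.sessions:
            return self._err("generic_err_missing_session_id", "Missing header: [X-chkp-sid]")
        if command == "show-hostname":
            return json.dumps({"name": self.hostname}).encode()
        if command == "logout":
            self.sessions.discard(sid)
            return json.dumps({"message": "OK"}).encode()
        return self._err("generic_err_command_not_found", command)

    @staticmethod
    def _err(code: str, message: str) -> bytes:
        return json.dumps({"code": code, "message": message}).encode()


def demo() -> Dict[str, Any]:
    """Full round trip against the fake appliance: login, one command, logout."""
    gw = FakeGaia()
    with GaiaSession("192.0.2.10", gw) as s:
        s.login("admin", "s3cret")
        name = s.show_hostname()
    return {"hostname": name, "open_sessions": len(gw.sessions),
            "commands": [c for c, _ in gw.calls]}


if __name__ == "__main__":
    print(demo())
```

Pin the certificate exported from the appliance in https_transport rather than turning verification off: the admin password and then the session id travel in every call, and an unverified TLS connection hands both to anyone on the path. Keep sessions short and always log out, because an unreleased sid stays valid until the server-side timeout.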
AWS Data Center enhancements:
Load Balancer (ALB and NLB) objects are supported.
Security Groups support the use of tags.
Subnet objects include IP addresses from all associated Network Interfaces.
Azure Data Center improvements:
Load Balancer (Public and Internal) objects are supported.
Load Balancers, Virtual Networks, and Network Security Groups support the use of tags.
Subnet objects include Front end IP addresses of the Internal Load Balancers.
Enhancements to OSPF and BGP allow resetting and restarting OSPF neighbor adjacencies for each CoreXL Firewall instance without restarting the routed daemon.
Enhanced route refresh for improved handling of BGP routing inconsistencies.
New kernel capabilities
Upgraded Linux kernel
New partitioning scheme (GPT):
Supports physical/logical drives larger than 2 TB.
Faster file system (XFS).
Support for larger system storage (up to 48 TB tested).
I/O related performance improvements.
Multi-Queue - Full Gaia Clish support for Multi-Queue commands.
SMB v2/3 mount support in Mobile Access blade.
Added NFSv4 client support (NFS v4.2 is the default NFS version used).
Support for new system tools for debugging, monitoring and configuring the system.
The 1500 appliance series can be managed by an R80.40 Security Management Server and R80.40 SmartProvisioning.
A new report for Management Server upgrades is available. It shows the current status and progress and is located on the target machine at $MDS_FWDIR/log/upgrade_report-<timestamp>.html. For CPUSE upgrades, the report is available in the CPUSE section of the Gaia WebUI.
Revert to Revision
The Security Management Server architecture has built-in revisions. Each publish operation saves a new revision containing only the delta from the previous revision, allowing:
Safe recovery from a crisis: restore a Domain or a Management Server to a known-good revision.
An improved policy verification process based on the difference between the current policy and the one in the revision database.
Back up and restore an individual Domain Management Server on a Multi-Domain Server.
Migrate a Multi-Domain Security Management from one Multi-Domain Server to a different Multi-Domain Server.
Migrate a Security Management Server to become a Multi-Domain Security Management on a Multi-Domain Server.
Migrate a Domain Management Server to become a Security Management Server.
SmartTasks and API
DevOps teams can automate their security and turn it into DevSecOps workflows using Ansible and Terraform: automate security responses to threats, provision both physical and virtualized next-generation firewalls, and automate routine configuration tasks, saving time and reducing configuration errors.