Check Point Maestro R80.30SP with Gaia 3.10

Table of Contents:

  • What's New
  • Downloads
  • Known Limitations
  • Documentation
  • Revision History

Security at Hyperscale
On demand expansion available for Security Gateways of all sizes

Operational Supremacy
Introduces new and simple ways to architect and manage cyber security

Cloud-Level Resiliency
Delivering the highest standard of resiliency with Telco-Grade Technology

What's New

R80.30SP is supported on 6200 Base/Plus, 6400 Base/Plus, 6600 Base/Plus, 6700 Base/Plus, 6900 Base/Plus, 7000 Base/Plus, 16000 Base/Plus/Turbo, 16200 Base/Plus, 26000 Base/Plus/Turbo, 28000 Base/Plus, 16600 HS appliances, and 28600 HS appliances (clean install only, no upgrade path).

Linux Kernel 3.10


■ Improved firewall resiliency

■ New kernel capabilities:

● Upgraded Linux kernel 3.10

● New partitioning system (gpt):

○ Supports more than 2TB physical/logical drives

● Faster file system (xfs)

● Supports larger system storage (up to 48TB tested)

● I/O related performance improvements

● Multi-Queue (refer to sk153373):

○ Full Gaia Clish support for Multi-Queue commands

○ Automatic "on by default" configuration

● SMB v2/v3 mount support in Mobile Access blade

● Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)

● Support of new system tools for debugging, monitoring, and configuring the system:

○ iotop (provides I/O runtime stats)

○ lshw (provides detailed information about all hardware)

○ lsusb (provides information about all devices connected to USB)

○ lsscsi (provides information about storage)

○ ps (new version, more counters)

○ psmisc (new version, more counters)

○ top (new version, more counters)

○ iostat (new version, more counters)

■ New glibc: glibc-2.17-157

■ New ethtool: ethtool-4.8-7

■ New Bash: bash-4.2.46-29

■ lbzip2 support (free, multi-threaded compression utility)

■ xz support

■ rsync support

Threat Prevention 


SandBlast Threat Extraction for web-downloaded documents

■ Simple to use, easily enabled for an existing Security Gateway, and does not require any changes to your configuration on the network or client side.

■ Extends Threat Extraction, Check Point's File Sanitization capabilities, to web-downloaded documents. Supported file types: Microsoft Word, Excel, PowerPoint, and PDF formats.

■ Threat Extraction prevents zero-day and known attacks by proactively removing active malware, embedded content, and other potentially malicious parts from a file. Promptly delivers sanitized content to users, maintaining business flow.

■ Allows access to the original file, if it is determined to be safe.

Endpoint Security Threat Extraction for web-downloaded documents

■ Endpoint and Network compatibility includes a new mechanism that inspects files just once, either by the Security Gateway or the Endpoint client.

Advanced Threat Prevention

■ Advanced forensics details for Threat Prevention logs.

■ Ability to import Cyber Intelligence Feeds to the Security Gateway using custom CSV and Structured Threat Information Expression (STIX).

■ FTP protocol inspection with Anti-Virus and SandBlast Threat Emulation.

■ Stability and performance improvements for SandBlast Threat Prevention components.

■ Consolidated Threat Prevention dashboard provides full threat visibility across networks, mobile devices, and endpoints.

Enhanced visibility to "Malware DNA" analysis

Improved understanding for security personnel of how malware analysis is performed and the reasons a file is flagged as malicious. The Threat Detail report now includes the Malware DNA – a deeper exploration into any features that are similar to those in known malware families. The enhanced analysis of similarities includes:

■ Behavior

■ Code structure

■ File similarities

■ Patterns of connection attempts to malicious websites and C&C servers.

Complete face-lift for the Threat Emulation Findings Summary Report

■ Redesigned Threat Emulation findings report for a more modern look.

■ The report also includes a dynamic map view of malware family appearances around the globe over time.

■ For more details, as well as information about availability, refer to sk120357.

Threat Prevention APIs enhancements

■ Added ability to send files via APIs to be scanned by Anti-Virus on local Check Point appliances. This capability is supported for both Security Gateways and dedicated Threat Emulation appliances.

■ For more information, refer to the Threat Prevention API Reference Guide.

New and Improved Machine-Learning Engines for Threat Emulation

■ Added new machine-learning engines focused on malware detection inside document files raising the catch rate to optimum.

Enhanced Control of Threat Emulation and MTA actions behavior in case of a failure

■ Added ability for administrators to granularly configure Threat Emulation policy for different behaviors for specific errors - the administrator can decide whether to allow a file transfer based on the error type.

■ When administrators configure the MTA gateway to block emails in case a scan fails (fail-block), they can now also granularly configure MTA to deliver emails to the users for specific failure types.

■ For more details and configuration instructions, refer to sk132492 and sk145552.

Enhanced Anti-Virus support

■ Anti-Virus protections are now applied by default on files received through the MTA gateway. These protections include signatures, hashes and link reputation checks for attachments, link reputation checks for the email body, and granular enforcement based on the file type.

Enhanced Import of additional IOCs

Security Gateways configured as MTA can now be enriched with custom Anti-Virus IOCs from external sources.

■ IOCs can be manually imported via the User Interface.

■ Links to external feeds for automatic ongoing IOC importing can be added via a configuration change.

■ For more information and setup instructions, refer to sk92264 and sk132193.

Enhanced management of the MTA

■ Failure to inspect the attachments or links inside an email is now immediately treated as a failure. Previously, this was treated by adding the email to the MTA queue and retrying the action. As the majority of inspection retries fail as well, this change reduces the size of the queue and improves MTA performance.

Security Gateway


SSL Inspection

Server Name Indications (SNI)

■ Improved TLS implementation for TLS Inspection and categorization

■ Next Generation Bypass - TLS inspection based on Verified Subject Name

TLS 1.2 support for additional cipher suites

■ X25519 Elliptic Curve

■ P-521 Elliptic Curve

■ Full ECDSA support

■ Improved fail open/close mechanism

■ Improved logging for validations

■ For the complete list of supported cipher suites, refer to sk104562


Important Notes:

Take  Appliances Package Comments
Take 47 6200, 6400, 6600, 6700, 6900, 7000, 16000, 16200, 16600, 26000, 28000, 28600 (ISO) Aligned to R80.30SP Jumbo Take 31
Take 210 See sk155832 R80.20SP JHF Take 210 (and higher)

Known Limitations

The following limitations are known in Check Point Maestro R80.30SP.

All previous limitations are relevant unless stated as resolved. Refer to sk148074: Check Point Maestro R80.20SP Known Limitations.


ID Symptoms
MBS-6968 When you configure an R80.30SP Security Gateway object in R80.x SmartConsole, in the "Version" field you must select "R80.30".
MBS-9698 The 'installer uninstall[TAB]' command in Gaia gClish on Security Group members might not show an installed Hotfix / Jumbo Hotfix Accumulator package.

As a workaround, run these commands in Gaia gClish:
  1. show installer packages
  2. installer uninstall <Full Name of Package>
MBS-7145 R80.30SP does not support the Dynamic CLI as described in sk144112.
MBS-7069 Remote authentication for Expert mode using RADIUS / TACACS+ servers (the Gaia gClish command set expert-authentication-method {<shared-password> / <user-password>}) is not supported.
Threat Extraction
MBS-9931 A Hotfix is required to enable the Threat Extraction Software Blade. Contact Check Point Support.
Threat Emulation
PMTR-41415 In ClusterXL Load Sharing mode:

1. Due to the nature of transferring files over multiple connections, the following protocol features might not be inspected properly:
  • HTTP 206 Partial Content
  • SMBv3 Multi-Channel
  • FTP REST command used over multiple connections
2. Protection based on threshold count (between connections) might not work properly:
  • Static protections
    • DNS tunnel
    • Sweep Scan protection 
    • VoIP SIP
    • MGCP protection may not work over NAT
  • Protections that contain cross-connection logic
MBS-9357 R80.30SP does not support these CPUSE commands in Gaia Clish or Gaia gClish:
  • installer uninstall VALUE completely
  • installer uninstall VALUE last-take
Note: The command installer uninstall VALUE removes only the Hotfix / Jumbo Hotfix Accumulator specified in the "VALUE" parameter.
MBS-7929 Central License is not supported on Maestro appliances.
MBS-8837 In the context of a Virtual System in Bridge Mode:
  • The output of the asg diag verify "ARP Consistency" command shows "Failed" in the "Result" column.
  • The output of the asg_arp command shows "No matches found".
MBS-9806 A Hotfix is required to support VSX Virtual Switches. Contact Check Point Support.
MBS-7913 Cluster Control Protocol (CCP) encryption is not supported.
MBS-7946 The Interface Active Check feature (setting the value of the kernel parameter fwha_enable_if_probing to 1) is not supported.
MBS-7914 Multiple Entry Points (MEP) configuration using Dead Peer Detection (DPD) is not supported.
MBS-9085 VPN is not supported in VSX mode if VPN traffic needs to pass through a VSX Virtual Switch.
MBS-8938 R80.30SP does not support L2TP traffic passing to Security Groups.
Mobile Access
MBS-8443 Configuring the IP address of the Security Group as the main URL of the Mobile Access Portal is not supported. This setting is in SmartConsole > R80.30SP Security Gateway object > Mobile Access > Portal Settings > Main URL.


User Guides
Check Point Maestro R80.30SP Release Notes
Check Point Maestro R80.30SP Getting Started Guide
Check Point Maestro R80.30SP Administration Guide
Check Point Maestro R80.30SP Gaia Administration Guide
Check Point Maestro R80.30SP Next Generation Security Gateway Guide
Check Point Maestro R80.30SP Performance Tuning Administration Guide
Check Point Maestro VSX R80.30SP Administration Guide
Related Solutions
sk165312: Maestro R80.30SP Jumbo Hotfix Accumulator

Revision History

Date Description
8 June 2020 GA Replacement
31 March 2020 GA Replacement
06 Oct 2019 First release of this document. 
