Check Point R81
Welcome to Check Point’s Cyber Security Platform. R81 is the industry’s most advanced Threat Prevention and security management software that delivers uncompromising simplicity and consolidation across the enterprise. Whether you are deploying the latest technologies and security to protect the organization or expertly crafting security policies, R81’s new features include Infinity Threat Prevention, the industry’s first autonomous Threat Prevention system that provides fast, self-driven policy creation and one-click security profiles keeping policies always up to date. Policies are installed in seconds, upgrades require only one click, and gateways can be simultaneously upgraded in minutes. R81 further features secure connectivity for encrypted traffic utilizing the latest standards, including TLS 1.3 and HTTP/2. In addition, the Scalable Platform software is now aligned with the R81 Cyber Security Platform, bringing feature parity to Check Point Maestro.
Scalable Platforms is now streamlined and part of R81 General Availability, aligning Jumbo Hotfix accumulators to deliver the latest enhancements and bug fixes and support most of the new features introduced in R81. See sk169954 for more information.
HTTPS Inspection supports the FutureX Hardware Security Module (HSM) by storing outbound HTTPS Inspection cryptographic keys and certificates on the HSM server.
Implementation of TLS 1.3 for SSL inspection.
TLS 1.3 is off by default and is only applicable when User Space Firewall (USFW) is active.
Hardware Security Module (HSM) is not supported with TLS 1.3.
Generic Data Center - Use Generic Data Center Objects in the Source and Destination columns of Access Control, NAT, Threat Prevention and HTTPS Inspection rules to enforce access to or from IP addresses defined on external web servers. IP addresses defined in the object are automatically updated without the need for policy installation.
Support an unlimited number of languages in UserCheck objects.
Accelerated Policy Installation - A new Access Control policy installation flow that optimizes common use-cases and drastically speeds up the installation. The Policy installation is accelerated based on the changes made to the Access Control policy since the last installation. To learn more about Accelerated Policy Installation refer to the R81 Security Management Administration Guide.
Concurrent Security Policy installation - One or more administrators can run multiple installation tasks of different policies on multiple gateways at the same time.
NAT Rule Base
Support for Domain objects, Updatable objects, Security Zones, Access Roles and Data Center objects.
Hit count for NAT rules.
Azure Active Directory support for Identity Awareness - Use the Identity Awareness Access role picker to authenticate and authorize Azure AD users and groups.
Identity Awareness nested groups - Discovers all the groups a user belongs to from the branch specified in the LDAP account unit in one query.
Security ID (SID) support for Identity Awareness - Move users and groups to different LDAP Organizational Units without the need to modify the Access Role Policy.
Ability to configure multiple ciphers for external Gateways in a single VPN community. Use granular encryption methods between two specific VPN peers.
Support for SHA-512 encryption method.
A fresh and modern user interface with improved user experience:
Redesigned scan results
Discontinued the SNX connection pop-up
Greater accessibility for non-English speakers
Launch all applications in separate tabs without losing the main page window
One click sign-out
Simplified customization to easily apply a brand identity
Full support for mainstream browsers that run on all major platforms
Clientless RDP and SSH access through Mobile Access Blade's browser portal using Apache's Guacamole™ software suite
Support for custom AD attributes to allow mapping of end-users to their office desktops for personalized portal link display and Access Control
Geo-Cluster in HA mode for cloud environments - Supports the configuration of the cluster Sync interface on different subnets while allowing L3 communication between the members on the sync interface. L2 connectivity and a trusted network between the cluster members (although still available) are no longer mandatory.
Configure Virtual Router in VSX VSLS mode.
Configure Multi-Bridge in VSX VSLS mode.
Configure bridge interfaces on a standard Virtual System in VSX.
Use Threat Emulation and Identity Awareness Software Blades on Virtual Systems in Bridge mode.
Configure VSX Gateway and VSX Cluster objects using Management REST APIs.
Configure Dynamic Routing VPN through Virtual Tunnel Interface (VTI) in VSX mode.
Independent QoS, DNS and Proxy server configuration per Virtual System.
VSX_util tool to downgrade VSX management objects to earlier versions.
Enhanced Multi-Queue distribution of IPsec VPN traffic.
Remote Access VPN
Significant performance improvements for Remote Access VPN clients in Visitor Mode.
Support for strongSwan IPsec clients on different Linux distributions.
Scheduled Gaia Snapshots - Use Gaia Scheduled Snapshot to automatically back up and export configuration settings.
Added support for:
The Google Compute Engine virtual Network Interface (gVNIC).
Additional tunneling protocols:
Virtual Extensible LAN (VXLAN).
Generic Routing Encapsulation (GRE).
Link Layer Discovery Protocol (LLDP) configuration through CLISH and the Gaia Portal.
IP conflict detection - Monitor and detect duplicate IP addresses located in the network.
Multi-Queue for Management and Sync interfaces.
Gaia REST API
API to set your device as a Gateway/Management/Multi-Domain/Log Server in the First Time Configuration Wizard.
Control IPv6 status.
Enhancements for additional Dynamic Routing features
OSPFv3 AH authentication for OSPFv3 protocol security.
IPv6 route aggregation - Reduces the number of prefixes advertised to neighbor routers to improve performance and scaling.
IPv4/IPv6 NAT-pool routes - Configure and redistribute NAT-pool routes to routing protocols.
Data Center Query Objects - Use Data Center Objects to represent multiple Data Centers in the Security Policy when you build queries. This provides easier and more efficient division of the responsibilities to manage Data Centers.
New Data Centers support:
Kubernetes Data Center - Added CloudGuard Controller support for Kubernetes Clusters. Administrators can now create a Kubernetes-aware security policy for Kubernetes North-South traffic.
VMware vCenter version 7.
CloudGuard Controller can use the system proxy for connections to all Data Centers.
A new object category in SmartConsole's object explorer called "Cloud" aggregates all Data Centers, Data Center objects and Data Center queries into one.
CloudGuard Data Centers
Integration of CloudGuard IaaS for East-West deployments using VMware NSX-T.
Upgrade Security Gateways and Clusters between major versions
Upgrade VSX Gateways and VSX Clusters
Install offline packages - The Security Gateway does not need to be connected to the internet to import the installation packages to the Security Management Server and distribute them to targets.
Cross-Domain Management Server Search to search for objects across multiple Domain Management Server databases.
High Availability for Domain Management Server with the Security Management Server. A Security Management Server can operate as a standby or an active Security Management in a Management High Availability setup.
Configure a dedicated Log Server and a dedicated SmartEvent server for an individual Domain in a Multi-Domain environment.
Management REST API
General performance improvement to Management REST API.
API throttling for login commands, to prevent load on the Security Management Server.
New API commands for: User Management, Identity Tags, Multi-Domain Server, High Availability, Automatic Purge and much more. Visit the Check Point API reference for more information.
Use the Security Management Server to run REST API commands on a gateway.
Support for multiple TACACS servers to utilize redundancy when administrators authenticate to SmartConsole.
Changes Report - Generate a report that lists the changes between two revisions or lists the changes performed during a private session.
Administrators can now view, add and delete licenses through SmartConsole.
Support for CloudGuard Edge configuration in SmartConsole.
A new MITRE ATT&CK view to investigate security issues according to the MITRE defense models, and extract immediate action items based on the mitigation flow.
Management Server Upgrade
Significant performance improvement in the upgrade process for Security Management Servers when upgrading from R80.20 and higher to R81.
Logging and Monitoring
New API for log queries to fetch logs through API. Use a single API management command to query for logs or statistics.
Significant improvement in log indexing, queries and SmartEvent views and reports.
Export logs with a timestamp of milliseconds, to construct a chain of events more easily and efficiently.
Log attachment API to automatically fetch log attachments with Log Exporter, or API for logs.
SandBlast Agent Web Management - A new Web-based management interface for Endpoint Threat Prevention components. Note: For the best user experience it is recommended to use SandBlast Agent Web Management with Google Chrome.
Communication with management services remains on port 443 instead of port 4434 when the Endpoint Management component is activated.
Anti-Malware support for shared signature locations to support non-persistent VDI environments.
Manage URL Filtering capabilities of SandBlast Agent Browser Extension.
Application Control policy changes - Support multiple versions per product, terminate application and block WSL (Windows Subsystem for Linux).
New set of Developer Protections for developers' computers.
Compliance integration with Windows Server Update Services (WSUS).
TACACS authentication for Web Remote Help (WebRH).
Media Encryption & Port Protection - Import device overrides from a file.