Introduction

The Quantum Cyber Security Platform R81.20 (Titan) Release  delivers significant innovations in Advanced Threat Prevention, Security Management, and Security Performance. In addition, Check Point has expanded on-premises and cloud network security through new and upcoming advanced cloud-based Check Point applications and services. By upgrading to R81.20, these new cloud-based applications offer powerful feature upgrades on Check Point Security Gateways, without requiring an upgrade to the next software release.
With R81.20, customers immediately benefit from a wide range of new security capabilities across four major categories:

Deep learning Threat Prevention

• AI Deep Learning prevents 5x more DNS attacks in real-time.
• Firewall-based, Zero-Day phishing prevention blocks 4x more Zero-Day phishing attacks (Check Point patented solution).

Quantum IoT Protect

• Discover IoT assets with Quantum Security Gateways.
• Autonomous Zero Trust Profiles allow only the necessary device communication and prevent threats that target IoT assets. This helps accelerate event correlation and Threat Hunting delivered through Check Point Detection & Response solutions.

• New Infinity Cloud Services page in SmartConsole - Quick and easy integration between your on-premises Security Management Server and Infinity Portal Applications. This includes the ability to share Quantum logs with Horizon Events for a unified view of logs across Quantum, CloudGuard, and Harmony products.
• Automated policy enforcement & updates using new Network Feed Objects. DevOps and other teams can manage their own access lists without requiring interaction from Security Admin groups.
• SmartWorkflow - streamlined policy change review, ensures accuracy of Security Policies through customizable built-in policy supervision workflows.

• Maestro Auto-Scaling provides dynamic performance scaling for mission critical apps and large workloads. Automatically shifts firewall resources in and out of Security Groups to support critical applications as throughput and compute requirements change.
• Maestro Fastforward provides a 100G cut-through mode for trusted connections - the highest throughput and lowest latency for specific applications.
• Quantum HyperFlow delivers 3x times higher throughput for elephant flows (very long, high-bandwidth intensive connections). Security Gateway automatically allocates more firewall CPU cores to process elephant flow connections upon detection

  What's New in R81.20

     Quantum Security Gateway and Gaia

Threat Prevention

• Zero Phishing prevents web browsing to Zero-Day phishing websites
  
  • Check Point Quantum Security Gateway enhances its web browsing protection to further prevent users from accessing phishing websites.
  • Powered by patented technologies and AI engines, the Security Gateway now uses Clientless In-Browser protection to prevent access to the most sophisticated phishing websites, both known and completely unknown (zero-day phishing websites).
  • The enhanced solution is available through the Security Gateway network flow, introducing dynamic security components that run within the browser with no need to install any client.
  • Delivered as part of your existing SandBlast (SNBT) license.
  • Works out of the box for Security Gateways with Autonomous Threat Prevention enabled.
• Up to 50% performance enhancement to IPS CIFS protections.
• IoC feeds now support a significantly greater number of observables for URLs, Domains, IP addresses, and Hashes - 2 million and more (only on the XFS file system), depending on the Security Gateway's hardware specifications.
  On the EXT3 file system, the IoC feed is limited to a maximum of 250,000 indicators, depending on the Security Gateway's hardware specifications.
  For more information about the file systems, see sk141432.
•  ICAP Server now supports secure ICAP communication over TLS.

IoT Protection

Instantly discover and protect your IoT assets with Quantum Security Gateways and Infinity to enforce automated Zero Trust policies:

• Discover IoT devices, routers, and switches connected to your network using your R81.20 Quantum Security Gateways.
• Assign automatically generated restrictive policies to IoT devices based on their Internet access requirement to allow only what is needed for the IoT devices to operate.

Note: IoT General Availability is planned to be part of the R81.20 Jumbo Hotfix Accumulator.

Maestro Hyperscale

• Maestro Auto-Scaling - Automatically assigns Security Appliances (scale units) to a Security Group when the configured conditions are met.
• Maestro Fastforward - Significantly improved throughput and latency for trusted connections. Maestro Fastforward offloads accept or drop policy rules to the Quantum Maestro Orchestrator for hardware acceleration and provides:
  • Sub-microseconds latency.
  • Port line-rate throughput for a single connection.
• Support for accelerated policy installation on Maestro Security Groups. See sk169096.
• Monitor utilization of NAT resources in CPView and with SNMP.
• Support gradual upgrade in the Multi-Version Cluster (MVC) mode.
• Scalable Platforms now support CoreXL Dynamic Balancing - Based on the current traffic load, the Security Group automatically changes the number of CoreXL SNDs, CoreXL Firewall instances, and the Multi-Queue configuration for zero traffic impact.
• Scalable Platforms now support Management Data Plane Separation (MDPS, sk138672).

VSX

• Configure DHCP Server on each Virtual System using Gaia Clish.

IPsec VPN

• Scalable VPN performance - 3 times faster to process simultaneous Remote Access and Site to Site VPN connections.
• Major performance and stability improvement for Remote Access VPN and Site to Site VPN that delivers a significantly greater capacity for VPN tunnels.
• Extended Security Gateway certificate validation capabilities for quicker authentication.
• Resilient VPN architecture - multi-process architecture to handle IKE negotiations in dedicated scalable daemons, providing unprecedented resiliency.

Clustering

• Added support for the "Same VMAC" feature. For more information, see the ClusterXL Administration Guide.

Access Control

• Dynamic Policy - Use a Network Feed object to customize a private web server feed definition for IP addresses or domains. The objects are automatically updated in Security Gateway without the need to install a policy. Updatable Objects uses the Network Feed to strengthen the dynamic configuration ability of the Access Control policy. See the Security Management Administration Guide.
• Performance improvements - Support for Updatable Objects, Domain objects, and Dynamic objects with the Optimized Drop feature (drop templates).

Advanced Routing

• Support for Intermediate System (IS-IS) routing protocol.
• Support for DHCP Relay Agent Information Option 82 to address several scaling and security issues that arise in public DHCP use.
• Support for OSPFv3 NSSA.
• Support for IPv6 Static MFC Cache to enable forwarding of multicast data without PIM configuration.
• Support for Routing Event Triggers to allow ClusterXL failover, and tearing down of BGP connections through monitored BGP and BFD sessions.
• Routing Protocol History for BFD to improve troubleshooting capabilities.
• NetFlow Live connections and Firewall rule ID UUID.

Gaia Operating System

• Configure a retention policy for Gaia scheduled backups and snapshots.
• Configure Gaia scheduled jobs to run hourly or at specified minute intervals.
• Configuring a logical next hop gateway in IPv6 static routes to send traffic through a specified interface.
• Configure the minimum number of required interface links for a bonding group in the 802.3AD mode.
• Use Gaia Clish commands to monitor NIC transceivers in appliance - module temperature, supply voltage, TX Bias voltage, Rx optical Power, and TX optical power.
• Automatic update to the NIC firmware during the ISO installation process for appliances that have 40GbE, 100/25GbE, and NVIDIA ConnectX 100G Cards.

CoreXL

• HyperFlow provides automatic system resource allocation by proper prioritization of tasks on highly utilized CPU cores and dynamically balances the tasks. Introducing seamless gateway tuning and optimization and improving single flow performance and spikes handling.
• In User Space Firewall (USFW), the number of IPv6 CoreXL Firewall instances is no longer limited, IPv6 Firewall instances can be increased up to the number of IPv4 Firewall instances.

Identity Awareness

• The Identity Awareness Gateway automatically identifies and excludes Service Account sessions acquired by the Identity Collector. For more details, see sk174266.
• Improved resiliency, scalability, and stability for PDPs and Identity Broker. Additional threads handle authentication and authorization flows.

Mobile Access

• OAuth 2.0 support for Capsule Workspace and Office 365.

Quantum Spark Centrally Managed

• Central Deployment - Use SmartConsole to upgrade Quantum Spark and Quantum Edge Appliances. See the Security Management Administration Guide.
• Quantum Spark Appliances now support Identity Collector.
• Use SmartUpdate and SmartProvisioning (LSM) to manage Quantum Spark appliances that run R81.10.
• Quantum Spark Appliances now support transit connections to an Active Directory server on an internal network (appliances work as an AD proxy).

     Quantum Security Management

Cloud Services Integration

• Integration between your on-premises Security Management Server and Infinity Portal:
  • Run cloud services that are managed in the Infinity Portal on your Security Management Server objects.
  • See a unified log view of all your Check Point products, on-premises and in cloud.
  • Run Management API calls securely on the on-premises Security Management Server from anywhere in the world through Infinity Portal.

See the Security Management Administration Guide.

SmartConsole

• SmartConsole can use SAML 2.0 to authenticate administrators with an Identity Provider. See the Administration Guide.

SmartWorkflow

• Send policy and configuration changes for a review and approval cycle by another administrator before applying the changes. See the Administration Guide.

SmartTasks

• New triggers - before and after working on a session that requires an approval, and for critical CloudGuard Controller events.
• New action - send an email with a detailed change report after publishing a session, after policy installation, and more.

See the Administration Guide.

Management REST API

Management API support for:

• Identity Awareness configuration on Security Gateways and Clusters.
• Configuration of HTTPS Inspection outbound certificate.
• Configuration of SmartLSM Gateways.
• Configuration of VPN settings on SmartLSM Gateways.

See the Check Point Management API Reference.

Upgrades

• Central Deployment of CPUSE packages in SmartConsole:
  
  • Gradually upgrade Quantum Cluster Members.
  • Upgrade Quantum Spark and Quantum Edge Appliances.
  See the Administration Guide.
• Pre-Upgrade Verifier results are now presented in the upgrade report.
• Simpler migration from a Standalone environment to a distributed environment located in Quantum Smart-1 Cloud or on-premises. See sk179444.
• Significant performance improvement of Multi-Domain Server upgrades by importing Domain Management Servers concurrently instead of sequentially.

     CloudGuard Network Security

• CloudGuard Controller support for:
  
  • Oracle Cloud Infrastructure (OCI). See the Administration Guide.
  • Nutanix. See the Administration Guide.
  • New Azure resources - Application Security Groups, Private Endpoints. See the Administration Guide.
  • New AWS resources - Load Balancer tags. See the Administration Guide.
  • SmartTasks for CloudGuard Controller critical events. See the Administration Guide.
• Nutanix Flow support for CloudGuard Network Security Gateways.
• Amazon Web Services (AWS):
  • Cross Availability Zones Cluster (Geo Cluster).
  • Use of the Generic Network Virtualization Encapsulation (Geneve) network encapsulation protocol for Gateway Load Balancer (GWLB).

     Harmony Endpoint

Endpoint Policy Management

• Use Single Sign-On to connect to the Endpoint Web Management Console.

Harmony Endpoint Web UI

• IoC Management - Users can now add Indicators of Compromise to their Endpoint Policy Management.
• Connection Awareness - Allows administrators to configure their own entity to determine the connectivity of the clients, and change a device's policy type from "Connected" to "Disconnected", and vice-versa accordingly.

Remote Access VPN

• Exclude SaaS applications (such as Office 365) from the Remote Access VPN tunnel.
• Use SAML 2.0 to authenticate Remote Access VPN users with an Identity Provider.

  Documentation

Release Notes

Administration Guides

Resolved Issues

Known Limitations

  Downloads and Installation

    Upgrading Quantum Security Management

Prerequisites:

1. Take a full backup and Gaia Snapshot of the current Check Point computer.
2. Use the Upgrade/Download Wizard to download the applicable upgrade images.

If your servers are connected to the Internet

1. Connect to Gaia Portal.
2. From the left navigation tree, click Upgrades (CPUSE) > Status and Actions.
3. In the Major Versions section, right-click the Gaia Fast Deployment (Blink) package* and click Verify.
4. Right-click the Gaia Fast Deployment (Blink) package and click Upgrade.

If your servers are not connected to the Internet

1. Download and install the latest Upgrade Tools package and Gaia Deployment Agent (CPUSE).
2. Download the Gaia Fast Deployment (Blink) package.

   

3. Connect to Gaia Portal.
4. From the left navigation tree, click Upgrades (CPUSE) > Status and Actions. 
5. Import the Gaia Fast Deployment (Blink) package*.
6. In the Major Versions section, right-click the Gaia Fast Deployment (Blink) package and click Verify.
7. Right-click the Gaia Fast Deployment (Blink) package and click Upgrade.

For more information and other upgrade options, see R81.20 Installation and Upgrade Guide.

    Upgrading Multi-Domain Security Management

Prerequisites:

1. Take a full backup and Gaia Snapshot of the current Check Point computer.
2. Use the Upgrade/Download Wizard to download the applicable upgrade images.

Important: Gaia Fast Deployment (Blink) does not support the Multi-Domain Server upgrade. For more information and other upgrade options, see R81.20 Installation and Upgrade Guide > Chapter "Upgrade of Multi-Domain Servers and Multi-Domain Log Servers".

    Upgrading Quantum Security Gateway

Prerequisites:

1. Schedule a full maintenance window to make sure you can make all the custom configurations again after the upgrade.
2. Take a full backup and Gaia Snapshot of the current Check Point computer.
3. Use the Upgrade/Download Wizard to download the applicable upgrade images.
4. Upgrade all Management Servers and Log Servers in your environment.

Best Practice

Use the Central Deployment in SmartConsole to upgrade one or more Security gateways.
For more information, see the R81.20 Security Management Administration Guide - Chapter "Managing Gateways" > Section "Central Deployment of Hotfixes and Version Upgrades".

If your servers are connected to the Internet

1. Connect to Gaia Portal.
2. From the left navigation tree, click Upgrades (CPUSE) > Status and Actions.
3. In the Major Versions section, right-click the Gaia Fast Deployment (Blink) package* and click Verify.
4. Right-click the Gaia Fast Deployment (Blink) package and click Upgrade.

* Gaia Fast Deployment (Blink) does not support the VSX upgrade.

If your servers are not connected to the Internet

1. Download and import the Gaia Fast Deployment (Blink) package* into the SmartConsole package repository.

   

   * Gaia Fast Deployment (Blink) does not support the VSX upgrade.

2. Click the target Security Gateway and click Upgrade.

For more information and other upgrade options, see R81.20 Installation and Upgrade Guide.

    Clean Install

Prerequisite: Use the Upgrade/Download Wizard to download the applicable installation images.

Using Gaia Fast Deployment

For Security Gateway, Security Management, or Multi-Domain Management Server, download and import the Gaia Fast Deployment (Blink) package into Gaia WebUI.

   

Using Bootable USB device

1. Download the Gaia Operating System Clean Install ISO file:

   

2. See sk65205 to create a bootable USB device.

3. Run the Gaia First Time Configuration Wizard.

For more information, see the R81.20 Installation and Upgrade Guide.

    SmartConsole

1. Download the SmartConsole installation file:

   

2. Transfer the SmartConsole installation file to a Windows-based computer you wish to use as a SmartConsole Client.

3. Run the SmartConsole installation file with Administrator privileges.

4. Follow the on-screen instructions.

For Web SmartConsole, see sk170314

    Quantum Maestro and Scalable Chassis (Scalable Platforms)

Gaia Deployment Agent (CPUSE) Upgrade

• Download and import this Upgrade package:

  

  For more information, see Quantum Maestro R81.20 Administration Guide.
  
  

Clean install

• Download and import this Installation package:

  

  For more information, see the Quantum Maestro Getting Started Guide or Quantum Scalable Chassis Administration Guide.
  Also see sk177624 - Check Point R81.20 for Scalable Platforms.

---

  Released Hotfixes

  Additional Downloads and Products

Product	Download
Quantum Security Gateway / Security Management / Multi-Domain Security Management	Clean Install and Upgrade Image (TGZ)
SmartConsole	Portable SmartConsole (sk116158)  Web SmartConsole (sk170314)
Gaia Fast Deployment (Blink)	See sk120193
ISOMorphic Tool	For Gaia, SecurePlatform and Linux, see sk65205
DLP Exchange Server	For Windows (TGZ)

Release map | Upgrade and Backward Compatibility maps |  Releases Terminology

  Revision History