博威---云架构决胜云计算

 找回密码
 注册

QQ登录

只需一步,快速开始

搜索
查看: 563|回复: 4

Check Point Quantum R82 Release

[复制链接]
发表于 2024-11-5 10:42:03 | 显示全部楼层 |阅读模式
Check Point Quantum R82 Release[color=rgba(0, 0, 0, 0.87)][color=var(--color-text-light)]Product[color=var(--color-text-dark)]CloudGuard Network, Multi-Domain Security Management, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, Quantum Security Management, SmartConsole
[color=var(--color-text-light)]Version[color=var(--color-text-dark)]R82
[color=var(--color-text-light)]Last Modified[color=var(--color-text-dark)]2024-10-29

[color=rgba(0, 0, 0, 0.87)]Solution
[size=1em]Click Here to Show the Entire Article


Check Point Recommended version for all deployments is [color=var(--color-sk-page-link) !important]R81.20 with its Recommended [color=var(--color-sk-page-link) !important]Jumbo Hotfix Accumulator Take.
For more info about all Check Point releases, refer to [color=var(--color-sk-page-link) !important]Release map and [color=var(--color-sk-page-link) !important]Release Terminology articles.

[size=1.1em]Introduction  |  What's New  |  Documentation  |  Downloads and Installation  |  Additional Downloads and Products  |  Revision History




  Introduction
R82 is Check Point's major software release for Quantum products and CloudGuard Network Security. It introduces 50 innovative capabilities to strengthen threat prevention, greatly streamline operations and provisioning, and troubleshoot network connections with integrated diagnostics tools.

This release provides access to new AI-powered threat prevention engines that strengthen defense against zero-day phishing, brand spoofing, malware, and more. R82 also adds DNS protection against NXNS, offers DNS configuration granularity, and supports DNS-over-HTTPS Inspection.

Check Point offers the industry's first complete protection for HTTP/3 over QUIC. R82 also enables effortless and automated HTTPS Inspection deployment with granular controls and exceptional performance.

Check Point's VSX has a new versatile mode (VSNext) that unifies management features and APIs across Virtual Systems and physical Security Gateways. Furthermore, cluster management is greatly simplified with a new page in Gaia Portal and a new mode (ElasticXL) that enables Security Gateway clustering without the need for physical Orchestrators.

In addition, R82 introduces a new version of Check Point's operating system with superior networking and routing capabilities. For automation, users and DevOps teams can now execute API calls directly to security gateways through a new dynamic policy layer. For future-proofing, R82 enables NIST-approved Kyber (ML-KEM) encryption to protect today’s VPN traffic against future quantum computing-based hacking.

These are just some of the powerful new capabilities in R82.
  What's New in R82
[color=var(--color-sk-page-link) !important][size=1.3em][url=]    Threat Prevention[/url]
AI-based prevention engines
Check Point's new AI security engines represent a shift in how we utilize data, transitioning from mostly a single indicator perspective to a multi-dimensional approach.
  • [color=var(--color-sk-page-link) !important]ThreatCloud Graph - Leverages ThreatCloud AI knowledge base to form relationship graph, identifying attacks patterns to prevent zero-day threats.
  • Kronos - Inspects behavior over time with AI and signal processing algorithms to detect malicious activity, preventing zero-day C2, phishing campaigns and other threats.
  • [color=var(--color-sk-page-link) !important]Deep Brand Clustering - Prevents zero-day brand phishing campaigns with a patent-pending unsupervised deep learning engine. This engine cluster websites into local and global brands and determine whether it’s an attack.
  • Dynamic classification of uncategorized websites - An AI-based engine for dynamic classification of websites, accurately categorizing URLs to block previously uncategorized dangerous or inappropriate websites.
Improved DNS Security Capabilities
This release provides new and enhanced DNS security capabilities with the addition of:
  • Advanced DNS protection against Non-Existent Domain (NXNS) Attack.
  • Support for DNS over HTTPS (DoH) protocol.
  • [color=var(--color-sk-page-link) !important]Configuration Granularity - Advanced DNS Security settings in the Threat Prevention profile.
  • Detailed DNS Security statistics - Now available in the SmartView Dashboard.
Automatic Security Services Configuration
Zero Phishing, Anti-Virus, Anti-Bot and IPS Software Blades are now more accessible, providing a simpler and easier user experience.
  • Zero Phishing Software Blade - Introducing a new [color=var(--color-sk-page-link) !important]Automatic mode that significantly simplifies the configuration process, providing a seamless experience. With the Automatic mode, the Software Blade configuration is now effortless: simply enable the Software Blade and you are ready to go.
  • The Anti-Virus and Anti-Bot Software Blades are now [color=var(--color-sk-page-link) !important]activated by default in newly created Security Gateway and Cluster objects. See sk182106.
  • It is now possible to [color=var(--color-sk-page-link) !important]automatically load and update SNORT rules file as Custom Intelligence Feed and enforce them as new IPS protections.
Web Security
  • Added support of HTTP/3 protocol over QUIC transport (UDP) for Network Security, Threat Prevention, and Sandboxing.
HTTPS Inspection
This release [color=var(--color-sk-page-link) !important]sets a new standard with breakthrough performance, unmatched simplicity, and effortless deployment of HTTPS Inspection. Now, you can significantly increase your security without sacrificing speed or user experience. Embrace cutting-edge technology that transforms HTTPS Inspection into a seamless, innovative solution, ensuring your systems stay secure and your users stay satisfied.
  • Enhanced HTTPS Inspection UI - HTTPS Inspection is fully managed in SmartConsole.
    • Enhanced HTTPS Inspection policy - A dedicated policy for inbound inspection, including certificate management views for both inbound and outbound policies and enhanced default outbound policy.
    • Trusted CA package - A new view to manage Trusted certificates and see the status of the trusted CA package.
    • HTTPS Advanced settings - A new view to configure advanced settings, including R82 new features.
  • Client Side Fail mode - This new feature automatically detects failures in inspected HTTPS connections caused by client-side issues, such as certificate-pinned applications. When a failure is detected, the connection is flagged to be bypassed in future attempts, and Artificial intelligence (AI) learns from these failures to identify similar connections.
    • Endpoint Detection - Identifies endpoints without deployed outbound CA certificate.
  • Learning mode:
    • Gradual & Smart deployment - Activated during the deployment of HTTPS Inspection, inspecting a minor percentage of traffic over two weeks.
    • Network Learning - Gathers insights into network behavior and detects potential connectivity issues for Artificial intelligence consideration.
    • Performance Prediction - Estimates the impact on performance when HTTPS Inspection is fully implemented.
  • Bypass Under Load - Bypasses HTTPS connections when the Security Gateway experiences high CPU load.
  • HTTPS Inspection monitoring - Introducing the HTTPS Inspection statistics view in SmartView, including bypass/inspect statistics.



[color=var(--color-sk-page-link) !important][size=1.3em][url=]    Quantum Security Gateway[/url]
New Clustering Technology
  • [color=var(--color-sk-page-link) !important]ElasticXL - a new clustering technology delivering simplified operations with a Single Management Object and automatic sync of configuration and software between all cluster members.
Dynamic Policy Layer
  • [color=var(--color-sk-page-link) !important]Fully automated, API-controlled policy layer that allows dynamic policy changes to be implemented directly on the Security Gateway in seconds without involving Security Management or installing Security Policy.
Identity AwarenessIPsec VPN
  • Added support for ML-KEM (Kyber768) as required by the FIPS 203 standard to address [color=var(--color-sk-page-link) !important]Post-Quantum Cryptography (PQC).
  • [color=var(--color-sk-page-link) !important]Automatically detect configuration changes in AWS, Azure, and GCP public clouds and adjust the VPN settings ensuring connection stability.
  • Introducing the [color=var(--color-sk-page-link) !important]Advanced VPN Monitoring tool that shows information on each VPN Tunnel and tracks its health and performance.
  • [color=var(--color-sk-page-link) !important]Enhanced Link Selection:
    • Interoperability:
      • Uses public IP addresses as tunnel identifiers to establish separate tunnels for each link.
      • Uses Dead Peer Detection (DPD) as the link probing protocol instead of the proprietary "Reliable Data Protocol" (RDP).
    • Redundancy:
      • Allows redundancy of VPN tunnels including third-party and native cloud VPN peers.
    • Granularity:
      • Ability to configure the Security Gateway to use different VPN interfaces in different VPN communities.


Remote Access VPN
  • Security Gateway now [color=var(--color-sk-page-link) !important]supports the IKEv2 protocol for connections from Remote Access VPN Clients (E88.40 and higher).
Mobile Access
  • Mobile Access Policy and Capsule Workspace configurations are [color=var(--color-sk-page-link) !important]now available in SmartConsole.
  • [color=var(--color-sk-page-link) !important]SAML authentication support for Mobile Access clients that allows seamless integration with third-party Identity Providers.
  • New Management API calls for Capsule Workspace configuration. See the [color=var(--color-sk-page-link) !important]Check Point Management API Reference > section "Mobile Access".
Dynamic Routing
Added support for new Dynamic Routing capabilities:
  • BGP Extended Communities (RFC 4360).
  • BGP Conditional Route Advertisement and Injection.
  • Routing Table Monitor for Event Triggers.
  • IPv4 and IPv6 Router Discovery on cluster members.
  • Router Preference and Route Information option.
  • Route age information.
  • IPv4 PIM-SSM with non-default prefixes.
  • IPv4 PIM with BFD.
  • IPv4 PIM neighbor filtering.
  • IPv4 PIM RPT to SPT switchover control.
  • IPv6 Protocol Independent Multicast (PIM) and Multicast Listener Discovery (MLD).
Added support for new Dynamic Routing API calls:
  • REST API calls for BGP, PIM, Multicast Listener Discovery (MLD).
  • REST API calls for Route Redistribution, Inbound Route Filters, and NAT Pools.
  • REST API calls for IGMP.
Also see the [color=var(--color-sk-page-link) !important]Check Point Gaia API Reference v1.8 (and higher) > section "Networking".
Performance and Infrastructure
  • [color=var(--color-sk-page-link) !important]HyperFlow acceleration of elephant flows for the SMB/CIFS protocol.
  • HyperFlow acceleration of elephant flows for the QUIC protocol.
  • Quantum Security Gateway log rate output capacity increased by up to 100% through a new multi-process architecture.
Quantum Maestro, Scalable Chassis, and ElasticXL
This release features improvements in managing and monitoring Scalable Platform clusters, which include:
  • Support for REST API:
    • New API calls on Quantum Maestro Orchestrator to configure and monitor Maestro Security Groups, Gateways, Sites, and Ports.
      See the complete list of available API calls in the [color=var(--color-sk-page-link) !important]Check Point Gaia API Reference v1.8 and higher > section "Maestro".
    • Support for Gaia REST APIs on Scalable Platform Members.
  • Support for Gaia [color=var(--color-sk-page-link) !important]First Time Configuration Wizard on Quantum Maestro Orchestrators with ability to configure the Maestro Site settings.
  • Support for authentication to [color=var(--color-sk-page-link) !important]secure the synchronization connections between Quantum Maestro Orchestrators.
  • Support for [color=var(--color-sk-page-link) !important]SNMP Queries on each Scalable Platform Member.
  • Support for [color=var(--color-sk-page-link) !important]LLDP on Uplink, Sync, and Management ports of Quantum Maestro Orchestrators.
  • New page [color=var(--color-sk-page-link) !important]"Ports" in Gaia Portal on Quantum Maestro Orchestrator. This page shows a summary and interactive view of port configuration, runs diagnostics on ports, and blinks a port LED for identification.
  • New page "Cluster Management" in Gaia Portal on ElasticXL / Security Group. This page shows the state and performance of Scalable Platform Members.
  • [color=var(--color-sk-page-link) !important]"insights" - New CLI tool to monitor the entire Scalable Platform cluster in both Expert mode and Gaia gClish.
  • New Gaia gClish commands "show cluster" and "set cluster".
  • Improved boot time and decreased number of reboots of Scalable Platform Members when there is a change in the Gaia OS configuration in a Scalable Platform.
  • Improved upgrade simplicity:
    • This release introduces automatic updates for the CPUSE Deployment Agent on Scalable Platforms. Manual deployment is no longer required.
    • Upgrade to R82 and higher no longer requires the sp_upgrade script and can be easily monitored with Scalable Platforms monitoring tools.
  • Additional snapshot mechanism to take small Gaia OS snapshots (lightshots).
VSX
Check Point VSX is enhanced with a new mode ([color=var(--color-sk-page-link) !important]VSNext), allowing simpler configuration, easier provisioning, and a similar experience to a physical Security Gateway.

The benefits of the new VSX mode are:
  • Unified management experience between Check Point physical Security Gateways and Virtual Gateways, including the capability to manage each Virtual Gateway from a different Management Server.
  • Improves VSX provisioning performance and provisioning experience - creating, modifying, and deleting Virtual Gateways and Virtual Switches in Gaia Portal, Gaia Clish, or with Gaia REST API.
  • Management feature and API parity between Virtual Gateways (VGW) and physical Security Gateways.
  • Managing different Virtual Gateways with different Security Management Servers, in addition to different Domain Management Servers on the same Multi-Domain Security Management Server
Tools and Utilities
  • New tool [color=var(--color-sk-page-link) !important]"connview" - a new consolidated troubleshooting tool for viewing connections information on the Security Gateway that works in the User Space Firewall (USFW).
  • New tool [color=var(--color-sk-page-link) !important]"up_execute" that performs virtual Access Control / NAT Rule Base execution. Given inputs based on logs or connections, the execution provides detailed information such as matched rules and classification information.



[color=var(--color-sk-page-link) !important][size=1.3em][url=]    Gaia Operating System[/url]
Note - This section applies to Security Gateways, Management Servers, and Log Servers.
This release boosts Gaia OS with a new OS kernel and multiple new configuration options for better security, enhanced networking and a simpler experience.

The new capabilities are:
  • Enhance Gaia OS with:
    • Support for [color=var(--color-sk-page-link) !important]Link Layer Discovery Protocol (LLDP) in the VSX mode.
    • DHCPv6 server, DHCPv6 client, and DHCPv6 client for prefix-delegation in [color=var(--color-sk-page-link) !important]Gaia Portal and [color=var(--color-sk-page-link) !important]Gaia Clish.
    • [color=var(--color-sk-page-link) !important]Ability to configure the order of the "AAA" authentication (TACACS, RADIUS, Local authentication) in Gaia Portal and Gaia Clish.
    • [color=var(--color-sk-page-link) !important]DNS Proxy forwarding domains, which allows configuring specific DNS servers per DNS suffix.
  • New Gaia OS configuration items:
    • [color=var(--color-sk-page-link) !important]Two-Factor Authentication for Gaia OS login using time-based authenticator apps (Google Authenticator and Microsoft Authenticator).
    • NTP pools and a larger number of NTP servers in [color=var(--color-sk-page-link) !important]Gaia Portal and [color=var(--color-sk-page-link) !important]Gaia Clish.
    • [color=var(--color-sk-page-link) !important]NFSv4 configuration.
    • [color=var(--color-sk-page-link) !important]Keyboard layout.
    • TLS configuration for a remote Syslog server in [color=var(--color-sk-page-link) !important]Gaia Portal and [color=var(--color-sk-page-link) !important]Gaia Clish.
  • Support for storing a [color=var(--color-sk-page-link) !important]Gaia OS backup in Amazon S3 and Microsoft Azure and restoring it from there.



[color=var(--color-sk-page-link) !important][size=1.3em][url=]    Quantum Security Management[/url]
Security Management Server Enhancements
  • The LDAP Account Unit object [color=var(--color-sk-page-link) !important]now uses the LDAP server name and CA certificate for LDAP trust. The trust is automatically renewed if an administrator renews or replaces the LDAP server certificate. As a result, Check Point servers keep their connectivity to the LDAP server.
  • Support for Management API to run the "vsx_provisioning_tool" operations to configure VSX Gateway and VSX Cluster objects. See the[color=var(--color-sk-page-link) !important]Check Point Management API Reference> section "VSX" > command "vsx-provisioning-tool".
  • Support for Management API to configure the "Data Type" objects for the Data Loss Prevention and Content Awareness Software Blades. See the [color=var(--color-sk-page-link) !important]Check Point Management API Reference> section "Data Types".
  • Security Gateways [color=var(--color-sk-page-link) !important]can now be managed by a Security Management Server hosted behind a public cloud or third-party NAT device.
  • Support to manage up to 500 Security Gateways / Cluster Members, allowing concurrent policy installation on all managed Security Gateways / Cluster Members.
  • Support for SAML login in SmartConsole when Gaia Portal on the Management Server runs on a different port than the default port 443. See [color=var(--color-sk-page-link) !important]sk182032.
  • Ability to verify an Access Control policy that contains unpublished changes.
  • The "Access Rule Name" and "Access Rule Number" fields will now prioritize information from administrator-defined rules [color=var(--color-sk-page-link) !important]by excluding Accept rules from the pre-defined Playblocks and IoT Access Policy layers.
SmartConsole
  • Added the ability for the system account to install SmartConsole.
  • Enhancements in the SmartConsole > "Gateways & Servers" view:
    • You can now [color=var(--color-sk-page-link) !important]see and manage the Recommended Jumbo Hotfix Accumulators and Recommended Software Updates for Security Gateway / Cluster objects and Check Point Host objects.
    • [color=var(--color-sk-page-link) !important]HealthCheck Point (HCP) tests are now integrated. You can see them as part of the Security Gateway's status. The feature is disabled by default.

Web SmartConsole
  • These new [color=var(--color-sk-page-link) !important]Web SmartConsole capabilities are available for this release:
    • Threat Prevention Rule Base
    • HTTPS Inspection Rule Base
    • NAT Rule Base
    • Rule Base search

Central Deployment of Hotfixes and Version Upgrades in SmartConsole
Central Software Deployment through SmartConsole was enhanced and now supports:
SmartProvisioning
  • Star VPN Community now supports Quantum Maestro Security Groups, VSX Gateways, and VSX Clusters as Center Gateways (Corporate Office Gateway).
Multi-Domain Security Management Server
  • Ability to clone an existing Domain on the same Multi-Domain Security Management Server. See [color=var(--color-sk-page-link) !important]sk180631.
  • Improved upgrade time of large Multi-Domain Security Management Server environments by up to 50%.
  • [color=var(--color-sk-page-link) !important]New support for IPv6 configuration (only with Management API "set mds") on a Multi-Domain Security Management Server that allows Domains to communicate with the managed Security Gateways over IPv6.
  • Automatic refresh of modified Global objects in SmartConsole that is connected to a non-Global Domain when a superuser assigns a Global Policy to a Domain Management Server. See [color=var(--color-sk-page-link) !important]sk182307.
  • Ability to select the Access Control, Threat Prevention, or both policies in a Policy Preset object.
Compliance
  • Added Gaia OS Best Practice support for Quantum Maestro - presenting a consolidated Best Practices status for each Security Group Member and Orchestrators.
  • Added Gaia OS Best Practice support for Quantum Spark Appliances (only for applicable Gaia OS Best Practices).
  • Added Gaia OS Best Practice support for Log Servers.
  • Added new regulations:
    • Center for Internet Security Benchmarks
    • Cyber Essentials v3.1
    • Cybersecurity Maturity Model Certification
    • Essential Eight & Strategies to Mitigate Cyber Security Incidents
    • IEC 62443-2-1 201
    • ISO 27001:2022
    • Israeli Cyber Defense Methodology 2.0
    • Network and Information Systems Directive 2
    • PCI DSS 4.0
    • TISAX 5.1




[color=var(--color-sk-page-link) !important][size=1.3em][url=]    CloudGuard Network Security[/url]
CloudGuard Controller
  • CloudGuard Controller [color=var(--color-sk-page-link) !important]now supports Identity Awareness PDP (Identity Sharing).
  • CloudGuard Controller [color=var(--color-sk-page-link) !important]now supports VMware NSX-T Global Manager to allow
    integration with VMware NSX-T v4.1.
  • CloudGuard Controller for VMware NSX-T now uses Policy Mode APIs to import objects from an NSX-T Manager.
  • Multi-Domain Security Management Server [color=var(--color-sk-page-link) !important]now supports Data Center objects and Data Center Query objects in the Global Policy.







 楼主| 发表于 2024-11-5 10:50:23 | 显示全部楼层
Check Point Quantum R82 版本
产品
CloudGuard 网络、多域安全管理、Quantum Maestro、Quantum 可扩展机箱、Quantum 安全网关、Quantum 安全管理、SmartConsole
版本
R82
上次修改
2024-10-29
解决方案
单击此处显示整篇文章

Check Point 建议所有部署的版本为 R81.20,并附带其推荐的 Jumbo Hotfix Accumulator Take。
有关所有 Check Point 版本的更多信息,请参阅版本图和版本术语文章。

简介 | 新功能 | 文档 | 下载和安装 | 其他下载和产品 | 修订历史

简介
R82 是 Check Point 针对 Quantum 产品和 CloudGuard 网络安全的主要软件版本。它引入了 50 项创新功能,以加强威胁预防,大大简化操作和配置,并使用集成的诊断工具排除网络连接故障。

此版本提供对新的 AI 驱动威胁预防引擎的访问,这些引擎可增强对零日网络钓鱼、品牌欺骗、恶意软件等的防御。R82 还增加了针对 NXNS 的 DNS 保护,提供 DNS 配置粒度,并支持 DNS-over-HTTPS 检查。

Check Point 提供业界首个针对 HTTP/3 over QUIC 的完整保护。R82 还支持轻松、自动化的 HTTPS 检查部署,具有精细的控制和卓越的性能。

Check Point 的 VSX 具有一种新的多功能模式 (VSNext),可统一虚拟系统和物理安全网关之间的管理功能和 API。此外,通过 Gaia Portal 中的新页面和一种无需物理编排器即可实现安全网关集群的新模式 (ElasticXL),集群管理得到了极大简化。

此外,R82 引入了具有卓越网络和路由功能的 Check Point 操作系统的新版本。对于自动化,用户和 DevOps 团队现在可以通过新的动态策略层直接对安全网关执行 API 调用。为了应对未来,R82 启用了 NIST 批准的 Kyber (ML-KEM) 加密,以保护当今的 VPN 流量免受未来基于量子计算的黑客攻击。

这些只是 R82 中一些强大的新功能。

R82 中的新功能

威胁预防
基于 AI 的预防引擎
Check Point 的新 AI 安全引擎代表了我们利用数据方式的转变,从主要单一指标视角转变为多维方法。

ThreatCloud Graph - 利用 ThreatCloud AI 知识库形成关系图,识别攻击模式以防止零日威胁。
Kronos - 使用 AI 和信号处理算法检查随时间变化的行为以检测恶意活动,防止零日 C2、网络钓鱼活动和其他威胁。
深度品牌聚类 - 使用正在申请专利的无监督深度学习引擎防止零日品牌网络钓鱼活动。该引擎将网站聚类为本地和全球品牌并确定是否是攻击。
未分类网站的动态分类 - 基于 AI 的网站动态分类引擎,可准确对 URL 进行分类,以阻止之前未分类的危险或不适当的网站。
改进的 DNS 安全功能
此版本提供了新的和增强的 DNS 安全功能,并添加了以下内容:

针对不存在域 (NXNS) 攻击的高级 DNS 保护。
支持 DNS over HTTPS (DoH) 协议。
配置粒度 - 威胁防护配置文件中的高级 DNS 安全设置。
详细的 DNS 安全统计信息 - 现在可在 SmartView 仪表板中使用。
自动安全服务配置
零网络钓鱼、防病毒、反机器人和 IPS 软件刀片现在更易于访问,可提供更简单、更轻松的用户体验。
零网络钓鱼软件刀片 - 引入了一种新的自动模式,可显著简化配置过程,提供无缝体验。使用自动模式,软件刀片配置现在毫不费力:只需启用软件刀片,您就可以开始了。
防病毒和防机器人软件刀片现在在新建的安全网关和集群对象中默认激活。请参阅 sk182106。
现在可以自动加载和更新 SNORT 规则文件作为自定义情报源,并将其作为新的 IPS 保护强制执行。
网络安全
增加了对通过 QUIC 传输 (UDP) 的 HTTP/3 协议的支持,以实现网络安全、威胁预防和沙盒。
HTTPS 检查
此版本通过突破性的性能、无与伦比的简单性和轻松部署 HTTPS 检查树立了新标准。现在,您可以在不牺牲速度或用户体验的情况下显着提高安全性。采用尖端技术,将 HTTPS 检查转变为无缝、创新的解决方案,确保您的系统保持安全,您的用户保持满意。

增强的 HTTPS 检查 UI - HTTPS 检查是完整的
Check Point Quantum R82 bǎnběn
chǎnpǐn
CloudGuard wǎngluò, duō yù ānquán guǎnlǐ,Quantum Maestro,Quantum kě kuòzhǎn jīxiāng,Quantum ānquán wǎngguān,Quantum ānquán guǎnlǐ,SmartConsole
bǎnběn
R82
shàng cì xiūgǎi
2024-10-29
jiějué fāng'àn
dān jī cǐ chù xiǎnshì zhěng piān wénzhāng

Check Point jiànyì suǒyǒu bùshǔ de bǎnběn wèi R81.20, Bìng fùdài qí tuījiàn de Jumbo Hotfix Accumulator Take.
Yǒuguān suǒyǒu Check Point bǎnběn de gèng duō xìnxī, qǐng cānyuè bǎnběn tú hé bǎnběn shùyǔ wénzhāng.

Jiǎnjiè | xīn gōngnéng | wéndàng | xiàzài hé ānzhuāng | qítā xiàzài hé chǎnpǐn | xiūdìng lìshǐ

jiǎnjiè
R82 shì Check Point zhēnduì Quantum chǎnpǐn hé CloudGuard wǎngluò ānquán de zhǔyào ruǎnjiàn bǎnběn. Tā yǐnrùle 50 xiàng chuàngxīn gōngnéng, yǐ jiāqiáng wēixié yùfáng, dàdà jiǎnhuà cāozuò hé pèizhì, bìng shǐyòng jíchéng de zhěnduàn gōngjù páichú wǎngluò liánjiē gùzhàng.

Cǐ bǎnběn tígōng duì xīn de AI qūdòng wēixié yùfáng yǐnqíng de fǎngwèn, zhèxiē yǐnqíng kě zēngqiáng duì líng rì wǎngluò diàoyú, pǐnpái qīpiàn, èyì ruǎnjiàn děng de fángyù.R82 hái zēngjiāle zhēnduì NXNS de DNS bǎohù, tígōng DNS pèizhì lìdù, bìng zhīchí DNS-over-HTTPS jiǎnchá.

Check Point tígōng yèjiè shǒu gè zhēnduì HTTP/3 over QUIC de wánzhěng bǎohù.R82 hái zhīchí qīngsōng, zìdònghuà de HTTPS jiǎnchá bùshǔ, jùyǒu jīngxì de kòngzhì hé zhuóyuè dì xìngnéng.

Check Point de VSX jùyǒu yī zhǒng xīn de duō gōngnéng móshì (VSNext), kě tǒngyī xūnǐ xìtǒng hé wùlǐ ānquán wǎngguān zhī jiān de guǎnlǐ gōngnéng hé API. Cǐwài, tōngguò Gaia Portal zhōng de xīn yèmiàn hé yī zhǒng wúxū wùlǐ biānpái qì jí kě shíxiàn ānquán wǎngguān jíqún de xīn móshì (ElasticXL), jíqún guǎnlǐ dédàole jí dà jiǎnhuà.

Cǐwài,R82 yǐnrùle jùyǒu zhuóyuè wǎngluò hé lùyóu gōngnéng de Check Point cāozuò xìtǒng de xīn bǎnběn. Duìyú zìdònghuà, yònghù hé DevOps tuánduì xiànzài kěyǐ tōngguò xīn de dòngtài cèlüè céng zhíjiē duì ānquán wǎngguān zhíxíng API diàoyòng. Wèile yìngduì wèilái,R82 qǐyòngle NIST pīzhǔn dì Kyber (ML-KEM) jiāmì, yǐ bǎohù dāngjīn de VPN liúliàng miǎn shòu wèilái jīyú liàngzǐ jìsuàn de hēikè gōngjí.

Zhèxiē zhǐshì R82 zhōng yīxiē qiángdà de xīn gōngnéng.

R82 zhōng de xīn gōngnéng

wēixié yùfáng
jīyú AI de yùfáng yǐnqíng
Check Point de xīn AI ānquán yǐnqíng dàibiǎole wǒmen lìyòng shùjù fāngshì de zhuǎnbiàn, cóng zhǔyào dānyī zhǐbiāo shìjiǎo zhuǎnbiàn wèi duōwéi fāngfǎ.

ThreatCloud Graph - lìyòng ThreatCloud AI zhīshì kù xíngchéng guānxì tú, shìbié gōngjí móshì yǐ fángzhǐ líng rì wēixié.
Kronos - shǐyòng AI hé xìnhào chǔlǐ suànfǎ jiǎnchá suí shíjiān biànhuà de xíngwéi yǐ jiǎncè èyì huódòng, fángzhǐ líng rì C2, wǎngluò diàoyú huódòng hé qítā wēixié.
Shēndù pǐnpái jù lèi - shǐyòng zhèngzài shēnqǐng zhuānlì de wú jiāndū shēndù xuéxí yǐnqíng fángzhǐ líng rì pǐnpái wǎngluò diàoyú huódòng. Gāi yǐnqíng jiāng wǎngzhàn jù lèi wéi běndì hé quánqiú pǐnpái bìng quèdìng shìfǒu shì gōngjí.
Wèi fēnlèi wǎngzhàn de dòngtài fēnlèi - jīyú AI de wǎngzhàn dòngtài fēnlèi yǐnqíng, kě zhǔnquè duì URL jìn háng fēnlèi, yǐ zǔzhǐ zhīqián wèi fēnlèi de wéixiǎn huò bù shìdàng de wǎngzhàn.
Gǎijìn de DNS ānquán gōngnéng
cǐ bǎnběn tígōngle xīn de hé zēngqiáng de DNS ānquán gōngnéng, bìng tiānjiāle yǐxià nèiróng:

Zhēnduì bù cúnzài yù (NXNS) gōngjí de gāojí DNS bǎohù.
Zhīchí DNS over HTTPS (DoH) xiéyì.
Pèizhì lìdù - wēixié fánghù pèizhì wénjiàn zhōng de gāojí DNS ānquán shèzhì.
Xiángxì de DNS ānquán tǒngjì xìnxī - xiànzài kě zài SmartView yíbiǎo bǎn zhōng shǐyòng.
Zìdòng ānquán fúwù pèizhì
líng wǎngluò diàoyú, fáng bìngdú, fǎn jīqìrén hé IPS ruǎnjiàn dāopiàn xiànzài gēng yìyú fǎngwèn, kě tígōng gèng jiǎndān, gèng qīngsōng de yònghù tǐyàn.
Líng wǎngluò diàoyú ruǎnjiàn dāopiàn - yǐnrùle yī zhǒng xīn de zìdòng móshì, kě xiǎnzhù jiǎnhuà pèizhì guòchéng, tígōng wú fèng tǐyàn. Shǐyòng zìdòng móshì, ruǎnjiàn dāopiàn pèizhì xiànzài háo bù fèilì: Zhǐ xū qǐyòng ruǎnjiàn dāopiàn, nín jiù kěyǐ kāishǐle.
Fáng bìngdú hé fáng jīqìrén ruǎnjiàn dāopiàn xiànzài zài xīnjiàn de ānquán wǎngguān hé jíqún duìxiàng zhōng mòrèn jīhuó. Qǐng cānyuè sk182106.
Xiànzài kěyǐ zìdòng jiāzài hé gēngxīn SNORT guīzé wénjiàn zuòwéi zì dìngyì qíngbào yuán, bìng jiāng qí zuòwéi xīn de IPS bǎohù qiángzhì zhíxíng.
Wǎngluò ānquán
zēngjiāle duì tōngguò QUIC chuánshū (UDP) de HTTP/3 xiéyì de zhīchí, yǐ shíxiàn wǎngluò ānquán, wēixié yùfáng héshā hé.
HTTPS jiǎnchá
cǐ bǎnběn tōngguò túpò xìng dì xìngnéng, wúyǔlúnbǐ de jiǎndān xìng hé qīngsōng bùshǔ HTTPS jiǎnchá shùlìle xīn biāozhǔn. Xiànzài, nín kěyǐ zài bù xīshēng sùdù huò yònghù tǐyàn de qíngkuàng xià xiǎnzhe tígāo ānquán xìng. Cǎiyòng jiānduān jìshù, jiāng HTTPS jiǎnchá zhuǎnbiàn wéi wú fèng, chuàngxīn de jiějué fāng'àn, quèbǎo nín de xìtǒng bǎochí ānquán, nín de yònghù bǎochí mǎnyì.

Zēngqiáng de HTTPS jiǎnchá UI - HTTPS jiǎnchá shì wánzhěng de
展开
 楼主| 发表于 2024-11-5 10:53:25 | 显示全部楼层
Quantum 安全网关
新集群技术
ElasticXL - 一种新的集群技术,通过单一管理对象和所有集群成员之间配置和软件的自动同步来简化操作。
动态策略层
完全自动化、API 控制的策略层,允许在几秒钟内直接在安全网关上实施动态策略更改,而无需涉及安全管理或安装安全策略。
身份意识
Quantum 网关现在可以使用 Check Point Infinity 门户中定义的多个外部身份提供商,提供跨产品的统一身份管理。
通过为身份共享协议添加新的身份缓存模式,提高了 PDP 连接丢失时的弹性。
IPsec VPN
根据 FIPS 203 标准的要求,增加了对 ML-KEM (Kyber768) 的支持,以解决后量子密码学 (PQC)。
自动检测 AWS、Azure 和 GCP 公共云中的配置更改并调整 VPN 设置,确保连接稳定。
引入高级 VPN 监控工具,该工具显示每个 VPN 隧道的信息并跟踪其运行状况和性能。
增强的链路选择:
互操作性:
使用公共 IP 地址作为隧道标识符,为每个链路建立单独的隧道。
使用死对等检测 (DPD) 作为链路探测协议,而不是专有的“可靠数据协议”(RDP)。
冗余:
允许 VPN 隧道冗余,包括第三方和本地云 VPN 对等。
粒度:
能够配置安全网关以在不同的 VPN 社区中使用不同的 VPN 接口。
远程访问 VPN
安全网关现在支持来自远程访问 VPN 客户端(E88.40 及更高版本)的 IKEv2 协议连接。
移动访问
移动访问策略和 Capsule Workspace 配置现在可在 SmartConsole 中使用。
移动访问客户端的 SAML 身份验证支持,允许与第三方身份提供商无缝集成。
用于 Capsule Workspace 配置的新管理 API 调用。请参阅 Check Point 管理 API 参考 >“移动访问”部分。
动态路由
增加了对新动态路由功能的支持:

BGP 扩展社区 (RFC 4360)。

BGP 条件路由通告和注入。

事件触发器的路由表监视器。

集群成员上的 IPv4 和 IPv6 路由器发现。

路由器首选项和路由信息选项。

路由年龄信息。

具有非默认前缀的 IPv4 PIM-SSM。

具有 BFD 的 IPv4 PIM。

IPv4 PIM 邻居过滤。

IPv4 PIM RPT 到 SPT 切换控制。

IPv6 协议独立多播 (PIM) 和多播侦听器发现 (MLD)。
增加了对新动态路由 API 调用的支持:

BGP、PIM、多播侦听器发现 (MLD) 的 REST API 调用。

路由重新分发、入站路由过滤器和 NAT 池的 REST API 调用。
IGMP 的 REST API 调用。
另请参阅 Check Point Gaia API 参考 v1.8(及更高版本)>“网络”部分。

性能和基础设施
SMB/CIFS 协议的 HyperFlow 大流量加速。
QUIC 协议的 HyperFlow 大流量加速。
Quantum Security Gateway 通过新的多进程架构将日志速率输出容量提高了 100%。
Quantum Maestro、可扩展机箱和 ElasticXL
此版本在管理和监控可扩展平台集群方面有所改进,包括:

支持 REST API:
Quantum Maestro Orchestrator 上的新 API 调用,用于配置和监控 Maestro 安全组、网关、站点和端口。
请参阅 Check Point Gaia API 参考 v1.8 及更高版本 >“Maestro”部分中可用的 API 调用的完整列表。
支持可扩展平台成员上的 Gaia REST API。
支持 Quantum Maestro Orchestrator 上的 Gaia 首次配置向导,能够配置 Maestro 站点设置。
支持身份验证,以确保 Quantum Maestro Orchestrator 之间的同步连接安全。
支持每个可扩展平台成员上的 SNMP 查询。
支持 Quantum Maestro Orchestrator 的上行链路、同步和管理端口上的 LLDP。
Gaia Portal 中 Quantum Maestro Orchestrator 的新页面“端口”。此页面显示端口配置的摘要和交互式视图,对端口运行诊断,并闪烁端口 LED 以进行识别。
Gaia Portal 中 ElasticXL/安全组的新页面“集群管理”。此页面显示可扩展平台成员的状态和性能。
“insights” - 新的 CLI 工具,用于在专家模式和 Gaia gClish 中监控整个可扩展平台集群。
新的 Gaia gClish 命令“show cluster”和“set cluster”。
当可扩展平台中的 Gaia OS 配置发生变化时,可扩展平台成员的启动时间缩短,重启次数减少。
升级更加简单:
此版本引入了可扩展平台上 CPUSE 部署代理的自动更新。不再需要手动部署。
升级到 R8
 楼主| 发表于 2024-11-5 10:55:20 | 显示全部楼层
升级更简便:
此版本引入了可扩展平台上 CPUSE 部署代理的自动更新。不再需要手动部署。
升级到 R82 及更高版本不再需要 sp_upgrade 脚本,并且可以使用可扩展平台监控工具轻松监控。
附加快照机制,用于拍摄小型 Gaia OS 快照(lightshots)。
VSX
Check Point VSX 增强了新模式 (VSNext),允许更简单的配置、更轻松的配置以及与物理安全网关类似的体验。

新 VSX 模式的优势包括:

Check Point 物理安全网关和虚拟网关之间的统一管理体验,包括从不同的管理服务器管理每个虚拟网关的能力。
改进 VSX 配置性能和配置体验 - 在 Gaia Portal、Gaia Clish 或使用 Gaia REST API 创建、修改和删除虚拟网关和虚拟交换机。
虚拟网关 (VGW) 和物理安全网关之间的管理功能和 API 奇偶校验。
使用不同的安全管理服务器管理不同的虚拟网关,以及在同一多域安全管理服务器上管理不同的域管理服务器
工具和实用程序
新工具“connview” - 一种新的综合故障排除工具,用于查看在用户空间防火墙 (USFW) 中工作的安全网关上的连接信息。
新工具“up_execute”执行虚拟访问控制/NAT 规则库执行。根据日志或连接给出输入,执行提供详细信息,例如匹配的规则和分类信息。

Gaia 操作系统
注意 - 本节适用于安全网关、管理服务器和日志服务器。

此版本通过新的操作系统内核和多个新的配置选项增强了 Gaia OS,以实现更好的安全性、增强的网络和更简单的体验。

新功能包括:

增强 Gaia OS:
在 VSX 模式下支持链路层发现协议 (LLDP)。
DHCPv6 服务器、DHCPv6 客户端和 DHCPv6 客户端用于 Gaia Portal 和 Gaia Clish 中的前缀委派。
能够在 Gaia Portal 和 Gaia Clish 中配置“AAA”身份验证(TACACS、RADIUS、本地身份验证)的顺序。
DNS 代理转发域,允许为每个 DNS 后缀配置特定的 DNS 服务器。
新的 Gaia OS 配置项:
使用基于时间的身份验证器应用程序(Google Authenticator 和 Microsoft Authenticator)对 Gaia OS 登录进行双因素身份验证。
Gaia Portal 和 Gaia Clish 中的 NTP 池和大量 NTP 服务器。
NFSv4 配置。
键盘布局。
Gaia Portal 和 Gaia Clish 中远程 Syslog 服务器的 TLS 配置。
支持将 Gaia OS 备份存储在 Amazon S3 和 Microsoft Azure 中并从那里恢复。

Quantum 安全管理
安全管理服务器增强功能
LDAP 帐户单元对象现在使用 LDAP 服务器名称和 CA 证书进行 LDAP 信任。如果管理员更新或替换 LDAP 服务器证书,则信任会自动更新。因此,Check Point 服务器保持与 LDAP 服务器的连接。
支持管理 API 运行“vsx_provisioning_tool”操作来配置 VSX 网关和 VSX 群集对象。请参阅 Check Point 管理 API 参考 > 部分“VSX” > 命令“vsx-provisioning-tool”。
支持管理 API 为数据丢失防护和内容感知软件刀片配置“数据类型”对象。请参阅 Check Point 管理 API 参考 > 部分“数据类型”。
安全网关现在可以由托管在公共云或第三方 NAT 设备后面的安全管理服务器管理。
支持管理最多 500 个安全网关/群集成员,允许在所有托管安全网关/群集成员上并发安装策略。
当管理服务器上的 Gaia Portal 在默认端口 443 以外的其他端口上运行时,支持在 SmartConsole 中进行 SAML 登录。请参阅 sk182032。
能够验证包含未发布更改的访问控制策略。
“访问规则名称”和“访问规则编号”字段现在将通过从预定义的 Playblocks 和 IoT 访问策略层中排除接受规则来优先处理来自管理员定义规则的信息。
SmartConsole
添加了系统帐户安装 SmartConsole 的功能。
SmartConsole > “网关和服务器”视图中的增强功能:
您现在可以查看和管理安全网关/集群对象和 Check Point 主机对象的推荐巨型修补程序累加器和推荐软件更新。
HealthCheck Point (HCP) 测试现已集成。您可以将其视为安全网关状态的一部分。默认情况下,此功能处于禁用状态。
Web SmartConsole
此版本提供了以下新的 Web SmartConsole 功能:
威胁预防规则库
HTTPS 检查规则库
NAT 规则库
规则库搜索
修补程序和版本升级的集中部署
 楼主| 发表于 2024-11-5 10:55:49 | 显示全部楼层
在 SmartConsole 中
通过 SmartConsole 进行中央软件部署的功能已得到增强,现在支持:

卸载 Jumbo Hotfix 累加器。
在“切换到更高优先级集群成员”配置(“主启动”)中在 ClusterXL 高可用性模式下安装软件包。
在辅助管理服务器上安装软件包。
在专用日志服务器上安装软件包。
在专用 SmartEvent 服务器上安装软件包。
从独立服务器安装软件包。
多域安全管理服务器上每个域的软件包存储库。
SmartProvisioning
Star VPN Community 现在支持 Quantum Maestro 安全组、VSX 网关和 VSX 集群作为中心网关(企业办公室网关)。
多域安全管理服务器
能够在同一多域安全管理服务器上克隆现有域。请参阅 sk180631。
大型多域安全管理服务器环境的升级时间缩短高达 50%。
在多域安全管理服务器上新增对 IPv6 配置的支持(仅使用管理 API“set mds”),允许域通过 IPv6 与托管安全网关进行通信。
当超级用户将全局策略分配给域管理服务器时,自动刷新连接到非全局域的 SmartConsole 中已修改的全局对象。请参阅 sk182307。
能够在策略预设对象中选择访问控制、威胁预防或两种策略。
合规性
为 Quantum Maestro 添加了 Gaia OS 最佳实践支持 - 为每个安全组成员和编排器提供综合的最佳实践状态。
为 Quantum Spark 设备添加了 Gaia OS 最佳实践支持(仅适用于适用的 Gaia OS 最佳实践)。
为日志服务器添加了 Gaia OS 最佳实践支持。
添加了新法规:
互联网安全基准中心
网络基本要素 v3.1
网络安全成熟度模型认证
缓解网络安全事件的八项基本要素和策略
IEC 62443-2-1 201
ISO 27001:2022
以色列网络防御方法 2.0
网络和信息系统指令 2
PCI DSS 4.0
TISAX 5.1

CloudGuard 网络安全
CloudGuard 控制器
CloudGuard 控制器现在支持身份感知 PDP(身份共享)。
CloudGuard 控制器现在支持 VMware NSX-T 全局管理器,以允许
与 VMware NSX-T v4.1 集成。
适用于 VMware NSX-T 的 CloudGuard 控制器现在使用策略模式 API 从 NSX-T 管理器导入对象。
多域安全管理服务器现在支持全局策略中的数据中心对象和数据中心查询对象。
您需要登录后才可以回帖 登录 | 注册

本版积分规则

小黑屋|手机版|Archiver|boway Inc. ( 冀ICP备10011147号 )

GMT+8, 2024-12-4 01:26 , Processed in 0.104259 second(s), 16 queries .

Powered by Discuz! X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回复 返回顶部 返回列表