Check Point R80.10
What's New
We are happy to introduce R80.10. This release integrates R80 management features with new Security Gateway features and enhancements.
What's new in the Check Point R80.10 release:
R80.10 creates a breakthrough in the Check Point Security Gateway, matching the R80 security management innovations.
Security Policy New Architecture
• Policy Layers and Sub-Policies enable flexible control over the security policy behavior.
• Build a rule base with layers, each with a set of security rules. Layers are inspected in the order in which they are defined, giving control over the rule base flow and the precedence of security functionality. If an "Accept" action is taken in a layer, inspection continues in the next layer.
• Sub-Policies are sets of rules that you attach to specific rules. If the rule is matched, inspection continues in the sub-policy attached to the rule. If the rule is not matched, the sub-policy is skipped. For example, a sub-policy can manage a network segment or a branch office.
• Sub-Policies can be managed by specific administrators, according to their permission profile, allowing easy delegation of responsibility in the team.
• Unified Security Policies:
• Access Control policy unifies the Firewall, Application Control & URL Filtering, Data Awareness, and Mobile Access Software Blade policies.
• Threat Prevention policy unifies the IPS, Anti-Virus, Anti-Bot, and Threat Emulation Software Blade policies.
Access Control Policy
• New Data Awareness Software Blade adds visibility and control over data transfers in the network traffic, using data types based on content, file types, and direction.
• Application Control enhancements:
• Added Recommended Services to Applications for easier configuration of the unified policy.
• Applications are matched on Recommended Services, a customized set of services, or Any service.
• New Protocol Signature added to the Service object, to enhance policy matching security and granularity.
• Security Zones: Group interfaces of gateways into Security Zones for new Source and Destination definitions.
• Fully Qualified Domain Names (FQDN): Additional mode for Domain objects, to match fully qualified domain names with forward DNS lookup.
• Acceleration of Domain Objects, Dynamic Objects, and Time Objects.
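The layer and sub-policy semantics described above (ordered layers, an Accept in one layer continuing to the next, a matched rule handing inspection off to its sub-policy) modelled as a small evaluator. This is an added example, not Check Point code: the implicit cleanup action at the end of each layer and sub-policy is assumed to be drop, and the sample policy and addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"

@dataclass
class Rule:
    src: str                        # source CIDR or "any"
    dst: str                        # destination CIDR or "any"
    service: str                    # e.g. "tcp/443" or "any"
    action: str                     # "accept" or "drop"; ignored when a sub-policy is attached
    sub_policy: Optional["Layer"] = None

@dataclass
class Layer:
    name: str
    rules: List[Rule] = field(default_factory=list)
    cleanup: str = "drop"           # implicit cleanup action; assumed, not stated in the release notes

def _matches(rule: Rule, src: str, dst: str, svc: str) -> bool:
    return ((rule.src == ANY or ip_address(src) in ip_network(rule.src))
            and (rule.dst == ANY or ip_address(dst) in ip_network(rule.dst))
            and (rule.service == ANY or rule.service == svc))

def evaluate_layer(layer: Layer, src: str, dst: str, svc: str) -> Tuple[str, str]:
    """First matching rule decides; a matched rule with a sub-policy hands off to it.
    Returns (action, name of the layer whose rule or cleanup made the decision)."""
    for rule in layer.rules:
        if _matches(rule, src, dst, svc):
            if rule.sub_policy is not None:
                return evaluate_layer(rule.sub_policy, src, dst, svc)
            return rule.action, layer.name
    return layer.cleanup, layer.name   # nothing matched: implicit cleanup rule

def evaluate_policy(layers: List[Layer], src: str, dst: str, svc: str) -> Tuple[str, str]:
    """Layers are inspected in order: an Accept continues to the next layer, a Drop is final."""
    verdict = ("accept", "")
    for layer in layers:
        verdict = evaluate_layer(layer, src, dst, svc)
        if verdict[0] == "drop":
            return verdict
    return verdict

# Constructed sample policy: a Network layer whose branch-office rule hands off to a
# sub-policy, followed by an Application layer that admits only HTTPS.
BRANCH = Layer("Branch-Office", [Rule("10.20.0.0/16", "10.1.0.0/24", "tcp/443", "accept")])
NETWORK = Layer("Network", [Rule("10.20.0.0/16", ANY, ANY, "accept", sub_policy=BRANCH),
                            Rule("10.1.0.0/24", ANY, ANY, "accept")])
APPCTL = Layer("Application", [Rule(ANY, ANY, "tcp/443", "accept")])
POLICY = [NETWORK, APPCTL]
```

Traffic from the HQ segment on tcp/80 is accepted by the Network layer but still dropped by the Application layer's cleanup, which is the behaviour the "Accept continues in the next layer" rule implies.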
Introduction R80.10 Release Notes Early Availability | 6
Threat Prevention Policy
• Multiple profiles for each Security Gateway, to enforce granular Threat Prevention policies.
• Faster Threat Prevention policy installation.
Significant Improvements and New Features
• Enhanced VPN and Mobile Access:
• VPN multicore performance with CoreXL multicore scalability for VPN traffic inspected by the Next Generation Firewall, Next Generation Threat Prevention, and Next Generation Threat Extraction Software Blades.
• NAT-T support for Site-to-Site VPN.
• TLS 1.2 support for Mobile Access and portals.
• Login options with multi-factor authentication schemes for users of different clients and portals.
• Explicit block for specified Mobile Access traffic.
• Reverse Proxy for external access to internal web servers.
• Enhanced Identity Awareness:
• Up to 200,000 Identity sessions per gateway.
• Gateway REST API to manage identities from third-party or customized systems.
• Identity Collector - New agent that collects identity information from different sources (AD and ISE), for large environment scalability.
• New RADIUS Accounting attribute parsing and IPv6 support.
• Enhanced handling of nested user groups for AD LDAP using LDAPv3.
• Enforce remote access client type in access role.
• Detect users located behind an HTTP proxy using X-Forward-For header granularity per Access Control Policy Layer.
• Dynamic Routing Enhancements:
• NetFlow support for IPFIX (with NAT and IPv6 flow records).
• IPv6 DHCP relay with ClusterXL.
• IPv6 RIP with VRRPv2.
• SNMP.
• BGP 4-Byte AS and Local AS.
• Threat Emulation MTA (Mail Transfer Agent) support in VSX. You can run an MTA for each VS instance.
Management Enhancements
These enhancements were first introduced in R80.
• Multi-Domain Security Management:
• Global policy and settings for blades.
• Unified architecture and unified client with single Domain security management.
• New and improved views for Domain provisioning and global configuration.
• Role-based & Concurrent Administration - Several administrators can work in parallel on the same security policy, with granular and flexible privilege delegation to each administrator.
• A new advanced locking mechanism ensures administrators do not overwrite each other's work.
• Rich administrator profiles define the exact privileges each administrator has, including managing specific policies or network segments, viewing specific logs, and conducting security operations, such as installing policy.
• Secured Automation and Orchestration - CLI and API for security management enable full integration with third-party systems and automation of daily operations. Automation and SmartConsole management operations are allowed based on the same privilege profile.
• Faster Day-to-Day Operations:
• Integrated logging to see all logs related to a rule in the same screen.
• Detailed rule information: who created the rule and when, hit counts, and user-defined data, such as ticket numbers.
• Enhanced search capabilities to quickly find any rule or object in the system.
• Enhanced Management High Availability synchronizes only the changes between servers, significantly improving efficiency.
• Next Generation Logs, Events and Reports:
• Analyze hundreds of millions of logs per day with graphical views and reports, customized to address specific requirements.
• Logging, monitoring, and reporting are also available in the web-based interface.
• Free-text search of logs and events with auto-suggest and favorites, with results in seconds.
R80.10 Public EA Current Limitations:
These limitations apply only to this specific Public EA. They will be fixed for GA.
• The Endpoint Policy Management blade is not supported.
• Standalone configuration is not supported.
• SmartConsole must be closed during upgrade.
• On a Multi-Domain Management Server that was upgraded from R80, the Create Domain operation might fail.
• On a Multi-Domain Management Server, when a Global Policy is assigned, two cleanup rules show in the same layer. This is a cosmetic issue only.
• The option to download the Identity Collector Agent from the gateway portal is missing.