Check Point R80.10 Public Early Availability

network

Check Point R80.10 Public Early Availability

We are happy to introduce you R80.10 - This release integrates R80 management
features with new Security Gateway features and enhancements.
What's new in Check Point R80.10 release:
R80.10 creates a breakthrough in Check Point Security Gateway, matching the R80 security management
innovations.

Security Policy New Architecture
• Policy Layers and Sub-Policies enable flexible control over the security policy behavior.
• Build a rule base with layers, each with a set of the security rules. Layers are inspected in
the order in which they are defined, giving control over the rule base flow and precedence
of security functionality. If an "Accept" action is done in a layer, inspection continues in the
next layer.
• Sub-Policies are sets of rules that you attach to specific rules. If the rule is matched,
inspection continues in the sub-policy attached to the rule. If the rule is not matched, the
sub-policy is skipped.
For example, a sub policy can manage a network segment or branch office.
• Sub-Policies can be managed by specific administrators, according to their permission
profile, allowing easy responsibility delegation in the team.
• Unified Security Policies:
• Access Control policy unifies the Firewall, Application Control & URL Filtering, Data
Awareness, and Mobile Access Software Blade policies.
• Threat Prevention policy unifies the IPS, Anti-Virus, Anti-Bot, and Threat Emulation
Software Blade policies.
Access Control Policy
• New Data Awareness Software Blade adds visibility and control over data transfers in the
network traffic, using data types based on content, file types, and direction.
• Application Control enhancements:
• Added Recommended Services to Applications for easier configuration of the unified policy.
• Applications matched on Recommended Services, customized set of services, or Any
service.
• New Protocol Signature added to Service object, to enhance policy matching security and
granularity.
• Security Zones: Group interfaces of gateways into Security Zones for new Source and
Destination definitions.
• Fully Qualified Domain Names (FQDN): Additional mode for Domain objects, to match fully
qualified domain names with forward DNS lookup.
• Acceleration of Domain Objects, Dynamic Objects, and Time Objects.
Introduction
R80.10 Release Notes Early Availability | 6
Threat Prevention Policy
• Multiple profiles for each Security Gateway, to enforce granular Threat Prevention policies.
• Faster Threat Prevention policy installation.
Significant Improvements and New Features
• Enhanced VPN and Mobile Access:
• VPN multicore performance with CoreXL multicore scalability for VPN traffic inspected by
Next Generation Firewall, Next Generation Threat Prevention, and Next Generation Threat
Extraction Software Blades.
• NAT-T support for Site-to-Site VPN.
• TLS 1.2 support for Mobile Access and portals.
• Login options with multi-factor authentication schemes for users of different clients and
portals.
• Explicit block for specified Mobile Access traffic.
• Reverse Proxy for external access to internal web servers.
• Enhanced Identity Awareness:
• Up to 200,000 Identity sessions per gateway.
• Gateway REST API to manage identities from 3rd party or customized system.
• Identity Collector - New agent that collects identity information from different sources (AD
and ISE), for large environment scalability.
• New Radius Accounting attribute parsing and IPv6 support.
• Enhanced handling of nested user groups for AD LDAP using LDAPv3.
• Enforce remote access client type in access role.
• Detect users located behind HTTP proxy using X-Forward-For header granularity per
Access Control Policy Layer.
• Dynamic Routing Enhancements:
• Netflow support for IPFIX (with NAT and IPv6 flow records).
• IPv6 DHCP relay with ClusterXL.
• IPv6 RIP with VRRPv2.
• SNMP.
• BGP 4-Byte AS and Local AS.
• Threat Emulation MTA (Mail Transfer Agent) support in VSX. You can run MTA for each VS
instance.
Management Enhancements
These enhancements were first introduced in R80.
• Multi-Domain Security Management:
• Global policy and settings for blades.
• Unified architecture and unified client with single Domain security management.
• New and improved views for Domain provisioning and global configuration.
Introduction
• Role-based & Concurrent Administration - Several administrators can work in parallel on the
same security policy, with granular and flexible privilege delegation to each administrator.
• A new advanced locking mechanism ensures administrators do not overwrite each others'
work.
• Rich administrator profiles for exact privileges each administrator will have, including
managing specific policies or network segments, viewing specific logs, and conducting
security operations, such as installing policy.
• Secured Automation and Orchestration - CLI and API for security management enables full
integration with 3rd party systems and automation of daily operations. Automation and
SmartConsole management operations are allowed based on the same privilege profile.
• Faster Day to Day Operations:
• Integrated logging to see all logs related to a rule in the same screen.
• Detailed rule information of who created the rule and when, hit counts, and user-defined
data, such as ticket numbers.
• Enhanced search capabilities to quickly find any rule or object in the system.
• Enhanced Management High Availability synchronizes only changes between servers,
significantly improving efficiency.
• Next Generation Logs, Events and Reports:
• Analyze hundreds of millions of logs per day with graphical views and reports, customized
to address specific requirements.
• Logging, monitoring, and report aspects also available in the web-based interface.
• Free-text search of logs and events with auto-suggest and favorites, with results in seconds.


R80.10 Public EA Current Limitations:
These limitations apply to this specific Public EA  ***THEY WILL BE FIXED FOR GA***

•         The Endpoint Policy Management blade is not supported.
•         Standalone configuration is not supported.
•         SmartConsole must be closed during upgrade.
•         On a Multi Domain Management Server that was upgraded from R80, the Create Domain operation might fail.
•         On a Multi Domain Management Server, when Global Policy is assigned, two cleanup rules show in the same layer. This is a cosmetic issue only.
•         The option to download the Identity Collector Agent from the gateway portal is missing