Check Point Quantum R82 Release
Product: CloudGuard Network, Multi-Domain Security Management, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, Quantum Security Management, SmartConsole
Version: R82
Last Modified: 2024-10-29
Solution
Check Point's recommended version for all deployments is R81.20 with its recommended Jumbo Hotfix Accumulator Take.
For information about all Check Point releases, refer to the Release map and Release Terminology articles.
Introduction
R82 is Check Point's major software release for Quantum products and CloudGuard Network Security. It introduces 50 new capabilities to strengthen threat prevention, streamline operations and provisioning, and troubleshoot network connections with integrated diagnostic tools.
This release adds AI-based threat prevention engines that strengthen defense against zero-day phishing, brand spoofing, malware, and more. R82 also adds DNS protection against the NXNSAttack, more granular DNS Security configuration, and inspection of DNS over HTTPS (DoH), which would otherwise hide DNS queries from the Security Gateway inside TLS.
Check Point offers the industry's first complete protection for HTTP/3 over QUIC. R82 also makes HTTPS Inspection deployment automated and gradual, with granular controls and improved performance.
Check Point VSX has a new mode (VSNext) that unifies management features and APIs across Virtual Systems and physical Security Gateways. Cluster management is simplified with a new page in Gaia Portal and a new mode (ElasticXL) that enables Security Gateway clustering without physical Orchestrators.
In addition, R82 introduces a new version of the Gaia operating system with a newer kernel and improved networking and routing capabilities. For automation, users and DevOps teams can execute API calls directly against Security Gateways through a new dynamic policy layer. For future-proofing, R82 adds the NIST-standardized ML-KEM (Kyber) key encapsulation mechanism to the IPsec VPN key exchange, so that VPN traffic recorded today cannot be decrypted later with a quantum computer (the "harvest now, decrypt later" threat).
These are just some of the new capabilities in R82.

What's New in R82

Threat Prevention

AI-based prevention engines
Check Point's new AI security engines change how threat data is used, moving from a mostly single-indicator perspective to a multi-dimensional one:
- ThreatCloud Graph - Uses the ThreatCloud AI knowledge base to build a relationship graph between indicators and identify attack patterns, preventing zero-day threats.
- Kronos - Inspects behavior over time with AI and signal-processing algorithms to detect malicious activity, preventing zero-day command-and-control (C2) traffic, phishing campaigns, and other threats.
- Deep Brand Clustering - Prevents zero-day brand-phishing campaigns with a patent-pending unsupervised deep-learning engine that clusters websites into local and global brands and determines whether a page is an impersonation attack.
- Dynamic classification of uncategorized websites - An AI-based engine classifies websites on the fly, categorizing URLs so that previously uncategorized dangerous or inappropriate websites can be blocked.
Improved DNS Security capabilities
This release adds new and enhanced DNS Security capabilities:
- Advanced DNS protection against the NXNSAttack (Non-Existent Name Server attack), a resolver amplification attack that abuses referrals to non-existent name servers.
- Support for inspecting the DNS over HTTPS (DoH) protocol.
- Configuration granularity - Advanced DNS Security settings in the Threat Prevention profile.
- Detailed DNS Security statistics - Now available in the SmartView dashboard.
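DNS over HTTPS (RFC 8484) carries the DNS message inside an HTTPS session to the resolver, so a gateway that only sees the TLS connection cannot apply DNS Security to it; the DoH inspection listed above therefore depends on HTTPS Inspection decrypting the session first. The stand-alone Python below is an added example, not Check Point code: it shows what has to be recovered from the HTTP layer once the session is decrypted, by building a wire-format query, wrapping it as a DoH GET request (base64url in the dns parameter) and parsing such a request back into the queried names and types. The endpoint path and the host names in it are constructed for the example; the sample request is the GET example from RFC 8484.

```python
import base64
import binascii
import struct
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# QTYPE numbers used below (IANA DNS parameters registry).
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA", 65: "HTTPS"}


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035): ID 0 and RD set, as RFC 8484
    recommends for DoH GET requests so that responses are cache-friendly."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS = IN


def doh_get_path(query: bytes, endpoint: str = "/dns-query") -> str:
    """Wrap a DNS message as a DoH GET request path: base64url, no padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            # Compression pointers are legal in answers but never needed in
            # the question section of a query; refuse rather than follow.
            raise ValueError("compression pointer in question section")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_doh_get(path: str) -> List[Tuple[str, str]]:
    """Return the (qname, qtype) pairs a DoH GET request asks for.
    Raises ValueError if the dns parameter is missing or malformed, which
    an inspection engine should log rather than silently pass."""
    params = parse_qs(urlsplit(path).query)
    if "dns" not in params:
        raise ValueError("no dns parameter: not a DoH GET request")
    raw = params["dns"][0]
    padded = raw + "=" * (-len(raw) % 4)  # RFC 8484 strips base64 padding
    try:
        msg = base64.urlsafe_b64decode(padded)
    except (ValueError, binascii.Error) as exc:
        raise ValueError(f"dns parameter is not base64url: {exc}") from exc
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    qdcount = struct.unpack(">H", msg[4:6])[0]
    questions = []
    offset = 12
    for _ in range(qdcount):
        name, offset = _read_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack(">HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPE_NAMES.get(qtype, f"TYPE{qtype}")))
    return questions


# Constructed sample: the GET request a DoH client sends for www.example.com
# type A (identical to the GET example in RFC 8484).
SAMPLE_PATH = "/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"

if __name__ == "__main__":
    print(doh_get_path(build_dns_query("www.example.com")))
    print(parse_doh_get(SAMPLE_PATH))  # [('www.example.com', 'A')]
```

A DoH POST request carries the same wire-format message as the request body with content type application/dns-message, so the same parser applies once the base64url step is skipped. A request to a known resolver endpoint whose dns parameter does not decode is itself worth logging.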
Automatic Security Services configuration
The Zero Phishing, Anti-Virus, Anti-Bot, and IPS Software Blades are now simpler to enable and configure:
- Zero Phishing Software Blade - A new Automatic mode removes most of the manual configuration: enable the Software Blade and it is ready to use.
- The Anti-Virus and Anti-Bot Software Blades are now activated by default in newly created Security Gateway and Cluster objects. See sk182106.
- SNORT rules files can now be loaded and updated automatically as a Custom Intelligence Feed and enforced as new IPS protections.

Web Security
- Added support for the HTTP/3 protocol over QUIC transport (UDP) for Network Security, Threat Prevention, and Sandboxing.
HTTPS Inspection
This release improves HTTPS Inspection performance and simplifies its deployment, so that inspection can be extended to more traffic without sacrificing speed or user experience:
- Enhanced HTTPS Inspection UI - HTTPS Inspection is fully managed in SmartConsole.
- Enhanced HTTPS Inspection policy - A dedicated policy for inbound inspection, certificate management views for both inbound and outbound policies, and an enhanced default outbound policy.
- Trusted CA package - A new view to manage trusted certificates and see the status of the Trusted CA package.
- HTTPS Advanced settings - A new view to configure advanced settings, including the new R82 features.
- Client Side Fail mode - Automatically detects failures in inspected HTTPS connections caused by client-side issues, such as applications that pin their server certificate and therefore reject the certificate re-signed by the gateway. When a failure is detected, the connection is flagged to be bypassed in future attempts, and an AI model learns from these failures to identify similar connections.
- Endpoint Detection - Identifies endpoints on which the outbound CA certificate has not been deployed (and which would therefore fail inspected connections).
- Learning mode:
  - Gradual and smart deployment - Activated during the deployment of HTTPS Inspection; inspects a small percentage of traffic over two weeks.
  - Network learning - Gathers insights into network behavior and detects potential connectivity issues for the AI model to consider.
  - Performance prediction - Estimates the impact on performance when HTTPS Inspection is fully enabled.
- Bypass Under Load - Bypasses HTTPS connections when the Security Gateway experiences high CPU load. Bypassed connections are not inspected, so this trades coverage for availability and should be watched in the statistics view.
- HTTPS Inspection monitoring - A new HTTPS Inspection statistics view in SmartView, including bypass/inspect statistics.
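Client Side Fail mode is easiest to understand against concrete connection records. The Python below is an added illustration, not Check Point's implementation (the page does not describe the actual heuristics): it replays constructed records from an inspecting proxy and applies one plausible rule, that a client which aborts the handshake after receiving the gateway-issued certificate, either with a certificate-related TLS alert or by silently closing, has rejected the inspection certificate (pinning, or a missing outbound CA), while sessions that complete or that fail on the server side are not client-side failures. The record fields, the threshold, and the sample addresses and host names are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TLS alert descriptions (RFC 8446 section 6.2) a client sends when it
# rejects the certificate it was shown, here the gateway's re-signed one.
CLIENT_CERT_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
}

# Consecutive client-side failures per (client, server) pair before the
# pair is flagged for bypass. Threshold assumed for this example.
FAIL_THRESHOLD = 2


@dataclass(frozen=True)
class InspectedConn:
    """One inspected TLS session as an inspecting proxy could record it.
    Field names are assumptions for this example, not a Check Point log schema."""
    client: str                  # client IP
    server: str                  # SNI the client asked for
    handshake_done: bool         # client completed the handshake with the gateway
    client_alert: Optional[int]  # TLS alert description sent by the client, if any
    app_bytes_from_client: int   # application data after the handshake
    server_side_error: bool      # gateway could not reach/verify the real server


def is_client_side_failure(c: InspectedConn) -> bool:
    """True when the client itself rejected the inspected session."""
    if c.server_side_error:
        return False  # origin problem: inspection was not the cause
    if c.handshake_done and c.app_bytes_from_client > 0:
        return False  # the client accepted the re-signed certificate
    if c.client_alert in CLIENT_CERT_ALERTS:
        return True   # explicit certificate rejection
    # Silent abort before the handshake completes: typical of pinning
    # libraries that close the socket without sending an alert.
    return not c.handshake_done and c.app_bytes_from_client == 0


def bypass_candidates(conns: List[InspectedConn],
                      threshold: int = FAIL_THRESHOLD) -> Dict[Tuple[str, str], str]:
    """Return the (client, server) pairs that reached the failure threshold,
    with the reason, mirroring 'flag the connection for bypass next time'."""
    streak: Dict[Tuple[str, str], int] = defaultdict(int)
    flagged: Dict[Tuple[str, str], str] = {}
    for c in conns:
        key = (c.client, c.server)
        if c.server_side_error:
            continue  # neither counts as a failure nor resets the streak
        if is_client_side_failure(c):
            streak[key] += 1
            if streak[key] >= threshold and key not in flagged:
                flagged[key] = CLIENT_CERT_ALERTS.get(
                    c.client_alert, "silent abort before handshake completion")
        else:
            streak[key] = 0  # a working inspected session resets the streak
    return flagged


# Constructed sample records (not real traffic).
SAMPLE_CONNS = [
    # Browser that trusts the outbound CA: handshake completes, data flows.
    InspectedConn("10.1.1.10", "www.example.com", True, None, 5120, False),
    # Pinned mobile app: sends unknown_ca twice in a row.
    InspectedConn("10.1.1.20", "api.bank.example", False, 48, 0, False),
    InspectedConn("10.1.1.20", "api.bank.example", False, 48, 0, False),
    # Another client of the same server that just drops the socket.
    InspectedConn("10.1.1.21", "api.bank.example", False, None, 0, False),
    InspectedConn("10.1.1.21", "api.bank.example", False, None, 0, False),
    # Origin server unreachable: not the client's fault, must not count.
    InspectedConn("10.1.1.30", "down.example.org", False, None, 0, True),
    InspectedConn("10.1.1.30", "down.example.org", False, None, 0, True),
    # One rejection followed by success: streak resets, no flag.
    InspectedConn("10.1.1.40", "cdn.example.net", False, 42, 0, False),
    InspectedConn("10.1.1.40", "cdn.example.net", True, None, 900, False),
]

if __name__ == "__main__":
    for (client, server), reason in bypass_candidates(SAMPLE_CONNS).items():
        print(f"bypass {client} -> {server}: {reason}")
```

Running it flags both api.bank.example clients and nothing else: the unreachable origin does not count against the client, and a single rejection followed by a working session resets the streak. Flags like these feed a bypass list, which is why the bypass/inspect counts in the statistics view deserve a regular look; every entry is traffic that is no longer inspected.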
Quantum Security Gateway

New clustering technology
- ElasticXL - A new clustering technology with a single management object and automatic synchronization of configuration and software between all cluster members.

Dynamic Policy Layer
- A fully automated, API-controlled policy layer that lets dynamic policy changes be applied directly on the Security Gateway in seconds, without involving the Security Management Server or installing the Security Policy.

Identity Awareness

IPsec VPN
- Added support for ML-KEM-768 (Kyber768), the key encapsulation mechanism standardized in NIST FIPS 203, for Post-Quantum Cryptography (PQC) in the IPsec VPN key exchange.
- Automatic detection of configuration changes in AWS, Azure, and GCP public clouds, adjusting the VPN settings to keep the connection stable.
- The new Advanced VPN Monitoring tool shows information on each VPN tunnel and tracks its health and performance.
- Enhanced Link Selection:
  - Interoperability:
    - Uses public IP addresses as tunnel identifiers to establish a separate tunnel for each link.
    - Uses Dead Peer Detection (DPD, RFC 3706) as the link probing protocol instead of the proprietary Reliable Data Protocol (RDP).
  - Redundancy:
    - Allows redundancy of VPN tunnels, including with third-party and native cloud VPN peers.
  - Granularity:
    - Ability to configure the Security Gateway to use different VPN interfaces in different VPN communities.

Remote Access VPN
- The Security Gateway now supports the IKEv2 protocol for connections from Remote Access VPN clients (E88.40 and higher).
Mobile Access
- Mobile Access Policy and Capsule Workspace configurations are now available in SmartConsole.
- SAML authentication support for Mobile Access clients, allowing integration with third-party Identity Providers.
- New Management API calls for Capsule Workspace configuration. See the Check Point Management API Reference > section "Mobile Access".
Dynamic Routing
Added support for new Dynamic Routing capabilities:
- BGP Extended Communities (RFC 4360).
- BGP Conditional Route Advertisement and Injection.
- Routing Table Monitor for Event Triggers.
- IPv4 and IPv6 Router Discovery on cluster members.
- Router Preference and Route Information option.
- Route age information.
- IPv4 PIM-SSM with non-default prefixes.
- IPv4 PIM with BFD.
- IPv4 PIM neighbor filtering.
- IPv4 PIM RPT to SPT switchover control.
- IPv6 Protocol Independent Multicast (PIM) and Multicast Listener Discovery (MLD).
Added support for new Dynamic Routing API calls:
- REST API calls for BGP, PIM, and Multicast Listener Discovery (MLD).
- REST API calls for Route Redistribution, Inbound Route Filters, and NAT Pools.
- REST API calls for IGMP.
Also see the Check Point Gaia API Reference v1.8 (and higher) > section "Networking".
Performance and Infrastructure
- HyperFlow acceleration of elephant flows for the SMB/CIFS protocol.
- HyperFlow acceleration of elephant flows for the QUIC protocol.
- Quantum Security Gateway log rate output capacity increased by up to 100% through a new multi-process architecture.
Quantum Maestro, Scalable Chassis, and ElasticXL
This release improves management and monitoring of Scalable Platform clusters:
- Support for REST API:
  - New API calls on the Quantum Maestro Orchestrator to configure and monitor Maestro Security Groups, Gateways, Sites, and Ports. See the complete list of available API calls in the Check Point Gaia API Reference v1.8 and higher > section "Maestro".
  - Support for Gaia REST APIs on Scalable Platform Members.
- Support for the Gaia First Time Configuration Wizard on Quantum Maestro Orchestrators, with the ability to configure the Maestro Site settings.
- Support for authentication to secure the synchronization connections between Quantum Maestro Orchestrators.
- Support for SNMP queries on each Scalable Platform Member.
- Support for LLDP on Uplink, Sync, and Management ports of Quantum Maestro Orchestrators.
- New "Ports" page in Gaia Portal on the Quantum Maestro Orchestrator. This page shows a summary and interactive view of port configuration, runs diagnostics on ports, and blinks a port LED for identification.
- New "Cluster Management" page in Gaia Portal on ElasticXL / Security Group. This page shows the state and performance of Scalable Platform Members.
- "insights" - New CLI tool to monitor the entire Scalable Platform cluster, in both Expert mode and Gaia gClish.
- New Gaia gClish commands "show cluster" and "set cluster".
- Improved boot time and fewer reboots of Scalable Platform Members when the Gaia OS configuration changes in a Scalable Platform.
- Improved upgrade simplicity:
  - Automatic updates for the CPUSE Deployment Agent on Scalable Platforms; manual deployment is no longer required.
  - Upgrade to R82 and higher no longer requires the sp_upgrade script and can be monitored with the Scalable Platforms monitoring tools.
- An additional snapshot mechanism to take small Gaia OS snapshots (lightshots).
VSX
Check Point VSX is enhanced with a new mode (VSNext) that allows simpler configuration, easier provisioning, and an experience similar to a physical Security Gateway.
The benefits of the new VSX mode are:
- A unified management experience between Check Point physical Security Gateways and Virtual Gateways, including the ability to manage each Virtual Gateway from a different Management Server.
- Improved VSX provisioning performance and experience: creating, modifying, and deleting Virtual Gateways and Virtual Switches in Gaia Portal, Gaia Clish, or with the Gaia REST API.
- Management feature and API parity between Virtual Gateways (VGW) and physical Security Gateways.
- Managing different Virtual Gateways with different Security Management Servers, in addition to different Domain Management Servers on the same Multi-Domain Security Management Server.
Tools and Utilities
- New tool "connview" - A consolidated troubleshooting tool for viewing connection information on a Security Gateway that runs the User Space Firewall (USFW).
- New tool "up_execute" - Performs a virtual Access Control / NAT Rule Base execution. Given inputs taken from logs or connections, it reports which rules matched and how the connection was classified.
Gaia Operating System
Note - This section applies to Security Gateways, Management Servers, and Log Servers.
This release updates Gaia OS with a new OS kernel and new configuration options for better security, enhanced networking, and a simpler experience.
The new capabilities are:
- Gaia OS enhancements:
  - Support for Link Layer Discovery Protocol (LLDP) in VSX mode.
  - DHCPv6 server, DHCPv6 client, and DHCPv6 client for prefix delegation in Gaia Portal and Gaia Clish.
  - Ability to configure the order of the "AAA" authentication methods (TACACS, RADIUS, local authentication) in Gaia Portal and Gaia Clish.
  - DNS Proxy forwarding domains, which allow configuring specific DNS servers per DNS suffix.
- New Gaia OS configuration items:
  - Two-Factor Authentication for Gaia OS login using time-based one-time passwords (TOTP) from authenticator apps (Google Authenticator and Microsoft Authenticator).
  - NTP pools and a larger number of NTP servers in Gaia Portal and Gaia Clish.
  - NFSv4 configuration.
  - Keyboard layout.
  - TLS configuration for a remote Syslog server in Gaia Portal and Gaia Clish.
- Support for storing a Gaia OS backup in Amazon S3 and Microsoft Azure and restoring it from there.
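The Gaia two-factor login listed above relies on time-based one-time passwords (TOTP, RFC 6238), which is what Google Authenticator and Microsoft Authenticator generate. The stand-alone Python below is an added example, not Gaia's own implementation: it builds HOTP/TOTP over HMAC-SHA1 from the standard library, verifies a submitted code with a one-step clock-skew window and a constant-time comparison, and can be checked against the published RFC 4226 and RFC 6238 test vectors (key "12345678901234567890"). The base32 secret is derived from that test key for illustration and is not a real enrollment secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890"). Authenticator
# apps receive the secret base32-encoded in the otpauth:// provisioning URI.
TEST_KEY = b"12345678901234567890"
DEMO_SECRET_B32 = base64.b32encode(TEST_KEY).decode("ascii")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept `submitted` if it matches the current step or up to `window`
    steps either side (tolerating clock drift between phone and server).
    Requires exactly `digits` decimal characters and compares in constant
    time; every candidate is checked so timing does not reveal which
    step matched."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    key = base64.b32decode(secret_b32.upper())
    matched = False
    for skew in range(-window, window + 1):
        expected = totp(key, unix_time + skew * step, step, digits)
        matched |= hmac.compare_digest(expected, submitted)
    return matched


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_KEY, now)
    print("current code:", code, "valid:", verify_totp(DEMO_SECRET_B32, code, now))
```

Two things a production verifier adds on top of this: it refuses a code that was already accepted within its window so a captured code cannot be replayed (RFC 6238 section 5.2), and it rate-limits attempts, since a six-digit code has only a million possible values. Clock accuracy matters as well, which is why the NTP improvements in the same list are relevant to this feature.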
Quantum Security Management

Security Management Server enhancements
- The LDAP Account Unit object now establishes LDAP trust from the LDAP server name and the CA certificate (rather than the specific server certificate, which changes on renewal). The trust is renewed automatically when an administrator renews or replaces the LDAP server certificate, so Check Point servers keep their connectivity to the LDAP server.
- Support for running the "vsx_provisioning_tool" operations through the Management API to configure VSX Gateway and VSX Cluster objects. See the Check Point Management API Reference > section "VSX" > command "vsx-provisioning-tool".
- Support for configuring "Data Type" objects for the Data Loss Prevention and Content Awareness Software Blades through the Management API. See the Check Point Management API Reference > section "Data Types".
- Security Gateways can now be managed by a Security Management Server hosted behind a public cloud or third-party NAT device.
- Support for managing up to 500 Security Gateways / Cluster Members, with concurrent policy installation on all of them.
- Support for SAML login in SmartConsole when Gaia Portal on the Management Server runs on a port other than the default 443. See sk182032.
- Ability to verify an Access Control policy that contains unpublished changes.
- The "Access Rule Name" and "Access Rule Number" log fields now prioritize administrator-defined rules by excluding Accept rules from the pre-defined Playblocks and IoT Access Policy layers.
SmartConsole
- Added the ability for the system account to install SmartConsole.
- Enhancements in the SmartConsole > "Gateways & Servers" view:
  - You can now see and manage the Recommended Jumbo Hotfix Accumulators and Recommended Software Updates for Security Gateway / Cluster objects and Check Point Host objects.
  - HealthCheck Point (HCP) tests are now integrated and shown as part of the Security Gateway's status. The feature is disabled by default.

Web SmartConsole
- These Web SmartConsole capabilities are new in this release:
  - Threat Prevention Rule Base
  - HTTPS Inspection Rule Base
  - NAT Rule Base
  - Rule Base search
Central Deployment of Hotfixes and Version Upgrades in SmartConsole
Central Software Deployment through SmartConsole was enhanced and now supports:

SmartProvisioning
- The Star VPN Community now supports Quantum Maestro Security Groups, VSX Gateways, and VSX Clusters as Center Gateways (Corporate Office Gateway).
Multi-Domain Security Management Server
- Ability to clone an existing Domain on the same Multi-Domain Security Management Server. See sk180631.
- Improved upgrade time of large Multi-Domain Security Management Server environments by up to 50%.
- New support for IPv6 configuration (only with the Management API command "set mds") on a Multi-Domain Security Management Server, which allows Domains to communicate with the managed Security Gateways over IPv6.
- Automatic refresh of modified Global objects in a SmartConsole connected to a non-Global Domain when a superuser assigns a Global Policy to a Domain Management Server. See sk182307.
- Ability to select the Access Control policy, the Threat Prevention policy, or both in a Policy Preset object.

Compliance
- Added Gaia OS Best Practice support for Quantum Maestro, presenting a consolidated Best Practices status for each Security Group Member and the Orchestrators.
- Added Gaia OS Best Practice support for Quantum Spark appliances (only for the applicable Gaia OS Best Practices).
- Added Gaia OS Best Practice support for Log Servers.
- Added new regulations:
- Center for Internet Security Benchmarks
- Cyber Essentials v3.1
- Cybersecurity Maturity Model Certification
- Essential Eight & Strategies to Mitigate Cyber Security Incidents
- IEC 62443-2-1 201
- ISO 27001:2022
- Israeli Cyber Defense Methodology 2.0
- Network and Information Systems Directive 2
- PCI DSS 4.0
- TISAX 5.1
CloudGuard Network Security

CloudGuard Controller
- CloudGuard Controller now supports Identity Awareness PDP (Identity Sharing).
- CloudGuard Controller now supports VMware NSX-T Global Manager, allowing integration with VMware NSX-T v4.1.
- CloudGuard Controller for VMware NSX-T now uses Policy Mode APIs to import objects from an NSX-T Manager.
- Multi-Domain Security Management Server now supports Data Center objects and Data Center Query objects in the Global Policy.