ProHoster > Blog > Administration > Check Point Gaia R80.40. What will be new?

Check Point Gaia R80.40. What will be new?

Check Point Gaia R80.40. What will be new?

The next release of the operating system is approaching Gaia R80.40. A few weeks ago Early Access program launched, where you can access to test the distribution. We, as usual, publish information about what will be new, as well as highlight the moments that are most interesting from our point of view. Looking ahead, I can say that the innovations are really significant. Therefore, it is worth preparing for an early update procedure. Previously we have published an article how to do this (for more information, see apply here). Let's get to the topic...

What's New

Consider here the officially announced innovations. Information taken from the site Check Mates (official Check Point community). With your permission, I will not translate this text, since the Habr audience allows this. Instead, I will leave my comments in the next chapter.

1. IoT Security. New features related to the Internet of things

  • Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis).
  • Configure a new IoT dedicated Policy Layer in policy management.
  • Configure and manage security rules that are based on the IoT devices' attributes.

2.TLS InspectionHTTP / 2:

  • HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results with a better user experience.
  • Check Point's Security Gateway now support HTTP/2 and benefits better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol.
  • Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS
  • inspection capabilities.

TLS Inspection Layer. New for HTTPS Inspection:

  • A new Policy Layer in SmartConsole dedicated to TLS Inspection.
  • Different TLS Inspection layers can be used in different policy packages.
  • Sharing of a TLS Inspection layer across multiple policy packages.
  • API for TLS operations.

3. Threat Prevention

  • Overall efficiency enhancement for Threat Prevention processes and updates.
  • Automatic updates to Threat Extraction Engine.
  • Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example - Office365 / Google / Azure / AWS IP addresses and Geo objects.
  • Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI.
  • Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol.
  • Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols.
  • Anti-Virus and SandBlast Threat Emulation now provide an improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on-by-default in all Windows environments). This allows customers to stay secure while working with this performance enhancing feature.

4. Identity Awareness

  • Support for Captive Portal integration with SAML 2.0 and third party Identity Providers.
  • Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.
  • Enhancements to Terminal Servers Agent for better scaling and compatibility.

5. IPsec VPN

  • Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:
  • Improved privacy - Internal networks are not disclosed in IKE protocol negotiations.
  • Improved security and granularity - Specify which networks are accessible in a specified VPN community.
  • Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
  • Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles.

6. URL Filtering

  • Improved scalability and resilience.
  • extended troubleshooting capabilities.

NAT

  • Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse.
  • NAT port utilization monitoring in CPView and with SNMP.

8. Voice over IP (VoIP)Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.

9.Remote Access VPNUse machine certificate to distinguish between corporate and non-corporate assets and to set a policy enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).

10. Mobile Access Portal AgentEnhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.

11.CoreXL and Multi-Queue

  • Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot.
  • Improved out of the box experience - Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load.

12. Clustering

  • Support for Cluster Control Protocol in Unicast mode that eliminates the need for CCP

Broadcast or Multicast modes:

  • Cluster Control Protocol encryption is now enabled by default.
  • New ClusterXL mode -Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses.
  • Support for ClusterXL Cluster Members that run different software versions.
  • Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.

13.VSX

  • Support for VSX upgrade with CPUSE in Gaia Portal.
  • Support for Active Up mode in VSLS.
  • Support for CPView statistical reports for each Virtual System

14. Zero TouchA simple Plug & Play setup process for installing an appliance β€” eliminating the need for technical expertise and having to connect to the appliance for initial configuration.

15. Gaia REST APIGaia REST API provides a new way to read and send information to servers that run Gaia Operating System. See sk143612.

16 Advanced Routing

  • Enhancements to OSPF and BGP allow to reset and restart OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon.
  • Enhancing route refresh for improved handling of BGP routing inconsistencies.

17. New kernel capabilities

  • Upgraded Linux kernel
  • New partitioning system (gpt):
  • Supports more than 2TB physical/logical drives
  • Faster file system (xfs)
  • Supporting larger system storage (up to 48TB tested)
  • I/O related performance improvements
  • Multi Queue:
  • Full Gaia Clish support for Multi-Queue commands
  • Automatic "on by default" configuration
  • SMB v2/3 mount support in Mobile Access blade
  • Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)
  • Support of new system tools for debugging, monitoring and configuring the system

18. CloudGuard Controller

  • Performance enhancements for connections to external Data Centers.
  • Integration with VMware NSX-T.
  • Support for additional API commands to create and edit Data Center Server objects.

19. Multi-Domain Server

  • Back up and restore an individual Domain Management Server on a Multi-Domain Server.
  • Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management.
  • Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
  • Migrate a Domain Management Server to become a Security Management Server.
  • Revert a Domain on a Multi-Domain Server, or a Security Management Server to a previous revision for further editing.

20. SmartTasks and API

  • New Management API authentication method that uses an auto-generated API Key.
  • New Management API commands to create cluster objects.
  • Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel.
  • SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.

21.DeploymentCentral Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel.

22 Smart EventShare SmartView views and reports with other administrators.

23.Log ExporterExport logs filtered according to field values.

24 Endpoint Security

  • Support for BitLocker encryption for Full Disk Encryption.
  • Support for external Certificate Authority certificates for Endpoint Security client
  • authentication and communication with the Endpoint Security Management Server.
  • Support for dynamic size of Endpoint Security Client packages based on the selected
  • features for deployment.
  • Policy can now control level of notifications to end users.
  • Support for Persistent VDI environment in Endpoint Policy Management.

What we liked the most (based on customer tasks)

As you can see, there are a lot of innovations. But for us, as for system integrator, there are several very interesting points (which are also of interest to our customers). Our Top 10:

  1. Finally, full support for IoT devices has appeared. It is already quite difficult to meet a company that would not have such devices.
  2. TLS inspection is now in a separate layer (Layer). It is much more convenient than now (at 80.30). You no longer need to run the old Legacy Dashboard. Plus, now you can use Updatable objects in the HTTPS inspection policy, such as Office365, Google, Azure, AWS, etc. services. This is very handy when you need to set up exceptions. However, there is still no support for tls 1.3. Apparently they will "catch up" with the next hotfix.
  3. Significant changes for Anti-Virus and SandBlast. Now you can check such protocols as SCP, SFTP and SMBv3 (by the way, no one else can check this multichannel protocol).
  4. A lot of improvements regarding Site-to-Site VPN. Now you can configure multiple VPN domains on a gateway that consists of multiple VPN communities. It is very convenient and much safer. In addition, Check Point finally remembered Route Based VPN and slightly improved its stability / compatibility.
  5. There is a much requested feature for remote users. Now you can authenticate not only the user, but also the device from which he connects. For example, we want to allow VPN connections only from corporate devices. This is done of course with the help of certificates. It also became possible to automatically mount (SMB v2/3) file shares for remote users with a VPN client.
  6. A lot of changes in the work of the cluster. But perhaps one of the most interesting is the possibility of cluster operation, where gateways have different versions of Gaia. This is handy when you plan to upgrade.
  7. Improved Zero Touch capabilities. A useful thing for those who often install "small" gateways (for example, for ATMs).
  8. Log storage is now supported up to 48TB.
  9. You can share your SmartEvent dashboards with other administrators.
  10. Log Exporter now allows you to pre-filter sent messages by the required fields. Those. only the necessary logs and events will go to your SIEM systems

Update

Perhaps many are already thinking about upgrading. Don't rush. For starters, version 80.40 should move to General Availability. But even after that, you should not immediately update. It is better to wait at least for the first hotfix.
Perhaps many "sit" on older versions. I can say that at least it is already possible (and even necessary) to upgrade to 80.30. This is already a stable and proven system!

You can also subscribe to our publics (Telegram, Facebook, VK, TS Solution Blog), where you can follow the emergence of new materials on Check Point and other security products.

Only registered users can participate in the survey. Sign in, you are welcome.

What version of Gaia are you using?

  • R77.10

  • R77.30

  • R80.10

  • R80.20

  • R80.30

  • Other

13 users voted. 6 users abstained.

Source: habr.com

Add a comment