Introduction
The Quantum Cyber Security Platform R81.20 (Titan) Release delivers significant innovations in Advanced Threat Prevention, Security Management, and Security Performance. In addition, Check Point has expanded on-premises and cloud network security through new and upcoming advanced cloud-based Check Point applications and services. After an upgrade to R81.20, these new cloud-based applications offer powerful feature upgrades on Check Point Security Gateways, without requiring an upgrade to the next software release. With R81.20, customers immediately benefit from a wide range of new security capabilities across four major categories:
Deep learning Threat Prevention
AI Deep Learning prevents 5x more DNS attacks in real-time.
Firewall-based, Zero-Day phishing prevention blocks 4x more Zero-Day phishing attacks (Check Point patented solution).
Quantum IoT Protect
Discover IoT assets with Quantum Security Gateways.
Autonomous Zero Trust Profiles allow only the necessary device communication and prevent threats that target IoT assets. This helps accelerate event correlation and Threat Hunting delivered through Check Point Detection & Response solutions.
Network Security Management
New Infinity Cloud Services page in SmartConsole - Quick and easy integration between your on-premises Security Management Server and Infinity Portal Applications. This includes the ability to share Quantum logs with Horizon Events for a unified view of logs across Quantum, CloudGuard, and Harmony products.
Automated policy enforcement & updates using new Network Feed Objects. DevOps and other teams can manage their own access lists without requiring interaction from Security Admin groups.
SmartWorkflow - streamlined policy change review that ensures accuracy of Security Policies through customizable built-in policy supervision workflows.
Performance Acceleration for Quantum Security Gateways
Maestro Auto-Scaling provides dynamic performance scaling for mission critical apps and large workloads. Automatically shifts firewall resources in and out of Security Groups to support critical applications as throughput and compute requirements change.
Maestro Fastforward provides a 100G cut-through mode for trusted connections - the highest throughput and lowest latency for specific applications.
Quantum HyperFlow delivers 3x higher throughput for elephant flows (very long, high-bandwidth intensive connections). Upon detection, the Security Gateway automatically allocates more firewall CPU cores to process elephant flow connections.
Zero Phishing prevents web browsing to Zero-Day phishing websites
Check Point Quantum Security Gateway enhances its web browsing protection to further prevent users from accessing phishing websites.
Powered by patented technologies and AI engines, the Security Gateway now uses Clientless In-Browser protection to prevent access to the most sophisticated phishing websites, both known and completely unknown (zero-day phishing websites).
The enhanced solution is available through the Security Gateway network flow, introducing dynamic security components that run within the browser with no need to install any client.
Delivered as part of your existing SandBlast (SNBT) license.
Works out of the box for Security Gateways with Autonomous Threat Prevention enabled.
Up to 50% performance enhancement to IPS CIFS protections.
IoC feeds now support a significantly greater number of observables for URLs, Domains, IP addresses, and Hashes - 2 million and more (only on the XFS file system), depending on the Security Gateway's hardware specifications. On the EXT3 file system, the IoC feed is limited to a maximum of 250,000 indicators, depending on the Security Gateway's hardware specifications. For more information about the file systems, see sk141432.
ICAP Server now supports secure ICAP communication over TLS.
IoT Protection
Instantly discover and protect your IoT assets with Quantum Security Gateways and Infinity to enforce automated Zero Trust policies:
Discover IoT devices, routers, and switches connected to your network using your R81.20 Quantum Security Gateways.
Assign automatically generated restrictive policies to IoT devices based on their Internet access requirement to allow only what is needed for the IoT devices to operate.
Note: IoT General Availability is planned to be part of the R81.20 Jumbo Hotfix Accumulator.
Maestro Hyperscale
Maestro Auto-Scaling - Automatically assigns Security Appliances (scale units) to a Security Group when the configured conditions are met.
Maestro Fastforward - Significantly improved throughput and latency for trusted connections. Maestro Fastforward offloads accept or drop policy rules to the Quantum Maestro Orchestrator for hardware acceleration and provides:
Sub-microsecond latency.
Port line-rate throughput for a single connection.
Support for accelerated policy installation on Maestro Security Groups. See sk169096.
Monitor utilization of NAT resources in CPView and with SNMP.
Support gradual upgrade in the Multi-Version Cluster (MVC) mode.
Scalable Platforms now support CoreXL Dynamic Balancing - Based on the current traffic load, the Security Group automatically changes the number of CoreXL SNDs, CoreXL Firewall instances, and the Multi-Queue configuration for zero traffic impact.
Scalable Platforms now support Management Data Plane Separation (MDPS, sk138672).
VSX
Configure DHCP Server on each Virtual System using Gaia Clish.
IPsec VPN
Scalable VPN performance - 3 times faster to process simultaneous Remote Access and Site to Site VPN connections.
Major performance and stability improvement for Remote Access VPN and Site to Site VPN that delivers a significantly greater capacity for VPN tunnels.
Extended Security Gateway certificate validation capabilities for quicker authentication.
Resilient VPN architecture - multi-process architecture to handle IKE negotiations in dedicated scalable daemons, providing unprecedented resiliency.
Clustering
Added support for the "Same VMAC" feature. For more information, see the ClusterXL Administration Guide.
Access Control
Dynamic Policy - Use a Network Feed object to customize a private web server feed definition for IP addresses or domains. The objects are automatically updated in Security Gateway without the need to install a policy. Updatable Objects uses the Network Feed to strengthen the dynamic configuration ability of the Access Control policy. See the Security Management Administration Guide.
Performance improvements - Support for Updatable Objects, Domain objects, and Dynamic objects with the Optimized Drop feature (drop templates).
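A pre-publish check for the two feed types described above (IoC feeds and Network Feed objects), as an added example that is not Check Point code. It assumes a plain-text feed with one observable per line and `#` comment lines; that format and the names `classify` and `preflight` are assumptions, and only the 250,000 EXT3 ceiling comes from this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

EXT3_IOC_LIMIT = 250_000  # ceiling the release notes give for IoC feeds on EXT3
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # MD5/SHA-1/SHA-256
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def classify(value):
    """Return 'ip', 'url', 'hash' or 'domain' for one observable, else None."""
    v = value.strip().lower()
    try:
        ipaddress.ip_network(v, strict=False)  # single address or CIDR range
        return "ip"
    except ValueError:
        pass
    if v.startswith(("http://", "https://")):
        return "url" if urlsplit(v).hostname else None
    if HASH_RE.match(v):
        return "hash"
    return "domain" if DOMAIN_RE.match(v) else None

def preflight(lines, allowed, limit=None):
    """Deduplicate a feed, reject malformed or disallowed entries, enforce a ceiling."""
    kept, rejected, seen = [], [], set()
    for n, raw in enumerate(lines, 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):  # assumed comment syntax
            continue
        kind = classify(entry)
        key = (kind, entry if kind == "url" else entry.lower())  # URL paths keep case
        if kind is None or kind not in allowed:
            rejected.append((n, entry))
        elif key not in seen:
            seen.add(key)
            kept.append((kind, entry))
    ok = not rejected and (limit is None or len(kept) <= limit)
    return {"ok": ok, "kept": kept, "rejected": rejected}

SAMPLE = """# constructed sample: documentation ranges, example domains, MD5 of empty input
192.0.2.10
198.51.100.0/24
files.example.net
FILES.example.net
http://login.example.org/reset
d41d8cd98f00b204e9800998ecf8427e
not a valid entry
""".splitlines()
if __name__ == "__main__":
    print(preflight(SAMPLE, {"ip", "domain", "url", "hash"}, EXT3_IOC_LIMIT))
```

Calling `preflight(SAMPLE, {"ip", "domain"})` applies the narrower Network Feed case, where the URL and hash lines are rejected along with the malformed one.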
Advanced Routing
Support for Intermediate System (IS-IS) routing protocol.
Support for DHCP Relay Agent Information Option 82 to address several scaling and security issues that arise in public DHCP use.
Support for OSPFv3 NSSA.
Support for IPv6 Static MFC Cache to enable forwarding of multicast data without PIM configuration.
Support for Routing Event Triggers to allow ClusterXL failover, and tearing down of BGP connections through monitored BGP and BFD sessions.
Routing Protocol History for BFD to improve troubleshooting capabilities.
NetFlow Live connections and Firewall rule ID UUID.
Gaia Operating System
Configure a retention policy for Gaia scheduled backups and snapshots.
Configure Gaia scheduled jobs to run hourly or at specified minute intervals.
Configure a logical next hop gateway in IPv6 static routes to send traffic through a specified interface.
Configure the minimum number of required interface links for a bonding group in the 802.3AD mode.
Use Gaia Clish commands to monitor NIC transceivers in appliances: module temperature, supply voltage, TX bias voltage, RX optical power, and TX optical power.
Automatic update to the NIC firmware during the ISO installation process for appliances that have 40GbE, 100/25GbE, and NVIDIA ConnectX 100G Cards.
CoreXL
HyperFlow provides automatic system resource allocation by properly prioritizing tasks on highly utilized CPU cores and dynamically balancing the tasks. This introduces seamless gateway tuning and optimization and improves single-flow performance and spike handling.
In User Space Firewall (USFW), the number of IPv6 CoreXL Firewall instances is no longer limited; IPv6 Firewall instances can be increased up to the number of IPv4 Firewall instances.
Identity Awareness
The Identity Awareness Gateway automatically identifies and excludes Service Account sessions acquired by the Identity Collector. For more details, see sk174266.
Improved resiliency, scalability, and stability for PDPs and Identity Broker. Additional threads handle authentication and authorization flows.
Mobile Access
OAuth 2.0 support for Capsule Workspace and Office 365.
SmartConsole can use SAML 2.0 to authenticate administrators with an Identity Provider. See the Administration Guide.
SmartWorkflow
Send policy and configuration changes for a review and approval cycle by another administrator before applying the changes. See the Administration Guide.
SmartTasks
New triggers - before and after working on a session that requires an approval, and for critical CloudGuard Controller events.
New action - send an email with a detailed change report after publishing a session, after policy installation, and more.
Use Single Sign-On to connect to the Endpoint Web Management Console.
Harmony Endpoint Web UI
IoC Management - Users can now add Indicators of Compromise to their Endpoint Policy Management.
Connection Awareness - Allows administrators to configure their own entity to determine the connectivity of the clients, and change a device's policy type from "Connected" to "Disconnected", and vice-versa accordingly.
Remote Access VPN
Exclude SaaS applications (such as Office 365) from the Remote Access VPN tunnel.
Use SAML 2.0 to authenticate Remote Access VPN users with an Identity Provider.
If your Multi-Domain Security Management Server is connected to the Internet (the common case):
Connect to Gaia Portal.
From the left navigation tree, click Upgrades (CPUSE) > Status and Actions.
In the Major Versions section, right-click the suggested TGZ package and click Verify.
Right-click the TGZ package and click Upgrade.
If your Multi-Domain Security Management Server is not connected to the Internet, see instructions:
Important: Gaia Fast Deployment (Blink) does not support the Multi-Domain Security Management Server upgrade.
Download the Upgrade TAR package:
For more information and other upgrade options, see R81.20 Installation and Upgrade Guide > Chapter "Upgrade of Multi-Domain Servers and Multi-Domain Log Servers".
Use Central Deployment in SmartConsole to upgrade one or more Security Gateways: SmartConsole > Gateways & Servers > right-click a Security Gateway or Cluster object > click Actions
Central Deployment Tool (CDT) is a utility that lets you manage a deployment of software packages from your Management Server to the multiple managed Security Gateways and cluster members at the same time.
If your Security Gateway is not connected to the Internet, see instructions:
Download the Gaia Fast Deployment (Blink) TGZ package (the VSX upgrade is not supported):
Connect to Gaia Portal.
From the left navigation tree, click Upgrades (CPUSE) > Status and Actions.
Import the Gaia Fast Deployment (Blink) package.
In the Major Versions section, right-click the Gaia Fast Deployment (Blink) package and click Verify.
Right-click the Gaia Fast Deployment (Blink) package and click Upgrade.
For Security Gateway, Security Management, or Multi-Domain Management Server, download and import the Gaia Fast Deployment (Blink) package into Gaia Portal.