After all, we have a new Kernel: TL;DR
IoT Security
A new IoT security controller to:
- Collect IoT device and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis).
- Configure a new IoT dedicated Policy Layer in policy management.
- Configure and manage security rules that are based on the IoT devices' attributes.
TLS Inspection
HTTP/2
- HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results in a better user experience.
- Check Point's Security Gateway now supports HTTP/2 and benefits from its better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol.
- Support covers both cleartext and TLS-encrypted traffic and is fully integrated with HTTPS/TLS Inspection (encrypted HTTP/2 is inspected through the TLS Inspection policy).
TLS Inspection Layer
This was formerly called HTTPS Inspection. Provides these new capabilities:
- A new Policy Layer in SmartConsole dedicated to TLS Inspection.
- Different TLS Inspection layers can be used in different policy packages.
- Sharing of a TLS Inspection layer across multiple policy packages.
- API for TLS operations.
Threat Prevention
- Overall efficiency enhancement for Threat Prevention processes and updates.
- Automatic updates to the Threat Extraction engine.
- Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example Office365 / Google / Azure / AWS IP addresses and Geo objects.
- Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or with the Custom Intelligence Feed CLI. A hash indicator matches only a byte-identical file; any modification of the file produces a different hash.
- Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol.
- Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols.
- Anti-Virus and SandBlast Threat Emulation now provide improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point claims to be the only vendor to support inspection of a file transfer split across multiple channels (a feature that is on by default in all Windows environments). This allows customers to stay secure while working with this performance-enhancing feature.
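The hash-based blocking above depends on computing the right digests of a sample and importing well-formed indicators. The following is an added example (not Check Point code): it hashes a file in one streaming pass with both SHA-1 and SHA-256, validates hash indicators before they are fed to the gateway, builds feed rows, and shows the exact-match semantics. The sample bytes are constructed; the CSV header and the `SHA1`/`SHA256` type strings are an assumption made for illustration, so check the Custom Intelligence Feed documentation for the real column layout and type names before importing.

```python
"""Compute SHA-1 and SHA-256 hashes of files, validate hash indicators and
emit rows for a hash-based block list.

Added example, not Check Point code. The hashing and validation are generic;
the CSV header and the SHA1/SHA256 TYPE strings are an ASSUMPTION made for
illustration (consult the Custom Intelligence Feed documentation for the
exact column layout and type names before importing a feed).
"""
import hashlib
import re
from typing import Dict, Iterable, List, Set

# Valid shapes of a lowercase hex digest per algorithm.
_PATTERN = {"sha1": re.compile(r"[0-9a-f]{40}"), "sha256": re.compile(r"[0-9a-f]{64}")}


def file_hashes(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Hash a file streamed in chunks (one pass, both digests), lowercase hex."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    for chunk in chunks:
        sha1.update(chunk)
        sha256.update(chunk)
    return {"sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def hash_path(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file on disk without loading it fully into memory."""
    with open(path, "rb") as f:
        return file_hashes(iter(lambda: f.read(chunk_size), b""))


def validate_indicator(kind: str, value: str) -> str:
    """Normalize a hash indicator. A wrong-length or non-hex value would
    silently never match any file, so reject it instead of importing it."""
    v = value.strip().lower()
    if kind not in _PATTERN or not _PATTERN[kind].fullmatch(v):
        raise ValueError(f"invalid {kind} indicator: {value!r}")
    return v


def feed_rows(samples: Dict[str, Dict[str, str]], severity: str = "High",
              confidence: str = "High") -> List[str]:
    """One row per (sample, algorithm). Column layout is the assumed one
    described in the module docstring, not a verified Check Point format."""
    rows = ["#UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT"]
    seen: Set[str] = set()
    for name, hashes in samples.items():
        for kind in ("sha256", "sha1"):
            v = validate_indicator(kind, hashes[kind])
            if v in seen:  # same file listed twice must not yield duplicate rows
                continue
            seen.add(v)
            rows.append(f"{name}-{kind},{v},{kind.upper()},{confidence},{severity},AV,{name}")
    return rows


def is_blocked(indicators: Set[str], hashes: Dict[str, str]) -> bool:
    """Exact-match semantics of a hash indicator: any one digest matching blocks."""
    return any(h in indicators for h in hashes.values())


# Constructed sample "file": the bytes b"abc" have well-known reference digests.
SAMPLES = {"dropper": file_hashes([b"a", b"bc"])}

if __name__ == "__main__":
    for row in feed_rows(SAMPLES):
        print(row)
    ioc = set(SAMPLES["dropper"].values())
    # The original sample is blocked; a one-byte variant is not.
    print(is_blocked(ioc, file_hashes([b"abc"])), is_blocked(ioc, file_hashes([b"abd"])))
```

Two points worth noting when running this against real samples: prefer importing the SHA-256 value where both are available (SHA-1 collisions are practical to construct), and remember that the last line of the demo is the real caveat, since a repacked or padded variant of the same malware has a different hash and is not caught by a hash indicator.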
Access Control
Identity Awareness
- Support for Captive Portal integration with SAML 2.0 and third party Identity Providers.
- Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.
- Enhancements to the Terminal Servers Agent for better scaling and compatibility.
IPsec VPN
- Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:
  - Improved privacy - Internal networks are not disclosed in IKE protocol negotiations.
  - Improved security and granularity - Specify which networks are accessible in a specified VPN community.
  - Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
- Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles.
URL Filtering
- Improved scalability and resilience.
- Extended troubleshooting capabilities.
NAT
- Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes port utilization and reuse.
- NAT port utilization monitoring in CPView and with SNMP.
Voice over IP (VoIP)
Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.
Remote Access VPN
Use a machine certificate to distinguish between corporate and non-corporate assets and to set a policy enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).
Mobile Access Portal Agent
Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.
Security Gateway and Gaia
CoreXL and Multi-Queue
- Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot.
- Improved out-of-the-box experience - the Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load.
Clustering
- Support for Cluster Control Protocol (CCP) in Unicast mode, which eliminates the need for CCP Broadcast or Multicast modes.
- Cluster Control Protocol encryption is now enabled by default.
- New ClusterXL mode - Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses.
- Support for ClusterXL Cluster Members that run different software versions.
- Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.
VSX
- Support for VSX upgrade with CPUSE in Gaia Portal.
- Support for Active Up mode in VSLS.
- Support for CPView statistical reports for each Virtual System.
Zero Touch
A simple Plug & Play setup process for installing an appliance - eliminating the need for technical expertise and having to connect to the appliance for initial configuration.
Gaia REST API
The Gaia REST API provides a new way to read and send configuration information to servers that run the Gaia Operating System. See sk143612.
Advanced Routing
- Enhancements to OSPF and BGP allow resetting and restarting OSPF neighboring for each CoreXL Firewall instance without restarting the routed daemon.
- Enhanced route refresh for improved handling of BGP routing inconsistencies.
New kernel capabilities
- Upgraded Linux kernel
- New partitioning system (GPT):
  - Supports more than 2TB physical/logical drives
- Faster file system (XFS)
- Supports larger system storage (up to 48TB tested)
- I/O related performance improvements
- Multi-Queue:
  - Full Gaia Clish support for Multi-Queue commands
  - Automatic "on by default" configuration
- SMB v2/3 mount support in the Mobile Access blade
- Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)
- Support for new system tools for debugging, monitoring and configuring the system
CloudGuard Controller
- Performance enhancements for connections to external Data Centers.
- Integration with VMware NSX-T.
- Support for additional API commands to create and edit Data Center Server objects.
Security Management
Multi-Domain Server
- Back up and restore an individual Domain Management Server on a Multi-Domain Server.
- Migrate a Domain Management Server from one Multi-Domain Server to a different Multi-Domain Server.
- Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
- Migrate a Domain Management Server to become a Security Management Server.
- Revert a Domain on a Multi-Domain Server, or a Security Management Server, to a previous revision for further editing.
SmartTasks and API
- New Management API authentication method that uses an auto-generated API Key. The key carries the permissions of the administrator it was generated for, so store and rotate it like a password.
- New Management API commands to create cluster objects.
- Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows installing or upgrading multiple Security Gateways and Clusters in parallel.
- SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.
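The API-key login above is a small change on the wire but it changes how automation is built: there is no user/password exchange, the key alone yields a session id (`sid`) and every later call must carry that `sid` in the `X-chkp-sid` header until `logout`. The following is an added example (not Check Point's own code or SDK) that walks through login, one command and logout. The `/web_api/login` endpoint with an `api-key` body field and the `X-chkp-sid` header are the documented Management API usage; the host name, the key value and the `FakeMgmt` test double are constructed so the flow can be run offline.

```python
"""Log in to the Check Point Management API with an API key, run a command
with the returned session id (sid), and log out.

Added example, not Check Point code. The login endpoint, the "api-key" body
field and the X-chkp-sid header follow the documented Management API; the
host name, key and the FakeMgmt stand-in are constructed for offline use.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, Optional

# transport(url, headers, json_body) -> parsed JSON response
Transport = Callable[[str, Dict[str, str], bytes], Dict[str, Any]]


def https_transport(url: str, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
    """Real transport. The management server's TLS certificate must be trusted
    by this host; do not turn off certificate verification to make it work."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class MgmtSession:
    """Minimal client: every Management API call is a POST with a JSON body."""

    def __init__(self, host: str, transport: Transport = https_transport):
        self.base = f"https://{host}/web_api/"
        self.transport = transport
        self.sid: Optional[str] = None

    def _post(self, command: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if self.sid:  # every call after login carries the session id
            headers["X-chkp-sid"] = self.sid
        return self.transport(self.base + command, headers, json.dumps(payload).encode())

    def login_with_api_key(self, api_key: str) -> str:
        # The key replaces user/password and grants that administrator's
        # permissions: keep it out of source control and shell history.
        resp = self._post("login", {"api-key": api_key})
        if "sid" not in resp:
            raise PermissionError(resp.get("message", "login failed"))
        self.sid = resp["sid"]
        return self.sid

    def call(self, command: str, payload: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        if not self.sid:
            raise RuntimeError("not logged in")
        return self._post(command, payload or {})

    def logout(self) -> Dict[str, Any]:
        # Always log out: an abandoned session keeps the sid valid until timeout.
        resp = self._post("logout", {})
        self.sid = None
        return resp


class FakeMgmt:
    """Constructed stand-in for a management server (offline test double)."""
    VALID_KEY = "constructed-example-key"

    def __init__(self) -> None:
        self.sessions: set = set()
        self.calls: list = []

    def __call__(self, url: str, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
        command = url.rsplit("/", 1)[1]
        payload = json.loads(body)
        self.calls.append((command, dict(headers), payload))
        if command == "login":
            if payload.get("api-key") != self.VALID_KEY:
                return {"code": "err_login_failed", "message": "Authentication to server failed."}
            sid = f"sid-{len(self.calls)}"
            self.sessions.add(sid)
            return {"sid": sid, "session-timeout": 600}
        if headers.get("X-chkp-sid") not in self.sessions:
            return {"code": "err_wrong_sid", "message": "Wrong session id"}
        if command == "logout":
            self.sessions.discard(headers["X-chkp-sid"])
            return {"message": "OK"}
        if command == "show-hosts":
            return {"objects": [{"name": "constructed-host"}], "total": 1}
        return {"message": "OK"}


def count_hosts(host: str, api_key: str, transport: Transport = https_transport) -> int:
    """login -> show-hosts -> logout, returning the number of host objects."""
    session = MgmtSession(host, transport)
    session.login_with_api_key(api_key)
    try:
        return session.call("show-hosts", {"limit": 50})["total"]
    finally:
        session.logout()


if __name__ == "__main__":
    # Offline run against the constructed double; swap in https_transport
    # (the default) and a real host and key to talk to a management server.
    print(count_hosts("mgmt.example.internal", FakeMgmt.VALID_KEY, FakeMgmt()))
```

Against a real server the key is generated per administrator in SmartConsole and passed in exactly this way; a wrong key is answered with an HTTP error rather than a JSON error body, so a production client should also catch `urllib.error.HTTPError` around the login call.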
SmartEvent
Share SmartView views and reports with other administrators.
Log Exporter
Export logs filtered according to field values.
Endpoint Security
- Support for BitLocker encryption for Full Disk Encryption.
- Support for external Certificate Authority certificates for Endpoint Security client authentication and communication with the Endpoint Security Management Server.
- Support for dynamic size of Endpoint Security Client packages based on the features selected for deployment.
- Policy can now control the level of notifications to end users.
- Support for Persistent VDI environments in Endpoint Policy Management.