Wednesday, March 2, 2016

R80 is announced. What does it mean?

Check Point has issued a press release yesterday saying R80 "will be available this March". What does it mean, really?

Here are some questions and answers for the matter.

Q. Is it on time?
A. R80 is expected to be out since 2014. at CPX 2013 the company was mentioning a new version to be released after R77. Check Point delayed R80 for at least a couple of years.

Q. Why it is delayed?
A. R80 introduces completely new infrastructure of Check Point firewalls and management. It requires huge amount of work and testing to ensure flawless transition from previous versions. This work cannot be rushed. Quality and stability of security systems cannot be compromised. The company is apparently taking as much time as required to make sure the product is good, before releasing it publicly.

Q. What is in the release?
A. The announcement is talking about new management only. Corresponding gateway part is expected later this year as R80.10 release (allegedly)

Q. What is new in this release?
A. Management infrastructure and administrative tools are completely re-built. Expect quite different user experience with the new single SmartConsole application. Management architecture is now using an actual database, not a set of text files, as before. It is no longer limited for a single administrative session even within one SmartCenter. Multiple administrators will be able to make parallel changes.

Q. What are the expectations concerning R80 gateway release?
A. It is not clear at this point. CPX demos hint that R80 gateway will allow a new form of policy enforcement, so-called Unified Policy, where security administrators will be able to enforce not just traffic filtering, but also other security blade policies by creating rules sub-rules with different security settings.

Q. Why MGMT and GW parts are not released together, as usual?
A. These kind of revolutionary approach to firewalling requires substantial change of GW architecture and even more tests and validation that MGMT part. Hence the separation.

Q. Why Check Point changes architecture needs to be changed in the first place.
A. Latest rapid changes in security and threats landscapes require different architecture to deal with both performance and functionality changes. It is only natural to go for a new architecture to address both challenges.

Q. Should I upgrade to R80 management right after it is publicly available?
A. This is not a simple "yes" or "no" question. In general, some caution is advised when upgrading to a new release. You need to see if it has something valuable for you and then assess the risks. Lab tests and trials are must when moving between the main releases. Run R80 in the lab first, then decide.

Q. I am working with Check Point products for years. Is my experience still relevant for R80?
A. As already mentioned above, R80 introduces new experience and new architecture. Some learning curve is expected, but it should not be absolutely alien to any person working with other Check point products. It still has intuitive user interface, just different from what you are used to today.

Q. What should I do to prepare for R80 release for myself and my company? How can I learn the product?
A. Firstly, get on public EA and run it in the lab before it is released. Read documentation (yes, it is still mandatory). If you need any additional help, just know there should be new set of CCSA/CCSE courses for R80 later this year. I also hope there will be some books written about R80.

To support Check Point Video Nuggets project send your donations to

To support this blog simply subscribe to Indeni tech news via this link.