
What's New in NGX: VPN-1 Power


The NGX platform delivers hundreds of important new features, improvements, and enhancements to over twenty Check Point products, offering stronger security enforcement, VPN, and management capabilities - addressing your most challenging security problems.

Learn more about the specific features and benefits of upgrading your Check Point products to the NGX platform below and start planning your upgrade today.


Product Naming

  • VPN-1 Pro is now VPN-1 Power and includes the Performance Pack.

Firewall

General Features

  • VPN-1 Power can now act as a layer 2 firewall.
  • DCE-RPC can now communicate over ports other than 135.
  • Multicast traffic can now be allowed or blocked for each multicast group. Configuration is per interface. For example, define a new object called multicast address range, and use it when defining the network topology on the interface.
  • IPv6 networks on the Linux platform are now supported.
  • NAT hide can now be defined for PPTP clients.
  • Authentication capabilities have been enhanced to better protect against brute force attacks.
  • It is now possible to disable the logging of anti-spoofing activity of local interfaces and clusters.
  • Individual interfaces can now be configured to accept or block traffic from specific multicast groups.
  • ISP redundancy on the Nokia platform is now supported.
  • SYNDefender has been extended with a new mechanism, SYN Cookies. This lets VPN-1 avoid creating connection table entries until the TCP handshake has completed, saving memory while under attack.
  • Aggressive aging of connections during Denial of Service attacks conserves memory by deleting older, idle connections from the connection table when a possible attack is detected.
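The two mechanisms in the last bullets, as an added illustration that is not Check Point's code: a SYN-cookie check that keeps no half-open state until the handshake completes, and a connection table whose idle timeout tightens once occupancy suggests an attack. The secret, slot width, timeouts and flows are constructed values.

```python
import hashlib
import hmac

# Added example, not Check Point code: the idea behind SYNDefender's SYN Cookies
# mode (no connection-table entry until the handshake completes) next to aggressive
# aging of idle entries once the table looks attacked. Values are constructed.
SECRET = b"constructed-demo-secret"  # a real gateway would rotate this
SLOT_SECONDS = 64                    # one cookie time slot

def _mint(flow, client_isn, slot):
    """HMAC the 4-tuple, client ISN and time slot into a 32-bit server ISN.
    The top 5 bits carry the slot so the verifier can recompute the MAC."""
    msg = repr((flow, client_isn, slot)).encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")
    return ((slot & 0x1F) << 27) | (mac & 0x07FFFFFF)

def syn_cookie(flow, client_isn, now):
    """A SYN arrives: reply SYN-ACK with a cookie as our ISN and store nothing."""
    return _mint(flow, client_isn, int(now) // SLOT_SECONDS)

def handshake_completes(flow, client_isn, ack_num, now):
    """The final ACK arrives: accept only if ack-1 is a cookie we could have minted
    in the current or previous slot. Only now does the flow earn a table entry."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    slot_now = int(now) // SLOT_SECONDS
    return any((slot & 0x1F) == cookie >> 27 and _mint(flow, client_isn, slot) == cookie
               for slot in (slot_now, slot_now - 1))

class ConnTable:
    """Holds established flows only; idle entries age out faster under suspected attack."""
    NORMAL_IDLE, AGGRESSIVE_IDLE, HIGH_WATER = 3600, 60, 0.8

    def __init__(self, capacity):
        self.capacity, self.entries = capacity, {}   # flow -> last-seen time

    def add(self, flow, now):
        """Insert an established flow, first aging out idle ones; False if still full."""
        self.age(now)
        if len(self.entries) >= self.capacity:
            return False
        self.entries[flow] = now
        return True

    def age(self, now):
        """Aggressive aging: above HIGH_WATER occupancy the idle timeout drops from
        NORMAL_IDLE to AGGRESSIVE_IDLE so older idle entries make room."""
        attacked = len(self.entries) >= self.HIGH_WATER * self.capacity
        idle = self.AGGRESSIVE_IDLE if attacked else self.NORMAL_IDLE
        for flow in [f for f, seen in self.entries.items() if now - seen > idle]:
            del self.entries[flow]
```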

VoIP

  • VPN-1 Power (VPN-1 Pro), VPN-1 UTM (Check Point Express / Express CI) and UTM-1 Edge NGX provide more VoIP protocol support and enhanced NAT support.
  • Enhanced interoperability with Nortel, Broadsoft, Cisco, NEC, Polycom, Sylantro, Avaya, and other
  • Support for MGCP NAT and MGCP on dynamic ports.
  • Many new H.323 NAT scenarios are now supported.
  • H.323v4 is now supported.

Performance Pack

  • BGE interface is now supported on Solaris.

Additional Information

Firewall-1 Datasheet
Firewall-1 Product Page
Application Intelligence Whitepaper
VoIP Whitepaper
Application Intelligence Product Page

Endpoint Security

  • VPN-1 NGX can now cooperate with Check Point Integrity endpoint security for network access control of endpoints on the LAN as well as remote endpoints. It can also enforce compliance by interacting with Intel network interface cards (NICs) that have the vPro technology. This enables customers to gain a higher level of control over endpoint security by including firewall/VPN/intrusion prevention gateways as part of a NAC solution.

VPN

  • To tighten security and enhance granularity of the VPN security policy, enforcement of VPN rules by the direction of a connection is now possible. For example, it is possible to define in the VPN column:

        Source          Destination
        Community A     Community B
        Community A     Any
        Local Domain    Community A
        Local Domain    Remote Access Community
  • Support of Back-up links and On-Demand links is enabled by multiple VPN links between VPN-1 Gateways. Multiple VPN links are available when a single VPN-1 Gateway is connected to multiple network infrastructures (e.g., multiple ISPs). Two VPN Gateways may have several paths of communication that they can use to reach each other. Also new are Link Selection mechanisms, which provide additional methods to resolve a Gateway's IP address, such as defining a fixed IP address to always be used, and defining a DNS name to be resolved, which is most useful for Gateways with dynamically allocated IP addresses.
  • Wire mode VPN is now available: Internal (safe) VPN connectivity is supported by reducing security checks on VPN traffic.

Route Based VPN

  • Numbered Virtual Tunnel Interfaces (VTI) enable routing packets across a VPN tunnel using dynamic routing protocols.
  • OSPF/BGP over VPN is enabled with VPN-1 Gateway on SecurePlatform. Every VPN tunnel is represented as a virtual adapter, enabling encapsulation of OSPF and BGP traffic. These virtual adapters can be used to establish integrated dynamic routing configurations with the routing domains in the protected networks. In effect, this unifies all VPN-protected networks into a single, dynamically adaptable network.
  • GRE is now supported over IPsec in order to interoperate with devices that support dynamic routing over the VPN only with GRE.

VPN Tunnel Management

  • VPN tunnels may now be defined from VPN-1 Gateways. The functionality is accessed using the command line interface to the gateway. This extends the interface to external management tools for Check Point Gateways.
  • VPN links can now be configured to be “always on.” This feature enables:
    • VPN link (tunnel) monitoring: link properties, link state, traffic through the link, and more.
    • Better support for applications that are sensitive to link setup delays.
    • Configuration of Route Injection Mechanism when using MEP.

Multiple Entry Point (MEP) and VPN Load Distribution

  • For site-to-site VPN, explicit MEP configuration is now available at the center of a star community. There are several methods to connect to the MEP Gateway, including explicit priority among entry points (which is independent of the VPN domain definition of entry points). For Remote Access VPN, the old MEP configuration still exists.

VPN-1 Clusters

  • Cisco gateways, L2TP clients, and Nokia clients can now open VPN tunnels with ClusterXL Gateways in Load Sharing mode, provided the Sticky Decision Function is enabled.

PKI, PKCS

  • Internal CA diagnostics are now available through SmartView Status.
  • Internal CA enhancements include:
    • Certificate enrollment using PKCS10 is available.
    • Certificate generation as PKCS12 (used for CAPI tokens).
    • An additional, configurable level of administration privileges.
  • Certificate enrollment to a VPN-1 module using SCEP and CMP protocols is now available.
  • Online Certificate Status Protocol (OCSP) is now supported.

VPN-1 Diagnostics (Logging, Monitoring, Planning)

  • The usability of VPN activity logs has been enhanced.

Connectivity

  • The encryption domain of the Gateway can now be defined differently for site-to-site VPN and for remote access VPN.
  • Third party DAIP Gateways and externally managed DAIP Gateways are now supported with certificate authentication.

Office Mode

  • Office Mode assignment can now be used to access other gateways in the site.
  • A RADIUS server can now be used for Office Mode IP assignment.

L2TP Clients

  • Legacy authentication schemes, such as Firewall-1 password, OS password, RADIUS, LDAP, TACACS, etc., are now supported for L2TP clients.

Multicast

  • Through the use of VPN Virtual interfaces, multicast traffic can now be encrypted and passed through VPN tunnels.

Route Injection Mechanism

  • RIM (Route Injection Mechanism) is now supported both with and without MEP. It can be configured under the Tunnel Management page on the community.

Support for UTM-1 Edge behind NAT

  • VPN-1 Power (VPN-1 Pro) now supports UTM-1 Edge behind NAT devices. This can be implemented by using NAT traversal (port 4500), which encapsulates the IKE/IPsec traffic in UDP packets between the UTM-1 Edge device and the VPN-1 Power (VPN-1 Pro).
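As an added example (not Check Point's code) of the UDP port 4500 encapsulation just described, this demultiplexes a received UDP/4500 payload into IKE, ESP, or NAT keepalive following RFC 3948, which is what the receiving gateway must do before either protocol can be processed; the packets are constructed.

```python
import struct

# Added example, not Check Point code: how a NAT-T receiver on UDP/4500 tells
# IKE from UDP-encapsulated ESP (RFC 3948). All packets below are constructed.
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE so it cannot look like ESP
IKE_HDR = struct.Struct("!QQBBBBII")   # iSPI, rSPI, next, ver, xchg, flags, msgid, len

def classify_nat_t(payload):
    """Return (kind, fields) for one UDP/4500 payload, or raise on malformed input."""
    if payload == b"\xff":
        return "nat-keepalive", {}        # 1-byte keepalive keeps the NAT mapping alive
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HDR.size:
            raise ValueError("truncated IKE header")
        i_spi, r_spi, _next, ver, xchg, flags, msg_id, length = IKE_HDR.unpack_from(ike)
        if length != len(ike):
            raise ValueError("IKE length field does not match payload")
        return "ike", {"initiator_spi": i_spi, "responder_spi": r_spi,
                       "version": (ver >> 4, ver & 0x0F), "exchange": xchg,
                       "initiator": bool(flags & 0x08), "message_id": msg_id}
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack_from("!II", payload)
    if spi == 0:
        raise ValueError("ESP SPI 0 is reserved")   # would collide with the marker
    return "esp", {"spi": spi, "seq": seq}

# Constructed packets: an IKEv2 IKE_SA_INIT (exchange 34) from the initiator carrying
# one empty generic payload header, an ESP packet with an opaque body, and a keepalive.
IKE_SA_INIT = NON_ESP_MARKER + IKE_HDR.pack(
    0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HDR.size + 4) + b"\x00\x00\x00\x04"
ESP_PKT = struct.pack("!II", 0x0A0B0C0D, 7) + b"\x5a" * 32
KEEPALIVE = b"\xff"

def demo():
    """Classify the three constructed packets in order."""
    return [classify_nat_t(p)[0] for p in (IKE_SA_INIT, ESP_PKT, KEEPALIVE)]
```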

VPN-1 VSX

  • SmartCenter Server can now manage the following versions of VSX:
    • VSX 2.0.1
    • VSX NG AI
    • VSX NG AI Release 2

For more information on these releases, please see the documentation.

Additional Information

UTM-1 Edge Datasheet
VPN-1 Power (VPN-1 Pro) Datasheet
VPN-1 Power (VPN-1 Pro) Product Page

Take advantage of these important new features and hundreds of others available only with the NGX platform by ordering your NGX Upgrade Kit today.