R77.20 vSEC Gateway for NSX managed by R77.30 vSEC Controller (GA) Known Limitations

This article lists all of the R77.20 vSEC Gateway for NSX managed by R77.30 vSEC Controller (GA) specific known limitations.

This is a live document that may be updated without special notice. We recommend registering for our weekly updates in order to stay up to date. To register, go to UserCenter > ASSETS / INFO > My Subscriptions.


Important notes:


Table of Contents

  • General Limitations
  • vSEC Gateway for NSX Limitations
    • General Limitations
    • Unsupported Features
    • Network Limitations
    • ESX Configuration Limitations for Service VM
    • Cluster Limitations
  • vSEC Controller Limitations


ID Symptoms
General Limitations
- VMware recommends that you use VMware NSX 6.1.2 or higher. This release resolves some earlier VMware NSX issues.
- R77.30 vSEC Controller (GA) supports up to 1000 virtual objects in the Data Center Server. Performance may be affected if you have more objects.
01618218 R77.20 vSEC Gateway can be managed only by Security Management Server / Multi-Domain Security Management Server running on Gaia OS.

IP Anti-Spoofing is not supported in this release. This includes:

  • The IP Anti-Spoofing feature configured in SmartDashboard on R77.20 vSEC Gateway interfaces.
  • The IP Anti-Spoofing feature that was supported in previous R77.20 vSEC Gateway versions.

There are no logs for the creation of R77.20 vSEC Gateway object when it is created on Multi-Domain Security Management Server.

01361358 Before you rename or delete a Domain Management Server, you must delete all services used by R77.20 vSEC Gateway on the Domain Management Server.
01372023 The vSEC Bundle hotfix for Security Management Server / Multi-Domain Security Management Server is supported only on Gaia OS.
01364510 If a change is made to the virtual environment (a new cluster is created, a dvPort Group is created or deleted, etc.) while vsec_config is running, vsec_config must be restarted to apply the change.
01521375 The vSEC Bundle hotfix for Security Management Server / Multi-Domain Management Server can work with only one NSX manager and only one vCenter.
vSEC Gateway for NSX Limitations
General Limitations
  • Upgrading from earlier Security Gateway VE versions to R77.20 vSEC Gateway is not supported.
  • Installing Security Gateway hotfixes on R77.20 vSEC Gateway is not supported.
  • Installing later releases on top of R77.20 vSEC Gateway is not supported.

CPU consumption for the vSEC Gateway might show inaccurate results. To resolve this issue, reserve CPU resources on the ESX:

  1. In the vSphere client, right-click on the vSEC Gateway machine.
  2. Select 'Edit Settings'.
  3. On the 'Resources' tab, move the 'Reservation' slider to allocate a guaranteed CPU share (in MHz).
01433123 If R77.20 vSEC Gateway is not working / is down, Virtual Machines on the ESX server cannot be powered on.
01462030 Due to performance issues, interface affinity cannot be set to CPU0.
01566831, 01362585

The Compatibility Check in the First Time Configuration Wizard fails.

Select "Ignore errors and continue" and press "Next" to do the tests manually.
Make sure that:

  • Your cloud quota is valid
  • Your Proxy Server and DNS server are configured
  • You have access to both the Check Point Private Cloud and the Check Point Download Center
Unsupported Features
01614405, 01505119, 01552878 Installing software packages using CPUSE is not supported.

These features are not supported:

  • E-mail Security.
  • HTTP/FTP/SMTP with Resource.
  • User/Client/Session Authentication.
  • Anti-Virus in the proactive mode.
  • Anti-Virus for FTP.
  • Anti-Virus by file direction.
01419351 UserCheck is not supported and has to be disabled:
  1. In SmartDashboard, double-click on the R77.20 vSEC Gateway object.
  2. In the 'UserCheck' pane, clear the box 'Enable UserCheck for active blades' and click on OK.
  3. Install policy on the R77.20 vSEC Gateway object.
00631143 Mobile Access blade and SSL Network Extender are not supported.

Identity Awareness blade does not support:

  • Identity Agent.
  • Captive Portal.
  • Distributed Identity Server and Identity Gateway.

Application Control blade does not support:

  • UserCheck action.
  • Default object "Internet" cannot be used in the rulebase.

URL Filtering blade does not support:

  • UserCheck action.
00785488 Data Loss Prevention (DLP) blade is not supported.

Threat Emulation blade does not support:

  • Local Emulation.
00575642 IPS protection 'Header Spoofing' is not supported.
00527310 IPS protection 'Initial Sequence Number (ISN) Spoofing' is not supported.
00527312 IPS protection 'SYN Attack' is not supported.
00526867 R77.20 vSEC Gateway in Bridge mode is not supported.
00525721 R77.20 vSEC Gateway in Hypervisor Mode cannot operate as a Layer 3 network device (router).
Layer 3 features, such as NAT and VPN, are not supported.
00525819 ClusterXL is not supported (both High Availability mode and Load Sharing mode).
00525822 QoS is not supported.
00568687 VoIP is not supported.
00631138 IPv6 is not supported.
00786818 HTTPS Inspection is not supported.
01502922 The firewall rulebase 'Reject' action is not supported. Rules with action 'Reject' will behave similarly to Rules with action 'Drop'.
00527267 SecureXL Heavy Load Quality of Service feature (HLQoS) is not supported.
01423615 'Account' log is not supported when SecureXL is enabled. The log might show an incorrect count of the bytes and/or packets.
01423166 SecureXL monitoring via /proc/ppk/ is not supported.
01423166 The following SecureXL SIM commands are not supported:
  • sim affinity
  • sim affinityload
  • sim drv
  • sim hlqos
  • sim installin
  • sim installout
  • sim uninstallin
Network Limitations
01567832 You must not remove or add NICs to an R77.20 vSEC Gateway.
01513267 You cannot add, remove or change vNICs. All NICs are predefined in this release.
00557690 Dynamic Routing is not supported.
01611020 Jumbo Frames are not supported.
00525805 User cannot configure a VLAN using the VM Guest operating system in an ESX environment. Configure the VLAN using a vSwitch.
01040659 Overlapping IP addresses are not supported - R77.20 vSEC Gateway cannot distinguish between different Virtual Machines that use the same IP addresses.
ESX Configuration Limitations for Service VM
- VMware Tools are not supported.
- vSphere vMotion is not supported. Refer to sk112245.
- vSphere Distributed Resource Scheduler (DRS) is not supported.
- vSphere Distributed Power Management (DPM) is not supported.
- vSphere Network I/O Control (NIOC) is not supported.
- vSphere Replication is not supported.
00863806 vSphere VMDirectPath I/O is not supported.
00863806 Intel Virtualization Technology for Directed I/O (VT-D I/O) is not supported.
00863806 Single Root I/O Virtualization (SR-IOV I/O) is not supported.
00525821 User cannot use VMware Fault Tolerance on any Virtual Machines, including the R77.20 vSEC Gateway Virtual Machine.
00640862 VMsafe products (vNetwork Appliance products) are not supported with R77.20 vSEC Gateway in Hypervisor Mode.
Creating or removing a snapshot of the Service Virtual Machine running vSEC Gateway for NSX in Hypervisor Mode while it is powered on is not supported (to prevent latency on all the traffic passing through this gateway).
Cluster Limitations
00553212 R77.20 vSEC Gateway in Hypervisor Mode supports up to 32 cluster members.
01368255 R77.20 vSEC Gateway in Hypervisor Mode is not supported on hosts with different ESX versions.
vSEC Controller Limitations
01680567 If the Virtual Machine belongs to more than one Data Center Group, the name in the vSEC Gateway log can be associated with the wrong Data Center Group.
01683557 Changes in the IP address of a Data Center object in the CMS will be enforced only after about 30 seconds.
01682838 Certificates are not transferred between High Availability members. If the import menu freezes, then reset SIC between the CMS and Security Management Server / Domain Management Server.
01682786 If you click "show 20 more" in the cloud object import list, there are duplicate entries. This issue is fixed if you close the picker window and open it again.
01682050 After you add a secondary Domain Management Server, the R77.30 Add-on status becomes "Needs Attention" in SmartDomain Manager.
Data Center Group content is not synchronized with vCenter.
01673660 SmartEvent does not show Data Center Group in Multi-Domain Security Management.
02160116 Upgrade from R77.30 vSEC Controller (GA) with Data Center objects to Security Management Server / Multi-Domain Security Management Server R80 is not supported.
Refer to sk109796.
