R80.20 and R80.30 CloudGuard Controller Known Limitations
Solution

This article lists all of the R80.20 and R80.30 CloudGuard Controller specific known limitations.

This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter > ASSETS / INFO > My Subscriptions.

Important notes:

 

Table of Contents

  • General Limitations
  • Security Policy
  • CloudGuard Objects Naming
  • CloudGuard Controller Server
  • CloudGuard Controller Enforcement
  • CloudGuard Central License
  • CloudGuard Controller Monitoring
  • OpenStack
  • Nuage Networks
  • Threat Prevention Tagging
  • VMware NSX and vCenter
  • Cisco APIC
  • Cisco ISE
  • Public Cloud: Amazon Web Services, Microsoft Azure and Google Cloud Platform
  • Microsoft Azure
  • Amazon Web Services   
  • Google Cloud Platform

 


ID Symptoms

General Limitations

01372023 CloudGuard Controller is supported only on Gaia OS.
VSECC-1057 If a Data Center Server's certificate that has been trusted by the user is replaced, communication with the Data Center Server fails and a log is sent.
Workaround: Open the Data Center Server Object in SmartConsole and click "Test connection".
01683557 Changes to the IP address of a Data Center Object are enforced after approximately 30 seconds. This enforcementUpdateIntervalTime parameter can be configured globally or per Data Center server type, as described in sk112855.
02500441 Integrating a Data Center Server with a Domain Server that was created with an IP address previously used by a deleted Domain Server may cause CloudGuard Controller to malfunction.
To resolve, restart the CloudGuard Controller process using the vsec_controller_stop command.
- Upgrading to R80.20: Before upgrading the CloudGuard Controller from an R80.x Security Management Server / Multi-Domain Security Management Server with the CloudGuard Service Registration Hotfix, you must first uninstall the CloudGuard Service Registration Hotfix. This ensures that deployed services are not impacted during the upgrade process.
Refer to "Upgrading the CloudGuard Controller" in the R80.20 CloudGuard Controller Administration Guide.
VSECC-589 Changes in connection properties (such as credentials or URL) of existing Data Center Servers take effect (e.g., importing objects, updating objects) only after policy is installed on all Security Gateways that have Data Center Objects from this Data Center Server.
- Changes in connection properties (such as credentials or URL) of an existing Data Center Server followed by policy installation require the Security Gateway to initialize all mappings of IP addresses for Data Center Objects in all enforcement sessions.
01968060 If the Identity Awareness API is not installed on the Security Gateway, or is installed but disabled, Data Center Objects are not enforced by the Security Gateway and are treated as objects without an IP address.
There is no indication in SmartConsole about the missing configuration.
02070398 Importing a 'Data Center Object' hierarchy object that contains one of the CloudGuard Gateway's IP addresses might lead to service drops. Therefore, the CloudGuard Gateway's IP addresses must be excluded in an additional rule.
VSECNSX-602 Unable to install the CloudGuard Service Registration Hotfix with CloudGuard Controller in a StandAlone configuration.
VSECC-1059 Cluster objects (ClusterXL and 3rd party Cluster, with the exception of CloudGuard for NSX) must be configured with a reachable VIP as the main Cluster IP address to receive updates on Data Center imported objects.
PMTR-3442 Connections to/from Data Center Objects that appear for the first time in a policy package pushed to the Security Gateway are not re-matched even if the rematch connections option is enabled in the Security Gateway policy. Connections involving Data Center Objects that were included in previous policy installations on the Security Gateway are re-matched.
VSECNSX-739 CloudGuard Service Registration is not supported on R80.20 Management Server.
- When mapping a large Data Center environment, SmartConsole may display a "General error occurred" message when attempting to import objects before the initial download of objects has completed (a.k.a. "first scan").

Security Policy

VSECC-1060 Data Center Objects are not supported in NAT policy, Network Group Objects, and HTTPS policy.
VSECC-1063 CloudGuard Objects (Data Center Servers and Data Center Objects) are not supported in the Global Domain.
02010025 Data Center Objects and standard Network Objects are not supported in the same rule cell.
VSECC-1062 Data Center Objects are not supported in Threat Prevention Exceptions that are installed on R77.20 and R77.30 Security Gateways (R80.x SmartConsole -> SECURITY POLICIES App -> Threat Prevention section -> Exceptions).

CloudGuard Objects Naming

VSECC-1064
• Non-ASCII characters (non-English languages) in 'Data Center Server' properties (i.e., the user, password and shared secret fields) are not supported. (If one of these fields contains such characters, enforcement will not work.)
• If a Data Center Object's name includes non-ASCII characters (non-English languages), enforcement will work, but its name might not be displayed properly in Security Logs and Events.
VSECC-1065 If a Data Center Object name contains any of the following characters:
• "{" - opening curly bracket
• "}" - closing curly bracket
• "[" - opening square bracket
• "]" - closing square bracket
• "<" - less than
• ">" - greater than
then the Data Center Object name will appear in SmartLog with "_" in place of each of the above characters. For example: {Name1} will appear as _Name1_
02462704 A Data Center Object with an empty name cannot be imported into the security policy.

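The three naming limitations above (VSECC-1064, VSECC-1065 and 02462704) can be checked before objects are created or imported. The following Python script is an added example, not CloudGuard Controller code; its function and field names (lint_server_properties, lint_object_names, the "user"/"password"/"shared_secret" keys) are assumptions. Besides reproducing the SmartLog substitution, it detects names that collapse to the same displayed name, which is what makes correlating a log line back to the right Data Center Object ambiguous.

```python
"""Pre-import lint for CloudGuard Data Center Server properties and Data Center
Object names, based on VSECC-1064, VSECC-1065 and 02462704.  Added example; the
function and field names are assumptions, not CloudGuard Controller's own code."""
from typing import Dict, Iterable, List

# Characters that SmartLog renders as "_" in a Data Center Object name (VSECC-1065).
SMARTLOG_SUBSTITUTED = frozenset("{}[]<>")

# Data Center Server connection fields that must be ASCII-only (VSECC-1064).
# The key names are assumed for this example.
ASCII_ONLY_FIELDS = ("user", "password", "shared_secret")


def is_ascii(text: str) -> bool:
    """True when every character is 7-bit ASCII."""
    return all(ord(ch) < 128 for ch in text)


def smartlog_display_name(name: str) -> str:
    """Return the name as SmartLog shows it: each of { } [ ] < > becomes '_'."""
    return "".join("_" if ch in SMARTLOG_SUBSTITUTED else ch for ch in name)


def lint_server_properties(props: Dict[str, str]) -> List[str]:
    """Flag connection fields that contain non-ASCII characters.

    With such values enforcement does not work at all, so this check belongs
    before the Data Center Server object is created."""
    findings = []
    for field in ASCII_ONLY_FIELDS:
        if not is_ascii(props.get(field, "")):
            findings.append(f"{field}: non-ASCII characters; enforcement will not work")
    return findings


def lint_object_names(names: Iterable[str]) -> Dict[str, object]:
    """Report empty names (cannot be imported), non-ASCII names (log display may
    be wrong) and names that collapse to the same SmartLog display name, which
    makes log-to-object correlation by name ambiguous."""
    empty = 0
    non_ascii: List[str] = []
    by_display: Dict[str, List[str]] = {}
    for name in names:
        if name == "":
            empty += 1
            continue
        if not is_ascii(name):
            non_ascii.append(name)
        by_display.setdefault(smartlog_display_name(name), []).append(name)
    collisions = {shown: originals for shown, originals in by_display.items()
                  if len(originals) > 1}
    return {"empty": empty, "non_ascii": non_ascii, "collisions": collisions}


# Constructed sample input: object names as they might be imported from a
# Data Center, not names from any real environment.
SAMPLE_NAMES = ["{Name1}", "[Name1]", "<Name1>", "web-tier", "Sérvér-01", ""]
SAMPLE_SERVER = {"user": "admin", "password": "pässwörd", "shared_secret": "abc123"}

if __name__ == "__main__":
    for finding in lint_server_properties(SAMPLE_SERVER):
        print("server:", finding)
    report = lint_object_names(SAMPLE_NAMES)
    print("empty names:", report["empty"])
    print("non-ASCII names:", report["non_ascii"])
    for shown, originals in report["collisions"].items():
        print(f"SmartLog shows {shown!r} for all of {originals}")
```

Run against the constructed sample, the script reports the non-ASCII password, one empty name, one non-ASCII object name, and that {Name1}, [Name1] and <Name1> all appear in SmartLog as _Name1_.
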
CloudGuard Controller Server

- CPRID communication (TCP port 18208) must be allowed between the Management Server and the Security Gateway and throughout the network (use the Check Point predefined service 'FW1_CPRID').
Refer to sk52421 and open the ports used by Check Point (especially TCP port 18208).
- CloudGuard Controller does not support overlapping or duplicate IP addresses on the same Security Gateway.
- Logs for rules with Subnets, AWS Security Groups, Microsoft Azure Network Security Groups or VMware NSX Security Groups contain only the IP address and not the instance name.
- Update of the CloudGuard Gateway with IP mappings for newly imported Data Center Objects: when performing "Import of Data Center Objects" into the policy followed by policy installation, a time interval greater than or equal to the value of the enforcementUpdateIntervalTime parameter passes before the IP mapping of the new objects is communicated to the Security Gateway and the new rules are enforced (refer to sk112855).
02413946 A "Failed to update Data Center server objects on gateway" log appears in SmartLog on R80.x CloudGuard Controller for a deleted Security Gateway.
Refer to sk114956.
VSECC-1066 Policy Verification for overlapping, hiding or contradicting rules that include Data Center Objects is not supported.
VSECC-1067 A policy that contains Data Center Objects is not enforced immediately after policy installation. It takes time for the CloudGuard Controller to update the Security Gateway.
VSECC-1068 In a Multi-Domain Security Management Server environment, the VSX Gateway / VSX Cluster and all Virtual Systems that enforce a policy with Data Center Objects must reside on the same Domain Management Server.
VSECC-1069 For MDS HA managing a VSX gateway, a domain server must be deployed on all MDS servers that manage the VSX gateway installed with imported Data Center Objects.
Note: This instruction applies to the VSX object. It is not mandatory for the Virtual Systems.
VSECC-1070 The first policy installation on a VS Cluster should not include Data Center Objects.
Note: If this cannot be achieved, a full sync must be run on the cluster by running the following on the standby member:
1. fw ctl setsync off
2. fw ctl setsync start

CloudGuard Controller Enforcement

VSECC-1071 If a Security Gateway works with CloudGuard Controller and other Identity Sources, IP addresses belonging to Data Center Objects must not also be associated with Machines in other Identity Sources. Such overlap can result in disassociation of the IP addresses from either the Data Center Object or Access Roles with such Machines, and in improper Security Policy enforcement.
PMTR-26157 In 41k/61k VSX gateways, Data Center Objects are not supported.
• Resolved in R80.20.M2

CloudGuard Central License

PMTR-3953 Only one type of license is supported. If there is more than one license package (NGX, NGTP, DLP), the first license that was added to the account creates the default pool. Only licenses of this type are distributed.
PMTR-3955 The Security Gateway must have a policy installed to receive the license. A Security Gateway without a policy does not receive a license.
PMTR-3956 A change to a Security Gateway's vCore count is applied one day after the change was made. The update can be expedited by initiating a policy installation or by running distribution from the vsec_lic_cli menu.
PMTR-3957 Operations from SmartUpdate, such as attach/detach, are ignored by this feature. Do not use any such operation on CloudGuard licenses after starting this feature.
PMTR-3952 In MDS HA system mode, every vsec_lic_cli operation that runs on one MDS requires that 'Run license distribution' is entered on the other MDS (from the vsec_lic_cli menu).
PMTR-3949 Evaluation licenses are not distributed.
PMTR-3948 The tool can work in one of the following modes: system mode or domain mode. Do not use both at the same time. If there is a need to change the mode, all CloudGuard licenses must be deleted from the management (using vsec_lic_cli) prior to the change. (Refer to the R80.10 CloudGuard Controller v1 Administration Guide for more information on the two modes.)
PMTR-3947 When the core usage report is generated, time periods in which the management was down are treated as if the Security Gateway was down.
PMTR-3950 This tool does not support the distribution of licenses to CloudGuard for NSX gateways. (Refer to the CloudGuard Gateway for NSX Managed by R80.10 Platforms Administration Guide for details on how to license it.)
- To use the tool in system mode, the management server must have connectivity to the Internet. Make sure that DNS and proxy are configured correctly (each domain must configure its own proxy).
- MDS system mode requires a license whose IP address has not been changed more than the maximum number of times allowed by UserCenter. If your license has had its IP address changed that many times, contact your sales representative.
VSECC-544 The CloudGuard Central License Management Utility cannot give a license to a StandAlone machine in a Full HA cluster configuration.
On each Full HA cluster member, a separate non-central license, generated for the IP address of that Full HA cluster member, must be installed. Other gateways get the Central License from the CloudGuard Central License Management Utility.
VSECC-557 On an MDS server, the license report with CloudGuard Central License data can be viewed from the relevant context only: in domain mode from the domain, and in system mode from the MDS level only. The other license report is empty in the CloudGuard licenses page.

CloudGuard Controller Monitoring

VSECC-422 After running reboot, cprestart, or cloudguard off, Data Centers that have no imported objects do not automatically appear in the Data Center table.
To see the Data Centers in the table, open each Data Center individually in SmartConsole.
VSECC-1072 Data Centers that have no imported objects do not appear in the Data Center table after the cloudguard off command is run.
VSECC-346 Problems in a Data Center do not always change the status of the Security Management Server in SmartConsole.
Workaround: Open the Device & License Information window to see the real status and update the status in SmartConsole.
VSECC-461 SmartView Monitor (legacy GUI) is not supported for viewing CloudGuard data and status.
VSECC-311 In a High Availability deployment, the Standby server does not have complete Data Center information. The message "Standby machine (partial data)" appears in SmartView or when you run "cpstat vsec" from the CLI.

OpenStack

02462845 OpenStack HTTPS authentication uses tokens that expire according to the OpenStack configuration. Upon token expiration, a new HTTPS session is created and a log indicating authentication failure is sent.

Nuage Networks

VSECC-1073 Virtual IPs and Floating IPs are currently not supported.
VSECC-1074 vPorts of the Container and Host are currently not supported.

Threat Prevention Tagging

- Security Tag names must contain only alphanumeric characters. Otherwise, Threat Prevention Tagging will not work.
- The IP address of a CloudGuard Gateway for NSX that is configured in SmartConsole must be the same IP address assigned to interface eth0.
- Threat Prevention Tagging is disabled when the Security Tag is removed. No log is sent in such a case.

VMware NSX and vCenter

VSECC-1075 VMware NSX Object - IP Set Objects with ranges or CIDR block notation are not supported. IP Set Objects representing one or more individual IP addresses are supported.
VSECC-1076 Official VMware Tools must be installed on a VM in order for CloudGuard Controller to successfully poll IP addresses. Install the VMware Tools for your specific version.
For more information, refer to VMware Knowledge Base 2004754: Installing and upgrading VMware Tools in vSphere.

Cisco APIC

VSECC-1083 Cisco APIC Object - L3 External EPG Objects are not supported.
VSECC-1084 CloudGuard for Cisco ACI controller IP address mapping and updates are based on the ACI fabric's IP learning capabilities, which require enabling unicast routing on the Bridge Domain containing the EPG.
VSECC-1085 Cisco APIC versions lower than 2.1: the Cisco ACI fabric does not age out individual endpoint IP address mappings as long as one of the IP addresses responds to keep-alive ARP Requests from the fabric. As a result, these stale IP addresses are also learned by the CloudGuard Controller.
VSECC-1086 Supported fabric size: the total number of all the following objects must not exceed 100,000:
• Tenants
• Application Profiles
• EPGs
• IP addresses
VSECC-1087 APIC HTTP URLs that redirect to HTTPS are not supported. Use either HTTPS URLs directly, or HTTP without redirection.
VSECC-1088 Mixing HTTP and HTTPS APIC URLs in the connection properties is not supported.
VSECC-1089 When multiple APIC URLs are specified, the connectivity test succeeds as long as one of the URLs connects. There is no initial verification of all the URLs.
VSECC-1090 On failure to connect to all the given APIC URLs, the returned error message is for the first unsuccessful URL.
VSECC-1091 Changes to the privileges of the APIC user that was used to create the Data Center Object are not reflected during an active login session.
For example, if a new security domain that allows the user to see a new tenant is added to the user, the new tenant is not visible to the APIC scanner.
Workaround: Run the vsec_controller_stop command on the CloudGuard Controller to restart the CloudGuard Controller services and force a new login.
VSECC-1092 If an object imported from Cisco APIC is deleted on the APIC and then created again, the object must be re-imported into the Check Point policy. Enforcement works properly once the object has been recreated in APIC; however, the re-import is required to maintain updates for the object in the Security Management Server.
VSECC-1093 Only the following TLS cipher suites are supported for APIC HTTPS connectivity:
• TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_DSS_WITH_AES_128_CBC_SHA
• TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
• TLS_DHE_DSS_WITH_AES_256_CBC_SHA
• TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
• TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
• TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
• TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
• TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_EMPTY_RENEGOTIATION_INFO_SCSV
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
• TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
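The VSECC-1093 list is what the controller will accept, not what it will prefer, so the APIC's TLS configuration decides which of these suites is actually negotiated. The following Python script is an added example, not CloudGuard Controller or Cisco code: it copies the list above, splits each IANA suite name into key exchange, authentication, cipher and MAC, flags the suites without forward secrecy, the 3DES suites and the HMAC-SHA1 suites, and produces a strongest-first ordering to hand to whoever configures the APIC side. The ranking rules and function names are this example's own assumptions; TLS_EMPTY_RENEGOTIATION_INFO_SCSV is treated as the RFC 5746 signalling value it is, not as a cipher.

```python
"""Classify the TLS cipher suites CloudGuard Controller accepts for APIC HTTPS
connectivity (VSECC-1093).  Added example: the suite list is copied from the
table above; the parsing, ranking rules and function names are assumptions."""
from typing import Dict, List, Optional

# Signalling value from RFC 5746; it is not a cipher suite.
SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"

SUPPORTED_APIC_SUITES = [
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    SCSV, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
]


def parse_suite(name: str) -> Optional[Dict[str, str]]:
    """Split an IANA suite name into key exchange, authentication, cipher and MAC.
    Returns None for signalling values (no "_WITH_"), such as the renegotiation SCSV."""
    if "_WITH_" not in name:
        return None
    head, tail = name[len("TLS_"):].split("_WITH_", 1)
    parts = head.split("_")
    kx = parts[0]
    auth = parts[1] if len(parts) > 1 else kx  # plain "RSA" = RSA key transport and RSA auth
    cipher, mac = tail.rsplit("_", 1)          # e.g. "AES_256_CBC", "SHA384"
    return {"kx": kx, "auth": auth, "cipher": cipher, "mac": mac}


def weaknesses(name: str) -> List[str]:
    """Properties a defender would want to avoid negotiating, where the APIC allows a choice."""
    parsed = parse_suite(name)
    if parsed is None:
        return []
    found = []
    if parsed["kx"] not in ("DHE", "ECDHE"):
        found.append("no-forward-secrecy")   # static RSA / static ECDH key exchange
    if parsed["cipher"].startswith("3DES"):
        found.append("3des-64-bit-block")    # 64-bit block cipher (Sweet32-class risk)
    if parsed["mac"] == "SHA":
        found.append("hmac-sha1")
    return found


# Ranking tables for preferred_order(); lower is better.  These are this example's choice.
_KX_RANK = {"ECDHE": 0, "DHE": 1}
_CIPHER_RANK = {"AES_256_CBC": 0, "AES_128_CBC": 1, "3DES_EDE_CBC": 2}
_MAC_RANK = {"SHA384": 0, "SHA256": 1, "SHA": 2}
_AUTH_RANK = {"ECDSA": 0, "RSA": 1, "DSS": 2}


def _rank(name: str):
    p = parse_suite(name)
    return (_KX_RANK.get(p["kx"], 2), _CIPHER_RANK.get(p["cipher"], 3),
            _MAC_RANK.get(p["mac"], 3), _AUTH_RANK.get(p["auth"], 3), name)


def preferred_order(suites: List[str]) -> List[str]:
    """Strongest-first ordering of the real cipher suites (signalling values dropped)."""
    return sorted((s for s in suites if parse_suite(s) is not None), key=_rank)


def is_supported(name: str) -> bool:
    """True when the controller accepts this suite (the SCSV is not a suite)."""
    return name in SUPPORTED_APIC_SUITES and parse_suite(name) is not None


def summary(suites: List[str]) -> Dict[str, int]:
    """Counts of real suites, forward-secret suites and 3DES suites in the list."""
    real = [s for s in suites if parse_suite(s) is not None]
    return {"total": len(real),
            "forward_secret": sum("no-forward-secrecy" not in weaknesses(s) for s in real),
            "3des": sum("3des-64-bit-block" in weaknesses(s) for s in real)}


if __name__ == "__main__":
    print(summary(SUPPORTED_APIC_SUITES))
    for suite in preferred_order(SUPPORTED_APIC_SUITES):
        print(f"{suite:45} {', '.join(weaknesses(suite)) or 'ok'}")
```

Note that none of the accepted suites is an AEAD (GCM) suite, so is_supported() returns False for a modern APIC default such as an AES-GCM suite; if the APIC offers only such suites, the connectivity test to it will fail for cipher reasons rather than credential reasons.
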

Cisco ISE

VSECC-1094 Supports up to 10 concurrent connections. This may cause intermittent failures to refresh IP information in an MDM environment where many domains use the ISE controller.
- Overall performance degradation of IP-to-SGT mapping retrievals as the number of IPs grows.
VSECC-1095 Filtering IP-to-SGT mappings by SG name uses a wildcard ('*SG_NAME*') search, so incorrect IPs may be returned in case two SGs have overlapping names (one is contained in the other).
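The practical consequence of VSECC-1095 is that a lookup for SG "Web" also brings back the IPs of "Web-DMZ" and "PreWeb", and those IPs then match a rule meant only for "Web". The following Python script is an added example, not CloudGuard Controller or Cisco ISE code: wildcard_search() only simulates the case-sensitive substring behaviour of a '*SG_NAME*' search as described above (an assumption), the record layout is constructed, and the two checks a practitioner would want are an exact-name post-filter and a scan of the SG names for containment so the affected groups can be renamed or watched.

```python
"""Exact-match post-filter for IP-to-SGT mappings retrieved from Cisco ISE by
SG name (VSECC-1095).  Added example; wildcard_search() simulates the
'*SG_NAME*' substring lookup described above, and the record layout
({"ip", "sgt", "sg_name"}) is an assumption for this example."""
from typing import Dict, Iterable, List, Tuple

Mapping = Dict[str, object]

# Constructed sample IP-to-SGT mappings, not data from any real ISE deployment.
SAMPLE_MAPPINGS: List[Mapping] = [
    {"ip": "10.0.1.10", "sgt": 16, "sg_name": "Web"},
    {"ip": "10.0.1.11", "sgt": 16, "sg_name": "Web"},
    {"ip": "10.0.2.10", "sgt": 17, "sg_name": "Web-DMZ"},
    {"ip": "10.0.3.10", "sgt": 18, "sg_name": "PreWeb"},
    {"ip": "10.0.4.10", "sgt": 19, "sg_name": "DB"},
]


def wildcard_search(mappings: Iterable[Mapping], sg_name: str) -> List[Mapping]:
    """Simulate the '*SG_NAME*' lookup: any mapping whose SG name contains the string."""
    return [m for m in mappings if sg_name in m["sg_name"]]


def exact_filter(mappings: Iterable[Mapping], sg_name: str) -> List[Mapping]:
    """Keep only mappings whose SG name equals the requested name."""
    return [m for m in mappings if m["sg_name"] == sg_name]


def spurious_ips(mappings: List[Mapping], sg_name: str) -> List[str]:
    """IPs the wildcard lookup returns that do not belong to the requested SG.
    A non-empty result means a rule using this SG would match the wrong hosts."""
    wanted_ips = {m["ip"] for m in exact_filter(mappings, sg_name)}
    return sorted(m["ip"] for m in wildcard_search(mappings, sg_name)
                  if m["ip"] not in wanted_ips)


def overlapping_sg_names(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Pairs (inner, outer) where inner's name is a substring of outer's name;
    lookups for 'inner' are the ones that can return incorrect IPs."""
    unique = sorted(set(names))
    return [(a, b) for a in unique for b in unique if a != b and a in b]


if __name__ == "__main__":
    sg = "Web"
    print("wildcard:", [m["ip"] for m in wildcard_search(SAMPLE_MAPPINGS, sg)])
    print("exact:   ", [m["ip"] for m in exact_filter(SAMPLE_MAPPINGS, sg)])
    print("spurious:", spurious_ips(SAMPLE_MAPPINGS, sg))
    print("overlaps:", overlapping_sg_names(m["sg_name"] for m in SAMPLE_MAPPINGS))
```

With the constructed sample the wildcard lookup for "Web" returns four IPs, the exact filter keeps two, and overlapping_sg_names() reports that "Web" is contained in both "PreWeb" and "Web-DMZ".
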

Public Cloud: Amazon Web Services, Microsoft Azure and Google Cloud Platform

VSECC-1097 IPv6 information is not imported for Data Center Objects in Public Cloud. CloudGuard Gateways in Public Cloud do not support IPv6.
- VSX mode is not supported on CloudGuard IaaS Security Gateways installed on public cloud platforms.
VSECC-1098 Data Center Tags:
• Tag keys and values longer than 100 characters are truncated to the first 100 characters and "..." is appended to the end of the tag.
• In Microsoft Azure, Tag keys are case-insensitive, whereas Tag values are case-sensitive. In CloudGuard Controller, both Tag key and Tag value are treated as case-sensitive, meaning that the same key/value in different cases is shown on 2 separate lines in SmartConsole.

Microsoft Azure

PMTR-3938 CloudGuard Controller for Microsoft Azure no longer retrieves Load Balancer IP addresses for Virtual Machine Scale Set Objects.
PMTR-3808 Public IP addresses for virtual machines in Virtual Machine Scale Sets are retrieved only for the AzureCloud environment.
- The Resource Group Object name displayed in CloudGuard Controller might differ (in terms of lower/upper case) from the name displayed in the Microsoft Azure Portal.

Amazon Web Services

- The time on the Gaia OS must be synchronized with the current time. Otherwise, polling of information from AWS might fail.
- The region name that was selected in the "Create New AWS Server" view might appear as the region code name in the import view.
- The value of the AWS Tag "Name" that appears as part of the object's name is truncated after the first 100 characters.

Google Cloud Platform

PMTR-3789 IP addresses for Tags Objects are not displayed in SmartConsole.
- The time on the Gaia OS must be synchronized with the current time. Otherwise, polling of information from Google Cloud Platform might fail.
VSECC-1001 Projects with shared VPC are not supported. Refer to sk164139.
