This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter > ASSETS / INFO > My Subscriptions.
ID
Symptoms
General Limitations
01372023
CloudGuard Controller is supported only on Gaia OS.
VSECC-1057
In case of replacement of a Data Center Server's certificate that has been trusted by the user, communication with the Data Center Server fails and a log is sent.
Workaround: To resolve, open the Data Center Server Object in SmartConsole, and click on "Test connection".
01683557
Changes to the IP address of a Data Center Object are enforced after approximately 30 seconds. This interval (the enforcementUpdateIntervalTime parameter) can be configured globally, or per Data Center server type, as described in sk112855.
02500441
Integrating a Data Center Server into a Domain Server that was created with an IP address previously used by a deleted Domain Server may cause CloudGuard Controller to malfunction.
To resolve, restart the CloudGuard Controller process using the vsec_controller_stop command.
-
Upgrading to R80.20: Before upgrading the CloudGuard Controller from the R80.x Security Management Server / Multi-Domain Security Management Server with the CloudGuard Service Registration Hotfix, you must first uninstall the CloudGuard Service Registration Hotfix. This ensures that services that are deployed are not impacted during the upgrade process.
Changes in connection properties (such as credentials or URL) of existing Data Center Servers take effect (e.g., for importing objects and updating objects) only after policy is installed on all the Security Gateways that have Data Center Objects from this Data Center Server.
-
Changes in connection properties (such as credentials or URL) of an existing Data Center Server, followed by policy installation, require the Security Gateway to initialize all IP address mappings of Data Center Objects in all enforcement sessions.
01968060
If the Identity Awareness API is either not installed on the Security Gateway, or installed but disabled, Data Center Objects are not enforced by the Security Gateway and are treated as objects without an IP address. There is no indication in SmartConsole about the missing configuration.
02070398
Importing a 'Data Center Object' hierarchy object that contains one of the CloudGuard Gateway's IP addresses might lead to service drops. Therefore, the CloudGuard Gateway's IP addresses must be excluded in an additional rule.
VSECNSX-602
Unable to install CloudGuard Service Registration Hotfix with CloudGuard Controller in StandAlone configuration.
VSECC-1059
Cluster objects (ClusterXL and 3rd party Cluster with the exception of CloudGuard for NSX) must be configured with reachable VIP as the main Cluster IP address to receive updates on Data Center imported objects.
PMTR-3442
Connections to/from Data Center Objects that appear for the first time in a policy package pushed to the Security Gateway will not be re-matched, even if the "rematch connections" option is enabled in the Security Gateway policy. Connections involving Data Center Objects that were included in previous policy installations on the Security Gateway are re-matched.
VSECNSX-739
CloudGuard Service Registration is not supported on R80.20 Management Server.
-
When mapping a large Data Center environment, SmartConsole may display a "General error occurred" message when attempting to import objects, before the initial download of objects has completed (a.k.a. "first scan").
Security Policy
VSECC-1060
Data Center Objects are not supported in NAT policy, Network Group Objects, and HTTPS policy.
VSECC-1063
CloudGuard Objects (Data Center Servers and Data Center Objects) are not supported in Global Domain.
02010025
Data Center Objects and standard Network Objects are not supported in the same rule cell.
VSECC-1062
Data Center Objects are not supported in Threat Prevention Exceptions that are installed on R77.20 and R77.30 Security Gateways (R80.x SmartConsole -> SECURITY POLICIES App -> Threat Prevention section -> Exceptions).
CloudGuard Objects Naming
VSECC-1064
Non-ASCII characters (non-English languages) in 'Data Center Server' properties (i.e., user, password and shared secret fields) are not supported. (If an object name contains one of the above characters, enforcement will not work.)
If Data Center Object's name includes Non-ASCII characters (non-English languages), enforcement will work, but its name might not be displayed properly in Security Logs and Events.
VSECC-1065
If a Data Center Object name contains any of the following characters:
"{" - opening curly bracket
"}" - closing curly bracket
"[" - opening square bracket
"]" - closing square bracket
"<" - less than
">" - greater than
Then the Data Center Object name will appear in SmartLog with "_" in place of each of the above characters. For example: {Name1} will appear as _Name1_
02462704
Data Center Object with empty name cannot be imported to security policy.
CloudGuard Controller Server
-
CPRID communication (TCP port 18208) must be allowed between the Management Server to the Security Gateway and throughout the network (use the Check Point predefined service 'FW1_CPRID'). Refer to sk52421 and open the ports used by Check Point (especially, TCP port 18208).
-
CloudGuard Controller does not support overlapping, or duplicate IP addresses on the same Security Gateway.
-
Logs for rules with Subnets, AWS Security Groups, Microsoft Azure Network Security Groups or VMware NSX Security Groups will contain only the IP address, and will not contain the instance name.
-
Update of the CloudGuard Gateway with IP mappings for newly imported Data Center Objects: When performing "Import of Data Center Objects" into the policy and policy installation, a time interval that is greater than or equal to the value of the enforcementUpdateIntervalTime parameter will pass before the IP mapping of the new objects will be communicated to the Security Gateway, and the new rules will be enforced (refer to sk112855).
02413946
"Failed to update Data Center server objects on gateway" log appears in SmartLog on R80.x CloudGuard Controller for a deleted Security Gateway. Refer to sk114956.
VSECC-1066
Policy Verification for overlapping, hiding or contradicting rules that include Data Center Objects is not supported.
VSECC-1067
A policy that contains Data Center Objects is not enforced immediately after the policy installation. It takes time for the CloudGuard Controller to update the Security Gateway.
VSECC-1068
In a Multi-Domain Security Management Server environment, VSX Gateway / VSX Cluster and all Virtual Systems that enforce a policy with Data Center Objects, must reside on the same Domain Management Server.
VSECC-1069
For MDS HA managing a VSX gateway, a domain server must be deployed on all MDS servers that manage the VSX gateway installed with imported Data Center Objects. Note: This instruction applies to the VSX object. This is not mandatory for the virtual systems.
VSECC-1070
VS Cluster first policy installation should not include Data Center Objects. Note: If this cannot be achieved, a full-sync must be run on the cluster by running the following on the standby member:
fw ctl setsync off
fw ctl setsync start
CloudGuard Controller Enforcement
VSECC-1071
If a Security Gateway works with CloudGuard Controller and other Identity Sources, there must not be IP addresses belonging to Data Center Objects also associated to Machines in other Identity Sources. Such overlapping can result in disassociation of the IP addresses from either the Data Center Object, or Access Roles with such Machines, and improper Security Policy enforcement.
PMTR-26157
In 41k/61k VSX gateway, Data Center Objects are not supported.
Resolved in R80.20.M2
CloudGuard Central License
PMTR-3953
Only one type of license is supported. If there is more than one license package (NGX, NGTP, DLP), the first license that was added to the account will create the default pool. Only licenses of this type will be distributed.
PMTR-3955
The Security Gateway must have a policy installed to receive the license. A Security Gateway without a policy will not receive a license.
PMTR-3956
A change to a Security Gateway's vCore count is applied one day after the change was made. To expedite the update, initiate a policy installation, or run distribution from the vsec_lic_cli menu.
PMTR-3957
Operations from SmartUpdate, such as attach/detach, will be ignored by this feature. Do not use any such operation on CloudGuard licenses after starting this feature.
PMTR-3952
In the MDS HA system mode, every vsec_lic_cli operation which runs on one MDS, requires that 'Run license distribution' is entered on the other MDS (from the vsec_lic_cli menu).
PMTR-3949
Evaluation license will not be distributed.
PMTR-3948
The tool can work in one of the following modes: system mode or domain mode. Do not use both at the same time. If there is a need to change the mode, all CloudGuard licenses must be deleted from the management (using vsec_lic_cli) prior to the change. (Refer to the R80.10 CloudGuard Controller v1 Administration Guide for more information on the two modes.)
PMTR-3947
When the core usage report is generated, time periods in which the management was down are counted as if the Security Gateway was down.
To use the tool in system mode, the management server must have connectivity to the Internet. Make sure that the DNS and proxy are configured correctly (each domain must configure its own proxy).
-
MDS system mode requires a license whose IP address has not been changed more than the maximum allowed by UserCenter.
If your license has had its IP address changed that many times, please contact your sales representative.
VSECC-544
The CloudGuard Central License Management Utility is not able to give a license to a StandAlone machine in a Full HA cluster configuration. On each Full HA cluster member, it is required to install a separate non-central license, generated for the IP address of the Full HA cluster member. Other gateways will get the Central License from the CloudGuard Central License Management Utility.
VSECC-557
On an MDS server, the license report with CloudGuard Central License data can be viewed from the relevant context only. When using domain mode it can be viewed from the domain, and when using system mode it can be viewed from the MDS level only. The other license report will be empty in the CloudGuard licenses page.
CloudGuard Controller Monitoring
VSECC-422
After running any of the commands reboot, cprestart, or cloudguard off, Data Centers that have no imported objects will not automatically appear in the Data Center table.
To see the Data Centers in the table, open each Data Center individually in SmartConsole.
VSECC-1072
Data Centers that have no imported objects will not appear in the Data Center table after the cloudguard off command is run.
VSECC-346
Problems in a Data Center do not always change the status of the Security Management Server in SmartConsole.
Workaround: Open the Device & License information window to see the real status and update the status in SmartConsole.
VSECC-461
SmartView Monitor (legacy GUI) is not supported for viewing CloudGuard data and status.
VSECC-311
In a High-Availability deployment, the Standby server does not have complete Data Center information. The message "Standby machine (partial data)" appears in SmartView or when you run "cpstat vsec" from the CLI.
OpenStack
02462845
OpenStack HTTPS authentication uses tokens that expire according to the OpenStack configuration. Upon token expiration, a new HTTPS session is created, and a log indicating authentication failure is sent.
Nuage Networks
VSECC-1073
Virtual IPs and Floating IPs are currently not supported.
Threat Prevention Tagging
-
Security Tag names must contain only alphanumeric characters. Otherwise, Threat Prevention Tagging will not work.
-
The IP Address of a CloudGuard Gateway for NSX that is configured in SmartConsole must be the same IP Address assigned to interface eth0.
-
Threat Prevention Tagging is disabled when Security Tag is removed. No log is sent in such a case.
VMware NSX and vCenter
VSECC-1075
VMware NSX Object - IP Set Objects with ranges or CIDR block notations are not supported. IP Set Objects representing one or more individual IP addresses are supported.
Cisco ACI
-
CloudGuard for Cisco ACI controller IP address mapping and updates are based on ACI fabric IP learning capabilities, which require unicast routing to be enabled on the Bridge Domain containing the EPG.
VSECC-1085
Cisco APIC versions lower than 2.1:
The Cisco ACI fabric does not age out individual endpoint IP address mappings, as long as one of the IP addresses responds to keep-alive ARP Requests from the fabric. As a result, these stale IP addresses will also be learned by the CloudGuard Controller.
VSECC-1086
Supported fabric size: The total number of all the following objects must not exceed 100,000:
Tenants
Application Profiles
EPGs
IP addresses
VSECC-1087
APIC HTTP URLs, which redirect to HTTPS, are not supported. Use either HTTPS URLs directly, or HTTP without redirection.
VSECC-1088
Mixing both HTTP and HTTPS APIC URLs in the connection properties is not supported.
VSECC-1089
When multiple APIC URLs are specified, the connectivity test will succeed, as long as one of the URLs connects. There is no requirement for initial verification for all the URLs.
VSECC-1090
On failure to connect to all the given APIC URLs, the returned error message is for the first unsuccessful URL.
VSECC-1091
Changes to the privileges of the APIC user that was used to create the Data Center Object are not reflected during an active login session. For example, if a new security domain is added to the user, allowing the user to see a new tenant, the tenant will not be visible to the APIC scanner.
Workaround: Run the vsec_controller_stop command on the CloudGuard Controller to restart the CloudGuard Controller services and force a new login.
VSECC-1092
If an object imported from Cisco APIC is deleted on the APIC, and then created again, the object must be re-imported into Check Point Policy. Enforcement will work properly once the object has been recreated in APIC, however the re-import is required to maintain updates for the object in the Security Management Server.
VSECC-1093
Only the following TLS cipher suites are supported for APIC HTTPS connectivity:
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Cisco ISE
VSECC-1094
Supports up to 10 concurrent connections. This may cause intermittent failures to refresh IP information in an MDM environment where many domains use the ISE controller.
-
Overall performance degradation of IP-to-SGT mapping retrievals as the number of IPs grows.
VSECC-1095
Filtering IP-to-SGT mappings by SG name uses a wildcard ('*SG_NAME*') search, so incorrect IPs may be returned when two SGs have overlapping names (one name is contained in the other).
Public Cloud: Amazon Web Services, Microsoft Azure and Google Cloud Platform
VSECC-1097
IPv6 information is not imported for Data Center Objects in Public Cloud. CloudGuard Gateways in Public Cloud do not support IPv6.
-
VSX mode is not supported on CloudGuard IaaS Security Gateways installed on public cloud platforms.
VSECC-1098
Data Center Tags:
Tag keys and values longer than 100 characters are truncated to the first 100 characters, and "..." is appended to the end of the tag.
In Microsoft Azure, Tag keys are case-insensitive, whereas Tag values are case-sensitive. In CloudGuard Controller, both the Tag key and the Tag value are treated as case-sensitive. This means that the same key/value in different cases will be shown on 2 separate lines in SmartConsole.
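A pre-import lint, added here as an example and not part of Check Point's tooling, that applies the naming rules above (the SmartLog "_" substitution, the non-ASCII and empty-name limitations under VSECC-1064, VSECC-1065 and 02462704) and the Data Center Tag rules (100-character truncation, case-sensitive key handling) to candidate object names and tags, so an administrator can see in advance which names will be displayed differently and which tag keys will appear twice. The sample names and tags in the block are constructed.

```python
from collections import defaultdict

# Characters that SmartLog shows as "_" in a Data Center Object name
SMARTLOG_REPLACED = "{}[]<>"
TAG_MAX_LEN = 100  # longer tag keys/values are cut to 100 characters plus "..."

CASE_DUP_MSG = "same tag key in different case; shown as separate lines in SmartConsole"


def smartlog_display_name(name: str) -> str:
    """Predict how a Data Center Object name is rendered in SmartLog."""
    return name.translate(str.maketrans({c: "_" for c in SMARTLOG_REPLACED}))


def truncate_tag(text: str) -> str:
    """Apply the tag truncation rule: first 100 characters followed by '...'."""
    return text[:TAG_MAX_LEN] + "..." if len(text) > TAG_MAX_LEN else text


def lint_names(names):
    """Return (name, issue) pairs for names that cannot be imported or display differently."""
    issues = []
    for name in names:
        if name == "":
            issues.append((name, "empty name: cannot be imported into the policy"))
            continue
        if not name.isascii():
            issues.append((name, "non-ASCII name: enforcement works, logs may not display it"))
        shown = smartlog_display_name(name)
        if shown != name:
            issues.append((name, "shown in SmartLog as " + shown))
    return issues


def lint_tags(tags):
    """tags: iterable of (key, value). Flags truncation and keys that differ only in case."""
    issues = []
    variants = defaultdict(set)
    for key, value in tags:
        if len(key) > TAG_MAX_LEN:
            issues.append((key, "key truncated to " + truncate_tag(key)))
        if len(value) > TAG_MAX_LEN:
            issues.append((key, "value truncated to " + truncate_tag(value)))
        variants[key.casefold()].add(key)
    for keys in variants.values():
        if len(keys) > 1:
            issues.append((tuple(sorted(keys)), CASE_DUP_MSG))
    return issues


if __name__ == "__main__":
    # Constructed sample input, not taken from any real deployment
    for item in lint_names(["{Name1}", "web-01", "", "Rechner-ü"]):
        print(item)
    for item in lint_tags([("Env", "prod"), ("env", "prod"), ("Owner", "x" * 120)]):
        print(item)
```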
Microsoft Azure
PMTR-3938
CloudGuard Controller for Microsoft Azure will no longer retrieve Load Balancer IP addresses for Virtual Machine Scale Sets Objects.
PMTR-3808
Public IP addresses for virtual machines in Virtual Machine Scale Sets will be retrieved only for the AzureCloud environment.
-
Resource Group Object name displayed in CloudGuard Controller might differ (in terms of lower/upper case) from the name displayed in the Microsoft Azure Portal.
Amazon Web Services
-
The time on the Gaia OS must be synchronized with the current time. Otherwise, polling of information from AWS might fail.
-
The region name that was selected in the "Create New AWS Server" view, might appear as the region code name in the import view.
-
The value of the AWS Tag "Name" that appears as part of the object's name, will be truncated after the first 100 characters.
Google Cloud Platform
PMTR-3789
IP addresses for Tags Objects are not displayed in SmartConsole.
-
The time on the Gaia OS must be synchronized with the current time. Otherwise, polling of information from Google Cloud Platform might fail.
VSECC-1001
Projects with shared VPC are not supported. Refer to sk164139.