Support Center > Search Results > SecureKnowledge Details
Scalable Platform R80.20SP - Known Limitations Technical Level

Table of Contents:

  • Introduction
  • Non Supported Features
  • Known Limitations
  • Related Solutions



This article lists all known limitations for Scalable Platform Appliances R80.20SP.

This is a live document that may be updated without special notice. We recommend that you register for our weekly updates in order to stay up to date. To register, go to UserCenter > ASSETS / INFO > My Subscriptions.


Important notes:

  • To get a fix for an issue listed below, contact Check Point Support with the issue ID.

  • To see if an issue has been fixed, search for the issue ID in Support Center.

This article contains two sections:

  • Non Supported Features
  • Known Limitations

Note: If not stated otherwise, all items listed below apply to both Security Gateway and VSX Gateway.


Non Supported Features

The following features are not supported in Scalable Platform Appliances R80.20SP, and may be supported in future versions.

  • General
    • General
    • Gaia OS
    • Hardware
  • Infrastructure
    • VSX
  • Networking
    • Networking
    • IPv6
  • Software Blades
    • Firewall
    • VPN
    • DLP
    • SmartView Monitor
    • QoS
    • SmartProvisioning

Enter the string to filter this table:

ID Symptoms Reported
Non Supported Features - General
MBS-3246 R80.20SP does not support:
  • DHCP Client configuration
  • DHCP Server configuration
  • Dynamically Assigned IP (DAIP) configuration
MBS-2379 The image auto-clone feature (set smo image auto-clone state on) only supports SGMs that run the same major version. When you add a new SGM to the R80.20SP chassis (add smo security-group), it either must not have any version installed, or it must have the R80.20SP version installed. R80.20SP  -
MBS-1586 The 'asg_syslog' command is no longer supported. Use the Gaia Clish 'set syslog ...' command instead. R80.20SP
MBS-1360 To install a license with the 'cplic put' command, before you run the Gaia First Time Configuration Wizard, you must run the 'cplic put' command in Expert mode. R80.20SP
MBS-8326 Scalable Platforms 40000 and 60000 do not support installation with the Central Deployment Tool (sk111158). R80.20SP
MBS-8327 Scalable Platforms 40000 and 60000 do not support the Management Data Separation feature (sk138672). R80.20SP
SPC-89 "Unified MAC for data ports" mode is not supported by VSX. R76SP.50  -
01517974 ISP Redundancy is not supported.  R76SP.10  -
00772706 60000 / 40000 Scalable Platforms do not have a WebUI to configure and monitor the system. HTTP access to the system is blocked.  R76SP   R80.20SP 
01350464 R80.20 supports only Hotfixes that were created specifically for this version. Hotfixes created for maintrain versions are not supported.  R76SP
00595914 Security Server (FTP/HTTP with Resource) is not supported. R76SP
00824847 60000 / 40000 Scalable Platforms do not support OPSEC SDK. R76SP  -
01800842 Hide NAT for traffic initiated from the Management interface of 60000 / 40000 Scalable Platforms is not supported.  R76SP   -
01322440 60000 / 40000 Scalable Platforms can not be configured as DHCP Servers.  R76SP  -
SPC-929 Dynamic NAT is not supported.   R76SP  -
Gaia OS
MBS-2836 The 'asg profile' command is not supported. R80.20SP -
MBS-3369 The "asg_archive" utility is no longer supported. To monitor the history data, use the CPview History mode per SGM.   R80.20SP
MBS-3625 The 'save configuration' command in gclish is not supported.  R80.20SP
MBS-3579 The Pingable Hosts State event type in the "asg alert" is not supported.   R80.20SP  -
MBS-4756 Maestro Hyperscale System does not support Gaia Cloning Groups.   R80.20SP 
MBS-2372 It is not supported to manually update or install the CPUSE Agent.   R80.20SP   -
MBS-5488 The Gaia Clish / Gaia gClish command 'snapshot_recover' is not supported.  R80.20SP Jumbo HFA R80.20SP Take 105
MBS-3010 4 x SSMs (Dual-Dual Star) deployment is not supported.  R80.20SP Jumbo HFA R80.20SP Take 242
MBS-1244 The Check Point Performance Sizing Utility 'cpsizeme' (see sk88160) is not supported.  R80.20SP 
MBS-4754 Scalable Platforms do not support Central Management of Gaia Device Settings:
  1. In SmartConsole, click on "Gateways & Servers" on the navigation panel.
  2. Right-click on the Scalable Platform gateway object. 
  3. The "Scripts" menu and "Actions" menu are not supported.  
MBS-3992 SSM60 is not supported by R80.20SP and above. R80.20SP 
02447213 On a 44000 / 64000 chassis, DC Power Entry Modules (PEM) are not supported.  R76SP.50   -
02457673 On SSM440, interfaces eth<X>-Mgmt1 and eth<X>-Mgmt2 will not be used and should not be configured. The management interfaces are eth<X>-Mgmt4 and eth<X>-Mgmt3.  R76SP.50  -
02439135 On SSM440, the auto-negotiation for Forward Error Correction (FEC) on 100Gb ports is not supported. FEC is enabled by default. The user can disable it manually in accordance with the settings on the peer side.  R76SP.50  -
02160144 N+N Type Chassis (new model) and N+1 Type Chassis (old model) are not supported together in a cluster (Dual Chassis setup).  R76SP.40  -
01007477 All SGMs in an environment must have the same number of CPU cores. Hybrid Systems (61000 Scalable Platforms with SGMs that have a different number of CPU cores) are not supported.   Pre-R76SP  -
MBS-2521 Scalable Platforms 40000 / 60000 do not support VRRP configuration.  R80.20SP   -
Non Supported Features - Infrastructure
MBS-3522 Enabling ICMP / CCP probing on cluster interfaces (setting the value of the kernel parameter fwha_enable_if_probing to 1) is not supported in VSX mode. R80.20  -
01413513 Virtual Routers are not supported. R76SP.10 -
01096568 The VSX Gateway can not be managed from data ports.
The supported Management interfaces are:
  • eth1-Mgmt1, eth1-Mgmt2, eth1-Mgmt3, eth1-Mgmt4
  • eth2-Mgmt1, eth2-Mgmt2, eth2-Mgmt3, eth2-Mgmt4
R76SP  -
Non Supported Features - Networking
MBS-4866 R80.20SP does not support ISP Redundancy configuration.   R80.20SP
MBS-4024 R80.20SP does not support the Bidirectional Forwarding Detection (BFD). R80.20SP
02003875 LACP is not supported with Management Aggregation (MAGG). R76SP.40 Jumbo HFA R80.20SP Take 210
01262356 PIM Sparse mode is not supported when the 60000 / 40000 Scalable Platform is defined as a Rendezvous Point (RP).  R76SP  -
MBS-11398 Correction is not supported for IPv6 local connections initiated from the Standby chassis. R80.20SP -
02621541 IPv6 VPN is not supported. R76SP
Non Supported Features - Software Blades
02641733 The 'fw sam' command (sk112061) is not supported.  R76SP 
SPC-986 Carrier Security (LTE) is supported only on the Security Gateway. R76SP -
01685300 SSL VPN is not supported for deployments that use NAT on Office Mode network.  R76SP.20
01445638 Traditional mode VPN is not supported.  R76SP.10
00737055 Virtual Tunnel Interfaces (VTI) are not supported.  R76SP  
00750851 Route-based probing configuration is not supported for VPN Link Selection in High Availability mode.  R76SP  -
01344987 Per-gateway VPN is not supported.  R76SP  -
01340588 Corporate Enforcement is not supported.  R76SP  -
01157859, 01349731 DLP Fingerprint is not supported. R76SP -
SmartView Monitor
00593173 SmartView Monitor is not supported for 60000 / 40000 Scalable Platforms. Statistics are only collected from a single SGM and do not describe all traffic that is passing through the system. R76SP -
MBS-2641 The DiffServ honoring on SSM is not supported. R80.20SP -
01248880 The QoS blade is not supported.  R76SP -
01511158 SmartProvisioning of 60000 / 40000 Scalable Platforms is not supported. R76SP -


Known Limitations

The following limitations are known in Scalable Platform Appliances R80.20SP.

  • General
    • General
    • Gaia OS (Global Shell / Commands)
    • Hardware
    • Management and Policy

  • Installation
    • Installation / Upgrade
    • Licensing
  • Infrastructure
    • Security Gateway
    • VSX
    • SecureXL
    • Cluster
    • Hyper-Threading

  • Networking
    • Networking
    • Dynamic Routing
    • IPv6
  • Software Blades
    • VPN
    • Threat Prevention
    • Identity Awareness
    • Logs
    • Application Control
  • Monitoring
    • SNMP

Enter the string to filter this table:

ID Symptoms Reported
Known Limitations - General
MBS-3114 You can restore snapshots only on the same chassis type and SGM model on which it was collected. R80.20SP -
MBS-3363 R80.20SP does not support the 'asg_selective_template_exclude' command.  R80.20SP  -
MBS-6190 R80.20SP on Scalable Platforms 40000 / 60000 does not support the Multiple Security Groups feature. R80.20SP Jumbo HFA R80.20SP Take 240
MBS-9128  The Unique IP address per Chassis (UIPC) feature is not supported for IPv6 addresses. R80.20SP  -
SPC-1104 Connections that arrive via the data interface and are sent out via the management interface are not supported.  R76SP.50
SPC-1111 Connections that arrive via the management interface and sent out via the data interface are not supported R76SP.50
02476852 Before importing a snapshot on SGM, you must check if there is enough free disk space. If necessary, delete old snapshots and other unneeded files to free up disk space. SGMs that do not have enough disk space will not create the snapshot in their database, and there will be no error message to indicate this. R76SP.50   -
01247865 'cpstop' and 'cpstart' commands are not supported for 60000 / 40000 Scalable Platforms.  R76SP
00738754 If SGMs lose connectivity to the CMM, the 'asg stat' command displays the most recent status of the system. For example, a chassis module that was "UP" before the CMM lost connectivity, continues to have the status "UP". The state of the CMM is changed to "DOWN". R76SP 
Gaia OS (Global Shell / Commands)
MBS-4080 Gaia OS does not support Bond interface in Round Robin mode. R80.20SP -
MBS-964 Scalable Platforms 40000 / 60000 do not support the NTP Server configuration.  R80.20SP  -
MBS-6514  Setting the Minimum Number of Slaves in a Bond interface is not supported. R80.20SP 
02476859 Gaia Clish command 'show snapshots' might display the following error: "NMSNAP9999 Timeout waiting for response from database server".

Workaround: Run the 'show snapshots' command again.

R76SP.50   -
02476902 Gaia Clish command 'show snapshots' might display the following error: "NMSNAP0042 Snapshot mechanism is not supported in this system".

Workaround: Run the 'show snapshots' command again.

R76SP.50   -
00738300 The 'asg' commands are an extension of native gclish commands.
The 'asg' commands have different syntax and there is no auto-completion.
R76SP   -
00621838 From gclish, running the 'show hostname' command returns the hostname shared by all the SGMs, but not the specific ID for each SGM. The specific ID is displayed as %m.  R76SP  -
00634412 To perform hardware related control commands on SGMs in a remote chassis (for example, 'asg_reboot', 'asg_hard_start' or 'asg_hard_shutdown'), at least one remote chassis SGM must be in the "UP" state.

For example, running the 'asg_hard_start' command on a remote chassis on which the SGMs are not "UP" has no effect on the system.

R76SP   -
00642401 A CLI command that uses a range for the parameter can only operate if all the relevant SGMs are defined in the security group.  R76SP  -
00633262 The arguments of the global commands are processed before the local (native) arguments, and this can cause the local arguments to be ignored. For example, the 'g_ls -l /tmp/' command is processed as 'ls /tmp/' on the local SGM instead of as 'ls -l /tmp/' on all SGMs.

Relocating the local arguments within the command (where applicable) can resolve the problem. For example, run the 'g_ls /tmp/ -l' command instead of the 'g_ls -l /tmp/' command.

 R76SP  -
01061553 When exporting or importing a snapshot, you must export from or import to the /var/log directory.
  • To export a snapshot, run the 'set snapshot export <image_name> path /var/log/' command.
  • To import a snapshot, run the 'set snapshot import <image_name> path /var/log/ name <new_name_for_image>' command.
R76SP   -
01089206 Running the 'asg_hard_shutdown' command on an SGM two times, one after the other, causes a reboot and not a shutdown.

It takes one minute for the SGM to shut down after running the 'asg_hard_shutdown' command. During this interval, do not run the 'asg_hard_shutdown' command again.

R76SP   -
01237799 When you run multiple gclish 'set ...' commands, one after another, some of these commands can stop running. When this happens, the message "Processing Transaction" shows in the output. R76SP   -
MBS-3870 R80.20SP supports a maximum of two SSMs in a chassis (SSM1 and SSM2). R80.20SP -
02434343 On SSM440, error "Dot3Ah: Failed getting variable from bm" can appear when running the 'system reload' command.  R76SP.50
02169635 On SSM440, the MTU is limited to a maximum of 9000 bytes.  R76SP.50  -
02496928 Verification is needed after changing QSFP mode on SSMs:
"show smo verifiers print name <Port_Speed>".

If verification fails, change the QSFP mode on SSMs again:
"set ssm id <SSM_ID> qsfp-ports-mode <Port_Speed>"

R76SP.50   -
02439227 On a 44000 chassis, PXE installation on Slot 6 (SGM 2_06 / SGM 1_06) is supported by changing the kdevice to eth3. R76SP.50   -
SPC-214 On SSM440, when working with 1G copper transceiver in ethX-Mgmt4, after SSM reboot the interface will show the link as up but traffic will not pass.
Refer to sk126612.
00624269 The Ethernet ports on the SGMs are not used. Each SGM has two Ethernet ports that are not used by the system and must not be configured. The output of the 'ifconfig' command displays these ports as eth1 and eth2.  R76SP
00894653 Transceivers for 60000 / 40000 Scalable Platform Appliances are not interchangeable with transceivers from other Check Point appliances. Only transceivers provided with the 60000 / 40000 Scalable Platform Appliances are certified for this system.  R76SP  -
Management and Policy
MBS-3001 To fetch logs from SGMs on a Scalable Platform, you must use SmartConsole. Running the 'fw fetchlog' command on the Management Server is not supported. R80.20SP -
MBS-8515 NAT64 and NAT46 objects are not supported in the Access Control policy. R80.20SP
PMTR-22530 Management API on an R80.10 Management Server does not support Security Gateways R80.20SP. R80.10 R80.10 JHFA Ongoing Take 214 
PMTR-8896 Asymmetric VoIP connections of SIP and SKINNY protocols do not survive cluster failover (between SGMs on the same chassis, and between dual chassis). R80.20SP -
Known Limitations - Installation
Installation / Upgrade
01488400 Running 'asg' or other global commands before the setup wizard completes is not supported. R76SP.10 -
01951566, MBS-4510 Installation of a Central license with SmartUpdate requires a policy installation on the Security Gateway / VSX Gateway (in the context of the VS0) object in order to propagate the license.  R76SP.40 -
Known Limitations - Infrastructure
Security Gateway
MBS-4895 The 'fw sam_policy' ('fw samp') commands are not supported for Scalable Platforms in VSX mode. R80.20SP Jumbo HFA R80.20SP
Take 266
MBS-3209 R80.20SP does not support Multi Bridge (support for multiple bridge interfaces on a Virtual System in Bridge Mode).
    R80.20SP -
    MBS-4228 After reconfiguring a VSX Gateway with the 'vsx_util reconfigure' command, you must manually install policy on each Virtual System from SmartConsole.  R80.20SP
    MBS-6306 Log Server Distribution (asg_log_servers) is not supported on 40000 / 60000 chassis. R80.20SP  Jumbo HFA R80.20SP Take 105
    MBS-5636 A reset of SIC between the chassis in VSX mode and the Management Server might cause the non-SMO members to change their state to DOWN.

    To recover: Reboot the non-SMO members.

    R80.20SP Jumbo HFA R80.20SP Take 105 
    MBS-6775 While the Image Cloning feature is enabled, a Security Group member may reboot more than one time.
    Workaround: Disable the Image Cloning feature on the SMO member to stop these reboots.
    R80.20SP -
    02024482 After running the 'vsx_util reconfigure' command on the Management Server, the VLAN interface on 60000 / 40000 chassis in VSX mode might come up without an IP address if the VLAN's MTU was set to a value larger than 1500.
    Refer to sk111513.
     R76SP.40  -
    01821671 In VSX HA mode, VLAN trunk ports cannot be monitored from the context of Virtual Systems (only from the context of the VSX Gateway itself - VS0).  R76SP.30   -
    01812597 No local configuration should be performed on 60000 / 40000 chassis while 'vsx_util reconfigure' is running on the Management Server.
    It is necessary to wait until all SGMs and Virtual Systems are up and running (otherwise, the local configuration will not be applied).
    R76SP.30   -
    01620389 You cannot configure Bond interfaces on chassis Management ports after you create the VSX object in SmartDashboard.  R76SP.20  -
    01527874 Virtual Switches without physical interfaces are not supported for Chassis VSLS. R76SP.10_VSLS   -
    01284809 To use the Sync Lost mechanism, you must keep the Management interfaces for both chassis connected.  R76SP  -
    01341918 You cannot enable IPv6 before you create and configure a new VSX Gateway. You must first create the new VSX Gateway and then enable and configure IPv6 using gclish.  R76SP
    01087321 VSX Gateway creation in SmartConsole and the 'vsx_util reconfigure' command are supported when only the left-most SGM is in the Security Group. R76SP 
    01097957 If you lower the Connections Table limit of a Virtual System, and one of the SGMs has more or the same number of connections than the limit, the new value is rejected for that SGM. The new Connections Table limit may be accepted by other SGMs


    • To see the current number of entries in the Connections Table, run this command in Expert mode: [Expert@HostName:0]# fw tab -t connections -s
    • To configure the Connections Table limit of a Virtual System: In SmartDashboard, open the Virtual System object - go to the "Capacity Optimization" pane - set the value in the "Limit the maximum concurrent connections" field - click on OK - install the policy.
    R76SP   -
    00922958 The Alerts configuration wizard does not allow setting of performance thresholds per Virtual System.

    You can manually configure thresholds for Virtual Systems using the 'dbsetcommand from the Expert shell:

    [Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold: <alert_name> <value>

    Where <value> is the percentage of the default threshold per SGM.


    [Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:packet_rate_threshold_high 30

    In this example, an alert is triggered when any Virtual System packet rate is higher than 30% x 1.8MB (1.8MB is the default packet rate threshold per SGM).


    One ratio applies to all Virtual Systems.

    MBS-3259 R80.20SP does not support Fast Accelerator (see sk156672 for more details). R80.20SP

    Jumbo HFA for R80.20SP Take 178

    MBS-5415 Configuring the 'SYN Attack' protection in SmartConsole is not supported. You must only use the 'fwaccel synatk' and 'fwaccel6 synatk' CLI commands. R80.20SP  -
    MBS-5610 An Accelerated SYN Defender configuration made with the 'fwaccel synatk' / 'fwaccel6 synatk' commands might not be applied on non-SMO members. R80.20SP Jumbo HFA R80.20SP Take 105
    MBS-6834 Security Group members do not pull the SecureXL configuration from the $PPKDIR/conf/simkern.conf file on the SMO SGM. R80.20SP Jumbo HFA R80.20SP Take 121

    These SecureXL commands are not supported:

    • g_fw sam_policy batch
    • g_fw6 sam_policy batch 
    R80.20SP -
    1. Output of the 'asg perf -p' command shows that the "Throughput" is 0 in the "Firewall" column.
    2. Output of the 'asg perf -v' command shows that the "Throughput" value is lower than expected (the F2F traffic is missing).
    3. SNMP Query for OID . (asgThroughput) returns a value lower than expected (the F2F traffic is missing).
    R80.20SP -
    MBS-6084 To support asymmetric connections, it is necessary to enable the cluster synchronization in the corresponding service's properties (Advanced pane > in the Cluster and synchronization section, select Synchronize connections if Synchronization is enabled on the cluster > install policy). R80.20SP  Jumbo HFA R80.20SP Take 105
    MBS-5864 In Dual Chassis, the user must install policy after changing the mode of a bond interface (for example, from XOR to 802.3AD), so that the bond interface is monitored by the cluster. R80.20SP  Jumbo HFA R80.20SP Take 105
    MBS-3106 In VSX mode, after disabling or enabling the Hyper-Threading feature in the cpconfig menu and rebooting, another reboot is required for the system to apply the Multi-Queue configuration. R80.20SP -
    Known Limitations - Networking
    MBS-2199 After a failover of the FTP control connection in Scalable Platforms, it is not possible to open an asymmetric FTP data connection.  R80.20SP -
    MBS-4098 GRE tunnel is not supported.   R80.20SP  -
    MBS-1274 R80.20SP does not support the reserved connections feature (the 'asg_reserved_conns' command).  R80.20SP 
    MBS-3944 R80.20SP does not support asymmetric traffic between two chassis in Dual Chassis deployment.  R80.20SP 
    MBS-3897 R80.20SP does not support Alias IP addresses on its interfaces. R80.20SP  Jumbo HFA R80.20SP Take 279
    MBS-1520 R80.20SP does not support Group of Bonds (ABXOR). R80.20SP
    MBS-9798 Scalable Platforms and Maestro Security Appliances support fragmented packets with Layer 4 distribution only in Gateway mode with CoreXL enabled. R80.20SP -
    MBS-2049 After installation, a static route to is automatically created due to the preconfigured subnet for the eth1-Mgmt4 interface.

    If you need to configure another static route for the eth1-Mgmt4 interface:

    1. Remove the current static route to
    2. Add the required static route for the eth1-Mgmt4 interface. 
    R80.20SP  -
    MBS-5164 The 'asg_tmpl_special_svcs' command is no longer supported. R80.20SP  -
    MBS-5311 QoS is not supported on the SSM data ports (the 'set ssm id data-port qos status on' command). R80.20SP  -
    MBS-2354 TFTP connections do not survive failover when using SSM440 and the distribution matrix size of 16K. R80.20SP
    MBS-7014 You must configure the Bond Interface on the Management Ports (MAGG) only from gClish. Configuring MAGG in Gaia Portal is not supported. R80.20SP  -
    MBS-7769 In Dual Chassis deployment, the external synchronization network between the two Chassis on different sites must guarantee a latency of no more than 100ms and a packet loss of no more than 5%. R80.20SP  -
    MBS-7771 In Dual Chassis deployment, the external synchronization network between the two Chassis must not contain Layer 3 routers (because they drop Cluster Control Protocol packets).  R80.20SP  -
    MBS-2991, MBS-6601, SPC-994 Configuration of RX/TX ringsize is supported only on eth<X>-Mgmt4 and BPEth<X> interfaces (either with the Expert command 'ethtool -g', or the Gaia Clish command 'set interface ...'). R76SP.50 -
    MBS-9105 When IPv6 traffic passes through Security Groups, it is not supported to disable the 'Drop out of state TCP packets' setting in SmartConsole > Global properties > Stateful Inspection. R80.20SP -
    - When using SGM400, 40GB Back Plane (BP) connectivity speed is supported for both SSM160 and SSM440. In order to switch to 40GB, the SSM's downlink ports should be set to 'Auto' Speed. Refer to sk118435. R76SP.50   -
    00846789 You cannot use VLANs on a Management interface. R76SP   
    01052419 Connections may break when you change the System Distribution Mode using either the 'set distribution configuration' command or the 'set distribution interface' command. R76SP 
    01176232 Virtual System with VLAN interfaces in Bridge Mode does not support non-IP protocols. R76SP   -
    Dynamic Routing
    MBS-3951 When you configure a routemap that includes the 'direct' parameter, it will also advertise the internal communication networks CIN and Sync. On Scalable Platforms, you have to filter out manually such internal communication networks. R80.20SP  -
    MBS-3950 If you filter the 'protocol direct' on a routemap and do not specify an interface, then it will also advertise the internal communication CIN and Sync networks of the 60000 / 40000 Scalable Platform. R80.20SP  -
    MBS-4172 PIM mode 'SSM' is not supported. R80.20SP  -
    01862808 Critical Device (pnote) named routed was added to prevent traffic outage by allowing the RouteD daemon to synchronize BGP routes.
    • In BGP DR Manager failback scenarios, the old BGP DR manager will go down for 2 minutes.
    • When RouteD daemon restarts on BGP DR Manager, BGP DR Manager will go down for 2 minutes.
     R76SP.30  -
    00736037 OSPF is not supported on Management interfaces. R76SP  -
    00771254 BGP confederations are not supported.  R76SP  -
    02487403 IPv6 02487403 SSM Layer4 Distribution Mode is supported for IPv4 only. The IPv6 traffic will be distributed based on the Source/Destination IP addresses only.

    Note: a system can use SSM Layer4 Distribution Mode while IPv4 and IPv6 are inspected by the Security Gateway. Each IP version will use a different mechanism to distribute traffic, as described above.

       R76SP.50 -
    Known Limitations - Software Blades
    MBS-3946 R80.20SP does not support Carrier Security (LTE). R80.20SP -
    • Site-to-Site VPN with IPv6 peers is not supported.
    • Remote Access VPN from IPv6 clients is not supported.
    R80.20SP -
    MBS-2461 It is not supported to initiate a connection from an SGM if the connection's destination requires encryption. R80.20SP   -
    MBS-5242 VPN traffic on a VSX Virtual System that is connected to a VSX Virtual Switch is supported only when the distribution mode configured for the WRP interface is the same as the distribution mode configured for the physical interface on the VSX Virtual Switch.

    Example of a VSX topology:

    (Virtual System) === wrp100 === (Virtual Switch) === (eth1-01)

    The same distribution mode must be configured for the interface wrp100 as was configured for the interface eth1-01.

    R80.20SP  -
    MBS-5284 VPN Permanent Tunnels are not supported. R80.20SP
    MBS-2472 In the Security Gateway object -> IPSec VPN, the Link Selection supports only the Always use this IP address selection methods: 
    • Main address
    • Selected address from topology table
    • Statically NATed IP
    1. It is not supported to configure a Scalable Platform 40000 / 60000 object as a VPN Satellite Gateway if other VPN peers communicate through it.
    2. It is not supported to configure Client to Site traffic over the Site-to-Site VPN tunnel with a Scalable Platform 40000 / 60000.
    MBS-8298 In a Security Group object, it is not supported to configure VPN on the Management port (eth_X_-Mgmt_Y_) assigned to the Security Group. R80.20SP
    MBS-8322  VPN Wire mode is not supported. R80.20SP  -
    MBS-8316 IPv6 VPN is not supported. R80.20SP -
    02487412 A VPN can be used with SSM Layer4 Distribution Mode, but the VPN traffic will be distributed based on the Source/Destination IP addresses.  R76SP.50  -
    Threat Prevention (Anti-Virus, Anti-Bot, Threat Emulation)
    MBS-4094 Scalable Platforms 40000 / 60000 do not support ICAP Server configuration. R80.20SP -
    MBS-9405 When the Threat Extraction blade is enabled, the original attachment file might not be available for download due to a limitation in a Cluster Load Sharing environment. It is recommended to disable this blade in the corresponding Threat Prevention profile. R80.20SP Jumbo HFA R80.20SP Take 279
    (Security Gateway only)
    Identity Awareness
    SPC-990 Identity sharing must be configured with ethX-MgmtX and for communicating with the PDP side. R76SP.50 -
    MBS-10248 Identity Broker is not supported. R80.20SP -
    MBS-2832 Logs for session connections, generated by Software Blades on Scalable Platforms R80.20SP, do not show the SGM ID. R80.20SP -
    Application Control
    MBS-8969 Security Group members do not synchronize the configuration file $FWDIR/appi/update/appi_parameters.C automatically. For more information, see sk146993 - notes for Scalable Platforms. R80.20SP -
    Known Limitations - Monitoring
    MBS-3601 The 'asg alert' command does not support sending alerts in SMS. R80.20SP -
    01255170 For monitoring the 60000 / 40000 Scalable Platforms over the SNMP, the only supported OIDs are under (OID  R76SP  -
    00630753 The 'snmpwalk' or 'snmpget' commands on OIDs that have prefixes with (asgIPv4PerformanceCounters) or (asgIPv6PerformanceCounters) display values calculated on the Active Chassis only.  R76SP  -
    This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

    Give us Feedback
    Please rate this document