Check Point Maestro R80.20SP Known Limitations
Solution

 Table of Contents:

  • Introduction
  • Non Supported Features
  • Known Limitations

Introduction

This article lists all known limitations for Check Point Maestro R80.20SP (see sk138233).  

This is a live document that may be updated without special notice. We recommend that you register for our weekly updates in order to stay up to date. To register, go to UserCenter > ASSETS / INFO > My Subscriptions.

 

Important notes:

  • To get a fix for an issue listed below, contact Check Point Support with the issue ID.

  • To see if an issue has been fixed, search for the issue ID in Support Center.


This article contains two sections:

  • Non Supported Features
  • Known Limitations

Note: If not stated otherwise, all items listed below apply to both Security Gateway and VSX Gateway.

Non Supported Features

The following features are not supported in Check Point Maestro R80.20SP, and may be supported in future versions.

  • General
    • General
    • Gaia OS
    • Hardware
    • License
    • Cluster
    • Management and Policy
  • Infrastructure
    • SecureXL
    • VSX
  • Networking
    • Networking
    • IPv6
    • Carrier Grade NAT (CGNAT)
  • Software Blades
    • Firewall
    • VPN
    • Threat Prevention
    • HTTPS Inspection
    • DLP
    • SmartView Monitor
    • QoS
    • SmartProvisioning

ID | Symptoms | Reported In | Resolved In
Non Supported Features - General
General
MBS-3246
R80.20SP does not support:
  • DHCP Client configuration
  • DHCP Server configuration
  • Dynamically Assigned IP (DAIP) configuration
R80.20SP
-
MBS-2379 The image auto-clone feature (set smo image auto-clone state on) only supports SGMs that run the same major version. When you add a new SGM to the R80.20SP chassis (add smo security-group), it either must not have any version installed, or it must have the R80.20SP version installed. R80.20SP  -
MBS-1586 The 'asg_syslog' command is no longer supported. Use the Gaia Clish 'set syslog ...' command instead. R80.20SP
MBS-1360 To install a license with the 'cplic put' command, before you run the Gaia First Time Configuration Wizard, you must run the 'cplic put' command in Expert mode. R80.20SP
MBS-5038 You can only connect two Maestro Security Orchestrators of the same model for redundancy. R80.20SP
MBS-5033 You can assign only appliances of the same model to the same Security Group. R80.20SP  -
MBS-5035 Maestro Security Orchestrator does not support:
  • Scalable Platforms 40000 / 60000
  • Small Business and Branch Offices appliances 3000, 1400, 1200R, or lower.
R80.20SP  -
MBS-5581 In R80.30 SmartConsole, when configuring a Maestro Security Gateway object, you must select only the R80.20SP version. R80.20SP
MBS-6600 To support the auto-clone feature (set smo image auto-clone state on), you must install R80.20SP Jumbo Hotfix Accumulator (sk155832). R80.20SP  -
MBS-8326 Maestro Security Appliances do not support installation with the Central Deployment Tool (sk111158). R80.20SP  -
MBS-8327 Maestro Security Appliances do not support the Management Data Separation feature (sk138672). R80.20SP
SPC-89 "Unified MAC for data ports" mode is not supported by VSX. R76SP.50  -
01517974 ISP Redundancy is not supported.  R76SP.10  -
01350464 R80.20 supports only hotfixes that were created specifically for this version. Hotfixes created for maintrain versions are not supported.  R76SP
00595914 Security Server (FTP/HTTP with Resource) is not supported. R76SP
00824847 Maestro Security Appliances do not support OPSEC SDK. R76SP  -
01800842 Hide NAT for traffic initiated from the Management interface of Maestro Security Appliances is not supported.  R76SP   -
01322440 Maestro Security Appliances can not be configured as DHCP Servers.  R76SP  -
SPC-929 Dynamic NAT is not supported.   R76SP  -
Gaia OS
MBS-2836
The 'asg profile' command is not supported.
R80.20SP
-
MBS-3369 The "asg_archive" utility is no longer supported. To monitor the history data, use the CPview History mode per SGM.   R80.20SP
MBS-3625 The 'save configuration' command in gclish is not supported.  R80.20SP
MBS-3579 The Pingable Hosts State event type in the "asg alert" is not supported.   R80.20SP  -
MBS-4756 Maestro Hyperscale System does not support Gaia Cloning Groups.   R80.20SP 
MBS-2372 It is not supported to manually update or install the CPUSE Agent.   R80.20SP   -
MBS-5309 The Gaia Portal on Maestro Hyperscale Orchestrator supports these web browsers:
  • Google Chrome 71.0 and later
  • Microsoft Edge 40.15063 and later
  • Microsoft Internet Explorer 11.0.50 and later
  • Firefox 64.0 and later
R80.20SP 
MBS-5488 The Gaia Clish / Gaia gClish command 'snapshot_recover' is not supported.  R80.20SP Jumbo HFA R80.20SP Take 105
Hardware
MBS-1244 The Check Point Performance Sizing Utility 'cpsizeme' (see sk88160) is not supported.  R80.20SP 
MBS-4754 Maestro Security Appliances do not support Central Management of Gaia Device Settings:
  1. In SmartConsole, click on "Gateways & Servers" on the navigation panel.
  2. Right-click on the Maestro Security Appliance gateway object. 
  3. The "Scripts" menu and "Actions" menu are not supported.  
  R80.20SP 
MBS-5227 It is not supported to install both of the following expansion cards in the same Security Appliance connected to a Maestro Hyperscale Orchestrator:
  • 10 GbE and 40 GbE
  • 10 GbE and 100 GbE
R80.20SP  -
MBS-5742 Maestro R80.20SP does not support Falcon Acceleration Cards (see sk116242). R80.20SP
MBS-6466 All Security Appliances in the same Maestro Security Group must have identical Expansion Cards installed (the type and the number):
  • All Security Appliances must have 1 x Quad-Port NIC, 1 x Dual-Port NIC, or 2 x Dual-Port NICs.
  • All other Expansion Cards must be removed from all Security Appliances, even if these Expansion Cards are not used.
R80.20SP  -
License
MBS-7929
Central License is not supported on Maestro appliances. 
R80.20SP -
Cluster
MBS-2521
Maestro Hyperscale System does not support VRRP configuration.
 R80.20SP   -
Management and Policy
Non Supported Features - Infrastructure
SecureXL
VSX
MBS-3522 Enabling ICMP / CCP probing on cluster interfaces (setting the value of the kernel parameter fwha_enable_if_probing to 1) is not supported in VSX mode. R80.20  -
01413513
Virtual Routers are not supported. R76SP.10
-
01096568 The VSX Gateway can not be managed from data ports.
The supported Management interfaces are:
  • eth1-Mgmt1, eth1-Mgmt2, eth1-Mgmt3, eth1-Mgmt4
  • eth2-Mgmt1, eth2-Mgmt2, eth2-Mgmt3, eth2-Mgmt4
R76SP  -
Non Supported Features - Networking
Networking
MBS-7022 The maximum supported number of VLAN interfaces on each Uplink port on a Maestro Orchestrator is 42. Refer to sk160552
R80.20SP  Jumbo HFA R80.20SP Take 178
MBS-4866 R80.20SP does not support ISP Redundancy configuration.   R80.20SP
MBS-4024
R80.20SP does not support the Bidirectional Forwarding Detection (BFD).
R80.20SP
 -
MBS-5482 It is not supported to configure an IPv6 address on ethX-MgmtX interfaces. R80.20SP  -
MBS-5293 Maestro Hyperscale Orchestrator's dedicated Sync interface cannot be part of a bond interface. R80.20SP  -
MBS-5104 You can only connect one DAC / Fiber cable between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator. Connecting two cables between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator is not supported. R80.20SP Jumbo HFA R80.20SP Take 105
02003875 LACP is not supported with Management Aggregation (MAGG). R76SP.40  -
01262356 PIM Sparse mode is not supported when the Maestro Security Appliance is defined as a Rendezvous Point (RP).  R76SP  -
IPv6
02621541
IPv6 VPN is not supported.
R76SP
-
Carrier Grade NAT (CGNAT)
Non Supported Features - Software Blades
Firewall  
02641733 The 'fw sam' command (sk112061) is not supported. R76SP
SPC-986
Carrier Security (LTE) is supported only on the Security Gateway.
R76SP
-
VPN
01685300 SSL VPN is not supported for deployments that use NAT on Office Mode network.  R76SP.20
01445638 Traditional mode VPN is not supported.  R76SP.10
00737055 Virtual Tunnel Interfaces (VTI) are not supported.  R76SP  
00750851 Route-based probing configuration is not supported for VPN Link Selection in High Availability mode.  R76SP  -
01344987 Per-gateway VPN is not supported.  R76SP  -
01340588 Corporate Enforcement is not supported.  R76SP  -
Threat Prevention (Anti-Virus, Anti-Bot, Anti-Spam, Threat Emulation)
HTTPS Inspection
DLP
01157859, 01349731
DLP Fingerprint is not supported.
R76SP
-
SmartView Monitor
00593173
SmartView Monitor is not supported for Maestro Security Appliances. Statistics are only collected from a single SGM and do not describe all traffic that is passing through the system.
R76SP
-
QoS
01248880 The QoS blade is not supported.  R76SP -
SmartProvisioning
01511158
SmartProvisioning of Maestro Security Appliances is not supported.
R76SP
-

 

Known Limitations

The following limitations are known in Check Point Maestro R80.20SP.

  • General
    • General
    • Gaia OS (Global Shell / Commands)
    • Hardware
    • Management and Policy
    • Dual Site Deployment
    • VoIP


  • Installation
    • Installation / Upgrade
    • Licensing
  • Infrastructure
    • Security Gateway
    • VSX
    • SecureXL
    • CoreXL
    • Cluster
    • Hyper-Threading


  • Networking
    • Networking
    • Dynamic Routing
    • IPv6
  • Software Blades
    • IPS
    • VPN
    • Threat Prevention
    • URL Filtering
    • HTTPS Inspection
    • Identity Awareness
    • ConnectControl
    • DLP
    • Logs
  • Monitoring
    • SNMP
    • CPView

ID | Symptoms | Reported In | Resolved In
Known Limitations - General
General
MBS-3114
You can restore snapshots only on the same appliance type on which they were collected.
R80.20SP
-
MBS-3363 R80.20SP does not support the 'asg_selective_template_exclude' command.  R80.20SP  -
MBS-6140 Each Security Group must have a unique hostname. R80.20SP  -
SPC-1104 Connections that arrive via the data interface and are sent out via the management interface are not supported. R76SP.50
SPC-1111 Connections that arrive via the management interface and are sent out via the data interface are not supported. R76SP.50  -
02476852 Before importing a snapshot on SGM, you must check if there is enough free disk space. If necessary, delete old snapshots and other unneeded files to free up disk space. SGMs that do not have enough disk space will not create the snapshot in their database, and there will be no error message to indicate this. R76SP.50   -
01247865 'cpstop' and 'cpstart' commands are not supported for Maestro Security Appliances.  R76SP
Gaia OS (Global Shell / Commands)
MBS-4080
Gaia OS does not support Bond interface in Round Robin mode. R80.20SP
-
MBS-964 Maestro Hyperscale System does not support the NTP Server configuration.  R80.20SP  -
MBS-5177 Maestro appliances do not support the following Gaia Clish commands: 
  • set chassis id VALUE alert_threshold cpus_temperature_threshold_low VALUE
  • set chassis id VALUE alert_threshold fans_threshold_high VALUE
  • set chassis id VALUE alert_threshold fans_threshold_low VALUE
  • set chassis id VALUE alert_threshold power_consumption_threshold_perc_high VALUE
  • set chassis id VALUE alert_threshold power_consumption_threshold_perc_low VALUE
  • set chassis id VALUE modules_amount cmm VALUE
  • set chassis id VALUE modules_amount fans VALUE
  • set chassis id VALUE modules_amount power_units VALUE
  • show chassis high-availability factors sensor cmm
  • show chassis high-availability factors sensor fans
  • show chassis high-availability factors sensor power_supplies
  • show chassis id VALUE alert_threshold cpus_temperature_threshold_high  
  • show chassis id VALUE alert_threshold cpus_temperature_threshold_low  
  • show chassis id VALUE alert_threshold fans_threshold_high
  • show chassis id VALUE alert_threshold fans_threshold_low
  • show chassis id VALUE alert_threshold power_consumption_threshold_perc_high
  • show chassis id VALUE alert_threshold power_consumption_threshold_perc_low
  • show chassis id VALUE modules_amount cmm
  • show chassis id VALUE modules_amount fans
  • show chassis id VALUE modules_amount power_units
 R80.20SP
MBS-5478 The asg_drop_monitor command does not support the "-ssm -t<timeout>" parameter. R80.20SP   -
MBS-5488 The Gaia Clish / Gaia gClish command 'snapshot_recover' is not supported. R80.20SP  -
MBS-7009 When creating Gaia OS users on Maestro Orchestrator, you must configure these users with UID 0. R80.20SP
02476859 Gaia Clish command 'show snapshots' might display the following error: "NMSNAP9999 Timeout waiting for response from database server".

Workaround: Run the 'show snapshots' command again.

R76SP.50   -
02476902 Gaia Clish command 'show snapshots' might display the following error: "NMSNAP0042 Snapshot mechanism is not supported in this system".

Workaround: Run the 'show snapshots' command again.

R76SP.50   -
00738300 The 'asg' commands are an extension of native gclish commands.
The 'asg' commands have different syntax and there is no auto-completion.
R76SP   -
00621838 From gclish, running the 'show hostname' command returns the hostname shared by all the SGMs, but not the specific ID for each SGM. The specific ID is displayed as %m.  R76SP  -
00642401 A CLI command that uses a range for the parameter can only operate if all the relevant SGMs are defined in the security group.  R76SP  -
00633262 The arguments of the global commands are processed before the local (native) arguments, and this can cause the local arguments to be ignored. For example, the 'g_ls -l /tmp/' command is processed as 'ls /tmp/' on the local SGM instead of as 'ls -l /tmp/' on all SGMs.

Relocating the local arguments within the command (where applicable) can resolve the problem. For example, run the 'g_ls /tmp/ -l' command instead of the 'g_ls -l /tmp/' command.

 R76SP  -
01061553 When exporting or importing a snapshot, you must export from or import to the /var/log directory.
  • To export a snapshot, run the 'set snapshot export <image_name> path /var/log/' command.
  • To import a snapshot, run the 'set snapshot import <image_name> path /var/log/ name <new_name_for_image>' command.
R76SP   -
01089206
Running the 'asg_hard_shutdown' command on an SGM two times, one after the other, causes a reboot and not a shutdown.

It takes one minute for the SGM to shut down after running the 'asg_hard_shutdown' command. During this interval, do not run the 'asg_hard_shutdown' command again.

R76SP   -
01237799 When you run multiple gclish 'set ...' commands, one after another, some of these commands can stop running. When this happens, the message "Processing Transaction" shows in the output. R76SP   -
Hardware
MBS-5205 Hardware Health Monitoring is not supported in Maestro Orchestrator. R80.20SP  -
MBS-6583 After the Gaia OS installation completes on Maestro Security Appliances 5600, you must manually reboot them. R80.20SP
SPC-214 On SSM440, when working with 1G copper transceiver in ethX-Mgmt4, after SSM reboot the interface will show the link as up but traffic will not pass.
Refer to sk126612.
 R76SP.50
02434343 On SSM440, error "Dot3Ah: Failed getting variable from bm" can appear when running the 'system reload' command.  R76SP.50
02169635 On SSM440, the MTU is limited to a maximum of 9000 bytes.  R76SP.50  -
02496928 Verification is needed after changing QSFP mode on SSMs:
"show smo verifiers print name <Port_Speed>".

If verification fails, change the QSFP mode on SSMs again:
"set ssm id <SSM_ID> qsfp-ports-mode <Port_Speed>"

R76SP.50   -
00624269 The Ethernet ports on the SGMs are not used. Each SGM has two Ethernet ports that are not used by the system and must not be configured. The output of the 'ifconfig' command displays these ports as eth1 and eth2.  R76SP
Management and Policy
MBS-3001
To fetch logs from SGMs on a Maestro Security Appliance, you must use SmartConsole. Running the 'fw fetchlog' command on the Management Server is not supported.
R80.20SP
-
MBS-8515 NAT64 and NAT46 objects are not supported in the Access Control policy. R80.20SP  -
Dual Site Deployment
MBS-6991 After Dual Site is configured, it is not supported to change the Site ID on the Orchestrators. R80.20SP 
MBS-7606 In Dual Site Deployment, each Security Group must contain at least one Security Appliance from each site. R80.20SP  -
MBS-7028 In Dual Site Deployment, the following requirements apply to ports (and cables) on the Orchestrators that synchronize with each other on both sites:

(1) The same port type (mgmt / uplink / downlink / external sync / internal sync) must be configured for the same ports.

Example 1: 

If Port 5 on Orchestrator 1_1 is configured as uplink, then Port 5 on Orchestrator 2_1 must also be configured as uplink.

Example 2:

If Port 20 on Orchestrator 1_2 is configured as downlink, then Port 20 on Orchestrator 2_2 must also be configured as downlink.

(2) The split cables, and the ports to which they are connected, must be identical.

Example 1:

If a 4x10 DAC is connected to Port 5 on Orchestrator 1_1, then an identical 4x10 DAC must also be connected to Port 5 on Orchestrator 2_1.

Example 2:

If a 4x10 DAC is connected to Port 20 on Orchestrator 1_2, then an identical 4x10 DAC must also be connected to Port 20 on Orchestrator 2_2.

R80.20SP
MBS-6947 In Dual Site deployment, no warning is displayed when changing the "type" of the QSFP port in Gaia Clish on Maestro Hyperscale Orchestrators on the local site, while the Maestro Hyperscale Orchestrators on the remote site are down. R80.20SP  -
MBS-7744 In Dual Site deployment, the external synchronization connection between the Orchestrators on different sites must be a direct Layer 2 link (switches are not supported).  R80.20SP  -
MBS-7771 In Dual Site deployment, the external synchronization network between the Orchestrators on different sites must not contain Layer 3 routers (because they drop Cluster Control Protocol packets).  R80.20SP  -
MBS-7773 In Dual Site deployment, each Security Group can contain a maximum of 28 Security Appliances (14 Security Appliances from each site). R80.20SP  -
MBS-7769 In Dual Site deployment, the external synchronization network between the Orchestrators on different sites must guarantee a latency of no more than 100ms and a packet loss of no more than 5%. R80.20SP
VoIP
PMTR-8896
Asymmetric VoIP connections of SIP and SKINNY protocols do not survive cluster failover.  R80.20SP
-
Known Limitations - Installation
Installation / Upgrade
01488400
Running 'asg' or other global commands before the setup wizard completes is not supported.
R76SP.10
-
Licensing
MBS-6099 A Maestro Security Appliance that was removed from a Security Group and then added back to the same Security Group might not pull the license from the existing members of the Security Group. As a result, this Security Appliance remains in the DOWN state. R80.20SP  Jumbo HFA R80.20SP Take 105
01951566, MBS-4510
Installation of a Central license with SmartUpdate requires a policy installation on the Security Gateway / VSX Gateway (in the context of the VS0) object in order to propagate the license. 
R76SP.40
-
Known Limitations - Infrastructure
Security Gateway
MBS-4895
The 'fw sam_policy' ('fw samp') commands are not supported for Maestro Security Appliances in VSX mode.
R80.20SP
-
VSX
MBS-3209
R80.20SP does not support Multi Bridge (support for multiple bridge interfaces on a Virtual System in Bridge Mode).
R80.20SP
-
MBS-4228 After reconfiguring a VSX Gateway with the 'vsx_util reconfigure' command, you must manually install policy on each Virtual System from SmartConsole.  R80.20SP
MBS-5214 VSX Virtual Switch is not supported.  R80.20SP R80.20SP Jumbo HFA Take 178
MBS-5457 If after creating a new Virtual System object, policy installation on a Security Group object fails with "Error code: 0-2000240", wait 2-3 minutes and install the policy again.  R80.20SP Jumbo HFA R80.20SP Take 105
MBS-6306 Log Server Distribution (asg_log_servers) is not supported on Maestro Security Appliances.  R80.20SP Jumbo HFA R80.20SP Take 105
MBS-6572
A change in the number of CoreXL Firewall instances (in a VSX Virtual System object in SmartConsole) in Dual Chassis VSLS setup requires a downtime, because the Virtual System must be restarted. During this restart, traffic cannot pass through the Virtual System. R80.20SP   -
MBS-5636

A reset of SIC between the Security Appliances in VSX mode and the Management Server might cause the non-SMO members to change their state to DOWN.

To recover: Reboot the non-SMO members.

R80.20SP  Jumbo HFA R80.20SP Take 105
MBS-6176 To create a VSX Gateway object in SmartConsole for a Maestro Security Group:
  1. Assign at least two interfaces to the Security Group.
  2. Install the R80.20SP Jumbo Hotfix Accumulator (sk155832) on all Security Appliances in the Security Group.
  3. In SmartConsole, create a VSX Gateway object.
R80.20SP
02024482 After running the 'vsx_util reconfigure' command on the Management Server, the VLAN interface on 60000 / 40000 chassis in VSX mode might come up without an IP address if the VLAN's MTU was set to a value larger than 1500.
Refer to sk111513.
 R76SP.40  -
01821671 In VSX HA mode, VLAN trunk ports cannot be monitored from the context of Virtual Systems (only from the context of the VSX Gateway itself - VS0).  R76SP.30   -
01812597 No local configuration should be performed on 60000 / 40000 chassis while 'vsx_util reconfigure' is running on the Management Server.
It is necessary to wait until all SGMs and Virtual Systems are up and running (otherwise, the local configuration will not be applied).
R76SP.30   -
01620389 You cannot configure Bond interfaces on chassis Management ports after you create the VSX object in SmartDashboard.  R76SP.20  -
01341918 You cannot enable IPv6 before you create and configure a new VSX Gateway. You must first create the new VSX Gateway and then enable and configure IPv6 using gclish.  R76SP
01097957 If you lower the Connections Table limit of a Virtual System, and one of the SGMs has more or the same number of connections than the limit, the new value is rejected for that SGM. The new Connections Table limit may be accepted by other SGMs.

Notes:

  • To see the current number of entries in the Connections Table, run this command in Expert mode: [Expert@HostName:0]# fw tab -t connections -s
  • To configure the Connections Table limit of a Virtual System: In SmartDashboard, open the Virtual System object - go to the "Capacity Optimization" pane - set the value in the "Limit the maximum concurrent connections" field - click on OK - install the policy.
R76SP   -
00922958 The Alerts configuration wizard does not allow setting of performance thresholds per Virtual System.

You can manually configure thresholds for Virtual Systems using the 'dbset' command from the Expert shell:

[Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold: <alert_name> <value>

Where <value> is the percentage of the default threshold per SGM.

Example:

[Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:packet_rate_threshold_high 30

In this example, an alert is triggered when any Virtual System packet rate is higher than 30% x 1.8MB (1.8MB is the default packet rate threshold per SGM).

Note:

One ratio applies to all Virtual Systems.

 R76SP
SecureXL
MBS-3259
R80.20SP does not support the Fast Accelerator (the 'sim fastaccel' command).
R80.20SP
Jumbo HFA R80.20SP Take 178
MBS-5415 Configuring the 'SYN Attack' protection in SmartConsole is not supported. You must only use the 'fwaccel synatk' and 'fwaccel6 synatk' CLI commands. R80.20SP  -
MBS-6834 Security Appliances do not pull the SecureXL configuration from the $PPKDIR/conf/simkern.conf file on the SMO Security Appliance. R80.20SP Jumbo HFA R80.20SP Take 121 
MBS-8143

These SecureXL commands are not supported:

  • g_fw sam_policy batch
  • g_fw6 sam_policy batch
R80.20SP -
CoreXL
MBS-6572
A change in the number of CoreXL Firewall instances (in a VSX Virtual System object in SmartConsole) in Dual Chassis VSLS setup requires a downtime, because the Virtual System must be restarted. During this restart, traffic cannot pass through the Virtual System. R80.20SP   -
MBS-8151 By default, CoreXL is disabled on Maestro Security Appliances 5600. To enable and configure CoreXL, refer to the R80.20SP Maestro Performance Tuning Guide (chapter: CoreXL).  R80.20SP  -
Cluster
MBS-6084
To support asymmetric connections, it is necessary to enable the cluster synchronization in the corresponding service's properties (Advanced pane > in the Cluster and synchronization section, select Synchronize connections if Synchronization is enabled on the cluster > install policy). 
R80.20SP  -
MBS-5864 The user must install policy after changing the mode of a bond interface (for example, from XOR to 802.3AD), so that the bond interface is monitored by the cluster. R80.20SP  Jumbo HFA R80.20SP Take 105
Hyper-Threading
MBS-3106
In VSX mode, after disabling or enabling the Hyper-Threading feature in the cpconfig menu and rebooting, another reboot is required for the system to apply the Multi-Queue configuration.
R80.20SP
-
Known Limitations - Networking
Networking
MBS-2199
After a failover of the FTP control connection in Maestro Security Appliances, it is not possible to open an asymmetric FTP data connection. 
R80.20SP
-
MBS-4098 GRE tunnel is not supported.   R80.20SP  -
MBS-1274 R80.20SP does not support the reserved connections feature (the 'asg_reserved_conns' command).  R80.20SP 
MBS-3897 R80.20SP does not support Alias IP addresses on its interfaces. R80.20SP   -
MBS-2049 After installation, a static route to 192.168.1.254 is automatically created due to the preconfigured subnet for the eth1-Mgmt4 interface.

If you need to configure another static route for the eth1-Mgmt4 interface:

  1. Remove the current static route to 192.168.1.254
  2. Add the required static route for the eth1-Mgmt4 interface. 
R80.20SP  -
MBS-3859 If you installed a 40 GbE card or a 100 GbE card on a Check Point appliance you wish to connect to the Maestro Security Orchestrator, and you did not receive this card as part of the Maestro product, make sure this card meets the minimal requirements:

1. Connect to the command line of the Check Point appliance.

2. Log into Expert mode.

3. Run this single long command:

[Expert@Appliance:0]# for NIC in $(ifconfig | grep ethsBP | awk '{print $1}') ; do echo $NIC: ; ethtool -i $NIC | grep firmware ; done

4. The 'firmware-version' has to be '12.22.1002' or higher.

Example output:

ethsBP4-01:
firmware-version: 12.22.1002
ethsBP4-02:
firmware-version: 12.22.1002

R80.20SP  -
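
An added example (not Check Point's own code) that evaluates the output of the command in step 3 against the minimum from step 4. The function names and the sample report, including its below-minimum and missing-firmware cases, are constructed for illustration.

```shell
#!/bin/bash
# Added example: evaluate the output of the firmware query from MBS-3859.

MIN_FW="12.22.1002"   # minimum 'firmware-version' stated in MBS-3859

# version_ge A B: succeeds when dotted numeric version A is >= B.
# Fields are compared as numbers, so 12.100.1 ranks above 12.22.1002.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_firmware_report: reads "NIC:" / "firmware-version: X" pairs on stdin,
# prints one verdict line per NIC, and returns 1 if any NIC is not OK.
check_firmware_report() {
    local line nic="" ver seen=1 rc=0
    while IFS= read -r line; do
        case "$line" in
            ethsBP*:)
                # New NIC header; flag the previous NIC if it had no firmware line.
                if [ -n "$nic" ] && [ "$seen" -eq 0 ]; then
                    echo "$nic UNKNOWN"; rc=1
                fi
                nic=${line%:}; seen=0
                ;;
            firmware-version:*)
                # Keep only the version token; drop any trailing annotation.
                ver=$(printf '%s\n' "$line" | awk '{print $2}')
                seen=1
                if [ -z "$ver" ]; then
                    echo "$nic UNKNOWN"; rc=1
                elif version_ge "$ver" "$MIN_FW"; then
                    echo "$nic $ver OK"
                else
                    echo "$nic $ver BELOW_MIN"; rc=1
                fi
                ;;
        esac
    done
    # The last NIC in the report may also lack a firmware line.
    if [ -n "$nic" ] && [ "$seen" -eq 0 ]; then
        echo "$nic UNKNOWN"; rc=1
    fi
    return "$rc"
}

# Constructed sample report (not captured from a real appliance).
SAMPLE_REPORT='ethsBP4-01:
firmware-version: 12.22.1002
ethsBP4-02:
firmware-version: 12.21.2010
ethsBP5-01:
ethsBP5-02:
firmware-version: 12.25.1020 (constructed-annotation)'

printf '%s\n' "$SAMPLE_REPORT" | check_firmware_report \
    || echo "At least one NIC is below $MIN_FW or reported no firmware version"
```

On an appliance, pipe the output of the step 3 command into check_firmware_report instead of the sample.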
MBS-5216 When VLAN traffic needs to traverse the Security Group in Bridge mode, you must configure all relevant VLAN IDs on the Uplink ports assigned to the Security Group in the Gaia Portal on the Maestro Orchestrator.

Note: Configure these VLAN IDs in the Gaia Portal on the Maestro Orchestrator.

Example Topology: (VLAN Trunk port) ==== (Uplink ports on Maestro Orchestrator that are assigned to a Security Group in Bridge mode).

R80.20SP
MBS-4993 Configuring the state of the Forward Error Correction (FEC) manually is not supported. This feature is in the auto state by default. R80.20SP  -
MBS-5225 Interfaces cannot be shared between Security Groups. R80.20SP  -
MBS-5339 VLAN interfaces are not supported on Maestro Hyperscale Orchestrator "Management" ports (ethX-MgmtY). R80.20SP
MBS-4668 When two Maestro Hyperscale Orchestrators are connected together, and you need to disconnect many cables from one of the Maestro Hyperscale Orchestrators, first disconnect the cable from the dedicated Synchronization port. This prevents the LSP mechanism from disabling all ports on the other Maestro Hyperscale Orchestrator. R80.20SP
MBS-7636 When several Downlink ports on an Orchestrator are connected to the same Security Appliance, these Downlink connections work only in the Active/Backup mode for IPv6 traffic (and not in the Load Sharing mode). R80.20SP  -
01052419 Connections may break when you change the System Distribution Mode using either the 'set distribution configuration' command or the 'set distribution interface' command. R76SP 
01176232 Virtual System with VLAN interfaces in Bridge Mode does not support non-IP protocols. R76SP   -
Dynamic Routing
MBS-3951 When you configure a routemap that includes the 'direct' parameter, it will also advertise the internal communication networks CIN and Sync. On Maestro Security Appliances, you have to filter out manually such internal communication networks. R80.20SP  -
MBS-3950 If you filter the 'protocol direct' on a routemap and do not specify an interface, then it will also advertise the internal communication CIN and Sync networks of the Maestro Security Appliances. R80.20SP  -
MBS-4172 PIM mode 'SSM' is not supported. R80.20SP  -
01862808 Critical Device (pnote) named routed was added to prevent traffic outage by allowing the RouteD daemon to synchronize BGP routes.
  • In BGP DR Manager failback scenarios, the old BGP DR manager will go down for 2 minutes.
  • When RouteD daemon restarts on BGP DR Manager, BGP DR Manager will go down for 2 minutes.
 R76SP.30  -
00736037 OSPF is not supported on Management interfaces. R76SP  -
00771254 BGP confederations are not supported.  R76SP  -
IPv6
Known Limitations - Software Blades
Firewall
MBS-3946
R80.20SP does not support Carrier Security (LTE).
R80.20SP
-
IPS
VPN
MBS-4097
  • Site-to-Site VPN with IPv6 peers is not supported.
  • Remote Access VPN from IPv6 clients is not supported.
R80.20SP -
MBS-2461 It is not supported to initiate a connection from an SGM if the connection's destination requires encryption. R80.20SP   -
MBS-5242 VPN traffic on a VSX Virtual System that is connected to a VSX Virtual Switch is supported only when the distribution mode configured for the WRP interface is the same as the distribution mode configured for the physical interface on the VSX Virtual Switch.

Example of a VSX topology:

(Virtual System) === wrp100 === (Virtual Switch) === (eth1-01)

The same distribution mode must be configured for the interface wrp100 as was configured for the interface eth1-01.

R80.20SP  -
MBS-5284 VPN Permanent Tunnels are not supported. R80.20SP
MBS-2472 In the Security Gateway object -> IPSec VPN, the Link Selection supports only these "Always use this IP address" selection methods:
  • Main address
  • Selected address from topology table
  • Statically NATed IP
R80.20SP
MBS-8298 In a Security Group object, it is not supported to configure VPN on the Management port (ethX-MgmtY) assigned to the Security Group. R80.20SP  -
MBS-8319 It is not supported to configure a Maestro Security Group object as a VPN Satellite Gateway if other VPN peers communicate through it.
R80.20SP  -
MBS-8322  VPN Wire mode is not supported. R80.20SP
02487412 A VPN can be used with SSM Layer4 Distribution Mode, but the VPN traffic will be distributed based on the Source/Destination IP addresses.  R76SP.50  -
Threat Prevention (Anti-Virus, Anti-Bot, Threat Emulation)
MBS-4094
Maestro Hyperscale System does not support ICAP Server configuration.
R80.20SP
-
URL Filtering
HTTPS Inspection
Identity Awareness
SPC-990
Identity sharing must be configured with ethX-MgmtX and for communicating with the PDP side.
R76SP.50
-
ConnectControl
DLP
Logs  
MBS-2832
Logs for session connections, generated by Software Blades on Maestro Security Appliances, do not show the SGM ID.
R80.20SP -
Known Limitations - Monitoring
SNMP
MBS-3601
The 'asg alert' command does not support sending alerts in SMS.
R80.20SP
-
CPView
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
