Support Center > Search Results > SecureKnowledge Details
Known Limitations for Scalable Platforms (Maestro Appliances and Chassis) Technical Level
Solution

This article lists all known limitations for R80.20SP, R80.30SP, and R81.

This is a live document that may be updated without special notice. We recommend that you register for our weekly updates in order to stay up to date. To register, go to UserCenter > ASSETS / INFO > My Subscriptions.

Important Notes:

  • If not stated otherwise, all limitations apply to both Security Gateway and VSX Gateway.
  • All limitations listed as part of R81 and above (sk166717) are relevant unless stated as resolved.
  • All limitations listed in R80.20 (sk122486) and R80.30 3.10 (sk152652) are relevant unless stated as resolved.
  • To see if a limitation has been resolved, enter its ID in the filtering field located at the top of the table.

Non-Supported Features

  • Non-Supported Features - General
    • General
    • Gaia OS
    • Hardware
    • Licensing
    • Cluster
  • Non-Supported Features - Installation / Upgrade
    • Upgrade
  • Non-Supported Features - Infrastructure
    • VSX
  • Non-Supported Features - Networking
    • Networking
    • IPv6
  • Non-Supported Features - Software Blades
    • Firewall
    • VPN
    • Identity Awareness
    • DLP
    • SmartView Monitor
    • QoS
    • SmartProvisioning

Known Limitations

  • Known Limitations - General
    • General
    • Gaia OS
    • Hardware
    • Management and Policy
    • Dual Site Deployment
    • VoIP
  • Known Limitations - Installation / Upgrade / Licensing
    • Installation
    • Licensing
  • Known Limitations - Infrastructure
    • Security Gateway
    • VSX
    • SecureXL
    • CoreXL
    • Cluster
    • Hyper-Threading
  • Known Limitations - Networking
    • Networking
    • Dynamic Routing
    • IPv6
  • Known Limitations - Software Blades
    • Firewall
    • VPN
    • Threat Prevention (Anti-Virus, Anti-Bot, Threat Emulation, Threat Extraction)
    • IPS
    • DLP
    • Identity Awareness
    • Logs
    • Application Control
    • Mobile Access
  • Known Limitations - Monitoring
    • SNMP


Enter the string to filter the below table:

ID Product Description Found in Resolved In

Non-Supported Features - General
General
PMTR-67440 All Traffic stops passing through a bridge interface after a failover in Dual Site / Dual Chassis environment. R81.10 -
MBS-8327,
PRHF-18375		 All In R81, 40000 / 60000 Appliances and Maestro Security Appliances do not support the Management Data Separation feature (sk138672). R81 -
MBS-14453 All R80.30SP and R81 for Scalable Platforms do not support the "Same VMAC" feature (support is available in R80.20SP and R81.10, see sk165674).   R80.30SP -
MBS-3246 All 40000 / 60000 Appliances and Maestro Security Appliances do not support:
  • DHCP Client configuration
  • DHCP Server configuration
  • Dynamically Assigned IP (DAIP) configuration
    • Note: DAIP is supported starting in R81 JHFA Take 34 (see MBS-15743 below). 
 R80.20SP -
MBS-15743 All Dynamically Assigned IP (DAIP) is not supported R80.20SP R81 JHFA Take 34
MBS-15740 All DHCP for Office Mode is not supported. R80.20SP R81 GA
MBS-2379 All The image auto-clone feature (set smo image auto-clone state on) only supports SGMs that run the same major version. When you add a new SGM to the R80.20SP chassis (add smo security-group), it must have the same version as SMO installed on it. R80.20SP -
MBS-1586 All The 'asg_syslog' command is no longer supported. Use the Gaia Clish 'set syslog ...' command instead. R80.20SP -
MBS-1360 All To install a license with the 'cplic put' command, before you run the Gaia First Time Configuration Wizard, you must run the 'cplic put' command in the Expert mode. R80.20SP -
MBS-8326 All 40000 / 60000 Appliances and Maestro Security Appliances do not support installation with the Central Deployment Tool (sk111158). R80.20SP -
SPC-89 All "Unified MAC for data ports" mode is not supported in VSX mode. R76SP.50 -
MBS-4866,
MBS-11960, 01517974		 All ISP Redundancy is not supported. R76SP.10 R80.20SP JHFA Take 305
PMTR-68991 All ISP Redundancy is not supported if Dynamic Routing is configured (because the ISP Redundancy feature must create a static default route that overrides the default route created by dynamic routing) R80.20SP -

PMTR-83632,
PMTR-86822

 All The Management API call "get-interfaces" (available in API v1.7.1 and above) does not support a Security Gateway object that represents a Security Group on Maestro or Scalable Chassis. The API command returns internal interfaces that must not be part of the Security Gateway object. As a result, policy installation fails, or traffic does not pass between the SMO and other Security Group Members.
To get interfaces: Open the Security Gateway object in SmartConsole > go to "Network Management" > click "Get Interfaces" > click "Get Interfaces With Topology" or Get Interfaces Without Topology" > click "Accept" > click "OK" > install Access Control Policy.		 R76SP -
01350464 All Hotfixes created for maintrain versions (and not specifically for Scalable Platforms) are not supported. R76SP -
00595914 All Security Server (FTP/HTTP with Resource) is not supported. R76SP -
00824847 All OPSEC SDK is not supported. R76SP -
01800842 All Hide NAT for traffic initiated from the Management interface of a Security Group is not supported. R76SP -
01322440 All A Security Group cannot be configured as a DHCP Server. R76SP -
SPC-929 All Dynamic NAT is not supported. R76SP -
00772706 Chassis R76SP on 40000 / 60000 Appliances does not have a WebUI to configure and monitor the system. HTTP access to the system is blocked. R76SP R80.20SP
PMTR-71298 Maestro You must disable the SMO Image Cloning in the Security Group before you assign an appliance of a model that is different from models of other appliances already assigned in this Security Group.
Run this command in Gaia gClish:
set smo image auto-clone off		 R81.10 -
PRJ-32479 Maestro Maestro Security Group does not support Bridge Mode configuration. R81.10  R81.10 JHFA Take 14
MBS-5038 Maestro You can only connect two Maestro Security Orchestrators of the same model for redundancy on the same site. R80.20SP -
MBS-5033 Maestro You can assign only appliances of the same model to the same Security Group. R80.20SP R81.10

See
sk162373
MBS-5035 Maestro Maestro Hyperscale Orchestrator does not support:
  • 40000 / 60000 Appliances
  • Small Business and Branch Offices appliances 3000, 1400, 1200R, or lower.
 R80.20SP -
MBS-5581 Maestro In R80.30 SmartConsole, when configuring a Maestro Security Gateway object, you must select only the R80.20SP version. R80.20SP -
MBS-6600 Maestro To support the auto-clone feature (set smo image auto-clone state on), you must install R80.20SP Jumbo Hotfix Accumulator (sk155832). R80.20SP -
MBS-9078 Maestro Output of the "asg_if" command on Maestro Security Group Members does not show the correct interface speed configured on the Maestro Orchestrator.
This is only a cosmetic issue.		 R80.20SP -
Gaia OS
MBS-10123 All The flag "-vv" in the "asg perf" command is not supported.
This issue is planned to be resolved in the R81 Jumbo Hotfix Accumulator.		 R81 -
MBS-13308 All The "set iphelper" (IP Broadcast Helper) commands are not supported in Gaia gClish. R80.20SP -
MBS-2836 All The 'asg profile' command is not supported. R80.20SP -
MBS-3369 All The "asg_archive" utility is no longer supported. To monitor the history data, use the CPview History mode per SGM. R80.20SP -
MBS-3625 All The 'save configuration' command in Gaia gClish is not supported. R80.20SP -
MBS-3579 All The Pingable Hosts State event type in the "asg alert" is not supported. R80.20SP -
MBS-2372 All It is not supported to manually update or install the CPUSE Agent. R80.20SP -
MBS-13635 All Gaia Message of the Day (MOTD) and banner messages do not support the pound (#) character. R80.20SP -
MBS-5488 All The Gaia Clish / Gaia gClish command 'snapshot_recover' is not supported. R80.20SP R80.20SP JHFA Take 105
MBS-13339 All The "asg_dst_route" command is not supported. R80.20SP -
PMTR-81746 All When Management Data Plane Separation (MDPS) is enabled (see sk138672), Gaia Portal is not supported on a Security Group. -
MBS-4756 Maestro 40000 / 60000 Chassis and Maestro Security Appliances do not support Gaia Cloning Groups. R80.20SP -
MBS-5309 Maestro The Gaia Portal on Maestro Hyperscale Orchestrator supports these web browsers:
  • Google Chrome 71.0 and later
  • Microsoft Edge 40.15063 and later
  • Microsoft Internet Explorer 11.0.50 and later
  • Firefox 64.0 and later
 R80.20SP -
Hardware
MBS-1244 All The Check Point Performance Sizing Utility 'cpsizeme' (see sk88160) is not supported. R80.20SP -
MBS-4754 All Central Management of Gaia Device Settings is not supported:
  1. In SmartConsole, click on "Gateways & Servers" on the navigation panel.
  2. Right-click on the Scalable Platform gateway object (or the Maestro Security Appliance gateway object).
  3. The "Scripts" menu and "Actions" menu are not supported.
 R80.20SP -
MBS-13255 Chassis Serial Over Lan (SoL) connection to SGM400 is not supported. R81 -
MBS-3010 Chassis 4 x SSMs (Dual-Dual Star) deployment is not supported. R80.20SP R80.20SP JHFA Take 242
(supported only in R80.20SP)
MBS-3992 Chassis SSM60 is not supported by R80.20SP and higher. R80.20SP -
02447213 Chassis 44000 / 64000 Appliances do not support DC Power Entry Modules (PEM). R76SP.50 -
02457673 Chassis On SSM440, interfaces eth<X>-Mgmt1 and eth<X>-Mgmt2 will not be used and should not be configured. The management interfaces are eth<X>-Mgmt4 and eth<X>-Mgmt3. R76SP.50 -
02439135 Chassis On SSM440, the auto-negotiation for Forward Error Correction (FEC) on 100Gb ports is not supported. FEC is enabled by default. The user can disable it manually in accordance with the settings on the peer side. R76SP.50 -
02160144 Chassis N+N Type Chassis (new model) and N+1 Type Chassis (old model) are not supported together in a cluster (Dual Chassis setup). R76SP.40 -
01007477 Chassis All SGMs in an environment must have the same number of CPU cores. Hybrid Systems (61000 Appliances with SGMs that have a different number of CPU cores) are not supported. Pre-R76SP -
MBS-5227 Maestro It is not supported to install both of the following expansion cards in the same Security Appliance connected to a Maestro Hyperscale Orchestrator:
  • 10 GbE and 40 GbE
  • 10 GbE and 100 GbE
 R80.20SP -
MBS-6466 Maestro All Security Appliances in the same Maestro Security Group must have identical Expansion Cards installed (the type and the amount):
  • All Security Appliances must have 1 x Quad-Port NIC, 1 x Dual-Port NIC, or 2 x Dual-Port NICs.
  • All other Expansion Cards must be removed from all Security Appliances, even if these Expansion Cards are not used.
 R80.20SP -
Licensing
MBS-7929 Maestro Central License is not supported on Maestro Security Appliances.. R80.20SP -
Cluster
MBS-12225 All Multi-Version Cluster (MVC) is not supported. R81 -
MBS-12227 All Active-Active cluster does not support Scalable Platforms. R81 -
MBS-2521 All VRRP cluster configuration is not supported. R80.20SP -

Non-Supported Features - Installation / Upgrade
Upgrade
MBS-14315 All Upgrade from R80.20SP or R80.30SP to R81 is not supported.
Only R81 Clean Install is supported.		 R80.20SP,
R80.30SP		 -

Non-Supported Features - Infrastructure
VSX
MBS-3522 All Enabling ICMP / CCP probing on cluster interfaces (setting the value of the kernel parameter fwha_enable_if_probing to 1) is not supported in VSX mode. R80.20SP -
01413513 All Virtual Routers are not supported. R76SP.10 -
01096568 All The VSX Gateway can not be managed from data ports.
The supported Management interfaces are:
  • eth1-Mgmt1, eth1-Mgmt2, eth1-Mgmt3, eth1-Mgmt4
  • eth2-Mgmt1, eth2-Mgmt2, eth2-Mgmt3, eth2-Mgmt4
 R76SP -

Non-Supported Features - Networking
Networking
MBS-14222 All Scalable Platforms do not support Dynamic Routing protocols over GRE tunnels. R81 -
MBS-14223 All Scalable Platforms do not support BGP over VXLAN tunnels. R81 -
02003875 All LACP is not supported with Management Aggregation (MAGG).

Note: Resolved for 40000 / 60000 Appliances, not for Maestro Security Appliances (see R80.20SP JHFA Take 210).		 R80.20SP R80.20SP JHFA Take 210
MBS-12823 All "6in4 tunnel" interface is not supported. R80.20SP -
MBS-14200 All Scalable Platforms do not support RIPng (IPv6). R76SP -
MBS-4024 Chassis R80.20SP does not support the Bidirectional Forwarding Detection (BFD). R80.20SP IPv4/IPv6 support from R80.20SP Take 258
01262356 Chassis PIM Sparse mode is not supported when the 60000 / 40000 Scalable Platform is defined as a Rendezvous Point (RP). R76SP -
MBS-5482 Maestro It is not supported to configure an IPv6 address on ethX-MgmtX interfaces. R80.20SP -
MBS-5293 Maestro Maestro Hyperscale Orchestrator's dedicated Sync interface cannot be part of a bond interface. R80.20SP R80.20SP JHF 210
MBS-7022 Maestro The maximum supported number of VLAN interfaces on each Uplink port on a Maestro Orchestrator is 42. Refer to sk170294. R80.20SP R80.20SP JHFA Take 304
MBS-5104 Maestro You can only connect one DAC / Fiber cable between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator. Connecting two cables between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator is not supported. R80.20SP R80.20SP JHFA Take 105
IPv6
02621541 All IPv6 VPN is not supported. R76SP -
MBS-11398 Chassis Correction is not supported for IPv6 local connections initiated from the Standby chassis. R80.20SP -

Non-Supported Features - Software Blades
Firewall
02641733 All The 'fw sam' command (sk112061) is not supported. R76SP -
SPC-986 All R76SP does not support Carrier Security (LTE) in VSX mode.. R76SP -
MBS-14173 All ConnectControl is not supported. R76SP.50 -
VPN
01685300 All SSL VPN is not supported for deployments that use NAT on Office Mode network. R76SP.20 -
01445638 All Traditional mode VPN is not supported. R76SP.10 -
00737055 All Virtual Tunnel Interfaces (VTI) are not supported. R76SP R81.10
00750851 All Route-based probing configuration is not supported for VPN Link Selection in High Availability mode. R76SP -
01344987 All Per-gateway VPN is not supported. R76SP -
01340588 All Corporate Enforcement is not supported. R76SP -
Identity Awareness
MBS-14460 Maestro Maestro Security Group does not support the Identity Awareness Captive Portal if the L4 distribution is enabled. R80.20SP -
DLP
01157859, 01349731 All DLP Fingerprint is not supported. R76SP -
SmartView Monitor
00593173 All SmartView Monitor does not support 40000 / 60000 Appliances and Maestro Security Appliances.

Statistics are only collected from a single Security Group Member and do not describe all traffic that is passing through the system.		 R76SP -
QoS
01248880,
MBS-14243		 All Scalable Platforms do not support the QoS Software Blade. R76SP R81 JHFA Take 51
MBS-2641 Chassis The DiffServ honoring on SSM is not supported. R80.20SP -
SmartProvisioning
01511158 All SmartProvisioning is not supported. R76SP -

Known Limitations - General
General
PMTR-86785 Maestro

Starting in the R81.10 version, the major software version on the Orchestrator must be equal to or higher than the major software version on the managed Security Group:

Orchestrator Version
Supported Security Group Version R81.20 R81.10 R80.20SP
R81.20
R81.10
R81
R80.30SP
R80.20SP

Note - To see which Management Server can manage your Security Group, see sk113113.

 R81.10 -
MBS-12259 All R81 does not support Carrier Security (LTE). R81 R81 JHFA Take 42
CST-302 All It is not possible to enable the "Carrier Security" checkbox using SmartConsole on any platform other than an open server. R81 -
MBS-12327 All R81 does not support "Generic Data Center" objects (described in sk167210). R81 -
MBS-11195 All R81 does not support Accelerated Policy Install. R81 -
MBS-10252 All R81 does not support Zero Touch. R81 -
MBS-12257 All R81 does not support the detection of IP address conflict in Gaia OS. R81 -
MBS-12307 All Management-as-a-Service (MaaS) is not supported. This applies to both Chassis and Maestro Security Appliances. R81 -
MBS-3363 All R80.20SP does not support the 'asg_selective_template_exclude' command. R80.20SP -
MBS-12749 All If you enabled and configured the ISP Redundancy on a Security Group, then to force an ISP Link State you must run the g_fw isp_link command in the Expert mode.
If you run the fw isp_link command on a specific Security Group Member, the command only changes the state of the ISP link on that Security Group Member.		 R80.20SP -
MBS-13348 All ISP Redundancy is supported only on data interfaces.
Management interfaces and other internal control interfaces (for example, CIN) are not supported.		 R80.20SP -
MBS-6188 All
  • Active-Backup bond is supported only when a Primary slave is configured (for example: set bonding group 1 primary eth1-05).
  • Active-Backup bond supports a maximum of 2 slaves.
 R80.20SP -
MBS-9128 All The Unique IP address per Chassis (UIPC) feature is not supported for IPv6 addresses. R80.20SP -
SPC-1104 All Connections that arrive via the data interface and are sent out via the management interface are not supported. R76SP.50 For R81.10 and above, see
sk179005.  
SPC-1111 All Connections that arrive via the management interface and sent out via the data interface are not supported R76SP.50 For R81.10 and above, see
sk179005
02476852 All Before importing a snapshot on SGM, you must check if there is enough free disk space. If necessary, delete old snapshots and other unneeded files to free up disk space. SGMs that do not have enough disk space will not create the snapshot in their database, and there will be no error message to indicate this. R76SP.50 -
01247865 All The 'cpstop' and 'cpstart' commands are not supported. R76SP -
MBS-3114 Chassis You can restore snapshots only on the same chassis type and SGM model on which it was collected. R80.20SP -
MBS-6190,
MBS-9202		 Chassis R80.20SP on 40000 / 60000 Appliances does not support the Multiple Security Groups feature. R80.20SP R80.20SP JHFA Take 240
(supported only in R80.20SP)
00738754 Chassis If SGMs lose connectivity to the CMM, the 'asg stat' command displays the most recent status of the system. For example, a chassis module that was "UP" before the CMM lost connectivity, continues to have the status "UP". The state of the CMM is changed to "DOWN". R76SP -
PMTR-33894 All Maestro Security Group supports version R80.20SP only. R80.30 -
MBS-14365 Maestro Dynamic Anti-Spoofing is not supported in R80.30SP. R80.30SP -
PMTR-71380 Maestro On an Orchestrator that runs the R81.10 version, you can assign appliances of different supported models (see sk162373) to the same Security Group only if these appliances run the R81.10 version. R80.20SP / R80.30SP / R81 / R81.10 -
MBS-9590 Maestro After you add a new member to a Security Group using the SMO Image Auto-Clone feature, it might stay in the DOWN state (as the 'asg stat -v' command shows).

To resolve: Manually reboot the new Security Group Member.		 R80.30SP -
MBS-6968 Maestro When you configure an R80.30SP Security Gateway object in R80.x SmartConsole, in the "Version" field you must select "R80.30". R80.30.SP R80.30 JHFA Take 163 (and above)
MBS-9698 Maestro The 'installer uninstall' command in Gaia gClish on Security Group members might not show an installed Hotfix / Jumbo Hotfix Accumulator package.

To resolve: run these commands in Gaia gClish:
  1. show installer packages
  2. installer uninstall <Full Name of Package>
 R80.30.SP -
MBS-6140 Maestro Each Security Group must have a unique hostname. R80.20SP -
MBS-14805 Maestro CPView is not supported on R80.20SP for Maestro Orchestrator. CPView is only supported on Maestro Orchestrators that run R81.10.  R80.20SP R81.10
MBS-14811 Maestro Maestro Orchestrators and Security Group CIN interfaces are configured in the subnet of 198.51.10<SG_ID>.0. You cannot use this subnet for data and management interfaces. This applies to Maestro Gateways and Orchestrators on all Maestro versions.  R80.20SP -
MBS-7289 Maestro "Added FTW configuration on MHOs:" is displayed in the Orchestrator Gaia Portal in the Security Group Summary window, even when the First Time Wizard settings are not configured. R80.20SP -
MBS-5754 Maestro It is not possible to access the new Security Group after its Management IP address was configured in the subnet 192.168.1.0/24.

To resolve: Refer to sk164372.		 R80.20SP -
MBS-9830 Maestro Installing a Hotfix / Jumbo Hotfix Accumulator on all Security Group members at the same time (and not gradually) overrides the configuration of traffic distribution to default: general and L4 Distribution is enabled. R80.20SP R80.20SP JHFA
Take 266
Gaia OS (Global Shell / Commands)
PRJ-28252,
PRJ-28273,
PMTR-70624		 All Scalable Platforms support only the local Gaia snapshot.
Scalable Platforms do not support:
  • Export of Gaia snapshots to a remote server when collecting a snapshot
  • Import of Gaia snapshots from a remote server when restoring a snapshot
 R81 -
PMTR-70630,
PMTR-70624		 All Scalable Platforms do not support the export and import of Gaia snapshots in Gaia Portal.
You must use the applicable Gaia gClish commands.		 R81 -
MBS-10755 All R81 does not support Gaia Scheduled Snapshots. R81 -
PRJ-20639,
PMTR-63145		 All R81 requires a hotfix to support Gaia Backup (Gaia Snapshots do not require a hotfix). Contact Check Point Support. R81 R81.10
MBS-10753 All R81 does not support the configuration of the Link Layer Discovery Protocol (LLDP) in Gaia Portal or Gaia Clish. R81 -
MBS-10832 All R81 does not support Gaia REST API for Security Gateway configurations. R81 -
MBS-12114 All Scalable Platforms do not support restoring of a Gaia Backup from an FTP server. R81 -
MBS-4080 All Gaia OS does not support Bond interface in Round Robin mode. R80.20SP -
MBS-964 All A Security Group cannot be configured as an NTP Server. R80.20SP -
MBS-14992

 All To prevent the Gaia configuration mismatch between Security Group Members, it is not supported to change the user's password on a Security Group in these ways:
  • In Gaia Portal > User Management > Change My Password
  • In Gaia gClish with the command "set selfpasswd"
To change the user's password on a Security Group, run one of these commands in Gaia gClish:
  • set user <UserName> password
  • set user <UserName>password-hash <Password Hash>
(Applies to Maestro and Chassis R80.20SP and higher.)		 R80.20SP -
02476859 All Gaia Clish command 'show snapshots' might display the following error: "NMSNAP9999 Timeout waiting for response from database server".

To resolve: Run the 'show snapshots' command again.		 R76SP.50 -
02476902 All Gaia Clish command 'show snapshots' might display the following error: "NMSNAP0042 Snapshot mechanism is not supported in this system".

To resolve: Run the 'show snapshots' command again.		 R76SP.50 -
00738300 All The 'asg' commands are an extension of native Gaia gClish commands.
The 'asg' commands have different syntax and there is no auto-completion.		 R76SP -
00642401 All A CLI command that uses a range for the parameter can only operate if all the relevant SGMs are defined in the security group. R76SP -
00621838 All Running the 'show hostname' command in Gaia Clish returns the hostname shared by all the SGMs, but not the specific ID for each SGM. The specific ID is displayed as %m. R76SP -
00633262 All The arguments of the global commands are processed before the local (native) arguments, and this can cause the local arguments to be ignored. For example, the 'g_ls -l /tmp/' command is processed as 'ls /tmp/' on the local SGM instead of as 'ls -l /tmp/' on all SGMs.

Relocating the local arguments within the command (where applicable) can resolve the problem. For example, run the 'g_ls /tmp/ -l' command instead of the 'g_ls -l /tmp/' command.		 R76SP -
01061553 All When exporting or importing a snapshot, you must export from or import to the /var/log directory.
  • To export a snapshot, run: set snapshot export <image_name> path /var/log/
  • To import a snapshot, run: set snapshot import <image_name> path /var/log/ name <new_name_for_image>
 R76SP -
01089206 All Running the 'asg_hard_shutdown' command on an SGM two times, one after the other, causes a reboot and not a shutdown.

It takes one minute for the SGM to shut down after running the 'asg_hard_shutdown' command. During this interval, do not run the 'asg_hard_shutdown' command again.		 R76SP -
01237799 All When you run multiple Gaia gClish 'set ...' commands, one after another, some of these commands can stop running. When this happens, the message "Processing Transaction" shows in the output. R76SP -
MBS-6514 Chassis Setting the Minimum Number of Slaves in a Bond interface is not supported. R80.20SP -
PMTR-71458 Maestro

Collecting Gaia Backup and restoring Gaia Backup in Global Clish (gclish) is not supported on a Security Group that contains appliances of different models.

To collect Gaia Backup and restore Gaia Backup, you must use Gaia Clish (clish) on each appliance in the Security Group.

 R81.10
MBS-7145 Maestro R80.30SP does not support the Dynamic CLI as described in sk144112. R80.30SP
MBS-12642 Maestro Gaia scheduled backup fails to run.
The /var/log/messages file contains the error "scheduled_backup: SGM isn't SMO, skipping scheduled backup".		 R80.30SP R80.30SP JHFA Take 56
MBS-9357 Maestro R80.30SP does not support these CPUSE commands in Gaia Clish or Gaia gClish:
  • installer uninstall VALUE completely
  • installer uninstall VALUE last-take
Note: The command 'installer uninstall <Name of Package>' removes only the specified Hotfix / Jumbo Hotfix Accumulator package.		 R80.30SP -
MBS-7069 Maestro Remote authentication for the Expert mode using RADIUS / TACACS+ servers (the Gaia gClish command 'set expert-authentication-method {<shared-password> | <user-password>}') is not supported. R80.30SP -
MBS-5478 Maestro The 'asg_drop_monitor' command does not support the "-ssm -t <timeout>" parameter. R80.20SP -
PMTR-75303 Maestro Gaia OS backup on Maestro Orchestrators does not contain the Maestro configuration files (for example, sgdb.json).

To back up the Maestro Orchestrator configuration, use this Gaia Clish command on the Maestro Orchestrator:

set maestro export <options>

For a use case, see sk174202.		 R80.20SP -
MBS-11339 Maestro

In R80.20SP and R81.10, the Maestro Orchestrator Clish command "set maestro port X/Y/Z admin-state <down/up>" does not survive reboot. 

 R80.20SP -
MBS-5177 Maestro R80.20SP does not support the following Gaia Clish commands:
  • set chassis id VALUE alert_threshold cpus_temperature_threshold_low VALUE
  • set chassis id VALUE alert_threshold fans_threshold_high VALUE
  • set chassis id VALUE alert_threshold fans_threshold_low VALUE
  • set chassis id VALUE alert_threshold power_consumption_threshold_perc_high VALUE
  • set chassis id VALUE alert_threshold power_consumption_threshold_perc_low VALUE
  • set chassis id VALUE modules_amount cmm VALUE
  • set chassis id VALUE modules_amount fans VALUE
  • set chassis id VALUE modules_amount power_units VALUE
  • show chassis high-availability factors sensor cmm
  • show chassis high-availability factors sensor fans
  • show chassis high-availability factors sensor power_supplies
  • show chassis id VALUE alert_threshold cpus_temperature_threshold_high
  • show chassis id VALUE alert_threshold cpus_temperature_threshold_low
  • show chassis id VALUE alert_threshold fans_threshold_high
  • show chassis id VALUE alert_threshold fans_threshold_low
  • show chassis id VALUE alert_threshold power_consumption_threshold_perc_high
  • show chassis id VALUE alert_threshold power_consumption_threshold_perc_low
  • show chassis id VALUE modules_amount cmm
  • show chassis id VALUE modules_amount fans
  • show chassis id VALUE modules_amount power_units
 R80.20SP -
MBS-7009 Maestro When creating Gaia OS users on Maestro Orchestrator, you must configure these users with UID 0. R80.20SP -
MBS-9523 Maestro It is not supported to create a Gaia snapshot on one Maestro Security Appliance and revert that Gaia snapshot on a Maestro Security Appliance in the same Security Group (for example, with the command 'snapshot_recover'). R80.20SP R80.20SP JHFA Take 273
Hardware
SPC-214 Chassis On SSM440, when working with 1G copper transceiver in ethX-Mgmt4, after SSM reboot the interface will show the link as up but traffic will not pass. Refer to sk126612. R76SP.50 -
02434343 Chassis On SSM440, error "Dot3Ah: Failed getting variable from bm" may appear when running the 'system reload' command. R76SP.50 -
02169635 Chassis On SSM440, the MTU is limited to a maximum of 9000 bytes. R76SP.50 -
02496928 Chassis Verification is needed after changing QSFP mode on SSMs:
"show smo verifiers print name <Port_Speed>".

If verification fails, change the QSFP mode on SSMs again:
"set ssm id <SSM_ID> qsfp-ports-mode <Port_Speed>"		 R76SP.50 -
00624269 All The Ethernet ports on the SGMs are not used. Each SGM has two Ethernet ports that are not used by the system and must not be configured. The output of the 'ifconfig' command displays these ports as eth1 and eth2. R76SP -
MBS-3870 Chassis R80.20SP supports a maximum of two SSMs in a chassis (SSM1 and SSM2). R80.20SP -
02439227 Chassis On a 44000 chassis, PXE installation on Slot 6 (SGM 2_06 / SGM 1_06) is supported by changing the kdevice to eth3. R76SP.50 -
00894653 Chassis Transceivers for the 40000 / 60000 Appliance are not interchangeable with transceivers from other Check Point appliances. Only transceivers provided with the 40000 / 60000 Appliance are certified for this system. R76SP -
MBS-5205 Maesto Hardware Health Monitoring is not supported in Maestro Orchestrator. R80.20SP -
MBS-6583 Maesto After the Gaia OS installation completes on Maestro Security Appliances 5600, you must manually reboot them. R80.20SP -
Management and Policy
MBS-3001 All To fetch logs from Security Members, you must use SmartConsole. Running the 'fw fetchlog' command on the Management Server is not supported. R80.20SP -
MBS-8515 All NAT64 and NAT46 objects are not supported. R80.20SP Resolved in R81.10 for Security Gateway only. See sk91905
PMTR-22530 Chassis Management API on an R80.10 Management Server does not support 40000 / 60000 Appliances that run R80.20SP. R80.10 R80.10 JHFA Take 214
Dual Site Deployment
MBS-7771 All In Dual Chassis deployment, the external synchronization network between the two Chassis (or between Orchestrators on different sites) must not contain Layer 3 routers (because they drop Cluster Control Protocol packets). R80.20SP -
MBS-7769 All In Dual Site deployment, the external synchronization network between the Orchestrators on different sites (or between the two Chassis on different sites) must guarantee a latency of no more than 100ms and a packet loss of no more than 5%. R80.20SP -
MBS-6991 Maestro After Dual Site is configured, it is not supported to change the Site ID on the Orchestrators. R80.20SP -
MBS-7606 Maestro In Dual-site deployment, a Security Group stretched across two sites must include at least one Security Appliance at each site. R80.20SP -
MBS-7028 Maestro In Dual Site Deployment, the following requirements apply to ports (and cables) on the Orchestrators that synchronize with each other on both sites:

(1) The same port type (mgmt / uplink / downlink / external sync / internal sync) must be configured for the same ports.

Example 1:

If Port 5 on Orchestrator 1_1 is configured as uplink, then Port 5 on Orchestrator 2_1 must also be configured as uplink.

Example 2:

If Port 20 on Orchestrator 1_2 is configured as downlink, then Port 20 on Orchestrator 2_2 must also be configured as downlink.

(2) The split cables and ports, to which they are connected, must be identical.

Example 1:

If a 4x10 DAC is connected to Port 5 on Orchestrator 1_1, then an identical 4x10 DAC must also be connected to Port 5 on Orchestrator 2_1.

Example 2:

If a 4x10 DAC is connected to Port 20 on Orchestrator 1_2, then an identical 4x10 DAC must also be connected to Port 20 on Orchestrator 2_2.		 R80.20SP -
MBS-6947 Maestro In Dual Site deployment, no warning is displayed when changing the "type" of the QSFP port in Gaia Clish on Maestro Hyperscale Orchestrators on the local site, while the Maestro Hyperscale Orchestrators on the remote site are down. R80.20SP -
MBS-7744 Maestro In Dual Site deployment, the external synchronization connection between the Orchestrators on different sites must be a direct Layer 2 link.

Note: L2 switches are supported beginning in Jumbo HFA 178, but Q-in-Q is required on the switch side.		 R80.20SP -
MBS-7773 Maestro In Dual Site deployment, each Security Group can contain a maximum of 28 Security Appliances (14 Security Appliances from each site). R80.20SP -
VoIP
PMTR-8896 All Asymmetric VoIP connections of SIP and SKINNY protocols do not survive cluster failover (between SGMs on the same chassis, and between dual chassis). R80.20SP -

Known Limitations - Installation
Installation / Upgrade
MBS-10552 All At the end of the installation of the R81 image on a Scalable Platform (Chassis / Maestro Security Appliance), a message appears "You may safely reboot your system".
You must manually reboot the Chassis / Security Appliance.		 R81 -
01488400 All Running 'asg' or other global commands before the setup wizard completes is not supported R76SP.10 -
PMTR-71148 Chassis In a rare scenario, after upgrading the 40000 / 60000 chassis to R81.10, the output of the "asg diag print 20" command shows that the test "Configuration File" fails with "Database inconsistent".

To resolve: Reboot the problematic SGM with the "reboot -b <SGM ID>" command.		 R81.10 -
Licensing
01951566, MBS-4510 All Installation of a Central license with SmartUpdate requires a policy installation on the Security Gateway / VSX Gateway (in the context of the VS0) object in order to propagate the license. R76SP.40 -
MBS-6099 Maestro A Maestro Security Appliance that was removed from a Security Group and then added back to the same Security Group might not pull the license from the existing members of the Security Group. As a result, this Security Appliance remains in the DOWN state. R80.20SP R80.20SP JHFA Take 105

Known Limitations - Infrastructure
Security Gateway
MBS-4895 All R80.20SP does not support the 'fw sam_policy' ('fw samp') commands. R80.20SP R80.20SP JHFA Take 105
VSX
MBS-12240 All R81 does not support Threat Emulation and Identity Awareness Software Blades on VSX Virtual Systems in Bridge mode. R81 R81.10
PMTR-64090 All A newly added Security Group Member remains in the DOWN state, if there was a Virtual System with the 'InitialPolicy' in the Security Group before you added that Security Group Member.
(The output of the 'cphaprob list' command on the new Security Group Member shows that the Critical Device pull_config reports its state as problem.)

To avoid this issue:
  1. Examine the VSX state and policies on all Virtual Systems in the Security Group (with the vsx stat command)
  2. If there is a Virtual System with the 'InitialPolicy', install the applicable Access Control policy on that Virtual System
 R81 -
MBS-12664 All To configure VSX Virtual Switches to forward IPv4 multicast traffic or any IPv6 traffic, it is necessary to disable the correction of local connections:
  1. Connect to the command line on the applicable Security Group
  2. Log in to Expert mode
  3. Run this command to disable the correction of local IPv4 connections in the current session:
    g_fw ctl set int fwha_local_chassis_state_correction 0
  4. Run this command to disable the correction of local IPv6 connections in the current session:
    g_fw6 ctl set int fwha_local_chassis_state_correction 0
  5. Run this command to disable the correction of all local connections permanently:
    g_update_conf_file fwkern.conf fwha_local_chassis_state_correction=0
 R81 -
MBS-12574 All In rare scenarios, after you change the number of CoreXL Firewall instances in a Virtual System object in SmartConsole and click OK:
  1. In SmartConsole, the VSX Operation Progress window shows "Operation ended with errors".
  2. On the Security Group, the output of the "asg stat -v" command shows that the state of the SMO Security Group Member changed to "DOWN".
To resolve:
  1. Reboot the affected Security Group Member (reboot -b <ID>)
  2. In SmartConsole, change the number of CoreXL Firewall instances in the Virtual System object and click OK.
  3. Install policy on the Virtual System object.
 R81 -
MBS-9806 Maestro

R80.30SP does not support VSX Virtual Switches.

Important Note: If you created Virtual Switches in R80.30SP with the R80.30SP Jumbo Hotfix Accumulator Take 56 or Take 49, you must install a special hotfix before you install the R80.30SP Jumbo Hotfix Accumulator Take 73 or higher. See sk171917.

 R80.30SP R80.30SP JHFA Take 73
PRJ-19784 Maestro In rare cases, after you reconfigure a VSX Gateway with the "vsx_util reconfigure" command, static routes or MTU might not be configured on Virtual Systems.

To resolve:
  1. Connect with SmartConsole to the Management Server that manages the affected Virtual System and open the Virtual System object.
  2. To resolve an issue with static routes: write down the current static routes in some text editor > remove the static routes > click OK > open the Virtual System object again > add the static routes > click OK.
  3. To resolve an issue with an MTU value: change the current MTU value to the required MTU value > click OK.
 R80.30SP -
MBS-6306 All R80.20SP does not support Log Server Distribution (asg_log_servers). R80.20SP R80.20SP JHFA Take 105 (R81.10: new LS Server Clustering feature)
MBS-15684 All NAT64 and NAT46 are not supported in VSX. R80.20SP -
MBS-5636 All A reset of SIC between the chassis in VSX mode and the Management Server (or between the Security Appliances in VSX mode and the Management Server) might cause the non-SMO members to change their state to DOWN.

To recover: Reboot the non-SMO members.		 R80.20SP R80.20SP JHFA Take 105
MBS-3209 All R80.20SP does not support Multi Bridge (support for multiple bridge interfaces on a Virtual System in Bridge Mode). R80.20SP -
MBS-4228 All After re-configuring a VSX Gateway with the 'vsx_util reconfigure' command, you must manually install policy on each Virtual System from SmartConsole. R80.20SP -
MBS-6775 All While the Image Cloning feature is enabled, a Security Group member may reboot more than one time.
To resolve: Disable the Image Cloning feature on the SMO member to stop these reboots.		 R80.20SP -
02024482 All After running the 'vsx_util reconfigure' command on the Management Server, the VLAN interface on a Security Group in VSX mode might come up without an IP address if the VLAN's MTU was set to a value larger than 1500.
Refer to sk111513.		 R76SP.40 -
01821671 All In VSX HA mode, VLAN trunk ports cannot be monitored from the context of Virtual Systems (only from the context of the VSX Gateway itself - VS0). R76SP.30 -
01812597 All No local configuration should be performed on a Security Group or on a Security Group Members while the 'vsx_util reconfigure' command is running on the Management Server.

It is necessary to wait until all Security Group Members and Virtual Systems are up and running (otherwise, the local configuration will not be applied).		 R76SP.30 -
01620389 All You cannot configure Bond interfaces on chassis Management ports after you create the VSX object in SmartDashboard. R76SP.20 -
01097957 All If you lower the Connections Table limit of a Virtual System, and one of the SGMs has more or the same number of connections than the limit, the new value is rejected for that SGM. The new Connections Table limit may be accepted by other SGMs.

Notes:
  • To see the current number of entries in the Connections Table, run this command in the Expert mode: fw tab -t connections -s
  • To configure the Connections Table limit of a Virtual System: In SmartDashboard, open the Virtual System object - go to the "Capacity Optimization" pane - set the value in the "Limit the maximum concurrent connections" field - click on OK - install the policy.
 R76SP -
00922958 All The Alerts configuration wizard does not allow setting of performance thresholds per Virtual System.You can manually configure thresholds for Virtual Systems using the 'dbset' command from the Expert mode:

g_all dbset chassis:vs:0:alert_threshold: <alert_name> <value>

Where <value> is the percentage of the default threshold per Security Group Member.

Example:

[Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:packet_rate_threshold_high 30

In this example, an alert is triggered when any Virtual System packet rate is higher than 30% x 1.8MB (1.8MB is the default packet rate threshold per SGM).

Note: One ratio applies to all Virtual Systems.		 R76SP -
01341918 All You cannot enable IPv6 before you create and configure a new VSX Gateway. You must first create the new VSX Gateway and then enable and configure IPv6 using Gaia gClish. R76SP -
01527874 Chassis Virtual Switches without physical interfaces are not supported for Chassis VSLS. R76SP.10_VSLS -
01284809 Chassis To use the Sync Lost mechanism, you must keep the Management interfaces for both chassis connected. R76SP -
01087321 Chassis VSX Gateway creation in SmartConsole and the 'vsx_util reconfigure' command are supported when only the left-most SGM is in the Security Group. R76SP -
MBS-10271 Maestro The 'drop_monitor' command fails with "Error! Failed to get current VS <ID>" on a Security Group in VSX mode.
Solution is planned for future Takes of the R80.30 Jumbo Hotfix Accumulator (sk165312).		 R80.30SP -
MBS-8837 Maestro In the context of a Virtual System in Bridge Mode:
  • The output of the 'asg diag verify "ARP Consistency"' command shows "Failed" in the "Result" column.
  • The output of the 'asg_arp' command shows "No matches found".
 R80.30SP -
MBS-5214 Maestro R80.20SP does not support VSX Virtual Switches. R80.20SP R80.20SP JHFA Take 178
MBS-5457 Maestro If after creating a new Virtual System object, policy installation on a Security Group object fails with "Error code: 0-2000240", wait 2-3 minutes and install the policy again. R80.20SP R80.20SP JHFA Take 105
MBS-6572 Maestro A change in the number of CoreXL Firewall instances (in a VSX Virtual System object in SmartConsole) in Dual Chassis VSLS setup requires a downtime, because the Virtual System must be restarted. During this restart, traffic cannot pass through the Virtual System. R80.20SP -
MBS-6176 Maestro To create a VSX Gateway object in SmartConsole for a Maestro Security Group:
  1. Assign at least two interfaces to the Security Group.
  2. Install the R80.20SP Jumbo Hotfix Accumulator (sk155832) on all Security Appliances in the Security Group.
  3. In SmartConsole, create a VSX Gateway object.
 R80.20SP -
MBS-7888 Maestro Interface Active Check is not supported in VSX mode. R76SP.30 R81.10
SecureXL
MBS-11846 All To support the configuration of DoS Rate Limiting rules in Gaia gClish with the "fwaccel dos rate add" command, or in the Expert mode with the "g_fwaccel dos rate add" command, you must install a required hotfix on the Security Group.
Contact Check Point Support.		 R81 -
MBS-3259 All R80.20SP does not support Fast Accelerator (see sk156672 for more details). R80.20SP
MBS-5415 All Configuring the 'SYN Attack' protection in SmartConsole is not supported. You must only use the 'fwaccel synatk' and 'fwaccel6 synatk' CLI commands. R80.20SP -
MBS-6834 All Security Group members do not pull the SecureXL configuration from the $PPKDIR/conf/simkern.conf file on the SMO SGM. R80.20SP R80.20SP JHFA Take 121
MBS-8143 All These SecureXL commands are not supported:
  • g_fw sam_policy batch
  • g_fw6 sam_policy batch
 R80.20SP -
MBS-5610 Chassis An Accelerated SYN Defender configuration made with the 'fwaccel synatk' / 'fwaccel6 synatk' commands might not be applied on non-SMO members. R80.20SP R80.20SP JHFA Take 105
MBS-9650 Chassis
  1. Output of the 'asg perf -p' command shows that the "Throughput" is 0 in the "Firewall" column.
  2. Output of the 'asg perf -v' command shows that the "Throughput" value is lower than expected (the F2F traffic is missing).
  3. SNMP Query for OID .1.3.6.1.4.1.2620.1.48.20.1.0 (asgThroughput) returns a value lower than expected (the F2F traffic is missing).
 R80.20SP -
CoreXL
MBS-10244 All R81 does not support CoreXL Dynamic Balancing. R81 -
MBS-12224 All If only one CPU core runs as a CoreXL SND on Security Group Members, these cosmetic issues can occur:
  • Output of the "asg_perf" command is empty.
  • Output of the "cores_verifier" command shows "Error: unable to obtain value from smodb".
  • Output of the "cores_verifier" command shows "Error: BPEth0 doesn't exist in /proc/interrupts".
 R80.30SP -
MBS-8151 Maestro By default, CoreXL is disabled on Maestro Security Appliances 5600. To enable and configure CoreXL, refer to the R80.20SP Maestro Performance Tuning Guide (chapter: CoreXL). R80.20SP -
PMTR-74532 All After you change the CoreXL configuration in the "cpconfig" menu on a Security Group, you must reboot all Security Group Members at the same time.
Run:
reboot -b all
Important - During this reboot, no traffic passes through the Security Group.		 R80.20SP -
Cluster
MBS-6084 All To support asymmetric connections, it is necessary to enable the cluster synchronization in the corresponding service's properties (Advanced pane > in the Cluster and synchronization section, select Synchronize connections if Synchronization is enabled on the cluster > install policy). R80.20SP R80.20SP JHFA Take 105
MBS-5864 All It is necessary to install policy after changing the mode of a bond interface (for example, from XOR to 802.3AD), so that the bond interface is monitored by the cluster. For 40000 / 60000 Appliances, applies to Dual Chassis. R80.20SP R80.20SP JHFA Take 105
MBS-7913 Maestro Cluster Control Protocol (CCP) encryption is not supported. R80. 30SP -
MBS-7946 Maestro The Interface Active Check feature (setting the value of the kernel parameter fwha_enable_if_probing to 1) is not supported. R80. 30SP -
MBS-13481 Maestro Installing R80.30SP JHFA Take 82 when using multicast traffic might cause high CPU utilization.  R80.20SP -
Hyper-Threading
MBS-3106 All In VSX mode, after disabling or enabling the Hyper-Threading feature in the cpconfig menu and rebooting, another reboot is required for the system to apply the Multi-Queue configuration. R80.20SP -

Known Limitations - Networking
Networking
PMTR-60868 All R81 does not support GRE interfaces. R81 -
MBS-11278 All Unique IP address per Chassis (UIPC) feature is not supported. R81 -
MBS-2199 All After a failover of the FTP control connection in Scalable Platforms, it is not possible to open an asymmetric FTP data connection. R80.20SP -
MBS-4098 All GRE tunnel is not supported. R80.20SP -
MBS-1274 All R80.20SP does not support the reserved connections feature (the 'asg_reserved_conns' command). R80.20SP -
MBS-8379 All R80.20SP does not support Alias IP addresses on its interfaces. R80.20SP R80.20SP JHFA Take 279,
R80.30SP JHFA Take 49
MBS-2049 All After installation, a static route to 192.168.1.254 is automatically created due to the preconfigured subnet for the eth1-Mgmt4 interface.

If you need to configure another static route for the eth1-Mgmt4 interface:
  1. Remove the current static route to 192.168.1.254
  2. Add the required static route for the eth1-Mgmt4 interface.
 R80.20SP -
MBS-9105 All When IPv6 traffic passes through Security Groups, it is not supported to disable the 'Drop out of state TCP packets' setting in SmartConsole > Global properties > Stateful Inspection. R80.20SP -
MBS-9713 All "Failed to set MTU 9000 on interface magg0. Maximum value allowed is 9710." error when running the Gaia gClish command "set interface magg0 mtu <Value>" for a Management Aggregation (MAGG) interface.

Workaround:
  1. Configure the MTU on any of the data interfaces to a value greater than 1500.
  2. Configure the MTU on the MAGG interface to a required value.
 R80.20SP -
MBS-9798 All Scalable Platforms and Maestro Security Appliances support fragmented packets with Layer 4 distribution only in Gateway mode with CoreXL enabled. R80.20SP -
01052419 All Connections may break when you change the System Distribution Mode using either the 'set distribution configuration' command or the 'set distribution interface' command. R76SP -
01176232 All Virtual System with VLAN interfaces in Bridge Mode does not support non-IP protocols. R76SP -
MBS-3944 Chassis Asymmetric traffic between two chassis in Dual Chassis deployment is not supported. R80.20SP -
MBS-1520 Chassis Group of Bonds (ABXOR) is not supported. R80.20SP -
MBS-5164 Chassis The 'asg_tmpl_special_svcs' command is no longer supported. R80.20SP -
MBS-5311 Chassis QoS is not supported on the SSM data ports (the 'set ssm <ID> data-port qos status on' command). R80.20SP -
MBS-2354 Chassis TFTP connections do not survive failover when using SSM440 and the distribution matrix size of 16K. R80.20SP -
MBS-7014 Chassis You must configure the Bond Interface on the Management Ports (MAGG) only from Gaia gClish. Configuring MAGG in Gaia Portal is not supported. R80.20SP R81
- Chassis When using SGM400, 40GB Back Plane (BP) connectivity speed is supported for both SSM160 and SSM440. In order to switch to 40GB, the SSM's downlink ports should be set to 'Auto' Speed. Refer to sk118435. R76SP.50 -
MBS-2991, MBS-6601, SPC-994 Chassis Configuration of RX/TX ringsize is supported only on eth<X>-Mgmt4 and BPEth<X> interfaces (either with the Expert command 'ethtool -g', or the Gaia Clish command 'set interface ...'). R76SP.50 -
00846789 Chassis R76SP does not support VLANs on a Management interface. R76SP -
PMTR-60874 Maestro R81 does not support VxLAN interfaces. R81 -
MBS-3859 Maestro If you installed a 40 GbE card or a 100 GbE card on a Check Point appliance you wish to connect to the Maestro Security Orchestrator, and you did not receive this card as part of the Maestro product, make sure this card meets the minimal requirements:
  1. Connect to the command line of the Check Point appliance.
  2. Log in to the Expert mode.
  3. Run this single long command:
    for NIC in $(ifconfig | grep ethsBP | awk '{print $1}') ; do echo $NIC: ; ethtool -i $NIC | grep firmware ; done
  4. The 'firmware-version' has to be '12.22.1002' or higher.
Example output:
ethsBP4-01:
firmware-version: 12.22.1002
ethsBP4-02:
firmware-version: 12.22.1002
 R80.20SP -
MBS-5216 Maestro When VLAN traffic needs to traverse the Security Group in Bridge mode, you must configure all relevant VLAN IDs on the Uplink ports assigned to the Security Group in the Gaia Portal on the Maestro Orchestrator.

Note: Configure these VLAN IDs in the Gaia Portal on the Maestro Orchestrator.

Example Topology: (VLAN Trunk port) ==== (Uplink ports on Maestro Orchestrator that are assigned to a Security Group in Bridge mode).		 R80.20SP -
MBS-8480 Maestro It is not supported to configure a Bonding Group in LACP mode (8023AD) if at least one slave interface is shared between different Security Groups. R80.20SP -
MBS-4993 Maestro Configuring the state of the Forward Error Correction (FEC) manually is not supported. This feature is in the auto state by default. R80.20SP -
MBS-5225 Maestro Interfaces cannot be shared between Security Groups.

Resolved in Jumbo HFA R80.20SP Take 105: Added support for sharing of management interfaces between Security Groups. This applies to management interfaces that are not part of a MAGG interface in 802.3AD (LACP) mode (a Bond Interface on the Management Ports).”		 R80.20SP R80.20SP JHFA Take 105
(not supported in R81)
MBS-5339 Maestro VLAN interfaces are not supported on Maestro Hyperscale Orchestrator "Management" ports (ethX-MgmtY). R80.20SP -
MBS-4668 Maestro When two Maestro Hyperscale Orchestrators are connected together, and you need to disconnect many cables from one of the Maestro Hyperscale Orchestrators, first disconnect the cable from the dedicated Synchronization port. This prevents the LSP mechanism from disabling all ports on the other Maestro Hyperscale Orchestrator. R80.20SP -
MBS-7636 Maestro When several Downlink ports on an Orchestrator are connected to the same Security Appliance, these Downlink connections work only in the Active/Backup mode for IPv6 traffic (and not in the Load Sharing mode). R80.20SP -
Dynamic Routing
MBS-14221 All R80.30SP Security Groups do not support IPv6 Dynamic Routing protocols. R80.30SP R80.30SP JHFA Take 82
MBS-3951 All When you configure a routemap that includes the 'direct' parameter, it will also advertise the internal communication networks CIN and Sync. On Scalable Platforms and Maestro Security Appliances, you have to filter out manually such internal communication networks. R80.20SP -
MBS-3950 All If you filter the 'protocol direct' on a routemap and do not specify an interface, then it will also advertise the internal communication CIN and Sync networks. R80.20SP -
MBS-4172 All
  • PIM SSM mode is not supported on 40000 / 60000 Chassis.
  • PIM (all modes) is not supported on Maestro Security Groups.
 R80.20SP R81.10 JHFA Take 61
MBS-14222 All Scalable Platforms (Maestro and Chassis) do not support PIM. R80.20SP R80.20SP JHFA Take 313

R81.10 JHFA Take 61
01862808 All Critical Device (pnote) named routed was added to prevent traffic outage by allowing the RouteD daemon to synchronize BGP routes.
  • In BGP DR Manager failback scenarios, the old BGP DR manager will go down for 2 minutes.
  • When RouteD daemon restarts on BGP DR Manager, BGP DR Manager will go down for 2 minutes.
 R76SP.30 -
00736037 All OSPF is not supported on Management interfaces. R76SP -
00771254 All BGP confederations are not supported. R76SP -
MBS-14202 Maestro R80.30SP Security Groups do not support IPv6 OSPFv3. R80.30SP R80.30SP JHFA Take 97
IPv6
02487403 Chassis IPv6 02487403 SSM Layer4 Distribution Mode is supported for IPv4 only. The IPv6 traffic will be distributed based on the Source/Destination IP addresses only.

Note: a system can use SSM Layer4 Distribution Mode while IPv4 and IPv6 are inspected by the Security Gateway. Each IP version will use a different mechanism to distribute traffic, as described above.		 R76SP.50 -

Known Limitations - Software Blades
Firewall
PMTR-58383 All R81 does not support CGNAT with the Layer 4 distribution. R81 -
MBS-10099,
MBS-10790		 All R81 does not support Global NAT (GNAT) feature. R81 -
MBS-3946 All R80.20SP does not support Carrier Security (LTE). R80.20SP -
MBS-10788 Maestro Client Authentication is not supported when the Layer 4 distribution mode is enabled. R80.20SP -
VPN
MBS-11504 All R81 does not support the configuration of different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. R81 -
MBS-12310 All R81 does not support Large Scale VPN (LSV). R81 -
MBS-12312 All R81 does not support Route Based VPN. R81 R81 JHF Take 34 
MBS-14272 All Machine Certificate Authentication is not supported. RR0.20SP R81
MBS-14262 All Multiple ciphers for external Security Gateways in a single VPN community are not supported. R80.20SP R81
MBS-14268 All SHA512 is not supported in VPN Communities. R80.20SP R81
MBS-14408 All Simultaneous Login Prevention (SLP) is not supported on all Scalable Platforms versions (R76SP and higher).  R80.20SP -
MBS-4097 All
  • Site-to-Site VPN with IPv6 peers is not supported.
  • Remote Access VPN from IPv6 clients is not supported.
 R80.20SP -
MBS-2461 All It is not supported to initiate a connection from an SGM if the connection's destination requires encryption. R80.20SP R81.10
R81 JHF Take 34
MBS-5242 All VPN traffic on a VSX Virtual System that is connected to a VSX Virtual Switch is supported only when the distribution mode configured for the WRP interface is the same as the distribution mode configured for the physical interface on the VSX Virtual Switch.Example of a VSX topology:

(Virtual System) === wrp100 === (Virtual Switch) === (eth1-01)

The same distribution mode must be configured for the interface wrp100 as was configured for the interface eth1-01.		 R80.20SP -
MBS-5284 All VPN Permanent Tunnels are not supported. R80.20SP R81 JHF Take 34
MBS-2472 All In the Security Gateway object -> IPSec VPN, the Link Selection supports only the Always use this IP address selection methods:
  • Main address
  • Selected address from topology table
  • Statically NATed IP
 R80.20SP R81 JHFA Take 34
MBS-8298 All In a Security Group object, it is not supported to configure VPN on the Management port (eth_X_-Mgmt_Y_) assigned to the Security Group. R80.20SP -
MBS-8319 All
  • It is not supported to configure a Scalable Platform 40000 / 60000 object or a Maestro Security Group object as a VPN Satellite Gateway if other VPN peers communicate through it.
  • It is not supported to configure Client to Site traffic over the Site-to-Site VPN tunnel with a Scalable Platform 40000 / 60000 or a Maestro Security Group.
 R80.20SP R81 JHFA Take 34
MBS-8322 All VPN Wire mode is not supported. R80.20SP -
MBS-8316 All IPv6 VPN is not supported. R80.20SP -
02487412 All A VPN can be used with SSM Layer4 Distribution Mode, but the VPN traffic will be distributed based on the Source/Destination IP addresses. R76SP.50 R81 JHFA Take 34
MBS-7914 Maestro Multiple Entry Points (MEP) configuration using Dead Peer Detection (DPD) is not supported. R80.30SP -
MBS-9085 Maestro VPN is not supported in VSX mode if VPN traffic needs to pass through a VSX Virtual Switch. R80.30SP R81 JHFA Take 34
MBS-8938 Maestro R80.30SP does not support L2TP traffic passing to Security Groups. R80.30SP R81 JHFA Take 34
Threat Prevention (Anti-Virus, Anti-Bot, Threat Emulation, Threat Extraction)
MBS-12236 All R81 does not support SSH Deep Packet Inspection (SSH DPI). R81 R81.10
MBS-12330 All R81 does not support inspection of SMBv3 multi-channel with Anti-Virus and SandBlast Threat Emulation Software Blades. R81 -
MBS-13295 All R80.30SP and R81SP do not support Custom Intelligence Feeds. R80.30SP Supported in R80.20SP and in R81.10
MBS-4094 All R80.20SP does not support ICAP Server configuration. R80.20SP -
MBS-9405 All When the Threat Extraction blade is enabled, the original attachment file might not be available for download due to a limitation in a Cluster Load Sharing environment. It is recommended to disable this blade in the corresponding Threat Prevention profile. R80.20SP R80.20SP JHFA Take 279
(not supported in R81)
MBS-12070 Maestro If a Threat Prevention policy is installed on a Security Group, while a Security Group Member reboots, that Security Group Member may remain in the Down state after it boots.

To resolve: Manually reboot this Security Group Member.		 R81 -
- Maestro FTP protocol inspection with Anti-Virus and SandBlast Threat Emulation is not supported in R80.30SP. R80.30SP R81
PMTR-41415 Maestro In a ClusterXL Load Sharing mode:
  1. Due to the nature of transferring files over multiple connections, the following protocol features might not be inspected properly:
    • HTTP 206 Partial Content
    • SMBv3 Multi-Channel
    • FTP REST command used over multiple connections
  2. Protection based on threshold count (between connections) might not work properly:
    • Static protections
      • DNS tunnel
      • Sweep Scan protection
      • VoIP SIP
      • MGCP protection may not work over NAT
    • Protections that contain cross-connection logic
 R80.30SP -
MBS-9931 Maestro R80.30SP does not support the Threat Extraction Software Blade.
Contact Check Point Support to get a Hotfix.		 R80.30SP -
IPS
PMTR-62718 Maestro "Packet Capture was not found" error when clicking the "View Packet Capture" link in the IPS log. R81 -
DLP
MBS-13102, MBS-13243 All The Data Loss Prevention Software Blade does not support rules with the Action "Ask". R80.20SP -
Identity Awareness
MBS-14238 All Scalable Platforms do not support SAML for Identity Awareness. R81.10 -
MBS-12593 All You must enable the SMO Image Cloning before you add new members to a Security Group, if in the Security Gateway object you enabled the Identity Awareness Software Blade and an Identity Source (for example, AD Query or Identity Collector).
Note: If you do not enable the SMO Image Cloning, the new Security Group Member reboots several times before it is completely configured.		 R81 -
IDA-2339 All R81 does not support Microsoft Azure AD. R81 -
MBS-12840 All If you made changes in one of the Identity Session Conciliation files listed below in a Security Group, and you add a new Security Group Member:
  1. Manually copy these files to each new Security Group Member with the "asg_cp2blades" command
  2. In SmartConsole, install the applicable Access Control policy on the applicable Security Gateway object
List of files:
  • $FWDIR/conf/identity_sources_scores.C
  • $FWDIR/conf/pep_conciliation_scores.C
  • $FWDIR/conf/pdp_session_conciliation.C
 R81 -
MBS-10248 All Identity Broker configuration is not supported. R81 -
SPC-990 All Identity sharing must be configured with ethX-MgmtX and for communicating with the PDP side. R76SP.50 -
SPC-1569 All Identity Sharing is not supported with "Smart Pull".
Contact Check Point Support for assistance with replacing the configuration.		 R76SP.50 R80.20SP
Logs
MBS-2581 All Logs generated by Software Blades on Scalable Platforms, do not show the Group ID and SGM ID. R80.20SP R80.20SP (Take 302) /
R80.30SP (Take 73)
Application Control
MBS-8969 All Security Group members do not synchronize the configuration file $FWDIR/appi/update/appi_parameters.C automatically. For more information, see sk146993 - notes for Scalable Platforms. R80.20SP -
Mobile Access
MBS-14368 All The Mobile Access Portal Agent is not supported in R80.20SP and R80.30SP. R80.20SP -
MBS-8443 Maestro It is not supported to configure the IP address of the Security Group as the main URL of the Mobile Access Portal:
In SmartConsole > R80.30SP Security Gateway object > Mobile Access > Portal Settings > Main URL.		 R80.30SP -

Known Limitations - Monitoring
SNMP
MBS-3601 All The 'asg alert' command does not support sending alerts in SMS. R80.20SP -
01255170 Chassis For monitoring the 60000 / 40000 Scalable Platforms over the SNMP, the only supported OIDs are under iso.org.dod.internet.private.enterprise.checkpoint.products.asg (OID 1.3.6.1.4.1.2620.1.48). R76SP -
00630753 Chassis The 'snmpwalk' or 'snmpget' commands on OIDs that have prefixes with 1.3.6.1.4.1.2620.1.44.20 (asgIPv4PerformanceCounters) or 1.3.6.1.4.1.2620.1.44.21 (asgIPv6PerformanceCounters) display values calculated on the Active Chassis only. R76SP -
MBS-13073 Maestro SNMP OIDs 1.3.6.1.4.1.2021.10 (CPU load average) are not supported on Maestro Orchestrator. R80.20SP -
MBS-13867 Maestro The 'snmpwalk' and 'snmpget' commands executed for the IP address of the Security Group on OIDs that have prefixes other than 1.3.6.1.4.1.2620.1.44 or 1.3.6.1.4.1.2620.1.48 return information only for the current SMO Security Group Member.
To get the same information from non-SMO Security Group Members, connect to the command line of each non-SMO Security Group Member and run the 'snmpwalk' or 'snmpget' command for the 'localhost'.		 R80.20SP -

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment 

SECURE YOUR EVERYTHING

©

Copyright | Privacy Policy
Follow Us