Known Limitations for Scalable Platform and Maestro Appliances
Solution

This article lists all known limitations for R80.20SP, R80.30SP, and R81.

This is a live document that may be updated without special notice. We recommend that you register for our weekly updates in order to stay up to date. To register, go to UserCenter > ASSETS / INFO > My Subscriptions.

Important Notes:

  • If not stated otherwise, all limitations apply to both Security Gateway and VSX Gateway.
  • All limitations listed as part of R81 and above (sk166717) are relevant unless stated as resolved.
  • All limitations listed in R80.20 (sk122486) and R80.30 3.10 (sk152652) are relevant unless stated as resolved.
  • To see if a limitation has been resolved, enter its ID in the filtering field located at the top of the table. 

Non-Supported Features

  • Non-Supported Features - General
    • General
    • Gaia OS
    • Hardware
    • Licensing
    • Cluster
  • Non-Supported Features - Infrastructure
    • VSX
  • Non-Supported Features - Networking
    • Networking
    • IPv6
  • Non-Supported Features - Software Blades
    • Firewall
    • VPN
    • DLP
    • SmartView Monitor
    • QoS
    • SmartProvisioning

Known Limitations

  • Known Limitations - General
    • General
    • Gaia OS
    • Hardware
    • Management and Policy
    • Dual Site Deployment
    • VoIP
  • Known Limitations - Installation
    • Installation
    • Licensing
  • Known Limitations - Infrastructure
    • Security Gateway
    • VSX
    • SecureXL
    • CoreXL
    • Cluster
    • Hyper-Threading
  • Known Limitations - Networking
    • Networking
    • Dynamic Routing
    • IPv6
  • Known Limitations - Software Blades
    • Firewall
    • VPN
    • Threat Prevention (Anti-Virus, Anti-Bot, Threat Emulation, Threat Extraction)
    • IPS
    • DLP
    • Identity Awareness
    • Logs
    • Application Control
    • Mobile Access
  • Known Limitations - Monitoring
    • SNMP



ID Product Description Found in Resolved In

Non-Supported Features - General

General
MBS-3246 All 40000 / 60000 Appliances do not support:
  • DHCP Client configuration
  • DHCP Server configuration
  • DHCP for Office Mode 
  • Dynamically Assigned IP (DAIP) configuration
R80.20SP -
MBS-2379 All The image auto-clone feature (set smo image auto-clone state on) only supports SGMs that run the same major version. When you add a new SGM to the R80.20SP chassis (add smo security-group), the new SGM must have the same version installed as the SMO. R80.20SP -
MBS-1586 All The 'asg_syslog' command is no longer supported. Use the Gaia Clish 'set syslog ...' command instead. R80.20SP -
MBS-8327 All 40000 / 60000 Appliances and Maestro Security Appliances do not support the Management Data Separation feature (sk138672). R80.20SP -
MBS-1360 All To install a license with the 'cplic put' command, before you run the Gaia First Time Configuration Wizard, you must run the 'cplic put' command in Expert mode. R80.20SP -
MBS-8326 All 40000 / 60000 Appliances and Maestro Security Appliances do not support installation with the Central Deployment Tool (sk111158). R80.20SP -
SPC-89 All "Unified MAC for data ports" mode is not supported in VSX mode. R76SP.50 -
MBS-4866, MBS-11960, 01517974 All ISP Redundancy is not supported. R76SP.10 JHFA R80.20SP Take 305
01350464 All Hotfixes created for maintrain versions (and not specifically for Scalable Platforms) are not supported. R76SP -
00595914 All Security Server (FTP/HTTP with Resource) is not supported. R76SP -
00824847 All OPSEC SDK is not supported. R76SP -
01800842 All Hide NAT for traffic initiated from the Management interface of a Security Group is not supported. R76SP -
01322440 All A Security Group cannot be configured as a DHCP Server. R76SP -
SPC-929 All Dynamic NAT is not supported.  R76SP -
00772706 Chassis R76SP on 40000 / 60000 Appliances does not have a WebUI to configure and monitor the system. HTTP access to the system is blocked. R76SP R80.20SP 
MBS-5038 Maestro You can only connect two Maestro Security Orchestrators of the same model for redundancy. R80.20SP -
MBS-5033 Maestro You can assign only appliances of the same model to the same Security Group. R80.20SP -
MBS-5035 Maestro Maestro Hyperscale Orchestrator does not support:
  • 40000 / 60000 Appliances
  • Small Business and Branch Offices appliances 3000, 1400, 1200R, or lower.
R80.20SP -
MBS-5581 Maestro In R80.30 SmartConsole, when configuring a Maestro Security Gateway object, you must select only the R80.20SP version. R80.20SP -
MBS-6600 Maestro To support the auto-clone feature (set smo image auto-clone state on), you must install R80.20SP Jumbo Hotfix Accumulator (sk155832). R80.20SP -
MBS-9078 Maestro Output of the "asg_if" command on Maestro Security Group Members does not show the correct interface speed configured on the Maestro Orchestrator.
This is only a cosmetic issue.
R80.20SP -
Gaia OS
MBS-13308 All The "set iphelper" (IP Broadcast Helper) commands are not supported in Global Clish. R80.20SP -
MBS-2836 All The 'asg profile' command is not supported. R80.20SP -
MBS-3369 All The "asg_archive" utility is no longer supported. To monitor the history data, use the CPview History mode per SGM.  R80.20SP -
MBS-3625 All The 'save configuration' command in gclish is not supported. R80.20SP -
MBS-3579 All The Pingable Hosts State event type in the "asg alert" is not supported.  R80.20SP -
MBS-2372 All It is not supported to manually update or install the CPUSE Agent. R80.20SP -
MBS-5488 All The Gaia Clish / Gaia gClish command 'snapshot_recover' is not supported. R80.20SP JHFA R80.20SP Take 105
MBS-13339 All The "asg_dst_route" command is not supported. R80.20SP -
MBS-4756 Maestro Maestro Hyperscale System does not support Gaia Cloning Groups. R80.20SP -
MBS-5309 Maestro The Gaia Portal on Maestro Hyperscale Orchestrator supports these web browsers:
  • Google Chrome 71.0 and later
  • Microsoft Edge 40.15063 and later
  • Microsoft Internet Explorer 11.0.50 and later
  • Firefox 64.0 and later
R80.20SP -
Hardware
MBS-1244 All The Check Point Performance Sizing Utility 'cpsizeme' (see sk88160) is not supported. R80.20SP -
MBS-4754 All Central Management of Gaia Device Settings is not supported:
  1. In SmartConsole, click on "Gateways & Servers" on the navigation panel.
  2. Right-click on the Scalable Platform gateway object (or the Maestro Security Appliance gateway object). 
  3. The "Scripts" menu and "Actions" menu are not supported.  
R80.20SP -
MBS-13255 Chassis Serial Over Lan (SoL) connection to SGM400 is not supported. R81 -
MBS-3010 Chassis 4 x SSMs (Dual-Dual Star) deployment is not supported.  R80.20SP JHFA R80.20SP Take 242
MBS-3992 Chassis SSM60 is not supported by R80.20SP and higher. R80.20SP  -
02447213 Chassis 44000 / 64000 Appliances do not support DC Power Entry Modules (PEM). R76SP.50  -
02457673 Chassis On SSM440, interfaces eth<X>-Mgmt1 and eth<X>-Mgmt2 will not be used and should not be configured. The management interfaces are eth<X>-Mgmt4 and eth<X>-Mgmt3. R76SP.50 -
02439135 Chassis On SSM440, the auto-negotiation for Forward Error Correction (FEC) on 100Gb ports is not supported. FEC is enabled by default. The user can disable it manually in accordance with the settings on the peer side. R76SP.50 -
02160144 Chassis N+N Type Chassis (new model) and N+1 Type Chassis (old model) are not supported together in a cluster (Dual Chassis setup). R76SP.40 -
01007477 Chassis All SGMs in an environment must have the same number of CPU cores. Hybrid Systems (61000 Appliances with SGMs that have a different number of CPU cores) are not supported. Pre-R76SP -
MBS-5227 Maestro It is not supported to install both of the following expansion cards in the same Security Appliance connected to a Maestro Hyperscale Orchestrator:
  • 10 GbE and 40 GbE
  • 10 GbE and 100 GbE
R80.20SP -
MBS-6466 Maestro All Security Appliances in the same Maestro Security Group must have identical Expansion Cards installed (the type and the amount):
  • All Security Appliances must have 1 x Quad-Port NIC, 1 x Dual-Port NIC, or 2 x Dual-Port NICs.
  • All other Expansion Cards must be removed from all Security Appliances, even if these Expansion Cards are not used.
R80.20SP -
Licensing
MBS-7929 Maestro Central License is not supported on Maestro Security Appliances. R80.20SP -
Cluster
MBS-12225 All Multi-Version Cluster (MVC) is not supported. R81 -
MBS-12227 All Active-Active cluster does not support Scalable Platforms. R81 -
MBS-2521 All VRRP cluster configuration is not supported. R80.20SP -

Non-Supported Features - Infrastructure

VSX
MBS-3522 All Enabling ICMP / CCP probing on cluster interfaces (setting the value of the kernel parameter fwha_enable_if_probing to 1) is not supported in VSX mode. R80.20 -
01413513 All Virtual Routers are not supported. R76SP.10 -
01096568 All The VSX Gateway cannot be managed from data ports.
The supported Management interfaces are:
  • eth1-Mgmt1, eth1-Mgmt2, eth1-Mgmt3, eth1-Mgmt4
  • eth2-Mgmt1, eth2-Mgmt2, eth2-Mgmt3, eth2-Mgmt4
R76SP -

Non-Supported Features - Networking

Networking
02003875 All LACP is not supported with Management Aggregation (MAGG).

Note: Resolved for 40000 / 60000 Appliances, not for Maestro Security Appliances (see JHFA R80.20SP Take 210). 
R80.20SP JHFA R80.20SP Take 210
MBS-12823 All "6in4 tunnel" interface is not supported. R80.20SP -
MBS-4024 Chassis R80.20SP does not support the Bidirectional Forwarding Detection (BFD). R80.20SP IPv4/IPv6 support from R80.20SP Take 258
01262356 Chassis PIM Sparse mode is not supported when the 60000 / 40000 Scalable Platform is defined as a Rendezvous Point (RP). R76SP -
MBS-5482 Maestro It is not supported to configure an IPv6 address on ethX-MgmtX interfaces. R80.20SP -
MBS-5293 Maestro Maestro Hyperscale Orchestrator's dedicated Sync interface cannot be part of a bond interface. R80.20SP R80.20SP JHF 210
MBS-7022 Maestro The maximum supported number of VLAN interfaces on each Uplink port on a Maestro Orchestrator is 42. Refer to sk170294. R80.20SP JHFA R80.20SP Take 304
MBS-5104 Maestro You can only connect one DAC / Fiber cable between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator. Connecting two cables between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator is not supported. R80.20SP  JHFA R80.20SP Take 105
IPv6
02621541 All IPv6 VPN is not supported. R76SP -
MBS-11398 Chassis Correction is not supported for IPv6 local connections initiated from the Standby chassis.  R80.20SP -

Non-Supported Features - Software Blades

Firewall
02641733 All The 'fw sam' command (sk112061) is not supported.  R76SP -
SPC-986 All R76SP does not support Carrier Security (LTE) in VSX mode. R76SP -
VPN
01685300 All SSL VPN is not supported for deployments that use NAT on Office Mode network. R76SP.20 -
01445638 All Traditional mode VPN is not supported. R76SP.10 -
00737055 All Virtual Tunnel Interfaces (VTI) are not supported. R76SP -
00750851 All Route-based probing configuration is not supported for VPN Link Selection in High Availability mode. R76SP -
01344987 All Per-gateway VPN is not supported. R76SP -
01340588 All Corporate Enforcement is not supported. R76SP -
DLP
01157859, 01349731 All DLP Fingerprint is not supported. R76SP -
SmartView Monitor
00593173 All SmartView Monitor does not support 40000 / 60000 Appliances and Maestro Security Appliances.

Statistics are only collected from a single Security Group Member and do not describe all traffic that is passing through the system.
R76SP -
QoS
01248880 All The QoS blade is not supported. R76SP -
MBS-2641 Chassis The DiffServ honoring on SSM is not supported. R80.20SP -
SmartProvisioning
01511158 All SmartProvisioning is not supported. R76SP -

Known Limitations - General

General
MBS-12259 All R81 does not support Carrier Security (LTE). R81 -
MBS-12327 All R81 does not support "Generic Data Center" objects (described in sk167210). R81 -
MBS-11195 All R81 does not support Accelerated Policy Install. R81 -
MBS-10252 All R81 does not support Zero Touch. R81 -
MBS-12257 All R81 does not support the detection of IP address conflict in Gaia OS. R81 -
MBS-12307 All Management-as-a-Service (MaaS) is not supported. This applies to both Chassis and Maestro Security Appliances. R81 -
MBS-3363 All R80.20SP does not support the 'asg_selective_template_exclude' command. R80.20SP -
MBS-12749 All If you enabled and configured the ISP Redundancy on a Security Group, then to force an ISP Link State you must run the g_fw isp_link command in the Expert mode.
If you run the fw isp_link command on a specific Security Group Member, the command only changes the state of the ISP link on that Security Group Member.
R80.20SP -
MBS-13348 All ISP Redundancy is supported only on data interfaces.
Management interfaces and other internal control interfaces (for example, CIN) are not supported.
R80.20SP -
MBS-6188 All
  • Active-Backup bond is supported only when a Primary slave is configured (for example: set bonding group 1 primary eth1-05).
  • Active-Backup bond supports a maximum of 2 slaves.
R80.20SP -
MBS-9128 All The Unique IP address per Chassis (UIPC) feature is not supported for IPv6 addresses. R80.20SP -
SPC-1104 All Connections that arrive via the data interface and are sent out via the management interface are not supported.  R76SP.50 -
SPC-1111 All Connections that arrive via the management interface and are sent out via the data interface are not supported. R76SP.50 -
02476852 All Before importing a snapshot on SGM, you must check if there is enough free disk space. If necessary, delete old snapshots and other unneeded files to free up disk space. SGMs that do not have enough disk space will not create the snapshot in their database, and there will be no error message to indicate this. R76SP.50  -
01247865 All 'cpstop' and 'cpstart' commands are not supported. R76SP -
MBS-3114 Chassis You can restore snapshots only on the same chassis type and SGM model on which it was collected. R80.20SP -
MBS-6190, MBS-9202 Chassis R80.20SP on 40000 / 60000 Appliances does not support the Multiple Security Groups feature. R80.20SP JHFA R80.20SP Take 240
00738754 Chassis If SGMs lose connectivity to the CMM, the 'asg stat' command displays the most recent status of the system. For example, a chassis module that was "UP" before the CMM lost connectivity, continues to have the status "UP". The state of the CMM is changed to "DOWN". R76SP  -
PMTR-33894 All Maestro Security Group supports version R80.20SP only. R80.30 -
MBS-9590 Maestro After a new member was added to a Security Group using the image auto-clone feature, it might stay in the DOWN state (as the 'asg stat -v' command shows).
To resolve: Manually reboot the new member.
R80.30SP -
MBS-6968 Maestro When you configure an R80.30SP Security Gateway object in R80.x SmartConsole, in the "Version" field you must select "R80.30". R80.30SP R80.30 JHFA Take 163 (and above)
MBS-9698 Maestro The 'installer uninstall[TAB]' command in Gaia gClish on Security Group members might not show an installed Hotfix / Jumbo Hotfix Accumulator package.

To resolve: run these commands in Gaia gClish:
  1. show installer packages
  2. installer uninstall <Full Name of Package>
R80.30SP -
MBS-6140 Maestro Each Security Group must have a unique hostname. R80.20SP -
MBS-7289 Maestro "Added FTW configuration on MHOs:" is displayed in the Orchestrator Gaia Portal in the Security Group Summary window, even when the First Time Wizard settings are not configured. R80.20SP -
MBS-5754 Maestro It is not possible to access the new Security Group after its Management IP address was configured in the subnet 192.168.1.0/24.

To resolve: Refer to sk164372.
R80.20SP -
MBS-9830 Maestro Installing a Hotfix / Jumbo Hotfix Accumulator on all Security Group members at the same time (and not gradually) overrides the configuration of traffic distribution to default: general and L4 Distribution is enabled. R80.20SP JHFA R80.20SP Take 266
Gaia OS (Global Shell / Commands)
MBS-10755 All R81 does not support Gaia Scheduled Snapshots. R81 -
PRJ-20639, PMTR-63145 All R81 requires a hotfix to support Gaia Backup (Gaia Snapshots do not require a hotfix). Contact Check Point Support. R81 -
MBS-10753 All R81 does not support the configuration of the Link Layer Discovery Protocol (LLDP) in Gaia Portal or Gaia Clish. R81 -
MBS-10832 All R81 does not support Gaia REST API for Security Gateway configurations. R81 -
MBS-4080 All Gaia OS does not support Bond interface in Round Robin mode. R80.20SP -
MBS-964 All A Security Group cannot be configured as an NTP Server. R80.20SP -
02476859 All Gaia Clish command 'show snapshots' might display the following error: "NMSNAP9999 Timeout waiting for response from database server".

To resolve: Run the 'show snapshots' command again.
R76SP.50  -
02476902 All Gaia Clish command 'show snapshots' might display the following error: "NMSNAP0042 Snapshot mechanism is not supported in this system".

To resolve: Run the 'show snapshots' command again.
R76SP.50  -
00738300 All The 'asg' commands are an extension of native gclish commands.
The 'asg' commands have different syntax and there is no auto-completion.
R76SP  -
00642401 All A CLI command that uses a range for the parameter can only operate if all the relevant SGMs are defined in the security group. R76SP -
00621838 All From gclish, running the 'show hostname' command returns the hostname shared by all the SGMs, but not the specific ID for each SGM. The specific ID is displayed as %m. R76SP -
00633262 All The arguments of the global commands are processed before the local (native) arguments, and this can cause the local arguments to be ignored. For example, the 'g_ls -l /tmp/' command is processed as 'ls /tmp/' on the local SGM instead of as 'ls -l /tmp/' on all SGMs.

Relocating the local arguments within the command (where applicable) can resolve the problem. For example, run the 'g_ls /tmp/ -l' command instead of the 'g_ls -l /tmp/' command.
R76SP -
01061553 All When exporting or importing a snapshot, you must export from or import to the /var/log directory.
  • To export a snapshot, run the 'set snapshot export <image_name> path /var/log/' command.
  • To import a snapshot, run the 'set snapshot import <image_name> path /var/log/ name <new_name_for_image>' command.
R76SP -
01089206 All Running the 'asg_hard_shutdown' command on an SGM two times, one after the other, causes a reboot and not a shutdown.

It takes one minute for the SGM to shut down after running the 'asg_hard_shutdown' command. During this interval, do not run the 'asg_hard_shutdown' command again.
R76SP  -
01237799 All When you run multiple gclish 'set ...' commands, one after another, some of these commands can stop running. When this happens, the message "Processing Transaction" shows in the output.
MBS-6514  Chassis Setting the Minimum Number of Slaves in a Bond interface is not supported. R80.20SP  -
MBS-7145 Maestro R80.30SP does not support the Dynamic CLI as described in sk144112. R80.30SP -
MBS-12642 Maestro Gaia scheduled backup fails to run.
The /var/log/messages file contains the error "scheduled_backup: SGM isn't SMO, skipping scheduled backup".
R80.30SP JHFA R80.30SP Take 56
MBS-9357 Maestro R80.30SP does not support these CPUSE commands in Gaia Clish or Gaia gClish:
  • installer uninstall VALUE completely
  • installer uninstall VALUE last-take
Note: The command installer uninstall VALUE removes only the Hotfix / Jumbo Hotfix Accumulator specified in the "VALUE" parameter.
R80.30SP -
MBS-7069  Maestro Remote authentication for Expert mode using RADIUS / TACACS+ servers (the Gaia gClish command set expert-authentication-method {<shared-password> / <user-password>}) is not supported. R80.30SP -
MBS-5478 Maestro The 'asg_drop_monitor' command does not support the "-ssm -t<timeout>" parameter. R80.20SP -
MBS-5177 Maestro R80.20SP does not support the following Gaia Clish commands:
  • set chassis id VALUE alert_threshold cpus_temperature_threshold_low VALUE
  • set chassis id VALUE alert_threshold fans_threshold_high VALUE
  • set chassis id VALUE alert_threshold fans_threshold_low VALUE
  • set chassis id VALUE alert_threshold power_consumption_threshold_perc_high VALUE
  • set chassis id VALUE alert_threshold power_consumption_threshold_perc_low VALUE
  • set chassis id VALUE modules_amount cmm VALUE
  • set chassis id VALUE modules_amount fans VALUE
  • set chassis id VALUE modules_amount power_units VALUE
  • show chassis high-availability factors sensor cmm
  • show chassis high-availability factors sensor fans
  • show chassis high-availability factors sensor power_supplies
  • show chassis id VALUE alert_threshold cpus_temperature_threshold_high  
  • show chassis id VALUE alert_threshold cpus_temperature_threshold_low  
  • show chassis id VALUE alert_threshold fans_threshold_high
  • show chassis id VALUE alert_threshold fans_threshold_low
  • show chassis id VALUE alert_threshold power_consumption_threshold_perc_high
  • show chassis id VALUE alert_threshold power_consumption_threshold_perc_low
  • show chassis id VALUE modules_amount cmm
  • show chassis id VALUE modules_amount fans
  • show chassis id VALUE modules_amount power_units
R80.20SP -
MBS-7009 Maestro When creating Gaia OS users on Maestro Orchestrator, you must configure these users with UID 0. R80.20SP -
MBS-9523 Maestro It is not supported to create a Gaia snapshot on one Maestro Security Appliance and revert that Gaia snapshot on a Maestro Security Appliance in the same Security Group (for example, with the command 'snapshot_recover'). R80.20SP JHFA R80.20SP Take 273
Hardware
SPC-214 Chassis On SSM440, when working with a 1G copper transceiver in ethX-Mgmt4, after an SSM reboot the interface shows the link as up but traffic does not pass. Refer to sk126612. R76SP.50 -
02434343 Chassis On SSM440, error "Dot3Ah: Failed getting variable from bm" may appear when running the 'system reload' command. R76SP.50 -
02169635 Chassis On SSM440, the MTU is limited to a maximum of 9000 bytes. R76SP.50 -
02496928 Chassis Verification is needed after changing QSFP mode on SSMs:
"show smo verifiers print name <Port_Speed>".

If verification fails, change the QSFP mode on SSMs again:
"set ssm id <SSM_ID> qsfp-ports-mode <Port_Speed>"
R76SP.50  -
00624269 All The Ethernet ports on the SGMs are not used. Each SGM has two Ethernet ports that are not used by the system and must not be configured. The output of the 'ifconfig' command displays these ports as eth1 and eth2. R76SP -
MBS-3870 Chassis R80.20SP supports a maximum of two SSMs in a chassis (SSM1 and SSM2). R80.20SP -
02439227 Chassis On a 44000 chassis, PXE installation on Slot 6 (SGM 2_06 / SGM 1_06) is supported by changing the kdevice to eth3. R76SP.50  -
00894653 Chassis Transceivers for the 40000 / 60000 Appliance are not interchangeable with transceivers from other Check Point appliances. Only transceivers provided with the 40000 / 60000 Appliance are certified for this system. R76SP -
MBS-5205 Maestro Hardware Health Monitoring is not supported in Maestro Orchestrator. R80.20SP -
MBS-6583 Maestro After the Gaia OS installation completes on Maestro Security Appliances 5600, you must manually reboot them. R80.20SP -
Management and Policy
MBS-3001 All To fetch logs from Security Members, you must use SmartConsole. Running the 'fw fetchlog' command on the Management Server is not supported. R80.20SP -
MBS-8515 All NAT64 and NAT46 objects are not supported in the Access Control policy. R80.20SP -
PMTR-22530 Chassis Management API on an R80.10 Management Server does not support 40000 / 60000 Appliances that run R80.20SP. R80.10 JHFA R80.10 Ongoing Take 214 
Dual Site Deployment
MBS-7771 All In Dual Chassis deployment, the external synchronization network between the two Chassis (or between Orchestrators on different sites) must not contain Layer 3 routers (because they drop Cluster Control Protocol packets).  R80.20SP -
MBS-7769 All In Dual Site deployment, the external synchronization network between the Orchestrators on different sites (or between the two Chassis on different sites) must guarantee a latency of no more than 100ms and a packet loss of no more than 5%. R80.20SP -
MBS-6991 Maestro After Dual Site is configured, it is not supported to change the Site ID on the Orchestrators. R80.20SP -
MBS-7606 Maestro In Dual Site Deployment, each Security Group must contain at least one Security Appliance from each site. R80.20SP -
MBS-7028 Maestro In Dual Site Deployment, the following requirements apply to ports (and cables) on the Orchestrators that synchronize with each other on both sites:

(1) The same port type (mgmt / uplink / downlink / external sync / internal sync) must be configured for the same ports.

Example 1: 

If Port 5 on Orchestrator 1_1 is configured as uplink, then Port 5 on Orchestrator 2_1 must also be configured as uplink.

Example 2:

If Port 20 on Orchestrator 1_2 is configured as downlink, then Port 20 on Orchestrator 2_2 must also be configured as downlink.

(2) The split cables, and the ports to which they are connected, must be identical.

Example 1:

If a 4x10 DAC is connected to Port 5 on Orchestrator 1_1, then an identical 4x10 DAC must also be connected to Port 5 on Orchestrator 2_1.

Example 2:

If a 4x10 DAC is connected to Port 20 on Orchestrator 1_2, then an identical 4x10 DAC must also be connected to Port 20 on Orchestrator 2_2.
R80.20SP -
MBS-6947 Maestro In Dual Site deployment, no warning is displayed when changing the "type" of the QSFP port in Gaia Clish on Maestro Hyperscale Orchestrators on the local site, while the Maestro Hyperscale Orchestrators on the remote site are down. R80.20SP -
MBS-7744 Maestro In Dual Site deployment, the external synchronization connection between the Orchestrators on different sites must be a direct Layer 2 link. 

Note: L2 switches are supported beginning in Jumbo HFA 178, but Q-in-Q is required on the switch side. 
R80.20SP -
MBS-7773 Maestro In Dual Site deployment, each Security Group can contain a maximum of 28 Security Appliances (14 Security Appliances from each site). R80.20SP -
VoIP
PMTR-8896 All Asymmetric VoIP connections of SIP and SKINNY protocols do not survive cluster failover (between SGMs on the same chassis, and between dual chassis). R80.20SP -

Known Limitations - Installation

Installation / Upgrade
MBS-10552 All At the end of the installation of the R81 image on a Scalable Platform (Chassis / Maestro Security Appliance), a message appears "You may safely reboot your system".
You must manually reboot the Chassis / Security Appliance.
R81 -
01488400 All Running 'asg' or other global commands before the setup wizard completes is not supported. R76SP.10 -
Licensing
01951566, MBS-4510 All Installation of a Central license with SmartUpdate requires a policy installation on the Security Gateway / VSX Gateway (in the context of the VS0) object in order to propagate the license.  R76SP.40 -
MBS-6099 Maestro A Maestro Security Appliance that was removed from a Security Group and then added back to the same Security Group might not pull the license from the existing members of the Security Group. As a result, this Security Appliance remains in the DOWN state. R80.20SP JHFA R80.20SP Take 105

Known Limitations - Infrastructure

Security Gateway
MBS-4895 All R80.20SP does not support the 'fw sam_policy' ('fw samp') commands. R80.20SP JHFA R80.20SP Take 105
VSX
MBS-12240 All R81 does not support Threat Emulation and Identity Awareness Software Blades on VSX Virtual Systems in Bridge mode. R81 -
PMTR-64090 All A newly added Security Group Member remains in the DOWN state, if there was a Virtual System with the 'InitialPolicy' in the Security Group before you added that Security Group Member.
(The output of the cphaprob list command on the new Security Group Member shows that the Critical Device pull_config reports its state as problem.)

To avoid this issue:
  1. Examine the VSX state and policies on all Virtual Systems in the Security Group (with the vsx stat command)
  2. If there is a Virtual System with the 'InitialPolicy', install the applicable Access Control policy on that Virtual System
R81 -
MBS-12664 All To configure VSX Virtual Switches to forward IPv4 multicast traffic or any IPv6 traffic, it is necessary to disable the correction of local connections:
1. Connect to the command line on the applicable Security Group
2. Log in to Expert mode
3. Run this command to disable the correction of local IPv4 connections in the current session:
g_fw ctl set int fwha_local_chassis_state_correction 0
4. Run this command to disable the correction of local IPv6 connections in the current session:
g_fw6 ctl set int fwha_local_chassis_state_correction 0
5. Run this command to disable the correction of all local connections permanently:
g_update_conf_file fwkern.conf fwha_local_chassis_state_correction=0
R81 -
MBS-12574 All In rare scenarios, after you change the number of CoreXL Firewall instances in a Virtual System object in SmartConsole and click OK:
  1. In SmartConsole, the VSX Operation Progress window shows "Operation ended with errors".
  2. On the Security Group, the output of the "asg stat -v" command shows that the state of the SMO Security Group Member changed to "DOWN".
To resolve:
  1. Reboot the affected Security Group Member (reboot -b <ID>)
  2. In SmartConsole, change the number of CoreXL Firewall instances in the Virtual System object and click OK.
  3. Install policy on the Virtual System object. 
R81 -
MBS-9806 Maestro R80.30SP does not support VSX Virtual Switches.

Important Note: If you created Virtual Switches in R80.30SP with the R80.30SP Jumbo Hotfix Accumulator Take 56 or Take 49, you must install a special hotfix before you install the R80.30SP Jumbo Hotfix Accumulator Take 73 or higher. See sk171917.

R80.30SP R80.30SP JHFA Take 73
PRJ-19784 Maestro In rare cases, after you reconfigure a VSX Gateway with the "vsx_util reconfigure" command, static routes or MTU might not be configured on Virtual Systems.

To resolve:

  1. Connect with SmartConsole to the Management Server that manages the affected Virtual System and open the Virtual System object.
  2. To resolve an issue with static routes: write down the current static routes in some text editor > remove the static routes > click OK > open the Virtual System object again > add the static routes > click OK.
  3. To resolve an issue with an MTU value: change the current MTU value to the required MTU value > click OK.
R80.30SP -
MBS-6306 All R80.20SP does not support Log Server Distribution (asg_log_servers). R80.20SP JHFA R80.20SP Take 105
MBS-5636 All A reset of SIC between the chassis in VSX mode and the Management Server (or between the Security Appliances in VSX mode and the Management Server) might cause the non-SMO members to change their state to DOWN.

To recover: Reboot the non-SMO members.
R80.20SP JHFA R80.20SP Take 105
MBS-3209 All R80.20SP does not support Multi Bridge (support for multiple bridge interfaces on a Virtual System in Bridge Mode). R80.20SP -
MBS-4228 All After re-configuring a VSX Gateway with the 'vsx_util reconfigure' command, you must manually install policy on each Virtual System from SmartConsole. R80.20SP -
MBS-6775 All While the Image Cloning feature is enabled, a Security Group member may reboot more than one time.
To resolve: Disable the Image Cloning feature on the SMO member to stop these reboots.
R80.20SP -
02024482 All After running the 'vsx_util reconfigure' command on the Management Server, the VLAN interface on a Security Group in VSX mode might come up without an IP address if the VLAN's MTU was set to a value larger than 1500.
Refer to sk111513.
R76SP.40 -
01821671 All In VSX HA mode, VLAN trunk ports cannot be monitored from the context of Virtual Systems (only from the context of the VSX Gateway itself - VS0).  R76SP.30  -
01812597 All Do not perform any local configuration on a Security Group or on Security Group Members while 'vsx_util reconfigure' is running on the Management Server.

It is necessary to wait until all Security Group Members and Virtual Systems are up and running (otherwise, the local configuration will not be applied).
R76SP.30  -
01620389 All You cannot configure Bond interfaces on chassis Management ports after you create the VSX object in SmartDashboard. R76SP.20 -
01097957 All If you lower the Connections Table limit of a Virtual System, and one of the SGMs has as many connections as the new limit or more, the new value is rejected for that SGM. The new Connections Table limit may be accepted by other SGMs.

Notes:
  • To see the current number of entries in the Connections Table, run this command in Expert mode: [Expert@HostName:0]# fw tab -t connections -s
  • To configure the Connections Table limit of a Virtual System: In SmartDashboard, open the Virtual System object - go to the "Capacity Optimization" pane - set the value in the "Limit the maximum concurrent connections" field - click on OK - install the policy.
R76SP  -
00922958 All The Alerts configuration wizard does not allow setting of performance thresholds per Virtual System. You can manually configure thresholds for Virtual Systems using the 'dbset' command from the Expert shell:

[Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold: <alert_name> <value>

Where <value> is the percentage of the default threshold per Security Group Member.

Example:

[Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:packet_rate_threshold_high 30

In this example, an alert is triggered when any Virtual System packet rate is higher than 30% x 1.8MB (1.8MB is the default packet rate threshold per SGM).

Note:

One ratio applies to all Virtual Systems.
R76SP -
01341918 All You cannot enable IPv6 before you create and configure a new VSX Gateway. You must first create the new VSX Gateway and then enable and configure IPv6 using gclish. R76SP -
01527874 Chassis Virtual Switches without physical interfaces are not supported for Chassis VSLS. R76SP.10_VSLS  -
01284809 Chassis To use the Sync Lost mechanism, you must keep the Management interfaces for both chassis connected. R76SP -
01087321 Chassis VSX Gateway creation in SmartConsole and the 'vsx_util reconfigure' command are supported when only the left-most SGM is in the Security Group. R76SP  -
MBS-10271 Maestro The 'drop_monitor' command fails with "Error! Failed to get current VS id." on a Security Group in VSX mode.
Solution is planned for future Takes of the R80.30 Jumbo Hotfix Accumulator (sk165312).
R80.30SP -
MBS-8837  Maestro In the context of a Virtual System in Bridge Mode:
  • The output of the asg diag verify "ARP Consistency" command shows "Failed" in the "Result" column.
  • The output of the asg_arp command shows "No matches found".
R80.30SP -
MBS-5214 Maestro R80.20SP does not support VSX Virtual Switches. R80.20SP JHFA R80.20SP Take 178
MBS-5457 Maestro If after creating a new Virtual System object, policy installation on a Security Group object fails with "Error code: 0-2000240", wait 2-3 minutes and install the policy again. R80.20SP JHFA R80.20SP Take 105
MBS-6572 Maestro A change in the number of CoreXL Firewall instances (in a VSX Virtual System object in SmartConsole) in Dual Chassis VSLS setup requires a downtime, because the Virtual System must be restarted. During this restart, traffic cannot pass through the Virtual System. R80.20SP -
MBS-6176 Maestro To create a VSX Gateway object in SmartConsole for a Maestro Security Group:
  1. Assign at least two interfaces to the Security Group.
  2. Install the R80.20SP Jumbo Hotfix Accumulator (sk155832) on all Security Appliances in the Security Group.
  3. In SmartConsole, create a VSX Gateway object.
R80.20SP -
MBS-7888 Maestro Interface Active Check is not supported in VSX mode.  R76SP.30  -
SecureXL
MBS-3259 All R80.20SP does not support Fast Accelerator (see sk156672 for more details). R80.20SP JHFA R80.20SP Take 178
MBS-5415 All Configuring the 'SYN Attack' protection in SmartConsole is not supported. You must only use the 'fwaccel synatk' and 'fwaccel6 synatk' CLI commands. R80.20SP -
MBS-6834 All Security Group members do not pull the SecureXL configuration from the $PPKDIR/conf/simkern.conf file on the SMO SGM. R80.20SP JHFA R80.20SP Take 121
MBS-8143 All These SecureXL commands are not supported:

  • g_fw sam_policy batch
  • g_fw6 sam_policy batch 
R80.20SP -
MBS-5610 Chassis An Accelerated SYN Defender configuration made with the 'fwaccel synatk' / 'fwaccel6 synatk' commands might not be applied on non-SMO members. R80.20SP JHFA R80.20SP Take 105
MBS-9650 Chassis
  1. Output of the 'asg perf -p' command shows that the "Throughput" is 0 in the "Firewall" column.
  2. Output of the 'asg perf -v' command shows that the "Throughput" value is lower than expected (the F2F traffic is missing).
  3. SNMP Query for OID .1.3.6.1.4.1.2620.1.48.20.1.0 (asgThroughput) returns a value lower than expected (the F2F traffic is missing).
R80.20SP -
CoreXL
MBS-10244 All R81 does not support CoreXL Dynamic Balancing. R81 -
MBS-12224 All If only one CPU core runs as a CoreXL SND on Security Group Members, these cosmetic issues can occur:
  • Output of the "asg_perf" command is empty.
  • Output of the "cores_verifier" command shows "Error: unable to obtain value from smodb". 
  • Output of the "cores_verifier" command shows "Error: BPEth0 doesn't exist in /proc/interrupts". 
R80.30SP -
MBS-8151 Maestro By default, CoreXL is disabled on Maestro Security Appliances 5600. To enable and configure CoreXL, refer to the R80.20SP Maestro Performance Tuning Guide (chapter: CoreXL).  R80.20SP -
Cluster
MBS-6084 All To support asymmetric connections, it is necessary to enable the cluster synchronization in the corresponding service's properties (Advanced pane > in the Cluster and synchronization section, select Synchronize connections if Synchronization is enabled on the cluster > install policy). R80.20SP JHFA R80.20SP Take 105
MBS-5864 All It is necessary to install policy after changing the mode of a bond interface (for example, from XOR to 802.3AD), so that the bond interface is monitored by the cluster. For 40000 / 60000 Appliances, applies to Dual Chassis. R80.20SP JHFA R80.20SP Take 105
MBS-7913 Maestro Cluster Control Protocol (CCP) encryption is not supported. R80.30SP -
MBS-7946 Maestro The Interface Active Check feature (setting the value of the kernel parameter fwha_enable_if_probing to 1) is not supported. R80.30SP -
Hyper-Threading
MBS-3106 All In VSX mode, after disabling or enabling the Hyper-Threading feature in the cpconfig menu and rebooting, another reboot is required for the system to apply the Multi-Queue configuration. R80.20SP -

Known Limitations - Networking

Networking
PMTR-60868 All R81 does not support GRE interfaces. R81 -
MBS-11278 All Unique IP address per Chassis (UIPC) feature is not supported. R81 -
MBS-2199 All After a failover of the FTP control connection in Scalable Platforms, it is not possible to open an asymmetric FTP data connection.  R80.20SP -
MBS-4098 All GRE tunnel is not supported.  R80.20SP -
MBS-1274 All R80.20SP does not support the reserved connections feature (the 'asg_reserved_conns' command). R80.20SP -
MBS-3897 All R80.20SP does not support Alias IP addresses on its interfaces. R80.20SP JHFA R80.20SP Take 279, JHFA R80.30SP Take 49
MBS-2049 All After installation, a static route to 192.168.1.254 is automatically created due to the preconfigured subnet for the eth1-Mgmt4 interface.

If you need to configure another static route for the eth1-Mgmt4 interface:

  1. Remove the current static route to 192.168.1.254
  2. Add the required static route for the eth1-Mgmt4 interface. 
R80.20SP -
MBS-9105 All When IPv6 traffic passes through Security Groups, it is not supported to disable the 'Drop out of state TCP packets' setting in SmartConsole > Global properties > Stateful Inspection. R80.20SP -
MBS-9713 All "Failed to set MTU 9000 on interface magg0. Maximum value allowed is 9710." error when running the Gaia gClish command "set interface magg0 mtu <Value>" for a Management Aggregation (MAGG) interface.

Workaround:
  1. Configure the MTU on any of the data interfaces to a value greater than 1500.
  2. Configure the MTU on the MAGG interface to a required value. 
R80.20SP -
MBS-9798 All Scalable Platforms and Maestro Security Appliances support fragmented packets with Layer 4 distribution only in Gateway mode with CoreXL enabled. R80.20SP -
01052419 All Connections may break when you change the System Distribution Mode using either the 'set distribution configuration' command or the 'set distribution interface' command. R76SP  -
01176232 All Virtual System with VLAN interfaces in Bridge Mode does not support non-IP protocols. R76SP  -
MBS-3944 Chassis Asymmetric traffic between two chassis in Dual Chassis deployment is not supported. R80.20SP  -
MBS-1520 Chassis Group of Bonds (ABXOR) is not supported. R80.20SP -
MBS-5164 Chassis The 'asg_tmpl_special_svcs' command is no longer supported. R80.20SP -
MBS-5311 Chassis QoS is not supported on the SSM data ports (the 'set ssm id data-port qos status on' command). R80.20SP -
MBS-2354 Chassis TFTP connections do not survive failover when using SSM440 and the distribution matrix size of 16K. R80.20SP -
MBS-7014 Chassis You must configure the Bond Interface on the Management Ports (MAGG) only from gClish. Configuring MAGG in Gaia Portal is not supported. R80.20SP -
- Chassis When using SGM400, 40GB Back Plane (BP) connectivity speed is supported for both SSM160 and SSM440. In order to switch to 40GB, the SSM's downlink ports should be set to 'Auto' Speed. Refer to sk118435. R76SP.50  -
MBS-2991, MBS-6601, SPC-994 Chassis Configuration of RX/TX ringsize is supported only on eth<X>-Mgmt4 and BPEth<X> interfaces (either with the Expert command 'ethtool -g', or the Gaia Clish command 'set interface ...'). R76SP.50 -
00846789 Chassis R76SP does not support VLANs on a Management interface. R76SP  -
PMTR-60874 Maestro R81 does not support VxLAN interfaces. R81 -
MBS-3859 Maestro If you installed a 40 GbE card or a 100 GbE card on a Check Point appliance you wish to connect to the Maestro Security Orchestrator, and you did not receive this card as part of the Maestro product, make sure this card meets the minimal requirements:

1. Connect to the command line of the Check Point appliance.

2. Log into Expert mode.

3. Run this single long command:

[Expert@Appliance:0]# for NIC in $(ifconfig | grep ethsBP | awk '{print $1}') ; do echo $NIC: ; ethtool -i $NIC | grep firmware ; done

4. The 'firmware-version' has to be '12.22.1002' or higher.

Example output:

ethsBP4-01:
firmware-version: 12.22.1002
ethsBP4-02:
firmware-version: 12.22.1002
R80.20SP -
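An added example, not Check Point's code: the loop in step 3 only prints the firmware versions, so this script reads that output and lists every ethsBP port whose version is below the 12.22.1002 minimum from step 4, comparing the dotted fields numerically. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag backplane NICs whose firmware is below the minimum
# stated in step 4. Function names and sample data are constructed.

MIN_FW="12.22.1002"   # minimum 'firmware-version' from step 4

# version_ge A B: succeeds when dotted version A >= B, comparing each field
# as a number (so 12.100.6 is newer than 12.22.1002, unlike a string compare).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }' </dev/null
}

# failing_nics: reads the step 3 loop output on stdin ("NIC:" line followed by
# a "firmware-version:" line) and prints "NIC VERSION" for each port that is
# below MIN_FW, or "NIC unreadable" when no numeric version can be parsed.
failing_nics() {
    nic=""
    while IFS= read -r line; do
        case "$line" in
            firmware-version:*)
                ver=${line#firmware-version:}
                # Keep the first token only, in case text follows the number.
                ver=$(printf '%s\n' "$ver" | awk '{print $1}')
                case "$ver" in
                    ''|*[!0-9.]*) printf '%s %s\n' "$nic" "unreadable" ;;
                    *) version_ge "$ver" "$MIN_FW" || printf '%s %s\n' "$nic" "$ver" ;;
                esac
                ;;
            *:) nic=${line%:} ;;
        esac
    done
}

# Constructed sample in the same layout as the example output above.
sample_output() {
cat <<'EOF'
ethsBP4-01:
firmware-version: 12.22.1002
ethsBP4-02:
firmware-version: 12.21.2010
ethsBP5-01:
firmware-version: 12.100.6
ethsBP5-02:
firmware-version:
EOF
}

# On an appliance, pipe the loop from step 3 into failing_nics instead.
# Empty output means every port meets the minimum.
sample_output | failing_nics
```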
MBS-5216 Maestro When VLAN traffic needs to traverse the Security Group in Bridge mode, you must configure all relevant VLAN IDs on the Uplink ports assigned to the Security Group in the Gaia Portal on the Maestro Orchestrator.

Note: Configure these VLAN IDs in the Gaia Portal on the Maestro Orchestrator.

Example Topology: (VLAN Trunk port) ==== (Uplink ports on Maestro Orchestrator that are assigned to a Security Group in Bridge mode).
R80.20SP -
MBS-8480 Maestro It is not supported to configure a Bonding Group in LACP mode (8023AD) if at least one slave interface is shared between different Security Groups. R80.20SP -
MBS-4993 Maestro Configuring the state of the Forward Error Correction (FEC) manually is not supported. This feature is in the auto state by default. R80.20SP -
MBS-5225 Maestro Interfaces cannot be shared between Security Groups.

Resolved in Jumbo HFA R80.20SP Take 105: Added support for sharing of management interfaces between Security Groups. This applies to management interfaces that are not part of a MAGG interface in 802.3AD (LACP) mode (a Bond Interface on the Management Ports).
R80.20SP JHFA R80.20SP Take 105 
MBS-5339 Maestro VLAN interfaces are not supported on Maestro Hyperscale Orchestrator "Management" ports (ethX-MgmtY). R80.20SP -
MBS-4668 Maestro When two Maestro Hyperscale Orchestrators are connected together, and you need to disconnect many cables from one of the Maestro Hyperscale Orchestrators, first disconnect the cable from the dedicated Synchronization port. This prevents the LSP mechanism from disabling all ports on the other Maestro Hyperscale Orchestrator. R80.20SP -
MBS-7636 Maestro When several Downlink ports on an Orchestrator are connected to the same Security Appliance, these Downlink connections work only in the Active/Backup mode for IPv6 traffic (and not in the Load Sharing mode). R80.20SP -
Dynamic Routing
MBS-3951 All When you configure a routemap that includes the 'direct' parameter, it will also advertise the internal communication networks CIN and Sync. On Scalable Platforms and Maestro Security Appliances, you have to manually filter out such internal communication networks. R80.20SP -
MBS-3950 All If you filter the 'protocol direct' on a routemap and do not specify an interface, then it will also advertise the internal communication CIN and Sync networks. R80.20SP -
MBS-4172 All
  • PIM mode 'SSM' is not supported on 40000 / 60000 Appliances.
  • PIM is not supported on Maestro Security Appliances.
R80.20SP
01862808 All Critical Device (pnote) named routed was added to prevent traffic outage by allowing the RouteD daemon to synchronize BGP routes.
  • In BGP DR Manager failback scenarios, the old BGP DR manager will go down for 2 minutes.
  • When RouteD daemon restarts on BGP DR Manager, BGP DR Manager will go down for 2 minutes.
R76SP.30 -
00736037 All OSPF is not supported on Management interfaces. R76SP -
00771254 All BGP confederations are not supported. R76SP -
IPv6
02487403 Chassis SSM Layer4 Distribution Mode is supported for IPv4 only. The IPv6 traffic will be distributed based on the Source/Destination IP addresses only.

Note: A system can use SSM Layer4 Distribution Mode while IPv4 and IPv6 are inspected by the Security Gateway. Each IP version will use a different mechanism to distribute traffic, as described above.
R76SP.50 -

Known Limitations - Software Blades

Firewall
PMTR-58383 All R81 does not support CGNAT with the Layer 4 distribution. R81 -
MBS-10099, MBS-10790 All R81 does not support the Global NAT (GNAT) feature. R81 -
MBS-3946 All R80.20SP does not support Carrier Security (LTE). R80.20SP -
MBS-10788 Maestro Client Authentication is not supported when the Layer 4 distribution mode is enabled. R80.20SP -
VPN
MBS-11504 All R81 does not support the configuration of different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. R81 -
MBS-12310 All R81 does not support Large Scale VPN (LSV). R81 -
MBS-12312 All R81 does not support Route Based VPN. R81 -
MBS-4097 All
  • Site-to-Site VPN with IPv6 peers is not supported.
  • Remote Access VPN from IPv6 clients is not supported.
R80.20SP -
MBS-2461 All It is not supported to initiate a connection from an SGM if the connection's destination requires encryption. R80.20SP -
MBS-5242 All VPN traffic on a VSX Virtual System that is connected to a VSX Virtual Switch is supported only when the distribution mode configured for the WRP interface is the same as the distribution mode configured for the physical interface on the VSX Virtual Switch. Example of a VSX topology:

(Virtual System) === wrp100 === (Virtual Switch) === (eth1-01)

The same distribution mode must be configured for the interface wrp100 as was configured for the interface eth1-01.
R80.20SP -
MBS-5284 All VPN Permanent Tunnels are not supported. R80.20SP -
MBS-2472 All In the Security Gateway object -> IPSec VPN, the Link Selection supports only these "Always use this IP address" selection methods:
  • Main address
  • Selected address from topology table
  • Statically NATed IP
R80.20SP -
MBS-8298 All In a Security Group object, it is not supported to configure VPN on the Management port (eth_X_-Mgmt_Y_) assigned to the Security Group. R80.20SP -
MBS-8319 All
  • It is not supported to configure a Scalable Platform 40000 / 60000 object or a Maestro Security Group object as a VPN Satellite Gateway if other VPN peers communicate through it.
  • It is not supported to configure Client to Site traffic over the Site-to-Site VPN tunnel with a Scalable Platform 40000 / 60000 or a Maestro Security Group.
R80.20SP -
MBS-8322  All VPN Wire mode is not supported. R80.20SP -
MBS-8316 All IPv6 VPN is not supported. R80.20SP -
02487412 All A VPN can be used with SSM Layer4 Distribution Mode, but the VPN traffic will be distributed based on the Source/Destination IP addresses. R76SP.50 -
MBS-7914 Maestro Multiple Entry Points (MEP) configuration using Dead Peer Detection (DPD) is not supported. R80.30SP -
MBS-9085  Maestro VPN is not supported in VSX mode if VPN traffic needs to pass through a VSX Virtual Switch. R80.30SP -
MBS-8938 Maestro R80.30SP does not support L2TP traffic passing to Security Groups. R80.30SP -
Threat Prevention (Anti-Virus, Anti-Bot, Threat Emulation, Threat Extraction)
MBS-12236 All R81 does not support SSH Deep Packet Inspection (SSH DPI). R81 -
MBS-12330 All R81 does not support inspection of SMBv3 multi-channel with Anti-Virus and SandBlast Threat Emulation Software Blades. R81 -
MBS-12070 Maestro If a Threat Prevention policy is installed on a Security Group while a Security Group Member reboots, that Security Group Member may remain in the Down state after it boots.

To resolve: Manually reboot this Security Group Member.
R81 -
- Maestro FTP protocol inspection with Anti-Virus and SandBlast Threat Emulation is not supported in R80.30SP.  R80.30SP R81
PMTR-41415 Maestro In a ClusterXL Load Sharing mode:

1. Due to the nature of transferring files over multiple connections, the following protocol features might not be inspected properly:
  • HTTP 206 Partial Content
  • SMBv3 Multi-Channel
  • FTP REST command used over multiple connections
2. Protection based on threshold count (between connections) might not work properly:
  • Static protections
    • DNS tunnel
    • Sweep Scan protection 
    • VoIP SIP
    • MGCP protection may not work over NAT
  • Protections that contain cross-connection logic
R80.30SP -
MBS-9931 Maestro R80.30SP does not support the Threat Extraction Software Blade. Contact Check Point Support to get a Hotfix.  R80.30SP -
MBS-4094 All R80.20SP does not support ICAP Server configuration. R80.20SP -
MBS-9405 All When the Threat Extraction blade is enabled, the original attachment file might not be available for download due to a limitation in a Cluster Load Sharing environment. It is recommended to disable this blade in the corresponding Threat Prevention profile.  R80.20SP JHFA R80.20SP Take 279
IPS
PMTR-62718 Maestro "Packet Capture was not found" error when clicking the "View Packet Capture" link in the IPS log. R81 -
DLP
MBS-13102, MBS-13243 All The Data Loss Prevention Software Blade does not support rules with the Action "Ask". R80.20SP -
Identity Awareness
MBS-12593 All You must enable the SMO Image Cloning before you add new members to a Security Group, if in the Security Gateway object you enabled the Identity Awareness Software Blade and an Identity Source (for example, AD Query or Identity Collector).
Note: If you do not enable the SMO Image Cloning, the new Security Group Member reboots several times before it is completely configured.
R81 -
IDA-2339 All R81 does not support Microsoft Azure AD. R81 -
MBS-12840 All If you made changes in one of the Identity Session Conciliation files listed below in a Security Group, and you add a new Security Group Member:
  1. Manually copy these files to each new Security Group Member with the "asg_cp2blades" command
  2. In SmartConsole, install the applicable Access Control policy on the applicable Security Gateway object
List of files:
  • $FWDIR/conf/identity_sources_scores.C
  • $FWDIR/conf/pep_conciliation_scores.C
  • $FWDIR/conf/pdp_session_conciliation.C
R81 -
MBS-10248 All R80.20SP does not support Identity Broker configuration. R80.20SP -
SPC-990 All Identity sharing must be configured with ethX-MgmtX and for communicating with the PDP side. R76SP.50 -
SPC-1569 All Identity Sharing is not supported with "Smart Pull". Contact Customer Support for assistance with replacing the configuration.  R76SP.50 R80.20SP
Logs
MBS-2581 All Logs generated by Software Blades on Scalable Platforms do not show the Group ID and SGM ID. R80.20SP R80.20SP (Take 302) /
R80.30SP (Take 73)
Application Control
MBS-8969 All Security Group members do not synchronize the configuration file $FWDIR/appi/update/appi_parameters.C automatically. For more information, see sk146993 - notes for Scalable Platforms. R80.20SP -
Mobile Access
MBS-8443 Maestro It is not supported to configure the IP address of the Security Group as the main URL of the Mobile Access Portal: In SmartConsole > R80.30SP Security Gateway object > Mobile Access > Portal Settings > Main URL.   R80.30SP -

Known Limitations - Monitoring

SNMP
MBS-3601 All The 'asg alert' command does not support sending alerts in SMS. R80.20SP -
01255170 Chassis For monitoring the 60000 / 40000 Scalable Platforms over the SNMP, the only supported OIDs are under iso.org.dod.internet.private.enterprise.checkpoint.products.asg (OID 1.3.6.1.4.1.2620.1.48). R76SP -
00630753 Chassis The 'snmpwalk' or 'snmpget' commands on OIDs that have prefixes with 1.3.6.1.4.1.2620.1.44.20 (asgIPv4PerformanceCounters) or 1.3.6.1.4.1.2620.1.44.21 (asgIPv6PerformanceCounters) display values calculated on the Active Chassis only. R76SP -
MBS-13073 Maestro SNMP OIDs 1.3.6.1.4.1.2021.10 (CPU load average) are not supported on Maestro Orchestrator. R80.20SP -
