Check Point R80.20 for 1500 Appliances Features and Known Limitations
Branch Office Appliances
Platform / Model
This article lists all known limitations for Check Point R80.20 for 1550 / 1590 Appliances.
This is a live document that may be updated without special notice. We recommend that you register for our weekly updates in order to stay up to date. To register, go to UserCenter > ASSETS / INFO > My Subscriptions.
This article contains two sections:
Supported and Unsupported Features
Supported and Unsupported Features
Blade / Feature
Application Control Blade
URL Filtering Blade
Data Loss Prevention (DLP) Blade
Network Address Translation (NAT)
UserCheck client is not supported
Rule Hit Count
FQDN Object for locally managed is supported in R80.20.01 and above.
Suspicious Activity Monitoring (SAM) Rules
Inbound HTTPS Inspection
Categorization enabled with full SSL inspection
VPN and Remote Access
IPSec VPN Blade
Mobile Access Blade
Remote access clients are supported (Endpoint, SNX).
Configuring appliances with a DNS server that does not resolve public domain names may cause issues in various features, including timeouts during SIC establishment, an unresponsive log page, and more. Make sure to configure DNS servers that can be reached from the appliance.
Long connections with many HTTP sessions that transfer files to the server and back cause high memory consumption.
Bridge interfaces cannot be disabled.
'Gaia OS' Best Practices are not supported for 1550 / 1590 appliances. Refer to sk108416.
Firmware and Configuration
Gradual deployments are not supported.
When configuring the First Time Configuration Wizard from the WAN interface you cannot set the SIC One-Time-Password immediately after the FTW. To set it you need to refresh your web browser first.
The "Force Member Down" button does not work in a local cluster configuration when the Internet connection interface is set to "Monitored" and the cluster members do not have similar Internet connection names.
Workaround: Rename the Internet connections so that they are the same for both cluster members.
When configuring a cluster and setting DHCP on one of the cluster interfaces, a DHCP server might include the other cluster member's IP address in its available IP addresses range. Therefore, the DHCP server might serve this IP to another computer in the same network which will cause connectivity issues.
Workaround: Manually exclude the other cluster member's IP address from the range.
Before configuring a local cluster, make sure that the sync interface is unassigned by checking the Device -> Local Network page in the WebUI.
Cluster mode configuration of the gateway is not supported in CLI.
When configuring a cluster, you cannot use a wireless interface as the Sync interface.
Configuring High Availability on an interface with a PPP connection is not supported.
When defining a local cluster with the "Strict" Firewall mode enabled, a manual internal rule must be defined to allow connectivity between the cluster members on the sync interface.
When defining a locally managed cluster, the Virtual IP address of a clustered interface has to be in the same subnet as the real IP addresses of the cluster members.
In rare cases, during cluster creation or after upgrading a cluster, an "Error 00361" message is shown. This error may indicate a temporarily busy database. Go to the secondary cluster member, disconnect it from the cluster, and then reconnect it.
In locally managed small office appliances, after resetting cluster settings it is recommended to wait a few minutes before redefining the cluster to avoid failure.
The user cannot configure a locally managed cluster with SMP or an externally managed log server.
Following cpstop;cpstart of an HA cluster member that is standby or down, it can take a few minutes for the cpha state to come back up. During this time, the active member is up and running so there is no connectivity loss.
The SecureXL penalty box mechanism is not supported.
When multiple Internet connections are configured in High Availability mode, and primary connection failover occurs without the main connection going down/restarting, traffic will continue to be routed for the previous primary connection for more than the routing cache lifetime (20 seconds) if the QoS blade is configured.
Static routes and source based routing are fully supported, but service based routing does not work on all 1500 appliances.
Routing inbound traffic from a bridge slave to an internet connection which is not part of the same bridge interface is not supported.
The DMZ port does not exist on 1550 appliances.
It is not possible to configure a bridge if interfaces have not been assigned in the Local Networks WebUI page.
When trying to add a disabled LAN interface to a bridge, the operation fails with an irrelevant message about wireless.
Workaround: enable the LAN interface before adding it to the bridge.
When the WAN Internet connection is configured as PPPoE, an Anti-Spoofing warning appears in SmartView Tracker. You can safely ignore the warning.
Configuration of a bridge to the Internet (one leg on an external interface) with additional Internet connections (MISP configuration / Multiple ISPs) is not supported.
The CLISH command "show configuration" does not show dynamic routing configuration.
BGP MD5 is not supported.
Policy based routing rules are not enforced on POP3 traffic when the Anti-Virus or Anti-Spam blades are active and set to inspect POP3 traffic. Policy based routing rules are also not enforced on SMTP traffic when inspecting outgoing SMTP traffic is configured.
Command Line Interface (CLI)
Attempting to assign the pivot port of a switch to a bridge using the CLI fails, but does not display an error.
File related configuration (certificates, customized logo for portals) is not supported.
The SNX command line for Linux (a script that can be downloaded from the SNX portal using the "Download command line SNX for Linux" option) fails on Small Office appliances.
In SmartDashboard, the Application Control & URLF Rule Base does not support the "securityZone" type object. Beginning with the R80 Management version, such objects can be used in the unified Rule Base for rules that do not include any matching for applications and categories.
Using autocomplete in CLISH after the parameter application name in Application Control configuration takes several minutes to show all options.
Adding a CLI category name for Application Awareness/URL filtering or SSL inspection configuration results in "Failed to find the requested category-name" error when the name is more than one word.
Use the category ID instead of the application name.
In locally managed devices, it is not possible to configure Applications in policy base for incoming / VPN traffic.
When creating a Firewall or NAT rule in CLI, the source/destination value must be a network object and not just an IP address.
CLI does not support reordering Firewall and QoS rules.
In locally managed devices, configuring FQDN objects is not supported.
Usercheck client is not supported in either centrally or locally managed mode of appliances.
To search the security logs on the local web portal for a specific UserCheck incident ID, use this filter string "UserCheck Incident UID:" followed by the ID.
In Centrally Managed Small Office appliances, the UserCheck portal does not appear if the configuration for the main URL of the UserCheck portal under gateway settings is set to use the gateway's external IP address.
User / Identity Awareness
On locally managed appliances, only single DC is supported per AD server.
An AD Domain Controller used for authenticating users that is located in the external zone of a device using Hide-NAT is not supported.
Workaround: Install another Domain Controller in the internal zone of the device.
In centrally managed appliances, these user identification methods are not supported (even though they appear in SmartDashboard):
In locally managed appliances, when using Active Directory Queries, user and user group names are not supported in unicode.
Use of AD Query with NTLMv2 is not supported for Small Office appliances.
AD group and user names that include non-English characters such as the letter o or e with an accent (') are not supported.
Automatic update of LDAP group membership does not work.
The PDP gateway becomes aware of added/removed users in LDAP groups only after policy installation.
Access Roles are not enforced for some of the users.
AD Query does not update user groups locally when a change is made to them on the Active Directory Server.
Check Point Identity Agent is not supported together with Remote Access (RA). It is strongly recommended not to enable them simultaneously.
Site-to-Site VPN is not supported with layer 2 (bridge) connection types.
Configuring VPN site to site or VPN RA for CP Mobile with certificate-based authentication on a locally managed cluster is not supported.
Unnumbered VTIs can only be associated with external interfaces through the Internet connection definition. Other interface types are not supported.
When using numbered VTI, the traffic on Rx and Tx in vpnt interfaces is shown as zero.
In locally managed appliances, the parameter "vpn_force_nat_t" does not force NAT-T if the remote site is configured using a hostname.
The WebUI Home -> Security Dashboard page shows the VPN Remote Access blade as turned "ON" only if the gateway object in SmartDashboard is set with IPSec VPN and the gateway is part of the Remote Access community.
When the object is defined but not part of the Remote Access community, the WebUI Home > Security Dashboard page shows the VPN Remote Access blade as turned "OFF".
In locally managed appliances, VPN sites configured with the IKEv2 encryption method and "Default (Most compatible)" encryption settings only support peer sites configured with Diffie-Hellman group 2.
Workaround: Configure an encryption suite that matches the peer's configuration.
In locally managed appliances with a defined proxy, if a 3rd party external Trusted CA is used in a certificate, CRL validation does not work. Disable CRL validation for the CA or disable the proxy.
In locally managed appliances, a remote site can only initiate connections when it is configured with IKEv2 and uses a pre-shared secret.
Remote Access SecurID authentication is not supported in locally managed mode of appliances.
In locally managed mode, when submitting a certificate signing request that contains alternative subject names, the resulting certificate contains only the DN as the subject and not the alternative names.
When the gateway is behind NAT, the use of IKEv2 with a pre-shared secret in VPN site to site is not supported.
Workaround: Use a certificate.
When a VPN community includes dynamic IP addresses for remote sites (behind NAT or connection via hostname), only Diffie-Hellman group 2 is supported.
In centrally managed appliances, the VPN overview page in SmartDashboard does not show tunnels from small office appliances.
When a small office appliance is configured as the center of a VPN Star community, MEP configuration using IP Pool NAT is currently not supported.
When configuring a remote site using a certificate and aggressive mode in VPN site to site in locally managed appliances, a peer ID string in aggressive mode must be configured.
The combined use of IKEv2 and aggressive mode is not supported.
In centrally managed Small Office Appliances, VPN Traditional Mode is not supported.
When configuring the aggressive mode peer ID field for VPN remote sites in locally managed appliances, you can only enter alphanumeric characters and these special characters _-.@~!#%$
When configuring DHCP relay on centrally managed appliances, if the DHCP server is in a VPN peer's encryption domain, the implied rule "Accept Dynamic Address modules' outgoing Internet connections" must be disabled in SmartDashboard for the DHCP requests to be sent encrypted.
Workaround: Create manual rules that allow DHCP.
When using aggressive mode with user peer_id, the remote VPN peer has to be a mobile peer for authentication to succeed.
In locally managed appliances, when defining a remote site using a custom encryption suite with IKEv2 selected, selecting multiple Diffie-Hellman groups may cause issues.
Workaround: Choose the specific Diffie-Hellman group that the remote site uses.
When using Aggressive mode with peer ID in VPN site to site in locally managed appliances, the VPN Remote Access blade must be turned on (even if no users are defined with remote access privileges).
When the external interface is used as a bridge to local networks, VPN site to site traffic is not supported.
VPN aggressive mode and NAT-T are not supported.
Resolved in: Added support for NAT-T in Aggressive Mode for versions R77.20.75 and higher.
When you connect to the appliance with Remote Access VPN, the appliance only uses the default internal certificate.
RIM configuration is not supported in this firmware. RIM functionality is usually needed in the center gateways of a VPN star community. This image is primarily used in satellite gateways.
The "Route all traffic through gateway" option is not supported for SSL Network Extender clients.
In locally managed small office appliances, when a cluster failover happens, VPN Remote Access clients need to re-establish the connection. Also, a different certificate is seen when re-connecting.
Trusted links configuration for centrally managed Small Office appliances is the same as described in the VPN Administration Guide. Automatic topology is not supported. The gateway object must be configured with manual topology.
Locally managed appliances cannot establish a VPN connection to a remote site that consists of multiple centrally managed hub VPN gateways in a MEP configuration.
In locally managed gateways with a dynamic IP address: A site to site VPN configured with IKEv2 and a pre-shared key is supported only with Check Point peers and requires identifier settings.
When a VPN tunnel goes down, routes that use the associated VTI as a target (next hop) remain active. Therefore, you cannot use metric-based failover between routes to different VTIs.
The "New Certificate Request" feature that allows an external CA to sign the device's certificate does not include the defined Alternative Names in the request.
The Remote Access feature "Location Aware Connectivity" is not supported on locally managed SMB appliances.
Site to site directional VPN is not supported.
Admin access (WebUI+SSH) fails when connecting via VPN Remote Access using L2TP in SMB appliances.
Use Check Point Endpoint Security VPN instead.
When changing the configuration of an existing VPN Tunnel interface (VTI) from numbered to unnumbered or vice versa, routes which contain the VTI interface as a destination must be redefined.
2-Factor-Authentication using mobile access is not supported.
The Suspicious email outbreak engine in the Anti-Bot software blade is not supported.
The Anti-Virus engine supports these protocols only: HTTP, SMTP, and POP3. FTP traffic is not inspected by the Anti-Virus blade.
Connectivity issues with FTP traffic on centrally managed devices when Traditional Anti-Virus with IPS is activated.
These characters cannot be used in WebUI textual fields:
single quote - '
double quote - "
backslash - \
Toggling between Central and Local Management modes of the appliance is not supported when a cluster is configured. To change to Central Management mode, an administrator must first disable the local cluster.
RADIUS servers are deleted by clearing the contents of the fields in the Configure RADIUS servers window in the WebUI (VPN tab -> Authentication Servers page -> RADIUS servers link) since there is no direct Delete option.
Configuration of the serial port through Advanced Settings is not supported when an Internet connection is configured to an analog modem through the serial port.
When defining server objects, the "Force translated traffic to return to the gateway" is important for traffic originating from internal sources. However, currently, sources of all traffic to the server will be translated and hidden behind the gateway's IP address.
Host objects can be defined with up to 32 characters.
When a log in a locally managed appliance shows the "myown_obj" object, it in fact means "this appliance".
In locally managed appliances, in the Threat Prevention Exception page -> Malware Exceptions section, if the "Scope" field is not configured to "Any" it may result in the exception not being matched.
The Identity Awareness portal sometimes does not show correctly in a Chrome browser.
When more than one VAP is added to a local network switch or bridge, it cannot be unassigned.
Workaround: delete it and then recreate it.
After replacing the web portal certificate, login to the administration web portal fails with a "Connectivity error. Refresh page and retry" message due to the browser's certificate caching mechanism.
Workaround: refresh the page.
Attempting to configure the same specific feature through WebUI and CLI interfaces at the same time may cause settings to be overridden or subject to submission timing.
Changing the order of the SSL inspection exceptions in the WebUI does not show in the WebUI display even though the order is changed and this can be seen in CLI.
Workaround: To change the order, delete the exception and then add it in the new location.
Active devices do not support Hebrew object names.
SmartDashboard / SmartConsole
The VPN Advanced option to perform an organized shutdown of tunnels upon gateway restart is not supported.
Install policy fails on centrally managed appliances when a rule contains an action set to User authentication.
The "Monitoring" blade (Real Time Monitoring) is not supported.
In centrally managed appliances, in some instances a policy fetch success pop up message is shown before the Firewall or QoS policy is actually installed.
Installing Security policy is supported on up to 25 centrally managed appliances simultaneously. To install policy on a larger number of appliances, it is advised to do so in smaller batches.
When a DMZ interface is used as a Local Network interface, the "Get Topology" action shows the DMZ interface as network type "Internal" instead of "DMZ."
Manually change the network type to "DMZ."
Policy installation fails in a centrally managed environment with more than 255 interfaces (in total) whose "security zone" is not set to "none" (for example: internal, external, etc.).
Workaround: If there are no policy rules that use these security zones, change their configuration to "none" (in the Gateway properties -> Topology tab).
SmartProvisioning is not supported.
In centrally managed appliances, SmartView Monitor has limitations when working with inaccessible gateways (for example, gateways behind NAT). Since it requires connecting from the Security Management Server to the gateways, many of the monitoring capabilities are unavailable in this
Logging and Monitoring
In locally managed appliances, multiple logs from different blades' engines can be shown for a single event (specifically Anti-Bot, Anti-Virus, and Application Control).
In local management, in specific scenarios, a large number of requests and logs are created, each time an attempt is made to browse to a Web site.
Workaround: when you define a proxy on the browser, make sure to exclude the local IP address or the network of the appliance.
Use of non-English characters in AD server user names is not supported in local monitoring and reports on the Small Office Appliances.
On locally managed appliances, an external Security Log Server cannot be configured when High Availability is turned on (not supported).
Gaia Embedded appliances cannot send logs to more than one Security Management Server or Customer Log Server.
Security logs that are sent from the SMB Security Gateway to an external Check Point Log Server are sent with the gateway time instead of UTC. If the time on the Check Point Log Server is earlier than the log time, the log will not appear on the Log Server.
If the same administrator name is defined in both the local and RADIUS databases, the locally defined administrator permissions (read only, etc.) always take precedence over the permissions defined in the RADIUS server. We recommend you define unique administrator names for each database.
When you use a RADIUS server to define the device to authenticate administrators, the password defined in the RADIUS server for each administrator must comply with the allowed characters for a password on the device: a-zA-Z0-9!@#$%^&*()?-_=+:;.,/
SSL Network Extender
The SNX command line for Linux (a script that can be downloaded from the SNX portal using the "Download command line SNX for Linux" option) fails on Small Office appliances.
Procedures found in the "Gaia OS Best Practices" section of the Compliance blade are not supported in Small Office appliances.
If the Time Zone is set after the command that turns off the First Time Wizard in a preset or auto conf script, the initial service updates might not start automatically in the first 12 hours after installation. The service updates can still be initiated manually.
Best practice: the command that turns off the First Time Wizard should be the last command in a preset or auto conf script.
If a firmware upgrade procedure is interrupted, intentionally or due to error, online updates might fail.
Workaround: reboot the device.
In centrally managed appliances, the standby member does not bring down the wireless networks.
In wireless appliances, to use WEP you must use the first defined Network Password. It does not support multiple passwords.
In the local networks page in the local WebUI, the status of a wireless network for wireless appliances shows as UP even if the wireless radio is off.
Hotspot portal redirection does not work when you browse to HTTPS sites.
First, browse to an HTTP site, and you will be redirected to a Hotspot portal.
In locally managed appliances, H.323 is not supported in the hide NAT configuration.
Centrally managed SMB appliances can be configured to use the Delay Sensitivity and Differential Services marking features only under Express QoS mode. Configuration is done in the "Advanced" section of the QoS action configuration window, which is unique for Edge/SG80 appliances. Under Traditional QoS mode, only the Best Effort QoS class is supported; using other classes will disable the QoS policy.
In centrally managed appliances configured with QoS in Express mode, internal interfaces should not be configured for QoS as it may cause loss of connectivity. In R77.20.20, QoS works by default in accelerated mode. This decreases the chance of an interruption to internal traffic. Still, the common use case for QoS is to be activated on the external interfaces.
In connected centrally managed small office appliances, when a push policy of QoS and Firewall is attempted on a gateway that has been cleanly installed, the policy installation might show a failure icon on the QoS blade without additional error messages even though the push policy succeeded. If a Firewall policy push was attempted before the QoS policy installation it will also succeed.
When configuring QoS rules in SmartDashboard, the Bulk option in Delay Sensitivity is not supported.
In addition, when the Delay Sensitivity feature is configured, limit and guarantee values for the same rule are ignored. All rules that are configured with Delay Sensitivity = Interactive will share a joint limit. This limit is by default 20 percent of the interface's bandwidth. This value can be changed through the GuiDBedit Tool (firewall_properties -> floodgate_preferences -> llq_max_percent). Note that setting this value to more than 20 percent can lead to starvation of all other traffic.