Support Center > Search Results > SecureKnowledge Details
Check Point R80.20 for 1500, 1600, and 1800 Appliances Features and Known Limitations Technical Level

This article lists all known limitations for Check Point R80.20 for 1500 Appliances.  

This is a live document that may be updated without special notice. We recommend that you register for our weekly updates in order to stay up to date. To register, go to UserCenter > ASSETS / INFO > My Subscriptions.

This article contains two sections:

  • Supported and Unsupported Features
  • Known Limitations
Important Note: Embedded Gaia software inherits its code base from the R80.20 GA version of enterprise appliances. Therefore, although not specifically mentioned, the R80.20 SMB Gateways inherit all maintrain limitations (see sk122486).

Important Note: All Known Limitations with ID 010XXXX (not SMB-xxx) originate in R77.20 versions.

Important Note: This may not be the latest firmware release. To see the latest firmware release, refer to sk97766.

Supported and Unsupported Features

Blade / Feature Locally
Unified Access
Access Rules  Yes  Yes  
Application Control Blade Yes Yes  
URL Filtering Blade Yes Yes  
Content Awareness No No  
QoS Yes Yes  
Data Loss Prevention (DLP) Blade No No  
Geo Protection Yes Yes  
Network Address Translation (NAT) Yes Yes  
HTTP/HTTPS proxy No No  
UserCheck Yes Yes UserCheck client is not supported
Hotspot portal Yes Yes  
Rule Hit Count No No  
Domain Object Yes Yes
  • Locally Managed: Available since R80.20.10 
  • Centrally Managed: Available since R80.20 GA
Time Objects Yes Yes  
Updatable Objects Partial Yes
  • Locally Managed: Available since R80.20.10 (Geo objects only)
  • Centrally Managed: Available since R80.20.05
Suspicious Activity Monitoring (SAM) Rules No No  
Rulebase Layers No Yes  
Security Zones Yes Yes Security Zones are not supported in the Threat Prevention policy. 
SSL Inspection
Inbound HTTPS Inspection No No 
Probing No No  
Categorization enabled with full SSL inspection  Yes  Yes  
Identity Awareness
AD Query Yes Yes  
RADIUS Accounting No No  
Identity Collector No No  
VPN and Remote Access
IPSec VPN Blade Yes Yes  
Mobile Access Blade Partial Partial
  • Remote access clients are supported (Endpoint, SNX).
  • Mobile Access Web Portal is not supported.
VPN VTI Yes Yes  
Traditional VPN Mode No No  
Secure Configuration Verification (SCV) and Desktop policy No No  
Multiple Entry Points (MEP)  No Yes   
VPN Link Selection Yes Yes Refer to sk115868.
VPN Service based link selection No Yes
Remote access client multi factor authentication Yes No SMS as second factor authentication.  
NAT-T support for Site-to-Site VPN Yes Yes  
VPN multicore performance with CoreXL Yes Yes  
Threat Prevention
IPS Blade Yes Yes  
Anti-Bot Blade Yes Yes  
Anti-Virus Blade Yes Yes  
Traditional Anti-Virus Blade Yes  Yes   
Threat Emulation Blade  Yes Yes
Threat Extraction Blade   No No  Refer to sk101553
Anti-Spam and Email Security Blade  Yes Yes   
Mail Transfer Agent (MTA) support for Threat Emulation No  No   
IPS Packet Capture  No  No  
Anti-Virus archive scanning  No  No  
Threat Emulation archive scanning  No No   
Threat Prevention Indicators  No  No  
Management and Monitoring
Monitoring Blade No No Other monitoring solutions are available
Compliance Blade No No  
SNMP Yes Yes  
SmartUpdate No Yes  
SmartProvisioning / SmartLSM No  Yes  Available starting in R80.40 Security Management Server release. 
Security Management Cloud No No
CPView No No  
SecureXL Yes Yes
Core XL Yes Yes
Span Port Yes Yes
Monitor Mode Yes Yes  Refer to sk112572.
Netflow Yes Yes Available since R80.20.10
ClusterXL Yes Yes  
VRRP No No  
Load Sharing Cluster mode No No Refer to sk115868
3rd party cluster mode No No  
Connectivity upgrade No No  
ISP Redundancy Yes Yes  
Dynamic Routing Yes Yes  
Policy Based Routing (PBR) Partial Partial Support for source routing.
IPv6 No No
IP Helper No No
DHCP Client Yes Yes  For external interfaces
DHCP Relay Yes Yes  For internal interfaces
DHCP Server Yes Yes  For internal interfaces
Jumbo Frames No No
Bond / Link aggregated interface Yes Yes  
Alias / Secondary IP address Yes Yes  
NTP Client Yes Yes  
NTP Server No No  
Local management web Portal Yes Yes  
IPv6 packet inspection No No   
"All-IN-One" license Yes Yes  Central license is still not supported.
Evaluation license Yes Yes
MAC filtering on WiFi Yes Yes  
MAC filtering on LAN No No
ARP spoofing No No   
802.1x based authentication No No   

Known Limitations

The following limitations are known in R80.20 for SMB Appliances.

All previous limitations are relevant to the following version unless stated as resolved.

Enter the string to filter the below table:

ID Description  Found In Resolved In
01668937 Configuring appliances with a DNS server that does not resolve public domain names, may cause issues in various features, including timeouts during SIC establishment, log page not being responsive, and more. Make sure to configure DNS servers that can be reached from the appliance. R77.20 -
01779796, 01782611, 01780458, 01782994, 01781560, 01749108, 01749088 Long connections with many HTTP sessions, that transfer files to the server and back, cause a high memory consumption.  R77.20 -
SMB-10301 IPv6 packet inspection is not supported and therefore IPv6 traffic will be dropped.

To allow IPv6 traffic::

1. Go to Device > Advanced Settings > Stateful Inspection - Allow IPv6 packets.
2. Set the parameter to "true".
R80.20GA -
 Embedded Gaia 
SMB-10543 Embedded Gaia appliances conform to the Maintrain bridge (L2) limitations listed in sk101371. R80.20GA -
SMB-12790 1570, 1570R and 1590 appliances do not support the use of SFP ports for installation using the Uboot menu. R80.20GA -
SMB-12119 A USB storage device used for clean installation of a new image on the 1500 series must be formatted with FAT32 file-system.  R80.20.05 -
- 'Gaia OS' Best Practices are not supported for 1550 / 1590 appliances.
Refer to sk108416.
R80.20GA -
SMB-10086 Certain CLISH commands allow configuration of a DMZ interface even though there is no DMZ port on the appliance (relevant to v0 only).  R80.20GA -
SMB-10169 Protected devices with names in a non-English language are not displayed properly in the WebUI or on a mobile device due to database restrictions. R80.20GA -
SMB-10266 Audit Logs will not be displayed for the following operations:
  • Operations that are done before the First Time Configuration Wizard has finished.
  • Operations that are done from SmartProvisioning.
  • Dynamic routing, fw, cpwd_admin, upgrade and restore CLI commands.
  • For some operations, the audit log will be "admin executed <command_name> command". The log will be written even if the command failed.
R80.20GA -
 Threat Prevention 
SMB-12009 In a rare scenario, malicious emails detected by IMAP inspection are not deleted from the client. Note: The malicious content is NOT downloaded. R80.20.02 -
SMB-11307 The Threat Emulation detect log does not display the "Interface" and "Resource" fields.

Workaround: "Interface" can be concluded from the Source IP. Most of the information about the "Resource" can be seen in the "Destination" and "File name" fields..
R80.20.01 -
SMB-9351 Threat emulation is not supported with remote emulation appliances. R80.20GA -
SMB-13721 SNORT rules are not supported. R80.20GA -
SMB-9808 FTP traffic is not inspected by the Anti-Virus blade. R80.20GA -
SMB-10233 IMAPS is not supported in the Threat Prevention Software Blades. R80.20GA R80.20.02
SMB-9988 The "Import IPS protections" option fails if done via the WebUI. Offline updates can be installed via CLI. R80.20GA -
SMB-12965 In locally managed appliances: When the Anti-Spam blade is on, SMTP traffic from external mail clients to mail servers behind the gateway is sent with the gateway IP as the source IP instead of the IP of the mail client, even though static NAT is defined for the server. For the workaround, refer to sk168061. R80.20GA -
SMB-10433 In Centrally Managed Gateways, you can not fetch the IPS package from Management.


To install the package:
  1. Enter expert mode. 
  2. Copy $FWDIR/state/local/AMW/local.sd_updates to /storage partition. 
  3. Run: online_update_cmd -b IPS -o offlineUpdate -f storage/local.sd_updates
R80.20GA -
Firmware and Configuration
01441874 Gradual deployments are not supported. R80.20GA -
01536437 When configuring the First Time Configuration Wizard from the WAN interface you cannot set the SIC One-Time-Password immediately after the FTW. To set it you need to refresh your web browser first.  R80.20GA -
SMB-12254 1570R WAN and DMZ ports support copper RJ45 and fiber interfaces. Each port can only use one interface. If both the copper and fiber of the same port are plugged in, the port may experience stability issues. R80.20GA -
01478091 The SecureXL penalty box mechanism is not supported.  R80.20GA -
SMB-11948 In locally managed mode, a bond cannot be part of a cluster interface (same as with a switch and bridge).  R80.20.05 -
01125000 When configuring a cluster and setting DHCP on one of the cluster interfaces, a DHCP server might include the other cluster member's IP address in its available IP addresses range. Therefore, the DHCP server might serve this IP to another computer in the same network which will cause connectivity issues.

Workaround: Manually exclude the other cluster member's IP address from the range.
R80.20GA -
01124242 Before configuring a local cluster, make sure that the sync interface is unassigned by checking the Device -> Local Network page in the WebUI. R80.20GA -
01502833 Cluster mode configuration of the gateway is not supported in CLI.  R80.20GA -
01119896 When configuring a cluster, you cannot use a wireless interface as the Sync interface. R80.20GA -
01117967 Configuring High Availability on an interface with a PPP connection is not supported. R80.20GA -
01216507 When defining a local cluster with the "Strict" Firewall mode enabled, a manual internal rule must be defined to allow connectivity between the cluster members on the sync interface.  R80.20GA -
01615874 When defining a locally managed cluster, the Virtual IP address of a clustered interface has to be in the same subnet as the real IP addresses of the cluster members.  R80.20GA -
01618299 In rare cases, during cluster creation or after upgrading a cluster, an "Error 00361" message is shown. This error may indicate a temporarily busy database.

Workaround: Go to the secondary cluster member, disconnect it from the cluster, and then reconnect it.
R80.20GA -
01622228 In locally managed small office appliances, after resetting cluster settings it is recommended to wait a few minutes before redefining the cluster to avoid failure.  R80.20GA -
01615544 The user cannot configure a locally managed cluster with SMP or an externally managed log server.  R80.20GA  R80.20.10
01585228 Following cpstop;cpstart of an HA cluster member that is standby or down, it can take a few minutes for the cpha state to come back up. During this time, the active member is up and running so there is no connectivity loss.  R80.20GA -
SMB-9837 The "Force Member Down" button does not work in a local cluster configuration when the Internet connection interface is set to "Monitored" and the cluster members do not have similar Internet connection names.

Workaround: Rename the Internet connections so that they are the same for both cluster members.
R77.20 -
- Configuring Switch on network interfaces is not supported in Cluster High Availability mode. Configuring bridge on network interfaces is supported in Cluster High Availability in centrally managed mode only. R77.20 -
SMB-12090 In the Local Network page, the MAC address that appears next to bridge member interfaces shows the bridge MAC address instead of the physical interface MAC address.  R80.20.05 -
SMB-11450 Connection Monitoring for all internet connections is disabled when a bridge is configured.   R80.20.05 -
SMB-11891 The LAN1 port cannot be configured as part of a Link Aggregation (Bond) interface.  R80.20.05 -
SMB-13639 Monitor mode can only be configured for LAN1, LAN2, LAN5, LAN6, and LAN7. R80.20GA -
SMB-11641 Static routes and source based routing are fully supported, but service based routing does not work on all 1500 appliances.  R80.20GA -
SMB-11473 Routing inbound traffic from a bridge slave to an internet connection which is not part of the same bridge interface is not supported. R80.20GA R80.20.10
SMB-10135 DMZ port does not exist on 1550 appliances R80.20GA -
01662062 It is not possible to configure a bridge if interfaces have not been assigned in the Local Networks WebUI page.  R80.20GA -
01678009 When trying to add a disabled LAN interface to a bridge, the operation fails with an irrelevant message about wireless.

Workaround: enable the LAN interface before adding it to the bridge. 
R80.20GA -
01664588, 01803277 When the WAN Internet connection is configured as PPPoE, an Anti-Spoofing warning appears in SmartView Tracker. You can safely ignore the warning.  R80.20GA -
02340232 Configuration of a bridge to the Internet (one leg on an external interface) with additional Internet connections (MISP configuration / Multiple ISPs) is not supported.  R80.20GA -
01663019 Bridge interfaces cannot be disabled.  R77.20 -
SMB-13068 In rare conditions, when you enable DHCP or Relay for the bridged interface between LAN and WiFi, this message appears:
"Can not add more DHCP scopes for that network." This message can be safely ignored.
R77.20 -
When multiple Internet connections are configured in High Availability mode, and primary connection failover occurs without the main connection going down/restarting, traffic will continue to be routed for the previous primary connection for more than the routing cache lifetime (20 seconds) if the QoS blade is configured. R77.20 -
SMB-12567 Asymmetric-routing is not supported for SNMP traffic. R77.20 -
Dynamic Routing
01475633 The CLISH command "show configuration" does not show dynamic routing configuration. R80.20GA -
01966190 BGP MD5 is not supported. R80.20GA -
01432740 Policy based routing rules are not enforced on POP3 traffic when the Anti-Virus or Anti-Spam blades are active and set to inspect POP3 traffic. Policy based routing rules are also not enforced on SMTP traffic when inspecting outgoing SMTP traffic is configured.  R80.20GA -
SMB-13078 Connectivity that relies on OSPF routes is lost in a ClusterXL environment with OSPF configured when a cluster failover and fallback events occur. R80.20GA -
SMB-12375 Attempting to assign the pivot port of a switch to a bridge using the CLI fails, but does not display an error. R80.20GA -
01502857  File related configuration (certificates, customized logo for portals) is not supported.  R80.20GA -
HTTPS Inspection
SMB-13344 IMAP/POP3 with STARTTLS is never inspected, even when the user selects IMAP/POP3 or IMAPS/POP3S inspection. R80.20GA -
SMB-10104 "Import IPS protections" option fails if done via the WebUI. Offline updates can be installed via CLI. R80.20GA -
01578807, 01627049, 01629010, 01571753, 01634746, 01600189, 01654753 The IPS protection "Non compliant HTTP" drops a valid HTTP reply containing an empty zip file.  R80.20GA -
01530780 Using autocomplete in CLISH after the parameter protection-name in IPS configuration takes several minutes to show all options. R80.20GA -
SMB-12874 On a locally managed SMB appliance, you can configure exceptions for the IPS protections listed below even though they do not support Threat Prevention exceptions. Note - The protections are still enforced.
  • Ping of Death
  • SYN Attack
  • Sequence Verifier
  • Teardrop
R80.20GA -
Application Control
02398227 The Signature Tool for Custom Application Control and URL Filtering Applications is not supported for locally managed Small Office appliances. R80.20GA -
02446116 In SmartDashboard, the Application Control & URLF Rule Base does not support the "securityZone" type object. Beginning with the R80 Management version, such objects can be used in the unified Rule Base for rules that do not include any matching for applications and categories.  R80.20GA -
01453249 Using autocomplete in CLISH after the parameter application name in Application Control configuration takes several minutes to show all options. R80.20GA -
- In locally managed devices, it is not possible to configure Applications in policy base for incoming / VPN traffic. R80.20GA -
SMB-14610 Application Control/URL Filtering during Remote access VPN is not supported.  R80.20GA See enhancement in R80.20.25
SMB-2558 Adding a CLI category name for Application Awareness/URL filtering or SSL inspection configuration results in "Failed to find the requested category-name" error when the name is more than one word.
  • Use the category ID instead of the application name.
R77.20 -
Access Policy
SMB-12869 Use of a "VPN Remote Access" object in the Access Policy is not supported on locally managed R80 appliances.

Workaround: Create a network object with the office mode address and use it in the access rule.
R80.20GA -
SMB-10398 FQDN objects are only supported in the destination column (not in the source). R80.20GA -
SMB-13645 Access policy rules with Updatable Objects are not enforced correctly on SmartLSM SMB Security Gateways. R80.20GA -
01467515 When creating a Firewall or NAT rule in CLI, the source/destination value must be a network object and not just an IP address. R80.20GA -
01538860 CLI does not support reordering Firewall and QoS rules. R80.20GA -
- In locally managed devices, configuring FQDN objects is not supported. R80.20GA R80.20.10
01488784 Usercheck client is not supported in either centrally or locally managed mode of appliances. R80.20GA -
01571705 To search the security logs on the local web portal for a specific UserCheck incident ID, use this filter string "UserCheck Incident UID:" followed by the ID.  R80.20GA -
02443426 In Centrally Managed Small Office appliances, the UserCheck portal does not appear if the configuration for the main URL of the UserCheck portal under gateway settings is set to use the gateway's external IP address.  R80.20GA -
User / Identity Awareness
SMB-12189 Traffic is blocked if the User Awareness blade is turned off and Browser Based Authentication is turned on.   R80.20.05 -
SMB-12516 LDAP connection is only supported on port 389. R80.20GA -
  • Identity Awareness supports authentication of AD users, user groups, organization units. In addition, you can define LDAP groups with more advanced filtering.
  • Identity Awareness does not support authentication of Primary Groups of user and computer accounts. By default, the Primary Groups are 'Domain Users' and 'Domain Computers.'
R80.20GA -
01193839 On locally managed appliances, only single DC is supported per AD server.  R80.20GA -
01116406 An AD Domain Controller used for authenticating users that is located in the external zone of a device using Hide-NAT is not supported.

Workaround: Install another Domain Controller in the internal zone of the device. 
R80.20GA -
01481995 In centrally managed appliances, these user identifications methods are not supported (even though they appear in SmartDashboard):
  • RADIUS accounting
  • Terminal servers
R80.20GA -
01508334 In locally managed appliances, when using Active Directory Queries, user and user group names are not supported in unicode.  R80.20GA -
02060386 Use of AD Query with NTLMv2 is not supported for Small Office appliances. R80.20GA -
01619298 AD group and user names that include non-English characters such as the letter o or e with an accent (') are not supported. R80.20GA -
  • Automatic update of LDAP group membership does not work.
  • The PDP gateway becomes aware of added/removed users in LDAP groups only after policy installation.
  • Access Roles are not enforced for some of the users.
  • AD Query does not update user groups locally when a change is made to them on the Active Directory Server.
R77.20 -
SMB-6786 Check Point Identity Agent is not supported together with Remote Access (RA). It is highly not recommended to enable them simultaneously. R77.20 -
02103715 If the same administrator name is defined in both the local and RADIUS databases, the locally defined administrator permissions (read only, etc.) always take precedence over the permissions defined in the RADIUS server. We recommend you define unique administrator names for each database.
R80.20GA -
02444244 When you use a RADIUS server to define the device to authenticate administrators, the password defined in the RADIUS server for each administrator must comply with the allowed characters for a password on the device: a-zA-Z0-9!@#$%^&*()?-_=+:;.,/  R80.20GA -
VPN and Remote Access
SMB-12802 L2TP does not work when two-factor authentication is turned on. R80.20.10 -
SMB-12802 VPN SNX client is not supported when Two-Factor Authentication is turned on. R80.20.10 -
SMB-14488 Encryption domain per VPN community is not supported on these SMB appliances: 1100, 1400 and 1500 series
Encryption domain per VPN community policy is not supported if an SMB appliance running pre-R80 management is one of the policy targets.
SMB-12173 VPN site to site is not supported when an Alias IP is assigned to one of the Gateway interfaces. R80.20.05 -
SMB-12055 In locally managed 1500 appliances, creating a manual rule using "VPN Remote Access" objects is not supported.  R80.20.05 -
SMB-12066 Alias IP cannot be configured on LAN ports assigned to internet connections.  R80.20.05 -
SMB-13597 When using smartLSM with ISP redundancy in which failover occurs, VPN does not failover to the secondary interface. R80.20GA -
SMB-13552 When a site is defined with a host name, the “Test” button in the Web portal which initiates a tunnel test is grayed-out. This is by design, as the "Test" operation is based on a VPN tunnel test which is not supported when peer is configured with hostname or dynamic IP. R80.20GA -
SMB-10109 When changing the configuration of an existing VPN Tunnel interface (VTI) from numbered to unnumbered or vice versa, routes which contain the VTI interface as a destination must be redefined. R80.20GA -
SMB-9846 When changing the configuration of an existing VPN Tunnel interface (VTI) from numbered to unnumbered or vice versa, routes which contain the VTI interface as a destination must be redefined. R80.20GA -
SMB-10127  In the Logs & Monitoring tab, the "Decrypt" action does not appear on some configurations (for example, PPPoE) but the functionality still works. R80.20GA -
SMB-10115 In locally managed mode: When configuring a VPN tunnel with PSK/certificate authentication methods in IKEv2 mode, and a peer in the community is configured with dynamic IP, the tunnel fails to establish.

  1. Go to the VPN tab > Site > Encryption settings.
  2. Select a specific encryption method instead of the default suites.
R80.20GA -
SMB-10431 During a cluster failover, connected Remote Access users may be disconnected. R80.20GA -
SMB-12842 Route base VPN (VTI) is not supported with policy based routing. R80.20GA -
SMB-12591 You cannot create a firewall rule where the source/destination is "VPN Remote Access." R80.20GA -
- Site-to-Site VPN is not supported with layer 2 (bridge) connection types R80.20GA -
01118273 Configuring VPN site to site or VPN RA for CP Mobile with certificate-based authentication on a locally managed cluster is not supported.  R80.20GA -
01613042 Unnumbered VTIs can only be associated with external interfaces through the Internet connection definition. Other interface types are not supported  R80.20GA -
01629314 When using numbered VTI, the traffic on Rx and Tx in vpnt interfaces is shown as z R80.20GA -
01620625 In locally managed appliances, the parameter "vpn_force_nat_t" does not force NAT-T if the remote site is configured using a hostname  R80.20GA --
01107581 The WebUI Home -> Security Dashboard page shows the VPN Remote Access blade as turned "ON" only if the Gateway object in SmartDashboard is set with IPSec VPN and the gateway is part of the Remote Access community.

When the object is defined but not part of the Remote Access community, the WebUI Home > Security Dashboard page shows the VPN Remote Access blade as turned "OFF". 
R80.20GA -
01512007 In locally managed appliances, VPN sites configured with the IKEv2 encryption method and "Default (Most compatible)" encryption settings only support peer sites configured with Diffie-Helman group 2.

Workaround: Configure an encryption suite that matches the peer's configuration. 
R80.20GA -
01598717 In locally managed appliances with a defined proxy, if a 3rd party external Trusted CA is used in a certificate, CRL validation does not work. Disable CRL validation for the CA or disable the proxy.  R80.20GA -
01606549 In locally managed appliances, a remote site can only initiate connections when it is configured with IKEv2 and uses a pre-shared secret.  R80.20GA -
01603584 Remote Access SecurID authentication is not supported in locally managed mode of appliances.  R80.20GA -
01599245 In locally managed mode, when submitting a certificate signing request that contains alternative subject names, the resulting certificate contains only the DN as the subject and not the alternative names.  R80.20GA -
01663253 When the Gateway is behind NAT, the use of IKEv2 with a pre-shared secret in VPN site to site is not supported.

Workaround: Use a certificate.
R80.20GA -
01625041 When a VPN community includes dynamic IP addresses for remote sites (behind NAT or connection via hostname), only Diffie-Helman group 2 is supported.  R80.20GA -
01624917 In centrally managed appliances, the VPN overview page in SmartDashboard does not show tunnels from small office appliances.  R80.20GA -
01619432 When a small office appliance is configured as the center of a VPN Star community, MEP configuration using IP Pool NAT is currently not supported.  R80.20GA -
01663225 When configuring a remote site using a certificate and aggressive mode in VPN site to site in locally managed appliances, a peer ID string in aggressive mode must be configured.  R80.20GA -
01663202 The combined use of IKEv2 and aggressive mode is not supported. R80.20GA -
01654907 In centrally managed Small Office Appliances, VPN Traditional Mode is not supported.  R80.20GA -
01664759 When configuring the aggressive mode peer ID field for VPN remote sites in locally managed appliances, you can only enter alphanumeric characters and these special characters _-.@~!#%$  R80.20GA -
01658035 When configuring DHCP relay on centrally managed appliances, if the DHCP server is in a VPN peer's encryption domain, the implied rule "Accept Dynamic Address modules' outgoing Internet connections" must be disabled in SmartDashboard for the DHCP requests to be sent encrypted.

Workaround: Create manual rules that allow DHCP.
R80.20GA -
01675202 When using aggressive mode with user peer_id, the remote VPN peer has to be a mobile peer for authentication to succeed.  R80.20GA -
01637449 In locally managed appliances, when defining a remote site using a custom encryption suite and IKEv2 is selected, multiple selection of Diffie-Helman groups may cause issues.

Workaround: Choose the specific Diffie-Helman group that the remote site uses. 
R80.20GA -
01663162 When using Aggressive mode with peer ID in VPN site to site in locally managed appliances, the VPN Remote Access bladed must be turned on (even if no users are defined with remote access privileges).  R80.20GA -
01679057 When the external interface is used as a bridge to local networks, VPN site to site traffic is not supported.  R80.20GA -
01690621 The combination of VPN aggressive mode and NAT-T is not supported. R80.20GA R77.20.75 and higher
01717741 When you connect to the appliance with Remote Access VPN, the appliance only uses the default internal certificate.  R80.20GA -
01922567 RIM configuration is not supported in this firmware. RIM functionality is usually needed in the center Gateways of a VPN star community. This image is primarily used in satellite Gateways. R80.20GA -
02115796 The "Route all traffic through gateway" option is not supported for SSL Network Extender clients.  R80.20GA -
01260760 In locally managed small office appliances, when a cluster failover happens, VPN Remote Access clients need to re-establish the connection. Also, a different certificate is seen when re-connecting.  R80.20GA -
02066383 Admin access (WebUI+SSH) fails when connecting via VPN Remote Access using L2TP in SMB appliances.

Use Check Point Endpoint Security VPN instead. 
R80.20GA -
- 2-Factor-Authentication using mobile access is not supported. R80.20GA -
SMB-14125 Encryption domain per VPN community is not supported on SMB devices (1100, 1400 and the 1500 series).
Encryption domain per VPN community policy is not supported if an SMB device with pre-R80 firmware is one of the policy targets
R77.2- -
SMB-12201 Site to site directional VPN is not supported. R77.20 -
SMB-11978 The Remote Access feature "Location Aware Connectivity" is not supported on locally managed SMB appliances. R77.20 -
SMB-9711  Locally managed appliances do not support subordinate certificates. Resolved in R77.20.80 for *.P12 files only. For .crt files, refer to sk157413. R77.20 -
SMB-9710 MEP is not supported in Remote Access VPN. R77.20 -
SMB-2689 The "New Certificate Request" feature that allows an external CA to sign the device's certificate does not include the defined Alternative Names in the request.  R77.20 -
SMB-2668 When a VPN tunnel goes down, routes that use the associated VTI as a target (next hop) remain active. Therefore, you cannot use metric-based failover between routes to different VTIs.  R77.20 -
SMB-3002 In locally managed Gateways with a dynamic IP address: A site to site VPN configured with IKEv2 and a pre-shared key is supported only with Check Point peers and requires identifier settings.  R77.20 -
SMB-1895 Locally managed appliances cannot establish a VPN connection to a remote site that consists of multiple centrally managed hub VPN gateways in a MEP configuration. R77.20 -
SMB-1149 Trusted links configuration for centrally managed Small Office appliances is the same as described in the VPN Administration Guide. Automatic topology is not supported. The Gateway object must be configured with manual topology. R77.20 -
SMB-12366 VoIP rule does not support a custom-service based on the SIP_UDP service, or a service group that contains this custom-service.  R80.20.05 -
SMB-10136 In locally managed appliances, H.323 is not supported in the hide NAT configuration. R80.20GA -
01448274 The Suspicious email outbreak engine in the Anti-Bot software blade is not supported. R80.20GA -
SMB-9941 The Anti-Virus engine supports these protocols only: HTTP, SMTP, and POP3. FTP traffic is not inspected by the Anti-Virus blade. R80.20GA -
SMB-14858 In 1500, 1600 and 1800 appliances: FTP protocol is not supported as an Anti-Virus scanned protocol. -
02282436 Connectivity issues with FTP traffic on centrally managed devices when Traditional Anti-Virus with IPS is activated. R80.20GA -
SMB-12362 MD5-based exceptions in Threat Prevention do not work on some of the variations of the Eicar test file when it is transferred over non-HTTP protocols (FTP, POP3, IMAP, SMTP). R77.20 -
SmartDashboard / SmartConsole
01508830 The VPN Advanced option to perform an organized shutdown of tunnels upon gateway restart is not supported. R80.20GA -
01537760 Install policy fails on centrally managed appliances when a rule contains an action set to User authentication. R80.20GA -
01563471 The "Monitoring" blade (Real Time Monitoring) is not supported. R80.20GA -
01585541 In centrally managed appliances, in some instances a policy fetch success pop up message is shown before the Firewall or QoS policy is actually installed.  R80.20GA -
02337281 Installing Security policy is supported to up to 25 centrally managed appliances simultaneously. For installing policy on a larger number of appliances it’s advised to do in smaller batches.  R80.20GA -
SMB-3241 When a DMZ interface is used as a Local Network interface, the "Get Topology" action shows the DMZ interface as network type "Internal" instead of "DMZ."

Workaround: Manually change the network type to "DMZ." 
R77.20 -
SMB-5608 Policy installation fails on a centrally manged environment with more than 255 interfaces (in total) whose "security zone" is not set to "none" (ex: internal,external, etc.).

Workaround: If there are no policy rules that use these security zones, change their configuration to "none" (in the Gateway properties -> Topology tab). 
R77.20 -
- SmartProvisioning is not supported. R80.20GA R80.20.02
SMB-1383 In Small Office appliances, Identity Sharing is not supported when managed through the SmartProvisioning LSM profile.  R77.20 -
SmartView Monitor
01575868 In centrally managed appliances, SmartView Monitor has limitations when working with inaccessible Gateways (for example, Gateways behind NAT). Since it requires connecting from the Security Management Server to the gateways, many of the monitoring capabilities are unavailable.  R80.20GA -
Logging and Monitoring
SMB-13355 In locally managed appliances: Logs might be seen in the first few minutes after a policy change for the default outgoing rule even though the rule is configured not to generate logs.

Workaround: Turn on the connection persistence flag in Advanced Settings (this keeps established connections when installing a new policy).
R80.20GA -
01628654  In locally managed appliances, multiple logs from different blades' engines can be shown for a single event (specifically Anti-Bot, Anti-Virus, and Application Control). R80.20GA -
01595069 In local management, in specific scenarios, a large number of requests and logs are created, each time an attempt is made to browse to a Web site.

Workaround: when you define a proxy on the browser, make sure to exclude the local IP address or the network of the appliance. 
R80.20GA -
02385779 Use of non-English characters in AD server user names is not supported in local monitoring and reports on the Small Office Appliances. R80.20GA -
- External Security Log Server cannot be configured when High Availability is turned on (not supported) on locally managed appliances R80.20GA -
- Gaia Embedded appliances cannot send logs to more than one Security Management Server or Customer Log Server. R80.20GA -
SMP-2018 Security logs that are sent from the SMB Security Gateway to an external Check Point Log Server are sent with the gateway time instead of UTC. If the time on the Check Point Log Server is earlier than the log time the log will not appear on the Log Server. R77.20 -
SSL Network Extender
01634523 The SNX command line for Linux (script that can be download from the SNX portal using the "Download command line SNX for Linux") fails on Small Office appliances. R80.20GA -
SMB-113 Procedures found in the "Gaia OS Best Practices" section of the Compliance blade are not supported in Small Office appliances. R77.20 -
Online Updates
SMB-883 If the Time Zone is set after the command that turns off the First Time Wizard in a preset or auto conf script, the initial service updates might not start automatically in the first 12 hours after installation. The service updates can still be initiated manually.

Best practice: the command that turns off the First Time Wizard should be the last command in a preset or auto conf script. 
R77.20 -
SMB-2914 If a firmware upgrade procedure is interrupted, intentionally or due to error, online updates might fail.

Workaround: reboot the device. 
R77.20 -
SMB-13685 After you change the SMP firmware upgrade topic from immediate upgrade to scheduled upgrade, the Security Gateway is upgraded with the new firmware (if the defined firmware is newer) immediately.

  1. Change the firmware upgrade topic from immediate upgrade to scheduled upgrade.
  2. Push policy to the Security Gateways.
  3. Update the firmware topic on the SMP with the version to be installed.
SMB-13533 Changing the VAP configuration (enable, disable, create, clone) causes all networks on the same wireless radio (2.4GHz or 5GHz) to stop working for a short period of time. R80.20GA -
01667462 In wireless appliances, to use WEP you must use the first defined Network Password. It does not support multiple passwords. R80.20GA -
01679176 In the local networks page in the local WebUI, the status of a wireless network for wireless appliances shows as UP even if the wireless radio is off.  R80.20GA -
SMB-2286 In centrally managed appliances, the standby member does not bring down the wireless networks. R77.20 -
Hotspot Portal
SMB-3188 Hotspot portal redirection does not work when you browse to HTTPS sites.
  • First, browse to an HTTP site, and you will be redirected to a Hotspot portal.
R77.20 -
01593577 In centrally managed appliances configured with QoS in Express mode, internal interfaces should not be configured for QoS as it may cause loss of connectivity.

In R77.20.20, QoS works by default in accelerated mode. This decreases the chance of an interruption to internal traffic. Still, the common use-case for QoS is to be activated on the external interfaces.
R80.20GA -
01659155 In connected centrally managed small office appliances, when a push policy of QoS and Firewall is attempted on a Gateway that has been cleanly installed, the policy installation might show a failure icon on the QoS blade without additional error messages even though the push policy succeeded. If a Firewall policy push was attempted before the QoS policy installation it will also succeed. R80.20GA -
01073326 When configuring QoS rules in SmartDashboard, the Bulk option in Delay Sensitivity is not supported.

In addition, when the Delay Sensitivity feature is configured, limit and guarantee values for the same rule are ignored. All rules that are configured with Delay Sensitivity = Interactive will share a joint limit. This limit is by default 20 percent of the interfaces bandwidth.
This value can be changed through GuiDBedit Tool (firewall_properties -> floodgate_preferences -> llq_max_percent).
Note that setting this value to more than 20 percent can lead to starvation of all other traffic.
R80.20GA -
- Centrally managed SMB appliance can be configured to use Delay Sensitivity and Differential Services marking features only under Express QoS mode. Configuration is done in the "Advanced" section of the QoS action configuration window which is unique for Edge/SG80 appliances. Under Traditional QoS mode only Best Effort QoS class is supported, using other classes will disable QoS policy. R80.20GA -
SMB-9793   QoS supports marking the traffic with Differential Services (DiffServ) tags and preserving existing DiffServ tags. QoS does not support matching packets based on DiffServ tagging. R77.20 -
Unified Access
SMB-8464 When a QoS rule is configured to be applied to a specific time/day/date, it is not limited to those specifications. R80.20GA -
SMB-7992 In locally managed appliances, H.323 is not supported in the hide NAT configuration. R80.20GA -
- Identity awareness AD query functionality is supported when the domain controller server is part of one of the internal networks. R80.20GA -
SMB-11423 Changing the Web and SSH admin access ports (4434 and 22, respectively) to customized values does not take effect.

Workaround: Add an incoming access rule to allow the customized ports.
R80.20.01 R80.20.05
SMB-11555 Before a license is applied to 1530 and 1570 appliances, the 1550 and 1590 appliance names appear in the First Time Configuration wizard and the WebUI. After the license is applied, the correct appliance names appear in the WebUI. R80.20.01 R80.20.05
SMB-10029 Changing the order of the SSL inspection exceptions in the WebUI does not show in the WebUI display even though the order is changed and this can be seen in CLI.

Workaround: To change the order, delete the exception and then add it in the new location.
R80.20GA -
SMB-14832 This pop-up error message may appear in the WebUI when CPU usage is temporarily high: "Connectivity with the appliance was temporarily lost during the last operation"

Workaround: Refresh the browser
R80.20GA -
SMB-10218 Active devices do not support object names in Hebrew. R80.20GA -
SMB-12761 In 1590 appliances: In Firewall Access rules of the type "Incoming, Internal and VPN traffic", you cannot select "internet" as a source or destination in the WebUI. R80.20GA -
01261065 These characters cannot be used in WebUI textual fields:
  • single quote - '
  • double quote - "
  • backslash - \
R80.20GA -
01098614 Toggling between Central and Local Management modes of the appliance is not supported when a cluster is configured. To change to Central Management mode, an administrator must first disable the local cluster R80.20GA -
01102696 RADIUS servers are deleted by clearing the contents of the fields in the Configure RADIUS servers window in the WebUI (VPN tab -> Authentication Servers page -> RADIUS servers link) since there is no direct Delete option.  R80.20GA -
01469798 Configuration of the serial port through Advanced Settings is not supported when an Internet connection is configured to an analog modem through the serial port. R80.20GA -
01610850 When defining server objects, the "Force translated traffic to return to the gateway" is important for traffic originating from internal sources. However, currently, sources of all traffic to the server will be translated and hidden behind the gateway's IP address.  R80.20GA -
01596220 Host objects can be defined with up to 32 characters.  R80.20GA -
01582663 When a log in a locally managed appliance shows the "myown_obj" object, it in fact means "this appliance". R80.20GA -
01675566 In locally managed appliances, in the Threat Prevention Exception page -> Malware Exceptions section, if the "Scope" field is not configured to "Any" it may result in the exception not being matched.  R80.20GA -
01667323 The Identity Awareness portal sometimes does not show correctly in a Chrome browser.

Workaround: refer to sk106125
R80.20GA -
02340182 When more than one VAP is added to a local network switch or bridge, it cannot be unassigned.

Workaround: delete it and then recreate it. 
R80.20GA -
SMB-4869 After replacing the web portal certificate, login to the administration web portal fails with a "Connectivity error. Refresh page and retry" message due to the browser's certificate caching mechanism.

Workaround: refresh the page.
R77.20 -
SMB-4792 Attempting to configure the same specific feature through WebUI and CLI interfaces at the same time may cause settings to be overridden or subject to submission timing. R77.20 -

Give us Feedback
Please rate this document