Comparison between R81 and R81 for Scalable Platforms

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk170425
Technical Level
Product	Quantum Maestro, Quantum Scalable Chassis
Version	R81
OS	Gaia
Platform / Model	All
Date Created	14-Dec-2020
Last Modified	02-Sep-2021

Solution

This is a features comparison between R81 and R81 for Scalable Platforms.

For more information, see sk173183 - Scalable Platforms (Maestro and Chassis) comparison between versions.

Table of Contents:

Firewall and Security Policy
VSX
Gaia
Installation and Upgrade
Logging
Cluster
VPN
Remote Access VPN
Network Management
Next Generation Security Gateway
System Management and Monitoring
Rate Limiting and DoS Mitigation
Performance Tuning
Threat Prevention
CloudGuard
Mobile Access
Identity Awareness
Compliance
HTTPS Inspection
CPDiag
Access Control
Data Loss Prevention / Certificate Authority
Advanced Routing
Dynamic Routing

Firewall and Security Policy

Feature	R81	R81 for SP	Comments
L3 Firewall
L2 Firewall (Bridge mode)
QoS
ISP Redundancy
Multicast
Identity Awareness Captive Portal
NAT IPv4 / NAT IPv6
NAT 64
Dynamic Anti-Spoofing
Support for Domain objects, Updatable objects, Security Zones, Access Roles and Data Center objects
Hit Count for NAT rules
NAT Enhanced policy
Accelerated Policy Installation

VSX

Feature	R81	R81 for SP	Comments
VSX L3 Firewall
VSX L2 Firewall			No Support for VSX Multi-Bridge.
Virtual Switches
Virtual Routers
Identity Awareness Captive Portal
VSX Multicast
NAT IPv4 / NAT IPv6
NAT 64
VSX QoS, Light Weight (CPQoS) (12)			SP limitation.
QoS (Floodgate-1)
Dynamic Anti-Spoofing
"vsx_util reconfigure"			After running the "vsx_util reconfigure" command, you must install policy on all Virtual Systems.
Downgrade VSX management objects to earlier versions using the "vsx_util"
Support for Domain objects, Updatable objects, Security Zones, Access Roles and Data Center objects
NAT Enhanced policy

Installation and Upgrade

Feature	R81	R81 for SP	Comments
CPUSE			To be used via Global Clish (gclish) shell only
Hotfix Uninstall			Using the CPUSE
Licensing in SmartUpdate			Installation of a Central license with SmartUpdate requires a policy installation on the Security Gateway / VSX Gateway (context of the VS0) in order to propagate the license to all members.

Gaia OS

Feature	R81	R81 for SP	Comments
Gaia CLI	clish	gclish
Gaia Portal
First Time Configuration Wizard (Portal + CLI)
Snapshot			Restore snapshots only on the same chassis type and SGM model on which it was collected.
Backup / Restore
NTP Client
RADIUS / TACACS Users
Alias Interfaces
The Google Compute Engine Virtual Network Interface (gVNIC)
Virtual Extensible LAN (VXLAN)
Generic Routing Encapsulation (GRE)
Link Layer Discovery Protocol (LLDP) configuration trough CLISH and the Gaia Portal
IP address conflict detection
Multi-Queue for Gaia Management interfaces
Gaia REST API

Logging

Feature	R81	R81 for SP	Comments
Firewall and Software Blade logs			Logs for session connections generated by Software Blades on R81 for Scalable Platforms do not show the SGM ID.
Syslog
Fetch Logs
UserCheck

Cluster

Feature	R81	R81 for SP	Comments
Cluster HA			Chassis only, no unicast CCP
Cluster LS
Cluster VSX HA
Cluster VSX VSLS

* More than two sites are planned for Maestro.

VPN

Feature	R81	R81 for SP	Comments
IKEv1
IKEv2
Multicore VPN
Dynamic Routing VPN through Virtual Tunnel Interface (VTI)			Solved in R81 Jumbo HF Take_34 and R81.10
Link Selection
Route-Based Probing for link selection			Limitation from R80.20SP
Tunnel Sharing modes (per host, subnet, Gateway)
Wire Mode			Limitation from R80.20SP
NAT Traversal
"orig_route_params" (magic button)
Peer configured as DAIP (with Dynamic IP address)
Tunnel Test			Limitation from R80.20SP
VPN Routing configurations: 1. Gateway as satellite w/ peers through 2. Client to Site Traffic over Site to Site VPN Tunnel			Limitation from R80.20SP
Traditional VPN mode			Limitation from R80.20SP
Virtual Tunnel Interfaces (VTIs)			Limitation from R80.20SP
Corporate Enforcement			Limitation from R80.20SP
Multiple ciphers for external Security Gateways in a single VPN community
SHA-512

Remote Access VPN

Feature	R81	R81 for SP	Comments
Office Mode			DHCP, Radius
Visitor Mode (TCPT)
Client IP change
SNX
Endpoint Security
Simultaneous Login Prevention (SLP)			Limitation from R80.20SP
Hub Mode
Location Awareness
User certificate enrollment
Desktop Security
SCV Support

Network Management

Feature	R81	R81 for SP	Comments
Multi Bridge
DHCP Server
DHCP Relay
DHCP Client
Netflow IPFIX
Management Data Plane Separation (MDPS, sk138672)

Next Generation Security Gateway

Feature	R81	R81 for SP	Comments
Mirror and Decrypt			See the Security Gateway Administration Guide for changes in the configuration procedure
ICAP client			See the Security Gateway Administration Guide for changes in the configuration procedure
ICAP Server
Hardware Security Module (HSM)			See the Security Gateway Administration Guide for changes in the configuration procedure
Private ThreatCloud (PTC)			For details on how to enable PTC in R81 for Scalable Platforms, see sk161534

System Management and Monitoring

Feature	R81	R81 for SP	Comments
SNMP
Alerts			See Scalable Platforms Administration Guide for configuration procedure. For Maestro, there are no alerts on Orchestrator.
Job Scheduler
CPView			Only per SGM, statistics are not aggregated.

Rate Limiting and DoS Mitigation

Feature	R81	R81 for SP	Comments
Penalty Box
Rate Limiting rules - "fw samp" / "fw samp_policy"			Replaced by the "fwaccel dos" commands
Suspicious Activity Monitoring Rules - "fw sam"			Replaced by the "fwaccel dos" commands
Accelerated SYN Defender - "fwaccel synatk"			Supported only from Scalable Platform CLI with the "g_fwaccel synatk" command (it is not supported to configure the IPS "SYN Attack" (SYN Defender) protection in SmartConsole)

Performance Tuning

Feature	R81	R81 for SP	Comments
Dynamic Dispatcher
Priority Queues

Threat Prevention

Feature	R81	R81 for SP	Comment
IPS
Anti-Bot
Anti-Virus
Anti-Malware
Anti-Spam			Security Gateway only
Cloud Threat Emulation
Remote Threat Emulation (Dedicated appliance)
Threat Extraction			For known limitations, refer to sk148074.

CloudGuard

Feature	R81	R81 for SP	Comments
CloudGuard Controller

Mobile Access Blade

Feature	R81	R81 for SP	Comments
Mobile Access Blade

Identity Awareness

Feature	R81	R81 for SP	Comments
Identity Awareness
Azure Active Directory support
Identity Awareness nested groups
Security ID (SID) support

Compliance

Feature	R81	R81 for SP	Comments
Compliance

HTTPS Inspection

Feature	R81	R81 for SP	Comments
SSL inspection
FutureX Hardware Security Module (HSM)			Not supported with TLS 1.3
TLS 1.3			TLS 1.3 is off by default and is only applicable if User Space Firewall (USFW) is active.

CPDiag

Feature	R81	R81 for SP	Comments
CPDiag

Access Control

Feature	R81	R81 for SP	Comments
Application Control
URL Filtering
Content Awareness
Updatable Objects

Data Loss Prevention / Certificate Authority

Feature	R81	R81 for SP	Comments
DLP			Security gateway only. VSX mode not supported.
CA

Advanced Routing

Feature	R81	R81 for SP
OSPFv3 AH authentication for OSPFv3 protocol security
IPv6 route aggregation
IPv4/IPv6 NAT-pool routes
Routing Information Protocol (RIP) route sync
PIM restart capability

Dynamic Routing

Feature	R81	R81 for SP	Comment
RIP (IPv4)
RIPng (IPv6)
PIM
OSPFv2 (IPv4)
OSPFv3 (IPv6)
BGP			Supports IPv4/IPv6
BFD			Supports IPv4/IPv6
PBR
BGP support for VxLAN interfaces
Dynamic Routing support for GRE interfaces

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating