Support Center > Search Results > SecureKnowledge Details
Scalable Platforms (Maestro and Chassis) comparison between versions Technical Level
Solution

Table of Contents:

  • Firewall and Security Policy
  • VSX
  • Installation and Upgrade
  • Gaia OS
  • Logging
  • Cluster
  • VPN
  • Remote Access VPN
  • Network Management
  • Quantum Security Gateway
  • System Management and Monitoring
  • Rate Limiting and DoS Mitigation
  • Performance Tuning
  • Threat Prevention
  • CloudGuard Controller
  • Mobile Access
  • Mail Transfer Agent
  • Identity Awareness
  • Compliance
  • HTTPS Inspection
  • CPDiag
  • Access Control
  • Data Loss Prevention / Certificate Authority
  • Dynamic Routing
  • Maestro Hyperscale Orchestrator
  • Related Articles

Firewall and Security Policy

Feature R80.20SP R80.30SP R81 R81.10 Comment
L3 Firewall
L2 Firewall (Bridge mode) R80.30SP, R81, R81.10: Not supported in Dual Site
QoS
ISP Redundancy R80.20SP: Supported from JHF Take 305

R80.30SP: Supported from JHF Take 73
Multicast
Identity Awareness Captive Portal
NAT IPv4
NAT IPv6
NAT 64
NAT Enhanced Policy
Dynamic Anti-Spoofing
IP Block feature R80.30SP: Supported from JHF Take 56
CGNAT R80.20SP: Requires a special Management Server based on R80.30 (sk169415)
GTP inspection
HTTP / HTTPS proxy
Point-to-Point Protocol over Ethernet (PPPoE) 
Management-as-a-Service (MaaS)

VSX

Feature R80.20SP R80.30SP R81 R81.10 Comment
VSX L3 Firewall
VSX L2 Firewall No Support for VSX Multi-Bridge.
Virtual Switches R80.20SP: Supported from JHF Take 178

R80.30SP: Supported from JHF Take 73
Virtual Routers
Identity Awareness Captive Portal
VSX Multicast
NAT IPv4
NAT IPv6
NAT 64
VSX QoS, Light Weight (CPQoS)
QoS Software Blade (Floodgate-1)
"vsx_util reconfigure" After running the "vsx_util reconfigure" command, you must install policy on all Virtual Systems

Installation and Upgrade

Feature R80.20SP R80.30SP R81 R81.10 Comment
Upgrade N/A Upgrade is supported only to R81.10 (see the Release Notes)
CPUSE To be used in the Global Clish (gclish) shell only
Hotfix Installation / Uninstall To be used in the Global Clish (gclish) shell only
Licensing in SmartUpdate Central Licensing is not supported on Maestro

Gaia OS

Feature R80.20SP R80.30SP R81 R81.10 Comment
Gaia CLI gclish gclish gclish gclish
Gaia Portal
First Time Configuration Wizard (Portal + CLI)
Snapshot R81: Does not support Scheduled Snapshots
Backup / Restore R80.30SP: Scheduled Backup is supported from JHF Take 56

R81: Gaia Backup is fully supported from JHF Take 13 (Gaia Snapshots are fully supported)
NTP Client
RADIUS / TACACS Users R80.30SP: Remote authentication for Expert mode using RADIUS / TACACS+ servers is not supported.
Alias Interfaces R80.20SP: Supported from JHF Take 279

R80.30SP: Supported from JHF Take 49

Logging

Feature R80.20SP R80.30SP R81 R81.10 Comment
Firewall and Software Blade logs Logs for session connections generated by Software Blades on Scalable Platforms R80.20SP do not show the SGM ID / Security Group Member ID.
Syslog
Fetch Logs
UserCheck
Log Server Distribution R80.20SP: Supported from JHF Take 105

R81.10: New feature - Log Server Clustering

Cluster

Feature R80.20SP R80.30SP R81 R81.10 Comment
Cluster HA Scalable Chassis only

No unicast CCP
Cluster LS
Cluster VSX HA
Cluster VSX VSLS Maestro R80.20SP: Supported from JHF Take 163
Same VMAC R80.20SP:
Supported from JHF Take 258

R81:
Early Availability

See:
sk165674 
Cluster Control Protocol (CCP) encryption
Interface Active Check feature
Unique IP per Chassis / Site

VPN

Feature R80.20SP R80.30SP R81 R81.10 Comment
IKEv1
IKEv2
Multicore VPN
Link Selection
Route-Based Probing for Link Selection
Tunnel Sharing modes (per Host, per Subnet, per Gateway)
Wire Mode
NAT Traversal
"orig_route_params" (magic button)
peer configured as DAIP (dynamic IP)
Tunnel Test
VPN Routing configuration:
1. Gateway as a Satellite with peers
2. Client-to-Site Traffic over a Site-to-Site VPN Tunnel
Traditional VPN mode
Virtual Tunnel Interfaces (VTIs)
Corporate Enforcement
Multiple ciphers for external Gateways in a single VPN community
SHA-512
Machine Certificate Authentication
SmartLSM

Remote Access VPN

Feature R80.20SP R80.30SP R81 R81.10 Comment
Office Mode DHCP, RADIUS
Visitor Mode (TCPT)
Change of a Client IP Address
SSL Network Extender (SNX)
Endpoint Security Client
Simultaneous Login Prevention (SLP)
Hub Mode
Location Awareness
User certificate enrollment
Desktop Security
Secure Configuration Verification (SCV) Support

Network Management

Feature R80.20SP R80.30SP R81 R81.10 Comment
DHCP Server
DHCP Relay
DHCP Client
Netflow IPFIX
Management Data Plane Separation (MDPS, sk138672) R80.20SP: Supported only on Scalable Chassis from JHF Take 210

R80.30SP: Supported from JHF Take 73
Proxy ARP

Quantum Security Gateway

Feature R80.20SP R80.30SP R81 R81.10 Comment
Mirror and Decrypt See the Security Gateway Administration Guide for the configuration procedure
ICAP Client See the Security Gateway Administration Guide for the configuration procedure
ICAP Server
Hardware Security Module (HSM) See the Security Gateway Administration Guide for the configuration procedure
Private ThreatCloud (PTC) R80.20SP: For details on how to enable PTC, see sk161534

System Management and Monitoring

Feature R80.20SP R80.30SP R81 R81.10 Comment
SNMP For supported SNMP MIBs and OIDs, see sk168878
Alerts See the Maestro Administration Guide / Scalable Platforms Administration Guide for the configuration procedure
Job Scheduler
CPView Only per SGM / Security Group Member.

Statistics are not aggregated.
Monitoring Software Blade (SmartView Monitor)

Rate Limiting and DoS Mitigation

Feature R80.20SP R80.30SP R81 R81.10 Comment
Penalty Box
Rate Limiting rules- "fw samp" / "fw samp_policy" g_fwaccel dos rate g_fwaccel dos rate R80.20SP: Supported in SGW mode only. Supported in VSX mode from JHF Take 266.

R81: See sk112454.
Suspicious Activity Monitoring Rules- "fw sam" This feature has been discontinued
Accelerated SYN Defender- "fwaccel synatk" Supported only from the Scalable Platform CLI with the "g_fwaccel synatk" command (not supported to use the "fwaccel synatk" command on a Management Server)

Performance Tuning

Feature R80.20SP R80.30SP R81 R81.10 Comment
CoreXL Dynamic Dispatcher See sk105261
Firewall Priority Queues See sk105762 

Threat Prevention

Feature R80.20SP R80.30SP R81 R81.10 Comment
IPS Software Blade
Anti-Bot Software Blade
Anti-Virus Software Blade
Anti-Malware
Anti-Spam Software Blade Supported in SGW mode only
Cloud Threat Emulation
Remote Threat Emulation (Dedicated appliance)
Threat Extraction Software Blade R80.20SP: Supported in SGW mode from JHF Take 279. Supported in VSX mode from JHF Take 304.

For known limitations, see sk140396.

R80.30SP: Supported from JHF Take 73
Custom Intelligence Feeds R80.20SP: Supported from JHF Take 283 (see sk132193)

CloudGuard

Feature R80.20SP R80.30SP R81 R81.10 Comment
CloudGuard Controller

Mobile Access Software Blade

Feature R80.20SP R80.30SP R81 R81.10 Comment
Mobile Access Software Blade
Mobile Access Portal Agent

Mail Transfer Agent

Feature R80.20SP R80.30SP R81 R81.10 Comment
MTA

Identity Awareness Software Blade

Feature R80.20SP R80.30SP R81 R81.10 Comment
Identity Awareness Software Blade
Azure Active Directory support
Identity Awareness nested groups
Security ID (SID) support
Identity Broker
SAML

Compliance Software Blade

Feature R80.20SP R80.30SP R81 R81.10 Comment
Compliance Software Blade

HTTPS Inspection

Feature R80.20SP R80.30SP R81 R81.10 Comment
SSL inspection
FutureX Hardware Security Module (HSM)
  • R81-R81.10: Only available when the User Space Firewall (USFW) is enabled
  • R81: Disabled by default
TLS 1.3 TLS 1.3 is disabled by default and is only applicable if the User Space Firewall (USFW) is enabled

CPDiag

Feature R80.20SP R80.30SP R81 R81.10 Comment
CPDiag

Access Control

Feature R80.20SP R80.30SP R81 R81.10 Comment
Application Control Software Blade
URL Filtering Software Blade
Content Awareness Software Blade
Updatable Objects

Data Loss Prevention / Certificate Authority

Feature R80.20SP R80.30SP R81 R81.10 Comment
Data Loss Prevention (DLP) Software Blade Supported in SGW mode only. VSX mode is not supported.

Fingerprint and "Ask" action are not supported.
Certificate Authority

Dynamic Routing

Feature R80.20SP R80.30SP R81 R81.10 Comment
RIP (IPv4)
RIPng (IPv6)
PIM R80.20SP: For more information, see sk169762
OSPFv2 (IPv4)
OSPFv3 (IPv6) R80.20SP: Supported from JHF Take 258
BGP (IPv4)
BGP (IPv6) R80.20SP: Supported from JHF Take 258
BFD R80.20SP: Supports IPv4/IPv6 from JHF Take 258
PBR R80.20SP: Supported in VSX mode from JHF take 178 (sk137232)

R80.30SP: Supported in VSX mode from JHF Take 73
IPv6 R80.20SP: Supported from JHF Take 240
BGP support for VxLAN interfaces
Dynamic Routing support for GRE interfaces

Maestro Hyperscale Orchestrator

Feature R80.20SP R81.10 Comment
Mix and Match
Shared Uplinks

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment