IPv6 Limitations on Quantum Spark Appliances
Quantum Spark Appliances
Platform / Model: 700, 900, 1200R, 1400, 1500, 1570R, 1600, 1800
This article lists all known limitations for R80.20.X firmware versions on Quantum Spark Appliances.
Non-Supported Features for IPv6
Note - IPv6 is not supported on 600/1100 devices.
IPv6 is not supported in LSM and SmartProvisioning
IPv6 is not supported in Security Management Portal (SMP)
Policy-based routing in IPv6
External syslog server
Single IPv6 Internet connection
Threat Emulation (works only in dual-stack)
Updatable objects - Geo location
Route-based Site-to-Site VPN
Site-to-Site VPN with multiple links, hostname, dynamic IP address environments
VPN Remote Access
IPv4 IPsec tunnel over an IPv6 non-IPsec tunnel is not supported
Cluster High Availability in pure IPv6
NAT64 / NAT46
SSL Inspection is supported only on Locally Managed appliances
Browser-Based Authentication does not work in pure IPv6
Reach My Device (RMD) - does not support pure IPv6 connections
Security Management Portal (SMP) - does not support pure IPv6 connections
Zero Touch - does not support pure IPv6 connections (you can configure IPv6 CLI configurations)
Firmware upgrade service - does not support pure IPv6 connections
In IPv6 mode, you can only configure a bridge to the internet through the WebUI, and not CLISH.
Resolved in build 990171652
During the reboot after you switch the device to IPv6 mode via the WebUI, a session timeout popup is sometimes shown.
Configuring a LAN port as internet connection is not supported with IPv6 internet connection types.
You cannot configure IPv6 addresses for SNMP Trap Receivers.
When you change a LAN interface that was previously defined with an IPv4 address and DHCP server to be pure IPv6, the DHCPv4 server must be disabled.
In IPv6-mode (dual stack), you can configure multiple IPv4 internet connections in HA/LS mode, but only a single IPv6 internet connection.
Netflow is not supported for IPv6 traffic.
Dynamic routing is not supported for IPv6 traffic. Specific options relevant for IPv6 in dynamic routing CLISH do not apply.
Configuring additional loopback interfaces via CLISH does not support dual stack and IPv6.
DNS trap functionality in Anti-Malware is not supported for IPv6 traffic.
Bridging an IPv4 or IPv6 internet connection which is part of a dual stack is not supported. You must bridge both of the dual stack internet connections, or separate the connections on different interfaces before bridging.
IPv6-only LAN alias isn't supported - an IPv4 address is required for each alias alongside the IPv6 address.
Access and NAT
Inspecting 6in4 or 6to4 tunnels using a service called SIT_with_Intra_Tunnel_Inspection, and handling IPv6 extension headers (see sk39374), are not supported.
In Small and Medium Business appliances, NAT-related policy changes do not apply to existing ICMPv6 traffic until the connections time out in the connections table or the appliance is rebooted. New ICMPv6 connections use the new policy immediately.
In locally managed appliances, server objects are network objects with automatic access and NAT configuration. In these appliances, server objects do not support IPv6 or dual stack. Functionality for IPv6 addresses can still be obtained by manually configuring access and NAT rules.
In locally managed appliances, the ability to write a free IP address for a Rule Base source and destination (access, NAT, Threat Prevention exceptions) is only available for IPv4 addresses. For IPv6/dual stack addresses, a network object must be defined and used.
NAT64 is not supported for Embedded Gaia appliances (and is not supported in the R80.10 Security Management Server).
Manual NAT rules that are configured on a dual stack locally managed cluster and that use "This gateway" object apply only to IPv4 VIP (Virtual IP address of the cluster). To create manual NAT rules for the IPv6 VIP, a manual network object must be created and used.
Threat Emulation is not supported in pure IPv6 mode. It is only supported in dual stack mode.
SMB-490, SMB-1214, 01170605
Threat Emulation does not support IPv6 traffic on Embedded Gaia appliances.
On Embedded Gaia appliances, the Anti-Spam blade does not support IPv6 traffic. Refer to sk39374.
In centrally managed 1430/1450 appliances, when IPv6 mode is enabled, installing policy with all blades active and a large IPS policy such as the built-in strict profile may fail with an "Installation Failed. Reason: Failed to load Policy on Security Gateway" message. To optimize the IPS profile, refer to sk105217.
POP3 deep inspection is not supported for IPv6 traffic.
When using AD based rules, to make the rules apply both on IPv6 traffic and IPv4 traffic, the AD server must support dual stack and both its IPv6 and its IPv4 addresses must be configured in the Security policy.
The URL address for the browser based authentication portal in Identity/User awareness needs to use a "<dynamic-ip>" string instead of a hardcoded IP address to work simultaneously in a dual stack environment for both IPv4 and IPv6 traffic.
In Small Office appliances, when you define a RADIUS server in a dual stack network for authentication purposes (for a captive portal or hotspot), if an IPv4 address is configured, that will be the address used. You can configure an IPv6 address without also configuring an IPv4 address. In dual stack networks, configure the primary RADIUS server with an IPv4 address only, and the second RADIUS server with an IPv6 address only.
The error "Invalid object name. Name should begin with a letter and contain up to 32 alphanumeric (0-9, a-z, _ -.) characters without spaces" is shown when creating a pure IPv6 Active Directory.
When adding Active Directory as an Authentication Server, it must be configured in Dual Stack mode.
Management and Log Servers
In the Security Management web page on the gateway, the IP address used in the recent connection between management and gateway is shown. If both are defined with dual stack IPv4 and IPv6 addresses, the web page will still show the single IP address which was used.
An external syslog server cannot be configured with an IPv6 address.
When configuring IPv6-only NTP servers, issues arise when changing mode to manual time and then back to NTP.
In locally managed appliances, to change an existing cluster in pure IPv4 mode to dual stack mode, you should break and rebuild the cluster, as this is a major change in network configuration. Both members should be configured in IPv6 mode.
IPv4 IPsec tunnel over an IPv6 non-IPsec tunnel is not supported.
Site to site and remote access VPN are not supported when the internet connection is of type DS-Lite.