Check Point R75.20 GA 1100 Appliance Known Limitations

This article lists all of the known limitations specific to the Check Point R75.20 GA 1100 Appliance.

To see if an issue has been fixed, search for the issue ID in Support Center.

For more information on Check Point 1100 Appliance see the Check Point 1100 Appliance Release Notes, Check Point 1100 Appliance Getting Started Guide and Check Point 1100 Appliance home page.
You can also visit our 2012 Models Security Appliances forum or any other Check Point discussion forum to ask questions and get answers from technical peers and Support experts.

Table of Contents

  • General
  • Configuration and OS
  • Networking
  • SmartProvisioning
  • WebUI
  • VPN
  • Identity Awareness
  • High Availability
  • SmartDashboard
  • UserCheck
  • QoS (Bandwidth Control)
  • Logging and Monitoring
  • Cluster
  • IPS
  • SecureXL
  • SNMP


ID Symptoms
- HTTPS Inspection is not supported.
- DLP is not supported.
01193839 Only single DC is supported per AD server.
Configuration and OS
- Embedded Gaia OS does not support all features of the full Gaia OS. 
- Before ejecting an SD card, you must unmount it from the WebUI or CLI.
WebUI: from the Logs & Monitoring tab, select Security Logs. From the Options menu, select Eject SD card safely.
CLI: use the bash umount command:
umount /dev/mmcblk1
- BGP MD5 is not supported.
01102696 RADIUS servers are deleted by clearing the contents of the fields in the Configure RADIUS servers window in the WebUI (VPN tab > Authentication Servers page > RADIUS servers link) since there is no direct Delete option.
01092584 Before R75.20.30, wireless networks only support WPA/WPA2 Personal (authentication through a single password and not authentication of users through a RADIUS server).
01118172 The only type of SD card supported is SDHC with a capacity of up to 32GB.
01140158 You cannot configure SNMP traps with Google Chrome browsers on Windows 7 and Windows 8 machines with screen resolution under 1280 x 768.
01229771 Certificates issued by subordinate CAs are not supported in locally managed 1100 Appliances or 600 Appliances.
01216507 When defining a local cluster with the "Strict" Firewall mode enabled, a manual internal rule must be defined to allow connectivity between the cluster members on the sync interface.
01213575 The hotspot portal is shown only when attempting to browse the internet and not immediately after connecting to Wi-Fi.
01260951 WebUI does not support Internet Explorer 11.

Resolved in: R75.20.40

The Check Point 1100 Appliance supports up to 24 VLANs on the Internal Network.

The Check Point 1100 Appliance supports up to 32 Internet connections (each VLAN on an Internet connection is counted as one Internet connection).

01397875 NAT forwarding of non TCP/UDP traffic (such as ICMP or GRE, as in the case of a PPTP server) will not work when the source IP addresses are hidden behind the gateway's IP address. 
NAT-T is not supported for Locally managed 1100 appliance.
Resolved in: R75.20.60
01119132 When editing a bridge configuration, Internet connectivity might be disrupted for a short time interval until the connection is reestablished.
01207911 An AD server that resides outside of the internal network is not supported.
01262416 The Internal DHCP server on the LAN network is limited to 1020 addresses. Therefore, it only supports Class C IP addresses.
01320639 NAT-T is supported only for 1100 Appliances that are centrally managed and are defined as a DAIP gateway on the central Security Management Server.
01205298 When adding a manual NAT rule, use existing network objects only. Using plain IP addresses is not supported.
01096933 In a large scale deployment that uses SmartProvisioning and Identity Awareness, redirecting users to a Captive Portal requires creating a VPN certificate for the Security Gateway in SmartProvisioning.
01123551 QoS Blade is not supported in SmartLSM Profile.

Resolved in: R75.20.30 and R77.10.
01055751 To see the current firmware version on 1100 appliances, add the column "Current Version". The columns "Firmware" and "Firmware selection" are only relevant for Edge devices.
01056372 Version and synchronization information is not shown by default in the SmartProvisioning Devices view.

Workaround: Manually add the Firmware version, Last/Next Sync Time columns in the Devices view.
01154782 The fields in the Hotspot Customization page (Device > Hotspot) can only contain one word.

Workaround: Use the underscore character to divide words. For example - for the title ACME Hotspot, enter ACME_Hotspot.
01132456 Assigning Security Zones to interfaces on a SmartProvisioning profile is not supported.
01249327 Up to two internet connections can be defined in SmartProvisioning. If more than two connections are defined on the appliance, SmartProvisioning will not be updated with the appliance's configuration settings.
01261065 These characters cannot be used in WebUI textual fields:
  • single quote - '
  • double quote - "
  • backslash - \
01117150 Entering a password that does not match required validation rules and then selecting another authentication method will block you from continuing.

Workaround: Delete the password from the Password fields and then select another authentication method.
01098614 Toggling between Central and Local Management modes of the appliance is not supported when a cluster is configured. To change to Central Management mode, an administrator must first disable the local cluster.
01122658 After setting the LAN1 network with a new IP address in the First Time Configuration Wizard, configuring other LAN interfaces through the WebUI Device -> Local Network page will cause a loss of connectivity to the appliance.
Reestablish connectivity with one of these steps:
  • If DHCP is configured on LAN1 - the administrator's PC will obtain a new IP address automatically and will be able to reconnect.
  • If DHCP is not configured on LAN1 - the administrator should manually configure the interface on the admin PC that is connected to the appliance with the IP address that belongs to the network defined on LAN1.
1117710 The Log In page is not shown after the appliance reboots (due to image upgrade, reboot, reverting to a previous image or reverting to factory defaults).

Workaround: Refresh the browser manually and proceed when a message is shown that the security certificate is not trusted.
01226415 Defining an external DHCP server to define Office Mode addresses is not supported.
01201259 When defining a gateway object for the appliance, make sure the name starts with a letter. This is necessary as the naming convention in SmartDashboard requires that object names start with a letter.
- VPN IKE aggressive mode is not supported.
Resolved in: R75.20 HFA_30
- VPN wire mode is not supported.
- Traditional VPN mode is not supported.

When the appliance is configured to work in Local Management mode: You cannot use the Firefox browser to export and add certificates from one Security Gateway to another when creating a VPN site between them.

Workaround: Use another browser such as Google Chrome.

Resolved in: R75.20 HFA 65 with R75.47 Security Management 

01120812 When the appliance is configured to work in Local Management mode:
When you click the Apply button on the WebUI -> VPN Site to Site Blade Control page, it causes the system to revert to the previous "Local encryption domain" definition.

Workaround: To change and save a new "Local encryption domain" definition, click the link, adjust the setting and click Apply in the Site to Site Local Encryption Domain window. Exit the WebUI -> VPN Site to Site Blade Control page without clicking Apply to save the new state.
01107581 The WebUI Home > Security Dashboard page shows the VPN Remote Access blade as turned "ON" only if the gateway object in SmartDashboard is set with IPSec VPN and the gateway is part of the Remote Access community.

When the object is defined but not part of the Remote Access community, the WebUI Home > Security Dashboard page shows the VPN Remote Access blade as turned "OFF".
01213552 IKEv2-only encryption may not function correctly on 1100/600 appliances.
01216260 In VPN Remote Access Office Mode, Automatic (DHCP) is not supported.
01319504 The online tunnel test is not supported for 3rd party gateways.
01118273 Configuring VPN site to site or VPN RA for CP Mobile with certificate-based authentication on a locally managed cluster is not supported.
01319514 No permanent tunnel support with 3rd party gateways.
01184648 VPN Link selection probing is not supported.
01316511 Route-based VPN does not work on packets routed with Policy-based Routing. If a Policy-based Routing rule has a VTI as its next hop, packets routed by that rule are not encapsulated by VPN and are sent in clear text.
- Configuring the 1100 as a Center Gateway in a Star-Topology community is not supported.
01229769 Subordinate certificates are not supported on a locally managed appliance.
1100 cannot participate in MEP VPN community.
Resolved in: R77.20 for 600 / 1100 / 1200R Appliance
01371877 Check Point tunnel testing protocol does not support 3rd party Security Gateways.
Identity Awareness
01116406 An AD Domain Controller used for authenticating users that is located in the external zone of a device using Hide-NAT is not supported.

Workaround: Install another Domain Controller in the internal zone of the device.
VPN environment workaround: Disable NAT on the community.
01112005 The WebUI window can get stuck when adding an Active Directory that contains more than 400 groups. Nonetheless, groups will be fetched. The appliance supports up to 1000 groups.
01175002 Identity sharing is not supported.
01258490 Identity Agent is not supported.
Refer to sk97751.
High Availability
01107743 When the appliance is configured to work in Local Management mode:
In a High Availability environment, if a network cable is pulled out and there is only one host which is in the cluster peer, failover may not occur.

Workaround: Include other hosts in the subnet to make sure failover happens when necessary.
01117967 Configuring High Availability on an interface with a PPP connection is not supported.
- External Security Log Server cannot be configured when High Availability is turned on (not supported).
01118938 Negating a security zone object in the security policy rule base is not supported. 

Resolved in: R75.20.20 
01056852 You can create 1100 Appliance objects in SmartDashboard through the Wizard or Classic mode. However, Security Gateway 80 Appliance objects (gateway version R71) can only be created through Classic mode.
00920190 UserCheck portal access through HTTP is not supported. It works only through HTTPS.
QoS (Bandwidth Control)
- A centrally managed SMB appliance can be configured to use the Delay Sensitivity and Differential Services marking features only under Express QoS mode. Configuration is done in the "Advanced" section of the QoS action configuration window, which is unique to Edge/SG80 appliances. Under Traditional QoS mode, only the Best Effort QoS class is supported; using other classes will disable the QoS policy.
01073326 When configuring QoS rules in SmartDashboard, the Bulk option in Delay Sensitivity is not supported.

In addition, when the Delay Sensitivity feature is configured, limit and guarantee values for the same rule are ignored. All rules that are configured with Delay Sensitivity = Interactive will share a joint limit. By default, this limit is 20 percent of the interface's bandwidth.
This value can be changed through GuiDBedit Tool (firewall_properties -> floodgate_preferences -> llq_max_percent).
Note that setting this value to more than 20 percent can lead to starvation of all other traffic.

In some cases, the Access Policy > QoS Blade Control page shows a message "QoS options are not selected..." for the configured Internet connection even when options have been configured.

Resolved in: R75.20.25

01101461 When QoS is enabled, there can be warnings when installing the policy. You can ignore these warnings.
If the Security Management server is installed on Windows, install policy will fail for an 1100 appliance object.

QoS is not supported in SmartLSM.

Resolved in: R75.20.30

- QoS logging is not supported on a Centrally Managed 1100 appliance.
Logging and Monitoring
- Top Counters in SmartView Monitor are not supported.
- Active Connections view in SmartView Tracker is not supported.
You can view Active Connections directly on the appliance through the WebUI.
Monitoring DAIP gateway behind NAT with SmartView Monitor is not supported.
Note: this is a general limitation of SmartView Monitor and it is not related to 1100 Appliance.
- External Security Log Server cannot be configured when High Availability is turned on (not supported).
- Load Sharing mode is not supported.

When configuring a cluster and setting DHCP on one of the cluster interfaces, a DHCP server might include the other cluster member's IP address in its available IP addresses range. Therefore, the DHCP server might serve this IP to another computer in the same network which will cause connectivity issues.

Workaround: Manually exclude the other cluster member's IP address from the range.

01124242 Before configuring a local cluster, make sure that the sync interface is unassigned by checking the Device > Local Network page in the WebUI.
01119896 When configuring a cluster, you cannot use a wireless interface as the Sync interface.
01340500 Centrally Managed appliance drops traffic with "encryption failure: Warning: possible replay attack. Sequence Number xxxxxxx" message when working with SecureRemote.

Resolved in: R75.20 HFA_50.
- Configuring Bridge/Switch on network interfaces is not supported in Cluster High Availability mode.
- GEO Protection is not supported.
- IPS Packet Capture is not supported.
When using a certain community name, the SNMP daemon (SNMPD) crashes on the 1180 appliance.
Refer to sk101711.
