Check Point 600 Appliance Known Limitations

This article lists all of the Check Point 600 Appliance-specific known limitations.

Important notes:

  • To get a fix for an issue listed below, contact Check Point Support with the issue ID.

  • To see if an issue has been fixed, search for the issue ID in Support Center.

For more information on Check Point 1100 appliance, see the Check Point 600 Appliance Release Notes and Check Point 600 Appliance home page.

You can also visit our 2012 Models Security Appliances forum, Small and Medium Business Appliances forum or any other Check Point discussion forum to ask questions and get answers from technical peers and Support experts.


Table of Contents

  • General
  • Configuration and OS
  • Networking
  • WebUI
  • Active Directory
  • VPN
  • High Availability
  • UserCheck
  • QoS (Bandwidth Control)
  • Cluster
  • IPS
  • SecureXL
  • SmartProvisioning


ID Symptoms
General
- HTTPS Inspection is not supported.
- DLP Blade is not supported.
01193839 Only a single DC is supported per AD server.
Configuration and OS
- Embedded Gaia OS does not support all features of the full Gaia OS.
- BGP MD5 is not supported.
- Non-TCP / Non-UDP protocols are not supported.
01102696 RADIUS servers are deleted by clearing the contents of the fields in the Configure RADIUS servers window in the WebUI (VPN tab > Authentication Servers page > RADIUS servers link) since there is no direct Delete option.
01092584 Before R75.20.30, wireless networks only support WPA/WPA2 Personal (authentication through a single password and not authentication of users through a RADIUS server).
01118172 The only type of SD card supported is SDHC with a capacity of up to 32GB.
01140158 You cannot configure SNMP traps with Google Chrome browsers on Windows 7 and Windows 8 machines with screen resolution under 1280 x 768.
Before ejecting an SD card, you must unmount it from the WebUI or CLI.
WebUI - From the Logs & Monitoring tab, select Security Logs. From the Options menu, select Eject SD card safely.
CLI - Use the bash umount command:
umount /dev/mmcblk1
01229771 Certificates issued by subordinate CAs are not supported in locally managed 1100 Appliances or 600 Appliances.
01216507 When defining a local cluster with the "Strict" Firewall mode enabled, a manual internal rule must be defined to allow connectivity between the cluster members on the sync interface.
01213575 The hotspot portal is shown only when attempting to browse the internet and not immediately after connecting to Wi-Fi.
01264555 The WebUI is not supported on IE11.
01352922 Check Point supports up to 24 VLANs on Internal Network and up to 32 Internet connections (each VLAN on an Internet connection is counted as one Internet connection).
01397875 NAT forwarding of non TCP/UDP traffic (such as ICMP or GRE, as in the case of a PPTP server) will not work when the source IP addresses are hidden behind the gateway's IP address. 
01201173 NAT-T is not supported for locally managed 600 Appliance. 

This issue is resolved in R75.20.60. Refer to sk100442.
01119132 When editing a bridge configuration, Internet connectivity might be disrupted for a short time interval until the connection is reestablished.
01207911 An AD server that resides outside of the internal network is not supported.
01262416 The Internal DHCP server on the LAN network is limited to 1020 addresses. Therefore, it only supports Class C IP addresses.
01205298 When adding a manual NAT rule, the user should use existing network objects only. Using plain IP addresses is not supported.
01117150 Entering a password that does not match required validation rules and then selecting another authentication method will block you from continuing.

Workaround: Delete the password from the Password fields and then select another authentication method.
1117710 The Log In page is not shown after the appliance reboots (due to image upgrade, reboot, reverting to a previous image or reverting to factory defaults).

Workaround: Refresh the browser manually and proceed when a message is shown that the security certificate is not trusted.
01122658 After setting the LAN1 network with a new IP address in the First Time Configuration Wizard, configuring other LAN interfaces through the WebUI Device -> Local Network page will cause a loss of connectivity to the appliance.
Re-establish connectivity with one of these steps:
  • If DHCP is configured on LAN1 - the administrator's PC will obtain a new IP address automatically and will be able to reconnect.
  • If DHCP is not configured on LAN1 - the administrator should manually configure the interface on the admin PC that is connected to the appliance with the IP address that belongs to the network defined on LAN1.
01154293 When an external log server is configured:
  • A Security Gateway cluster is not supported
  • Cloud Management is not supported
01226415 Defining an external DHCP server to define Office Mode addresses is not supported.

These characters cannot be used in WebUI textual fields:

  • single quote '
  • double quote "
  • backslash \
Active Directory
01116406 An AD Domain Controller used for authenticating users that is located in the external zone of a device using hide-NAT is not supported.

Workaround: Install another Domain Controller in the internal zone of the device.
01112005 The WebUI window can get stuck when adding an Active Directory that contains more than 400 groups. Nonetheless, groups will be fetched. The appliance supports up to 1000 groups.
VPN
- VPN IKE aggressive mode is not supported.
- VPN wire mode is not supported.
- Traditional VPN mode is not supported.
01115731 You cannot use the Firefox browser to export and add certificates from one Security Gateway to another when creating a VPN site between them.

Workaround: Use another browser such as Google Chrome.
01120812 When you click the Apply button on the WebUI -> VPN Site to Site Blade Control page, it causes the system to revert to the previous "Local encryption domain" definition.

Workaround: To change and save a new "Local encryption domain" definition, click the link, adjust the setting and click Apply in the Site to Site Local Encryption Domain window. Exit the WebUI -> VPN Site to Site Blade Control page without clicking Apply to save the new state.
01131761 When you click the Apply button on the WebUI > VPN Site to Site Blade Control page, it causes the system to revert to the previous 'Local encryption domain' definition.

Workaround: To change and save a new 'Local encryption domain' definition, click the link, adjust the setting and click Apply in the Site to Site Local Encryption Domain window. Exit the WebUI > VPN Site to Site Blade Control page without clicking Apply to save the new state.
01213552 IKEv2-only encryption may not function correctly on 1100/600 appliances.
01216260 In VPN Remote Access Office Mode, Automatic (DHCP) is not supported.
01118273 Configuring VPN site to site or VPN RA for CP Mobile with certificate-based authentication on a locally managed cluster is not supported.
01319514 No permanent tunnel support with 3rd party gateways.
01184648 VPN Link selection feature is not supported.
01316511 Route-based VPN does not work on packets routed with Policy-based Routing. This means that if there is a Policy-based Routing rule with a VTI as the next hop, packets routed by this rule are not encapsulated by VPN and are sent in clear text.
01229769 Subordinate certificates are not supported on a locally managed appliance.
01371877 Check Point tunnel testing protocol does not support 3rd party Security Gateways.
High Availability
01107743 In a High Availability environment, if a network cable is pulled out and there is only one host which is in the cluster peer, failover may not occur.

Workaround: Include other hosts in the subnet to make sure failover happens when necessary.
01117967 Configuring High Availability on an interface with a PPP connection is not supported.
UserCheck
00948255 To enable UserCheck on TCP port 80, administrator access must be set on the interfaces.
00920190 UserCheck portal access through HTTP is not supported. It works only through HTTPS.
QoS (Bandwidth Control)
01073326 All QoS Policy rules that are set to Low Latency share a joint limit. By default, this limit is 20 percent of the interface's bandwidth. This value can be changed from the WebUI -> Access Policy -> QoS policy page by clicking the percentage link shown in Limit low latency traffic to X percent of bandwidth.
Note that setting this value to more than 20 percent can lead to starvation of all other traffic.
01125221 In some cases, the Access Policy > QoS Blade Control page shows a message that QoS options are not selected for the configured Internet connection even when options have been configured.
Cluster
- Load Sharing mode is not supported.
01125000 When configuring a cluster and setting DHCP on one of the cluster interfaces, a DHCP server might include the other cluster member's IP address in its available IPs' range. Therefore, the DHCP server might serve this IP to another computer in the same network which will cause connectivity issues.

Workaround: Manually exclude the other cluster member's IP address from the range.
01124242 Before configuring a local cluster, make sure that the sync interface is unassigned by checking the Device > Local Network page in the WebUI.
01119896 When configuring a cluster, you cannot use a wireless interface as the Sync interface.
- Configuring Bridge/Switch on network interfaces is not supported in Cluster High Availability mode.
IPS
- GEO Protection is not supported.
- IPS Packet Capture is not supported.

SecureXL
Accelerated connections from internal networks to the Internet fail when the Internet connection is bridged.
Workaround: Turn off SecureXL by running the fwaccel off command.

Resolved in R75.20.40

01154782 The fields in the Hotspot Customization page (Device > Hotspot) can only contain one word.

Workaround: Use the underscore character to divide words.
