Limitations
- CME cannot work in parallel with the Autoprovision Add-On. When you install CME on a Security Management Server with the Autoprovision Add-On already deployed, the Autoprovision Add-On is disabled. The configuration for the old service remains the same, and the new CME service uses it. Reverting to the Autoprovision Add-On is not supported.
- When you install a new CME package on the Security Management Server, you may need to log in to the shell again before you can use this package.
- The cme_menu interactive UI requires a terminal with a minimum width of 150 characters and a height of 40 lines. It does not support mouse navigation; keyboard-only navigation is required.
Controllers (Accounts)
- Each Controller in the configuration must have unique credentials, except in a Multi-Domain Security Management Server configuration.
- The Controller name (-cn parameter) must be unique.
- The Controller name cannot be part of another Controller name. For example, if the first Controller is named "Nonprod-xxx", the second Controller cannot be named "Prod-xxx" (because "Nonprod" contains "Prod").
- The -ct (Controller Templates) parameter is mandatory for Multi-Domain Security Management Server environments with more than one domain configured.
- The sub-account name must be unique.
CME API
- The CME API is not supported in Azure GOV and Azure China regions.
- When the Autonomous Threat Prevention and Identity Awareness Software Blades are activated with the CME API, they cannot be deactivated by re-running the API.
AWS
- Role Authentication (IAM) for AWS is available only in on-premises Security Management Server deployments. It is not available in Smart-1 Cloud.
- The AWS Access Key ID parameter is mandatory unless Role Authentication (IAM) is selected.
- These ports/tags are not supported when used with Auto Scaling groups in AWS: x-chkp-ignore-ports, x-chkp-http-ports, x-chkp-https-ports, x-chkp-ssl-ports, x-chkp-source-object.
- The maximum allowed size for a Finding sent to AWS Security Hub is 240 kilobytes. A Finding larger than 240 kilobytes is dropped.
- Findings are uploaded to AWS Security Hub in batches of up to 100 Findings.
- AWS limits ProductFields to 50 elements. To view the full log, use SmartConsole.
- Multi-Domain Security Management Servers and dedicated Log Servers are not supported for the AWS Security Hub integration.
- Only Active states are reported to AWS Security Hub.
- The AWS Security Hub feature does not work with manual modifications. All modifications must be done using the cme_menu command.
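The three Security Hub limits above (240 kilobytes per Finding, batches of 100, 50 ProductFields) are the ones an operator has to reason about when a Finding goes missing. The following is an added example, not CME code or Check Point code: it shapes a list of Findings the way a feed would have to before calling the Security Hub API, dropping oversized Findings, flagging those whose ProductFields exceed 50, and cutting the rest into batches of 100. The Finding structure, the sample data, and the reading of "240 kilobytes" as 240 * 1024 bytes are assumptions; the actual API call is omitted so the block runs offline.

```python
"""Pre-flight shaping of Security Hub Findings against the limits on this page.

Added example, not CME code. The 240 * 1024 byte reading of "240 kilobytes",
the Finding layout and the constructed sample data are assumptions.
"""
import json

MAX_FINDING_BYTES = 240 * 1024   # assumption: "240 kilobytes" read as 240 KiB
BATCH_SIZE = 100                 # from the page: up to 100 Findings per upload
MAX_PRODUCT_FIELDS = 50          # from the page: AWS allows 50 ProductFields


def finding_size(finding: dict) -> int:
    """Size of a Finding as it would be serialised for the API (compact UTF-8 JSON)."""
    return len(json.dumps(finding, separators=(",", ":")).encode("utf-8"))


def prepare_batches(findings: list[dict]) -> tuple[list[list[dict]], list[dict], list[str]]:
    """Return (batches, dropped, warnings).

    - Findings over MAX_FINDING_BYTES are dropped, mirroring the page's rule.
    - Findings with more than MAX_PRODUCT_FIELDS ProductFields are kept but
      flagged, so the operator knows the full log is only in SmartConsole.
    - Surviving Findings are grouped into batches of at most BATCH_SIZE.
    """
    accepted, dropped, warnings = [], [], []
    for f in findings:
        if finding_size(f) > MAX_FINDING_BYTES:
            dropped.append(f)
            continue
        n_fields = len(f.get("ProductFields", {}))
        if n_fields > MAX_PRODUCT_FIELDS:
            warnings.append(f"{f['Id']}: {n_fields} ProductFields exceeds {MAX_PRODUCT_FIELDS}")
        accepted.append(f)
    batches = [accepted[i:i + BATCH_SIZE] for i in range(0, len(accepted), BATCH_SIZE)]
    return batches, dropped, warnings


def sample_findings() -> list[dict]:
    """Constructed sample: 250 small Findings, one oversized, one with 60 ProductFields."""
    base = {"SchemaVersion": "2018-10-08", "ProductArn": "arn:aws:securityhub:example",
            "Title": "constructed finding"}
    findings = [dict(base, Id=f"finding-{i}", ProductFields={"rule": "allow"}) for i in range(250)]
    findings.append(dict(base, Id="too-big", ProductFields={"blob": "x" * (MAX_FINDING_BYTES + 1)}))
    findings.append(dict(base, Id="many-fields", ProductFields={f"k{i}": "v" for i in range(60)}))
    return findings


if __name__ == "__main__":
    batches, dropped, warnings = prepare_batches(sample_findings())
    print(len(batches), "batches;", len(dropped), "dropped;", warnings)
```

With the constructed sample the 251 accepted Findings land in three batches (100, 100, 51), the oversized one is dropped, and the 60-field one is kept with a warning. Dropped Findings are returned rather than silently discarded so they can be logged locally; that is the only place their content survives once Security Hub refuses them.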
Azure
- The Automatic NAT and Access Rules feature works only with Azure Application Gateways and AWS Auto Scale Group solutions. Azure Load Balancers (layer 4) are currently not supported.
- The total combined length of the parameters account_id, nva_resource_group, and nva_name must be less than 99 characters.
- Maximum 600 public IP addresses for load balancing per NVA (Network Virtual Appliance).
- Maximum 300 ports per public IP address of a Load Balancer.
- Maximum 1,500 total ports across all NVA rules.
- When using the CME API to add ingress rules, the IP addresses for lb_public_ips must be in the same subscription as the NVA.
- The NVA must have a minimum of one public IP address attached to it.
- Do not change NAT and access rules generated by the vWAN ingress feature manually. All modifications must be done via cme_menu.
GCP
- The default Security Management Server name ("MGMT") must be changed to an all-lowercase name before adding a GCP account. This is a GCP platform limitation.
- If the Security Management Server name is changed, it must also be changed in the configuration of the Cloud Firewall solution.
- Google Cloud Security Command Center (CSCC) integration supports only Security Management Server and Security Management Server High Availability. Multi-Domain Security Management Servers are not supported.
- Only active states are reported to CSCC.
- GCP instance information is updated only every 30 minutes.
- Only compute instances are supported by the CSCC integration.
- The CSCC feature does not work with manual modifications. All modifications must be done via cme_menu.
- Two or more GCP instances with the same private IP address in the same project is not a supported scenario. In this case, only one instance is displayed in the CSCC Finding.
- On-premises appliances with a source IP address that matches the IP address of an instance in the configured GCP project are not supported. In this case, the resource name of the GCP instance is displayed in the Findings instead.
Configuration Templates
- The restrictive policy name (-rp parameter) cannot be the same as the main policy name (-po parameter).
- The One-Time Password (-otp) must be a random string with a minimum of 8 alphanumeric characters.
- The Threat Extraction and Zero Phishing Threat Prevention blades are not supported with Auto Scaling instances and are therefore deactivated in the Threat Prevention Global Exception rules when Autonomous Threat Prevention is enabled.
- To use Log Server parameters, a minimum of one Primary Log Server must be configured with the -sl parameter.
- To remove all Primary Log Servers, the Backup and Alert Log Servers must be removed first.
- If Primary/Backup/Alert Log Servers are configured with the new key parameter (-nk) together with Log Server parameters (-sl, -sbl, -sa), the new key parameter is ignored.
- Log Server settings are not supported in the Smart-1 Cloud environment.
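The naming and sizing rules in the Controllers, Azure and Configuration Templates sections are easy to violate in a hand-written configuration and only surface once cme_menu or the provisioning run rejects them. The following is an added example, not CME code or Check Point code: it encodes those rules (unique, non-overlapping -cn names; -rp different from -po; -otp of at least 8 alphanumeric characters; the 99-character combined length of account_id, nva_resource_group and nva_name; the 600 public IP, 300 ports per IP and 1,500 total port quotas; at least one public IP on the NVA) as plain check functions that return a list of problems. The data shapes (a list of controller names, a public IP to port list map) and the case-insensitive reading of the "Nonprod"/"Prod" substring rule are assumptions made for this example.

```python
"""Pre-flight checks for the CME limits in the Controllers, Azure and
Configuration Templates sections of this page.

Added example, not CME code. The input shapes and the case-insensitive
substring comparison for controller names are assumptions.
"""
import re

# -otp: at least 8 characters, all alphanumeric (page wording, encoded as a regex)
ALNUM_OTP = re.compile(r"[A-Za-z0-9]{8,}")


def check_controllers(names: list[str]) -> list[str]:
    """-cn names must be unique, and no name may be contained in another name."""
    problems = []
    lowered = [n.lower() for n in names]  # assumption: the Nonprod/Prod example is case-insensitive
    if len(set(lowered)) != len(lowered):
        problems.append("duplicate controller names")
    for i, a in enumerate(lowered):
        for j, b in enumerate(lowered):
            if i != j and a != b and a in b:
                problems.append(f'"{names[i]}" is part of "{names[j]}"')
    return problems


def check_template(po: str, rp: str, otp: str) -> list[str]:
    """-rp must differ from -po; -otp must be at least 8 alphanumeric characters."""
    problems = []
    if rp == po:
        problems.append("restrictive policy name (-rp) equals main policy name (-po)")
    if not ALNUM_OTP.fullmatch(otp):
        problems.append("-otp must be at least 8 alphanumeric characters")
    return problems


def check_azure_ingress(account_id: str, nva_resource_group: str, nva_name: str,
                        public_ips: dict[str, list[int]]) -> list[str]:
    """Length and quota limits for vWAN ingress rules on one NVA.

    public_ips maps each public IP address on the NVA to the ports it load-balances.
    """
    problems = []
    if len(account_id) + len(nva_resource_group) + len(nva_name) >= 99:
        problems.append("account_id + nva_resource_group + nva_name must be under 99 characters")
    if not public_ips:
        problems.append("NVA needs at least one public IP address")
    if len(public_ips) > 600:
        problems.append("more than 600 public IP addresses on the NVA")
    for ip, ports in public_ips.items():
        if len(ports) > 300:
            problems.append(f"{ip}: more than 300 ports")
    if sum(len(p) for p in public_ips.values()) > 1500:
        problems.append("more than 1,500 ports across all NVA rules")
    return problems


if __name__ == "__main__":
    # Constructed sample configuration that trips the naming rule from the page.
    print(check_controllers(["Nonprod-xxx", "Prod-xxx"]))
    print(check_template("Standard", "Standard", "short"))
    print(check_azure_ingress("sub-1", "rg-1", "nva-1", {"203.0.113.10": [80, 443]}))
```

Each function returns an empty list for a clean configuration, so the checks compose naturally into a single pre-apply gate. The substring test deliberately compares whole lowered names; whether CME's own comparison is case-sensitive is not stated on the page, so the stricter reading is used here.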
Automatic Hotfix Deployment
- Automatic Hotfix Deployment is supported only on Azure, AWS, and GCP.
- Automatic Hotfix Deployment and the feature that sets a prefix for all SmartConsole objects cannot be activated in parallel for the same Controller.
- The Hotfix package is installed only on new instances. To install it on all existing instances, the administrator must remove the existing instances and scale out new ones.
- CDT version 1.9 is not compatible with Automatic Hotfix Deployment in CME.
- When another CDT operation is in progress, the Display Hotfix Deployment Status option cannot be used. The administrator must wait until the CDT operation finishes.
- When scaling out multiple instances simultaneously, the Hotfix package is not installed in parallel; it is installed sequentially.
- Enabling Automatic Hotfix Deployment significantly increases the time until a scaled-out instance finishes provisioning, because of the Hotfix or Jumbo Hotfix Accumulator installation time.
- Only Hotfixes and Jumbo Hotfix Accumulators are supported. Minor and Major upgrades are not supported.
- Automatic Hotfix Deployment does not support name-prefix.
- The Jumbo Hotfix Accumulator is installed only after the Security Policy installation.
Network Group Object
- CME creates only one unique network group object for each scale set.
- If an empty network group object (a scale set with 0 instances) is used in the Access Policy "Install On" column, policy installation fails.
- For network group objects whose Platform Unique Identifier is longer than 150 characters, CME replaces it with the SHA256 hash of the identifier to comply with Security Management Server object name restrictions.
- Network Group objects can be used in NAT rule columns for Original Source and Original Destination only.
Multi-Domain Servers
- On a Multi-Domain Security Management Server, CME processes configured Domains sequentially, not in parallel.
- For the use case of multiple domains with multiple cloud accounts, each set of cloud credentials must return a mutually exclusive set of objects. Different sets of credentials must not return the same instance. If two accounts return the same Cloud Firewall Gateway instance, CME attempts to provision it twice.
- In a Multi-Domain environment with more than one domain, the -ct (Controller Templates) parameter is mandatory for each controller.
- In a Multi-Domain HA configuration, there must be exactly two instances of the CME service, one for each Multi-Domain Security Management Server, responsible for provisioning all Domain Management Servers.
- The first deployed Multi-Domain Security Management Server must be configured as Primary in the First Time Configuration Wizard. All other Multi-Domain Servers must be configured as Secondary.
- The CME service script must run on both the Primary and Secondary Multi-Domain Servers.
- The Multi-Domain Security Management Server login credentials must allow the script to access all applicable Domain Management Servers in each Multi-Domain Security Management Server.
- Multi-Domain Security Management Server (MDS) is not supported in the AIOps integration.
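The mutual-exclusivity requirement above is the one Multi-Domain limitation that is only visible after the fact (the same Cloud Firewall Gateway gets provisioned twice), so it is worth checking the credential sets before the domains are configured. The following is an added example, not CME code or Check Point code: given an inventory already collected per account (account name mapped to the set of instance identifiers those credentials return), it reports every instance visible through more than one set of credentials. The inventory shape and the sample account names and instance identifiers are constructed for this example.

```python
"""Find cloud instances that more than one credential set returns, which the
page says makes CME on a Multi-Domain Server provision the gateway twice.

Added example, not CME code. The inventory shape and sample data are assumptions.
"""
from collections import defaultdict


def overlapping_instances(inventory: dict[str, set[str]]) -> dict[str, list[str]]:
    """Return {instance_id: [accounts...]} for every instance seen by two or more accounts."""
    seen = defaultdict(list)
    for account, instances in inventory.items():
        for inst in instances:
            seen[inst].append(account)
    # Sorted account lists keep the report stable regardless of dict order.
    return {inst: sorted(accs) for inst, accs in seen.items() if len(accs) > 1}


def sample_inventory() -> dict[str, set[str]]:
    """Constructed inventory: a read-only account overlaps with two domain accounts."""
    return {
        "finance": {"i-0abc123", "i-0c0ffee"},
        "hr": {"i-0def456"},
        "shared-readonly": {"i-0c0ffee", "i-0def456"},
    }


if __name__ == "__main__":
    for inst, accounts in overlapping_instances(sample_inventory()).items():
        print(f"{inst} is returned by {', '.join(accounts)}: would be provisioned twice")
```

An empty result means the credential sets partition the instances and the limitation does not apply; any non-empty result names the accounts whose scope (or tag filter) has to be narrowed before they are used as separate Controllers.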