Limitations of CloudGuard Network Security NVA for Azure Virtual WAN
-
All VPN Sites (branches) in Microsoft Azure must have a unique ASN (Autonomous System Number) and BGP peering address.
-
All Virtual Hubs must have a unique ASN and BGP peering address.
-
Branch Gateways can be represented with two or more VPN Sites (in different WANs) but must have one ASN and BGP peering address.
-
The Gateways in this solution send data by default to Check Point to enhance product usability. To disable this option, refer to sk94509.
-
Anti-spoofing is not supported on VPN interfaces on Azure single gateways connected with VPN to the Virtual WAN VPN Gateway.
-
The Azure vWAN automatic script works only on a regular Security Management Server (a dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server), not on Smart-1 Cloud. The automatic script is supported on Multi-Domain Security Management Server with CME Take 261 and higher.
-
QoS (the Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic, guarantee bandwidth and control latency) is not applied to interfaces when Route Based VPN is configured, see sk36157.
-
When you use CME API to add ingress rules, the IP addresses for lb_public_ips must be in the same subscription as the NVA (Network Virtual Appliance, a resource deployed in Azure's Virtual Hub that includes Security Gateways and other networking infrastructure).
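
A pre-deployment check for the three ASN and BGP peering address items at the top of this list, as an added example that is not Check Point or Microsoft code. The inventory layout, field names and sample values are constructed, and the check assumes that an ASN and a peering address must each be unique on their own and that one gateway may have only one VPN Site per WAN.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed inventory; field names, ASNs and addresses are illustrative.
SITES = [
    {"gateway": "gw-a", "wan": "wan1", "asn": 65010, "bgp_ip": "10.10.0.1"},
    {"gateway": "gw-a", "wan": "wan2", "asn": 65010, "bgp_ip": "10.10.0.1"},  # allowed
    {"gateway": "gw-b", "wan": "wan1", "asn": 65010, "bgp_ip": "10.20.0.1"},  # ASN reused
    {"gateway": "gw-c", "wan": "wan1", "asn": 65030, "bgp_ip": "10.30.0.1"},
]
HUBS = [
    {"name": "hub-east", "asn": 65101, "bgp_ip": "10.100.0.4"},
    {"name": "hub-west", "asn": 65102, "bgp_ip": "10.100.0.4"},  # address reused
]

def _shared(kind, rows):
    """rows: (owner, asn, ip). Report any ASN or address held by two owners."""
    out = []
    for label, idx in (("ASN", 1), ("BGP address", 2)):
        holders = defaultdict(set)
        for row in rows:
            holders[row[idx]].add(row[0])
        for value, names in holders.items():
            if len(names) > 1:
                out.append(f"{kind} {label} {value} shared by {', '.join(sorted(names))}")
    return out

def check_bgp_identities(sites, hubs):
    """Return a sorted list of violations of the three ASN/BGP items above."""
    problems, by_gateway = [], defaultdict(list)
    for s in sites:
        by_gateway[s["gateway"]].append(s)
    site_rows = []
    for gw, reps in by_gateway.items():
        idents = {(r["asn"], ip_address(r["bgp_ip"])) for r in reps}
        if len(idents) > 1:  # one gateway must keep one ASN and one address
            problems.append(f"gateway {gw}: VPN Sites disagree on ASN/BGP address")
        wans = [r["wan"] for r in reps]
        if len(wans) != len(set(wans)):  # assumed reading of "in different WANs"
            problems.append(f"gateway {gw}: several VPN Sites in one WAN")
        site_rows += [(gw, asn, ip) for asn, ip in idents]
    problems += _shared("VPN Site", site_rows)
    problems += _shared("Virtual Hub",
                        [(h["name"], h["asn"], ip_address(h["bgp_ip"])) for h in hubs])
    return sorted(problems)

if __name__ == "__main__":
    for line in check_bgp_identities(SITES, HUBS):
        print(line)
```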