Limitations
- Supports Check Point Management Servers version R81.20 only.
- Anti-Spoofing is not supported.
- Stateful failover is supported for VPN, Inbound & East-West.
- Site-to-Site and Remote Access VPN are supported only with the Primary Elastic IP (VIP). You cannot use additional Elastic IP addresses for VPN.
- Adding more Elastic Network Interfaces (ENIs) is not supported.
  If the secondary IP limit for your instance size is reached, you can increase the instance size to allow additional secondary IP addresses. See AWS secondary IPs limit per instance size.
- When configuring inbound protection with NAT rules, the failover for these connections is stateless, because the secondary IP is different on each Cluster member.
- When configuring inbound protection with NAT rules, these connections are not accelerated by SecureXL.
- QoS is not applied to interfaces when Route Based VPN is configured. See sk36157.
- The maximum number of secondary private IP addresses and associated Elastic IP addresses on the network interface (ENI) depends on instance size (see IP addresses per network interface per instance type).
- When using Identity Awareness with the collection method "Captive Portal" and configuring the portal to run on the Cross-AZ Cluster, you can set the portal's IP only to the Cluster's public IP.
  Note - When you set the portal's IP to the Cluster's public IP, make sure that the Cluster's public IP is routable from all the hosts that are redirected to the portal.
- IPv6 is not supported.