Known Limitations
-
IPv6-only Virtual Machines (VMs) or Virtual Machine Scale Sets (VMSS) are not supported. IPv6/IPv4 VMs or VMSS are supported. Refer to sk170760 and sk163313 for more information.
-
Only Azure Resource Manager (ARM) deployments are supported.
Deployment in the Azure classic environment is not supported.
-
Azure Load Balancers have limits on the number of supported front-end IP addresses.
See Microsoft documentation on Azure Networking Limits.
-
East-West traffic inspection between peered VNETs is supported only for RFC 1918 private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
-
Anti-Spoofing is disabled by default on the VMSS instances eth0 and eth1 and must not be enabled.
-
CloudGuard Metrics are available in a subset of Azure regions. For more information, see the Azure Monitor Supported Regions documentation.
-
If the Endpoint Policy Management Software Blade is enabled on the Security Management Server, then the Autoprovision feature is not supported.
-
Azure DNS does not replace client DNS servers. It can be used in addition to public and ISP DNS servers. For more information, see Microsoft Azure DNS documentation.
-
Policy Server (Desktop Policy) is not supported.
-
For Endpoint Security managed clients, enforcement of the Firewall policy from the SmartConsole is not supported.
-
For Endpoint Security managed clients, configuration of SCV checks from the Security Gateway is not supported.
-
Hub Mode (Route-All-Traffic) is not supported.
-
Editing of Login Options and Legacy Authentication is not supported.
-
Automatic MEP Topology is not supported.
-
Machine Authentication is not supported.
-
For Endpoint Security VPN, SecuRemote flavor is not supported.
-
Connection enhancements for Security Gateways with multiple external interfaces (also known as "magic button") are not supported.
-
Site to Site VPN is not supported.
-
Creating a VMSS environment with a name for the Load Balancer that is different from the default ("frontend-lb" or "backend-lb") is not supported.
-
Remote Access VPN is not supported.
-
Modifying NIC names in Azure is not supported. The NIC names must remain "eth0", "eth1".
-
Instance Level Public IP (ILPIP) Address Management
Because of Microsoft Azure design, if you deploy a Check Point Security Gateway with an ILPIP address to manage the VMSS by its public IP addresses:
-
Each instance is configured in Check Point SmartConsole with the original (first) ILPIP address.
-
If the deployed Check Point Security Gateway is restarted, the ILPIP address could be released by Microsoft Azure and a new IP address is dynamically allocated.
In this case:
-
The Check Point Security Gateway continues to work.
-
The Check Point Management Server is no longer able to communicate with the Check Point Security Gateway (this affects policy installation, receiving logs, and monitoring).
To fix communication issues:
-
Delete the instance in Azure portal and let Azure bring up a new instance (which is then automatically recognized by the Check Point Management Server)
-
a. Reset SIC in SmartConsole and on the Check Point Security Gateway instance.
b. In SmartConsole, manually change the IP address of the Check Point Security Gateway object to the new dynamically assigned IP address.
c. In SmartConsole, manually initialize SIC.
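One way to detect the ILPIP change described above before policy installation or logging fails. This is an added example, not Check Point or Microsoft code; the instance names, addresses and the two inventory dictionaries are constructed, and how you export them from the Management Server and from Azure is assumed.

```python
import ipaddress

# Constructed sample data (not from the page): gateway objects as recorded on
# the Management Server, and the ILPIP each VMSS instance currently holds.
MGMT_OBJECTS = {
    "vmss-gw_0": "203.0.113.10",
    "vmss-gw_1": "203.0.113.11",
    "vmss-gw_2": "203.0.113.12",
}
AZURE_INSTANCES = {
    "vmss-gw_0": "203.0.113.10",   # unchanged since deployment
    "vmss-gw_1": "198.51.100.27",  # restarted, Azure allocated a new ILPIP
    "vmss-gw_3": "198.51.100.40",  # new instance, not yet in management
}


def classify_ilpip(mgmt, azure):
    """Return {name: status} comparing recorded and current ILPIP addresses."""
    report = {}
    for name in sorted(set(mgmt) | set(azure)):
        recorded, current = mgmt.get(name), azure.get(name)
        if recorded is None:
            report[name] = "unmanaged"   # instance exists, no gateway object yet
        elif current is None:
            report[name] = "orphaned"    # gateway object left over, instance gone
        elif ipaddress.ip_address(recorded) == ipaddress.ip_address(current):
            report[name] = "ok"
        else:
            # The gateway still passes traffic, but policy installation, logs
            # and monitoring fail until the instance is replaced or the object
            # IP and SIC are updated.
            report[name] = "drifted"
    return report


def needs_action(report):
    """Names whose management channel is broken by an ILPIP change."""
    return [name for name, status in report.items() if status == "drifted"]


if __name__ == "__main__":
    result = classify_ilpip(MGMT_OBJECTS, AZURE_INSTANCES)
    for name, status in result.items():
        print(f"{name}: {status}")
    print("fix required:", ", ".join(needs_action(result)))
```
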
-
|
Notes:
|