Known Limitations
-
Refer to sk109141 for more information on supported Jumbo Hotfix Accumulators.
-
Refer to sk157492 for more information about CME limitations.
-
To manage R80.20 VMSS with R80.10 Management Server, you must install R80.10 Jumbo Hotfix Accumulator - Take 169 and above.
-
IPv6 is not supported.
-
Only Azure Resource Manager (ARM) deployments are supported.
Deployment in the Azure classic environment is not supported.
-
Azure Load Balancers have limits. There is a limit on the number of front-end IP addresses it supports.
See Microsoft documentation on Azure Networking Limits.
-
East-West inspection between peered VNETs is supported only for RFC 1918 private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
-
Anti-Spoofing is disabled by default on the VMSS instances eth0 and eth1 and must not be enabled.
-
CloudGuard Metrics are available in a subset of Azure regions. For more information, see the Azure Monitor Supported Regions documentation.
-
If the Endpoint Policy Management Software Blade is enabled on the Security Management Server, then the Autoprovision feature is not supported.
-
Azure DNS does not replace the client's DNS Servers. It can be used in addition to public and ISP DNS servers. For more information, see Microsoft Azure DNS documentation.
-
Policy Server (Desktop Policy) is not supported.
-
For Endpoint Security managed clients, enforcement of the Firewall policy from the SmartConsole is not supported.
-
For Endpoint Security managed clients, configuration of SCV checks from the Gateway is not supported.
-
Hub Mode (Route-All-Traffic) is not supported.
-
Edit of Login Options and Legacy Authentication is not supported.
-
Automatic MEP Topology is not supported.
-
Machine Authentication is not supported.
-
For Endpoint Security VPN, SecuRemote flavor is not supported.
-
Connection enhancements for gateways with multiple external interfaces (also known as "magic button") are not supported.
-
Site to Site VPN is not supported.
-
Creating a VMSS environment with a name for the Load Balancer that is different from the default ("frontend-lb" or "backend-lb") is not supported.
-
Remote Access VPN is not supported.
-
Modifying NIC names in Azure is not supported. The NIC names must remain "eth0", "eth1".
-
Instance Level Public IP (ILPIP) address
Because of Microsoft Azure design, if you deploy a Check Point Security Gateway with an ILPIP address to manage the VMSS by its public IP addresses:
-
Each instance is configured in Check Point SmartConsole with the original (first) ILPIP address.
-
If the deployed Check Point Security Gateway is restarted, the ILPIP address could be released by Microsoft Azure and a new IP address is dynamically allocated.
In this condition:
-
The Check Point Security Gateway continues to function.
-
But, the Check Point Management Server is no longer able to communicate with the Check Point Security Gateway (this affects policy installation, receiving logs, and monitoring).
These two options are available:
-
Delete the instance in Azure portal and let Azure bring up a new one (which is then automatically recognized by the Check Point Management Server).
-
a. Reset the SIC in SmartConsole and on the Check Point Security Gateway instance.
b. In SmartConsole, manually change the IP address of the Check Point Security Gateway object to the new dynamically assigned IP address.
c. In SmartConsole, manually initialize the SIC.
-
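The following is an added example, not part of the Check Point documentation: a pre-deployment check for two limitations in the list above (East-West inspection only for RFC 1918 networks, and no IPv6 support). The VNET names and prefixes are constructed, and treating a prefix that only partly overlaps RFC 1918 space as unsupported is an assumption.

```python
import ipaddress

# The three RFC 1918 blocks named in the limitation. ipaddress.is_private is
# broader than RFC 1918, so the blocks are compared explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_prefix(prefix):
    """Return (ok, reason) for one VNET address prefix."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"invalid prefix: {exc}"
    if net.version == 6:
        return False, "IPv6 is not supported"
    for block in RFC1918:
        if net.subnet_of(block):
            return True, f"inside {block}"
    # A prefix can straddle an RFC 1918 boundary (assumed unsupported here).
    if any(net.overlaps(block) for block in RFC1918):
        return False, "only partly inside RFC 1918 space"
    return False, "outside RFC 1918 space"


def audit_vnets(vnets):
    """Map VNET name -> [(prefix, reason)] for failing prefixes; {} means clean."""
    findings = {}
    for name, prefixes in vnets.items():
        bad = [(p, reason) for p in prefixes
               for ok, reason in [classify_prefix(p)] if not ok]
        if bad:
            findings[name] = bad
    return findings


# Constructed sample inventory (hypothetical VNET names and prefixes).
SAMPLE_VNETS = {
    "hub-vnet": ["10.0.0.0/16"],
    "spoke-app": ["172.16.8.0/22", "192.168.10.0/24"],
    "spoke-cgnat": ["100.64.0.0/10"],   # shared address space, not RFC 1918
    "spoke-wide": ["172.0.0.0/8"],      # contains 172.16.0.0/12 plus public space
    "spoke-v6": ["10.2.0.0/16", "fd00:db8::/48"],
}

if __name__ == "__main__":
    for vnet, issues in audit_vnets(SAMPLE_VNETS).items():
        for prefix, reason in issues:
            print(f"{vnet}: {prefix}: {reason}")
```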