Known Limitations
-
Refer to sk109141 for more information on supported Jumbo Hotfix Accumulators.
-
Refer to sk157492 for more information about CME limitations.
-
To manage R80.20 VMSS with R80.10 Management Server, you must install R80.10 Jumbo Hotfix Accumulator - Take 169 and above.
-
IPv6 is not supported.
-
Only Azure Resource Manager (ARM) deployments are supported.
Deployment in the Azure classic environment is not supported.
-
Azure Load Balancers have limits, including a limit on the number of front-end IP addresses that a Load Balancer supports.
See Microsoft documentation on Azure Networking Limits.
-
East-West inspection between peered VNETs is supported only for RFC 1918 private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
-
Anti-Spoofing is disabled by default on the VMSS instances eth0 and eth1 and must not be enabled.
-
CloudGuard Metrics are available in a subset of Azure regions. For more information, see the Azure Monitor Supported Regions documentation.
-
If the Endpoint Policy Management Software Blade is enabled on the Security Management Server, then the Autoprovision feature is not supported.
-
Azure DNS does not replace the client's DNS Servers. It can be used in addition to public and ISP DNS servers. For more information, see Microsoft Azure DNS documentation.
-
Policy Server (Desktop Policy) is not supported.
-
For Endpoint Security managed clients, Enforcement of the Firewall policy from the SmartConsole is not supported.
-
For Endpoint Security managed clients, configuration of SCV checks from the Gateway is not supported.
-
Hub Mode (Route-All-Traffic) is not supported.
-
Edit of Login Options and Legacy Authentication is not supported.
-
Automatic MEP Topology is not supported.
-
Machine Authentication is not supported.
-
For Endpoint Security VPN, SecuRemote flavor is not supported.
-
Edit of Office Mode configuration is not supported. This includes Office Mode IP Address for each User (IPAssignment.conf).
-
Edit of Link Selection configurations is not supported.
-
Anti-Spoofing on Office Mode addresses is not supported.
-
Connection enhancements for gateways with multiple external interfaces (also known as "magic button") are not supported.
-
Site to Site VPN is not supported.
-
Creating a VMSS environment with a name for the Load Balancer that is different from the default ("frontend-lb" or "backend-lb") is not supported.
-
Instance Level Public IP (ILPIP) address
Because of Microsoft Azure design, if you deploy a Check Point Security Gateway with an ILPIP address to manage the VMSS by its public IP addresses:
-
Each instance is configured in Check Point SmartConsole with the original (first) ILPIP address.
-
If the deployed Check Point Security Gateway is restarted, the ILPIP address could be released by Microsoft Azure and a new IP address is dynamically allocated.
In this condition:
-
The Check Point Security Gateway continues to function.
-
But, the Check Point Management Server is no longer able to communicate with the Check Point Security Gateway (this affects policy installation, receiving logs, and monitoring).
These two options are available:
-
Delete the instance in Azure portal and let Azure bring up a new one (which is then automatically recognized by the Check Point Management Server)
-
Manually reset the SIC:
a. Reset the SIC in SmartConsole and on the Check Point Security Gateway instance.
b. In SmartConsole, manually change the IP address of the Check Point Security Gateway object to the new dynamically assigned IP address.
c. In SmartConsole, manually initialize the SIC.
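
A pre-deployment check for the East-West inspection and IPv6 limitations listed above, as an added example (not Check Point or Microsoft code). The VNET names and address prefixes are constructed sample data, and it assumes you have already exported each peered VNET's address prefixes as strings.

```python
import ipaddress

# The three RFC 1918 blocks named in the East-West inspection limitation.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_prefix(prefix):
    """Return (status, reason) for one VNET address prefix."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return ("invalid", str(exc))
    if net.version == 6:
        return ("unsupported", "IPv6 is not supported")
    # subnet_of() requires the whole prefix to sit inside one RFC 1918 block.
    # ip_network.is_private is deliberately not used: it is also True for
    # ranges such as 169.254.0.0/16, which are outside RFC 1918.
    if any(net.subnet_of(block) for block in RFC1918):
        return ("ok", "inside RFC 1918")
    if any(net.overlaps(block) for block in RFC1918):
        return ("unsupported", "only partly inside RFC 1918")
    return ("unsupported", "outside RFC 1918")

def audit(vnets):
    """Map VNET name -> [(prefix, status, reason)] for prefixes that are not ok."""
    findings = {}
    for name, prefixes in vnets.items():
        rows = [(p, *check_prefix(p)) for p in prefixes]
        rows = [r for r in rows if r[1] != "ok"]
        if rows:
            findings[name] = rows
    return findings

# Constructed sample input (hypothetical VNET names and prefixes).
SAMPLE_VNETS = {
    "hub-vnet": ["10.0.0.0/16"],
    "spoke-a": ["172.32.0.0/16"],                     # just past 172.16.0.0/12
    "spoke-b": ["192.168.10.0/24", "fd00:db8::/48"],  # second prefix is IPv6
    "spoke-c": ["192.168.0.0/15"],                    # wider than 192.168.0.0/16
    "spoke-d": ["169.254.10.0/24"],                   # is_private, not RFC 1918
}

if __name__ == "__main__":
    for name, rows in audit(SAMPLE_VNETS).items():
        for prefix, status, reason in rows:
            print(f"{name}: {prefix} {status} ({reason})")
```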