Limitations
-
Changes in connection properties (such as credentials or URL) of existing Data Center Servers will take effect (for example, importing objects, updating objects, and so on) only after policy installation on all the Security Gateways that have Data Center Objects from this Data Center Server (VSECC-589).
-
In a High-Availability deployment, the Standby server does not have complete Data Center information. The message "Standby machine (partial data)" appears in SmartView or when you run "cpstat vsec" from the CLI (VSECC-311).
-
For Multi-Domain Management Server HA managing a VSX gateway, a domain server must be deployed on all MDS servers that manage the VSX gateway installed with imported Data Center Objects.
Note: This instruction applies to the VSX object. This is not mandatory for the virtual systems (VSECC-1069).
-
IPv6 information is not imported for Data Center Objects in Public Cloud (VSECC-1097).
-
VS Cluster's first policy installation should not include Data Center Objects (VSECC-1070).
Note: If this cannot be achieved, a full-sync must be run on the cluster. Run these commands on the Standby member:
-
fw ctl setsync off
-
fw ctl setsync start
-
Non-ASCII characters (non-English languages) in 'Data Center Server' properties (i.e., user, password and shared secret fields) are not supported. If an object name contains one of the above characters, enforcement will not work (VSECC-1064).
-
If a Data Center Object's name includes non-ASCII characters (non-English languages), enforcement will work, but its name might not be displayed properly in Security Logs and Events (VSECC-1064).
-
After executing the commands reboot, cprestart, and cloudguard off, Data Centers that have no imported objects are not automatically shown in the Data Center table. To see the Data Centers in the table, open each Data Center individually in SmartConsole (VSECC-422).
-
CloudGuard Objects (Data Center Servers and Data Center Objects) are not supported in Global Domain (VSECC-1063).
-
Cluster objects (ClusterXL and 3rd party Cluster with the exception of CloudGuard for NSX) must be configured with reachable VIP as the main Cluster IP address to receive updates on Data Center imported objects (VSECC-1059).
-
Policy Verification for overlapping, hiding, or contradicting rules that include Data Center Objects is not supported (VSECC-1066).
-
If a Security Gateway works with CloudGuard Controller and other Identity Sources, there must not be IP addresses belonging to Data Center Objects also associated with Machines in other Identity Sources. Such overlapping can result in disassociation of the IP addresses from either the Data Center Object, or Access Roles with such Machines, and improper Security Policy enforcement (VSECC-1071).
-
If a Data Center Object name contains these characters in its name (VSECC-1065):
-
"{" - opening curly bracket
-
"}" - closing curly bracket
-
"[" - opening square bracket
-
"]" - closing square bracket
-
"<" - less than
-
">" - greater than
Then, the Data Center Object name will appear in SmartLog with double quotes "" without content, instead of each of the above characters. For example: "{Name1}" will appear as "Name1_".
-
Logs for rules with Subnets, AWS Security Groups, Microsoft Azure Network Security Groups or VMware NSX Security Groups will contain only the IP address, and will not contain the instance name (VSECC-1096).
-
Data Center Tags (VSECC-1098):
-
Tag keys and values longer than 100 characters will be truncated to the first 100 characters, and "..." will be appended to the end of the tag.
-
In Microsoft Azure, Tag keys are case-insensitive, whereas Tag values are case-sensitive. In CloudGuard Controller, both Tag key and Tag value will be treated as case-sensitive. Meaning, the same key/value in different cases will be shown on 2 different lines in SmartConsole.
-
The IP addresses of Data Center Objects that were deleted from the Data Center while CloudGuard Controller was stopped are not removed from the Security Gateway when CloudGuard Controller starts and scans the Data Center again (VSECC-1580).
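
The object-name and tag limitations above (VSECC-1064, VSECC-1065, VSECC-1098) can be checked against an inventory export before objects are imported. The following Python script is an added example, not Check Point code; the inventory structure, the function names and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

BRACKETS = set("{}[]<>")   # characters listed under VSECC-1065
TAG_LIMIT = 100            # display limit stated under VSECC-1098

def displayed_tag(text):
    """Tag key or value as displayed: first 100 characters plus '...'."""
    return text if len(text) <= TAG_LIMIT else text[:TAG_LIMIT] + "..."

def audit(objects):
    """Return (object name, limitation ID, detail) tuples for an inventory."""
    findings = []
    spellings = defaultdict(set)   # lower-cased tag key -> spellings seen
    for obj in objects:
        name = obj["name"]
        if not name.isascii():
            findings.append((name, "VSECC-1064", "non-ASCII characters in name"))
        hits = "".join(sorted(BRACKETS & set(name)))
        if hits:
            findings.append((name, "VSECC-1065", "name contains " + hits))
        for key, value in obj.get("tags", {}).items():
            spellings[key.lower()].add(key)
            for part in (key, value):
                if len(part) > TAG_LIMIT:
                    findings.append((name, "VSECC-1098",
                                     "tag shown as " + displayed_tag(part)))
    # Azure treats these keys as one; the Controller lists each spelling separately.
    for variants in spellings.values():
        if len(variants) > 1:
            findings.append(("*", "VSECC-1098",
                             "tag key case variants: " + ", ".join(sorted(variants))))
    return findings

# Constructed sample inventory (hypothetical objects, not real data).
SAMPLE = [
    {"name": "{Name1}", "tags": {"Env": "Prod"}},
    {"name": "web-01", "tags": {"env": "Prod", "owner": "x" * 120}},
    {"name": "bd-\u00e9quipe", "tags": {}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Findings tagged with the object name "*" apply across the whole inventory rather than to a single object.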