Check Point R81.10.X for 1500, 1600, and 1800 appliance Known Limitations and Resolved Issues
Solution ID: sk178604
Product: Quantum Spark Appliances
Version: R81.10.x
OS: Gaia Embedded
Platform / Model: 1500, 1570R, 1600, 1800
Date Created: 30-Jun-2022
Last Modified: 08-Jun-2023
Solution
This article provides a list of Supported Features, Unsupported Features, Known Limitations, and Resolved Issues for Check Point R81.10.x versions on Quantum Spark Appliances.
This is a live document that may be updated without special notice. We recommend that you register for our weekly updates in order to stay up to date. To register, go to UserCenter > ASSETS / INFO > My Subscriptions.
This article contains two sections:
Supported and Unsupported Features
Known Limitations and Resolved Issues
Important Notes:
Embedded Gaia software inherits its code base from the R81.10 GA version of enterprise appliances. Therefore, although not specifically mentioned, the R81.10 Quantum Spark Gateways inherit all maintrain limitations (see sk170418).
All Known Limitations with ID 010XXXX (not SMB-XXX) originate in R77.20 versions.
For the complete list of R80.20.X Known Limitations, refer to sk159772.
Supported and Unsupported Features
Note - All features available on a Locally Managed appliance are also available in the Quantum Spark Portal (SMP portal).
Unified Access

| Blade / Feature | Locally Managed | Centrally Managed | Comments |
|---|---|---|---|
| Access Rules | Yes | Yes | |
| Application Control Blade | Yes | Yes | |
| URL Filtering Blade | Yes | Yes | |
| Content Awareness | No | No | |
| QoS | Yes | Yes | |
| Data Loss Prevention (DLP) Blade | No | No | |
| Geo Protection | Yes | Yes | |
| Network Address Translation (NAT) | Yes | Yes | |
| HTTP/HTTPS proxy | No | No | |
| UserCheck | Yes | Yes | UserCheck client on endpoint computers is not supported |
| Hotspot portal | Yes | Yes | |
| Rule Hit Count | No | No | |
| Domain Object | Yes | Yes | |
| Time Objects | Yes | Yes | |
| Updatable Objects | Yes | Yes | |
| Suspicious Activity Monitoring (SAM) Rules | No | No | |
| Rule Base Layers | No | Yes | |
| Security Zones | No | Yes | |
| Data Center objects | No | Yes | |

SSL Inspection

| Blade / Feature | Locally Managed | Centrally Managed | Comments |
|---|---|---|---|
| Inbound HTTPS Inspection | No | Yes | |
| Probing | Yes | Yes | |
| Categorization enabled with full SSL inspection | Yes | Yes | |
| HTTPS layers | No | Yes | |
| HTTP/2 | Yes | Yes | |
| SSL bypass by FQDN / Updatable Object | Yes | Yes | |
| TLS 1.3 | No | No | |

Identity Awareness

| Blade / Feature | Locally Managed | Centrally Managed | Comments |
|---|---|---|---|
| AD Query | Yes | Yes | |
| Azure AD | No | No | |
| RADIUS Accounting | No | No | |
| Identity Collector | Yes | Yes | |
| Identity Broker | No | Yes | Support at the Early Availability level in the Centrally Managed mode |

Infinity Portal Applications

| Blade / Feature | Locally Managed | Centrally Managed | Comments |
|---|---|---|---|
| IoT Protect | No | Yes | Available from R81.10.05 |
| SD-WAN | No | Yes | Available from R81.10.05 (at the Early Availability level) in the Centrally Managed mode |

VPN and Remote Access

| Blade / Feature | Locally Managed | Centrally Managed | Comments |
|---|---|---|---|
| Central VPN Gateway in Star VPN communities | Yes | No | Locally Managed by SMP. Limited to serve 5 Satellite Gateways (starting from R81.10.05). |
| Satellite VPN Gateway in Star VPN communities | Yes | Yes | |
| IPSec VPN Blade | Yes | Yes | |
| Mobile Access Blade | Partial | Partial | Remote Access VPN clients are supported (Endpoint, SNX). Mobile Access Web Portal is not supported. |
| VTI | Yes | Yes | |
| Traditional VPN Mode | No | No | |
| Secure Configuration Verification (SCV) and Desktop policy | No | No | |
| Multiple Entry Points (MEP) | No | Yes | |
Multiple Entry Points (MEP) using Dead Peer Detection (DPD) with 3rd-party VPN peers
The following limitations are known in R81.10 for Quantum Spark Appliances. Note that for each entry, there is a column for the version the limitation was found in, and another column for the version in which this limitation was fixed (thus becoming a resolved issue).
All previous limitations are relevant to the following version unless stated as resolved.
ID
Description
Found In
Resolved In
General
-
-
Gaia Embedded
SMB-12119
A USB storage device used for clean installation of a new image on the 1500 series must be formatted with FAT32 file-system.
R81.10.00
-
-
'Gaia OS' Best Practices are not supported for 1550 / 1590 appliances. Refer to sk108416.
R81.10.00
-
SMB-10086
Certain CLISH commands allow configuration of a DMZ interface even though there is no DMZ port on the appliance (relevant to V0 only).
R81.10.00
-
Threat Prevention
SMB-12009
In a rare scenario, malicious emails detected by IMAP inspection are not deleted from the client. Note: The malicious content is NOT downloaded.
R81.10.00
-
SMB-13721
SNORT rules are not supported.
R81.10.00
-
SMB-9988
The "Import IPS protections" option fails if done via the WebUI. Offline updates can be installed via CLI.
R81.10.00
-
SMB-12965
Anti-Spam is supported only when SMTP is outside the branch. If SMTP is inside the branch, it should work with port forwarding.
R81.10.00
-
SMB-10433
In Centrally Managed Gateways, you cannot fetch the IPS package from Management.
Workaround:
To install the package:
Enter expert mode.
Copy $FWDIR/state/local/AMW/local.sd_updates to /storage partition.
Policy installation in SmartConsole might fail with the "Error code 1-2000232" after a firmware upgrade from R81.10.00 to R81.10.05. To avoid the error, in the "Install Policy" window, right-click the Quantum Spark Gateway object and select the option "Do not use Install Policy Acceleration for all targets". This is only needed one time after a firmware upgrade.
R81.10.05
-
SMBGWY-2442
When configuring the First Time Configuration Wizard from the WAN interface, you cannot set the SIC One-Time-Password immediately after the FTW. To set it you need to refresh your web browser first.
R81.10.00
-
Hardware - General
SMB-14272
SFP-DSL is supported in Automatic mode only.
R81.10.00
-
SMB-19564
Use of the EXT port on 1800 Quantum Spark appliance is currently not supported.
R80.20
-
SMB-14263
To disable the "Connect to the appliance by name from the Internet (DDNS)" option, it is necessary to enter the DDNS password again.
R81.10.00
-
SMB-13955
These statistics are not available from the SFP DSL modem:
RS Code Words
RS Corrected Errors
Configured G.Inp
Vectoring
HEC Errors
R81.10.00
-
SMB-13373
In 1800 appliances: When working in manual mode on the DMZ port, only 100Mbps and 10Mbps link speed are supported.
R81.10.00
-
SMB-12254
1570R, 1600 and 1800 WAN and DMZ ports support copper RJ45 and fiber interfaces. Each port can only use one interface. If both the copper and fiber of the same port are plugged in, the port may experience stability issues.
R81.10.00
-
SMB-14272
SFP-DSL supports automatic mode only.
R81.10.00
-
Hardware - Flash
-
-
Hardware - CPU
-
-
Hardware - WiFi
02340182
When more than one VAP is added to a local network switch or bridge, it cannot be unassigned. Workaround: Delete it and then recreate it.
R81.10.00
-
SMB-13068
In rare conditions, when you enable DHCP or Relay for the bridged interface between LAN and WiFi, this message appears: "Can not add more DHCP scopes for that network." This message can be safely ignored.
R81.10.00
R81.10.05
Hardware - LTE
-
-
Hardware - USB
SMB-12119
A USB storage device used for clean installation of a new image on the 1500 series must be formatted with FAT32 file-system.
R81.10.00
-
SecureXL
SMB-17073
Internal traffic for which the source and destination are both bridges is dropped when SXL is enabled.
R81.10.00
-
SMBGWY-2444
The SecureXL penalty box mechanism is not supported.
R81.10.00
-
ClusterXL
SMBGWY-2804
Cluster cannot be used with GRE.
R81.10.07
SMBGWY-749
In Locally and Centrally Managed appliances, when a Cluster Virtual IP address belongs to a different subnet than the Internet connections of the cluster member appliances, the "probe-next-hop" option is not available in the Internet connection properties (the first option on the "Monitoring" tab).
R81.10.00
R81.10.05
SMB-16461
In locally managed Quantum Spark appliance clusters: When you configure a new network interface to High Availability after the secondary member was already connected, the cluster breaks.
It is not supported to configure a Cluster of Quantum Spark Appliances when an Internet connection is a Bond interface.
R81.10.00
R81.10.05
SMB-11948
In locally managed mode, a bond cannot be part of a cluster interface (same as with a switch and bridge).
R81.10.00
R81.10.05
SMBGWY-2468
When configuring a cluster and setting DHCP on one of the cluster interfaces, a DHCP server might include the other cluster member's IP address in its available IP addresses range. Therefore, the DHCP server might serve this IP to another computer in the same network, which will cause connectivity issues.
Workaround: Manually exclude the other cluster member's IP address from the range.
R81.10.00
R80.20
SMBGWY-2469
Before configuring a local cluster, make sure that the sync interface is unassigned by checking the Device > Local Network page in the WebUI.
R81.10.00
-
SMBGWY-2470
Cluster mode configuration of the gateway is supported from the WebUI only.
R81.10.00
-
SMBGWY-2471
When configuring a cluster, you can only use a LAN interface as the Sync interface.
R81.10.00
-
SMBGWY-2472
Configuring a Cluster Virtual IP address in a PPP interface is not supported, but the interface can still be monitored by ClusterXL.
R81.10.00
-
SMBGWY-2633
When defining a local cluster with the "Strict" Firewall mode enabled, a manual internal rule must be defined in the WebUI to allow connectivity between the cluster members on the sync interface.
R81.10.00
-
SMBGWY-2473
In rare cases, during cluster creation or after upgrading a cluster, an "Error 00361" message is shown. This error may indicate a temporarily busy database.
Workaround: Go to the secondary cluster member, disconnect it from the cluster, and then reconnect it.
R81.10.00
R81.10.05
SMBGWY-2474
In Locally Managed small office appliances, initiate reboot after cluster reset.
R81.10.00
-
SMBGWY-2475
Following 'cpstop;cpstart' of an HA cluster member that is standby or down, it can take a few minutes for the 'cpha' state to come back up. During this time, the active member is up and running, so there is no connectivity loss.
R81.10.00
R81.10.05
SMB-9837
The "Force Member Down" button does not work in a local cluster configuration when the Internet connection interface is set to "Monitored" and the cluster members do not have similar Internet connection names.
Workaround: Rename the Internet connections so that they are the same for both cluster members.
R81.10.00
R81.10.05
-
Configuring Switch on network interfaces is not supported in Cluster High Availability mode. Configuring bridge on network interfaces is supported in Cluster High Availability in Centrally Managed mode only.
R81.10.00
-
Networking - General
SMB-19490
When multiple internet connections are configured in 'High Availability' mode, NATed services behind the standby internet connection cannot be accessed.
R81.10.00
-
SMB-17652
BFD monitoring is not supported for static routes on Quantum Spark appliances.
R81.10.00
-
SMB-15419
Configuring a LAN port as internet connection is not supported with IPv6 internet connection types.
R81.10.00
-
VPNS2S-2220
When you use the "Connection Monitoring" feature, you must specify a reachable server or the system will disconnect. If no reachable DNS server exists within the network, disable the "Connection Monitoring" feature.
R81.10.00
-
Networking - Bond
SMB-14226
If an interface is a Bond slave, the Clish commands set interface <Name of Interface> state off and set interface <Name of Interface> down fail and this error message appears: "Could not set interface: Internal Error."
R81.10.00
-
SMB-13639
Monitor mode can only be configured for LAN1, LAN2, LAN5, LAN6, and LAN7.
R81.10.00
-
Networking - Bridge
SMBGWY-2477
When the WAN Internet connection is configured as PPPoE, an Anti-Spoofing warning appears in SmartView Tracker. You can safely ignore the warning.
R81.10.00
-
SMBGWY-2478
Bridge interfaces cannot be disabled.
R81.10.00
-
SMB-13068
In rare conditions, when you enable DHCP or Relay for the bridged interface between LAN and WiFi, this message appears: "Can not add more DHCP scopes for that network." This message can be safely ignored.
R81.10.00
R81.10.05
SMB-6597, SMB-6663
When multiple Internet connections are configured on one physical interface in High Availability mode, and primary connection failover occurs without the main connection going down/restarting, traffic will continue to be routed for the previous primary connection for more than the routing cache lifetime (20 seconds) if the QoS blade is configured.
R81.10.00
-
SMB-12567
Asymmetric-routing is not supported for SNMP traffic.
R81.10.00
-
SMB-10543
Embedded Gaia appliances conform to the Maintrain bridge (L2) limitations listed in sk101371.
R81.10.00
-
DNS
SMBGWY-2441
We recommend that you configure DNS to resolve both internal and external domains.
DNS that does not resolve external domains may impact gateway operations.
R81.10.00
-
Networking - Dynamic Routing
SMBGWY-1355
In WebUI, the "Device" view > section "Advanced Routing" > page "OSPF" > section "Interfaces" does not show VLAN interfaces.
Workaround: To configure OSPF on VLAN interfaces, use Gaia Clish commands.
R81.10.05
-
SMB-17496
When configuring a BGP connection with MD5 encryption to a Quantum Spark cluster, a connection cannot be established.
R81.10.00
R81.10.05
SMB-14228
The 1600/1800 appliances support up to 1000 routes of all types.
R81.10.00
-
01475633
The CLISH command "show configuration" does not show dynamic routing configuration.
R81.10.00
R81.10.05
SMBGWY-2480
BGP MD5 is not supported.
R81.10.00
R81.10.05
SMBGWY-2481
Policy-based routing rules are not enforced on POP3 traffic when the Anti-Virus or Anti-Spam blades are active and set to inspect POP3 traffic. Policy-based routing rules are also not enforced on SMTP traffic when inspecting outgoing SMTP traffic is configured.
R81.10.00
-
CLI
SMB-12375
Attempting to assign the pivot port of a switch to a bridge using the CLI fails, but does not display an error.
R81.10.00
-
SMBGWY-2482
File related configuration (certificates, customized logo for portals) is not supported.
R81.10.00
-
CPView
SMB-16256
CPView is supported in Gaia Embedded appliances, but the History feature is not supported on the 1500 series.
R81.10.00
-
HTTPS Inspection
-
R81.10.00
-
IPS
SMB-9988, SMB-10104
"Import IPS protections" option is not supported on the WebUI. Offline updates can be installed via CLI.
R81.10.00
-
SMBGWY-2484
The IPS protection "Non compliant HTTP" drops a valid HTTP reply containing an empty zip file.
R81.10.00
-
SMBGWY-2486
Using autocomplete in CLISH after the parameter protection-name in IPS configuration takes several minutes to show all options.
R81.10.00
-
SMB-12874
On a Locally Managed Quantum Spark appliance, you can configure exceptions for the IPS protections listed below, even though they do not support Threat Prevention exceptions. Note - The protections are still enforced.
Ping of Death
SYN Attack
Sequence Verifier
Teardrop
R81.10.00
-
Application Control
SMBGWY-2487
The Signature Tool for Custom Application Control and URL Filtering Applications is not supported for Locally Managed Small Office appliances.
R81.10.00
-
SMBGWY-2488
Using autocomplete in CLISH after the parameter application name in Application Control configuration takes several minutes to show all options.
R81.10.00
-
SMBGWY-2490
In Locally Managed devices, it is not possible to configure Applications in policy base for incoming / VPN traffic. They can be configured using LAN as internet connections.
R81.10.00
-
SMB-2558
Adding a CLI category name for Application Awareness/URL filtering or SSL inspection configuration results in "Failed to find the requested category-name" error when the name is more than one word. Use the category ID instead of the application name.
R81.10.00
-
Security
SMBGWY-1291
Smart Accel does not support IPv6.
R81.10.05
-
Access Policy
SMB-19492
It is not supported to use these predefined objects in the Access Policy > Firewall > Policy:
Trusted Wireless Networks
Untrusted Wireless Networks
R80.20 GA
-
SMB-17498
A device object cannot be used in a network object group.
R81.10.00
-
SMB-10398
FQDN objects are only supported in the destination column (not in the source).
R81.10.00
R80.20
SMBGWY-2491
When creating a Firewall or NAT rule in CLI, the source/destination value must be a network object and not just an IP address.
R81.10.00
-
NAT
-
-
-
-
User Check
SMBGWY-2492
User Check client is not supported in either Centrally or Locally managed mode of appliances.
R81.10.00
-
SMBGWY-2493
To search the security logs on the local web portal for a specific User Check incident ID, use this filter string "User Check Incident UID:" followed by the ID.
R81.10.00
-
SMBGWY-2494
In Centrally Managed Small Office appliances, the User Check portal does not appear if the configuration for the main URL of the User Check portal under gateway settings is set to use the gateway's external IP address.
R81.10.00
-
User / Identity Awareness
-
If the same username is defined on AD and Radius, the Security Gateway tries to authenticate only with the AD Server.
R81.10.00
-
SMB-12189
Traffic is blocked if the User Awareness blade is turned off and Browser-Based Authentication is turned on.
R81.10.00
R80.20
SMB-16255
Identity Awareness Gateway as an Active Directory Proxy feature is not supported on 1500, 1600, and 1800 Quantum Spark Appliances.
R81.10.00
R81.10.00 for R81.20 management
SMB-12516
LDAP connection is only supported on port 389.
R81.10.00
-
SMB-14519
Identity Awareness supports authentication of AD users, user groups, organization units. In addition, you can define LDAP groups with more advanced filtering.
Identity Awareness does not support authentication of Primary Groups of user and computer accounts. By default, the Primary Groups are 'Domain Users' and 'Domain Computers.'
R81.10.00
-
SMBGWY-2635
Identity Agent is not supported on 1500, 1600, and 1800 Quantum Spark Appliances.
R81.10.00
-
SMBGWY-2495
On Locally Managed appliances, only a single DC is supported per AD server.
R81.10.00
-
SMBGWY-2486
An AD Domain Controller used for authenticating users that is located in the external zone of a device using Hide-NAT is not supported.
Workaround: Install another Domain Controller in the internal zone of the device.
R81.10.00
-
SMBGWY-2496
In Centrally Managed appliances, these user identification methods are not supported (even though they appear in SmartConsole):
RADIUS Accounting
Terminal Servers
R81.10.00
-
SMB-6586
Automatic update of LDAP group membership does not work.
The PDP gateway becomes aware of added/removed users in LDAP groups only after policy installation.
Access Roles are not enforced for some of the users.
AD Query does not update user groups locally when a change is made to them on the Active Directory Server.
Identity awareness AD query functionality is supported when the domain controller server is part of one of the internal networks.
R81.10.00
-
Administrators
SMBGWY-2497
If the same administrator name is defined in both the local and RADIUS databases, the locally defined administrator permissions (read only, etc.) always take precedence over the permissions defined in the RADIUS server. We recommend you define unique administrator names for each database.
R81.10.00
R81.10.05
VPN - General
SMB-9711
Locally Managed appliances do not support subordinate certificates. Resolved in R77.20.80 for *.P12 files only. For .crt files, refer to sk157413.
R81.10.00
-
SMB-15573
IPv4 IPsec tunnel over an IPv6 non-IPsec tunnel is not supported.
R81.10.00
R81.10.05
SMB-13552
Tunnel test is supported only against fixed IP address.
R81.10.00
-
SMB-10127
In the Logs & Monitoring tab, the "Decrypt" action does not appear on some configurations (for example, PPPoE) but the functionality still works.
R81.10.00
R80.20
SMBGWY-2498
Configuring VPN site to site or VPN RA for CP Mobile with certificate-based authentication on a Locally Managed cluster is not supported.
R81.10.00
-
SMBGWY-2501
In Locally Managed appliances, the parameter "vpn_force_nat_t" does not force NAT-T if the remote site is configured using a hostname.
R81.10.00
-
SMBGWY-2510
In Centrally Managed appliances, the VPN overview page in SmartDashboard does not show tunnels from small office appliances.
R81.10.00
-
VPN - Remote Access
SAML for Remote Access VPN is not supported on Quantum Spark / Gaia Embedded appliances.
R81.10.00
SMBGWY-2088
DynamicID, a multi-factor authentication for VPN clients, is not supported in Centrally Managed mode.
R81.10.05
SMB-14970
When office mode is disabled on Locally Managed 1500 appliances, you can configure a manual rule with VPN Remote Access, but the rule is not enforced.
R81.10.00
-
SMB-10431
During a cluster failover, connected Remote Access users may be disconnected.
R81.10.00
-
SMB-15262
Layer 2 Tunneling Protocol (L2TP) clients are disconnected after two hours when a non-Windows client is used.
Workaround: Increase the renegotiation-interval time for Phase 2.
R81.10.00
-
SMBGWY-2505
In Locally Managed appliances, a remote site can only initiate connections when it is configured with IKEv2 and uses a pre-shared secret.
R81.10.00
R81.10.05
SMBGWY-2506
Remote Access SecurID authentication is not supported in Locally Managed mode of appliances.
R81.10.00
-
SMBGWY-2517
When you connect to the appliance with Remote Access VPN, the appliance only uses the default internal certificate.
R81.10.00
-
02115796
The "Route all traffic through gateway" option is not supported for SSL Network Extender clients.
R81.10.00
-
-
Two-Factor Authentication using mobile access is not supported.
R81.10.00
-
SMB-11978
The Remote Access feature "Location Aware Connectivity" is not supported on Locally Managed Quantum Spark appliances.
R81.10.00
-
SMB-9710
MEP is not supported in Remote Access VPN.
R81.10.00
-
SMB-12591
You cannot create a firewall rule where the source/destination is "VPN Remote Access."
R81.10.00
-
SMBGWY-2502
The WebUI Home > Security Dashboard page shows the VPN Remote Access blade as turned "ON" only if the Gateway object in SmartDashboard is set with IPSec VPN and the gateway is part of the Remote Access community.
When the object is defined but not part of the Remote Access community, the WebUI Home > Security Dashboard page shows the VPN Remote Access blade as turned "OFF".
R81.10.00
-
VTI
SMB-10109
When changing the configuration of an existing VPN Tunnel interface (VTI) from numbered to unnumbered or vice versa, routes which contain the VTI interface as a destination must be redefined.
R81.10.00
-
SMB-12842
Route-based VPN (VTI) is not supported with policy-based routing.
R81.10.00
-
SMB-2668
When a VPN tunnel goes down, routes that use the associated VTI as a target (next hop) remain active. Therefore, you cannot use metric-based failover between routes to different VTIs.
R81.10.00
-
SMBGWY-2500
When using numbered VTI, the traffic on Rx and Tx in vpnt interfaces is shown as z.
R81.10.00
-
SMBGWY-2499
Unnumbered VTIs can only be associated with external interfaces through the Internet connection definition. Other interface types are not supported.
R81.10.00
-
VPN Site to Site
SMBGWY-3286
VPN S2S with 5G does not work with CGNAT.
R81.10.07
-
SMB-10115
In Locally Managed mode: When configuring a VPN tunnel with PSK/certificate authentication methods in IKEv2 mode, and a peer in the community is configured with dynamic IP, the tunnel fails to establish.
Workaround:
Go to the VPN tab > Site > Encryption settings.
Select a specific encryption method instead of the default suites.
R81.10.00
-
-
Site-to-Site VPN is not supported with layer 2 (bridge) connection types.
R81.10.00
-
SMB-12173
VPN site to site is not supported when an Alias IP is assigned to one of the Gateway interfaces.
R81.10.00
-
SMBGWY-2503
In Locally Managed appliances, VPN sites configured with the IKEv2 encryption method and "Default (Most compatible)" encryption settings only support peer sites configured with Diffie-Hellman group 2.
Workaround: Configure an encryption suite that matches the peer's configuration.
R81.10.00
-
SMBGWY-2504
In Locally Managed appliances with a defined proxy, if a 3rd party external Trusted CA is used in a certificate, CRL validation does not work. Disable CRL validation for the CA or disable the proxy.
R81.10.00
-
SMBGWY-2507
In Locally Managed mode, when submitting a certificate signing request that contains alternative subject names, the resulting certificate contains only the DN as the subject and not the alternative names.
R81.10.00
-
SMBGWY-2508
When the Gateway is behind NAT, the use of IKEv2 with a pre-shared secret in VPN site to site is not supported.
Workaround: Use a certificate.
R81.10.00
R81.10.05
SMBGWY-2509
When a VPN community includes dynamic IP addresses for remote sites (behind NAT or connection via hostname), only Diffie-Hellman group 2 is supported.
R81.10.00
-
01664759
When configuring the aggressive mode peer ID field for VPN remote sites in Locally Managed appliances, you can only enter alphanumeric characters and these special characters: _ - . @ ~ ! # % $
R81.10.00
-
SMBGWY-2513
When configuring DHCP relay on Centrally Managed appliances, if the DHCP server is in a VPN peer's encryption domain, the implied rule "Accept Dynamic Address modules' outgoing Internet connections" must be disabled in SmartDashboard for the DHCP requests to be sent encrypted.
Workaround: Create manual rules that allow DHCP.
R81.10.00
-
SMBGWY-2514
When using aggressive mode with user peer_id, the remote VPN peer has to be a mobile peer for authentication to succeed.
R81.10.00
R80.20.XX
SMBGWY-2515
In Locally Managed appliances, when defining a remote site using a custom encryption suite and IKEv2 is selected, multiple selection of Diffie-Hellman groups may cause issues.
Workaround: Choose the specific Diffie-Hellman group that the remote site uses.
R81.10.00
-
SMBGWY-2516
When using Aggressive mode with peer ID in VPN site to site in Locally Managed appliances, the VPN Remote Access blade must be turned on (even if no users are defined with remote access privileges).
R81.10.00
-
SMBGWY-2518
RIM configuration is not supported in this firmware. RIM functionality is usually needed in the center Gateways of a VPN star community. This image is primarily used in satellite Gateways.
R81.10.00
-
01260760
In Locally Managed small office appliances, when a cluster failover happens, VPN Remote Access clients need to re-establish the connection. Also, a different certificate is seen when re-connecting.
R81.10.00
-
SMB-12201
Site to site directional VPN is not supported.
R81.10.00
-
SMB-2689
The "New Certificate Request" feature that allows an external CA to sign the device's certificate does not include the defined Alternative Names in the request.
R81.10.00
-
SMB-3002
In Locally Managed Gateways with a dynamic IP address: A site to site VPN configured with IKEv2 and a pre-shared key is supported only with Check Point peers and requires identifier settings.
R81.10.00
R81.10.05
SMB-1895
Locally Managed appliances cannot establish a VPN connection to a remote site that consists of multiple centrally managed hub VPN gateways in a MEP configuration.
R81.10.00
-
01663225
When configuring a remote site using a certificate and aggressive mode in VPN site to site in Locally Managed appliances, a peer ID string in aggressive mode must be configured.
R81.10.00
R80.20.X
VoIP
SMB-10136
In Locally Managed appliances, H.323 is not supported in the hide NAT configuration.
R81.10.00
-
Anti-Bot
SMBGWY-2519
The Suspicious email outbreak engine in the Anti-Bot Software Blade is not supported.
R81.10.00
-
Anti-Virus
-
-
Anti-Spam
-
-
-
-
IOC
SMB-18691
R81.10.XX does not support MD5 indicators for local management.
R81.10.00
-
SmartDashboard / SmartConsole
SMB-18388
In Centrally Managed appliances, SmartConsole sometimes shows inaccurate license information for Software Blades such as "No License" or "About to Expire."
R81.10.00
-
SMBGWY-2520
The VPN Advanced option to perform an organized shutdown of tunnels upon gateway restart is not supported.
R81.10.00
-
SMBGWY-2521
Install policy fails on Centrally Managed appliances when a rule contains an action set to User authentication.
R81.10.00
-
SMBGWY-2522
The "Monitoring" blade (Real Time Monitoring) is not supported.
R81.10.00
-
01585541
In Centrally Managed appliances, in some instances a policy fetch success pop up message is shown before the Firewall or QoS policy is actually installed.
R81.10.00
R81.10.05
SMB-3241
When a DMZ interface is used as a Local Network interface, the "Get Topology" action shows the DMZ interface as network type "Internal" instead of "DMZ."
Workaround: Manually change the network type to "DMZ."
R81.10.00
-
SmartProvisioning
SMB-1383
In Small Office appliances, Identity Sharing is not supported when managed through the SmartProvisioning LSM profile.
R81.10.00
-
SmartView Monitor
SMBGWY-2525
In Centrally Managed appliances, SmartView Monitor has limitations when working with inaccessible Gateways (for example, Gateways behind NAT). Since it requires connecting from the Security Management Server to the gateways, many of the monitoring capabilities are unavailable.
R81.10.00
-
SSL Inspection
-
-
-
-
Logging and Monitoring
SMB-15959
Although a Quantum Spark appliance is configured to forward only Security Logs to an external Syslog server, it forwards both Security Logs and System Logs.
R81.10.00
R81.10.05
SMB-13355
In Locally Managed appliances: Logs might be seen in the first few minutes after a policy change for the default outgoing rule even though the rule is configured not to generate logs.
Workaround: Turn on the connection persistence flag in Advanced Settings (this keeps established connections when installing a new policy).
R81.10.00
-
SMBGWY-2526
In Locally Managed appliances, multiple logs from different blades' engines can be shown for a single event (specifically Anti-Bot, Anti-Virus, and Application Control).
R81.10.00
R81.10.05
SMBGWY-2673
An external Security Log Server cannot be configured when High Availability is turned on (not supported) on Locally Managed appliances.
R81.10.00
-
SMBGWY-2674
Gaia Embedded appliances cannot send logs to more than one Security Management Server or Customer Log Server.
R81.10.00
-
SMB-1764
An external syslog server cannot be configured with an IPv6 address.
-
SSL Network Extender
01634523
The SNX command line for Linux (a script that can be downloaded from the SNX portal using the "Download command line SNX for Linux" option) fails on Small Office appliances.
R81.10.00
R80.20
Compliance
-
-
Online Updates
SMB-883
If the Time Zone is set after the command that turns off the First Time Wizard in a preset or auto conf script, the initial service updates might not start automatically in the first 12 hours after installation. The service updates can still be initiated manually.
Best practice: The command that turns off the First Time Wizard should be the last command in a preset or auto conf script.
R81.10.00
-
SMB-2914
If a firmware upgrade procedure is interrupted, intentionally or due to error, online updates might fail.
Workaround: reboot the device.
R81.10.00
R77
Wi-Fi
SMB-13533
Changing the VAP configuration (enable, disable, create, clone) causes all networks on the same wireless radio (2.4GHz or 5GHz) to stop working for a short period of time.
R81.10.00
-
SMBGWY-2528
In the Local Networks page in the local WebUI, the status of a wireless network for wireless appliances shows as UP even if the wireless radio is off.
R81.10.00
R81.10.05
SMB-2286
In Centrally Managed appliances, the standby member does not bring down the wireless networks.
R81.10.00
-
IoT
PMTR-58520
Enforcement of IoT assets in the Access Control policy is not supported on Centrally Managed Quantum Spark appliances running Gaia Embedded OS.
R81.10.00
R81.10.05
Hotspot Portal
SMB-3188
Hotspot portal redirection does not work when you browse to HTTPS sites. First, browse to an HTTP site, and you will be redirected to a Hotspot portal.
R81.10.00
-
QoS
SMBGWY-2529
In Centrally Managed appliances configured with QoS in Express mode, internal interfaces should not be configured for QoS as it may cause loss of connectivity.
Starting from R77.20.20, QoS works by default in accelerated mode. This decreases the chance of an interruption to internal traffic. Still, the common use-case for QoS is to be activated on the external interfaces.
R80.20
R81.10.00
SMBGWY-2530
In connected Centrally Managed small office appliances, when a push policy of QoS and Firewall is attempted on a Gateway that has been cleanly installed, the policy installation might show a failure icon on the QoS blade without additional error messages, even though the push policy succeeded. If a Firewall policy push was attempted before the QoS policy installation, it will also succeed.
R81.10.00
-
SMBGWY-2531
The Delay Sensitivity feature and the Differential Services marking feature can be used on a Centrally Managed SMB appliance only under Express QoS mode.
Configuration is done in the "Advanced (UTM-1 Edge & SG80 Gateways)" section of the QoS action properties window.
Under Traditional QoS mode, only the Best Effort QoS class is supported. Using any other Diffserv/Latency classes will disable the QoS policy.
For the Delay Sensitivity feature on a Centrally Managed SMB appliance, the "Bulk" option is not supported (it behaves as "Normal").
On a specific QoS rule, when Delay Sensitivity is set to "Interactive" on a Centrally Managed SMB appliance, or "Low Latency" is set on a Locally Managed SMB appliance, the limit and guarantee values for the same rule are ignored.
All rules that are configured with Delay Sensitivity = Interactive/Low Latency share a joint limit. By default, this limit is 20 percent of the interface's bandwidth, and it can be configured.
R81.10.00
-
-
A Centrally Managed SMB appliance can be configured to use the Delay Sensitivity and Differential Services marking features only under Express QoS mode. Configuration is done in the "Advanced" section of the QoS action configuration window, which is unique to Edge/SG80 appliances. Under Traditional QoS mode, only the Best Effort QoS class is supported; using other classes will disable the QoS policy.
R81.10.00
-
SMB-10458
QoS does not support matching packets based on DiffServ tagging. QoS only supports marking the traffic with Differential Services (DiffServ) tags and preserving existing DiffServ tags.
R81.10.00
-
Unified Access
SMB-15218
The use of object names that contain spaces is not supported in clish commands. Use the object ID instead of the object name when possible.
R81.10.00
-
SMB-8464
When a QoS rule is configured to be applied to a specific time/day/date, it is not limited to those specifications.
R81.10.00
R80.20
SMB-7992
In Locally Managed appliances, H.323 is not supported in the hide NAT configuration.
R81.10.00
-
-
Identity Awareness AD query functionality is supported when the domain controller server is part of one of the internal networks.
R81.10.00
-
WatchTower
-
-
-
-
WebUI
SMB-10029
When the order of the SSL inspection exceptions is changed in the WebUI, the WebUI display does not show the new order, even though the order is changed and the change can be seen in the CLI.
Workaround: To change the order, delete the exception and then add it in the new location.
R81.10.00
R81.10.05
SMB-14832
This pop-up error message may appear in the WebUI when CPU usage is temporarily high: "Connectivity with the appliance was temporarily lost during the last operation".
Workaround: Refresh the browser.
R81.10.00
-
SMB-12761
In 1590 appliances: In Firewall Access rules of the type "Incoming, Internal and VPN traffic", you cannot select "internet" as a source or destination in the WebUI.
R81.10.00
-
01261065
These characters cannot be used in WebUI textual fields:
single quote - '
double quote - "
backslash - \
R81.10.00
-
SMBGWY-2532
Toggling between Central and Local Management modes of the appliance is not supported when a cluster is configured. To change to Central Management mode, an administrator must first disable the local cluster.
R81.10.00
-
SMBGWY-2533
RADIUS servers are deleted by clearing the contents of the fields in the Configure RADIUS servers window in the WebUI (VPN tab > Authentication Servers page > RADIUS servers link) since there is no direct Delete option.
R81.10.00
R81.10.05
01469798
Configuration of the serial port through Advanced Settings is not supported when an Internet connection is configured to an analog modem through the serial port.
R81.10.00
-
SMBGWY-2534
When defining server objects, the "Force translated traffic to return to the gateway" is important for traffic originating from internal sources. However, currently, sources of all traffic to the server will be translated and hidden behind the gateway's IP address.
R81.10.00
-
SMBGWY-2537
Host objects can be defined with up to 32 characters.
R81.10.00
-
SMBGWY-2538
When a log in a Locally Managed appliance shows the "myown_obj" object, it in fact means "this appliance".
R81.10.00
-
SMBGWY-2539
In Locally Managed appliances, in the Threat Prevention Exception page > Malware Exceptions section, if the "Scope" field is not configured to "Any" it may result in the exception not being matched.
R81.10.00
-
SMBGWY-2540
The Identity Awareness portal sometimes does not show correctly in a Chrome browser.
When more than one VAP is added to a local network switch or bridge, it cannot be unassigned.
Workaround: delete it and then recreate it.
R81.10.00
-
SMB-4869
After replacing the web portal certificate, login to the administration web portal fails with a "Connectivity error. Refresh page and retry" message due to the browser's certificate caching mechanism.
Workaround: refresh the page.
R81.10.00
-
SMB-4792
Attempting to configure the same specific feature through WebUI and CLI interfaces at the same time may cause settings to be overridden or subject to submission timing.
R81.10.00
-
Zero Touch
SMB-14915
When Zero Touch is used, the appliance is always set to the Locally Managed mode before the clish script (defined by the user in the Zero Touch server) runs, as the command "set security-management mode locally-managed" is injected by default from the Zero Touch servers before the user-defined script.
R81.10.00
-
SMB-13704
Zero Touch works with WAN and LTE interfaces but not with DMZ.
R81.10.00
-