Limitations for configuring site-to-site VPN in Threat Defense devices

General limitations

  • IKEv1 is not supported on CC/UCAPL-compliant devices; use IKEv2 on these devices.

  • VPN does not support network objects with a 'range' option.

  • Firewall Threat Defense VPNs do not support PDF export and policy comparison.

  • Tunnel status is not updated in real time; the Cloud-Delivered Firewall Management Center refreshes it at five-minute intervals.

  • You cannot use the double quote character (") in pre-shared keys; if an existing pre-shared key contains one, replace the key.

Crypto ACL limitations

  • When you use a crypto ACL, Cloud-Delivered Firewall Management Center supports only point-to-point VPN topologies and does not report tunnel health events for them.

  • Cloud-Delivered Firewall Management Center does not verify the device interface address for transport mode when you select a crypto ACL.

  • Mirror ACEs are not generated automatically. For each ACE in the local crypto ACL, you must manually create the mirrored ACE (source and destination swapped) on the peer, on either side of the tunnel.
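Because the mirrored entries have to be written by hand, a mismatch between the two sides (an entry copied unmirrored, or one side missing an entry) is easy to introduce and causes the IPsec SA negotiation for that traffic selector to fail. The script below is an added example, not Cisco code: it parses ASA/Threat Defense-style extended ACL lines, emits the mirrored ACL for the peer, and reports entries on either side whose mirror is missing from the other. It assumes IPv4, address-only ACEs (`any`, `host A.B.C.D`, or `A.B.C.D M.M.M.M`) and rejects lines with port qualifiers; the ACL names and entries are constructed sample data.

```python
"""Mirror-ACE helper for site-to-site crypto ACLs.

Added example, not Cisco code. Assumes ASA/FTD-style extended ACL lines:
  access-list <name> extended permit|deny <proto> <src> <dst>
where <src>/<dst> is 'any', 'any4', 'host A.B.C.D', or 'A.B.C.D M.M.M.M'.
IPv4 only; port qualifiers are rejected rather than silently dropped.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirror(self, name=None):
        """The ACE the peer needs: same action/protocol, source and destination swapped."""
        return Ace(name or self.name, self.action, self.proto, self.dst, self.src)


def _take_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'A.B.C.D M.M.M.M': ipaddress accepts a dotted netmask after the slash.
    # strict=True (the default) rejects a network with host bits set, which
    # would itself be a crypto ACL mistake worth surfacing.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    name, action, proto = tokens[1], tokens[3], tokens[4]
    try:
        src, i = _take_addr(tokens, 5)
        dst, i = _take_addr(tokens, i)
    except IndexError:
        raise ValueError(f"truncated address spec: {line!r}") from None
    if i != len(tokens):
        raise ValueError(f"port qualifiers or extra tokens not supported: {line!r}")
    return Ace(name, action, proto, src, dst)


def parse_acl(text):
    """Parse every non-empty, non-comment ('!') line of an ACL block."""
    lines = [l.strip() for l in text.splitlines()]
    return [parse_ace(l) for l in lines if l and not l.startswith("!")]


def _fmt(net):
    if net == ANY:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def render(ace):
    return f"access-list {ace.name} extended {ace.action} {ace.proto} {_fmt(ace.src)} {_fmt(ace.dst)}"


def mirror_acl(aces, peer_name):
    """Generate the peer's crypto ACL by mirroring each ACE, preserving order."""
    return [a.mirror(peer_name) for a in aces]


def check_mirror(local, peer):
    """Return a list of problems; an empty list means the two ACLs are exact
    mirrors of each other (ACL names and entry order are ignored)."""
    def key(a):
        return (a.action, a.proto, a.src, a.dst)
    local_keys = {key(a) for a in local}
    peer_keys = {key(a) for a in peer}
    problems = []
    for a in local:
        if key(a.mirror()) not in peer_keys:
            problems.append(f"peer lacks mirror of: {render(a)}")
    for a in peer:
        if key(a.mirror()) not in local_keys:
            problems.append(f"local lacks mirror of: {render(a)}")
    return problems


# Constructed sample: hub-side crypto ACL for a point-to-point tunnel.
HUB_ACL = """
access-list HUB-TO-BRANCH extended permit ip 10.1.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list HUB-TO-BRANCH extended permit ip host 10.1.200.10 192.168.6.0 255.255.255.0
"""

# Constructed sample: what was typed on the branch by hand. The second entry
# was copied unmirrored, the kind of mismatch that fails IPsec SA negotiation.
BRANCH_ACL_TYPED = """
access-list BRANCH-TO-HUB extended permit ip 192.168.5.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list BRANCH-TO-HUB extended permit ip host 10.1.200.10 192.168.6.0 255.255.255.0
"""

if __name__ == "__main__":
    hub = parse_acl(HUB_ACL)
    print("# generated peer ACL")
    for ace in mirror_acl(hub, "BRANCH-TO-HUB"):
        print(render(ace))
    print("# audit of the hand-typed peer ACL")
    for problem in check_mirror(hub, parse_acl(BRANCH_ACL_TYPED)):
        print("MISMATCH:", problem)
```

Run it once with the local ACL to produce the peer entries to paste into the peer's configuration, and again with both sides' ACLs to audit an existing pair before the next policy deployment. `check_mirror` reports a problem from both directions, so an ACE that is present on one side and wrongly copied on the other shows up twice, once as "peer lacks" and once as "local lacks".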

Topology management limitations

  • You cannot move a VPN topology between domains.

  • There is no per-tunnel or per-device edit option for Firewall Threat Defense VPNs; you can edit only the whole topology.