26 December 2023 HARMONY ENDPOINT SERVER Administration Guide...
Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions.
Revision History
Date | Description
30 January 2022 | Updated "Rule Types for Each Endpoint Security Component" on page 140
09 January 2022 | Updated "Rule Types for Each Endpoint Security Component" on page 140
02 January 2022 | Added "Logging Into SmartEndpoint" on page 54
05 September 2021 | Added "Uninstalling Endpoint Security Using Challenge-Response in ...
Table of Contents
Introduction to Endpoint Security
Managing the Security of Users, Not Just Machines
Organization-Centric Model
Policy-Centric Model
Endpoint Security Client
Centralized Monitoring
Centralized Deployment
Endpoint Security Architecture
Endpoint Security Server and Client Communication
SmartEndpoint Console and Server to Server Communication
Client to Server Communication
The Heartbeat Interval
SHA-256 Certificate Support...
Demo and Temporary Licenses
License Enforcement
Getting Licenses
Getting and Applying Contracts
Configuring a Proxy for Internet Access
License Status
Logging Into SmartEndpoint
Using SmartEndpoint
Overview Tab
Opening SmartEndpoint
Policy Tab
Users and Computers Tab
Monitoring Endpoint Security Deployment and Policy
Alerts
Configuring Alert Messages
Configuring an Email Server...
Licenses Report
Deployment Tab
Client Logging
Finding Components
Show/Hide Components
Users and Computers
Using the Users and Computers Tab
Using the Object Details Window
Changing Authentication Settings
Using the Users and Computers Tree
Managing Users
Managing OUs or Groups
Managing Computers
Managing Users of a Computer
Resetting a Computer...
Configuring Software Signatures for Packages for Export
Seeing the Deployment Status
Deploying Mac Clients
Getting the Mac Client
Manual Deployment
Uninstalling the Client on Mac
Upgrading Endpoint Security Clients
Upgrading with Deployment Rules
Upgrading with an Exported Package
Gradual Upgrade
Upgrading Legacy Clients
Offline Upgrades...
Creating a Rule
The Order in Which the Client Applies the Rules
Changing the Order in Which the Client Applies the Rules
Editing a Rule
Editing a Shared Action
What Happens when you Delete an Entity
Saving and Installing Policy Changes on Clients
Showing the Policy that Applies to a User or Computer
Direct Assignment of Rules to Users and Computers
Virtual Groups in Policy Rules...
Troubleshooting Authentication in Server Logs
Troubleshooting Authentication in Client Logs
Full Disk Encryption
Check Point Full Disk Encryption
Configuring a Check Point Full Disk Encryption Policy
Volume Encryption
Custom Disk Encryption Settings
Self-Encrypting Drives
Authentication before the Operating System Loads (Pre-boot)
User Settings for the Self-Help Portal
Monitoring the Self-Help Portal Policy
BitLocker Encryption for Windows Clients
Configuring a BitLocker Encryption Policy
Switching Between Check Point Full Disk Encryption and BitLocker Management
Taking Control of Unmanaged BitLocker Computers
BitLocker Recovery
Installing and Deploying Full Disk Encryption...
Managing Authorized Pre-boot Users and Nodes
Creating Pre-boot Users
AD Groups for Pre-boot Authentication
Before You Configure Smart Card Authentication
Smart Card Scenarios
Scenario 1: Moving from Password to Smart Card
Scenario 2: Mix of Password and Smart Card Authentication
Notes on Using Smart Cards
Changing a User's Password
Managing Dynamic Tokens...
Working with Advanced Actions in a Media Encryption & Port Protection Rule
Offline Access Actions
Custom Offline Access Settings
Configuring Encryption Container Settings
Password Constraints for Offline Access
Media Lockout Settings
Device Scanning and Authorization Actions
Custom Scan and Authorization Actions
Log Actions
UserCheck Actions
Media Encryption Site Actions...
Capsule Docs Recovery
Anti-Malware
Prerequisites for Anti-Malware
Configuring Anti-Malware Policy Rules
Scan All Files on Access
Malware Signature Updates
Performing Periodic Anti-Malware Scans
Periodic Scan Options
Exclude Files and Folders from Scan
Scan Optimization
Malware Treatment
Submitting Malware and False Detections
Harmony Endpoint Anti-Ransomware, Behavioral Guard and Forensics
Anti-Ransomware Files
Configuring Forensics and Anti-Ransomware Policy Rules...
Harmony Endpoint Use Case
Ransomware Use Case
Quarantine Management
Using the Quarantine Manager for Administrators
Harmony Endpoint Anti-Bot
The Need for Anti-Bot
The Harmony Endpoint Anti-Bot Solution
Configuring Anti-Bot Policy Rules
Activating the Anti-Bot Component
Defining Entities that are Trusted by Anti-Bot
Anti-Bot Protection Mode
Harmony Endpoint Threat Extraction, Emulation and Anti-Exploit
Configuring Threat Extraction and Threat Emulation Rules...
Planning for Compliance Rules
Configuring Compliance Policy Rules
Ensuring Alignment with the Deployed Profile
VPN Client Verification
Compliance Action Rules
Compliance Check Objects
Compliance Remediation Objects
Service Packs for Compliance
Required Applications and Files
Prohibited Applications and Files
Anti-Malware for Compliance
Ensuring that Windows Server Updates Are Installed
Monitoring Compliance States...
Configuring Client Settings Policy Rules
Client User Interface Settings
Log Upload
Installation and Upgrade Settings
Users
Disabling Network Protection
Sharing Data with Check Point
Remote Access VPN
Access Zones
Trusted Zone
Changing the Access Zones Policy
Network Objects...
Offline Mode
Configuring Offline Mode
Creating Offline Administrators
Editing Pre-boot Users
Moving from Offline to Online Mode
Endpoint Offline Management Tool
Logging In to the Offline Tool
Password Assistance
Selecting a User
Challenge from User
Response to User
Disk Recovery
Select a User Account
Select Media...
Introduction to Endpoint Security
Check Point endpoint security includes data security, network security, advanced threat prevention, forensics, and remote access VPN solutions. It offers simple and flexible security administration: the entire endpoint security suite can be managed centrally using a single management console.
Component | Description
Compliance | Allows you to enforce endpoint compliance on multiple checks before users log into the network. You can check that: the appropriate endpoint security components are installed; the correct OS service pack is installed on the endpoint; only approved applications are able to run on the endpoint; the appropriate anti-malware product and version is running on the endpoint.
Capsule Docs | Provides security classifications and lets organizations protect and share documents safely with various groups - internal and external.
URL Filtering | Lets organizations control access to web sites by category, user or group.
Harmony Endpoint Anti-Bot | Detects bot-infected machines and blocks bot C&C communication...
Historical data for clients and servers can be viewed in the Logs tab of the SmartConsole Logs & Monitor view.
Centralized Deployment
Deployment in the Endpoint Security Management Server lets you control specific components and Endpoint Security versions installed on the protected end-user computers.
R81 Harmony Endpoint Server Administration Guide | 22...
Endpoint Security Architecture
An Endpoint Security environment includes the SmartEndpoint console, Endpoint Security Management Server, and Endpoint Security clients. It is integrated with the Check Point Security Management and SmartConsole.
Endpoint Security Management Server
Item | Description
Active Directory | The repository of the user information of the organization.
This includes Endpoint Security Management Servers and the (optional) Endpoint Policy Servers.
SmartEndpoint | A Check Point SmartConsole application to deploy, monitor and configure Endpoint Security clients and policies. Install on the Endpoint Security Management Server or on a Windows computer that supports the client installation.
Item | Description
Secondary Endpoint Security Management Server | One additional Endpoint Security Management Server for High Availability. This makes sure that a backup server is available if the primary server is down.
Endpoint Policy Servers | Endpoint Policy Servers improve performance in large environments by managing most communication with the Endpoint Security clients.
There is routing between the Endpoint Security elements.
SmartEndpoint Console and Server to Server Communication
Communication between these elements uses the Check Point Secure Internal Communication (SIC) service. The elements authenticate each other using certificates. HTTPS (TCP/443) is used for sending events, for SmartEvent Views and Reports, from the Endpoint Policy Server to Primary Management.
Endpoint Security Server and Client Communication
Client to Server Communication
These services are used by the client to communicate with the Endpoint Policy Server or the Endpoint Security Management Server. The client is always the initiator of the connections.
Service | Communication (Protocol/Port) | Notes
The Heartbeat Interval
Endpoint clients send "heartbeat" messages to the Endpoint Security Management Server to check the connectivity status and report updates. The time between heartbeat messages is known as the heartbeat interval.
Note - The default heartbeat interval is 60 seconds. A shorter heartbeat interval can cause additional load on the management.
To configure servers to support TLSv1.2 only:
On each Endpoint Security server:
1. Run: cpstop
2. Edit: $UEPMDIR/apache/conf/ssl.conf
3. Change the value of the SSLProtocol attribute from:
   SSLProtocol +TLSv1 +TLSv1.2
   to:
   SSLProtocol TLSv1.2
4. Save the changes.
5.
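As an added check that is not part of the Check Point guide, the POSIX shell function below audits the SSLProtocol directive that the procedure above edits: it returns 0 when only TLSv1.2 (or TLSv1.3) remains enabled, 1 when TLSv1, TLSv1.1 or SSLv3 is still offered, and 2 when the file or the directive cannot be read. It also handles the "all -X" exclusion form of the directive, which the guide does not show. The path $UEPMDIR/apache/conf/ssl.conf is the one the guide names; the sample files are constructed here so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: audit the SSLProtocol directive
# in an Apache ssl.conf such as $UEPMDIR/apache/conf/ssl.conf (the file the
# guide's TLSv1.2-only procedure edits).
#
# Exit status: 0 = only TLSv1.2/TLSv1.3 enabled, 1 = a legacy protocol
# (SSLv3, TLSv1 or TLSv1.1) is still offered, 2 = file or directive unreadable.
ssl_protocol_check() {
    conf="${1:-$UEPMDIR/apache/conf/ssl.conf}"
    [ -r "$conf" ] || return 2
    # Apache honours the last SSLProtocol line in a context; comment lines are skipped.
    line=$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" | tail -n 1)
    [ -n "$line" ] || return 2
    sslv3=0; tlsv1=0; tlsv11=0
    set -- $line          # split on whitespace (intentional)
    shift                 # drop the directive name, keep its arguments
    for tok in "$@"; do
        case "$tok" in
            all|+all)          sslv3=1; tlsv1=1; tlsv11=1 ;;  # conservative: "all" enables every legacy version until excluded
            SSLv3|+SSLv3)      sslv3=1 ;;
            -SSLv3)            sslv3=0 ;;
            TLSv1|+TLSv1)      tlsv1=1 ;;
            -TLSv1)            tlsv1=0 ;;
            TLSv1.1|+TLSv1.1)  tlsv11=1 ;;
            -TLSv1.1)          tlsv11=0 ;;
            TLSv1.2|+TLSv1.2|-TLSv1.2|TLSv1.3|+TLSv1.3|-TLSv1.3) ;;  # modern versions: legacy flags unchanged
            *)                 return 2 ;;                        # unrecognised token: report rather than guess
        esac
    done
    if [ "$sslv3" -eq 0 ] && [ "$tlsv1" -eq 0 ] && [ "$tlsv11" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Constructed sample files (not real server output) so the check can run offline.
make_samples() {
    dir=$(mktemp -d)
    printf 'SSLProtocol +TLSv1 +TLSv1.2\n' > "$dir/before.conf"         # the setting the guide says to replace
    printf 'SSLProtocol TLSv1.2\n' > "$dir/after.conf"                   # the setting the guide says to use
    printf 'SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n' > "$dir/exclusions.conf"
    printf 'SSLProtocol all -SSLv3\n' > "$dir/legacy_all.conf"
    printf '# no SSLProtocol directive in this file\n' > "$dir/missing.conf"
    echo "$dir"
}

# Stand-alone demonstration over the constructed samples.
samples=$(make_samples)
for f in "$samples"/*.conf; do
    rc=0
    ssl_protocol_check "$f" || rc=$?
    case $rc in
        0) echo "$f: OK, TLSv1.2-only" ;;
        1) echo "$f: legacy TLS/SSL version still enabled" ;;
        *) echo "$f: no usable SSLProtocol directive" ;;
    esac
done
```

Run it with no argument on a server to audit the guide's path, or pass any ssl.conf path as the first argument.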
External PKI Certificates for Client-Server Communication
By default, Check Point servers and clients use certificates signed by the internal Check Point Certificate Authority (CA) for client-server communication, authentication, and data encryption. You can overwrite the default certificates with certificates generated by an external CA.
a. Select the certificate type.
b. Insert the certificate file. You can drag and drop the file into the window or navigate to it from the folder icon.
c. Optional: Enter the file's password.
d.
4. Select Push CA Certificate and click Next.
5. Select the computers to push the certificate to.
6. Click Next.
7. Click Manage.
8. Select the certificate and click Assign.
9. Optional: Enter a descriptive Comment.
10.
Replacing SSL Certificates in an Existing Environment
We recommend that you implement the new SSL certificates gradually. After an SSL certificate is replaced on a server, clients that do not have the related CA certificate will not be able to send SSL messages (for example, Full Disk Encryption blade payloads and Audit logs) to that server.
Installing Certificates for Offline Groups
Offline Groups can use external certificates for Remote Help. The default setting is Use internally generated certificate, which uses the internally generated certificate.
To install an external certificate for an Offline Group:
When creating an offline group:
1.
Connection Port to Services on an Endpoint Security Management Server
Background
Server>/smartview/
Management API Web Services | https://<IP Address of Management Server>/web_api/<command> (see Check Point Management API Reference)
If you upgraded a Security Management Server with enabled Endpoint Policy Management Software Blade to R81, then the SSL port configuration remains as it was in the previous version, from which you upgraded:
Address of Management Server>:4434/web_api/<command> (see Check Point Management API Reference)
In R81 and higher, an administrator can manually configure different TCP ports for the Gaia Portal (and other services) and Endpoint Security - 443 or 4434. For the applicable procedures, see "Connection Port to Services on an Endpoint Security...
Configuration | URL and Port
Default | https://<IP Address of Management Server>/smartview/
| https://<IP Address of Management Server>:4434/smartview/
Management API Web Services (see Check Point Management API Reference)
Configuration | URL and Port
Default | https://<IP Address of Management Server>/web_api/<command>
| https://<IP Address of Management Server>:4434/web_api/<command>...
Scenario | Gaia Portal Certificate | Gaia Portal Listening Port | Endpoint Security Listening Port
Scenario 1 | Self-signed SSL certificate | 443 | 4434
Scenario 2 | External SSL certificate | 443 | 4434
Scenario 3 | Self-signed SSL certificate | 4434 | 443
Scenario 4 | External SSL certificate | 4434 | 443
Scenario 1 - Gaia Portal uses the default self-signed SSL certificate, Gaia Portal listens on TCP port 443, and Endpoint Security listens on TCP port 4434
1.
Save the changes in the file and exit the editor.
5. Configure the SSL port to 443 in the Gaia database. Run these two commands:
   dbset httpd:ssl_port 443
   dbset :save
6. Generate the Apache configuration. Run:
   $UEPMDIR/system/install/gaia_apache_conf_generate
7. Restart Check Point services. Run:
   cpstop && cpstart
Scenario 2 - Gaia Portal uses an external SSL certificate, Gaia Portal listens on TCP port 443, and Endpoint Security listens on TCP port 4434
1. Import and install the certificates:
   a.
   d. In the "SSL Virtual Host Context" section, configure this value in the "VirtualHost" directive:
      <VirtualHost _default_:4434>
   e. Save the changes in the file and exit the editor.
5. Modify the /web/templates/httpd-ssl.conf.templ file:
   a.
   :save
7. Generate the Apache configuration. Run:
   $UEPMDIR/system/install/gaia_apache_conf_generate
8. Restart Check Point services. Run:
   cpstop && cpstart
Scenario 3 - Gaia Portal uses the default self-signed SSL certificate, Gaia Portal listens on TCP port 4434, and Endpoint Security listens on TCP port 443
1.
5. Configure the SSL port to 4434 in the Gaia database. Run these two commands:
   dbset httpd:ssl_port 4434
   dbset :save
6. Generate the Apache configuration. Run:
   $UEPMDIR/system/install/gaia_apache_conf_generate
7. Restart Check Point services. Run:
   cpstop && cpstart
Scenario 4 - Gaia Portal uses an external SSL certificate, Gaia Portal listens on TCP port 4434, and Endpoint Security listens on TCP port 443
1. Import and install the certificates:
   a.
Save the changes in the file and exit the editor.
6. Configure the SSL port to 4434 in the Gaia database. Run these two commands:
   dbset httpd:ssl_port 4434
   dbset :save
7. Generate the Apache configuration. Run:
   $UEPMDIR/system/install/gaia_apache_conf_generate
8. Restart Check Point services. Run:
   cpstop && cpstart
Endpoint Security Licenses
This chapter includes license information for Endpoint Security Servers and Clients. All Endpoint Security licenses are physically installed on the Endpoint Security Management Server.
Endpoint Security Product Licenses
You need to have a license for:
Every Endpoint Security client.
License validation occurs when the client sends a SYNC or heartbeat message to the server.
Getting Licenses
This procedure assumes that you have a user account for the Check Point User Center, and that the necessary licenses and contracts are purchased.
To get the license for your Endpoint Security Management Server:
1.
To change the default time interval:
1. Edit this file: $CPDIR/conf/downloads/dl_prof_CNTRCTMNGR.xml
2. Change the <interval> value as necessary.
3. Restart Check Point services: cpstop ; cpstart
To apply a contract manually:
1. Log in to Check Point User Center
2.
To download a contract to a different computer:
1. In the User Center, click Products > Additional Services.
2. Select the account of the contract.
3. Click Email File or Download Now.
4. When you have the contract file, move it to the Endpoint Security Management Server.
5.
Percentage of total licenses in use
Expiration date
IP address of license host
Logging Into SmartEndpoint
1. Install an on-premises Endpoint Security Management Server. See the R81 Installation and Upgrade Guide > Chapter Installing an Endpoint Server > Section Installing an Endpoint Security Management Server.
2. Connect with SmartConsole to the Endpoint Security Management Server.
3.
Using SmartEndpoint
Use SmartEndpoint, which connects to the Endpoint Security Management Server, to manage your Endpoint Security environment. This section shows what you can do on each tab in SmartEndpoint.
Overview Tab
The Overview tab shows a graphical summary of important security information about the endpoint clients in your organization.
"Uploading Client Packages to the Repository" on page 103
Opening SmartEndpoint
You can open SmartEndpoint in these ways:
Go to Start > All Programs > Check Point SmartConsole <Version> > SmartEndpoint <Version>.
Open SmartConsole, and from the Menu, select SmartEndpoint.
Policy Tab
You define and manage the policy for each Endpoint Security component in the Policy tab.
Users and Computers Tab
The nodes of the Users and Computers tree are filled automatically by an Active Directory scan, or when installed Endpoint Security clients connect to the Endpoint Security Management Server. The only node whose contents you define and manage is the Networks node.
To create a network:
1.
Monitoring Endpoint Security Deployment and Policy
Monitoring your Endpoint Security policy and deployment should be a very important part of your day-to-day work. The Reporting tab includes many different types of Endpoint Security status reports.
To see monitoring reports:
1.
Alerts
The alerts pane shows which endpoint computers are in violation of critical security rules. These violation types can trigger alerts:
Certificate Expiration
Compliance Warning
Deployment Failed
Encryption Problem
Anti-Malware Issues
The lower section of the pane contains two tabs:
Trend - Shows a line chart of the trend of security violations over time
Endpoints - Shows the standard endpoint computer list
Configuring Alert Messages...
Trigger alert when the condition reaches - When the initial alert message is sent.
Optional: After the alert was triggered, turn off when less than - When an alert resolved message is sent.
4. In the Notification Settings area, select which type of messages to send:
Select Notify on alert activation to send an Initial Alert message.
If the verification succeeds, an email is sent to the email address entered and a Success message shows in the Email Server Settings window. If the verification fails, an Error message shows in the Email Server Settings window.
(Maximum amount, Most common information, or Minimum amount). Logs are stored in a shared folder on the client computer. You can upload the logs to Check Point servers, and to corporate FTP servers.
Repair client - Repair the Endpoint Security client installation. This requires a computer restart.
Push Operations
In the top pane:
See all recent Push Operation activities and their details. This includes which objects were included in the operation and the status.
Create new, Abort (stop), and Remove Push Operations.
Click Configure Defaults to configure the default settings for a selected operation. These settings apply each time you run a Push Operation for which you do not configure different settings.
Push Operations Settings
Click Configure Defaults to configure the default settings for a selected operation. These settings apply each time you run a Push Operation for which you do not configure different settings. Select the operation to configure.
For each operation you can configure:
User Notification - Whether users are notified about the operation and whether they can cancel or postpone it.
Compliance Status Reports
Compliance Status - Shows endpoint compliance policies that make sure:
The correct version of Endpoint Security is installed.
The operating system includes all required updates and service packs.
Only approved software applications are installed.
If a user or computer is in violation of a rule, the name of the rule is shown in the Compliance Violations column.
Activity Reports
The Activity Reports group includes these endpoint and Endpoint Policy Server status reports:
Endpoint Connectivity - Shows the last time each endpoint computer connected to the network.
Endpoints with Not Running Blades - Shows the status of components for users and endpoint computers.
Software Deployment Status Reports
You can select reports that show deployment status by:
Deployment Status - Shows deployment by the status category of deployment.
Top Deployment Errors - Shows the top errors.
Deployment by Package - Shows deployment status by package name.
Deployment by Policy - Shows deployment status by profile name.
For all Deployment reports, the available status categories are:
Completed...
Full Disk Encryption Status Reports
There are reports that contain information about the computer encryption and reports that contain information about the Pre-boot.
Encryption Status - Shows the endpoint computer encryption status. The encryption status categories are:
Encrypted
Decrypting
Unencrypted...
User Authentication (OneCheck) Status Reports
Pre-boot Access Status - Shows the status of the Full Disk Encryption Pre-boot on each endpoint computer. The status categories are:
Pre-boot Enabled
Pre-boot Disabled (WIL)
Pre-boot Temporarily Disabled (WOL)
Not running
Status information is missing
Not Installed - Full Disk Encryption is not installed on the endpoint.
Grace Period Enabled - Whether, after a new authentication method is configured, users have a period of time in which they can still authenticate with the previous method.
Grace Period Active - Whether the grace period is active at this time for this user.
Media Encryption & Port Protection Status Reports
The main Media Encryption & Port Protection report includes a chart that shows:
Allowed devices
Blocked Devices
Approved by UserCheck (operations)
The Endpoint List shows all devices connected to endpoint computers during the last 14 days. It also shows the file operations that were approved by UserCheck justification.
User and computer name
Status (see above)
Anti-Malware Status - Shows scanning detection statistics
Top Infections - Shows the top ten infections during the past 30 days
Anti-Malware Provider Brands - Shows which endpoints use Check Point Anti-Malware and which use a third-party Anti-Virus provider.
Anti-Malware Scanned Date - Shows status by the last scan date
Anti-Malware Updated On - Shows computers that have Anti-Malware updates installed
Harmony Endpoint Anti-Bot Status Reports
These reports show the status of Anti-Bot detection and prevention. These reports are available:
Anti-Bot Status - Shows detection and prevention statistics
Top bots - Shows the top ten bots during the past 30 days
Policy Reports
A policy report shows information about the assigned policies on each Endpoint Security Client computer in the organization. You cannot see the Policy Report in SmartEndpoint. It is a CSV file that is created on the Endpoint Security Management Server at scheduled times.
To enable scheduled Policy Reports:
1.
General fields:
User Name - ntlocal for local user, ntdomain://<DOMAIN-NAME>/<USER LOGON NAME> for domain users
Computer Name - Name of the computer
User Location - User domain distinguished name (empty for local users)
Group Names - The names of the groups the user is in
IP Address - The most updated IP address of the device
Last Contact - The last time the computer had contact with the Endpoint Security Management Server...
Licenses Report
The Licenses Status Report shows the status of the container and component licenses. The summary chart shows the number of seats licensed and the number of seats in use. The licenses list shows detailed license information and status for a selected component or the container.
Deployment Tab
You use this tab to:
Create Deployment Rules
Configure Endpoint Security client packages for export
Configure these advanced package settings:
VPN client settings
The Package repository once uploaded to the server
The file signing method to protect the integrity of the client package
Client Logging
Endpoint Security clients upload logs to the Endpoint Security Management Server. On the server, the logs are stored in the common log database, which you can see in the Logs tab of the SmartConsole Logs & Monitor view.
Note - The VPN component uploads SCV logs to the VPN Security Gateway.
Finding Components
You can use a search feature to find components such as computers, users, directories, and programs.
To find a component:
1. In the Search field tool bar, enter a string to match a component.
2. Click Search. The Search Results show on the Users and Computers tab.
Show/Hide Components
You can choose which components show in SmartEndpoint and which are hidden.
To show or hide a component in SmartEndpoint:
1. From the Menu icon, select Tools > Show/Hide Blades.
2. Click on a component to see if it is Visible or Hidden.
3.
Users and Computers
You use the Users and Computers tab to see and manage these object types:
Users
Computers
Active Directory OUs and nodes
Computer and user groups
Networks
Virtual Groups
Using the Users and Computers Tab
The Users and Computers tab includes these elements:
The Directory Tree - Shows the Users and Computers hierarchy and structure as folders and objects.
Global Actions - From here you can perform different SmartEndpoint operations.
The Blades Pane - Shows the components and their status for the selected object.
Using the Object Details Window
The Object Details window shows more detailed information for the selected object than the Rules and Status pane. You cannot add or change policy rules in this window.
To show the Object Details window:
1.
Remote Help.
OneCheck User Settings - Opens a list of operations related to OneCheck User Settings, Pre-boot, and the "Check Point Full Disk Encryption Self-Help Portal" on page 205
Anti-Malware - Opens a list of Push Operations related to Anti-Malware, Client Settings, "Push Operations"...
Harmony Endpoint Forensics and Remediation - Opens a list of Push Operations related to Harmony Endpoint Forensics and Remediation. See "Push Operations" on page 62
Client Settings - Opens a list of Push Operations related to Client Settings. See "Push Operations"...
Managing Users
The Users and Computers tab shows status and assigned rules for each component. You can also edit rules and create custom rules as necessary.
To see user details:
1. Select the Users and Computers tab.
2. Right-click a user in the Users and Computers tree and select Edit. "Using the Object Details Window"...
Managing OUs or Groups
You can manage Active Directory OUs and groups in the Users and Computers tab.
To see OU or group details:
1. Select an OU or group in the Users and Computers tree.
2.
Managing Computers
You manage individual computers in the Users and Computers window. This window shows computer details and the policies and users assigned to them. You can configure which users can log on to the computer.
To see computer details:
1.
5. Click OK.
6. On the SmartEndpoint toolbar, select File > Save.
To remove authorized users from the computer:
1. Right-click a computer in the Users and Computers tree and select Full Disk Encryption > Authorize Pre-boot users.
2.
To reset a computer:
1. In the Users and Computers tab, or anywhere in SmartEndpoint where a computer object is shown, right-click a computer and select Reset Computer Data.
2. When the Reset Computer message shows, click Yes to confirm.
3.
Editing Properties of Non-AD Objects
All objects that are not part of an Active Directory are in the Other Users/Computers node in the Users and Computers tab. From this location you can:
Edit user and computer properties. You can edit all fields that show a pencil icon.
Right-click an object and select Delete to delete non-AD objects from your environment.
Managing Virtual Groups
In the Users and Computers tab you can see and manage Virtual Groups. See "Virtual Groups in Policy Rules" on page 152.
Active Directory Scanner
If your organization uses Microsoft Active Directory (AD), you can import users, groups, Organizational Units (OUs) and computers from multiple AD domains into the Endpoint Security Management Server. After the objects have been imported, you can assign policies. When you first log in to SmartEndpoint, the Users and Computers tree is empty.
Note - If the scanner is for a specific OU in the domain, only the groups and group members in the OU are included in the scan. If your groups contain members from different OUs, we highly recommend configuring the LDAP Path of the scan to the root of the domain, to avoid inconsistencies.
Active Directory Scanner SSL Enabled - Uses SSL Tunneling. You must have an SSL certificate installed on the Domain Controller. By default, this is not selected. Port - The port over which the scan occurs. Scan Interval - The Endpoint Security Management Server sends a request to the Domain Controller to see if changes were made to the domain.
Computers deleted from the Active Directory that do not have Endpoint Security are deleted from Users and Computers. Computers deleted from the Active Directory that do have Endpoint Security move to the Deleted Users/Computers folder because they might require recovery. You can delete these computers manually from the Management Console.
Issue: SSL certificate is not installed.
Solution: Get an SSL certificate from your Domain Controller and import it to the Endpoint Security Management Server. Alternatively, disable SSL.

Configuring DNS for GSS Connections

GSSAPI, Generic Security Service API, is an interface used to access security services. Kerberos is the implementation of GSSAPI used in Microsoft's Windows platform and is supported by Active Directory authentication protocols.
- To configure LDAPS - Change use.ssl=false to use.ssl=true
- To configure GSSAPI - Change use.gssapi=false to use.gssapi=true
You can set both LDAPS and GSSAPI to true.
3. Save the file.

For GSSAPI, no additional configuration is necessary.

Additional steps for LDAPS:
- Configure the Domain Controller to use LDAPS.
8. Click YES on Trust this Certificate. A confirmation message Certificate was added to the keystore appears.
9. Restart the Endpoint Security servers. Run:
uepm_stop
uepm_start
Deploying Endpoint Security Clients

This chapter contains information and procedures for deploying Endpoint Security clients to endpoint computers. Before deploying the clients, you must add packages to the Repository on the Endpoint Security Management Server. See "Uploading Client Packages to the Repository"...
Uploading Client Packages to the Repository

Upload new client versions to the Package Repository on the Endpoint Security Management Server. Endpoint Security Client packages contain the components (also known as Blades) to be installed on Endpoint Security clients.

Best Practice - Use the Dynamic Package for your client release. Dynamic packages are available for release E82.40 and higher. To use Dynamic Packages for releases E81.40 to E82.30, open a Service Request on the Check Point Support Center.

Endpoint Security client for unattended machines, such as ATMs (automated teller machines for bank customers).
Directory | Package
Master_ENCRYPTION - Full Disk Encryption and Media Encryption & Port Protection Client for 32-bit systems
Master_ENCRYPTION_ - Full Disk Encryption and Media Encryption & Port Protection Client for 64-bit systems
Master_TP - Threat Prevention Client for 32-bit systems: Desktop Firewall and Application Control, Anti-Malware, Forensics and Anti-Ransomware...
- Load the latest supported client version from the internet - Download a zip file that contains the most recent packages from the Check Point Support Center.
- Load a folder containing client installers - Select a folder that contains packages from your network.
Page | Option
Dependencies - Select the dependencies to include in the package:
- .NET Framework 4.6.1 Installer (60MB) - Recommended for Windows 7 computers without .NET installed.
- 32-bit support (40MB) - Selected by default. Recommended for 32-bit computers.
- Visual Studio Tools for Office Runtime 10.0.50903 (40 MB) - Recommended if the package includes Capsule Docs.
Automatic Deployment Using Deployment Rules

Use Deployment rules to automatically download and install pre-configured packages on endpoint computers. Define deployment rules and manage deployments using SmartEndpoint. See the status of all deployments in the Reporting tab. When you deploy Endpoint Security clients with automatic deployment, we recommend that you install two deployment packages on endpoint clients:
1.
a. Select Support R73 client upgrade.
b. Optional: To upgrade without user input, select Silent Upgrade. If this is not selected, users are prompted to upgrade.
c. Optional: To force a reboot after a silent upgrade, select Force reboot. If this is not selected, users are asked to reboot.
For upgrades from E80.x and higher, use a complete software package, not the Initial Client. To upgrade legacy R73 clients, use the PreUpgrade.exe Initial Client, which unlocks legacy files using a predefined uninstallation password. It then continues to install the Initial Client package.
c. Select components to install and clear components that are not to be installed with this rule.
6. Click Next.
7. In the Name and Comment window, enter a unique name for this rule and an optional comment.
Changing Existing Deployment Rules

To edit rules for automatic Deployment:
1. Click the Deployment tab and select Deployment Rules.
2. Select a rule.
3. From most columns, right-click to get these options:
- Clone Rule - Make a new rule with the same contents.
- Delete Rule - Delete the rule.
3. Select the Rules to install and then click Install.

To make sure that a rule does not install:
Right-click in the Actions column of a Deployment rule and select Do not install.
Manual Deployment Using Packages for Export

You can export a package of Endpoint Security components from the Endpoint Security Management Server to endpoint clients using third party deployment software, a shared network path, email or another method. When you create a package of Endpoint Security components for export, the Initial Client is usually included in the package, and not installed first.
- Double-click the legacy upgrade option and select Support client pre-install upgrade.
- Select Silent mode active or Silent mode not active.
- Select the Legacy Secure Access option and click Configure Upgrade Password to enter and confirm the password.
- Select the Legacy Full Disk Encryption EW option and click Configure Upgrade Password to enter and confirm the applicable passwords.
- Username-password - Endpoint users authenticate using their VPN user name and password
- CAPI certificate - Endpoint users authenticate using the applicable certificate
- P12 certificate - Endpoint users authenticate using the applicable certificate
- SecurID KeyFob - Endpoint users authenticate using a KeyFob hard token
- SecurID PinPad - Endpoint users authenticate using an SDTID token file and PIN
- Challenge-response - Endpoint users authenticate using an administrator...
You can also use third party deployment software, a shared network path, email, or some other method.
Configuring Software Signatures for Packages for Export

You can select a file signing method for MSI files that will be deployed using an external distribution system. The Endpoint Security Management Server keeps the certificate in the specified folder. By default, the client uses an internal signature to authenticate.
Seeing the Deployment Status

To see the component deployment status:
1. Go to the Reporting tab.
2. Select Deployment from the tree.
3. Select one of the Deployment status reports.
1. Double-click the ZIP file to expand it.
2. Click the APP file that shows next to the zip file. The Check Point Endpoint Security Installer opens.
3. Click Install.
4. Enter a Name and Password to authorize the installation.
Click Close. If the installation was successful, the Endpoint Security icon shows in the menu bar.

Uninstalling the Client on Mac

To uninstall the Endpoint Security client on Mac computers:
1. Open a terminal window.
2. Run: sudo "/Library/Application Support/Checkpoint/Endpoint Security/uninstall.sh"...
Upgrading Endpoint Security Clients

This section includes procedures for upgrading endpoint clients. You can upgrade to E8X.x clients from earlier versions of E8X.x clients with these requirements:
- You must upgrade both the Initial Client and the Endpoint Security Component Package at the same time.
5. The Endpoint Agent on each assigned client downloads the new package. The client installation starts based on the settings in the Client Settings policy rule. You can configure:
- If the Client Settings policy forces installation and automatically restarts without user notification.

Gradual Upgrade

To upgrade more gradually, you can create a new deployment profile and distribute it only to specified computers.

Note - For an exported package, save the new package in a different location than the previous package.

When you are prepared to upgrade all clients, upgrade all deployment profiles.
Upgrading Legacy Clients

To see the supported upgrade paths, see the Release Notes for the Endpoint Security client version to which you want to upgrade. Legacy clients are those earlier than version E80. You must enter password information to upgrade legacy Secure Access and Full Disk Encryption.

Offline Upgrades

During an offline upgrade, the endpoint has no connection with the Endpoint Security Management Server.
c. Legacy Full Disk Encryption upgrade - To enable an upgrade from legacy Full Disk Encryption EW, you must enter the uninstallation password. Click on Legacy Full Disk Encryption EW upgrade not supported and select Configure Upgrade Password.

The Installation window opens.
3. Click Legacy Client Uninstall Password.
4. Enter uninstall passwords for:
- Legacy Secure Access
- Legacy FDE EW
5. Click OK.
6. On the Deployment tab, select Packages for Export from the tree.
7. Click Add.
8.
The client remains encrypted. All existing user and policy settings are discarded. Only partition keys are kept. Full Disk Encryption goes through the Deployment Phase.

To upgrade a client package from Full Disk Encryption EW:
If you know the Validation Password, do the procedure in "Upgrading Endpoint Security Clients"...
Do not:
- Upgrade when the disk is not fully encrypted.
- Start another upgrade before a computer is fully protected with the first upgrade.
- Uninstall the upgrade before a computer is fully protected with the upgraded version.
Troubleshooting the Installation

Administrative Privileges

Installation of Endpoint Security requires the user to have administrator privileges. Installing or uninstalling the client on Windows 7 and higher with active UAC (User Access Control) requires the user to invoke the installer with the "run as administrator" option.
If the VPN client is unable to connect to the configured Security Gateway, a Connectivity to the VPN server is lost message shows. To resolve this:
1. Make sure that the Check Point Endpoint Security service (the EPS service) is up and running.
Configuring Logging

Each Endpoint Security client sends logs to the Endpoint Security Server (Endpoint Policy Server or Endpoint Security Management Server) to which the client is connected. To see all collected logs together in the Logs tab of the SmartConsole Logs & Monitor view, you must configure Log Indexing for each Endpoint Security Server in the SmartConsole.
- Certificates for client packages
- Endpoint Management database
- Security Management Server database

The migration utility:
- Only exports and imports files that are related to Check Point components installed on the target server.
- Copies configuration files to the correct path.

Prerequisites

The two Endpoint Security servers must have the same Endpoint Security version.
Updating the PAT Version on the Server after Restore

Restoring an earlier configuration (.tgz) file to a new Endpoint Security Management Server also restores the older Policy Assignment Table (PAT). If the PAT version on the restored server is lower than the PAT version on the client, the client will not download policy updates.
Defining Endpoint Security Policies

To manage the Security Policies for Endpoint Security, use the Policy tab of the SmartEndpoint console. The Policy tab contains the Policy Management Toolbar and the Policy Rule Base. The Policy Rule Base contains a policy for each of the Endpoint Security components (formerly known as Blades).
Columns of a Policy Rule Base

These are the columns in a policy rule:

Column | Description
Number - Rule Number
Name - Rule Name
Applies To - The part of the organization (the entity) to which the rule applies
Actions - The configurations that apply to the Endpoint Security component...
The Policy Toolbar

The Policy tab contains the Policy Toolbar and the Policy Rule Base. This is the Policy Toolbar:

Click | To do this
- Add and delete rules
- Save, refresh and install policy changes
- Show only the actions that are different than the default rule for that component
- Change the order of the rules for the component.
User and Computer Rules

One user may have multiple computers. Some computers may have multiple users.
- One user with multiple computers:
- One computer with multiple users:
The policies for some Endpoint Security components are enforced for each user. See "Rule Types for Each Endpoint Security Component"...

Connected, Disconnected and Restricted Rules

Endpoint Security can enforce policy rules on computers and users based on their connection and compliance state. When you create a policy rule, you select the connection and compliance states for which the rule is enforced.

Rule Types for Each Endpoint Security Component

The table shows if the policy for each Endpoint Security component is enforced for each user or for each computer (the Rule Type). It is also possible to define a Connected policy for all components. For some components you can also define Disconnected and Restricted policies.

Rule Entities

When you configure a rule, you specify the entities that the rule Applies To. These are some of the entities you can specify:
- Entire Organization (the root of the organization folders)
- Network IP ranges
- AD Groups
- Virtual Groups
- Users (for User Policies only)
- Computers (for Computer Policies only)

Protection for Servers

These components can be installed on supported servers in the same way that they are installed on workstations:
- Anti-Malware
- Firewall
- Compliance

Important - Application Control is not supported on all versions of Windows Server. Do not deploy this component on clients that run operating systems that are not supported.

Working With Rules

The policy for each Endpoint Security component is made up of rules. Each component has a default rule that applies to the Entire Organization. You can change the default rule for the component, but you cannot delete it. For each component, you can add rules that apply to specific parts (entities) of the organization.
A Disconnected state rule is enforced when an endpoint computer is not connected to the Endpoint Security Management Server. For example, you can enforce a more restrictive policy if users are working from home and are not protected by organizational resources.

Example

Read the comments in the rules.

Name: Firewall Default
Applies to: Entire Organization
Comment: Firewall settings for the entire organization. This rule applies to the users who do not belong to the OUs "Europe" or "US", and do not belong to the AD group "Managers".

This is how the Endpoint Security client applies the rules after you change the order of the rules in the previous example policy. If there is more than one rule for an Endpoint Security component, the Endpoint Security client applies the rules in this order: the first rule that applies to the user or computer in the "more rule(s)" section.

Example 2

Read the comments in the rules.

Name: Firewall Default
Applies to: Entire Organization
Comment: Firewall settings for the entire organization. This rule applies to the users who do not belong to the OUs "Europe" or "US", and do not belong to the AD group "Managers".
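The first-match ordering described above, as an added illustration that is not Check Point's code: the rule base is walked top to bottom, the first rule whose Applies To entities include the user or computer wins, and the Entire Organization default rule catches everything else. Entity labels such as "OU: Europe" and "AD group: Managers" are a constructed modelling assumption, and the shadowed_rules check flags any rule placed below an Entire Organization rule, which could never apply.

```python
# Added example (not Check Point's code): first-match evaluation of an ordered
# rule base for one Endpoint Security component, plus a sanity check that no
# rule sits below a catch-all rule. Entity labels are a constructed assumption.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set

ENTIRE_ORGANIZATION = "Entire Organization"


@dataclass(frozen=True)
class Rule:
    name: str
    applies_to: FrozenSet[str]   # entities; ENTIRE_ORGANIZATION matches everyone
    comment: str = ""


@dataclass
class Endpoint:
    name: str
    memberships: Set[str] = field(default_factory=set)  # OUs, AD groups, virtual groups


def applies(rule: Rule, endpoint: Endpoint) -> bool:
    """A rule applies if it targets the Entire Organization or if any of its
    Applies To entities is one the endpoint belongs to."""
    if ENTIRE_ORGANIZATION in rule.applies_to:
        return True
    return not rule.applies_to.isdisjoint(endpoint.memberships)


def resolve(rules: List[Rule], endpoint: Endpoint) -> Rule:
    """Walk the rule base top to bottom and return the first rule that applies.
    The default rule (Entire Organization) is last, so it catches everyone else."""
    for rule in rules:
        if applies(rule, endpoint):
            return rule
    raise LookupError("rule base has no default rule")


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never apply because a catch-all rule precedes
    them: a rule for the Entire Organization hides every rule below it."""
    names = []
    seen_catch_all = False
    for rule in rules:
        if seen_catch_all:
            names.append(rule.name)
        elif ENTIRE_ORGANIZATION in rule.applies_to:
            seen_catch_all = True
    return names


# Constructed rule base mirroring the worked example: specific rules first,
# the default rule for the Entire Organization last.
FIREWALL_RULES = [
    Rule("Firewall for Managers", frozenset({"AD group: Managers"})),
    Rule("Firewall for Europe", frozenset({"OU: Europe"})),
    Rule("Firewall for US", frozenset({"OU: US"})),
    Rule("Firewall Default", frozenset({ENTIRE_ORGANIZATION}),
         'Applies to users not in OUs "Europe" or "US" and not in AD group "Managers"'),
]

# The same rules with the Managers rule moved below the OU rules.
REORDERED_RULES = [FIREWALL_RULES[1], FIREWALL_RULES[2],
                   FIREWALL_RULES[0], FIREWALL_RULES[3]]

# Constructed sample entities (hypothetical users).
EU_MANAGER = Endpoint("alice", {"OU: Europe", "AD group: Managers"})
US_STAFF = Endpoint("bob", {"OU: US"})
ASIA_STAFF = Endpoint("chen", {"OU: Asia"})


def which_rule(rules: List[Rule], endpoint: Endpoint) -> str:
    return resolve(rules, endpoint).name


if __name__ == "__main__":
    # Same user, different outcome once the rule order changes.
    for label, rules in (("original", FIREWALL_RULES), ("reordered", REORDERED_RULES)):
        print(label, which_rule(rules, EU_MANAGER))
    # A catch-all rule placed first silently hides every rule below it.
    print(shadowed_rules([FIREWALL_RULES[3]] + FIREWALL_RULES[:3]))
```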
To edit the name or comment of a rule:
Double-click the text in the name or comment of the rule, and modify it.

To add an entity to a rule:
1. In the Applies To column of the rule, click Add Assignment.
2.

To edit a rule action:
1. In the Policy rule, click the action.
2. Edit the action in one of these ways:
- Edit Shared Action to edit the properties of the action. Changes affect all the rules that use the action.

Changes to Virtual Groups

If you make changes to an object that is related to Virtual Groups, the changes are enforced immediately. For example, if you move an object into a virtual group, the rules for that group apply to the object immediately.
To assign a rule to an entity:
1. Open the Users and Computers tab.
2. In the All Organization Folders area, search for the entity.
3. In the Blades area, select a component.
4. In the Rule area, review the rule that is assigned to the entity for this component.
5.
Virtual Groups in Policy Rules

You can use these types of groups in SmartEndpoint:
- Active Directory group - These are synchronized automatically from Active Directory using the Directory Scanner. You cannot modify an Active Directory group.
- Virtual group - Create these in SmartEndpoint or use one of the predefined virtual groups.

Using Active Directory but do not want to use it for Endpoint Security. For example:
- Different administrators manage the Active Directory and Endpoint Security.
- Your Endpoint Security requirements are more complex than the Active Directory groups.

- All Servers
- All Mac OS X Desktops
- All Mac OS X Laptops
- All Windows Desktops
- All Windows Laptops
- Capsule Docs external users - Users that are not part of the organization's Active Directory but are registered on the Endpoint Security Management Server as an external user.

- Enter a name for the group.
- Optional: Enter a Comment.
- Select Virtual Group or Computer Group.
3. Click Next.
4. In the Select Entities window, select the members of the group.
5. Click Finish.

To add computers and users from Active Directory to a Virtual Group:
1.
Name: Media Encryption & Port Protection Default
Applies to: Entire Organization
Comment: Media Encryption & Port Protection settings for the entire organization. This rule applies to all users that are not logged into computers in "Media Encryption computer Group".
1 more rule...

Name | Applies to | Actions | Comment
Deployment to Endpoint Desktops | Desktops (\Virtual Groups) | Client Version 80.88.4122; Selected blades |
Deployment to Endpoint laptops | All Laptops (\Virtual Groups) | Client Version 80.88.4122; Selected... | Same as desktop plus Full Disk Encryption and Endpoint Security VPN
Monitoring Virtual Groups

Virtual Groups show in Reporting reports like other objects. You can create Virtual Groups for monitoring and other purposes. Endpoints can be members of more than one group. For example, if you want to do a test of a new Endpoint Security upgrade, you can create a Virtual Group that contains only those endpoints included in the test.
External Endpoint Policy Servers

If no external Endpoint Policy Servers are configured, the Endpoint Security Management Server, which contains an Endpoint Policy Server, manages all client requests and communication. If you install more Endpoint Policy Servers, they manage most communication with the Endpoint Security clients.

4. Optional: Type the FQDN (Fully Qualified Domain Name) of the Endpoint Policy Server. For example, somehost.example.com. If you specify the FQDN, the Endpoint clients use the FQDN and not the IP address to communicate with the Endpoint Policy Server. The advantage of specifying the FQDN is that if the IP address of the server changes, communication between the server and the clients is not interrupted.

How do Endpoint Policy Servers Work?

External Endpoint Policy Servers decrease the load of the Endpoint Security Management Server and reduce the bandwidth required between sites. By default, the Endpoint Security Management Server also acts as an Endpoint Policy Server, in addition to the other Endpoint Policy Servers.
- Anti-Malware updates
- All Endpoint Security client logs (the Endpoint Policy Server is configured as Log Server by default).

The Endpoint Policy Server sends this data to the Endpoint Security Management Server:
- All component-specific messages (which require information to be stored in the database).
Configuring Policy Server Settings

The primary aspects of working with Endpoint Policy Servers that you can configure are:
- The interval after which the clients do an analysis to choose which Endpoint Policy Server to connect to.
- If the Endpoint Security Management Server also behaves as an Endpoint Policy Server or not.
Clients continue to connect to the closest Endpoint Policy Server until the next proximity analysis.

Note - You cannot configure which particular Endpoint Policy Servers a client should use, only a list of servers for the client to choose from.

Configuring Endpoint Policy Server Connections

To configure Endpoint Policy Server connections:
1.
To configure the Endpoint Security Management Server to behave as an Endpoint Policy Server only if all Endpoint Policy Servers do not respond:
1. In SmartEndpoint, select Manage > Endpoint Connection Settings.
2. Clear Enable Endpoint Management Server to be Endpoint Policy Server.
3.

The first synchronization can take a long time, based on the amount of policies and installation packages that the Endpoint Policy Server must download from the Endpoint Security Management Server. When the first synchronization is complete, the Endpoint Policy Server will show as Active in the Reporting tab.
Configuring an Alert for a Non-Synchronized Policy Server

You can configure the Endpoint Security Management Server to send an email alert to one or more people if one or more of the Policy Servers are not synchronized with the Endpoint Security Management Server.

- 1 Week
- None
8. Click OK.

Example Alert Email About Policy Server Out-of-Sync

This is an example of an alert mail that the Endpoint Security Management Server sends when an Endpoint Policy Server becomes out-of-sync.

This is an automated message about Active Alerts from the Endpoint Security Management server.
Monitoring Endpoint Policy Server Activity

You can see the status of Endpoint Policy Servers in the Reporting tab of SmartEndpoint. In the Reporting tab, select Endpoint Policy Servers Status. In the Status list, select which Endpoint Policy Servers to see:
- All.
2. In SmartConsole, connect to the primary server.
3. Create a network object for the secondary server: In the Gateways & Servers tab, click the New icon and select Network Objects > Gateways and Servers > Check Point Host.

7. In the window that opens, enter these configuration parameters:
- One-time password (twice to confirm) - SIC Activation Key that you entered in the Check Point Configuration Tool
Click Initialize to create a state of trust between the Endpoint Security Management Servers.
Synchronizing MSI Files, Dynamic Packages and Drivers

Each time you download a new MSI package, Dynamic Package or a driver related to the Endpoint Security client, for example, a Smart Card driver, you must manually synchronize these files in all the High Availability environments. The synchronization is not performed automatically due to the large file size.

d. Run:
i. cd $FWDIR/conf/SMC_Files/uepm
ii. chmod -R u+rwx,g+rwx,o-rwx msi/
iii. chmod -R u+rwx,g+rwx,o-rwx packages/
iv. chmod -R u+rwx,g+rwx,o-rwx recimg/
v. chmod -R u+rwx,g+rwx,o-rwx archives/
vi. find msi/ -type d -exec chmod g+s {} \;
vii. find packages/ -type d -exec chmod g+s {} \;
viii.
Notes -
- A standby Endpoint Security Management Server cannot be changed to Active until the first synchronization of the Endpoint Security database is completed.
- While the Primary server is offline and the Secondary server is active, external Remote Help servers do not get updates.

The Edit String window opens.
4. Copy the number in the Value data field. This is the PAT version number.

To change the PAT version on the server:
1. Open a command prompt.
2. Run the Endpoint Security Management utility (uepm.exe) and set the new PAT version: uepm patver set <old_PAT_version_number>...
Active Directory Authentication

Endpoint Security Active Directory Authentication

When an Endpoint Security client connects to the Endpoint Security Management Server, an authentication process identifies the endpoint client and the user currently working on that computer. The Endpoint Security system can function in these authentication modes:
- Unauthenticated mode - Client computers and the users on those computers are not authenticated when they connect to the Endpoint Security Management Server.

4. The Endpoint Security Management Server returns an acknowledgment of authentication to the Endpoint Security client (1).

The default behavior after Security Management Server installation is Unauthenticated mode. It is recommended that you use this mode when you are evaluating Endpoint Security, in a lab environment.

3. Create a domain user and clear the User must change password at next logon option.
4. Run this command to map a service to a user:
Syntax: ktpass -princ ServiceName/realm@REALM -mapuser <userName>@REALM -pass <userPass> -out <name of outFile>
Example: ktpass -princ tst/nac1.com@NAC1.COM -mapuser auth-user@NAC1.COM -pass 123456 -out outfile.keytab...
Notes - Make sure that the clock times on the Endpoint Security servers and the Kerberos server are less than 5 minutes apart. If the difference in the clock times is more than 5 minutes, a runtime exception shows and Active Directory authentication fails.

Field | Description
Key Version - Enter the version number according to the Active Directory output in the vno field. For example: 7
Encryption method - Select the encryption method according to the Active Directory output in the etype field. For example: RC4-HMAC
Password - Enter (and confirm) the password of the Active Directory Domain...
When you configure a new user account in AD, you are given the option to select a UPN suffix, which by default will be the DNS name for your AD domain. It can be useful to have a selection of UPN suffixes available.

To see full debugging information in the Authentication.log file on an Endpoint Security server:
1. On the Endpoint Security server, run: export TDERROR_ALL_KERBEROS_SERVER=5
2. Restart the Endpoint Security server. Run: uepm_stop ; uepm_start

Results in Authentication.log

If the Authentication.log file on the server shows: ERROR: Config file contains no principals
The database was cleaned or the process to include authentication in the client package was faulty.
Make sure that in the Windows Date and Time Properties window, the Automatically adjust clock for daylight saving changes option has the same value (selected or cleared) for all computers in the system, including the Active Directory server. The following workaround is not recommended, for security reasons, but is offered if you cannot fix the clock skew error with synchronization changes.
The specified target is unknown or unreachable
Check the service name. Make sure that there are no typing errors and that the format is correct. If there was an error, correct it on the Check Point Endpoint Security Management Server.
Configure the settings for Check Point Full Disk Encryption in SmartEndpoint in the Policy tab > Full Disk Encryption rules.

Edit the actions of the rule to your requirements, and install the policy. Alternatively, use the following procedure to create a new Check Point Full Disk Encryption policy rule and configure actions for a specific organizational unit. After you install the Full Disk Encryption policy, make sure the policy is installed on the client.
Volume Encryption

These actions define if the volumes of the hard disk are encrypted or not.

Action | Description
Encrypt all local hard disks - All volumes of the hard disk are automatically fully encrypted. The encrypted disk is only accessible to authorized users.

Custom Disk Encryption Settings

If you select Custom Volume Encryption for the Encrypted disks and volumes setting, configure the encryption and Pre-boot settings for each volume.

To configure the settings for each volume:
1. In the Custom Volume Encryption Settings window, click Add.
2.

3. Find the row for your client version.
4. In the Additional information column, click Documentation.
5. Click the link to the Release Notes.
Authentication before the Operating System Loads (Pre-boot)

The Pre-boot Protection action of a Full Disk Encryption rule defines if users must authenticate in the Pre-boot before the operating system loads. Configure the Pre-boot authentication method and other settings related to user authentication in the OneCheck User Settings rules.

If you choose Do not authenticate user before OS loads (Not recommended), the user experience is simpler, but it is less secure. Users log in to Windows only, and the options in the Integrate with OS login part of the action properties become available. To reduce security issues, configure settings in Require Pre-boot if one or more of these conditions are met:
- Single Sign-On (SSO) together with Pre-boot Authentication.
2. Click Temporarily Disable Pre-boot.
3. Click Yes.
The Pre-boot is enabled again when you click Revert to Policy Configuration or when the criteria in the Temporary Pre-boot Bypass settings are met.
To configure Temporary Pre-boot Bypass settings:
1.
Temporary Pre-boot Bypass with a Script
If you run scripts to do unattended maintenance or installations (for example, SCCM), you might want the script to reboot the system and let the script continue after the reboot. This requires the script to turn off Pre-boot when the computer is rebooted.
The computer cannot reach any of the configured locations - Requires Pre-boot when the Location Awareness requirements are not met. If you select this, configure the locations that the computer tries to reach in the list below.
3.
Permission | Notes
Maximum number of failed logons allowed before reboot | If active, specify the maximum number of failed logons allowed before a reboot takes place. This setting does not apply to smart cards. Smart cards have their own thresholds for failed logons.
User Authorization before Encryption
Full Disk Encryption policy settings enable user acquisition by default. If user acquisition is disabled, the administrator must assign at least one Pre-boot user account to each client computer before encryption can start. You can require one or more users to be acquired before encryption can start.
At least one user has been acquired after x day(s) - Select how long to wait before Pre-boot is enforced on acquired users. This setting limits the number of days during which user acquisition is active for the client. If the limit expires and one user has been acquired, Pre-boot is enforced and encryption can start.
Double-click an action to edit the Properties. To configure OneCheck Logon properties: 1. Select Enable lock screen authentication (OneCheck). 2. Optional: Configure the Check Point Endpoint Security screensaver. The screensaver is active only after a Full Disk Encryption policy has been installed on the client.
After selecting the Check Point Endpoint Security screensaver option, enter:
The text that shows when the screensaver is active.
The number of minutes the client remains idle before the screensaver activates.
3. Optional: Select Require that only an authorized Pre-boot user is allowed to log into Windows.
Check Point Full Disk Encryption Recovery
If a system failure prevents the operating system from starting on a client computer, Check Point Full Disk Encryption has these options:
Full Recovery with Recovery Media - Decrypts the failed disk. This takes more time than the Full Disk Encryption Drive Slaving Utility and the Dynamic Mount Utility, which let you access data quickly.
To create recovery media from the Endpoint Security Management Server:
1. In SmartEndpoint, select Tools > Encryption Recovery Media. The Full Disk Encryption Recovery Media Tool window opens.
2. Double-click a folder in the navigation tree to see the users and computers that it contains.
Using Data Recovery Media
Use the newly created Full Disk Encryption recovery media to decrypt the failed computer.
To recover an encrypted computer:
1. On the failed computer, run the recovery media from a CD/DVD or a bootable USB device.
Using the Drive Slaving Utility
To use the Full Disk Encryption Drive Slaving Utility:
1. On a computer with Check Point Full Disk Encryption installed, run this command to start the Full Disk Encryption Drive Slaving Utility:
<x:>\Program files (x86)\CheckPoint\Endpoint Security\Full Disk Encryption\fde_drive_slaving.exe...
Check Point Full Disk Encryption Self-Help Portal
The Self-Help Portal lets users reset their own Full Disk Encryption passwords. To use the Self-Help Portal, users must first register with the portal. After registration, users can use the Self-Help Portal for password recovery.
Configuring the Self-Help Portal
The Self-Help Portal only works with Active Directory users. Before you can use the Portal, make sure that the Endpoint Security Active Directory Scanner is configured and that the Active Directory has been scanned.
Select Lock Password Self-Help to prevent users from recovering passwords in the portal.
3. A confirmation message shows. Click Yes.
Monitoring the Self-Help Portal Policy
To see the status of user enrollment and recovery for the Self-Help Portal: In SmartEndpoint, in the Reporting tab, select User Authentication Policy >...
Windows. Check Point BitLocker uses the Endpoint Security Management Server, Client Agent and the SmartEndpoint UI to manage BitLocker. BitLocker Management is implemented as a Windows service component called Check Point BitLocker Management. It runs on the client together with the Client Agent (the Device Agent). Check Point BitLocker Management uses APIs provided by Microsoft Windows to control and manage BitLocker.
Alternatively, you can create a new rule and configure actions for a specific organizational unit.
Best Practices:
1. When you change the encryption policy for clients from Check Point Full Disk Encryption to BitLocker Management, the disk on the client is decrypted and then encrypted again.
8. Click Yes. Two actions remain: Encryption Engine and Access Management.
9. Edit the BitLocker Management policy: Click Use BitLocker Management and select Edit Shared Action.
10. Configure these settings:
Setting | Options
Initial encryption type | Encrypt entire drive - Recommended for computers that are in production and already have user data, such as documents and emails.
15. In the main toolbar, click Save rule, and install the policy.
Making sure the BitLocker Management policy is installed on the client
1. On the Windows client computer, in the system tray, right-click the lock icon of the Endpoint Security client.
Switching the encryption engine from Check Point Full Disk Encryption to BitLocker Management
1. Open SmartEndpoint and go to the Policy tab.
2. In the rule for Check Point Full Disk Encryption, in the Actions column, change the Encryption Engine action from Use Check Point Full Disk Encryption to Use BitLocker Management.
Switching the encryption engine from BitLocker Management to Check Point Full Disk Encryption
1. Open SmartEndpoint and go to the Policy tab.
2. In the rule for Check Point Full Disk Encryption, in the Actions column, change the Encryption Engine action from Use BitLocker Management to Use Check Point Full Disk Encryption.
After the computers are under Check Point BitLocker Management, define a rule with Check Point Full Disk Encryption whose Applies To is either the Entire Organization or only the entities that need Check Point Full Disk Encryption. Follow the procedure in "Configuring a Check Point Full Disk Encryption Policy"...
BitLocker Recovery
BitLocker recovery is the process by which you restore access to a BitLocker-protected drive when you cannot unlock the drive normally. In SmartEndpoint, you can use the Recovery Key ID of a computer to find the Recovery Key for an encrypted client computer.
c. If the disk sectors containing the encrypted keys are damaged or unreadable, you can export a BitLocker Key Package to external media to use for recovery. In Select File name and location, browse to a location. To learn how to use the Microsoft recovery tools to decrypt the disk, see the Microsoft BitLocker Recovery Guide.
Installing and Deploying Full Disk Encryption
After a package that includes Full Disk Encryption is successfully installed on a client, many requirements must be met before the Full Disk Encryption policy can be enforced. Until these requirements are met, the Pre-boot does not open.
Hybrid Drive or other similar Drive Cache Technologies. See sk107381.
A compressed root directory. Subdirectories of the root directory can be compressed.
Other Requirements:
All disks that are encrypted by FDE must have the same format (MBR or GPT).
GPT-formatted disks are supported only on UEFI devices.
Waiting for Restart - The user must reboot the client. After the reboot, users see the Pre-boot. Users get a message to log in with their Windows credentials. Then Full Disk Encryption starts to encrypt the volumes according to the policy.
Encryption in Progress - Full Disk Encryption is encrypting the volumes.
Upgrading Full Disk Encryption
If you upgrade Endpoint Security from an earlier version of R80, R80.X, or E80.x, no special actions are required for Full Disk Encryption.
To upgrade Full Disk Encryption, follow these procedures: "Upgrading Endpoint Security Clients"...
CPinfo is used to collect data about components in the Full Disk Encryption environment on the client. We recommend that you send the collected data to Check Point for analysis. If you do not enter an output folder, CPinfo collects data about components in the Full Disk Encryption Pre-boot environment on the client.
The information is collected. A window opens that shows the location of the cab file.
6. Press a key to exit CPinfo.
To run CPinfo manually:
1. Open a command prompt.
2. Go to the CPinfo tool path location: cd \path\
3.
You can use the debug logs to examine the deployment phase or problems that occur. The information there is included in CPinfopreboot. Send the full results of CPinfopreboot to Check Point Technical Support for analysis. The client debug log file is on the user's Endpoint Security client computer (for Windows 7...
User authentication/user locked events
Upgrade Issues
The FDEInstallDLL.dll file creates the upgrade log: %ALLUSERSPROFILE%\Application Data\Check Point\Full Disk Encryption\FDE_dlog.txt. Always examine the log file for possible installation errors. The log file sometimes contains Win32 error codes with suggested solutions. To show the text of a Win32 error code, run the net helpmsg command: C:\>net helpmsg...
Full Disk Encryption Deployment Phase Issues
Here are some issues that can occur in the Deployment Phase, with possible causes and solutions.
Problem: The deployment is stuck at the user acquisition stage
Causes and Solutions:
1. The User Acquisition policy might require that multiple users log on to the computer.
Problem: The deployment is slow or hanging
Causes and Solutions:
Make sure that the computer meets all client requirements.
Disk fragmentation or a damaged hard drive can cause problems with Full Disk Encryption. Run disk defragmentation software on the volume to repair fragmentation and damaged sectors.
User Authentication to Endpoint Security Clients (OneCheck)
OneCheck User Settings define how users authenticate to Endpoint Security client computers. OneCheck User Settings include:
How users authenticate to Endpoint Security.
Whether users can access Windows after they authenticate to Endpoint Security, or must also log on to Windows.
Configuring OneCheck User Settings Policy Rules
For each Action in a rule, select an option that defines the Action behavior. You can select a predefined Action option or select New to define a custom Action option. Right-click an Action and select Edit or Edit Shared Action to change the Action behavior.
Enter a text string in the Search field. Click Import to import a driver from your computer. If necessary, you can download drivers to import from the Check Point Support Center. 5. In the Directory Scanner area, select Scan user certificates from Active Directory if you want the Directory Scanner to scan user certificates.
Scan all user certificates
Scan only user certificates containing the Smart Card Logon OID - The OID is 1.3.6.1.4.1.311.20.2.2.
7. Click OK. If necessary, use the Pre-boot Reporting reports to troubleshoot issues with drivers or user certificates.
7. If you select Dynamic Token, click Select token. The user can only authenticate with the selected token. See "Managing Dynamic Tokens" on page 245. Select a token from the list, or click Add or Import to add a new token. Click OK.
Password Complexity and Security
Policy view > OneCheck
These Actions define the requirements for user passwords for OneCheck User Settings:
Action | Description
Use Windows password complexity | The standard Windows password requirements are enforced. The password must: have at least six characters; have characters from at least 3 of these categories: uppercase, lowercase, numeric characters, symbols.
Password Synchronization
Pre-boot is a program that prevents the operating system from booting until the user authenticates. You can synchronize the Pre-boot and operating system passwords.
Notes and Recommendations:
Password Synchronization only works if Pre-boot authentication is enabled.
If you plan to use OneCheck Logon, we recommend that you keep the OS and Pre-boot passwords synchronized.
Account Lock
You can configure Full Disk Encryption to lock user accounts after a specified number of unsuccessful Pre-boot login attempts:
Temporarily - If an account is locked temporarily, users can try to log on again after a specified time.
Option | Description
Duration of a temporary lockout | Duration of a temporary lockout period, in minutes.
Maximum number of successful logons allowed before the account is permanently locked | Maximum number of successful logins before an account is permanently locked. You can use this option to let a temporary user log in for a specified number of logins.
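As an added illustration (not Check Point code) of the OneCheck password rules and Account Lock options described above: a check for the Use Windows password complexity action, and a small state model of the temporary and permanent lockouts. The attempt counts and durations are constructed sample values, and treating any non-alphanumeric character as a "symbol" is an assumption.

```python
"""Added example modelling the OneCheck Pre-boot password rules on this page.
Constructed illustration, not Check Point code: the policy values below are
sample values, and treating every non-alphanumeric character as a 'symbol'
is an assumption about the Windows complexity categories."""
from dataclasses import dataclass
from typing import List, Optional

MIN_LENGTH = 6       # "Have at least six characters"
MIN_CATEGORIES = 3   # "characters from at least 3 of these categories"


def complexity_violations(password: str) -> List[str]:
    """Return the rules of the 'Use Windows password complexity' action that
    the password fails; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    categories = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "numeric": any(c.isdigit() for c in password),
        "symbols": any(not c.isalnum() for c in password),  # assumption
    }
    if sum(categories.values()) < MIN_CATEGORIES:
        missing = [name for name, present in categories.items() if not present]
        problems.append("only %d of 4 character categories (missing: %s)"
                        % (4 - len(missing), ", ".join(missing)))
    return problems


@dataclass
class AccountLockPolicy:
    """The Account Lock options: failed attempts before a temporary lock,
    its duration in minutes, and (optionally) how many successful logons a
    temporary user gets before the account is permanently locked."""
    failed_attempts_before_lock: int = 5          # sample value
    temporary_lockout_minutes: int = 15           # sample value
    successful_logons_before_permanent_lock: Optional[int] = None


@dataclass
class PrebootAccount:
    """Lock state of one Pre-boot user account under an AccountLockPolicy."""
    policy: AccountLockPolicy
    failed_attempts: int = 0
    successful_logons: int = 0
    locked_until: Optional[float] = None   # seconds, same clock as `now`
    permanently_locked: bool = False

    def is_locked(self, now: float) -> bool:
        if self.permanently_locked:
            return True
        return self.locked_until is not None and now < self.locked_until

    def attempt(self, password_ok: bool, now: float) -> str:
        """Process one Pre-boot logon attempt at time `now` (seconds).
        Returns 'locked', 'denied' or 'ok'."""
        if self.is_locked(now):
            return "locked"          # no attempt is counted while locked
        if not password_ok:
            self.failed_attempts += 1
            if self.failed_attempts >= self.policy.failed_attempts_before_lock:
                # Temporary lock: the user may try again after the period.
                self.locked_until = now + self.policy.temporary_lockout_minutes * 60
                self.failed_attempts = 0
            return "denied"
        # Successful logon: reset the failure counter and temporary lock.
        self.failed_attempts = 0
        self.locked_until = None
        self.successful_logons += 1
        limit = self.policy.successful_logons_before_permanent_lock
        if limit is not None and self.successful_logons >= limit:
            # A temporary user has used up the allowed logons; the account
            # stays locked from now on (permanent lock).
            self.permanently_locked = True
        return "ok"
```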
Logon Settings
OneCheck User Settings Logon Settings define additional settings for how users can access computers. Expand the Advanced section in the OneCheck User Settings rule to configure this.
Option | Description
Allow logon to system | Lets a user other than the logged-on user authenticate in Pre-boot to a system in hibernate mode.
USB receive tokens, or Check Point Smart Card. It is also useful if the user made One-Time too many failed attempts but does not want to change the password.
Managing Authorized Pre-boot Users and Nodes
When users are added to an Active Directory group that has a Pre-boot assignment, the new users are automatically added as authorized Pre-boot users. If the new users bring the total number of Pre-boot users of a device above 1000, a message shows that only the first 1000 users are authorized for the device.
Creating Pre-boot Users
Pre-boot users can be within a node or not assigned to a node.
To create a new online Pre-boot user:
1. In the Users and Computers tab, right-click an OU under Directories or Other Users/Computers.
4. Click Unlink. A new link is created with a different Windows account at the next Windows login.
AD Groups for Pre-boot Authentication
You can add Active Directory users and groups to devices, OUs, or groups for Pre-boot authentication.
Scenario 1: Moving from Password to Smart Card
Scenario
Your organization uses Check Point Endpoint Security with username and password authentication for the Full Disk Encryption Pre-boot. You want to move all users to Smart Card authentication for even greater security. Your organization uses Active Directory.
Scenario 2: Mix of Password and Smart Card Authentication
Scenario
Your organization is preparing to install Check Point Endpoint Security for the first time. Most users will use username and password Pre-boot authentication. Administrators with high administrative privileges will use Smart Card authentication. Your organization does not use Active Directory.
Notes on Using Smart Cards
Check Point does not supply Smart Card features to use with Windows. You can use third-party software, supplied by Windows or the Smart Card vendor. To use recovery media with a Smart Card-only user, create a temporary user who can authenticate to the recovery media when you create it.
Changing a User's Password
Users can change their own passwords from the Pre-boot. You can manage user Pre-boot passwords from the User Details window.
To change a user's Pre-boot password from SmartEndpoint:
1. In User Details > Security Blades > OneCheck User Settings, in the Pre-boot authentication method area, click Change Password.
Managing Dynamic Tokens
Manage the tokens that users can use in SmartEndpoint.
Adding a Token
To add a dynamic token:
1. In SmartEndpoint, go to Manage > Dynamic Token Management.
2. Click Add. The Add Token window opens.
3.
Removing a Token
To remove a dynamic token:
1. In SmartEndpoint, go to Manage > Dynamic Token Management.
2. Select the token you want to remove.
3. Click Remove. The token is removed immediately.
Important - After a token is removed, it cannot be restored.
Importing Tokens
To import tokens:
1.
To upgrade legacy token users: Set the value of AllowTokenUpgrade in the Full Disk Encryption registry key. Refer to sk95466.
Media Encryption & Port Protection
The Media Encryption & Port Protection component protects sensitive information by encrypting data and requiring authorization for access to storage devices, removable media and other input/output devices. Administrators use SmartEndpoint to create rules for data encryption, authorization and access to devices.
Media Encryption & Port Protection Terminology
Storage Device - Removable media device on which users can save data files. Examples include USB storage devices, SD cards, CD/DVD media and external disk drives.
Peripheral Device - Devices on which users cannot save data and that cannot be encrypted.
Device Category - Also called Device Class, an industry-standard device type that identifies the base functionality of a storage or peripheral device.
Working with Actions in a Media Encryption & Port Protection Rule
Each Media Encryption & Port Protection rule includes these main action types:
"Configuring the Read Action" on page 251 - Controls how users can read devices that are protected by the policy
"Configuring a Write Action"...
Configuring the Read Action
The Read Action defines the default settings for read access to files on storage devices. For each action, you can define different settings for specified device types. The default predefined actions are:
Action | Description
Allow reading any data...
Configuring a Write Action
You define the default settings for write access to storage devices in the Removable Media Write Access window. This action can let users:
Create new files
Copy or move files to devices
Delete files from devices
Change file contents on devices
Change file names on devices...
To configure a storage device Write Action:
1. Right-click a Write Access action and select Edit Properties. The Removable Media Access window opens.
2. Optional: Select a different action from the list. Click New to create a custom action.
3.
Configuring Business Related File Types
If you enable the Encrypt business-related data written to storage devices option, users must encrypt all file types that are defined as business-related. Users can save non-business-related file types without encryption. If you enable the Force encryption of all outgoing data option, all data, including non-business-related data, must be encrypted.
You can customize the text that shows in all sections of the user message window, including the banner and the option buttons. You cannot change the Check Point logos. This feature is useful for translating user messages into different languages.
Configuring Peripheral Device Access
Peripheral devices cannot be encrypted and do not contain storage. These predefined actions define which peripheral devices can be used with an endpoint computer.
Action | Description
Allow connecting essential devices (keyboard, mouse, and ...) | Access to the peripheral devices necessary for basic computer functionality is allowed.
2. In the Peripheral Device Access window, click Edit Name & Description and change settings as necessary.
3. For each device in the list, change the Access Type as necessary (Allow or Block).
4. For each device in the list, change the Log settings as necessary:
Log - Create log entries when a peripheral device is connected to an endpoint computer (Action IDs 11 and 20)
None - Do not create log entries...
Defining Exceptions for Devices
You can configure custom settings for specified devices or device types. These device settings are typically used as exceptions to the settings defined in Media Encryption & Port Protection rules. You can define device-specific exceptions for:
One device, which is identified by its serial number.
Allow encryption - Select this option if the device can be encrypted (storage devices only).
Can generate device arrival audit event - Select this option to create a log entry when this device connects to an endpoint computer (Event ID 11 or 20 only).
Creating a Device with Automatic Device Discovery
You can use the Device Discovering Wizard to create new devices that have been connected to endpoint computers.
Creating a Device Manually
You can manually define a device that has not been inserted into a client computer.
To manually create a new device:
1. Open the Storage Devices Read Access, Storage Devices Write Action, or Peripheral Devices Access action.
3. If you selected a group, Add or Remove objects until the Selected Objects list contains all applicable devices.
4. Select or clear these options as applicable. The options that show depend on the action you are working with. For Storage Devices Write Access, see "Configuring a Write Action"...
Serial Number with Wildcard | Matches | Does Not Match
1234* | 1234AB, 1234BCD, 12345 | 1233
1234??? | 1234ABC, 1234XYZ, 1234567 | 1234AB, 1234x, 12345678
Because definitions that use wildcard characters apply to more endpoints than those without wildcards, rules are enforced in this order of precedence:
1.
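As an added example (not Check Point code) of the serial-number wildcard semantics in the table above: a matcher where `*` stands for any run of characters and `?` for exactly one, checked against the guide's own rows, plus a resolver that prefers exception definitions without wildcards, as the text states. Case-sensitive matching and the tie-break among wildcard patterns are assumptions; the Allow/Block values are constructed sample data.

```python
"""Added example of the serial-number wildcard matching used for device
exceptions on this page: '*' matches any run of characters and '?' matches
exactly one. Constructed illustration, not Check Point code; case-sensitive
matching and the tie-break among wildcard patterns are assumptions."""
import re
from typing import List, Optional, Tuple

# The guide's own examples, transcribed from the table above.
SERIAL_EXAMPLES = [
    # (pattern, serials that match, serials that do not match)
    ("1234*", ["1234AB", "1234BCD", "12345"], ["1233"]),
    ("1234???", ["1234ABC", "1234XYZ", "1234567"],
     ["1234AB", "1234x", "12345678"]),
]


def serial_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a serial-number pattern into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")       # any run of characters, including none
        elif ch == "?":
            parts.append(".")        # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def serial_matches(pattern: str, serial: str) -> bool:
    """True when the whole serial number matches the pattern."""
    return serial_pattern_to_regex(pattern).match(serial) is not None


def verify_examples() -> List[str]:
    """Check the matcher against the guide's table; returns the list of
    discrepancies (empty when every row behaves as documented)."""
    problems = []
    for pattern, matching, non_matching in SERIAL_EXAMPLES:
        for serial in matching:
            if not serial_matches(pattern, serial):
                problems.append("%s should match %s" % (pattern, serial))
        for serial in non_matching:
            if serial_matches(pattern, serial):
                problems.append("%s should not match %s" % (pattern, serial))
    return problems


def has_wildcard(pattern: str) -> bool:
    return "*" in pattern or "?" in pattern


def specificity_key(pattern: str):
    """Sort key: definitions without wildcards first (as the guide states);
    among wildcard patterns, fewer '*' and more literal characters first
    (assumed tie-break; the guide's full precedence list is not on this page)."""
    literals = sum(1 for ch in pattern if ch not in "*?")
    return (has_wildcard(pattern), pattern.count("*"), -literals)


def resolve_exception(serial: str,
                      exceptions: List[Tuple[str, str]]) -> Optional[str]:
    """Return the access setting of the most specific device exception whose
    serial-number pattern matches `serial`, or None if no exception applies."""
    candidates = [(pattern, access) for pattern, access in exceptions
                  if serial_matches(pattern, serial)]
    if not candidates:
        return None
    candidates.sort(key=lambda item: specificity_key(item[0]))
    return candidates[0][1]
```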
Working with Advanced Actions in a Media Encryption & Port Protection Rule
You can configure advanced actions in a Media Encryption & Port Protection policy rule.
Offline Access Actions
You can select one of these predefined actions to define encryption behavior for storage devices:
Allow offline access to encrypted media - Users can enter a password to access...
Setting | Description
Allow user to upgrade from legacy drives | Lets users upgrade storage devices that were encrypted by File Encryption version R73.
When encrypting, | Select one of these actions for existing data on a storage device upon encryption: Non-...
Setting | Description
Copy utility to media to enable media access in non-... | Copies the Explorer utility to the storage device. This utility lets users access the device from computers that are not connected to an Endpoint Security Management Server.
Action | Description
Use Windows password complexity | The standard Windows password requirements are enforced. The password must: have at least six characters; have characters from at least 3 of these categories: uppercase, lowercase, numeric characters, symbols.
Temporarily - If a device is locked temporarily, users can try to authenticate again after a specified time.
Permanently - If a device is locked permanently, it stays locked until an administrator unlocks it.
Device Scanning and Authorization Actions
You can configure a Media Encryption & Port Protection rule to require malware and unauthorized file type scans when a storage device is attached. You can also require a user or an administrator to authorize the device.
Unauthorized - Configure the file types that are blocked. All other file types are allowed.
Authorized - Configure the file types that are allowed. All other file types are blocked.
The default is Unauthorized with all file types allowed.
4.
Parameter | Description
Name | Unique action name.
Comments | Optional textual comments.
Scan storage devices and authorize them for access | Select to scan the device when it is inserted. Clear to skip the scan.
Enable self-authorization | If this option is selected, users can scan the storage device manually or automatically.
Log Actions
This setting defines when Media Encryption & Port Protection creates log entries when a storage device is attached to an endpoint computer. You can select one of these predefined log actions:
Action | Description
Do not log security... | Disable all log entries.
Event | Description | Classification
 | A storage device file operation is allowed | Security
You can define different log settings for devices; see "Defining Exceptions for Devices" on page 258. Log entries are initially stored on client computers and then uploaded to the server at predefined intervals.
UserCheck Actions
UserCheck for Media Encryption & Port Protection tells users about policy violations and shows them how to prevent unintentional data leakage. When a user tries to do an action that the policy does not allow, a message shows that explains the policy. You can optionally let users write to a storage device even though the policy does not allow it.
Media Encryption Site Actions
Site Actions control whether to allow or prevent access to devices that were encrypted by different Endpoint Security Management Servers. Each Endpoint Security Management Server (known as a Site) has a Universally Unique Identifier (UUID). When you encrypt a storage device on an Endpoint Security client, the UUID of the Endpoint Security Management Server is written to the device.
To allow access to devices encrypted on other trusted Endpoint Security Management Servers:
1. Right-click a Media Encryption Site action and select Edit.
2. Select Endpoint client will allow access only to encrypted media that was encrypted by an Endpoint client connected to one of the following management servers.
6. Select Endpoint Client will allow access to encrypted media which was encrypted by an endpoint client connected to any management server.
7. Click OK.
When Media Encryption Sites is disabled, Endpoint Security clients can access storage devices that were encrypted by any Endpoint Security Management Server.
Global Automatic Access Action
You can select a global action that defines automatic access to encrypted devices. It affects all Media Encryption & Port Protection rules, unless overridden by a different rule or action.
2. Click Add.
3. In the Encrypted Media Owner field, click the arrow and select one of these options:
Any - This action applies to any media owner
Choose User/Group/OU from your organization - Select the applicable user, group or OU that this action applies to
4.
Capsule Docs policy, monitoring, and deployment through SmartEndpoint.
Overview of Capsule Docs
Check Point Capsule Docs provides these benefits:
Control the parties that can access the data
Restrict access to individuals, groups or entire organizations.
Access protected documents easily from your platform of choice
Seamless integration with Microsoft Office and Adobe Acrobat on Windows platforms.
Lightweight Windows Viewer that does not require administrative privileges or installed Microsoft Office or Adobe Acrobat clients.
Access protected documents from proprietary apps on Android and iOS mobile devices.
Full integration with organizational Active Directory
Users that are defined in the Active Directory are automatically provisioned to use Capsule Docs.
Diagram legend (items): Active Directory Server, External Network, SMTP Server, Public-facing DNS Server, Internal users, Mobile users, Management Console, External users.
Notes:
Management Server (1) - A Secondary Management Server and Endpoint Policy Servers can be used for redundancy and load balancing.
Active Directory Server (2) - Each user account in the Active Directory must have a valid email address.
To configure the Active Directory server as the primary DNS server in Gaia:
a. In the Gaia Portal, in the Network Management navigation tree, select Hosts and DNS.
b. Enter the IP address of the Active Directory server as the Primary DNS Server.
c.
Enable the Mobile Access component on the Security Gateway.
Configure the Reverse Proxy on the Security Gateway or server to point to the Endpoint Security Management Server.
Note - Make sure the name of the Endpoint Security Management Server resolves correctly in DNS.
To configure the Capsule Docs proxy on the Security Gateway:
a. On the Security Gateway, run:
ReverseProxyCLI add application capsule_docs <public_server_name> <capsule_docs_server>
Where:
<public_server_name> is the Capsule Docs Server public name, configured in SmartEndpoint. This hostname should resolve to the Reverse Proxy Gateway (for example: capsuledocs.externalsite.com).
e. Click New. The Web Application window opens.
f. In the General Properties screen, enter the Name of the new Capsule Docs Web Application.
g. In the Authorized Locations screen, select the Host name or the DNS name of the Endpoint Security Management Server.
j. In the Link in Portal screen, configure these settings:
i. Select Add a link to this Web application in the Mobile Access Portal.
ii. In the Link text field, enter a label for the link. This does not affect users.
iii.
To send protected documents to external users, you must configure your email server. Two types of email servers are supported:
SMTP (default)
FileSystem
To configure the email server:
a. In SmartEndpoint, select Manage > Email Server Settings > Configure Settings.
b. In the Email Server Settings window, select User authentication is required. Configure these parameters:
Port - Leave the default (25).
User Name - Enter a fictitious email address. This address will show as the sender of email alerts.
Password - Enter a fictitious password.
Change document Classification
Change Community
Remove protection
Add or remove users and groups
Set a document expiration date (only document Authors can do this)
Create Favorites lists of users and groups.
Note - The Favorites lists can be used across the supported applications, to share the documents with different sets of users.
To delete a classification: Click Revoke Classification.
To change the order of the classifications that end-users see in the Capsule Docs menu: Select a classification from the table and click the up and down arrows.
For each Classification, define its properties and permissions in the table. For more details about the options, see sk105076.
Column - Description
Screen Capture - Can users take screenshots of the document: Ask, Yes, or No. If Ask is selected, users must give a reason that they require screenshots.
Copy Paste - Can users copy from the document and paste in their device: Yes or No.
Markings - Double-click to change the selection.
Initial Protection Configuration
Define the default protection settings that are assigned to newly protected documents. Users with the required permissions can edit these settings from the document. The settings are:
Select the classification, for example, Restricted or Highly Restricted. The classifications and permissions shown are those configured in the Classifications and Permissions Action.
Allow inviting users from any domain
Do not allow inviting users
If you select Allow inviting users from any domain, you can also limit the users who can be invited to those from specified domains. To limit the users who can be invited to a document:
1.
Invited - A user added the external user to a document, but the new user has not registered yet.
Registered - The user downloaded the Capsule Docs client and registered with an email address.
Revoked - The administrator revoked the user, and the user cannot log in to Capsule Docs or see documents.
Identify Reverse Proxy logs by these criteria:
Category: Mobile Access
Application: Reverse Proxy
The Access section of the log can show:
Allowed - Authorized URL - The Reverse Proxy allowed the URL request (only shows if the All access events logging option is configured)
Denied - Unauthorized URL - The Reverse Proxy blocked the URL request.
Server response was too slow - Operation timeout.
Page not found
Action that the Reverse Proxy took in relation to this URL - Allowed, Denied, or Failed
Capsule Docs Recovery
The Capsule Docs Recovery Tool generates a master key that can open all documents in a disaster recovery situation.
Anti-Malware
Check Point Anti-Malware protects your network from all kinds of malware threats, ranging from worms and Trojans to adware and keystroke loggers. Use Anti-Malware to centrally manage the detection and treatment of malware on your endpoint computers. The Endpoint Security Management Server regularly updates Anti-Malware definitions from a Check Point update server.
e. On the Endpoint Security Management Server, run:
cpstart
Configure the Firewall Gateway to accept traffic from Anti-Malware signature update servers and Cloud Reputation services
After configuring the proxy server, configure the Firewall Gateway to accept the traffic to the Anti-Malware update servers.
a.
Configuring Anti-Malware Policy Rules
For each action in a rule, select an option, which defines the action behavior. You can select a predefined Action option or select New to define a custom action. Right-click an Action and select Edit or Edit Shared Action to change the action behavior. Changes to policy rules are enforced only after you install the policy.
C:\Program Files\MyTrustedDirectory\MyTrustedProgram.exe
%programdata%\MyTrustedProgram.exe
3. Click OK. The trusted program shows in the Trusted Processes list.
R81 Harmony Endpoint Server Administration Guide | 300
Update Signatures From - The server or servers that the client gets updates from.
Signature Source:
External Check Point Signatures Server - Get updates from a dedicated, external Check Point server through the internet.
Local Endpoint Servers - Get updates from the Endpoint Security Management Server or a configured Endpoint Policy Server.
If second update fails - Set a second fallback update source to use if the other sources fail.
Note - If only Update from Local Endpoint Servers is selected, clients that are disconnected from an Endpoint Security server cannot get updates.
Performing Periodic Anti-Malware Scans
Anti-Malware scans computers for malware at regular intervals to make sure that suspicious files are treated, quarantined, or deleted. Choose one of the Select Action options to define the frequency of the scans.
Action - Description
Perform periodic anti-malware...
A contextual scan is a scan that the user runs from the right-click menu of the file that the user wants to scan: the user right-clicks a file and selects Scan with Check Point Anti-Malware.
Skip archives and non-executables - When selected, these types of files are not scanned.
Malware. Exclude a process only if you fully trust it and are sure it is not malware. Excluded items are not scanned during full computer, scheduled, and on-access scans. They are not excluded from scans initiated by users with a right-click > Scan with Check Point Anti-Malware.
Scan Optimization
The scan optimization options let you run malware scans quickly and with less impact on performance and system resources. By default, scan priority is lower than that of other running processes. The options are:
Do not optimize malware scan - Scan optimization is disabled.
Optimize malware scan:
Perform scan optimizations - Optimize the scan by storing file checksums and NTFS file system data during the first scan.
Contextual scans are done even if the file is in the Exclude Infections by Name list. A contextual scan is a scan that the user runs from the right-click menu of the file that the user wants to scan: the user right-clicks a file and selects Scan with Check Point Anti-Malware.
Malware Treatment
4. Click OK.
5. Click OK.
Submitting Malware and False Detections
Reporting suspected malware or false detections to Check Point helps to improve the security and protection of all Internet users. If you think that you have malware in your organization that was not detected by Anti-Malware, contact Check Point Technical Support.
The Harmony Endpoint Forensics and Anti-Ransomware component monitors file operations, processes, and network activity for suspicious behavior. It also analyzes attacks detected by other client components or the Check Point Security Gateway. It applies Remediation to malicious files. Anti-Ransomware constantly monitors files and processes for unusual activity. Before a Ransomware attack can encrypt files, Anti-Ransomware backs up your files to a safe location.
C:\Users\<User>\Pictures (MyPictures)
You can identify these folders by the lock icon that is associated with the name of the folder.
The file names include these strings, or similar:
CheckPoint
Check Point
Check-Point
Sandblast Agent
Sandblast Zero-Day
Endpoint
You can open and look at the files. They are real documents, images, videos, and music.
Define the automatic threat analysis settings in the Triggers and Automatic Response Action. The automatic options are:
Automatically analyze threats - Analyze incidents based on Check Point's recommended triggers (default).
Automatically analyze and remediate infections - Analyze incidents based on Check Point's recommended triggers and apply Remediation automatically.
Configuring Forensics and Anti-Ransomware Policy Rules
The Triggers include:
Events detected by Endpoint Security components: Anti-Bot, Threat Emulation, Anti-Malware
Events detected by Network components: Anti-Bot, Threat Emulation, Anti-Malware, URL Filtering
Configuring Network Blades for Forensics Triggers and Remediation
To make triggers and Remediation work for events detected by Network Threat Prevention components, you must configure the Security Gateway policy for the Threat Prevention components: Anti-Bot, Anti-Virus, and Threat Emulation.
Monitoring and Exclusions
Define which processes are monitored by the Forensics component. In the default monitoring settings, processes with certificates from some trusted companies are excluded. You can Add, Edit, and Remove exclusions from the list. To exclude a process from monitoring:
1.
You can configure more settings related to space usage in Database Tool (GuiDBEdit Tool) (see sk13009) or dbedit (see skI3301). Important - Do NOT use these tools unless instructed by Check Point Support or R&D. Incorrect use may corrupt settings in the management database.
Backup - Delete the file and create an accessible duplicate.
None - No action is taken.
Trusted Files are those defined as trusted by the Check Point Reputation Service. The Remediation options for Trusted Files are:
Terminate - Stop the suspicious process.
File Quarantine Settings
Define the settings for files that are quarantined. In the Default File Quarantine Settings, files are kept in quarantine for 90 days and users can permanently delete items from quarantine. You can edit the Quarantine settings: Click Add exclusion to exclude a file or process from quarantine.
Anti-Ransomware Backup Settings
When Anti-Ransomware is enabled, it constantly monitors files and processes for unusual activity. Before a Ransomware attack can encrypt files, Anti-Ransomware backs up your files to a safe location. After the attack is stopped, it deletes files involved in the attack and restores the original files from the backup location.
Folder - To exclude all files in a folder, enter the Folder Name or browse to it. Optional: Select Include all sub folders to exclude all files contained in all sub folders.
Process - To exclude an executable. You can also include Certificate information. In Process name, enter the name of the executable.
The Anti-Ransomware Restoration window opens.
4. Click Restore to start the restoration process. If you see a note that the files were already restored, click Cancel. It is not necessary to restore the files again.
5. In the Restore Step 1 of 2 window:
a.
Integration with Third Party Anti-Virus Vendors
Forensics can use information from the Windows Event Log to monitor and analyze malware events from third party anti-virus vendors. Based on the Windows Event Log, Forensics can analyze attacks, terminate processes, delete or quarantine files, and do other attack Remediation.
Manual Analysis with CLI
You can configure the Forensics component to analyze incidents that are detected by a third party Anti-Malware solution. To use this, after an incident is triggered you can run analysis manually on the client computer or use a dedicated tool.
To run analysis manually on a client computer with CLI: Use the command:
C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe...
4. C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe url:www.Malicious.com md5:10010010010010010010010010010010 -q -b c:\backupToFile.txt
5. C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe -b c:\backupToFile.txt
Notes:
1. All combinations of the optional parameters are allowed; the order is not important.
2. The Backup option does not require the Mandatory parameters (example 5).
Manual Analysis with Push Operations
You can trigger incident analysis for a client on a one-time basis with Push Operations. You can run the Push Operations from SmartEndpoint or from the CLI. The analysis occurs without the need to install policy.
Harmony Endpoint Forensics analyzes attacks detected by other detection features like Anti-Ransomware or Behavioral Guard, the Check Point Security Gateway and some third party security products. On detection of a malicious event or file, Forensics is informed and a Forensics analysis is automatically initiated.
Opening Forensics Analysis Reports
The Forensics Analysis Report opens in your internet browser. To open a Forensics Analysis Report for an incident:
SmartLog - From the Log Details of a Forensics, Threat Emulation, or Anti-Bot log, under Forensics, click Report.
Harmony Endpoint Dynamic Updates
Harmony Endpoint dynamic updates enable stronger security for endpoints, with regular updates to Harmony Endpoint files. This keeps clients protected from the latest threats. By default, the Threat Emulation component runs the EPNetUpdate.exe process every 6 hours to get updates and update relevant files.
Harmony Endpoint Use Case
Scenario: You see a Threat Emulation or Anti-Bot detection log. What can you do?
Recommendations:
1. From the Forensics, Threat Emulation, or Anti-Bot log, open the Forensics Analysis Report.
2. Open the Remediation tab to see the components of the attack and how they were treated.
Ransomware Use Case
Scenario: A client computer is attacked by Ransomware. What can you do?
Recommendations:
1. From the Forensics log, open the Forensics Analysis Report.
2. Open the Remediation tab to see the components of the attack and how they were treated.
Quarantine Management
When Harmony Endpoint components (Forensics and Anti-Ransomware, Anti-Bot, and Threat Extraction and Threat Emulation) detect malicious files, they can quarantine those files automatically based on policy. All components use the same Remediation service, which:
Receives the request to quarantine a file.
Terminates the file's process, if running.
Best practice is to configure Copy quarantine files to a central location in the "File Quarantine Settings" on page 317. Then you can use the Quarantine Manager for Administrators to import all files related to an incident from one location that you can access. From the Quarantine Manager for Administrators you can:
Restore files in a protected location to test them.
Advanced Persistent Threats (APTs) where cyber criminals pinpoint individuals or organizations for attack. A botnet is a collection of compromised computers. The Check Point Endpoint Anti-Bot component detects and prevents these bot threats.
Bots can attempt to connect to thousands of potentially dangerous sites. It is a challenge to know which sites are legitimate and which are not. Check Point uses the ThreatCloud repository to find bots based on these procedures. The ThreatCloud repository contains more than 250 million addresses that were analyzed for bot discovery and more than 2,000 different botnet communication patterns.
Configuring Anti-Bot Policy Rules
For each Action in a rule, select an option, which defines the Action behavior. You can select a predefined Action option or select New to define a custom Action option. Right-click an Action and select Edit or Edit Shared Action to change the Action behavior. Changes to policy rules are enforced only after you install the policy.
Defining Entities that are Trusted by Anti-Bot
By default, the Anti-Bot component inspects all domains. You can configure trusted entities, which will not be inspected by the Anti-Bot component. These are called Detection Exclusions. To configure detection exclusions:
1.
Anti-Bot Protection Mode
By default, the Anti-Bot Default protection mode allows connections while it checks for bots in the background. You can choose to block connections until the threat check is complete. To configure General Settings:
1. In the Properties of the General Settings Action, select an option from the Select action drop-down menu.
Harmony Endpoint Threat Extraction, Emulation and Anti-Exploit
Threat Emulation detects zero-day and unknown attacks. Files on the endpoint computer are sent to a sandbox for emulation to detect evasive zero-day attacks. Threat Extraction proactively protects users from malicious content. It quickly delivers safe files while the original files are inspected for potential threats.
Configuring Threat Extraction and Threat Emulation Rules
For each Action in a rule, select an option, which defines the Action behavior. You can select a predefined Action option or select New to define a custom Action option. Right-click an Action and select Edit or Edit Shared Action to change the Action behavior.
Web Download Protection
Define the settings for the Harmony Endpoint Browser Extension to protect against malicious files that come from internet sources. The Browser Extension is supported on Google Chrome. The automatic options are:
Protect web downloads with Threat Extraction and Emulation - Send files for emulation.
Emulate and suspend original file until emulation completes - Send files for emulation. Users only receive the files after the emulation finishes and the file was found to be safe.
Emulate original file without suspending access - Send files for emulation. Users can download and access the file while it is tested.
File System Emulation
Define the default settings for emulation of files on the file system. The automatic options are:
Emulate files written to file system - All files that can be emulated are automatically sent for emulation when they are written to the file system.
Do not emulate files written to file system - Files are not automatically sent for emulation when they are written to the file system.
Harmony Environment Settings
By default, Harmony Endpoint uses the SandBlast Cloud for Threat Extraction and Threat Emulation. If you have one or more Harmony Appliances, you can use them as an alternative to SandBlast Cloud. To configure Harmony Endpoint to work with a Harmony Appliance:
1.
Exclusions and Inspection Settings
The default behavior is Inspect all domains and files. All files in the file system are inspected and sent for emulation when applicable. You can configure exclusions that are not inspected. Click Add exclusion to exclude a file or process from inspection. You can define an exclusion by many different criteria.
Zero Phishing Settings
To access Zero Phishing Settings, in the Policy tab, expand the Threat Extraction, Threat Emulation and Anti-Exploit rule, right-click Zero Phishing Settings under the Actions column and click Edit Shared Action. Define settings for phishing prevention and password reuse prevention.
Phishing Prevention - Checks different characteristics of a website to make sure that a site does not pretend to be a different site and use personal information maliciously.
Alert User Only - If a user enters a corporate password in a non-corporate site, the user gets an alert.
Protected Domains - Add domains for which Password Reuse Protection is enforced. Harmony Endpoint keeps a cryptographically secure hash of the passwords used in these domains and compares them to passwords entered outside of the protected domains.
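The password reuse mechanism described above, as an added example that is not Check Point's code: only a keyed hash of each password used on a protected domain is kept, and passwords typed on any other site are hashed the same way and compared. The class name, the HMAC-SHA256 construction, the per-device key, the subdomain matching rule and the "block" mode are assumptions of this example.

```python
"""Password-reuse protection demo (added example, not Check Point code).
Only a keyed hash of corporate passwords is stored; submissions on other
sites are hashed identically and compared in constant time. Names, the
HMAC construction, the per-device key and the subdomain rule are assumed."""
import hashlib
import hmac
from urllib.parse import urlsplit


class PasswordReuseProtector:
    """Flags corporate passwords re-used outside the protected domains."""

    def __init__(self, protected_domains, device_key, alert_only=True):
        # Protected domains match case-insensitively and include subdomains
        # (assumed: 'corp.example.com' also covers 'login.corp.example.com').
        self.protected = {d.lower().strip(".") for d in protected_domains}
        # A per-device secret keys the hash, so a leaked store cannot be
        # brute-forced offline without the key (construction assumed).
        self.key = device_key
        self.alert_only = alert_only          # 'Alert User Only' mode
        self.known = {}                       # digest -> protected host

    @staticmethod
    def _host(url):
        return (urlsplit(url).hostname or "").lower().strip(".")

    def is_protected(self, url):
        host = self._host(url)
        return any(host == d or host.endswith("." + d) for d in self.protected)

    def _digest(self, password):
        return hmac.new(self.key, password.encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def matched_domain(self, password):
        """Returns the protected host a password was first seen on, or None.
        Compares against every stored digest in constant time."""
        digest = self._digest(password)
        for known, host in self.known.items():
            if hmac.compare_digest(known, digest):
                return host
        return None

    def observe(self, url, password):
        """Called on every password submission. Returns one of:
        'recorded' - protected site, digest stored;
        'ok'       - non-protected site, no corporate password involved;
        'alert'    - reuse detected, user alerted (Alert User Only);
        'block'    - reuse detected, submission blocked (assumed mode)."""
        if self.is_protected(url):
            self.known.setdefault(self._digest(password), self._host(url))
            return "recorded"
        if self.matched_domain(password) is None:
            return "ok"
        return "alert" if self.alert_only else "block"


def demo():
    """Constructed sample session; returns the verdict for each submission."""
    p = PasswordReuseProtector(["corp.example.com"], b"constructed-device-key")
    events = [
        ("https://login.corp.example.com/sso", "Winter2023!"),   # corporate
        ("https://shop.example.net/login", "Winter2023!"),       # reuse
        ("https://shop.example.net/login", "unrelated-pass"),    # fine
        ("https://corp.example.com.evil.test/", "Winter2023!"),  # lookalike
    ]
    return [p.observe(url, pw) for url, pw in events]


if __name__ == "__main__":
    print(demo())  # ['recorded', 'alert', 'ok', 'alert']
```

The lookalike host in the last event is not a subdomain of the protected domain, so the password typed there is treated as a reuse outside the corporate domains.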
Firewall
Firewall rules allow or block network traffic to endpoint computers based on connection information, such as IP addresses, ports, and protocols. There are two types of Firewall rules:
Inbound rules - Rules that allow or block incoming network traffic to the endpoint computer.
Inbound Traffic Rules
Inbound traffic rules define which network traffic can reach endpoint computers (known as localhost). Select an Action:
Action - Description
Allow inbound traffic - Allows all incoming traffic to the endpoint computer.
Allow inbound traffic from trusted zones and connectivity obtaining traffic - Allows all incoming traffic from trusted zones and IP connectivity obtaining traffic from the internet.
Outbound Traffic Rules
Outbound traffic rules define which outgoing network traffic is allowed from endpoint computers. Select an Action:
Action - Description
Allow any outbound traffic - Allows all outgoing traffic from the endpoint computer.
Allow outbound traffic to trusted zones and common internet protocols - Allows all traffic to trusted zones and traffic of common internet protocols to the internet.
Creating Firewall Rules
Create Firewall rules that relate to inbound traffic in the inbound traffic Rule Base and rules that relate to outbound traffic in the outbound traffic Rule Base. To create a Firewall rule:
1. In the Firewall rule in the Policy tab, right-click the inbound or outbound traffic Action and select Edit Properties.
If you have a rule that drops or accepts all traffic, do not enable logging. To use logs and alerts, you must configure options in the Client Settings rules:
In the Log Upload action, Enable log upload must be selected.
In the Users Disabling Network Protection action, under Network Protection Alerts, in the Firewall row, select Allow Alert.
Disabling and Deleting Rules
When you delete a rule, it is removed from the Rule Base and not enforced in the policy. When you disable a rule, the rule is not enforced in the policy. The rule stays in the Rule Base with an X showing that it is disabled.
Wireless Connection Settings
These actions define if users can connect to wireless networks while on your organization's LAN. This protects your network from threats that can come from wireless networks.
Action - Description
Allow connecting wireless to LAN - Users can connect to wireless networks while connected to the LAN.
Do not allow connecting - Users cannot connect to wireless networks while...
Hotspot Settings
These actions define if users can connect to your network from hotspots in public places, such as hotels or airports.
Action - Description
Allow hotspot registration - Bypass the Firewall to let users connect to your network from a hotspot.
Do not allow hotspot - Do not let users connect to your network from a hotspot.
IPv6 Traffic
You can select one of these actions to allow or block IPv6 traffic to endpoint computers.
Allow IPv6 network traffic
Block IPv6 network traffic
Choosing a Firewall Policy to Enforce
By default, the Firewall policy enforced is the Endpoint Security Firewall Policy Rules. If your environment had Endpoint Security VPN and then moved to the complete Endpoint Security solution, you might want to continue to use the Desktop Policy from the legacy SmartDashboard that you open from SmartConsole.
Compliance
The Compliance component of Endpoint Security makes sure that endpoint computers comply with security rules that you define for your organization. Computers that do not comply show as non-compliant and you can apply restrictive policies to them. The Compliance component makes sure that:
All assigned components are installed and running on the endpoint computer.
Planning for Compliance Rules
Before you define and assign compliance rules, do these planning steps:
1. Identify the applications, files, registry keys, and process names that are required or not permitted on endpoint computers.
2. Collect all information and Remediation files necessary for user compliance. Use this information when you create Remediation objects to use in compliance rules.
Configuring Compliance Policy Rules
For each Action in a rule, select an option, which defines the Action behavior. You can select a predefined Action or select New to define a custom Action option. Right-click an Action and select Edit or Edit Shared Action to change the Action behavior. Changes to policy rules are enforced only after you install the policy.
VPN Client Verification
The VPN Client Verification action selects the procedure used to enforce the Upon verification failure option that is defined in SmartConsole, in Menu > Global Properties > Remote Access > Secure Client Verification (SCV). The procedures are:
VPN Client verification process will use Endpoint Security Compliance - Uses the Endpoint Security policy to control access to organizational resources.
Compliance Action Rules
Many of the Compliance Policy actions contain Action Rules that include these components:
Check Objects (Checks) - Check objects define the actual file, process, value, or condition that the Compliance component looks for.
One or more Remediation objects - A Remediation object runs a specified application or script to make the endpoint computer compliant.
d. Click the Remediation tab to add Remediation objects to the rule (see "Compliance Remediation Objects" on page 363). If the selected Action is Observe, the rule does not require a Remediation object.
e. Optional: In the Comment field, enter a comment for the action rule.
Do these steps again to create additional Action rules as necessary.
Option - Description
Registry Key - Enter the registry key.
Registry Value - Enter the registry value to match.
Check File - Select one of these options to check if an application is running or if a file exists:
File is running at all times - For example, make sure that the Endpoint Security client is always running.
Compliance Remediation Objects
Each Compliance Action Rule contains one or more Remediation objects. A Remediation object runs a specified application or script to make the endpoint computer compliant. It can also send alert messages to users. After a Remediation object is created, you can use the same object in many Action rules. To create a new or change an existing Remediation object:
1.
Option - Description
Parameters - If the executable specified in the URL runs an installation process, make sure that the executable holds a parameter that specifies the directory where the program should be installed. If the executable does not hold such a parameter, enter one here.
MD5 Checksum - Click Calculate to generate an MD5 Checksum, a compact digital fingerprint for the installed application or the Remediation files.
Service Packs for Compliance
The Service Packs Compliance Action makes sure that computers have the most recent operating system service packs and updates installed. The default settings show in the Latest Service Packs Installed Action Rules. See "Compliance Action Rules" on page 360 for more information.
Required Applications and Files
Required Application and File Compliance Settings look for the presence of specified files, registry values, and processes that must be running or present on endpoint computers. The default settings show in the Required Application Action Rules. For Required Application action rules, multiple check objects in the rule are mutually exclusive.
Prohibited Applications and Files
The Prohibited Applications and Files Action makes sure that files, registry keys, and processes that must not be on endpoint computers are not present or running. The default settings show in the Prohibited Application Action Rules. For Prohibited Application action rules, all check objects must be non-compliant to trigger the action and Remediation.
Anti-Malware for Compliance
The Anti-Malware check makes sure that computers have an anti-malware program installed and updated. The default settings show in the Anti-Malware Compliance Action Rules. See "Compliance Action Rules" on page 360 for more information.
Ensuring that Windows Server Updates Are Installed
Windows Server Update Services (WSUS) allows administrators to deploy the latest Microsoft product updates. The WSUS compliance check ensures that Windows updates are installed on the Endpoint Security client computer. You can restrict network access of the client computer if Windows updates have not been installed within a specified number of days.
Monitoring Compliance States
Monitor the compliance state of computers in your environment from:
The Logs tab of the SmartConsole Logs & Monitor view
The Security Overview
Reporting > Compliance
These compliance states are used in the Security Overview and Compliance reports:
Compliant - The computer meets all compliance requirements.
3. In the Out-Of-Compliance section, configure when a client is restricted. Configure the number of heartbeats in Client will restrict non compliant endpoint after. The default is 5 heartbeats.
4. Click OK.
Configuring the "About to be Restricted" State
The About to be restricted state sends users one last warning and gives an opportunity to immediately correct compliance issues before an endpoint computer is restricted.
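An added example (not Check Point code) that ties together the Required and Prohibited Application rule semantics described above and the heartbeat-based restriction with its 5-heartbeat default: rules are evaluated against a snapshot of the host, and the per-heartbeat result drives the Compliant / Non-compliant / About to be restricted / Restricted state. The host snapshot format, rule and check classes, all file and process names, the reading of "mutually exclusive" as "any one check satisfies the rule", and placing the last warning one heartbeat before the threshold are assumptions of this example.

```python
"""Compliance rule evaluation plus heartbeat restriction tracking.
Added example, not Check Point code; host snapshot format, class and
file/process names, and the warning placement are constructed/assumed."""
from dataclasses import dataclass

COMPLIANT = "Compliant"
NON_COMPLIANT = "Non-compliant"
ABOUT_TO_BE_RESTRICTED = "About to be restricted"
RESTRICTED = "Restricted"


@dataclass(frozen=True)
class Check:
    """A check object: the file, process or registry value looked for."""
    kind: str            # 'file_exists', 'process_running', 'registry_value'
    target: str          # file path, process image name or registry key
    value: str = None    # expected data, for 'registry_value' only

    def found(self, host):
        if self.kind == "file_exists":
            return self.target.lower() in {f.lower() for f in host["files"]}
        if self.kind == "process_running":
            return self.target.lower() in {p.lower() for p in host["processes"]}
        if self.kind == "registry_value":
            return host["registry"].get(self.target) == self.value
        raise ValueError(f"unknown check kind {self.kind!r}")


@dataclass
class Rule:
    name: str
    rule_type: str       # 'required' or 'prohibited'
    checks: list

    def compliant(self, host):
        hits = [c.found(host) for c in self.checks]
        if self.rule_type == "required":
            # Check objects in a Required rule are mutually exclusive; this
            # example reads that as 'any one present satisfies the rule'.
            return any(hits)
        if self.rule_type == "prohibited":
            # A Prohibited rule triggers only when ALL check objects are
            # present on the host, as the guide states.
            return not all(hits)
        raise ValueError(f"unknown rule type {self.rule_type!r}")


def evaluate(rules, host):
    """Returns (is_compliant, names of failing rules) for one host snapshot."""
    failing = [r.name for r in rules if not r.compliant(host)]
    return not failing, failing


class RestrictionTracker:
    """Counts consecutive non-compliant heartbeats. The endpoint is restricted
    when the count reaches 'Client will restrict non compliant endpoint after'
    (default 5); the last warning is raised one heartbeat earlier (assumed)."""

    def __init__(self, restrict_after=5):
        if restrict_after < 1:
            raise ValueError("restrict_after must be at least 1")
        self.restrict_after = restrict_after
        self.missed = 0
        self.state = COMPLIANT

    def heartbeat(self, is_compliant):
        if is_compliant:
            self.missed = 0          # a compliant heartbeat clears the count
            self.state = COMPLIANT
        else:
            self.missed += 1
            if self.missed >= self.restrict_after:
                self.state = RESTRICTED
            elif self.missed == self.restrict_after - 1:
                self.state = ABOUT_TO_BE_RESTRICTED
            else:
                self.state = NON_COMPLIANT
        return self.state


def run_scenario():
    """Constructed scenario: the endpoint client is missing and a prohibited
    tool is installed for five heartbeats, then both are fixed. Returns the
    state reported after each heartbeat."""
    rules = [
        Rule("Endpoint client present", "required",
             [Check("process_running", "ep_client_svc.exe"),   # constructed
              Check("file_exists", r"C:\Program Files\EP\client.exe")]),
        Rule("No P2P tool", "prohibited",
             [Check("file_exists", r"C:\Tools\p2p.exe"),
              Check("process_running", "p2p.exe")]),
    ]
    bad = {"files": [r"C:\Tools\p2p.exe"], "processes": ["p2p.exe"],
           "registry": {}}
    good = {"files": [r"C:\Program Files\EP\client.exe"], "processes": [],
            "registry": {}}
    tracker = RestrictionTracker(restrict_after=5)
    return [tracker.heartbeat(evaluate(rules, h)[0]) for h in [bad] * 5 + [good]]
```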
Application Control
The Application Control component of Endpoint Security restricts network access for specified applications. The Endpoint Security administrator defines policies and rules that allow, block or terminate applications and processes. The administrator can also configure that an application will be terminated when it tries to access the network, or as soon as the application starts.
Scans the host computer and creates an XML file that contains a list of executable programs and their checksums. This XML file is used by the Check Point Reputation Service to create recommended rules to block or allow common applications. The administrator imports the XML file to the Endpoint Security Management Server using SmartEndpoint.
Parameters
Parameter - Description
/o <file name> - Sends output to the specified file name. If no file name is specified, Appscan uses the default file name (scanfile.xml) in the current folder. file name: Output file name and path.
/s <target> - Specifies the directory, including all subdirectories, to scan.
appscan /o scan2.xml /x ".exe;.dll" /s "C:\"
This scan includes all .exe and .dll files on drive C and is saved as scan2.xml.
appscan /o scan3.xml /x ".dll" /s "c:\program files"
This scan includes all .dll files in c:\program files and all its subdirectories.
Importing the Appscan XML File to the Endpoint Security Management Server
After you generate the Appscan XML file, import it to the Endpoint Security Management Server.
Before Importing the Appscan XML file
Remove all special characters, such as trademarks or copyright symbols, from the Appscan XML file.
Configuring If Imported Applications Are Allowed or Blocked by Default
Configure applications that were imported from the Appscan XML file to be Allowed or Blocked by default.

To configure if imported applications are allowed or blocked:
In the Policy tab >...
Configuring Application Permissions in the Application Control Policy
In the Application Control Policy, review the permissions for each application and application version. For applications and application versions that you know are secure, change the permission setting to Allow.

The Versions for Application section shows the details for each version of the application, including a unique hash value that identifies the signer of the application version. You can block or allow specific versions of the same program. Each version has a unique Version number, Hash, and Created On date.
a. Right-click the Terminated Applications Action and select Manage Terminated Applications List.
b. Select Terminate on execution.
R81 Harmony Endpoint Server Administration Guide | 380...
The Check Point Reputation Service is an online service that gathers information about applications and classifies them as approved or not approved. The classifications are based on the recommendations of Check Point security experts and on the hash value of the certificate with which the application is signed.
If your environment includes a proxy server for Internet access, do the configuration steps below to let the Endpoint Security Management Server connect to the Check Point Reputation Service Server through the proxy server. Note that all configuration entries are case-sensitive.
Disabling or Enabling Windows Subsystem for Linux (WSL)
Windows Subsystem for Linux (WSL) is a compatibility layer in Windows 10 and higher that makes it possible to run Linux binary executables on Windows. Because Linux programs that run under WSL are not ordinary Windows applications, they can be used to evade Windows-side security controls, so WSL has the potential to compromise security.
Preventing the Leakage of Sensitive Information Through Git (Developer Protection)
Developer Protection prevents developers from leaking sensitive information, such as RSA private keys, passwords, and access tokens, through the Git version control system. It also warns the developer when vulnerable external dependencies are used in AWS Lambda.
Client-Side Warning Notifications
Detect Mode - The user at the Endpoint Security client computer sees a warning message. The user clicks OK and continues with the commit.
Prevent Mode - The user at the Endpoint Security client computer sees a warning message.
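The Detect and Prevent behavior described above, as an added example written for this page (it is not Check Point's Developer Protection code): a small pre-commit style scanner in Python that inspects only the added (+) lines of a staged diff for the kinds of secrets the section names (private keys, access tokens, hard-coded passwords) and then applies the Detect decision (warn, allow the commit) or the Prevent decision (warn, block the commit). The diff text, the pattern set, and the function names are constructed for the example; the real product uses its own detection rules.

```python
import re
from dataclasses import dataclass

# Constructed sample of `git diff --cached` output (not a real repository).
# Lines starting with "+" are the content the commit would add.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
+AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
+DB_PASSWORD = "hunter2-prod"
+-----BEGIN RSA PRIVATE KEY-----
 print("unchanged context line")
-OLD_TOKEN = "ghp_" + "x" * 36
"""

# Illustrative patterns for the secret types the section names. Each is kept
# narrow to limit false positives; a real engine carries many more rules.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # password/passwd/pwd (any suffix) followed by = or : and a quoted 8+ char value
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number within the diff text
    kind: str      # key from PATTERNS
    snippet: str   # the offending added line, trimmed


def scan_diff(diff_text: str) -> list:
    """Return findings for secrets on the added lines of a unified diff.

    Only lines beginning with a single "+" are inspected: removed ("-") and
    context (" ") lines are not being committed, and the "+++ b/..." file
    header is metadata, not content.
    """
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++ "):
            continue
        content = line[1:]
        for kind, pattern in PATTERNS.items():
            if pattern.search(content):
                findings.append(Finding(line_no, kind, content.strip()))
    return findings


def commit_allowed(findings: list, mode: str) -> bool:
    """Apply the client-side mode from the section.

    detect  -> the developer is warned, the commit proceeds.
    prevent -> the developer is warned, the commit is blocked.
    """
    if mode not in ("detect", "prevent"):
        raise ValueError(f"unknown mode: {mode!r}")
    if not findings:
        return True
    return mode == "detect"


def warning_text(findings: list) -> str:
    """Message shown to the developer (constructed wording, not the product's)."""
    lines = ["Developer Protection: sensitive data found in staged changes:"]
    for f in findings:
        lines.append(f"  line {f.line_no}: {f.kind} -> {f.snippet[:40]}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = scan_diff(SAMPLE_DIFF)
    print(warning_text(found))
    for mode in ("detect", "prevent"):
        state = "allowed" if commit_allowed(found, mode) else "blocked"
        print(f"{mode}: commit {state}")
```

Run as a Git pre-commit hook, the script would read `git diff --cached` instead of SAMPLE_DIFF and exit non-zero when `commit_allowed` returns False; scanning added lines only is what keeps a key that is being removed from a repository from blocking its own clean-up commit.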
Installing the Application Control Policy
Changes to the Application Control policy are saved immediately. Refreshing the data does not revert the changes.

To install the Application Control policy:
1. In the Policy tab, go to the Policy Toolbar.
2.
Client Settings
In a large organization, creating a common policy for multiple clients eases deployment and reduces maintenance tasks.

Configuring Client Settings Policy Rules
The Client Settings Actions in the rules set:
General user interface settings
If users can postpone installations and for how long
The client uninstall password
When log files are uploaded to the server
Specified Network Protection settings...
Client User Interface Settings
You can use the default client user interface settings or edit them to customize the Endpoint Security client interface on user computers. You can change these settings:
Display client icon - When selected, the client icon shows in the Windows notification area when the Endpoint Security client is installed.
Log Upload
The components upload logs to the Endpoint Policy Server. The default Log Upload Action is Allow log upload to Endpoint Policy Servers. You can change these settings:
Enable Log Upload - Select to enable log upload. Clear to disable log upload. (Default = Selected)
Log upload interval - Frequency, in minutes, between uploads of logged events.
Installation and Upgrade Settings
The default installation and upgrade setting is that users can postpone the Endpoint Security client installation or upgrade. You can change these settings:
Default reminder interval - Set the time, in minutes, after which users are reminded to install the client.
Users Disabling Network Protection
You can let users disable network protection on their computers.
Important - If users disable network protection, their computers are less secure and more vulnerable to threats. If the policy does not allow users to disable network protection, administrators can assign permissive policies to temporarily disable network protection for specified users.
Sharing Data with Check Point
Clients can share information about detected infections and bots with Check Point. The information goes to ThreatCloud, a Check Point database of security intelligence that is dynamically updated using a worldwide network of threat sensors. ThreatCloud helps keep Check Point protection up to date with real-time information.
Remote Access VPN
The Remote Access VPN component is a simple and secure way for endpoints to connect remotely to corporate resources over the Internet, through a VPN tunnel. For more information, see the Endpoint Security clients homepage for your client version.
Access Zones
Access Zones lets you create security zones for use in Firewall. Configure Access Zones before you configure Firewall. There are two predefined Access Zones:
The Internet Zone
The Trusted Zone
Network locations not placed in the Trusted Zone automatically belong to the Internet Zone.
Note - Access Zones rules are computer-centric (not user-centric).
Trusted Zone
The Trusted Zone contains network objects that are trusted. Configure the Trusted Zone to include only those network objects with which your programs must interact.
Note - Objects not placed in the Trusted Zone are placed automatically in the Internet Zone.
SmartEndpoint contains an initial Access Zones policy.
Security servers (for example, RADIUS, TACACS, or ACE servers)
Other IP addresses or IP ranges, to which access is allowed or denied.
Changing the Access Zones Policy
The main component of the Access Zones policy rule is the definition of the Trusted Zone. All objects that are not in the Trusted Zone are automatically in the Internet Zone. If necessary, you can create new Trusted Zone objects to use in different policy rules. You can add and remove network objects from a Trusted Zone.

2. In the Select action field, select New.
3. Edit the Name and Description of the Zone.
4. Click OK.
5. Edit the network locations in the zone as described in the procedure above.
Network Objects
Access Zones are made up of network objects. You define network objects by specifying one or more of:
Host
IP address range
Network
Site
Create network objects for areas that programs must have access to, or areas that programs must be prevented from accessing.

Object information:
Name - A name for the network object. The name must start with a letter and can include capital and small letters, numbers, and '_'. All other characters are prohibited.
First IP Address / Last IP Address - The first and last IP addresses for the network object.
Color...

Site rule condition:
Host Name - The fully qualified DNS name of the host of the site you want to use as a network object. For example, hostname.acme.com.
Color - Select a color to be used for the icon for this network object.
Comment - Enter a description of the network object.

Site
Site Group
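The zone logic of the Access Zones and Network Objects sections, as an added example written for this page (it is not Check Point code and does not read the SmartEndpoint policy): a Python model that enforces the object-name rule quoted above, builds a Trusted Zone from Host, IP address range, and Network objects, and classifies any address as Trusted or Internet, with everything not covered by a Trusted Zone object falling into the Internet Zone. Site objects (matched by host name) are left out, and all object names and addresses are constructed.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Name rule from the Network Objects table: a letter first, then letters,
# digits and '_' only.
OBJECT_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def valid_object_name(name: str) -> bool:
    return OBJECT_NAME_RE.fullmatch(name) is not None


class TrustedZone:
    """Trusted Zone made of Host, IP range and Network objects.

    Whatever does not match a stored object is, by the Access Zones rule,
    in the Internet Zone.
    """

    def __init__(self) -> None:
        # object name -> list of ip_network blocks that cover the object
        self._objects = {}

    def _add(self, name: str, blocks) -> None:
        if not valid_object_name(name):
            raise ValueError(f"invalid network object name: {name!r}")
        if name in self._objects:
            raise ValueError(f"duplicate network object name: {name!r}")
        self._objects[name] = list(blocks)

    def add_host(self, name: str, ip: str) -> None:
        # A Host object is one address, stored as a /32 (IPv4) or /128 (IPv6).
        self._add(name, [ipaddress.ip_network(ip)])

    def add_range(self, name: str, first_ip: str, last_ip: str) -> None:
        # First IP Address / Last IP Address, inclusive. summarize_address_range
        # turns the span into the minimal set of CIDR blocks.
        first = ipaddress.ip_address(first_ip)
        last = ipaddress.ip_address(last_ip)
        if first.version != last.version or first > last:
            raise ValueError("range must be same IP version with First <= Last")
        self._add(name, ipaddress.summarize_address_range(first, last))

    def add_network(self, name: str, cidr: str) -> None:
        # strict=False accepts a host address written with a prefix length.
        self._add(name, [ipaddress.ip_network(cidr, strict=False)])

    def zone_of(self, ip: str) -> Tuple[str, Optional[str]]:
        """Return ("Trusted", object_name) or ("Internet", None)."""
        addr = ipaddress.ip_address(ip)
        for name, blocks in self._objects.items():
            for block in blocks:
                if addr.version == block.version and addr in block:
                    return "Trusted", name
        return "Internet", None


def build_example_zone() -> TrustedZone:
    """Constructed Trusted Zone in the spirit of the initial policy above."""
    zone = TrustedZone()
    zone.add_host("RADIUS_Server", "10.0.5.10")              # a security server
    zone.add_range("Corp_Clients", "10.1.0.1", "10.1.0.254")  # an IP range
    zone.add_network("Datacenter_Net", "192.168.100.0/24")    # a network
    return zone


if __name__ == "__main__":
    zone = build_example_zone()
    for probe in ("10.0.5.10", "10.1.0.77", "10.1.1.1", "192.168.100.250", "203.0.113.9"):
        print(probe, "->", zone.zone_of(probe))
```

The default-deny shape matters: an address one past the end of the range (10.1.0.255 in the example) is in the Internet Zone, so review ranges and masks before installing the policy rather than relying on the Trusted Zone to be generous.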
Remote Help
Users can be denied access to their Full Disk Encryption-protected computers or Media Encryption & Port Protection-protected devices for many different reasons. They might have forgotten their password or entered an incorrect password too many times. In the worst case, an attacker might have tried to access the computer or device.
Management Server, or create a dedicated server for the online web portal. Administrators can authenticate to the web portal with these authentication methods:
Check Point Password login (default) - Configure this in SmartEndpoint
Active Directory Password - See "Configuring SSL Support for AD Authentication" on page 411...
3. In the Advanced Pre-boot Settings window, Remote Help area, select a Remote Help response length.
4. Click OK.
5. Click OK.
6. Install policy.

Logging into the Web Remote Help Portal
You can log into the Web Remote Help portal using one of these methods:
Password Login
Token Login
Password Login is the default method and is shown when you first connect to the portal.
9. Create SIC trust between the Primary Endpoint Security Management Server and the Remote Help server:
a. Enter the same SIC Activation Key as the one you entered in the Check Point Configuration Tool.
b. Click Initialize to create a state of trust between the Endpoint Security Management Servers.

2. Click New. The Web Remote Help Account wizard opens.
3. Select a User type:
Existing User/Group - AD user or group
Local User - Check Point user
4. Click Next.
5. Configure login credentials:
User type & Authentication - Credentials
Existing user with AD - a.
Existing User with RADIUS or TACACS+ Authentication:
a. In the User/Group Name field, select the user from the drop-down list, or browse the AD tree to select a user. Alternatively, enter the name of the user from the AD (auto-complete field).

h. Enter the Port number. If not specified, the default port is used.
RADIUS: By default, the Endpoint Security Management Server sends RADIUS authentication requests to the RADIUS server on UDP port 1812. This is the standard port for RADIUS authentication, as defined by the IETF in RFC 2865 (RFC 2866 defines RADIUS accounting, which uses UDP port 1813).
AD Group/OU with AD Authentication:
a. In the User/Group Name field, select the group from the drop-down list, or browse the AD tree to select a group. Alternatively, enter the name of a group from the AD (auto-complete field).
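The RADIUS exchange that the port setting above configures, as an added example written for this page in Python (it is not Check Point code and does not run on the Endpoint Security Management Server): it builds an RFC 2865 Access-Request with the User-Password attribute hidden under the shared secret, and, going one step beyond the text, verifies the Response Authenticator of the reply so that a spoofed answer or a wrong shared secret is not mistaken for Access-Accept. `check_account` sends the request to UDP 1812, which lets an administrator confirm that the RADIUS server, port, and shared secret accept a Web Remote Help account before the portal depends on them. The server name, account, password, and secret are placeholder values.

```python
import hashlib
import os
import socket
import struct
from typing import Optional

RADIUS_AUTH_PORT = 1812          # RFC 2865 default; RFC 2866 accounting uses 1813
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20                  # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: null-pad to a multiple of 16 octets, then XOR each
    block with MD5(secret + previous block); the first "previous block" is the
    16-octet Request Authenticator."""
    if not 0 < len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 octets, authenticator 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a positive multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header octets (max 255)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((attr_type, len(value) + 2)) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Complete Access-Request (code 1) carrying User-Name and hidden User-Password."""
    authenticator = authenticator or os.urandom(16)      # must be fresh for every request
    attrs = attribute(ATTR_USER_NAME, username.encode()) + attribute(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier & 0xFF, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_header(packet: bytes):
    """Return (code, identifier, length, authenticator) of any RADIUS packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    return code, identifier, length, packet[4:HEADER_LEN]


def sign_reply(code: int, identifier: int, request_authenticator: bytes,
               secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side (RFC 2865 section 3): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_reply(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: accept only replies signed with our request's authenticator and secret."""
    _, _, length, response_auth = parse_header(reply)
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[HEADER_LEN:length] + secret)
    return expected.digest() == response_auth


def check_account(server: str, port: int, username: str, password: str,
                  secret: bytes, timeout: float = 3.0) -> Optional[int]:
    """Send one Access-Request; return 2 (Access-Accept), 3 (Access-Reject), or None
    when no valid reply arrives. Network I/O happens only in this function."""
    request = build_access_request(1, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    code, identifier, _, _ = parse_header(reply)
    if identifier != request[1] or not verify_reply(reply, request[4:HEADER_LEN], secret):
        return None
    return code


if __name__ == "__main__":
    # Placeholder values: use the RADIUS server configured for Web Remote Help.
    result = check_account("radius.example.internal", RADIUS_AUTH_PORT,
                           "helpdesk1", "Passw0rd!", b"shared-secret")
    print({ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
           None: "no valid reply (check host, port, secret and firewall)"}.get(result, result))
```

A reply that fails `verify_reply` is reported as no reply rather than as a reject, because an unsigned or wrongly signed packet tells you nothing about the account; the usual cause is a shared secret that does not match on one side.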
Note - You cannot change the User Name of an existing account.

Deleting a Web Remote Help Account
1. In SmartEndpoint, go to Manage > Web Remote Help Accounts. The Web Remote Help Accounts window opens.
2. Select an existing account from the list.
3.
Giving Remote Help to Full Disk Encryption Users
Use this challenge/response procedure to give access to users who are locked out of their Full Disk Encryption-protected computers.

To give Full Disk Encryption Remote Help assistance from SmartEndpoint:
1.

4. Select the type of assistance the end user needs:
a. One Time Login - Gives access as an assumed identity for one session without resetting the password.
b. Remote password change - This option is for users who have forgotten their fixed passwords.
Media Encryption & Port Protection Remote Help Workflow
Media Encryption & Port Protection lets administrators recover removable media passwords remotely using a challenge/response procedure. Always make sure that the person requesting Remote Help is an authorized user of the storage device before you give assistance.

To recover a Media Encryption &...

7. Give the response code to the user.
8. Make sure that the user can access the storage device successfully.
Disabling Remote Help
To disable Remote Help:
1. In the Media Encryption & Port Protection Policy window, in the Encrypt Removable Media area, click Advanced Settings. The Media Encryption page opens.
2. In the Offline Mode Settings, expand the Advanced Settings area.
3.
User-Bound Remote Help
User-bound Remote Help lets you provide Remote Help for a user, Offline Group, or an organization without an exact device name. A special user is created for this purpose.
Note - User-bound Remote Help is less secure than regular Remote Help because the same Remote Help key is distributed to all machines assigned to the specified user account.
On the Windows computer, go to the Add or remove programs system setting, select Endpoint Security, and click Uninstall. A Check Point Endpoint Security challenge-response window opens. The window has a Challenge field that contains a number with many digits, and a Response field that is blank.

Give the Response number to the user. This can be by phone, text message, email, or in some other way.
3. The user uninstalls the Endpoint Security client:
a. Type the Response number into the Check Point Endpoint Security challenge-response window.
b. Uninstall the Endpoint Security client.
Offline Mode
Offline Mode lets users get policies and updates from a shared folder, without a connection to an Endpoint Security server. Policies for the following Endpoint Security client components are supported in Offline Mode:
Full Disk Encryption
OneCheck User Settings
Client Settings
Configuring Offline Mode
Manage the offline policies for the Endpoint Security client components that are supported in Offline Mode from each Offline Group in the Users and Computers tab. The policies for users in these groups are not configured in the Policy tab and are not included in policy installation. Create a new Offline Group and configure the sub-paths and settings. Each Offline Group defines the location for its files and the included policies.
d. Select a Category. Each category has a default path under the defined root path. Keep the default or click Add, Edit, or Remove to change the path or add a new one.
e. Click OK.
f. Select a value for each of the Synchronization Settings:
Clients sync with shared location every X minutes
After a failed connection, clients retry to sync with shared locations every X minutes...
OneCheck User Settings Policy
Continue with the New Offline Group wizard or click OneCheck User Settings to configure the OneCheck User Settings policy settings for the group. This policy is the default OneCheck User Settings policy for acquired users and for users created from the deployment users on the computer.
Option - Description - Notes
Get Update Policy File - Exports a file with policy updates. This file has the CPPOL extension. - You must put the CPPOL file in the Updates folder.
Get Offline Management - Exports a CPOMF file that contains definitions that you can use to log in to... - This is for a help desk or contractor...
Deployment > Get Offline to Online File - Exports a file that converts an offline client to an online client. After installation, the client connects to... - You must put the CPPOL file in the Updates folder.
To deploy packages:
Automatically deploy the offline client on computers, or give users instructions to get the packages they require.

To push a policy update for a specified client:
Place the policy in the Work folder locally on the client.
On x64 clients: %PROGRAMFILES(X86)%\CheckPoint\Endpoint Security\Endpoint Common\Work\...
Creating Offline Administrators
Offline administrators can be created one at a time or in groups.

To create offline administrators:
1. Open SmartEndpoint.
2. On the Users and Computers tab, right-click an offline group.
3. Select Create Administrators. The Create offline group administrators window opens with these options:
Add Single User - Adds one administrator. Enter the Logon Name.
Editing Pre-boot Users
To edit offline Pre-boot accounts:
1. From the Users and Computers tab, expand an Offline Group to see the users.
2. Right-click the user and select User Authentication (OneCheck) > Pre-boot Authentication method.
3.

Regular User (default)
Do not use device information for Full Disk Encryption remote help - Enables user-bound Remote Help for the pre-boot user
Lock user for preboot - Locks the user for pre-boot
Require change password after first logon - Applies only to password authentication.
Moving from Offline to Online Mode
During the conversion from offline to online mode, all users acquired on the offline client are deleted. Users must be pre-authorized for the online client to make sure that there are authorized users on the client.
Endpoint Offline Management Tool
The Endpoint Offline Management Tool lets administrators manage Offline Mode users and give them password assistance and disk recovery. It does not require access to the Endpoint Security Management Server. Double-click the OfflineMgmtTool.msi file to install the tool. Get the files from the Server Release information section of the Endpoint Security homepage.

Click Browse to locate the file for the computer in the offline group that requires recovery. Click Next.
Note - Each offline group is cryptographically independent. The CPOMF file for one group does not work for a different group.

Selecting a User
Select a user that has Pre-boot permissions on the computer. Click Next.

Select Media
Select the type of recovery media to generate:
ISO file
REC file
USB media
If you select ISO or REC, select the storage location. If you select USB, choose the drive to use. Click Create Media.
Uninstalling Endpoint Security Using Challenge-Response in Offline Mode
You can allow a user to uninstall the Endpoint Security client on their remote Windows computer without giving the client uninstall password to the user. A challenge-response procedure validates the identity of the user on the remote computer.

3. In Select Status File, select the .cpsts file of the client in the Client Logs folder in the Offline location.
4. Click Next.
5. Give these instructions to the user:
Add or remove programs system setting, select the Endpoint Security client, and click Uninstall. A Check Point Endpoint Security challenge-response window opens. The window has a Challenge field that contains a number with many digits, and a Response field that is blank.

c. If Full Disk Encryption (FDE) is installed, a popup window shows. Click OK to reboot the client computer. This decrypts the computer. Then, the Endpoint Security client is uninstalled.
Glossary
Access Zone - Access Zone lets you create security zones for use in Firewall.
Anti-Bot - Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT.
Anti-Malware - A component on Endpoint Security Windows clients. This component protects clients from known and unknown viruses, worms, Trojan horses, adware, and keystroke loggers.

Security Gateway that is part of a cluster.
Compliance - Check Point Software Blade on a Management Server to view and apply the Security Best Practices to the managed Security Gateways. This Software Blade includes a library of Check Point-defined Security Best Practices to use as a baseline for good Security Gateway and Policy configuration.
Route-Based VPN, it is done by FWK daemon.
CPUSE - Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. For details, see sk92449.
DAIP Gateway - Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway on which the IP address of the external interface is assigned dynamically by the ISP.
A component of Endpoint Security Management Server that scans the defined Active Directory and copies the existing Active Directory structure to the server database.
Distributed Deployment - Configuration in which the Check Point Security Gateway and the Security Management Server products are installed on different computers.
Dynamic Object - Special object type whose IP address is not known in advance.
Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems.
Gaia Clish - The name of the default command line shell in the Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell).
Acronym: IDA.
Identity Logging - Check Point Software Blade on a Management Server to view Identity Logs from the managed Security Gateways that have the Identity Awareness Software Blade enabled.
Internal Network - Computers and resources protected by the Firewall and accessed by authenticated users.
IPsec VPN - Check Point Software Blade on a Security Gateway that provides Site to Site VPN and Remote Access VPN access.
Jumbo Hotfix Accumulator - Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA.
Kerberos - A ticket-based network authentication protocol. It is the default authentication protocol in Microsoft Windows Active Directory domains, where the domain controller acts as the Key Distribution Center (KDC).
(USB, Bluetooth, and so on). Acronym: MEPP.
Mobile Access - Check Point Software Blade on a Security Gateway that provides Remote Access VPN access for managed and unmanaged clients. Acronym: MAB.
Multi-Domain Log Server - Dedicated Check Point server that runs Check Point software to store and process logs in a Multi-Domain Security Management environment.
Check Point Software Blade on a Management Server that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: SmartProvisioning, SmartLSM, Large-Scale Management, LSM.
Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic and guarantee bandwidth and control latency.
One or more additional Endpoint Security Management Servers for High Availability. This makes sure that a backup server is always available for downtime situations.
SecureXL - Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway.
Security Gateway - Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.
Gateways using configuration profiles. Synonyms: Large-Scale Management, SmartLSM, LSM.
SmartUpdate - Legacy Check Point GUI client used to manage licenses and contracts in a Check Point environment.
Software Blade - Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic; (2) On a Management Server, each Software Blade enables different management capabilities.
Threat Extraction - Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX.
Threat Extraction, Threat Emulation and Anti-Exploit - A SandBlast Agent component on Endpoint Security Windows clients. Threat Extraction quickly delivers safe files while the original files are inspected for potential threats.
Zero Phishing - Check Point Software Blade on a Security Gateway (R81.20 and higher) that provides real-time phishing prevention based on URLs. Acronym: ZPH.