https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249382#M10578 <P>Updating Signatures offline needs an On-Premise EPSS&nbsp; Management Server as documented in <SPAN class="css-13y3t3g"><SPAN class="css-vy7rm">sk182535</SPAN></SPAN>. So you can ask CP TAC if Infinity EPS could be used, but but signature update, using a TE appliance and its update will not be possible.</P> Tue, 20 May 2025 11:36:10 GMT G_W_Albrecht 2025-05-20T11:36:10Z https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249378#M10577 <P>One of our customers is using Infinity Harmony Endpoint for regular endpoints like computers, servers.</P> <P>They have a requirement to deploy a few computers which would be in a completely isolated network and location for accessing and managing privileged information.</P> <P>The framework requires a standalone EDR solution.</P> <P>I've read&nbsp;<A href="https://support.checkpoint.com/results/sk/sk182535" target="_blank" rel="noopener">Deploying Harmony Endpoint in an Offline (Air-Gapped) Environment</A>&nbsp;which describes a completely offline installation of EPS server along with TE appliance.</P> <P>As the customer is already using the online Endpoint, the question is whether we can leverage the existing option of creating a full standalone package, including signatures, installing locally and leave it offline, knowing the limitations of blades when offline, and update the signatures manually without access to any management server.</P> Tue, 20 May 2025 11:09:58 GMT https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249378#M10577 Alex- 2025-05-20T11:09:58Z https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249382#M10578 <P>Updating Signatures offline needs an On-Premise EPSS&nbsp; Management Server as documented in <SPAN class="css-13y3t3g"><SPAN class="css-vy7rm">sk182535</SPAN></SPAN>. So you can ask CP TAC if Infinity EPS could be used, but but signature update, using a TE appliance and its update will not be possible.</P> Tue, 20 May 2025 11:36:10 GMT https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249382#M10578 G_W_Albrecht 2025-05-20T11:36:10Z https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249392#M10579 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/10384">@Alex-</a>&nbsp;</P> <P>You could use the supernode, the link is below. In addition, you could implement the endpoint firewall, only allowing access to the supernode.</P> <P><A href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_HarmonyEndpointWebManagement_AdminGuide/Topics-HEPWM-R81.10/Super-Node.htm" target="_self">Super-Node</A></P> Tue, 20 May 2025 12:52:24 GMT https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249392#M10579 lluner 2025-05-20T12:52:24Z https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249393#M10580 <P>Also the supernode needs internet access, so it can not be used in a completely isolated network !</P> Tue, 20 May 2025 13:27:55 GMT https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249393#M10580 G_W_Albrecht 2025-05-20T13:27:55Z https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249397#M10581 <P>tks</P> Wed, 21 May 2025 11:20:36 GMT https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249397#M10581 lluner 2025-05-21T11:20:36Z https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249407#M10582 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/87055">@lluner</a>&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/21294">@G_W_Albrecht</a>&nbsp;Thanks for chiming in.</P> <P>This project has stringent requirements, so partial or derived Internet access like the super node is not compliant.</P> <P>We will then explore if the air-gapped architecture with HEP can be considered.</P> Tue, 20 May 2025 16:26:13 GMT https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249407#M10582 Alex- 2025-05-20T16:26:13Z https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249465#M10584 <P>Please, do not adress me in a language i do not understand.</P> Wed, 21 May 2025 07:46:55 GMT https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249465#M10584 G_W_Albrecht 2025-05-21T07:46:55Z https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249730#M10585 <P>You could ask you SE if Check Point will support a data diode. For example Owl.&nbsp;</P> <P>&nbsp;</P> Fri, 23 May 2025 19:40:24 GMT https://community.checkpoint.com/t5/Endpoint/Air-gapped-endpoints-in-environment-using-EpmaaS/m-p/249730#M10585 Don_Paterson 2025-05-23T19:40:24Z