topic Re: Harmony Endpoint client that is not allowed to go to Internet in Endpoint

Harmony Endpoint client that is not allowed to go to Internet

Wei_Soon_Heng — Mon, 05 Feb 2024 05:44:58 GMT

Hi All,

Recently, my client has purchased 250 seats of harmony endpoint license with EPS Cloud Management.

Their environment is all servers that comprised mix of Window and Linux and are not allowed to go to Internet.

In this case, how should we ensure that installed endpoint client able to grab malware database update and how management server able to manage those offline client ?

I had gone through Harmony Endpoint EPMaaS Administration Guide, there are few possible methods to achieve and will need verification on some capability as listed below:

Super Node:

1) Does Super Node able to push all Threat Prevention blade database update to all endpoint clients(Windows and Linux), and able to relay policy changes to clients(Windows and Linux)?

Proxy:

1) Does authenticated proxy able to work on Linux servers?

2) I knows that it mostly will work on Windows server.

Deploy another On-Prems Endpoint Management Server

1) If the On-Prem Endpoint Management Server is able to go over internet, does the client(Linux and Windows) itself also need to have internet connectivity ? Based on Harmony Endpoint EPMaaS Administration Guide, it shows the linux endpoint need to have internet connectivity by itself.

Thanks,

Re: Harmony Endpoint client that is not allowed to go to Internet

G_W_Albrecht — Mon, 05 Feb 2024 08:05:41 GMT

Ask CP TAC for the configuration suggested by CP !

Re: Harmony Endpoint client that is not allowed to go to Internet

JonnyRabinowitz — Mon, 05 Feb 2024 21:55:42 GMT

You are correct that the SuperNode is available for Windows and allows to share local copies of things like Anti-Malware signatures, Behavioral Guard rules and Static Analysis ML/AI models.

This capability is currently being extended so that will allow all communication from the Windows client to be made through the Super Node and prevent direct connectivity to the Internet. These new capabilities should e available during Q1 2024

There are also plans to have the SuperNode provide the same capabilities for Linux and Mac clients. The final schedule for these items has not been locked down yet but should be in firs half of the year

Re: Harmony Endpoint client that is not allowed to go to Internet

Blason_R — Mon, 11 Mar 2024 03:21:11 GMT

Hey Folks,

Wondering has that been rolled out? Will that be available in R81.20?

Re: Harmony Endpoint client that is not allowed to go to Internet

JonnyRabinowitz — Mon, 11 Mar 2024 11:26:29 GMT

Hi Blason

Yes. It will be available in E88.20 that should be released any time soon (will try and remember to post again when it does)

The capability will be available for Windows clients as Early Availability (EA). Please reach out to me directly if want to participate

Re: Harmony Endpoint client that is not allowed to go to Internet

JonnyRabinowitz — Wed, 13 Mar 2024 11:29:19 GMT

E88.20 is now available and includes this capability for Windows based clients

Enables semi-isolated environment where all endpoint communications are routed through a super node

This capability is for Early Availability (EA) and not available by default in General Available (GA) version

Please unicast me if any interest to join EA program

Re: Harmony Endpoint client that is not allowed to go to Internet

PJ_WONG — Wed, 28 Aug 2024 03:46:38 GMT

Hi Jonny,

May I know is this capability currently included for or removed for the superNode and the superNode client?

This is because we have client utilizing superNode and able to get all the blades updated previously but now we are only able to get the AM database to update from superNode only while other blades will have no connection to server. This is behaving like the version before E88.20.

Could you provide any insight on this? Appreciate.

Re: Harmony Endpoint client that is not allowed to go to Internet

PhoneBoy — Wed, 28 Aug 2024 14:13:34 GMT

Should be GA, considering there's several SKs on it.
For example: https://support.checkpoint.com/results/sk/sk171703

Re: Harmony Endpoint client that is not allowed to go to Internet

JonnyRabinowitz — Wed, 28 Aug 2024 17:38:13 GMT

To repeat from earlier in the thread

"You are correct that the SuperNode is available for Windows and allows to share local copies of things like Anti-Malware signatures, Behavioral Guard rules and Static Analysis ML/AI models. (this existed prior to E88.20)

This capability is currently being extended so that will allow all communication from the Windows client to be made through the Super Node and prevent direct connectivity to the Internet. (Extended functionality available from E88.20 and onwards as EA]"

I have not been able to get any confirmation that extended functionality (aka semi-isolated network) is GA and EAs for customers are ongoing with the latest release

Re: Harmony Endpoint client that is not allowed to go to Internet

JonnyRabinowitz — Fri, 30 Aug 2024 04:52:58 GMT

Was able to confirm that GA for this feature will in fact be in E88.60 which is the next release up and should be available within the order of weeks

It is great to see the interest in this feature. Note that customers leveraging semi-isolated networks will also be able to leverage the EDR package with HEP and leverage XDR capabilities

Re: Harmony Endpoint client that is not allowed to go to Internet

PJ_WONG — Fri, 30 Aug 2024 02:12:22 GMT

Thank you for the information! It appears that we were able to download E88.20 with EA capability from the web portal when it was released. In that case, we'll be anticipating the next release for download.