topic Re: blade to isolate the equipment in Endpoint

blade to isolate the equipment

earomero — Fri, 13 Dec 2024 13:26:35 GMT

Good morning, greetings from Argentina!

Today I had a computer incident with an endpoint and I isolated the equipment. I thought that this measure was implemented...but no, I attached a photo where it says that I do not have the necessary blade installed.
How can I install the blade necessary for this?

Muchas gracias, saludos!

Re: blade to isolate the equipment

lluner — Fri, 13 Dec 2024 15:42:44 GMT

hi @earomero

Follow the image and put the name of the machine. On the screen you will see the blade that is not running

asset management --> organization ---> computers

Re: blade to isolate the equipment

earomero — Fri, 13 Dec 2024 15:57:11 GMT

Hi!
I am sending you a photo of my assets. I don't see the isolate machine blade in capabilities. How can I install it?

Re: blade to isolate the equipment

lluner — Fri, 13 Dec 2024 16:06:35 GMT

hi @earomero

Select the machine to know which blade is not showing

Re: blade to isolate the equipment

lluner — Fri, 13 Dec 2024 16:33:09 GMT

hi @earomero

You have to install the firewall blade

Re: blade to isolate the equipment

earomero — Fri, 13 Dec 2024 17:37:12 GMT

Thanks for the reply. Is it necessary to have XDR to deploy the firewall blade?

Saludos!

Re: blade to isolate the equipment

lluner — Fri, 13 Dec 2024 17:42:14 GMT

Re: blade to isolate the equipment

earomero — Fri, 13 Dec 2024 17:53:44 GMT

OK! Thanks!
How can I install the firewall blade without having to reinstall the entire harmony on the endpoints?

Re: blade to isolate the equipment

lluner — Fri, 13 Dec 2024 18:02:56 GMT

Selects the firewall checkbox and applies the policy by selecting the machine

Re: blade to isolate the equipment

earomero — Fri, 13 Dec 2024 19:07:47 GMT

Genius, idol, crack!
Thank you very much!
I send you a big hug in the best Argentine style, with the warmth that it deserves!

Re: blade to isolate the equipment

Swiftyyyyy — Fri, 13 Dec 2024 19:29:38 GMT

This might be considered potentially harmful advice without explaining the significant implications it may have.

Selecting to install a new blade via. deployment policy will result in the following:

Devices affected by the policy will immediately start to download the required packages, while this shouldn't be too significant for just the Firewall blade, we have had customer environments simply collapse if too many devices at once started pulling updates
The reconfiguration of blades on an installed systems WILL result in a reboot. Yes by default the client policy permits the user to postpone the operation, but once finished there will be a 2 minute timer to reboot without option of cancel. A notification should be done to users in most cases and some thinking should be done on when to deploy

Seeing as you don't appear to be too familiar with the Firewall blade keep in mind this WILL disable your existing Firewall (Windows Defender Firewall) and the DEFAULT policy for Check Point local Firewall is essentially Any Any Allow, meaning by just installing the Firewall blade without prior configuration of policy CAN and WILL reduce your over-all security posture.

Honestly, with how genuinely BAD the local firewall blade is to configure, I'd personally just deal with not having an isolate option.

Local firewall in its current iteration is embarrassing

It is in no way, shape or form Application Aware. Yes there is Application Control, but there is such a high barrier of entry to configuring that it's just not something you can manage in most environments
For an ENDPOINT product you really, genuinely should be able to do rules with "PROCESS NAME" as the Source field
There are no dynamic objects (not even one for EPMaaS for example)
You can't negate rules (for example using RFC1918 network group negated as a way to define the "Internet" isn't a thing you can do; you effectively have one network group you can negate by abusing the "Trusted" zone mechanic)
Sometimes rules don't catch if they're too precise and you resort to doing funky *ANY* rules just to get basic functionality

For a company whose bread and butter is the firewall the local firewall blade on Harmony Endpoint really needs to step up, because currently it's an outright downgrade of out-of-the-box Windows Defender Firewall with the only real perk being the Isolate functionality