https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236323#M9846 <P>Yes, the supernode has connectivity to the Cloud without the proxy. All these connections we can see on the proxy are only from the clients with installed EndPoint software.</P> Thu, 19 Dec 2024 09:55:01 GMT Wolfgang 2024-12-19T09:55:01Z https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236319#M9844 <P>After deploying Harmony Endpoint in an environment with internet access only with proxy we are facing CPU utilization problems on the proxy environment.</P> <P>From the proxy logs we see the system is flooded with connections to "file-rep.iaas.checkpoint.com" from all clients all the times. We are using a supernode in the environment but these connections are always seen via the proxy. Around 80% of all internet traffic is regarding this connections. sk116590 states this connections are for ThreatEmulationBlade</P> <P>Any chance to stop this or get working not via the proxy but the supernode?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="2024-12-19 10_.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/28920iD2B325318AFA9D0A/image-size/large?v=v2&amp;px=999" role="button" title="2024-12-19 10_.png" alt="2024-12-19 10_.png" /></span></P> Thu, 19 Dec 2024 09:31:46 GMT https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236319#M9844 Wolfgang 2024-12-19T09:31:46Z https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236322#M9845 <P>Are you implying the super node also doesn't rely on the proxy for its Internet access?</P> Thu, 19 Dec 2024 09:35:47 GMT https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236322#M9845 Chris_Atkinson 2024-12-19T09:35:47Z https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236323#M9846 <P>Yes, the supernode has connectivity to the Cloud without the proxy. All these connections we can see on the proxy are only from the clients with installed EndPoint software.</P> Thu, 19 Dec 2024 09:55:01 GMT https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236323#M9846 Wolfgang 2024-12-19T09:55:01Z https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236411#M9852 <P>Based on&nbsp;<A href="https://support.checkpoint.com/results/sk/sk171703" target="_blank">https://support.checkpoint.com/results/sk/sk171703</A>&nbsp;this is expected behavior.<BR />Specifically:&nbsp;<SPAN>Currently, Super Node serves as an Anti-Malware signature proxy.<BR /></SPAN></P> Thu, 19 Dec 2024 18:24:39 GMT https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236411#M9852 PhoneBoy 2024-12-19T18:24:39Z https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236444#M9855 <P>Hello,</P> <P>We faced the same issue. These connections overloaded our proxy. I understand it is a normal behavior, according to TAC, <SPAN>Under the hood Anti-Malware E2 is part of Threat Emulation blade and cannot function independently. Therefore Threat Emulation as blade is installed, no matter how it is called Threat Emulation or File reputation.</SPAN><BR clear="none" />. We found some options:&nbsp;</P> <OL> <LI>Reduce the number of connections that agents do to those URL's. It needs to disable some fetures which reduces security. (File reputation, custom IoC, create exclusions for browsers cache folders)</LI> <LI>Use semi isolated enviaroments Super Node, all file-rep connections will go to Super Node. It does not work with authenticated proxy.</LI> <LI>Send these connections to a different proxy configuring&nbsp;<SPAN>&nbsp;</SPAN><SPAN class="Menu_Options">Client Settings</SPAN><SPAN>&nbsp;&gt;&nbsp;</SPAN><SPAN class="Menu_Options">General<SPAN>&nbsp;</SPAN></SPAN><SPAN>&gt;&nbsp;</SPAN><SPAN class="Menu_Options"><SPAN class="SearchHighlight SearchHighlight1">Authenticated</SPAN><SPAN>&nbsp;</SPAN><SPAN class="SearchHighlight SearchHighlight2">Proxy</SPAN></SPAN><SPAN>. Again, it does not work with authenticated proxy! It should be fixed on E88.70.&nbsp;</SPAN></LI> </OL> <P><SPAN>Just a tip. Make sure that all CheckPoint URL's are allowed on your proxy for endpoints. We found a couple endpoints without permissions to file-rep URL, and they went crazy, sent hundreds of attempts until we allowed the connection.</SPAN></P> <P><SPAN>Regards</SPAN></P> Thu, 19 Dec 2024 22:09:31 GMT https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236444#M9855 RS_Daniel 2024-12-19T22:09:31Z https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236459#M9857 <P>Thanks&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1920">@RS_Daniel</a>&nbsp;sounds good, we are not alone.</P> <P>Your second point is very interesting. We are using the Super Node, but all connections to file-rep...... are going through the normal proxy. It would be very helpful gettng these connection rid from the normal proxy. We don't use our proxy with authentication.</P> Fri, 20 Dec 2024 07:11:35 GMT https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236459#M9857 Wolfgang 2024-12-20T07:11:35Z https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236478#M9860 <P>Hello,</P> <P>That option only worked after we enabled Semi Isolated mode on our tenant. A checkpoint team helped us enabling this feature on the server, and only then we were able to follow and enabled Semi Isolated super node configuration steps. Also i would try it with E88.50 or higher.</P> <P>You can check this training video shared by Bar Yassure:</P> <P>Learn more about this new capability:</P> <UL> <LI><SPAN><A href="https://checkpoint.zoom.us/rec/share/dDYR-Mss-uE8-b0y8cO3bfi_k5prQ8GUmhMawQXcLrPCTu1WEAxkvLb5MwD9_kls.q0Io8sSo72lG5oEE" target="_blank" rel="nofollow noopener noreferrer">Technical Training</A></SPAN><SPAN>&nbsp;</SPAN>(Passcode: 1Zmjq!ZA)</LI> </UL> <P>Regards</P> Fri, 20 Dec 2024 12:54:25 GMT https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236478#M9860 RS_Daniel 2024-12-20T12:54:25Z https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236682#M9870 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1920">@RS_Daniel</a>&nbsp;as an information ... We could reduce the CPU utilization on the proxy significant by not logging the known URL. We have 500 clients and not logging these URL reduces CPU utilization form 80% =&gt; 10% (4 cores active).</P> <P>######## small&nbsp;ACL for squid-proxy #############</P> <P>acl nolog dstdomain \<BR />&nbsp; &nbsp; &nbsp; file-rep.iaas.checkpoint.com</P> <P>access_log none nolog</P> <P>######## small&nbsp;ACL for squid-proxy #############</P> Mon, 23 Dec 2024 13:57:18 GMT https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236682#M9870 Wolfgang 2024-12-23T13:57:18Z https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236970#M9892 <P>Good tip, thanks! will test it.</P> Fri, 27 Dec 2024 18:49:29 GMT https://community.checkpoint.com/t5/Endpoint/connections-to-file-rep-iaas-checkpoint-com-443/m-p/236970#M9892 RS_Daniel 2024-12-27T18:49:29Z