Andrea_Poiesi
Andrea_Poiesi inside Endpoint Security Products an hour ago
views 5312 11

Endpoint client and Windows 10 1903

Hi everyone, has anyone tried to upgrade Windows 10 to the 1903 version and install the endpoint client? In the release notes of ver 80.94 and 80.96 I see that it is not mentioned and does not seem to be supported yet. Does anyone have feedback?

FED UP WITH ENDPOINT - Last Straw - Support for Server 2019 but not the Hyper-V part

Hi All,

<edit> It took nearly two hours to write this in a way that makes sense, despite how furious I am with what I heard from Support and our Reps today, and as soon as I did, the system marked it as SPAM.. I thankfully was able to hit the back key and get back to the edit window and retrieve this text. I saved it to a local document and will Re-Post if it gets taken down again <edit>

I have been a proponent of Check Point since starting my tenure at my company in 2015, and as the ecosystem has evolved, I have come to CPX NY and watched the presentations and webinars and can see a truly integrated single pane of glass that is almost a full reality coming, What Check Point does is literally amazing and on an incredible scale.

However.... I have been struggling with Check Point Endpoint Security since drinking the cool aid a couple of years back and switching from Symantec.

The promise of the product was fantastic, Reversal of Ransomware Attacks? Cloud based integration protecting our endpoints in the same ecosystem that protects our perimeter? One pane of glass eventually for both? Zero Phishing? Threat Extraction at the desktop? Awesome!

With little exaggeration, I have spent about 20 percent of my man hours prior to the release of endpoint client 80.96 kludging workarounds for the way that the EP Client broke some of even our simplest workflows and vertical app access on bone stock freshly reinstalled workstations. The tickets are all in TAC to prove it out. First it broke our ActiveX based portfolio management system access at the browser level, then broke our access to our investment banking partner multiple times, and even breaking things as simple as the ESPN site with the TE and TX blades enabled, then later without them enabled.
And the problems were inconsistent, involving GUIDbedit hacks with TAC and countless separate blade policies based on who was using which affected workflows, leaving many of the blades disabled for them.

For a single IT Pro (and as of this year, Director of IT) at a small but high net worth wealth management firm with FINRA and SEC expecting us to be secure, endpoint security has to be enabled and has to be a top priority. And since our CP EP experience affected many workflows, the 20 percent number is not surprising.

We bought the product because it worked on our virtualized and bare metal servers protecting them from ransomware attacks, botnets, suspicious exe activity, and the like and they have been TROUBLE here and there but they have run, and with the help of an excellent SE (who left the company in January) and a great sales rep (who left the company in February) and a replacement SE (who left the company in March)... well, ok I HAD a great team with a rapport that was top notch who got me in touch with the right people and even did some above and beyond hand-holding considering my workload along the way, and it kept me drinking the Kool Aid, even at room temperature..

That mass exodus bode badly, but thankfully, once I had done all the work to get all the hardware and software purchased to begin our mass migration of our entire Windows infrastructure due to Microsoft's End of Extended Support that affected literally everything in our environment (all workstations were still Windows 7 Professional, All server OSes were Windows Server 2008R2, Exchange server is 2010) I was able to turn my attention back toward Endpoint and see if there were any improvements the latest clients might offer.

I was overjoyed to find that I was able to deploy 80.96 without a single issue on all the servers and workstations, and one by one I was able to enable blades that we had paid for for two years but could not use because they broke things.
So, when I began the first deployment stage of our new Dell R740xd server with Server 2019 Std Hyper-V on the bare metal, I was expecting smooth sailing, It was Microsoft Best Practices to the best of my **bleep** retentive ability and I was methodical. So I deployed one 2016 VM for our Portfolio management system application server and another for its database server, turned that over to the consulting group handling the migration / upgrade from the existing servers to those. In parallel, I created another VM with the identical VM and guest OS configuration and brought it up for testing the Endpoint Client. I joined it to the domain, found it in the Endpoint Management console, and assigned deployment policy to it.

After a first stumble due to a Server 2016 and Compliance hotfix that might have caused the issue, I blew away that VM and created a new one, identical, with a different hostname and joined it to the domain to try again.

Starting small, I enabled only the AntiMalware blade in the deployment policy.

Installed the Initial Client. All was well... The client picked up the deployment policy and the upgrade began. As soon as the client instantiated after that.... WTF... the Hyper-V guest restarts as if you pulled the "virtual power cord" out of it. It comes back up, you log in quickly get to the desktop and look around there was no BSOD, no way to get into safe mode and stay there, No memory dump file to go on. And errors in the Hyper-V logs on the Hypervisor Host... Before you know it the cord is pulled again and it starts over.. If you left it to its own devices, it would boot loop like that endlessly once for each of the 90 seconds it took for the server to come up, and the Endpoint Client to get to some particular state in its startup, whether you logged into Windows or not.
I had opened a ticket with TAC before the first VM attempt that I mentioned with the 2016 and compliance blade as part of the deployment, explained the environment to him, he did research and suggested that perhaps the 2016 hotfix would be needed. Nothing came to mind for him about Hyper-V not being supported at that point, so he continued his research as I created the second fresh VM and did not deploy the compliance blade that time, Just the anti malware as mentioned. After two days of us working on it he indicates the Release notes, with the inference that Hyper-V is not supported, just VMWare ESXi and apologizes for the inconvenience this causes.

He was a nice guy, I have no problem with him at all, I am not angry with him nor do I doubt his capability as an engineer... All the TAC engineers I have worked with have been great so far.

However, this answer is clearly not acceptable.

I am an RTFM kind of guy. I read the release notes, search the support portal, checkmates, I did my research, I googled (before AND after deciding on Hyper-V as our new environment's Hypervisor) for "Check Point Endpoint" and Hyper-V and 2019 and 2016 and every derivation thereof, but NOWHERE did I ever see anything like a support matrix that expressly indicated that they support Windows Server 2019 or 2016 but do not support the Hyper-V component in it. NOWHERE. Nobody stating in any blog, "Endpoint does not work with Hyper-V".

All our current workloads are running fine with Check Point Endpoint 80.96 clients under a much more edge case hypervisor, namely Proxmox VE which is Debian Linux-based KVM virtualization. No catastrophic problems whatsoever. The issues we DID have were exactly the same on the Server VMs as they were on the bone stock Windows 7 Pro workstations.
The hypervisor did not come into it at all.

Though Debian KVM is not expressly supported in the release notes, we were able to do a test deployment in the environment when we first bought the management and endpoint packages so we were ok, even though KVM is not explicitly supported in any of the EP release notes or product pages, and we were not discouraged by our sales and engineering team about deploying the clients in those VMs as I recall.

I have now wasted two weeks of juggling the overall workload of the infrastructure deployment and testing Endpoint with Hyper-V and trying to figure out what is going wrong while trying to keep the Portfolio Management deployment going, and doing all the other jobs that a single IT Pro at a company like this one must do day to day; not seeing my kids awake, coming in at 7am and leaving at STUPID PM every night and this is the answer I got. 80.96 was the light at the end of the tunnel but that light is indeed the proverbial freight train. Rep and TAC hands are tied, pretty much certain no one will work with me to get it off the ground until official support for Hyper-V is reached in the CP EPS Roadmap. This means we have wasted the money we spent this year for our Endpoint Management and Client support and licenses, and will not be able to use the core parts that drew us to the product in the first place, where they are most needed, ON THE SERVERS. Our new environment will have more than 70 percent of its workload virtualized. Where does this leave us?

I am beyond frustration at this point but what really gets me is that the documentation is vague, or it is misleading, depending on how you look at it.

At the VERY LEAST, someone should tell the documentation group that if they put Windows Server 2019 or 2016 in as a supported platform for the client, they need to include an asterisk and caveat because HYPER-V is a ROLE on those platforms.
If it is not supported IN ANY WAY whether on the bare metal or running as a VM in it, it needs to be EXPLICITLY stated that it is not supported. Hyper-V is not a separate product, it is part of Windows Server.

I always base my purchasing decisions on what I read, and I do read the release notes for the clients. Server 2019 is supported without any asterisks. HYPER-V is a standard Role and has been since Windows Server 2008R2. If Check Point says it supports Server 2019, it must support the whole of the OS unless they state otherwise.

I hope someone in Check Point engineering or support can help me at least see if there is something simple we can try, because the Triple Fault error seen in the Hyper-V logs was mentioned only for one thread on the MS blogs and though there was no hotfix yet, the official workaround was something simple, namely changing the MAC address on the VM, rebooting it, and changing it back, and rebooting it. This did not help in our use case, but that's what I am saying there may be something simple that can get us by so we don't have to finally give up on Check Point Endpoint protection and change all our reviews on Gartner to reflect how we now really feel at the end of all that promise.

Sorry all, Just needed to vent.
Feel free to flame me now 🙂

Some related links:

There appears to be some Hyper-V VDI support
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105278&partition=Advanced&product=Endpoint

The 2016 server compliance Hotfix which was a red herring in this case
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122136

The Hyper-V Triple Fault Bug workaround, not related to Check Point, but this is the error we see in the Hyper-V host logs when I install CP EPS in the VM
http://www.checkyourlogs.net/?p=59953

Build from May 2019 where MS ostensibly fixed the bug, MS Blog replies refute this as being fixed however
https://support.microsoft.com/en-us/help/4497934/windows-10-update-kb4497934
Salikov
Salikov inside Endpoint Security Products Sunday
views 79 1

Connect to vpn by command line

Hi there, Is there any solution to connect to VPN without using the Endpoint Security VPN client GUI, just by CLI on Mac OS? Thanks and Regards, Salikov

Convert legacy to UEFI boot on the fly possible?

Hi, Has anyone experience with converting legacy boot to UEFI boot and successfully managed to get FDE boot to work afterwards? We need to change legacy boot to UEFI boot due to issues with support of IC2 bus controller handling the touch pad and mousetrapper on mobile users. Also we want to save users from an extra authentication due to UEFI boot can go directly to Windows if FDE boot is able to reach the endpoint mgmt server. Have seen on this link from Intel: Convert legacy boot to uefi boot. Here Intel use the tool mbr2gdp but after using it endpoint client does not work. Can a possible repair of the client solve this issue? Reason why if we cannot change on the fly is to reinstall Windows on new UEFI boot / partition.
Hawkeye_Parker
Hawkeye_Parker inside Endpoint Security Products a week ago
views 460 1

Any way to check process debug is still running ?

Hi Checkmates, Have a query on Process Debug. Do we have any way to check if the process debug is enabled or not (just to know if it's stopped)? For example, we ran debug on FWD process using "fw debug fwd on TDERROR_ALL_ALL=5". Any particular command to know if it's running? Understand it would write up logs on fwd.elg file. Apart from that, any particular command to know if it's still running?
Vladimir
Vladimir inside Endpoint Security Products a week ago
views 1429 16

Wildcards in custom Apps

I am attempting to whitelist a long list of domains used by the user awareness training campaign. And am seeing this: Can we get some clarity on why this is not working and how to get around this issue. The lab is 80.30EA, but the client is running 80.20. Thank you, Vladimir
Vishnu_Kumar
Vishnu_Kumar inside Endpoint Security Products a week ago
views 485 1

Database Migration in VSX environment

Hi All,

We have the following two Check Point servers:

MGMT-SERVER-1:
OS: Gaia R80.20
VSX Environment (On 2 HA appliances)
Managing 6 Virtual Systems.
Each VS-Gateway policy package having around 200 policies.

MGMT-SERVER-2:
OS: Gaia R80.10
Only two firewall in HA Mode.
2000+ Policies into single Policy package.

Now we are planning to merge the database of both these management servers using the Python tool “Python tool for exporting/importing a policy package or parts of it”.

I need your help for the following queries:
Can we run this Python tool in a VSX environment?
As the OS versions are different (R80.10 and R80.20), is it possible to export a policy package from the R80.10 management server and then import it directly to the R80.20 OS?
As we need to merge the policy package which has 2000+ policies, is there any limitation on the basis of policy package size or number of policies?
Tony_Seely
Tony_Seely inside Endpoint Security Products 2 weeks ago
views 389 1

Secure Domain Logon Altering Windows Logon

Client: 80.87 / OS: Windows 7 Enterprise

When Secure Domain Logon (SDL) is enabled it alters the Windows logon screen with an additional button to launch the VPN. This works as intended. However, if SDL is disabled on a device it was previously enabled on, the Windows logon screen remains altered. The logon screen will no longer remember the last user automatically and instead presents the logon window with a button for the last user, a button for other user, and also a button for the Smart Card if the device has that capability.

We'd like to disable the way SDL is altering the Windows logon screen when SDL is also disabled to return to our previous logon experience. I currently cannot find what registry keys are being altered by enabling SDL beyond "HKLM\SOFTWARE\Wow6432Node\CheckPoint\TRAC\IsInEncDomain" and "HKLM\SOFTWARE\Wow6432Node\CheckPoint\TRAC\SDLEnabled".

I appreciate any suggestions you can provide.
Johannes_Schoen
Johannes_Schoen inside Endpoint Security Products 2 weeks ago
views 1144 3

Sandblast Browser on top?

Dear Community,

I got a general question for the SA Webbrowser extension: I assumed that the browser extension would be installed on top of a normal SandBlast agent. But sk108695 states it's not recommended for other browsers than Chrome. Has anyone of you gathered experience/best practices with this? Is a browser download, phishing attempt etc. intercepted even if the browser extension is not installed, but the SandBlast Agent?

Looking forward to your reply.

Best Regards
Johannes
Nilesh_Sonkusa1
Nilesh_Sonkusa1 inside Endpoint Security Products 2 weeks ago
views 493 2

VSX Failover

Hi Team, Can someone suggest how to switch my VSX firewall without any downtime? I am planning a hotfix installation on the primary firewall; before this I need to make my secondary firewall active so there is no impact on my business. Someone suggest me if I use ClusterXL admin down command not use in VSX mode. I am using R80.10 version in Check Point firewall. Thanks in advance for replying to my query.
CHINMAYA_NAIK
CHINMAYA_NAIK inside Endpoint Security Products 2 weeks ago
views 982 2

Endpoint Security client cannot register to the server.The security ID of this machine was not found

Hi Team,

Endpoint Server: OPENOS: R80.20 Hotfix: Take_47
Client Package: E80.96 and E81.00
Host Machine OS: Windows 7 Pro (64 bit), Windows 10 Pro (64 bit), Windows 8 Pro (64 bit)

On Windows 8 Pro: No issue, working fine with E80.96 package.

Issue: We face the issue with Windows 10 and 7. We tried both client packages E80.96 and E81.00 and after installation it shows the error "Endpoint Security client cannot register to the server. The security ID of this machine was not found".

Could someone address what is the exact issue? We removed the third-party antivirus from Windows 10 and also 7 but are still struggling; we are unable to communicate with the Endpoint Server. Also, what are the dependencies that need care before installing SBA? Pls help to resolve this issue.

@CHINMAYA_NAIK
Pliops12
Pliops12 inside Endpoint Security Products 2 weeks ago
views 974 3

VPN Access

Hi, I'm looking for a solution for my company. Currently we have remote access to the office via VPN Client and everything is working fine. I want to allow a specific user access via VPN but to another subnet and not to the "Office Mode Network" subnet that every employee connects to by default. Or when this user connects through VPN he is allowed to access only the DMZ Network and his traffic to the office is blocked by Access Policy. Thanks!
Hawkeye_Parker
Hawkeye_Parker inside Endpoint Security Products 2 weeks ago
views 776 3

R77.30 version gateway writes logs on fwd.elg files eventhough Debug is disabled.

Hi All, Need your advice on the reason why the logs below are filling up the fwd.elg file. Usually contents should be written to the .elg file if any debug is enabled. But seeing these weird logs written up frequently.

RemoveFilesFromCLDir: Failed to open dir /opt/CPsuite-R77/fw1/log//cl_del
RemoveFilesFromCLDir: Failed to open dir /opt/CPsuite-R77/fw1/log//cl_del
RemoveFilesFromCLDir: Failed to open dir /opt/CPsuite-R77/fw1/log//cl_del
RemoveFilesFromCLDir: Failed to open dir /opt/CPsuite-R77/fw1/log//cl_del
RemoveFilesFromCLDir: Failed to open dir /opt/CPsuite-R77/fw1/log//cl_del
RemoveFilesFromCLDir: Failed to open dir /opt/CPsuite-R77/fw1/log//cl_del
RemoveFilesFromCLDir: Failed to open dir /opt/CPsuite-R77/fw1/log//cl_del
paul
paul inside Endpoint Security Products 2 weeks ago
views 1132 7

SandBlast Agent stuck "Loading"

I'm trying to install the Check Point SandBlast Agent for Browsers on Windows Server 2008 R2. I'm unable to get it to work properly.

(MSI) Installation went fine and when I open the "Manage Add-ons" dialog in IE11 I see both "CheckPoint.SandBlast" (version 990.58.12.0) and "Check Point SandBlast" (version 990.058.012.0), both enabled, both 32-bit and loaded.

When I click the "Check Point SandBlast" button (or "Tools|Check Point SandBlast"), a pop-up dialog is displayed showing "HTML"-code. When I disable ESC (Enhanced Security Configuration) the pop-up dialog is displayed correctly, only it is stuck "Loading".

Enhanced Protected Mode is not enabled (Internet Options Advanced Tab) and Internet Zone Security-Level is set to "Medium-High" (Default).

I'm trying to implement SandBlast as a POC.
Nilesh_Sonkusa1
Nilesh_Sonkusa1 inside Endpoint Security Products 2 weeks ago
views 1045 2

configure Proxy Arp on VSX cluster firewall

Hi Team, Can someone explain to me how to configure Proxy Arp for Static NAT Public IP on R80.10 VSX Cluster firewall? My cluster is in active/passive mode. I have gone through SK30197 but do not understand it.