This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alex-
MVP Silver
MVP Silver
‎2025-05-20 04:03 AM

Air-gapped endpoints in environment using EpmaaS.

One of our customers is using Infinity Harmony Endpoint for regular endpoints like computers, servers.

They have a requirement to deploy a few computers which would be in a completely isolated network and location for accessing and managing privileged information.

The framework requires a standalone EDR solution.

I've read Deploying Harmony Endpoint in an Offline (Air-Gapped) Environment which describes a completely offline installation of EPS server along with TE appliance.

As the customer is already using the online Endpoint, the question is whether we can leverage the existing option of creating a full standalone package, including signatures, installing locally and leave it offline, knowing the limitations of blades when offline, and update the signatures manually without access to any management server.

0 Kudos
7 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-05-20 04:36 AM

Updating Signatures offline needs an On-Premise EPSS  Management Server as documented in sk182535. So you can ask CP TAC if Infinity EPS could be used, but but signature update, using a TE appliance and its update will not be possible.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
lluner
Advisor
‎2025-05-20 05:52 AM

@Alex- 

You could use the supernode, the link is below. In addition, you could implement the endpoint firewall, only allowing access to the supernode.

Super-Node

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-05-20 06:27 AM
In response to lluner

Also the supernode needs internet access, so it can not be used in a completely isolated network !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
lluner
Advisor
‎2025-05-20 06:59 AM
In response to G_W_Albrecht

tks

0 Kudos
Alex-
MVP Silver
MVP Silver
‎2025-05-20 09:14 AM
In response to lluner

@lluner @G_W_Albrecht Thanks for chiming in.

This project has stringent requirements, so partial or derived Internet access like the super node is not compliant.

We will then explore if the air-gapped architecture with HEP can be considered.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-05-21 12:46 AM
In response to lluner

Please, do not adress me in a language i do not understand.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Don_Paterson
MVP Gold
MVP Gold
‎2025-05-23 12:40 PM

You could ask you SE if Check Point will support a data diode. For example Owl. 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events