I have a few questions after reading the relevant sections in the R81.20 Harmony Endpoint Server Administration Guide and still not being sure about them.
Googling after that brought me here.
Considering what I read above in this post:
1) I am curious as to how it makes sense for the firewall blade to be user-based.
If you are protecting a workstation with inbound rules against possible inbound attacks from, say, a poisoned device on your internal network which would be in a Trusted Zone, how is the policy handled when nobody is logged in, for example?
If a firewall policy will follow a user around from a workstation, where it makes sense to have very limited inbound ports open, to a server with more (or fewer, or different sets) of them needing to be open, how do you differentiate, and close ports on the server as contrasted with the workstation?
2) How do I define firewall rules for workstations regardless of who is logged in, the way you can with GPOs that use Computer Policy for Windows Defender Firewall?
I am looking at the admin guide like the OP did, and I am not seeing guidance, or it explicitly saying, that you can use a Virtual Computer Group to apply a rule to a whole workstation or server.
Some things I have learned since moving from Symantec to CPEP:
When I saw the capability of Check Point Endpoint to reverse a ransomware attack in person, from our CE running a scenario on a laptop, I jumped ship back in 2017 from Symantec Enterprise Endpoint Protection.
I was also jazzed about the idea of running the endpoint management and our security management from a shiny new Smart-1 410 loaded with RAM, using a unified set of Check Point tools.
It was sized just fine for the task: one gateway, 26 workstations, a handful of servers, 26 humans who don't use very demanding internet-based applications (almost everything is on premises).
We also no longer had to give up a dedicated Windows Server Volume license for the Symantec management server.
However, what I found quickly is that Symantec's solution was much easier to get started with in an Active Directory domain-based network of Windows workstations and servers.
Windows 10 / Server 2019 start in a pretty locked-down Windows Firewall state by default, and Symantec incorporates that starting point.
Maintaining Symantec's firewall component was also easier, as Symantec Endpoint Firewall integrated with the PC's built-in Windows Defender Firewall, or at least with the API that accepts firewall rule changes from GPOs or application installers.
It could incorporate and allow local workstation application software installers to open specific ports needed for that application, presumably through some kind of Windows Defender Firewall API.
It also respected GPOs that I had set up, like Enable Remote Management, so an ADUC right-click on a workstation and selecting Manage will work from specified management workstations.
This, by my recollection, all spilled up to the management server as well; you could see it up there and set overrides if you wanted to, etc.
You started out more locked down than you do with CPEP, by far, and maintenance was much more flexible.
Considering my workload here in a smaller shop that runs tightly, with just me as the IT Director and basically the staff, I left my Check Point endpoint firewall policy wide open rather than risk breaking the vertical applications we use, or stuff like ShadowProtect, which needs a nonstandard port opened for you to centrally monitor backup jobs from a workstation, or all the GPOs I had to control the firewall from Administrative Templates.
All that work using MS tools in AD, where I could previously move workstations into test OUs to test new firewall / services enablement related settings, was now largely wasted work.
I have left that CPEP Firewall blade policy alone in the wide-open state, trusting that Endpoint would at least only trust my internal networks.
I am now realizing that I forgot about the endpoint firewall policy and the Access Zone Corporate Trusted Zones having ALL_Internet in them, and I now know that is not by design for production and it is a bad thing.
And I am afraid to change the Zones or policy in production until I can do it for a TEST PC regardless of who logs into it, as I don't want to tie a policy change to any of the real users in the domain who have interactive login permissions here, since all of them are logged into a workstation already.
I am rambling a bit here, but I wonder if there is a good discussion or thread somewhere that has more examples of real-world policies and Trusted Zone configurations, so I can have more of a warm fuzzy before I go locking things down.
I am revisiting this now because I am about to upgrade all our Windows 10 workstations to Windows 11, one at a time, in place.
I created a new OU called Workstations_11 and was going to review all the GPOs linked to the production Workstations_10 OU and either link them to Workstations_11 as-is or create more appropriate versions of the GPOs in the new OU.
I then remembered that I really need to go down the Check Point Endpoint Firewall blade rabbit hole again when I came upon the GPOs that used to allow remote management, Spiceworks scanning, or RDP access, and remembered that they are meaningless insofar as the Windows Firewall parts of what they do.
I never really got around to building a set of EP firewall policy rules because it is difficult to create a set of baseline rules that at least match what a Windows Defender Firewall default locked-down state is. And the specific exceptions for applications on specific sets of workstations or servers, like Sage 50, whose software installers would otherwise set up the exceptions for you, are a bit of a nightmare to manage from one central policy in a management server that still has some growing pains in its implementation for on-premises shops like mine.
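The baseline the post describes as hard to build (the Windows Defender Firewall default locked-down state plus the exceptions that GPOs and application installers have added) can at least be inventoried from a representative workstation before the endpoint firewall policy is tightened. The script below is an added example; it is not from the original post and is not Check Point code. It uses only the built-in NetSecurity cmdlets that ship with Windows 10/11 and Server 2019, assumes an elevated PowerShell session, and the output path and function names are assumptions for illustration.

```powershell
# Added example (not from the original post or from Check Point):
# inventory the inbound allow rules Windows Defender Firewall is actually
# enforcing on a workstation, so they can be re-created as explicit rules in a
# central endpoint firewall policy instead of being left to installers and GPOs.
# Assumes an elevated PowerShell session on Windows 10/11 or Server 2019 with the
# built-in NetSecurity module. The output path below is an assumption.

$OutFile = 'C:\Temp\wdf-inbound-baseline.csv'

function Get-FirewallProfileState {
    # The "locked down" default the post refers to is DefaultInboundAction = Block
    # on all three profiles; anything else is worth knowing before migrating.
    Get-NetFirewallProfile | ForEach-Object {
        $note = ''
        if ($_.DefaultInboundAction -ne 'Block') { $note = 'inbound is not default-deny' }
        [pscustomobject]@{
            Profile         = $_.Name
            Enabled         = $_.Enabled
            DefaultInbound  = $_.DefaultInboundAction
            DefaultOutbound = $_.DefaultOutboundAction
            Note            = $note
        }
    }
}

function Get-InboundAllowBaseline {
    # ActiveStore is the merged result of local rules plus GPO-delivered rules,
    # i.e. what this host is enforcing right now.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True
    foreach ($r in $rules) {
        $port = $r | Get-NetFirewallPortFilter
        $addr = $r | Get-NetFirewallAddressFilter
        $app  = $r | Get-NetFirewallApplicationFilter
        $svc  = $r | Get-NetFirewallServiceFilter
        $localPorts = @($port.LocalPort) -join ','
        $remote     = @($addr.RemoteAddress) -join ','
        # A rule open to any remote host on any port, with no program or service
        # restriction, is one a central policy must not blindly copy.
        $broad = ($remote -eq 'Any' -and $localPorts -eq 'Any' -and
                  $app.Program -eq 'Any' -and $svc.Service -eq 'Any')
        [pscustomobject]@{
            DisplayName = $r.DisplayName
            Group       = $r.DisplayGroup
            Profile     = $r.Profile
            Source      = $r.PolicyStoreSourceType   # Local (installer/manual) vs GroupPolicy
            Protocol    = $port.Protocol
            LocalPort   = $localPorts
            RemoteAddr  = $remote
            Program     = $app.Program
            Service     = $svc.Service
            Broad       = $broad
        }
    }
}

Get-FirewallProfileState | Format-Table -AutoSize

$baseline = Get-InboundAllowBaseline | Sort-Object Source, Group, DisplayName
$baseline | Export-Csv -NoTypeInformation -Path $OutFile

# The GPO-delivered rules (remote management, RDP, scanning agents) are the
# list to rebuild as computer-scoped rules in the endpoint firewall policy.
$baseline | Where-Object Source -eq 'GroupPolicy' |
    Format-Table DisplayName, Profile, Protocol, LocalPort, RemoteAddr, Program -AutoSize

# Broad rules to review by hand before tightening anything.
$baseline | Where-Object Broad | Format-Table DisplayName, Source, Profile -AutoSize
```

Run it on one machine from each OU (a workstation and a server) with nobody logged in other than the admin; the `Source` column separates what Group Policy pushed from what installers such as Sage 50 or ShadowProtect added locally, and the `RemoteAddr` column shows which rules were already scoped to the internal subnets and which were open to any source, which is the same distinction a Trusted Zone definition has to make.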