Eric_Winn
Explorer

E84.30 macOS Big Sur (11.1) Enforce Firewall Policy failed

Based on the Big Sur EA E84.30 release here, I downloaded and installed it over my E82.50 macOS Catalina (10.15) and it worked fine.

I then upgraded to Big Sur (11.1) where I can connect and authenticate OK but then the connection fails with "Enforce Firewall Policy failed".

I checked the trac.log and it shows the KEXT is found, loaded OK but then fails trying to start the firewall. Is this supposed to work with EA E84.30 on Big Sur? I didn't see anything in the release notes that indicated this was an issue.


[ 124 0x10320be00][5 Jan 11:42:57][TR_FIREWALL] CFirewallWrapper::EnforcePolicy: firewall not initialized, calling init
[ 124 0x10320be00][5 Jan 11:42:57][TR_FIREWALL] CFirewallWrapper::Init: entering...
[ 124 0x10320be00][5 Jan 11:42:57][TR_FIREWALL] CFirewallWrapper::Init: MACOS init firewall, g_kextPath=/Library/Extensions/cpfw.kext
[ 124 0x10320be00][5 Jan 11:42:59][TR_FIREWALL] CFirewallWrapper::Init: CpfwLoadKext returned cpfwlib_success
[ 124 0x10320be00][5 Jan 11:42:59][TR_FIREWALL] CFirewallWrapper::Init: CpfwConnectKext returned cpfwlib_success
[ 124 0x10320be00][5 Jan 11:43:09][TR_FIREWALL] CFirewallWrapper::Init: CpfwStartFirewall returned cpfwlib_kernctl_fail
[ 124 0x10320be00][5 Jan 11:43:09][TR_FIREWALL] CFirewallWrapper::Init: CpfwStartFirewall Failed with error cpfwlib_kernctl_fail
[ 124 0x10320be00][5 Jan 11:43:09][TR_FIREWALL] CFirewallWrapper::EnforcePolicy: ERROR - initializing firewall
[ 124 0x10320be00][5 Jan 11:43:09][TR_FLOW_STEP] TR_FLOW_STEP::TrFirewallStep::EnforceFirewallPolicyOnConnect: EnforcePolicy failed !!


-Eric

0 Kudos
4 Replies
saulgudman
Employee

Hi Eric,

Apple changed quite a bit with applications using kext files. After installation of the new client you should see in System Preferences > Network a new adapter called com.checkpoint.fw.app. This will allow the firewall policy to be enforced under 11.1.

Also ensure that the relevant processes have been given full access under System Preferences > Security and Privacy > Privacy > Full Disk Access.

The Launch Daemon that runs should be present under /Macintosh HD/Library/LaunchDaemons/com.checkpoint.cpfwd.plist

0 Kudos
Eric_Winn
Explorer

SOLVED.

I had also sent an email to EP4Mac_Feedback@checkpoint.com and received a reply from Pavel Voleyko who said this was a known issue when doing an upgrade from Catalina to Big Sur with the EA release, supposed to be fixed in GA. Apparently my system retained just the kernel extension (KEXT) firewall from the old version and failed to install the system extension firewall configuration Big Sur was expecting.

Per Pavel's advice I ran this to unload the kernel extension (if it exists):

sudo kextunload -b com.checkpoint.cpfw

Then run this to allow a re-install:

sudo pkgutil --forget com.checkpoint.pkg.epc

I got it working by doing a reinstall. The first attempt or two didn't seem to work... My last re-install I also disabled my Sophos Home and after that I was prompted with the security alerts to allow the system extension firewall filtering.


I did not try to uninstall. Just a re-install to preserve my existing site settings.

-Eric


0 Kudos
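As an added example (not posted by anyone in this thread), the script below does two things a reader hitting this error would want before reinstalling: it pulls the failing CFirewallWrapper::Init step and its result code out of a trac.log excerpt like the one quoted in the opening post, and it reports the state that saulgudman's reply and Eric's fix check (whether the old com.checkpoint.cpfw kext is still loaded, whether the com.checkpoint.pkg.epc receipt is present, whether a Check Point system extension is registered, and whether the com.checkpoint.cpfwd.plist launch daemon exists). The log lines embedded in it are constructed to mirror the excerpt above; the macOS state checks are skipped on hosts where kextstat, pkgutil or systemextensionsctl are absent.

```shell
#!/bin/sh
# Added example, not from the thread: triage the firewall-init failure shown in trac.log
# and report the state the replies ask about. The sample log lines below are constructed
# to mirror the excerpt quoted in the opening post.

SAMPLE_LOG='[ 124 0x10320be00][5 Jan 11:42:57][TR_FIREWALL] CFirewallWrapper::Init: entering...
[ 124 0x10320be00][5 Jan 11:42:59][TR_FIREWALL] CFirewallWrapper::Init: CpfwLoadKext returned cpfwlib_success
[ 124 0x10320be00][5 Jan 11:42:59][TR_FIREWALL] CFirewallWrapper::Init: CpfwConnectKext returned cpfwlib_success
[ 124 0x10320be00][5 Jan 11:43:09][TR_FIREWALL] CFirewallWrapper::Init: CpfwStartFirewall returned cpfwlib_kernctl_fail
[ 124 0x10320be00][5 Jan 11:43:09][TR_FLOW_STEP] TR_FLOW_STEP::TrFirewallStep::EnforceFirewallPolicyOnConnect: EnforcePolicy failed !!'

# Constructed healthy counterpart: every init step succeeds.
SAMPLE_LOG_OK='[ 124 0x10320be00][5 Jan 11:42:59][TR_FIREWALL] CFirewallWrapper::Init: CpfwLoadKext returned cpfwlib_success
[ 124 0x10320be00][5 Jan 11:42:59][TR_FIREWALL] CFirewallWrapper::Init: CpfwConnectKext returned cpfwlib_success
[ 124 0x10320be00][5 Jan 11:42:59][TR_FIREWALL] CFirewallWrapper::Init: CpfwStartFirewall returned cpfwlib_success'

# Print "<step> <result>" for every CFirewallWrapper::Init step found in the log text $1.
fw_init_steps() {
  printf '%s\n' "$1" |
    sed -n 's/.*CFirewallWrapper::Init: \(Cpfw[A-Za-z]*\) returned \([a-z_]*\).*/\1 \2/p'
}

# Print the first init step whose result is not cpfwlib_success (prints nothing if all passed).
fw_failed_step() {
  fw_init_steps "$1" | awk '$2 != "cpfwlib_success" { print $1; exit }'
}

# Print the result code of that failing step, e.g. cpfwlib_kernctl_fail (nothing if all passed).
fw_failure_code() {
  fw_init_steps "$1" | awk '$2 != "cpfwlib_success" { print $2; exit }'
}

# Succeed only when no step failed AND CpfwStartFirewall actually reported success,
# so a log that stops after CpfwConnectKext is not mistaken for a healthy one.
fw_init_ok() {
  [ -z "$(fw_failed_step "$1")" ] &&
    fw_init_steps "$1" | grep -q '^CpfwStartFirewall cpfwlib_success$'
}

# Report the remediation state the replies check. Each check is skipped when the
# tool does not exist, so the script is harmless on a non-macOS host.
fw_state_report() {
  if command -v kextstat >/dev/null 2>&1; then
    if kextstat 2>/dev/null | grep -q 'com.checkpoint.cpfw'; then
      echo "kext: com.checkpoint.cpfw is loaded (thread fix: sudo kextunload -b com.checkpoint.cpfw)"
    else
      echo "kext: com.checkpoint.cpfw not loaded"
    fi
  fi
  if command -v pkgutil >/dev/null 2>&1; then
    if pkgutil --pkg-info com.checkpoint.pkg.epc >/dev/null 2>&1; then
      echo "receipt: com.checkpoint.pkg.epc present (thread fix: sudo pkgutil --forget com.checkpoint.pkg.epc)"
    else
      echo "receipt: com.checkpoint.pkg.epc absent"
    fi
  fi
  if command -v systemextensionsctl >/dev/null 2>&1; then
    if systemextensionsctl list 2>/dev/null | grep -q 'com.checkpoint'; then
      echo "sysext: a com.checkpoint system extension is registered"
    else
      echo "sysext: no com.checkpoint system extension registered"
    fi
  fi
  if [ -f /Library/LaunchDaemons/com.checkpoint.cpfwd.plist ]; then
    echo "daemon: com.checkpoint.cpfwd.plist present"
  else
    echo "daemon: com.checkpoint.cpfwd.plist missing"
  fi
}

# Usage: sh fw_triage.sh /path/to/trac.log   (with no argument the constructed sample is used)
if [ -n "$1" ] && [ -f "$1" ]; then
  LOG=$(cat "$1")
else
  LOG=$SAMPLE_LOG
fi
step=$(fw_failed_step "$LOG")
if [ -n "$step" ]; then
  echo "firewall init failed at $step ($(fw_failure_code "$LOG"))"
  fw_state_report
else
  echo "firewall init completed"
fi
```

Run it against a real trac.log to confirm you are looking at the same failure (CpfwStartFirewall returning cpfwlib_kernctl_fail after the kext loaded and connected) before following the unload/forget/reinstall steps; a loaded legacy kext together with a present package receipt and no registered system extension is the combination Eric describes.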
Pavel_Voleyko
Employee

The issue was valid for the EA version of the E84.30 Standalone VPN client for macOS. It was fixed in the GA version of E84.30 from sk170513.

0 Kudos
Heath_H
Contributor

Note that it seems to be back in the latest EA for E85.30, but with a twist. I was already running Big Sur, but had installed the custom version of E84.30 that added support for SAML authentication. I had disabled the firewall extension because we don't use it (deleted it from System Prefs -> Network Settings entirely because it kept getting into this state where the VPN was connected but no traffic was being allowed). Anyway, I upgraded to E85.30 EA because I needed the fix in E84.70 for the IP address renewal bug but I also needed the SAML support, so this is the only option available.

After what looked like a clean upgrade, any attempt to connect would result in the tunnel being dropped for the error about enforcing firewall policy. This is strange because we don't have the full license for Endpoint Security VPN, but there is no option for Check Point Mobile on macOS and we have always used the full Endpoint Security VPN client with no issues.

These instructions worked for me; I was able to reinstall and this time I allowed the firewall filter. All seems to be working well.

Just adding this note here in case others find this posting when searching about this issue with the latest EA (E85.30).

0 Kudos