Eric_Winn
Explorer

E84.30 macOS Big Sur (11.1) Enforce Firewall Policy failed

Based on the Big Sur EA E84.30 release here I downloaded and installed it over my E82.50 macOS Catalina (10.15) and it worked fine.

I then upgraded to Big Sur (11.1) where I can connect and authenticate OK but then the connection fails with "Enforce Firewall Policy failed".

I checked the trac.log and it shows the KEXT is found, loaded OK but then fails trying to start the firewall. Is this supposed to work with EA E84.30 on Big Sur? I didn't see anything in the release notes that indicated this was an issue.

[ 124 0x10320be00][5 Jan 11:42:57][TR_FIREWALL] CFirewallWrapper::EnforcePolicy: firewall not initialized, calling init
[ 124 0x10320be00][5 Jan 11:42:57][TR_FIREWALL] CFirewallWrapper::Init: entering...
[ 124 0x10320be00][5 Jan 11:42:57][TR_FIREWALL] CFirewallWrapper::Init: MACOS init firewall, g_kextPath=/Library/Extensions/cpfw.kext
[ 124 0x10320be00][5 Jan 11:42:59][TR_FIREWALL] CFirewallWrapper::Init: CpfwLoadKext returned cpfwlib_success
[ 124 0x10320be00][5 Jan 11:42:59][TR_FIREWALL] CFirewallWrapper::Init: CpfwConnectKext returned cpfwlib_success
[ 124 0x10320be00][5 Jan 11:43:09][TR_FIREWALL] CFirewallWrapper::Init: CpfwStartFirewall returned cpfwlib_kernctl_fail
[ 124 0x10320be00][5 Jan 11:43:09][TR_FIREWALL] CFirewallWrapper::Init: CpfwStartFirewall Failed with error cpfwlib_kernctl_fail
[ 124 0x10320be00][5 Jan 11:43:09][TR_FIREWALL] CFirewallWrapper::EnforcePolicy: ERROR - initializing firewall
[ 124 0x10320be00][5 Jan 11:43:09][TR_FLOW_STEP] TR_FLOW_STEP::TrFirewallStep::EnforceFirewallPolicyOnConnect: EnforcePolicy failed !!

-Eric

0 Kudos
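
A small triage script for the trac.log excerpt in the post above, added here as an example (it is not part of the original post and not Check Point tooling): it pulls out the Cpfw* return codes and reports the first call that did not return cpfwlib_success, with the seconds elapsed since the previous step. The line layout and the treatment of cpfwlib_success as the only success code are assumptions inferred from the excerpt.

```python
import re
from datetime import datetime

# Lines copied from the trac.log excerpt in the post above.
SAMPLE = """\
[ 124 0x10320be00][5 Jan 11:42:57][TR_FIREWALL] CFirewallWrapper::Init: entering...
[ 124 0x10320be00][5 Jan 11:42:59][TR_FIREWALL] CFirewallWrapper::Init: CpfwLoadKext returned cpfwlib_success
[ 124 0x10320be00][5 Jan 11:42:59][TR_FIREWALL] CFirewallWrapper::Init: CpfwConnectKext returned cpfwlib_success
[ 124 0x10320be00][5 Jan 11:43:09][TR_FIREWALL] CFirewallWrapper::Init: CpfwStartFirewall returned cpfwlib_kernctl_fail
[ 124 0x10320be00][5 Jan 11:43:09][TR_FIREWALL] CFirewallWrapper::EnforcePolicy: ERROR - initializing firewall
"""

# Assumed layout: [ pid tid][day Mon HH:MM:SS][TOPIC] message
LINE = re.compile(
    r"^\[\s*(?P<pid>\d+)\s+(?P<tid>0x[0-9a-fA-F]+)\]"
    r"\[(?P<ts>\d{1,2} \w{3} \d{2}:\d{2}:\d{2})\]"
    r"\[(?P<topic>[A-Z_]+)\]\s*(?P<msg>.*)$")
RESULT = re.compile(r"(?P<call>Cpfw\w+) returned (?P<code>cpfwlib_\w+)")


def firewall_steps(text):
    """Return [(timestamp, call, code)] for each Cpfw* result in TR_FIREWALL lines."""
    steps = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["topic"] != "TR_FIREWALL":
            continue
        r = RESULT.search(m["msg"])
        if r:
            # The log timestamp has no year; a fixed one is added because
            # only the difference between two timestamps is used.
            ts = datetime.strptime(m["ts"] + " 2000", "%d %b %H:%M:%S %Y")
            steps.append((ts, r["call"], r["code"]))
    return steps


def first_failure(text):
    """Return (call, code, seconds_since_previous_step), or None if all succeeded."""
    prev = None
    for ts, call, code in firewall_steps(text):
        if code != "cpfwlib_success":  # assumption: the only success code
            waited = int((ts - prev).total_seconds()) if prev else 0
            return call, code, waited
        prev = ts
    return None


if __name__ == "__main__":
    print(first_failure(SAMPLE))
```

On the excerpt this shows the kext loading and connecting, then CpfwStartFirewall failing after a 10 second wait, which matches the stale-KEXT diagnosis given later in the thread.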
3 Replies
saulgudman
Employee

Hi Eric,

Apple changed quite a bit with applications using kext files. After installation of the new client you should see in System Preferences>Network>a new adapter called com.checkpoint.fw.app. This will allow the firewall policy to be enforced under 11.1.

Also ensure that the relevant processes have been given full access under System Preferences>Security and Privacy>Privacy>Full Disk Access.

The Launch Daemon that runs should be present under /Macintosh HD/Library/LaunchDaemons/com.checkpoint.cpfwd.plist

0 Kudos
Eric_Winn
Explorer

SOLVED.

I had also sent an email to EP4Mac_Feedback@checkpoint.com and received a reply from Pavel Voleyko who said this was a known issue when doing an upgrade from Catalina to Big Sur with the EA release, supposed to be fixed in GA. Apparently my system retained just the kernel extension (KEXT) firewall from the old version and failed to install the system extension firewall configuration Big Sur was expecting.

Per Pavel's advice I ran this to unload the kernel extension (if it exists):

sudo kextunload -b com.checkpoint.cpfw

Then run this to allow a re-install:

sudo pkgutil --forget com.checkpoint.pkg.epc

I got it working by doing a reinstall. The first attempt or two didn't seem to work... On my last re-install I also disabled my Sophos Home and after that I was prompted with the security alerts to allow the system extension firewall filtering.

I did not try to uninstall. Just a re-install to preserve my existing site settings.

-Eric

0 Kudos
Pavel_Voleyko
Employee

The issue was valid for the EA version of the E84.30 Standalone VPN client for macOS. It was fixed in the GA version of E84.30 from sk170513.

0 Kudos