This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
J_B
Collaborator
‎2020-02-10 08:31 AM

Endpoint Policy Server

When pushing out new clients to devices, does the Endpoint Policy Server handle this, or will the new client be downloaded from the Primary Management Server? 

I was almost sure that the client would be downloaded from the Policy Server that the client is connected to, but it's not really clear within the documentation as it doesn't specify client upgrades?  We're gradually updating 4000+ clients and the comms links are getting hammered, almost as if all the client downloads are coming from the Primary Management Server.

The Endpoint Policy Server handles the most frequent and bandwidth-consuming communication. The Endpoint Policy Server handles these requests without forwarding them to the Endpoint Security Management Server:

  • All heartbeat and synchronization requests.
  • Policy downloads
  • Anti-Malware updates
  • All Endpoint Security client logs (the Endpoint Policy Server is configured as Log Server by default).

It would be great if you could restrict the Policy Servers to only communicate with certain subnets that you specify, a bit like what you can do with distribution points within SCCM.  There doesn't seem to be any real logic behind the proximity analysis, apart from a simple ping command.

4 Replies
PhoneBoy
Admin
Admin
‎2020-02-11 05:57 PM

It uses ping to determine proximity analysis, you are correct.
I assume you could restrict access to the Policy Server using a firewall rule if needed.
J_B
Collaborator
‎2020-02-13 02:47 AM
In response to PhoneBoy

Can we submit feature requests for future releases/fixes?  In a large environment with 100's of sites the way policy servers work really hamper the network when it comes to client upgrades.  

Policy updates, or AntiMalware upgrades are great when using a policy server.  But not when it comes to installing a new 700MB client on 5000 machines.  A client should always look to use a policy server on it's own subnet for a client upgrade, not one over the WAN link.

Thanks

PhoneBoy
Admin
Admin
‎2020-02-13 11:45 AM
In response to J_B

The naive question I have is: shouldn't the policy server in your network have lower latency than one over the WAN link?
In any case, the formal link to submit RFEs: https://rfe.checkpoint.com/rfe/rfe.htm
If it's a deal breaker, I highly recommend working with your local office.
J_B
Collaborator
‎2020-02-14 01:16 AM
In response to PhoneBoy

They're fast WAN links so the latency is negligible across most of the sites.  Until of course clients start running client upgrades across all the WAN links instead of just using the policy server on their own subnet.

Thanks for the link.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events