This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Reevsie147
Contributor
‎2021-07-07 09:10 AM

Endpoint Security client on Mac OS doesn't drop encrypted traffic as per restricted firewall policy

Hi All,

Have already had a TAC case open for a while on this one but figured I would ask here in case anyone had come across anything similar.

Within the Endpoint Security server I have defined a compliance policy to put clients into restricted state if certain conditions aren't met. If non-compliant state is triggered, a restricted firewall policy is enforced which blocks access to internal networks over the VPN whilst allowing access to certain internal resources for remediation purposes (AV Updates, patch servers etc).

These firewall rules seem to work perfectly on Windows hosts and when the non-compliant state is triggered, the EPS firewall blocks connections as defined by the policy.

On Mac OS however, the locaally enforced firewall policy seems to completely ignore any encrypted (remote access) traffic and allows it all through to the internal networks. I have tried with both E84.30 and E84.70 clients but neither seem to work as intended.

Has anyone else had a similar issue and found a solution/workaround for this? I can't imagine this is intended behaviour and it's causing quite a headache as we can't really roll anything out unless it works the same for both Windows and Mac OS as we have quite a mixture of clients within the business.

Any help would be greatly appreciated, thanks.

Labels
0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2021-07-09 04:50 PM

Is the desktop firewall working in general?
Probably best to engage TAC here.

0 Kudos
Reevsie147
Contributor
‎2021-07-12 06:29 AM
In response to PhoneBoy

Hey @PhoneBoy,

Yes the desktop firewall does indeed function, in that it drops any unencrypted connections as intended. Is just seems to ignore any encrypted (Client VPN) traffic destined for the same addresses and allows them right through, which obviously isn't ideal!

I have demoed my issues on a zoom session with TAC and am awaiting a response to my ticket, it's just seems odd that I'm the only person that's experienced this issue, as at face value it seems like quite a big "hole".

I've actually done some further testing since the first post and tried both E84.30 and E84.70 Mac OS clients on both Catalina and Big Sur but the issue is the same across all combinations alas.

0 Kudos
the_rock
Legend
Legend
‎2021-07-12 11:50 AM

Cant say I had ever experienced that exact issue with Mac before...just wondering, do logs show you anything interesting at all that may point to a possible cause? What was TAC response? I assume this never worked with mac's before?

0 Kudos
Reevsie147
Contributor
‎2021-07-12 02:27 PM
In response to the_rock

Hey @the_rock. Unfortunately this is the first time I've tried enforcing a restricted policy on Mac OS so I can't speak as to whether it's always been an issue. All my preliminary testing was on Windows which behaves as I would expect.

I can't see anything obvious in the logs and haven't had a response from TAC as yet.

I'm only guessing here, but it almost seems as if the EPS firewall isn't actually filtering any traffic that passes through the VPN network adapter and only applying the filter to the physical NIC/s. As I mentioned in an earlier post, if I send traffic to a "restricted" IP with the VPN disconnected it is clearly blocked by the local firewall, but when the VPN is connected, it just passes through to that same IP.

0 Kudos
the_rock
Legend
Legend
‎2021-07-12 05:24 PM
In response to Reevsie147

I know Im not an Apple expert, but something came to my mind. I recall once when I was helping a customer with mac machine and we had an issue with vpn endpoint client and ended up calling Apple support, guy had us open console via utilities on macbook and then we were watching logs come up while replicating the issue. Not sure if thats something you could try...it might give some insight.

0 Kudos
Reevsie147
Contributor
‎2021-07-13 06:43 AM
In response to the_rock

Hey @the_rock , I haven't tried looking at the console logs as yet. I'll give it a shot. Thanks for the suggestion!

0 Kudos
the_rock
Legend
Legend
‎2021-07-13 09:45 AM
In response to Reevsie147

Sorry, I know its not the best suggestion, but something to try.

0 Kudos
Reevsie147
Contributor
‎2021-07-28 05:54 AM

Just by way of an update here for anyone else having this issue. The latest response on my TAC ticket states that the endpoint firewall on MacOS simply does not filter any encrypted traffic whatsoever.

It works as expected on Windows, but if you want to block any traffic to your Corporate resources over VPN on MacOS (in my case because the endpoint has become non-compliant) then it simply doesn't seem to be an option.

This seems really odd to me, as in my opinion, that's one of the main use cases for the endpoint compliance blade combined with the desktop firewall.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-07-28 04:53 PM
In response to Reevsie147

Can you send me the SR in a PM?
It's entirely possible MacOS doesn't provide a mechanism for us to filter encrypted traffic, but that's merely a guess.

0 Kudos
Reevsie147
Contributor
‎2021-07-29 03:50 AM
In response to PhoneBoy

Thanks @PhoneBoy , have done so. Much appreciated!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events