doxepin
Explorer

Endpoint VPN E82 - MacOS 10.15.4 blocks incoming connections

I have been using the Endpoint VPN client for over a year, but all of a sudden it started blocking all incoming connections, without doing any app or MacOS upgrades.

I thought it's a policy from the VPN admin, but it's not.

I removed all VPN connections and it still blocks all incoming connections.

I uninstalled the app and the traffic is coming in. If I install the app again, it blocks all incoming connections again. I have not created any VPN connections, I have not installed any certificates. It's a blank installation.

Why could it possibly block connections even though I deleted any VPN accounts and certificates?

Does it cache any possible policy that may have been enforced by the VPN admin in the past?

If so, where are these files stored? So I can delete them.

Thanks

5 Replies
Chris_Atkinson
Employee

Might need to be investigated further with help from TAC.

The current version is E82.50; have you tried upgrading?

CCSM R77/R80/ELITE
doxepin
Explorer

Hi Chris,

Yes, I also installed 82.5, but it does the exact thing. Blocks all incoming connections right after it finishes installing, without any connection being set up.

This is weird and it happens even if I kill all checkpoint services, remove its launch/start daemons and restart the computer afterwards.

And I have no idea where it installs the service or policy that blocks the connections. 

PhoneBoy
Admin

The expectation is the inbound firewall policy will be managed as part of the site you're connecting to.
The default policy of block all applies if one is not defined by the site you've connected to (or it's a fresh installation).
There is no way to disable the firewall included in Endpoint Security VPN for Mac that I am aware of.
doxepin
Explorer

Thanks for the information.

But why is this happening? Why was this "feature" implemented?

It only causes issues. I have dozens of VPN connections on dozens of computers. I run various network software on my computers and I need to have inbound traffic.

The admins of those VPNs (my clients) will not set such policies so there is no other solution for me than to use another VPN solution.

This is a crazy idea to block all inbound traffic by default.

Nobody thought that there are people that just need a simple VPN that does NOT block LAN traffic?

The previous version didn't block traffic.

This is crazy!

PhoneBoy
Admin

The Mac VPN client has never been "just" a VPN client the same way that, say, Check Point Mobile on Windows is.
It has always included a firewall and it's not something the end user can disable.
These are long-standing limitations documented here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
Note: this says Endpoint, but it also applies to the standalone VPN client as well, which requires Endpoint licensing (or at least CPEP-ACCESS or legacy SecureClient licensing).

Creating a Desktop Policy is actually pretty simple and doesn't require Endpoint management to do it.
You do have to enable Policy Server on the relevant gateways, which will allow you to add a Desktop policy to existing policy packages.
That will allow you to create a granular firewall policy for the desktop.

However, you don't even have to go that far.
You can simply make the default policy "allow all" in Global Properties and install policy to the gateway:

Screen Shot 2020-05-15 at 12.02.01 PM.png
