dt7
Collaborator

Possible to use Harmony Endpoint Application Control capability without activating the Firewall one?

Dear all,

I am seeking some clarifications on how the Harmony Endpoint Application Control & Firewall capabilities can be used from experts in the community.

I would like to use Application Control in my context to manage allowed/blocked applications in production environment, but I don't really have a need to use the Firewall capability in Harmony Endpoint. The firewall part is already managed in a separate way (MS GPOs, etc.) and I do not want / need to activate the Firewall capability in Harmony Endpoint, only the Application Control part, is that possible? 

From what I understand (based on the admin guide and my experience with the product), both seem to be merged together under the same blade and it does not seem to be possible... unless I am missing something:

  • Under software deployment the capabilities are enabled together, I do not know any way to just enable Application Control for example
  • Both seem to rely on a service called "Check Point Endpoint Security Network Protection", which only appears on the endpoint when the combined blade above is enabled. 

Even if the Firewall capability must be activated, I do not see any way in the Harmony management console to disable it; you can only edit the Firewall inbound/outbound rulebase or manage objects. If you have no choice but to enable it together to use Application Control, how do you negate its effects? Disable all rules in the rulebase, and it will not do anything or interfere in any way with the Windows firewall / Defender on the machine? Or will it anyway override and take over the Windows Firewall as long as it is enabled?

In short, is there a way to bypass / disable the Firewall capability and just use Application Control only? 

I have attached a couple of screenshots as well to illustrate the point. 

Thank you for your help.


0 Kudos
15 Replies
the_rock
MVP Diamond

Hey @dt7 You asked:

In short, is there a way to bypass / disable the Firewall capability and just use Application Control only? 

I am fairly sure there is no way to bypass it. For lack of a better term, I would call them a bundle, "Network protection".

You are more than welcome to verify with TAC, but I'm 99.99% sure they will tell you the same. I will leave 0.01% that I am wrong...would not be the first OR last time lol

Best,
Andy
0 Kudos
dt7
Collaborator

@the_rock Noted.

In that case, do you know how to negate the impact of having Firewall enabled? Does it deactivate the Windows firewall by default as long as the Firewall feature is enabled, or is there a way to ignore the processing in Harmony and leave it to the OS as it was?

For example:

  • Disable all the rules under Firewall inbound / outbound?
  • Use any/any allow in both?
0 Kudos
the_rock
MVP Diamond

Yes, you can do that. Technically, it would be the same as in, say, a regular CP firewall, or any FW for that matter: you can always create rules to allow/bypass specific subnets/ports. But then it begs the question, why even have the blade enabled or use the firewall?

I get your dilemma (for lack of a better word), but it sure sounds like if you totally disabled the blade, then you would need to rely on the Windows built-in firewall to allow/block specific services on the PC.

Best,
Andy
0 Kudos
dt7
Collaborator

Yes, but this is fine; I already manage what is necessary via the built-in Windows firewall / GPOs. I basically just want to use Application Control and, ideally, do not want to enable Firewall in Harmony Endpoint.

The problem is that it seems you cannot just enable Application Control without enabling Firewall in Harmony, so how do I basically make sure it does not interfere with the built-in Windows firewall even if it is enabled, as I don't plan on using that capability (ideally) in Harmony?

0 Kudos
the_rock
MVP Diamond

I totally get what you are saying now. That's a bit of a "catch 22" situation, if you will. It does not appear those blades can be "separated", so technically the best thing to do would be to enable it, and then keep making exceptions as needed via policy.

Makes sense?

Best,
Andy
0 Kudos
dt7
Collaborator

Yes makes sense, as long as enabling the Firewall capability in Harmony does not completely override the built-in Windows firewall managed by GPOs, do you know if that's the case? 

For example, if you enable the Harmony Endpoint antimalware blade, it auto-disables Windows Defender. If the same thing happens when enabling Firewall in Harmony, then making exceptions or allowing "any" in the Harmony Firewall will actually create a security hole in the previous configuration instead.

0 Kudos
the_rock
MVP Diamond

I'm fairly certain that enabling the FW blade on Harmony Endpoint would effectively override the Windows Defender built-in firewall, and your GPO rules would also be affected.

Maybe best to open TAC case to confirm.

Best,
Andy
0 Kudos
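The question in this part of the thread (does enabling the Harmony blade take over the Windows firewall and sideline the GPO-managed rules, and does an Any/Any/Allow rulebase then leave the host open) can be answered on a test machine by snapshotting the host firewall state before and after the blade is deployed. The script below is an added example for that check; it is not from the thread or from Check Point. It assumes an elevated PowerShell session on a Windows client, uses the service display name quoted earlier in the thread ("Check Point Endpoint Security Network Protection"), and assumes the `root/SecurityCenter2` WMI namespace is present (client editions of Windows only; on Windows Server that query is skipped).

```powershell
# Added example, not part of the thread: snapshot the effective host firewall state so that
# the effect of deploying the Harmony Endpoint Firewall/Application Control blade can be
# compared before and after. Run elevated on a test machine.
function Get-HostFirewallState {
    [CmdletBinding()]
    param(
        # Service display name as mentioned in the thread; adjust if it differs on your build.
        [string]$HarmonyServiceName = 'Check Point Endpoint Security Network Protection'
    )

    # Effective Windows Firewall profile settings. ActiveStore is what is actually enforced,
    # including anything pushed by Group Policy. If the profiles flip to Enabled=False after
    # the blade is deployed, the Windows rulebase is no longer protecting the host.
    $profiles = Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

    # Profile settings that come only from Group Policy (RSOP = resultant set of GPOs).
    # Comparing this with ActiveStore shows whether the GPO-managed settings still win.
    $gpoProfiles = @()
    try {
        $gpoProfiles = Get-NetFirewallProfile -PolicyStore RSOP -ErrorAction Stop |
            Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
    } catch { }

    # Third-party firewalls registered with Windows Security Center. A registered product
    # is the usual mechanism by which an endpoint agent "takes over" from Windows Firewall.
    # Assumption: this class exists on Windows client editions only.
    $registeredFw = @()
    try {
        $registeredFw = Get-CimInstance -Namespace 'root/SecurityCenter2' `
            -ClassName FirewallProduct -ErrorAction Stop |
            Select-Object displayName, productState
    } catch { }

    # The Harmony network protection service is absent until the combined blade is deployed.
    $harmonySvc = Get-Service -DisplayName "$HarmonyServiceName*" -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Status, StartType

    [pscustomobject]@{
        Timestamp          = (Get-Date).ToString('o')
        WindowsProfiles    = $profiles
        GpoProfiles        = $gpoProfiles
        RegisteredFirewall = $registeredFw
        HarmonyService     = $harmonySvc
    }
}

# Usage: take a baseline before enabling the blade, another after policy has applied,
# then diff the two files. A disabled Windows profile or a newly registered third-party
# firewall product means the Harmony rulebase, not the GPO rulebase, is now in charge.
# Get-HostFirewallState | ConvertTo-Json -Depth 4 | Set-Content .\fw-before.json
# Get-HostFirewallState | ConvertTo-Json -Depth 4 | Set-Content .\fw-after.json
# Compare-Object (Get-Content .\fw-before.json) (Get-Content .\fw-after.json)
```

The comparison is what matters: if the "after" snapshot shows the Windows profiles disabled or a Check Point product registered in Security Center, then an Any/Any/Allow Harmony rulebase is no longer "neutral", since the GPO rules it was meant to defer to are no longer being enforced by Windows.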
TurgutKaplanogl

Hello,

Technically, you must deploy both blades simultaneously; you cannot unselect the FW or App blade from deployment rules or package export rules. You can do this while editing the FW blade policies. To bypass the firewall functionality, you can configure the Inbound and Outbound policies as Any–Any–Allow and disable logging.

Thank you

0 Kudos
lluner
Advisor

Honestly, with the Checkpoint firewall you have the possibility to create many more features than the Windows firewall, besides log management and subnet management.

Among the possibilities:

1- Better rule management
2- Log visualization
3- Subnet microsegmentation
(2)
the_rock
MVP Diamond

I was hoping you would reply...I was going to tag you, but then could not remember your username.

Thanks @lluner 

Best,
Andy
0 Kudos
dt7
Collaborator

Are you able to manage the different zones in Harmony Firewall as well? Such as domain firewall, private and public? This can be done by GPO, but I am not sure how the same thing can be achieved using Check Point firewall, if you have any inputs that would be great.

In addition, what do you mean exactly by 3- Subnet microsegmentation? Is it the fact that all traffic will go through the Check Point firewall on the client and so you can also isolate the device within its own connected subnet for example to block traffic from machines in the same subnet?

0 Kudos
lluner
Advisor

@dt7 

Are you able to manage the different zones in Harmony Firewall as well? Such as domain firewall, private and public? This can be done by GPO, but I am not sure how the same thing can be achieved using Check Point firewall, if you have any inputs that would be great.

R: You can do this on the Checkpoint firewall; it works as both inbound and outbound.

In addition, what do you mean exactly by 3- Subnet microsegmentation? Is it the fact that all traffic will go through the Check Point firewall on the client and so you can also isolate the device within its own connected subnet for example to block traffic from machines in the same subnet?

R: You can do it all.

The granularity of the firewall is up to your imagination.

0 Kudos
the_rock
MVP Diamond

Hey mate,

Please let us know if you were able to sort this out? It would be good to know if anyone else encounters the same dilemma.

Best,
Andy
0 Kudos
dt7
Collaborator

Hello, I haven't fully tested this part yet, but I will eventually in order to validate what has been discussed. If I have more helpful information on this, I will try to post it at a later date, yes, so that it can help others.

Thank you 🙂

the_rock
MVP Diamond

Excellent, thanks for letting us know!

Best,
Andy
0 Kudos
