For the first time I've just been setting up Endpoint Compliance in the cloud portal. My question to the community is this: Is there a way to make the Restricted policy kick in immediately? TAC said no, it's just the way the blade is designed. But I think this is poor. My customer specifically wants this so that machines that are not compliant are immediately restricted and prevented from being able to log in to VPN. It seems at the moment this isn't possible as it takes several minutes of warning before the Restricted policy actually kicks in. Does anyone know a way around this?
Our Compliance Blade state changes are based on our client heartbeat, which by default is every 60 seconds. Also by default, our Out Of Compliance state of Restricted is set to 5 heartbeats. If you are using our Harmony Endpoint Cloud/EPMaaS product, these settings/configurations are not configurable via the Infinity Portal/Harmony Endpoint Web Management. You would have to configure/manage this through the Smart Endpoint Console application.
What you can try and test with is setting the Out Of Compliance/Client will restrict non compliant endpoint after: 5 heartbeats to 1 heartbeat and see if this improves it to what you are expecting.
I would not recommend changing the client heartbeat (Interval between client heartbeats) as this can cause a ton of communication from the client to the server and will cause the Harmony Endpoint Cloud/EPMaaS resources to run very high and with enough clients deployed even bring down the Harmony Endpoint Cloud/EPMaaS Server.
I think even with the Out Of Compliance set to 1 heartbeat you will still see somewhat of a delay due to the communication the client needs to have internally with its services, drivers and the Compliance Blade itself. This can take anywhere from a few seconds to a couple of minutes depending on the client machine resources and our current Harmony Endpoint client design.
And as TAC has already told you, they are correct. There is no such configuration today with our products that will give you an absolute immediate Compliant/Restrict state. You may be able to, like I explained above, get it down to seconds or a minute but that would be the best that can be done.
Hi @jcortez,
Thanks for your reply. That all makes sense 🙂
I know the blade is currently behaving "by design" but I believe the current design isn't necessarily the right design. I still believe there's room for a "feature request" here. If an endpoint is not compliant we should have the option to apply an immediate policy - at least (in my case) denying them access to the VPN until the endpoint issues are remedied. Unless you can convince me that it's actually a good idea to not immediately restrict an uncompliant machine?
Thanks,
Matt
Oh I agree. I think the behavior should change as well for immediate restricted state. It makes sense from a security aspect. However, above I was just stating current design. If this is something you and/or other customers would like to see change and behave differently, it would require a Request For Enhancement (RFE).
If we think about what makes an EP client compliant, one minute versus immediate restriction makes no difference at all, as the client already had enough time to wreak havoc in the unrestricted hours before...
True... but that doesn't mean I want the uncompliant laptop to connect to VPN and start wreaking havoc on the LAN before it gets restricted. Maybe EP needs to have two levels of non compliance? Something like Minor and Major, with different rulebases? So anything with AV older than 3 days is immediately in Major non-compliance as it boots up and is therefore prevented from connecting to VPN. Just for example...
Maybe SCV is the other option as I believe that checks every 20 seconds? But that is a nightmare to get right in my experience.