AndrejMajer
Participant

Supernode Locations

How can we ensure fallback in the case where the customer uses multiple supernodes but wants to distribute agent connections to the supernode based on location (IP address)? How does this fallback work if a group of endpoints has more than one supernode defined? Does an architecture exist for such a solution?

0 Kudos
13 Replies
PhoneBoy
Admin
Admin

I believe when you configure multiple, it's "first to respond" similar to how it works for Endpoint Management.

AndrejMajer
Participant

Okay, but let’s say I have three cities, and in each city there will be one supernode. If an endpoint has visibility of all three supernodes, that means all of them can respond to it. How can I ensure that when a laptop moves from City 1 to City 2, it will only be answered by the supernode assigned in City 2 and not by the one in City 1?

0 Kudos
the_rock
MVP Gold
MVP Gold

I think this is a good illustration.

Andy

********************

Example Architecture

  • City 1 Supernode = SN1 (10.1.0.10)

  • City 2 Supernode = SN2 (10.2.0.10)

  • City 3 Supernode = SN3 (10.3.0.10)

Agent Configuration Options:

  • DNS approach:

    • From City 1 → supernode.company.com → 10.1.0.10

    • From City 2 → supernode.company.com → 10.2.0.10

    • From City 3 → supernode.company.com → 10.3.0.10

  • Subnet mapping approach:

    • If agent’s IP = 10.2.x.x → select SN2

    • Else if IP = 10.1.x.x → select SN1

    • Else fallback → nearest reachable supernode

This ensures laptops dynamically “follow” the local supernode without manual intervention.

So to answer your question:

You ensure this behavior by using split-horizon DNS or subnet-based supernode selection rules. That way, when the laptop moves to City 2, it automatically resolves/selects SN2 as its primary, and only fails over to SN1/SN3 if SN2 is unavailable.

0 Kudos
AndrejMajer
Participant

Yes, but it is not possible for our customer to do this; we had this idea before. 😕

0 Kudos
the_rock
MVP Gold
MVP Gold

What exactly was the problem?

0 Kudos
AndrejMajer
Participant

The customer declined this solution; it doesn't matter what the problem is, honestly 🙂, if you know what I mean.

0 Kudos
the_rock
MVP Gold
MVP Gold

I do know what you mean ;-)

Let's hope they find the best solution.

Andy

0 Kudos
AndrejMajer
Participant

Let's hope so; I think we are not the first vendor to tackle this problem.

(1)
Don_Paterson
MVP Gold
MVP Gold

That's an interesting solution but it does pass responsibility to the network and DNS teams to fix what should be an option/feature in the Endpoint solution. 

That's how it seems. 

the_rock
MVP Gold
MVP Gold

Yea, agree.

0 Kudos
Don_Paterson
MVP Gold
MVP Gold

It looks like it is random, as per the documentation.

I also thought that it was first to respond but I think we've confused the Policy Server and Super Node solutions.

It's a good question because if you had all three cities' Super Nodes in all the relevant Client Settings > Rules > Super Nodes > Assigned Super Nodes then I would assume it is random, as per the documentation, which is counter to the advantage of Reduced site bandwidth usage.

That would put the responsibility on the administrator to configure Client settings rules for each site and group the machines, but then you could either exclude Super Nodes for the mobile users or need to include all Super Nodes for all users and see some clients on one site actually using the Super Node on another site, assuming your scenario of all endpoints having visibility of all three Super Nodes.

I guess the questions are:

- How does Check Point actually do it (randomly it seems, based on rules with more than one Super Node)?

- How does it work in a multi-site deployment with full connectivity across sites?

- How often does that happen?

- How many users do you have that will roam regularly between sites?

- Is there a manual configuration option for the case of just a few roaming clients? 

- Is there an access control solution that can control access to the Super Nodes, if that extra work (workaround) can be part of a possible solution?

 

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_HarmonyEndpointWebManagement_Admin...

Super-Node

What is a Super Node?

A Super Node is a Windows device running a specially configured Endpoint Security Client that also consists of server-like and proxy-like capabilities, and which listens on port 4434 and port 3128 to proxy by default. Super Node is a light-weight proxy (based on NGINX) that allows admins to reduce their bandwidth consumption and enable offline updates, where only the Super Node needs connectivity to the update servers.

Super Node Workflow

When a device is assigned as a super node and has the supported blades installed, it downloads signatures from the sources defined in the policy and stores a local copy. This local copy serves as the signature source for other Endpoint Security Clients.

When an Endpoint Security Client initiates an update, it follows this process:

  1. The Endpoint Security client checks for the latest signatures from a randomly selected super node listed in the Client Settings > General policy.

  2. If the update fails with the chosen super node, the Endpoint Security client attempts the update with another super node in the list.

  3. If the update fails with all the super nodes listed in the General Client Settings policy, the Endpoint Security client will update directly from the sources specified in the policy.

Primary Advantages:

  • Reduces site bandwidth usage.

  • Reduces server workload.

  • Reduces customer expense on server equipment, as there is no need for a local appliance.

  • Improved scale.

 

https://support.checkpoint.com/results/sk/sk171703

Non-Super Node flows

When an Endpoint Security client launches an update, it first checks the "Common Client Settings" policy for a "Super Node" list. If such a list is found, a random Super Node is selected for the update. If the update from the selected node fails, the next entry is taken from the list. Sources defined in the Anti-Malware policy are only used if all the Super Node options have failed.
Starting with E85.30, the client uses the "Super Node List" global policy, when it is available on the server, in combination with the "Common Client Settings" policy to determine whether the current computer is a Super Node or whether it should use one of the configured "Super Nodes" as a download location for supported file types.

Note: An update is considered to be successful if the local signatures are newer than the remote signatures. Make sure all Super Nodes are continuously updated. Policy and Software Deployment features in E85.30 and newer Endpoint Security clients require a connection to the Endpoint Manager to process sync requests regarding policy and software deployment changes.

(1)
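As an added example, not part of the thread and not Check Point's own code, the following Python models the two ideas discussed above: the subnet-mapping preference from the example architecture, layered on the documented "random super node, then the next in the list, then policy sources" fallback. The SN1..SN3 addresses are the constructed ones from the thread; SITE_MAP, order_super_nodes and run_update are assumptions for illustration, not product settings or APIs.

```python
import ipaddress
import random
from typing import Callable, List, Optional, Tuple

# Constructed sample data: the three-city layout from the thread.
SUPER_NODES = {"SN1": "10.1.0.10", "SN2": "10.2.0.10", "SN3": "10.3.0.10"}

# Hypothetical site map (assumed, not a product setting): agent subnet -> local super node.
SITE_MAP = {
    ipaddress.ip_network("10.1.0.0/16"): "SN1",
    ipaddress.ip_network("10.2.0.0/16"): "SN2",
    ipaddress.ip_network("10.3.0.0/16"): "SN3",
}


def order_super_nodes(agent_ip: str, rng: Optional[random.Random] = None) -> List[str]:
    """Return super node names in the order an agent should try them.

    The super node whose subnet contains the agent's IP comes first (the
    subnet-mapping idea); the remaining nodes follow in random order, which is
    the documented behaviour when a rule lists more than one super node.
    """
    rng = rng or random.Random()
    addr = ipaddress.ip_address(agent_ip)
    local = [name for net, name in SITE_MAP.items() if addr in net]
    others = [name for name in SUPER_NODES if name not in local]
    rng.shuffle(others)
    return local + others


def run_update(agent_ip: str, fetch_from_node: Callable[[str], bool],
               fetch_direct: Callable[[], bool],
               rng: Optional[random.Random] = None) -> Tuple[Optional[str], List[str]]:
    """Model the documented client flow: try each super node in turn and fall
    back to the policy-defined sources only after every super node has failed.

    Returns (source that served the update or None, list of node IPs tried).
    """
    tried: List[str] = []
    for name in order_super_nodes(agent_ip, rng):
        ip = SUPER_NODES[name]
        tried.append(ip)
        if fetch_from_node(ip):
            return name, tried
    return ("policy-sources" if fetch_direct() else None), tried


if __name__ == "__main__":
    # Laptop now in City 2: only SN2 is reachable, so it is served locally.
    print(run_update("10.2.5.7", lambda ip: ip == "10.2.0.10", lambda: True))
```

A roaming client whose address matches no SITE_MAP entry gets the purely random order the documentation describes, which is the case the reply above flags as defeating the bandwidth advantage.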
Don_Paterson
MVP Gold
MVP Gold

The term "Common Client Settings" (in sk171703 and the R82 Harmony Endpoint Server Administration Guide) should be something like:

Client Settings > General > Super Nodes

or

Client Settings > {selected rule} > Capabilities & Exclusions > General > Super Nodes > Assigned Super Nodes

I've left feedback on the sk about the old and new terms both being used. So that should get updated.

 

Check Point will not support SmartEndpoint from the end of 2025 - https://support.checkpoint.com/results/sk/sk183410

 

I hope that will be followed by an update in the documentation.

I don't like having to go back and forth between the R82 Harmony Endpoint Web Management Administration Guide and the R82 Harmony Endpoint Server Administration Guide looking for information and finding SmartConsole and Infinity Portal terms/wording.

[EDIT]

There is a third guide that I was just reminded of:

Harmony Endpoint EPMaaS Administration Guide

And then there is the client documentation buried away in each client's SK...

It's fair enough to have a list of documentation (various separate documents) but on the management side I would like to see consolidation of documents, a bit like with the Quantum Security Management Admin Guide.

Rant over. 🛑

 

https://support.checkpoint.com/results/sk/sk183380 

0 Kudos
the_rock
MVP Gold
MVP Gold

I had a TAC case for this before, and what PhoneBoy said is exactly what support advised as well: first to respond.

Best,

Andy

0 Kudos
