Ionut138740
Explorer

firewall policy is not configured

Hello

I've got a problem with the program on a new laptop. On my old laptop everything was fine.
I've installed Check Point Endpoint but it is not working. I've respected all instructions but I still receive an error "No security policy is configured" and on the Firewall option "Firewall policy is not configured".
When I want to connect to Check Point Endpoint Security on the VPN side it says connected, but the Firewall remains yellow with the error "Firewall policy is not configured". Then the internet is switched off automatically and the VPN tries to reconnect.
I have disabled the firewall and the antivirus; the certificate is OK (it is working on my old laptop).

I want to mention that it is the same internet network.

OS is Windows 11

What am I doing wrong? 

6 Replies
PhoneBoy
Admin

That policy is configured on the firewall side (either as part of Endpoint or Desktop Policy).
Or you can reinstall as "Check Point Mobile" which does not include Desktop Firewall.

WiliRGasparetto
MVP Diamond

I also think that the solution lies in this direction.

the_rock
MVP Diamond

Sounds right.

Best,
Andy
"Have a great day and if its not, change it"
the_rock
MVP Diamond

One way to fix that is to remove the desktop policy option in the gateway properties, or, if it has to be there, make sure it's enabled in the policy layer editor and then configured in the legacy SmartConsole.

Best,
Andy
"Have a great day and if its not, change it"
WiliRGasparetto
MVP Diamond

What you’re seeing (“No security policy is configured” / “Firewall policy is not configured”) almost always means the client is not receiving a Desktop/Endpoint policy from your Check Point environment. In other words: the VPN tunnel may come up briefly, but the Endpoint Firewall blade has no policy to enforce, and your environment may be configured to block/limit traffic when endpoint policy/compliance is missing, which explains why the Internet drops and the client keeps reconnecting. (support.checkpoint.com)

Below is the most practical Check Point–aligned way to fix it, with the two common deployment models.

 

1) First: confirm you’re using the right client “mode”

If you only need Remote Access VPN (no endpoint firewall/compliance), install the VPN-only client. If you installed the full “Endpoint Security” package (Firewall/Compliance), it expects policy.

If your organization does want Endpoint Firewall/Compliance, keep reading and fix policy delivery.


2) Most common root cause: Desktop Security Policy is not installed/available for this user/gateway

For Check Point Remote Access clients, the Desktop Security Policy must be configured and installed on the Remote Access gateway to support policy-driven desktop controls (including firewall behavior). (support.checkpoint.com)

Fix path (Security Management / SmartConsole)

  1. In SmartConsole → Security Policies, ensure you have a Desktop Security Policy (Policy Type = Desktop Security).

  2. Configure at least a basic Desktop Firewall policy (even permissive) so the client receives something.

  3. Install the Desktop policy to the relevant Remote Access gateway(s).

Check Point’s admin guide describes the workflow to create/configure a Desktop Security policy in SmartConsole and then open/configure the Desktop policy (including firewall). (Checkpoint)

If Desktop policy isn’t installed (or the gateway isn’t acting as Policy Server for desktops), the client can connect but still display “No security policy is configured”. (support.checkpoint.com)


3) Alternative root cause: endpoint is not managed / not assigned to a policy (Harmony Endpoint / EPM)

If your org uses Harmony Endpoint (EPM) for policy, the new laptop may not be:

  • registered/enrolled correctly, or

  • placed in the right group, or

  • allowed to fetch policy (certificate/trust chain/identity mismatch).

Symptom-wise, the result is identical: VPN connects, but endpoint firewall stays yellow because no policy arrived. (Your old laptop likely still has a valid enrollment + cached policy.)

Practical checks (admin side):

  • Confirm the device appears in the endpoint management console and is in the correct policy group.

  • Force policy update / verify last policy timestamp (varies by console).

4) Why Internet drops right after “Connected”

This pattern usually happens when:

  • the environment enforces desktop policy / compliance and blocks traffic if the endpoint is “unmanaged / no policy”, or

  • a “disconnect if policy missing” posture is enabled, which triggers reconnection loops.

This is consistent with Check Point guidance that Desktop Security policy must exist/installed for proper operation of desktop controls. (support.checkpoint.com)

 

5) What to do next (fast, actionable)

If you manage RA VPN from SmartConsole (most common):

  • Implement a minimal Desktop Security policy and install it to the Remote Access gateway. (Checkpoint)

  • Test again on the new laptop.

If you manage via Harmony Endpoint (EPM):

  • Re-enroll/register the new laptop properly so it can download policy.

  • Confirm it receives policy before expecting the firewall blade to go green.

If you don’t need endpoint firewall at all:

  • Deploy the VPN-only client instead of the full Endpoint package (this avoids the “Firewall policy not configured” dependency).

the_rock
MVP Diamond

FWIW, here is what MS copilot AI gave:

*****************************************

You’re not doing anything wrong as a user — this error almost always means the Endpoint client is not receiving a security policy from the Check Point Management Server, and on a new Windows 11 laptop there are a few very common causes.

I’ll break this down clearly and practically.


What the error actually means

“No security policy is configured / Firewall policy is not configured”

This does NOT mean:

  • Your local Windows Firewall is wrong
  • Your antivirus is blocking it
  • Your certificate is invalid

It DOES mean:

  • The Endpoint client installed correctly
  • The VPN tunnel initially comes up
  • But the Management Server never pushes a policy to this device

When no policy arrives:

  • Firewall stays yellow
  • Internet traffic is blocked by Endpoint
  • VPN repeatedly disconnects/reconnects

This behavior is by design.


Why it works on the old laptop but not the new one

On Check Point Endpoint, policies are device-specific. A new laptop is seen as a new endpoint by the management server.

Typical reasons policy is not delivered on the new laptop:

  1. The device is not assigned to a policy
  2. Endpoint version mismatch with the gateway
  3. Identity / certificate registration did not complete
  4. Firewall blade is enforced but policy isn’t allowed for this user/device
  5. Windows 11 network driver / filter driver issue
  6. Office Mode / Compliance rules block traffic before policy download

Most common root cause (90% of cases)

The new laptop is not assigned to a policy in SmartConsole

Your VPN connection can be “Connected” but:

  • Endpoint Firewall policy is empty
  • Firewall blade enforces default deny
  • Internet is cut immediately

Your old laptop already had:

  • A device object
  • A user assignment
  • A firewall policy attached

Your new laptop does not

This must be fixed server‑side by your IT / firewall admin.


What to ask your IT / Security team (exact wording)

Send them this (copy/paste):

The new Windows 11 laptop connects to Check Point Endpoint VPN, but Endpoint Firewall shows “Firewall policy is not configured”.

Please check:

  • Endpoint device object is created for this machine
  • The user/device is assigned to an Endpoint Security Policy
  • Firewall blade policy is included
  • Endpoint version compatibility with the gateway
  • Compliance / Office Mode settings

This will immediately point them to the right place.


Things YOU can verify locally (before escalating)

1️⃣ Check Endpoint version vs gateway

On the laptop:

  • Open Check Point Endpoint Security
  • Go to About
  • Note the Endpoint version

If your company gateway is older:

  • Newer Endpoint clients will connect but never receive policy

Solution: install the exact version your IT provides (not the latest from the Check Point website unless approved).


2️⃣ Re‑register the client (very important)

Sometimes the registration partially fails on Windows 11.

  1. Disconnect VPN
  2. Exit Endpoint completely
  3. Open Command Prompt as Administrator
  4. Run:

     trac reset

(or uninstall/reinstall if trac isn't available)

Then:

  • Reboot
  • Reconnect VPN
  • Watch if policy downloads

3️⃣ Check if Firewall blade is required at all

Some companies:

  • Do not use Endpoint Firewall
  • But still deploy the Firewall blade accidentally

If Firewall blade is enabled without a policy, traffic is blocked.

Ask IT to either:

  • Assign a firewall policy or
  • Disable the Endpoint Firewall blade for your user group

4️⃣ Windows 11 network adapter issue (less common)

On some Windows 11 builds:

  • Endpoint NDIS filter driver doesn’t bind correctly

Check:

  • Device Manager → Network adapters
  • Look for Check Point / Endpoint filter
  • If missing → reinstall Endpoint as Administrator

Why disabling Windows Firewall / antivirus didn’t help

Because:

  • Check Point Endpoint Firewall is separate
  • It enforces rules before Windows Firewall
  • When no policy exists → everything is blocked

So disabling local firewalls has no effect.


Summary (plain English)

VPN connects. Endpoint does not receive a policy. Firewall stays yellow. Internet is blocked. ➡️ This is a management-side configuration issue, not your laptop.


If you want, tell me:

  • Endpoint version
  • VPN gateway type (Remote Access / Mobile Access)
  • Whether this is corporate or personal laptop

I can help you pinpoint exactly what your IT team needs to change.

 

Best,
Andy
"Have a great day and if its not, change it"
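For the "things you can verify locally" steps above (client version, filter driver binding), here is a triage script that collects those facts in one pass so they can be pasted into the ticket for IT. It is an added example, not part of the thread and not a Check Point tool; the '*Check Point*' display-name pattern and the services check are assumptions about how the client registers itself on Windows.

```powershell
# Added example (not from the thread): local triage for the "Firewall policy is not configured"
# symptom. Collects the client version, Check Point services and NDIS filter bindings that the
# replies above say to check. Run from an elevated PowerShell prompt on the affected laptop.
# Assumption: the client's components carry "Check Point" in their display names.
$pattern = '*Check Point*'

# 1) Installed client version, read from the Programs and Features uninstall registry keys
#    (compare DisplayVersion with the exact version IT provides, as the reply advises)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $pattern } |
    Select-Object DisplayName, DisplayVersion, Publisher
"== Installed Check Point products =="
$products | Format-Table -AutoSize

# 2) Client services: a stopped service means the client cannot fetch or enforce a policy
"== Check Point services =="
Get-Service | Where-Object { $_.DisplayName -like $pattern } |
    Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize

# 3) NDIS filter driver bindings (the "Device Manager -> Network adapters" check above).
#    -AllBindings is needed because filter drivers are hidden by default.
"== Check Point filter bindings per adapter =="
$bindings = Get-NetAdapterBinding -AllBindings | Where-Object { $_.DisplayName -like $pattern }
$bindings | Select-Object Name, DisplayName, ComponentID, Enabled | Format-Table -AutoSize

# 4) Short verdicts for the ticket
if (-not $products) { "No Check Point client found in the uninstall registry: reinstall as Administrator." }
if (-not $bindings) { "No Check Point filter driver bound to any adapter: reinstall as Administrator." }
$disabled = $bindings | Where-Object { -not $_.Enabled }
if ($disabled) {
    "Filter driver present but disabled on: " + (($disabled.Name | Sort-Object -Unique) -join ', ')
}
```

If the products, services and bindings all look healthy, the remaining causes are the management-side ones from the replies (no Desktop Security policy installed, device not assigned to a policy), which only the admin can fix.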
