This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
VicOropeza420
Newcomer
9 hours ago

Why user "localhost" install policies on the FW?

Hi, Folks.

Do you know why the user "localhost" is installing policies on the firewall? Recently, i identified on the FW logs this activity, I leave a sample of the log:

"Nov 11 12:09:50 x.x.x.x 1 2024-11-11T15:09:48Z FW - [action:"Accept"; flags:"xxx"; ifdir:"outbound"; loguid:"{xxx}"; origin:"x.x.x.x"; originsicname:"xxxx"; sequencenum:"1"; time:"1731337788"; version:"x"; additional_info:"Desktop Policy : policy_name"; administrator:"localhost"; audit_status:"Success"; client_ip:"127.0.0.1"; machine:"localhost"; objectname:"xxxx"; objecttable:"applications"; objecttype:"dtps_application"; operation:"Install Policy"; operation_number:"7"; product:"SmartConsole"; subject:"Policy Installation"; uid:"{xxxxx}"]"

The policy installed is "Desktop Policy", This activity can be "normal" or as part of policy program updates?

I would greatly appreciate your support.

Regards,

Victor.

2 Replies
PhoneBoy
Admin
Admin
4 hours ago

Desktop Policy is used by Remote Access clients.
Normally, this is pushed as part of the regular Access Policy.
Not sure why "localhost" is doing this...might be worth a TAC case.

the_rock
Legend
Legend
4 hours ago

Just by pure logic, I would say thats not an actual user and here is why. So, if you think about it, ANY computer in the world can technically be "localhost" and we all know what IP is 127.0.0.1. I think @PhoneBoy even has shirt about it lol

Anyway, Im fairly positive this is simply default. system log, or, as you described it, normal in this instance. As Phoneboy had said, desktop policy is related to remote access clients.

Hope that helps.

Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events