Nano Agent with IoT Profile Automatically deployed
We have noticed that Check Point is consistently installing a nano-agent on all of our firewalls managed via Check Point Smart-1 Cloud in the last 3 weeks. These installations always include an IoT Discovery Profile, and sometimes an IoT Configuration Profile as well.
However, not all of these devices are configured with Quantum SD-WAN, and none of them have Quantum IoT services in the Infinity Portal. The deployment of these profiles has interfered with our existing SD-WAN setup running on some devices, revoking and reinstalling our custom-created profile without any prior notification, and causing impact on SD-WAN-enabled sites.
Due to the impact on our environment, we have opened a TAC case. Check Point has described this as part of their IoT marketing, but we do not have any IoT dashboard or functionality enabled. Upon reviewing other Smart-1 Cloud customers, we observe the same behavior, where a nano-agent has been silently installed. This can be verified using the 'cpnano -s' command.
We are concerned about the lack of transparency in these actions, or perhaps we missed some important communication regarding these changes?
Accepted Solutions
Hi,
I understand that there is some confusion and frustration around this issue. I hope that I can share some details that will help to make things a bit clearer.
I had a session earlier today with relevant R&D owners in the Management, SD-WAN and IoT products. The purpose was to double-check a few things and to see where we can improve going forward.
In the last few weeks, we started to gradually deploy a process aimed to simplify the onboarding of products that rely on the nano-agent architecture (cpnano). These products include SD-WAN and IoT, and in the future will include more products like AIOps and Infinity Identity.
Until recently, when onboarding to SD-WAN or IoT, there was a mandatory manual step of installing a nano-agent on the gateway and connecting it with a token to the profile. This complicates onboarding and we wanted to improve upon this experience.
Since the need for a gateway to communicate with the Infinity Portal (via nano-agents) is becoming more common, we wanted to enable it automatically for all environments that are using the Infinity Portal. This is not that different from gateways' ability to communicate with ThreatCloud. So when you connect a Management to the Infinity Portal (via the Infinity Services page) or for Smart-1 Cloud (which is implicitly connected to the Infinity Portal), we are activating the nano-agents on the gateways and providing them with a token behind the scenes.
I want to emphasize that this process was created to simplify onboarding for many products (including SD-WAN) and it was not deployed as part of an IoT marketing campaign. That statement should not have been given to you.
I do understand that unexpectedly seeing more agents in the portal can be confusing, and we will try to learn from this case on how we can do this more transparently.
In the spirit of transparency, I can share that we have been considering the option to provide some IoT visibility to all customers (even without a license), but this has not yet been deployed. It's possible that these discussions contributed to the confusion and the statement about an IoT marketing campaign.
I also want to relate to the output of the "cpnano -s" command. This command reflects which profiles or "configuration topics" the agent is monitoring and which nano-services are actually running. An agent will "monitor" or "listen" to multiple profiles because they may be relevant in the future. However, if they have not been activated, it does not impact the agent behavior and nothing from that profile is running. The rows that appear in the command output table, and in the Infinity Portal UI column reflect the profiles that it's listening on. The fact that you saw "IoT Configuration" or "IoT Discovery" in the table does not mean that something from IoT is running. Above the table, you can see the list of nano-services that are actually running and they will explicitly state "Status: Running".
I attached two images, one showing a machine that is just listening on multiple IoT profiles (as was probably the case in your environment) and another image that shows how the output looks when IoT nano-services are actually running.
One thing that we are taking from this discussion is that we need to improve and clarify the output of the command and the way we show profiles that are just "listening" versus "running".
Sorry for the long post, but I hope that it helps shed some light on the issue.
Please do share further feedback (you can do so directly as well) as we want to improve and be clear towards our customers.
I'm looping in @danielcoh and @Uri_Bialik in case there are further questions on IoT behavior.
Regards,
Tomer
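The distinction drawn above, between nano-services that report "Status: Running" and profiles that the agent merely listens on, is the one a customer would want to check across a fleet. The following is an added example, not Check Point's code and not the real `cpnano` parser: it classifies a status dump into running services and listened-to profiles and answers the practical question "is anything IoT actually running here?". The sample text is constructed for illustration and its column layout is assumed; the only facts taken from the thread are that running services are printed above the table with an explicit "Status: Running", and that table rows list the profiles being listened on. Adapt the two regular expressions to the layout your gateways actually print.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# A running nano-service is announced by an explicit "Status: Running" line (per the thread).
RUNNING_RE = re.compile(r"^\s*(?P<name>.+?)\s+Status:\s*Running\s*$")
# Assumed: the profile table starts with a header whose first column is "Profile".
TABLE_HEADER_RE = re.compile(r"^\s*Profile\b")


@dataclass
class AgentView:
    running_services: list[str] = field(default_factory=list)
    listening_profiles: list[str] = field(default_factory=list)


def parse_status(text: str) -> AgentView:
    """Split a cpnano-style status dump into running services and listened-on profiles."""
    view = AgentView()
    in_table = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not in_table:
            m = RUNNING_RE.match(line)
            if m:
                view.running_services.append(m.group("name").strip())
                continue
            if TABLE_HEADER_RE.match(line):
                in_table = True
            continue
        # Skip separator rows made only of dashes/pipes/spaces.
        if set(line.strip()) <= set("-+|= "):
            continue
        # First column (split on two or more spaces) is the profile name.
        view.listening_profiles.append(re.split(r"\s{2,}", line.strip())[0])
    return view


def iot_actually_running(view: AgentView) -> bool:
    """True only if an IoT nano-service is in the 'Status: Running' list, not just in the table."""
    return any("iot" in name.lower() for name in view.running_services)


def iot_only_listening(view: AgentView) -> bool:
    """True when IoT profiles appear in the table but no IoT service is running."""
    has_iot_profile = any("iot" in p.lower() for p in view.listening_profiles)
    return has_iot_profile and not iot_actually_running(view)


# Constructed sample: agent listening on IoT profiles with nothing from IoT running.
SAMPLE_LISTENING_ONLY = """\
Nano Agent status (constructed sample, layout assumed)
Orchestration            Status: Running
SD-WAN                   Status: Running

Profile                  State
-----------------------  ---------
Quantum Profile 1        listening
IoT Discovery            listening
IoT Configuration        listening
"""

# Constructed sample: same table, but an IoT service is now genuinely running.
SAMPLE_IOT_RUNNING = """\
Nano Agent status (constructed sample, layout assumed)
Orchestration            Status: Running
IoT Discovery Service    Status: Running

Profile                  State
-----------------------  ---------
Quantum Profile 1        listening
IoT Discovery            listening
"""

if __name__ == "__main__":
    for label, sample in (("listening-only", SAMPLE_LISTENING_ONLY), ("iot-running", SAMPLE_IOT_RUNNING)):
        v = parse_status(sample)
        print(label, "running:", v.running_services, "listening:", v.listening_profiles,
              "iot_running:", iot_actually_running(v))
```

Run it against `cpnano -s` output piped in from each gateway; a gateway where `iot_only_listening` is true matches the "just listening" case described above, while `iot_actually_running` flags the case where an IoT nano-service has really been activated.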
It appears the nano agent is used for two different things: IoT Protect and Quantum SD-WAN.
Please send me the relevant SR in a PM.
Thank you for your response. Yes, the Nano agent is indeed used for those purposes, and we have deployed it on some devices for SD-WAN months ago.
However, the real surprise came when we discovered that Check Point has now been automatically installing these Nano agents on our devices through the Smart-1 Cloud connections, without our knowledge and without any clarity on their specific use. The description indicates it's for IoT discovery, but we don't even have access to the Quantum IoT dashboard on the Infinity Portal to verify or disable this profile if we do not want this!
Everyone with Smart-1 Cloud connections had best verify this Nano agent to see if Check Point is discovering their IoT devices without the customer knowing!
I assume that IoT usage and SD-WAN usage of the nano agent is...different.
I also assume if this were a widespread issue, I would be able to find TAC cases with customers reporting the same issue; I cannot.
You can uninstall the agent with: cpnano --uninstall
If it gets reinstalled despite that, I would open a TAC case.
The issue we encountered was accidental, and I don't believe there are any general problems. My main concern is that Check Point is onboarding every firewall with a Smart-1 Cloud connection in Quantum IoT without providing access to the dashboard or data, and with no option to opt out. While I completely disagree with this approach, which feels invasive, it appears to be compliant with the Smart-1 Cloud EULA.
If Check Point were truly "onboarding every firewall with a Smart-1 Cloud connection in Quantum IoT" (or, more precisely, installing the nano agent on a gateway automatically), I would expect to find TAC cases with similar complaints to yours.
I'm not finding any cases that mention this at all.
Please open a TAC case so we can investigate: https://help.checkpoint.com
A TAC case has already been opened, and this behavior has been confirmed. We have observed this on our Smart-1 customers (only three): the nano agent is now installed with the IoT profile.
I'm not sure how the rollout is being handled globally!
I didn't find your TAC SR when I was doing searches earlier, please send to me via PM so I can review.
R&D is reviewing the situation, FYI.
Thank you for the clarification, it's much appreciated.
Also, one important takeaway from this discussion is the potential impact on customer networks!
In our case, since an original "quantum profile" already existed, the creation of a new "quantum profile 1" inadvertently caused clients to be revoked from the original profile, leading to a disruption in our environment. We still have clients that are revoked and no longer communicating, and we will attempt to resolve this manually. (screenshot attached)
I will refrain from bringing up the fact that we now have a profile named "quantum profile 1" instead of something more appropriate, like "auto onboarding profile," in this discussion.
We are facing an issue in our customer where every reboot of the box causes a reinstallation of the agent and it is duplicating the object in the Infinity Portal Agents tab.
This is obviously not desired behavior.
Please open an SR to TAC so that we can investigate and make sure to fix it.
If possible, please send me the SR # in a direct message so that we can follow up on it.
I can confirm this behavior: after a reboot, something happens with the agent; they get a new Agent ID and the old agent is in a disconnected state. Is this intended @Tomer_Noy?
This behavior is not intended, but we are currently investigating the issue and we see it as well.
It happens specifically after reboot on Spark devices that were already connected with a nano-agent before the rollout to automatically connect the devices. The team is looking for a solution with high priority.
Thank you for your response. Could you please provide feedback once the issue with the agent ID is resolved? With an agent reinstalling after reboot and staying in initializing state, we are unable to activate SD-WAN again.
I currently have an open TAC case, but unfortunately, they have been unable to provide answers to my questions.
Did you check if there is a duplicated object in the Agents tab?
In my case I needed to enable the disconnected agent view to see all the agents and delete all the duplicated agents; after removing all of them, restart the box and it will be installed correctly.