This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
K_R_V
Collaborator
‎2024-10-09 02:48 AM
Jump to solution

Nano Agent with IoT Profile Automatically deployed


We have noticed that Check Point is consistently installing a nano-agent on all of our firewalls managed via Check Point Smart-1 Cloud in the last 3 weeks. These installations always include an IoT Discovery Profile, and sometimes an IoT Configuration Profile as well.

However, not all of these devices are configured with Quantum SD-WAN and no device with Quantum IoT services in the Infinity Portal. The deployment of these profiles has interfered with our existing SD-WAN setup running on some devices, revoking and reinstalling our custom-created profile without any prior notification, and causing impact on SDwan enabled sites.

Due to the impact on our environment, we have opened a TAC case. Check Point has described this as part of their IoT marketing, but we do not have any IoT dashboard or functionality enabled. Upon reviewing other Smart-1 Cloud customers, we observe the same behavior, where a nano-agent has been silently installed. This can be verified using the 'cpnano -s' command.

We are concerned about the lack of transparency in these actions—or perhaps we missed some important communication regarding these changes ?

0 Kudos
1 Solution

Accepted Solutions
Tomer_Noy
Employee
Employee
‎2024-10-10 03:22 PM
Jump to solution

Hi,

I understand that there is some confusion and frustration around this issue. I hope that I can share some details that will help to make things a bit clearer.

I had a session earlier today with relevant R&D owners in the Management, SD-WAN and IoT products. The purpose was to double-check a few things and to see where we can improve going forward.

In the last few weeks, we started to gradually deploy a process aimed to simplify the onboarding of products that rely on the nano-agent architecture (cpnano). These products include SD-WAN and IoT, and in the future will include more products like AIOps and Infinity Identity. 
Until recently, when onboarding to SD-WAN or IoT, there was a mandatory manual step of installing a nano-agent on the gateway and connecting it with a token to the profile. This complicates onboarding and we wanted to improve upon this experience.

Since the need for a gateway to communicate with the Infinity Portal (via nano-agents) is becoming more common, we wanted to enable it automatically for all environments that are using the Infinity Portal. This is not that different from gateways' ability to communicate with ThreatCloud. So when you connect a Management to the Infinity Portal (via the Infinity Services page) or for Smart-1 Cloud (which is implicitly connected to the Infinity Portal), we are activating the nano-agents on the gateways and providing them with a token behind the scenes.

I want to emphasize that this process was created to simplify onboarding for many products (including SD-WAN) and it was not deployed as part of an IoT marketing campaign. That statement should not have been given to you.
I do understand that unexpectedly seeing more agents in the portal can be confusing, and we will try to learn from this case on how we can do this more transparently.
In the spirit of transparency, I can share that we have been considering the option to provide some IoT visibility to all customers (even without a license), but this has not yet been deployed. It's possible that these discussions contributed to the confusion and the statement about an IoT marketing campaign.

I also want to relate to the output of the "cpnano -s" command. This command reflects which profiles or "configuration topics" the agent is monitoring and which nano-services are actually running. An agent will "monitor" or "listen" to multiple profiles because they may be relevant in the future. However, if they have not been activated, it does not impact the agent behavior and nothing from that profile is running. The rows that appear in the command output table, and in the Infinity Portal UI column reflect the profiles that it's listening on. The fact that you saw "IoT Configuration" or "IoT Discovery" in the table does not mean that something from IoT is running. Above the table, you can see the list of nano-services that are actually running and they will explicitly state "Status: Running".

I attached two images, one showing a machine that is just listening on multiple IoT profiles (as was probably the case in your environment) and another image that shows how the output looks like when IoT nano-services are actually running.
One thing that we are taking from this discussion is that we need to improve and clarify the output of the command and the way we show profiles that are just "listening" versus "running".

Sorry for the long post, but I hope that it helps shed some light on the issue.
Please do share further feedback (you can do so directly as well) as we want to improve and be clear towards our customers.

I'm looping in @danielcoh and @Uri_Bialik in case there are further questions on IoT behavior.

Regards,
Tomer

View solution in original post

cpnano -s without IoT.png
Preview file
48 KB
cpnano -s with IoT.png
Preview file
52 KB
0 Kudos
16 Replies
PhoneBoy
Admin
Admin
‎2024-10-09 07:07 AM
Jump to solution

It appears the nano agent is used for two different things: IoT Protect and Quantum SD-WAN.
Please send me the relevant SR in a PM.

0 Kudos
K_R_V
Collaborator
‎2024-10-09 07:13 AM
In response to PhoneBoy
Jump to solution

Thank you for your response. Yes, the Nano agent is indeed used for those purposes, and we have deployed it on some devices for SD-WAN months ago.

However, the real surprise came when we discovered that Check Point has now  been automatically installing these Nano agents on our devices through the Smart-1 Cloud connections—without our knowledge and without any clarity on their specific use. The description indicates it's for IoT discovery, but we don't even have access to the Quantum IoT dashboard on the Infinity Portal to verify, or disable this profile if we do not want this !

Everyone with a Smart-1 cloud connections best verify this Nano agent to see if Check Point is discovering their IoT devices without the customer knowing!

 

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-09 12:04 PM
In response to K_R_V
Jump to solution

I assume that IoT usage and SD-WAN usage of the nano agent is...different.
I also assume if this were a widespread issue, I would be able to find TAC cases with customers reporting the same issue; I cannot.
You can uninstall the agent with: cpnano --uninstall 
If it gets reinstalled despite that, I would open a TAC case.

0 Kudos
K_R_V
Collaborator
‎2024-10-10 06:04 AM
In response to PhoneBoy
Jump to solution

The issue we encountered was accidental , and I don’t believe there are any general problems. My main concern is that Check Point is onboarding every firewall with a Smart-1 Cloud connection in Quantum IoT without providing access to the dashboard or data, and with no option to opt out. While I completely disagree with this approach, which feels invasive, it appears to be compliant with the Smart-1 Cloud EULA.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-10 07:38 AM
In response to K_R_V
Jump to solution

If Check Point were truly "onboarding every firewall with a Smart-1 Cloud connection in Quantum IoT" (or, more precisely, installing the nano agent on a gateway automatically), I would expect to find TAC cases with similar complaints to yours.
I'm not finding any cases that mention this at all.
Please open a TAC case so we can investigate: https://help.checkpoint.com 

0 Kudos
K_R_V
Collaborator
‎2024-10-10 09:43 AM
In response to PhoneBoy
Jump to solution

A TAC case has already  been opened, and this behavior has been confirmed. We have observed this on our Smart-1 customers ( only three) , the nano agent is now installed with the IoT profile.

I'm not sure how the rollout is being handled globally !

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-10 10:03 AM
In response to K_R_V
Jump to solution

I didn't find your TAC SR when I was doing searches earlier, please send to me via PM so I can review.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-10 12:03 PM
In response to PhoneBoy
Jump to solution

R&D is reviewing the situation, FYI.

0 Kudos
Tomer_Noy
Employee
Employee
‎2024-10-10 03:22 PM
Jump to solution

Hi,

I understand that there is some confusion and frustration around this issue. I hope that I can share some details that will help to make things a bit clearer.

I had a session earlier today with relevant R&D owners in the Management, SD-WAN and IoT products. The purpose was to double-check a few things and to see where we can improve going forward.

In the last few weeks, we started to gradually deploy a process aimed to simplify the onboarding of products that rely on the nano-agent architecture (cpnano). These products include SD-WAN and IoT, and in the future will include more products like AIOps and Infinity Identity. 
Until recently, when onboarding to SD-WAN or IoT, there was a mandatory manual step of installing a nano-agent on the gateway and connecting it with a token to the profile. This complicates onboarding and we wanted to improve upon this experience.

Since the need for a gateway to communicate with the Infinity Portal (via nano-agents) is becoming more common, we wanted to enable it automatically for all environments that are using the Infinity Portal. This is not that different from gateways' ability to communicate with ThreatCloud. So when you connect a Management to the Infinity Portal (via the Infinity Services page) or for Smart-1 Cloud (which is implicitly connected to the Infinity Portal), we are activating the nano-agents on the gateways and providing them with a token behind the scenes.

I want to emphasize that this process was created to simplify onboarding for many products (including SD-WAN) and it was not deployed as part of an IoT marketing campaign. That statement should not have been given to you.
I do understand that unexpectedly seeing more agents in the portal can be confusing, and we will try to learn from this case on how we can do this more transparently.
In the spirit of transparency, I can share that we have been considering the option to provide some IoT visibility to all customers (even without a license), but this has not yet been deployed. It's possible that these discussions contributed to the confusion and the statement about an IoT marketing campaign.

I also want to relate to the output of the "cpnano -s" command. This command reflects which profiles or "configuration topics" the agent is monitoring and which nano-services are actually running. An agent will "monitor" or "listen" to multiple profiles because they may be relevant in the future. However, if they have not been activated, it does not impact the agent behavior and nothing from that profile is running. The rows that appear in the command output table, and in the Infinity Portal UI column reflect the profiles that it's listening on. The fact that you saw "IoT Configuration" or "IoT Discovery" in the table does not mean that something from IoT is running. Above the table, you can see the list of nano-services that are actually running and they will explicitly state "Status: Running".

I attached two images, one showing a machine that is just listening on multiple IoT profiles (as was probably the case in your environment) and another image that shows how the output looks like when IoT nano-services are actually running.
One thing that we are taking from this discussion is that we need to improve and clarify the output of the command and the way we show profiles that are just "listening" versus "running".

Sorry for the long post, but I hope that it helps shed some light on the issue.
Please do share further feedback (you can do so directly as well) as we want to improve and be clear towards our customers.

I'm looping in @danielcoh and @Uri_Bialik in case there are further questions on IoT behavior.

Regards,
Tomer

cpnano -s without IoT.png
Preview file
48 KB
cpnano -s with IoT.png
Preview file
52 KB
0 Kudos
K_R_V
Collaborator
‎2024-10-11 01:07 AM
In response to Tomer_Noy
Jump to solution

Thank you for the clarification, it's much appreciated.

Also one important takeaway from this discussion is the potential impact on customer networks !

In our case, since an original "quantum profile" already existed, the creation of a new "quantum profile 1" inadvertently caused clients to be revoked from the original profile, leading to a disruption in our environment. We still have clients that are revoked and no longer communicating, and we will attempt to resolve this manually. ( screenshot attached )

I will refrain from bringing up the fact that we now have a profile named "quantum profile 1" instead of something more appropriate, like "auto onboarding profile," in this discussion

revoked.jpg
Preview file
64 KB
0 Kudos
Robert_M_Nubile
Explorer
Explorer
‎2024-10-11 06:44 AM
In response to Tomer_Noy
Jump to solution

We are facing an issue in our customer where every reboot of the box causes a reinstallation of the agent and it is duplicating the object in the Infinity Portal Agents tab.

 

0 Kudos
Tomer_Noy
Employee
Employee
‎2024-10-11 07:50 AM
In response to Robert_M_Nubile
Jump to solution

This is obviously not desired behavior. 
Please open an SR to TAC so that we can investigate and make sure to fix it. 

If possible, please send me the SR # in a direct message so that we can follow up on it. 

0 Kudos
K_R_V
Collaborator
‎2024-10-14 06:40 AM
In response to Tomer_Noy
Jump to solution

I can confirm this behavior, after a reboot, something is happening with the agent, they get a new Agent ID and the old agent is in disconnected state. Is this intented @Tomer_Noy  ?

 

0 Kudos
Tomer_Noy
Employee
Employee
‎2024-10-14 10:50 PM
In response to K_R_V
Jump to solution

This behavior is not intended, but we are currently investigating the issue and we see it as well.

It happens specifically after reboot on Spark devices that were already connected with a nano-agent before the rollout to automatically connect the devices. The team is looking for a solution with high priority.

0 Kudos
K_R_V
Collaborator
‎2024-10-15 12:11 AM
In response to Tomer_Noy
Jump to solution

Thank you for your response. Could you please provide feedback once the issue with he agent ID is resolved? With an agent reinstalling after reboot and staying in initializing state, we are unable to activate SDwan again.

I currently have an open TAC case, but unfortunately, they have been unable to provide answers to my questions.

0 Kudos
Robert_M_Nubile
Explorer
Explorer
‎2024-10-15 05:40 AM
In response to K_R_V
Jump to solution

Did you check if there is a duplicated object in the Agents tab?
In my case I needed to enable the disconnected agent view to see all the agents and delete all the duplicated agents, after removing all of them, restart the box and it will be installed correctly.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    Top