CzarMark
Explorer

Endpoint Security VPN for macOS Safari 18 compatibility problems

We are seeing that Check Point Endpoint Security VPN for macOS appears to suffer compatibility problems with Safari 18. We use Azure for authentication. Azure logs show successful authentications. However, the client stalls for about a minute then fails and displays, "Negotiation with site failed." This occurs in both the recommended version (E88.40) and the latest version (E88.60). The only workaround we have identified is to 1) Change the default browser from Safari to Chrome or Edge; and 2) use version E88.60. We have found that E88.40 ignores the default browser setting and opens Safari anyways. It is not clear what Apple changed in Safari 18. We have tested toggling different privacy settings to no avail. We have replicated the problem and the fix on more than one Mac and on more than one version of macOS (Sonoma 14.7 and Sequoia 15.0). Consequently, we implemented a 90-day deferral on all software updates via MDM until Check Point fixes its broken client.

11 Replies
PhoneBoy
Admin

Current releases do not support Sequoia.
I suspect this will be addressed in an upcoming release in the coming weeks.

0 Kudos
CzarMark
Explorer

Please read posts carefully before replying. This is not a Sequoia issue. Apple is pushing Safari 18 to the three most-recent versions of macOS (Ventura, Sonoma, and Sequoia). For many of your customers, this will break Check Point Endpoint Security VPN functionality on all three.

0 Kudos
(1)
G_W_Albrecht
Legend

Please rather read https://support.checkpoint.com/results/sk/sk115192 carefully to know what CP is committed to regarding new versions... Safari 18 would be covered by the disclaimer.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend

Someone also mentioned in another post that option 1 you described was indeed the way to make it work.

Andy

0 Kudos
GianniPapetti
Contributor

Same here,

Mac Sonoma 14.7 or Sequoia both with Safari 18 cannot connect to SAML RA VPN.

Chrome works fine.

Mitigation was to first disable CP autoprotection module; change idp_browser_mode in Trac.default file then reboot the Mac client (for ease of use).

Think CP must provide a fix ASAP.

0 Kudos
the_rock
Legend

I believe someone from Israel mentioned last week in a different post that this should be supported in next release. I will see if I can find that post.

Andy

0 Kudos
PhoneBoy
Admin

We just released E88.70 of Endpoint Security/VPN, which supports Sequoia as Early Availability: https://support.checkpoint.com/results/sk/sk182646 
It might also resolve the issues with the latest Safari as well.

0 Kudos
GianniPapetti
Contributor

We resolved using E88.x with Chrome.

Will give 88.70 a try.

Regards,

Gianni.

0 Kudos
wiseman
Newcomer

On my first try, it doesn't seem like 88.70 with Safari v18 on Sonoma is working as advertised -- if anyone else has a different experience, let me know.

Is it possible to configure Checkpoint to use Chrome if Safari is the default browser? The idp_browser_mode only supports "default_browser" and "embedded", no?

0 Kudos
PhoneBoy
Admin

I said it "may" fix the issue with Safari, no confirmation of that 🙂

The valid values for idp_browser_mode are listed here: https://support.checkpoint.com/results/sk/sk180395
Chrome cannot be directly specified, but it will work if it's the default browser in the OS.

0 Kudos
wiseman
Newcomer

Absolutely, I know no-one on this thread has confirmed a solution using Safari v18, but I figured I'd report my own finding and see if anyone else had a different result.  

I'm not inclined to switch my default browser just to resolve this, but I might consider using one of those browser-selector tools to see if that works in the meantime, and we'll see how long it takes for CheckPoint and Apple to find a workable solution. Even if Checkpoint were to give me more options for `idp_browser_mode` so I could select Edge / Chrome just for the VPN sign-on, that might be enough to get me through this blip.

0 Kudos
