Endpoint Security VPN for macOS Safari 18 compatibility problems
We are seeing that Check Point Endpoint Security VPN for macOS appears to suffer compatibility problems with Safari 18. We use Azure for authentication. Azure logs show successful authentications. However, the client stalls for about a minute then fails and displays, "Negotiation with site failed." This occurs in both the recommended version (E88.40) and the latest version (E88.60). The only workaround we have identified is to 1) Change the default browser from Safari to Chrome or Edge; and 2) use version E88.60. We have found that E88.40 ignores the default browser setting and opens Safari anyways. It is not clear what Apple changed in Safari 18. We have tested toggling different privacy settings to no avail. We have replicated the problem and the fix on more than one Mac and on more than one version of macOS (Sonoma 14.7 and Sequoia 15.0). Consequently, we implemented a 90-day deferral on all software updates via MDM until Check Point fixes its broken client.
Accepted Solutions
E89.00 has been released, which should address the issue with Safari 18 and SAML: https://support.checkpoint.com/results/sk/sk182723
Current releases do not support Sequoia.
I suspect this will be addressed in an upcoming release in the coming weeks.
Please read posts carefully before replying. This is not a Sequoia issue. Apple is pushing Safari 18 to the three most-recent versions of macOS (Ventura, Sonoma, and Sequoia). For many of your customers, this will break Check Point Endpoint Security VPN functionality on all three.
Please rather read https://support.checkpoint.com/results/sk/sk115192 carefully to know what CP is committed to regarding new versions... Safari 18 would be covered by the disclaimer.
Someone also mentioned in another post that option 1 you described was indeed the way to make it work.
Andy
Same here,
MAC Sonoma 14.7 or Sequoia both with Safari 18 cannot connect to SAML RA VPN.
Chrome works fine.
Mitigation was to first disable CP autoprotection module; change idp_browser_mode in Trac.default file then reboot the mac client (for ease of use).
Think CP must provide a fix ASAP.
I believe someone from Israel mentioned last week in a different post that this should be supported in next release. I will see if I can find that post.
Andy
We just released E88.70 of Endpoint Security/VPN, which supports Sequoia as Early Availability: https://support.checkpoint.com/results/sk/sk182646
It might also resolve the issues with the latest Safari as well.
We resolved using E88.x with Chrome.
Will give 88.70 a try.
Regards,
Gianni.
On my first try, it doesn't seem like 88.70 with Safari v18 on Sonoma is working as advertised -- if anyone else has a different experience, let me know.
Is it possible to configure Checkpoint to use Chrome if Safari is the default browser? The idp_browser_mode only supports "default_browser" and "embedded", no?
I said it "may" fix the issue with Safari, no confirmation of that 🙂
The valid values for idp_browser_mode are listed here: https://support.checkpoint.com/results/sk/sk180395
Chrome cannot be directly specified, but it will work if it's the default browser in the OS.
Absolutely, I know no-one on this thread has confirmed a solution using Safari v18, but I figured I'd report my own finding and see if anyone else had a different result.
I'm not inclined to switch my default browser just to resolve this, but I might consider using one of those browser-selector tools to see if that works in the meantime, and we'll see how long it takes for CheckPoint and Apple to find a workable solution. Even if Checkpoint were to give me more options for `idp_browser_mode` so I could select Edge / Chrome just for the VPN sign-on, that might be enough to get me through this blip.
Thank you so much! With your instructions the solution worked for me, though I'm concerned for future updates that could break this tricky software.
Thank you for the update. Unfortunately, testing conducted this week revealed that while E89.00 restores client respect for Safari as the default browser, it does not resolve the SAML issues and popups whatsoever.
Did you apply the gateway fix from: https://support.checkpoint.com/results/sk/sk182711
I believe that's still necessary here.
I am using Endpoint Security E89.00 (Build 986202803) and trying to use Safari 18.2 (20620.1.16.11.8) on Mac Sequoia 15.2 as my default browser. I have the same problems described above. (Yes, I can change my default browser to Firefox and gain access. But I want Safari to be my default browser.)
The VPN gateway is using R81.10. Our VPN engineer is understandably cautious and has declined to apply the workaround from SK182711. An upgrade to R82 is not expected to be installed for maybe 6 months.
I see that 89.00 added IKEv2 and higher levels of security algorithms for the Remote Access VPN, requiring the gateway to be at R82 to support them.
1. Am I correct that Safari is using/requiring the higher level of security algorithms in the response from the authentication and that R81.10 (at least if it is without the patch in SK182711) does not support those levels, resulting in the negotiation failure?
2. Would, for R81.10, the replacement of redirect.php as supplied in SK182711 be sufficient for a client running Endpoint Security 89.00 to use Safari as the default browser and succeed in getting a VPN established?
3. Am I correct that the only two valid values (for Endpoint Security E89.00) for idp_browser_mode for a Mac are "default_browser" and "safari"? (I'm hoping at least I can specify a different browser ("/Applications/...") to do the identity authentication. Changing the default browser affects many interactions. Firing up a different browser for VPN authentication is not what I really want, but is acceptable.)
FYI: As my Mac is a M3, I can successfully use Capsule Connect. I may just use that.
