MacOS EPS Standalone Client (VPN client) Block All Incoming Traffic

Hi everyone in Checkmates

As an engineer at a Check Point partner, I am always interested in the latest Check Point software releases, and I always use Endpoint Connect VPN (also known as the Endpoint Security Standalone VPN Client) to stay connected to the lab environment on my company's network. I am a macOS user (currently Catalina, version 10.15.4). After upgrading the client to E82.50, I find that although no firewall policy is loaded, once the OS loads cpfw.kext (a kernel extension), my Mac starts to block all incoming traffic. In fact, after installing the new VPN client, my Mac can receive incoming traffic but never sends out any kind of reply (for example, pinging my Mac gets a timeout error).

Although this issue can be fixed by unloading this kernel extension manually, the VPN client stops working at the same time. And since it is the Standalone EPS VPN client, it may be hard to manage the default policy brought in by cpfw.kext.

As this kind of client meets the requirements of customers who want VPN functionality only, I think this behavior is not appropriate.

[Two screenshots attached, 2020-04-10]
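The symptom described in the post above (inbound packets arrive, but no replies leave the Mac) can be confirmed from a packet capture rather than from a single ping. The script below is an added example, not code from the thread or from Check Point: it reads ICMP traffic captured on the Mac (for instance with `sudo tcpdump -n -l -i en0 icmp`) and reports, per remote peer, how many echo requests arrived versus how many echo replies were sent back. It assumes tcpdump's default IPv4 text output format and uses a constructed sample trace; the addresses are made up.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from Check Point.
# Assumption (not from the thread): tcpdump's default IPv4 text format, e.g.
#   12:00:01.000001 IP 192.168.1.20 > 192.168.1.10: ICMP echo request, id 7, seq 1, length 64
# A peer that sent requests but received zero replies shows the "receives but
# never replies" behaviour the original poster sees once cpfw.kext is loaded.

# Reads tcpdump lines on stdin; prints "<peer> requests=<n> replies=<m> <status>".
icmp_reply_ratio() {
  awk '
    # Request lines: field 3 is the source address, i.e. the remote peer.
    /ICMP echo request/ { req[$3]++ }
    # Reply lines: field 5 is the destination address with a trailing colon.
    /ICMP echo reply/   { p = $5; sub(/:$/, "", p); rep[p]++ }
    END {
      for (p in req) {
        r = (p in rep) ? rep[p] : 0
        printf "%s requests=%d replies=%d %s\n", p, req[p], r, (r == 0 ? "NO_REPLIES" : "ok")
      }
    }'
}

# Exit status 0 when the given peer sent requests and got no reply at all.
# Usage: symptom_present <peer-ip> < tcpdump.txt
symptom_present() {
  icmp_reply_ratio | grep -q "^$1 .* NO_REPLIES\$"
}

# Constructed sample capture (not a real trace): 192.168.1.20 pings the Mac
# (192.168.1.10) three times and never gets an answer; 192.168.1.30 gets one.
SAMPLE_TCPDUMP='12:00:01.000001 IP 192.168.1.20 > 192.168.1.10: ICMP echo request, id 7, seq 1, length 64
12:00:02.000002 IP 192.168.1.20 > 192.168.1.10: ICMP echo request, id 7, seq 2, length 64
12:00:03.000003 IP 192.168.1.20 > 192.168.1.10: ICMP echo request, id 7, seq 3, length 64
12:00:04.000004 IP 192.168.1.30 > 192.168.1.10: ICMP echo request, id 9, seq 1, length 64
12:00:04.000100 IP 192.168.1.10 > 192.168.1.30: ICMP echo reply, id 9, seq 1, length 64'

# Run against the sample; on a real Mac, pipe a live or saved tcpdump capture in instead.
printf '%s\n' "$SAMPLE_TCPDUMP" | icmp_reply_ratio
```

If every peer that pings the Mac shows NO_REPLIES while the VPN client is installed, and the same test passes after the kernel extension is unloaded, the desktop firewall component is the thing dropping the outbound replies, which is what the thread's answers below attribute to the mandatory Desktop Firewall in the EPS client.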

6 Replies
Admin
The Mac VPN client is intended—and licensed—as a full Endpoint client.
This Desktop Firewall is a mandatory component of this that cannot be removed.
You can configure this firewall either in SmartEndpoint or in SmartConsole.

(Accepted solution)

Explorer

This is not a "solution" - it is a workaround that ignores a more general problem. As a consultant, I work with numerous clients. One of my clients needed me to install Checkpoint VPN to work on their network. Unfortunately, after installing the VPN client, my MacBook Pro no longer allows incoming connections... no matter whether the VPN is connected. This is problematic for me in needing to work with other clients, and even on my home network. I can understand the VPN client having control over how my computer connects to local networks when connected to the VPN. However, once the VPN client is shut down locally, it should no longer have any control over my local machine's network connectivity. The VPN client is not being used purely by road warriors... and those of us who have machines not owned by the companies that run the VPN servers should not be impacted by the VPN client when we are not connected. Now my only options are, apparently, to ask my client to create a separate security policy in their VPN just for me, or to unload a kernel extension whenever I want to have control of my computer? The UX here is pretty weak.

Admin

The other option is to use the SNX client which does not have a desktop firewall component.
You can try to download a version of the client from here and use it against the relevant gateway: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Champion

The Checkpoint VPN client can be installed from the same installer package in 3 different flavours:

EPS VPN including Desktop Firewall (the version used in the posts above)

Mobile VPN (no Desktop Firewall)

SecuRemote (no Desktop Firewall, no Office mode)

Admin

Only the EPS flavor exists for the Mac.
Check Point Mobile and SecuRemote are not supported on the Mac.

Admin

Just to add to this answer, you can configure the state of the Endpoint firewall for all users in Global Properties.
Once the user connects to your gateway, the configuration of this firewall will be updated.

[Screenshot: Global Properties, 2020-07-05]

If you want something more granular than what's listed here, you will need to configure a Desktop Firewall policy.
This can be enabled by ticking the "Policy Server" option in your gateway object, then a Desktop Firewall policy can be added to an existing policy package and created as desired.

(Accepted solution)