MacOS EPS Standalone Client (VPN client) Block All Incoming Traffic

Hi everyone in Checkmates

As an engineer at a Check Point partner, I am always interested in the latest Check Point software releases, and I always use Endpoint Connect VPN (also known as the Endpoint Security Standalone VPN Client) to stay connected to the lab environment in my company's network. I am a macOS user (currently on Catalina, version 10.15.4). After upgrading the client to E82.50, I find that although no firewall policy is loaded, once the OS loads cpfw.kext (kernel extension), my Mac starts to block all incoming traffic. In fact, after installing the new VPN client, my Mac can receive incoming traffic but never sends out any kind of reply (for example, pinging my Mac gets an Overtime error).

Although this issue can be fixed by unloading this kernel extension manually, the VPN client stops working at the same time. And it is the standalone EPS VPN client, so it may be hard to manage the default policy brought by cpfw.kext.

As this kind of client meets the requirements of customers who want the VPN function only, I think this behavior is not appropriate.

Accepted Solutions
Admin
The Mac VPN client is intended—and licensed—as a full Endpoint client.
This Desktop Firewall is a mandatory component of this that cannot be removed.
You can configure this firewall either in SmartEndpoint or in SmartConsole.

Admin

Just to add to this answer, you can configure the state of the Endpoint firewall for all users in Global Properties.
Once the user connects to your gateway, the configuration of this firewall will be updated.

If you want something more granular than what's listed here, you will need to configure a Desktop Firewall policy.
This can be enabled by ticking the "Policy Server" option in your gateway object, then a Desktop Firewall policy can be added to an existing policy package and created as desired.