Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
QixingCao_MTech
Explorer
Jump to solution

MacOS EPS Standalone Client (VPN client) Block All Incoming Traffic

Hi everyone in Checkmates

As an engineer of CheckPoint's Partner, I am always interested in latest CheckPoint Software release, and I always use  Endpoint Connect VPN (or known as Endpoint Security Standalone VPN Client) to keep connecting with Lab environment in company's network. I am a MacOS user (current OS Catalina, version 10.15.4), after upgrading the client to E82.50, I find that although no firewall policy loaded, after OS loads cpfw.kext (kernel extension), my Mac starts to block all incoming traffic. In fact, after installing new VPN client, my Mac can receive incoming traffic but never sends out any kind of reply ( for example, ping my Mac will get Overtime error ).

Although this issue can be fixed by unload this kernel extension manually, at the same time the VPN client will stop working. And it is Standalone EPS vpn client, so maybe it is hard to manage the default policy brought by cpfw.kext .

As this kind of client meets the requirements of customers who wants VPN function only, I think this behavior is not appropriate.

截屏2020-04-10 02.24.01.png截屏2020-04-10 02.24.25.png

2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
The Mac VPN client is intended—and licensed—as a full Endpoint client.
This Desktop Firewall is a mandatory component of this that cannot be removed.
You can configure this firewall either in SmartEndpoint or in SmartConsole.

View solution in original post

PhoneBoy
Admin
Admin

Just to add to this answer, you can configure the state of the Endpoint firewall for all users in Global Properties.
Once the user connects to your gateway, the configuration of this firewall will be updated.

Screen Shot 2020-07-05 at 6.40.31 PM.png

If you want something more granular than what's listed here, you will need to configure a Desktop Firewall policy.
This can be enabled by ticking the "Policy Server" option in your gateway object, then a Desktop Firewall policy can be added to an existing policy package and created as desired.

View solution in original post

0 Kudos
12 Replies
PhoneBoy
Admin
Admin
The Mac VPN client is intended—and licensed—as a full Endpoint client.
This Desktop Firewall is a mandatory component of this that cannot be removed.
You can configure this firewall either in SmartEndpoint or in SmartConsole.
NFlourish
Explorer

This is not a "solution" - it is a work around that ignores a more general problem. As a consultant, I work with numerous clients. One of my clients needed me to install Checkpoint VPN to work on their network. Unfortunately, after installing the VPN client, my MacBook Pro no longer allows incoming connections... no matter if the VPN is connected. This is problematic for me in needing to work with other clients, and even on my home network. I can understand the VPN client having control over how my computer connects to local networks when connected to the VPN. However, once the VPN client is shut down locally, it should no longer have any control over my local machine's network connectivity. The VPN client is not being used purely by road warriors... and those of us who have machines not owned by the companies that run the VPN servers should not be impacted by the VPN client when we are not connected. Now my only options are to, apparently, ask my client to create a separate security policy in their VPN just for me, or for me to unload a kernel extension when I want to have control of my computer? The UX here is pretty weak.

PhoneBoy
Admin
Admin

The other option is to use the SNX client which does not have a desktop firewall component.
You can try to download a version of the client from here and use it against the relevant gateway: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Checkpoint VPN client can be installed from the same installer package in 3 different flavours:

EPS VPN including Desktop Firewall (the version used in the posts above)

Mobile VPN (no Desktop Firewall)

SecuRemote (no Desktop Firewall, no Office mode)

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

Only the EPS flavor exists for the Mac.
Check Point Mobile and SecuRemote are not supported on the Mac.

0 Kudos
PhoneBoy
Admin
Admin

Just to add to this answer, you can configure the state of the Endpoint firewall for all users in Global Properties.
Once the user connects to your gateway, the configuration of this firewall will be updated.

Screen Shot 2020-07-05 at 6.40.31 PM.png

If you want something more granular than what's listed here, you will need to configure a Desktop Firewall policy.
This can be enabled by ticking the "Policy Server" option in your gateway object, then a Desktop Firewall policy can be added to an existing policy package and created as desired.

0 Kudos
Christoph
Collaborator

We encountered the same problem. The solution in the picture is not working, as it only applies to the mobile client and will not work with the (MacOS) Enpoint Security client

We also tried using the conf/trac_client_1.ttm to change this behavior with no success. While we could set the client to a "firewall off" state and other things, incoming connections were still being dropped.

The only solution that was working was the Desktop Firewall route, which is kind of unsatisfying as we only need it to replicate the behavior of mobile VPN for MacOS clients.

0 Kudos
Mustang
Employee
Employee

Hi, Any quick way to do it on R81.10?

0 Kudos
PhoneBoy
Admin
Admin

Believe it's the same procedure in R81.10.

0 Kudos
Mustang
Employee
Employee

Actually, I've tried it on 81.10 and it seems to lack the whole "Security Setting" section.

 
 

 

0 Kudos
PhoneBoy
Admin
Admin

The section is there, but it's missing the Enable Firewall Policy option.
Possible that option is configured somewhere else now.

0 Kudos
RicPCC
Explorer

As a workaround for this, I built an Automator action that runs a short shell script to toggle the processes that are blocking the connections. The script was lifted from SuperUser.com, but at least building it into an Automator workflow was my idea. The content of the script (which needs to be directed to stdin) in Automator is:

 

Click to Expand

#!/bin/bash
#
# The reason of creating this script is that Endpoint Security VPN installs it's own application firewall kext cpfw.kext
# which prevents for example PPTP connections from this computer, which is not appropriate if you need subj connection just
# from time to time
#
# Usage: ./checkpoint.sh
#
# The script checks if Enpoint Security VPN is running. If it is, then it shuts it down, if it is not, it fires it up.
# Or, make an Automator action and paste the script.
# You will need sudo power, of course
#
# To prevent Endpoint Security VPN from starting automatically whenever you restart your Mac, edit this file:
# `/Library/LaunchAgents/com.checkpoint.eps.gui.plist`
# And change the values of `RunAtLoad` and `KeepAlive` to `false`
# [Source](https://superuser.com/questions/885273)

# SERVICE='Endpoint_Security_VPN'
SERVICE='Endpoint_Security_VPN'

if pgrep $SERVICE > /dev/null
then
# $SERVICE is running. Shut it down
sudo launchctl unload /Library/LaunchDaemons/com.checkpoint.epc.service.plist
sudo kextunload /Library/Extensions/cpfw.kext
killall $SERVICE
else
# $SERVICE is not running. Fire it up
sudo launchctl load /Library/LaunchDaemons/com.checkpoint.epc.service.plist
sudo kextload /Library/Extensions/cpfw.kext
open '/Applications/Endpoint Security VPN.app'
fi 

Also, to get this to work, you will need to (one time only) manually edit /Library/LaunchAgents/com.checkpoint.eps.gui.plist and /Library/LaunchAgents/com.checkpoint.eps.gui.plist to set the key RunAtLoad to off.

The above will also disable Endpoint Security from bringing up a login dialog after every startup even if that is controlled by a policy. So, from an ethical standpoint, this only be used on a personally-owned computer, I think. However, it will, once again, allow me to smb and vnc in from other computers on my home network.

Ric

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events