
Endpoint Security Server

(Secure Access)
R73
Administration Guide

23 February, 2010
More Information
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=10635
For additional technical information about Check Point visit Check Point Support Center
(http://supportcenter.checkpoint.com).

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to us (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Endpoint Security Server (Secure Access) R73 Administration Guide).

© 2010 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Please refer to our Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Please refer to our Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a
list of relevant copyrights.
Contents

Introduction ............................................................................................................... 9 
Policies ...................................................................................................................9 
Policy Components and Settings ...........................................................................9 
Using Endpoint Security Administrator Console.....................................................9 
Modes and Views ............................................................................................10 
Switching Views...............................................................................................10 
Integration With Other Check Point Products.......................................................10 
System Architecture .............................................................................................11 
Endpoint Security Server .................................................................................12 
Administrator Console .....................................................................................12 
Endpoint Security Clients ................................................................................12 
Getting Started ........................................................................................................ 14 
Choosing Your Enterprise Policy Types ...............................................................14 
Choosing Your Security Model .............................................................................14 
Gathering Topology Information ...........................................................................15 
Planning User Support .........................................................................................15 
Distributing First Client .........................................................................................15 
Configuring and Deploying the Default Policy ......................................................16 
Policy Stages ...................................................................................................16 
Default Policy...................................................................................................16 
Creating a Basic Policy....................................................................................16 
Deploying the Policy ........................................................................................19 
Testing Policy and Zones ................................................................................19 
Creating a More Advanced Policy ...................................................................19 
Testing Program and Enforcement Rules .......................................................23 
Assigning Policies ................................................................................................23 
Creating Catalogs ............................................................................................23 
Assigning a Custom Policy ..............................................................................24 
Managing Domains ................................................................................................. 25 
Multi-Domain Administrators ................................................................................25 
System Domain and Non-System Domains .........................................................25 
Checking Your Domain ........................................................................................26 
Switching Domains ...............................................................................................27 
Creating Domains ................................................................................................27 
Deleting Domains .................................................................................................27 
Managing Administrators ...................................................................................... 28 
Administrator Roles ..............................................................................................28 
Default Roles and Customized Roles ..............................................................30 
Privileges .........................................................................................................30 
Planning Administrator Configuration ...................................................................30 
Creating Roles .....................................................................................................30 
Creating Administrator Accounts ..........................................................................32 
Editing Administrator Accounts ............................................................................33 
Deleting Administrator Accounts ..........................................................................33 
SmartCenter Administrators .................................................................................33 
Managing Catalogs ................................................................................................. 34 
Supported Catalog Types ....................................................................................34 
User Catalogs ......................................................................................................34 
Custom Catalogs .............................................................................................34 
LDAP Catalogs ................................................................................................35 
NT Domain Catalogs .......................................................................................38 
RADIUS Catalogs ............................................................................................40 
Authenticating Users .......................................................................................41 
Synchronizing User Catalogs ..........................................................................42 
IP Catalogs ...........................................................................................................43 
Groups .................................................................................................................43 
Managing Security Policies ................................................................................... 44 
Understanding Policies ........................................................................................44 
Connected Policies ..........................................................................................45 
Disconnected Policies .....................................................................................45 
Personal Policies .............................................................................................45 
Policy Arbitration..............................................................................................46 
Policy Packages ..............................................................................................46 
Security Policy Component Overview .............................................................46 
Policy Objects ..................................................................................................48 
Rule Evaluation and Precedence ....................................................................48 
Policy Lifecycles ..............................................................................................49 
Using a Default Policy ..........................................................................................53 
Creating Policies Using a Policy Template...........................................................53 
Creating a Policy Using a File ..............................................................................54 
Creating Access Zones as Policy Objects............................................................55 
Locations .........................................................................................................55 
Trusted Zone ...................................................................................................55 
Blocked Zone...................................................................................................56 
Internet Zone ...................................................................................................56 
Security Rules .................................................................................................56 
Setting Security Levels ....................................................................................56 
Configuring New Network Detection Options ..................................................57 
Defining Zones ................................................................................................57 
Configuring Advanced Packet Handling Settings ............................................58 
Creating Firewall Rules as Policy Objects............................................................59 
Firewall Rule Rank in Security Policies ...........................................................59 
Example of Rank .............................................................................................60 
Creating Firewall Rules ...................................................................................60 
Adding Firewall Rules to Policies ....................................................................62 
Ranking Firewall Rules ....................................................................................62 
Enabling and Disabling Firewall Rules ............................................................62 
Editing Firewall Rules ......................................................................................62 
Removing Firewall Rules from a Policy ...........................................................63 
Deleting a Firewall Rule...................................................................................63 
Creating Enforcement Rules as Policy Objects....................................................63 
Enforcement Rule Types .................................................................................63 
Enforcement Rules Process ............................................................................64 
What a Restricted User Experiences...............................................................64 
Planning Enforcement Rules ...........................................................................65 
Providing Remediation Resources for Users...................................................65 
Using Rules that Observe or Warn ..................................................................67 
Enabling Enforcement Rule Alerts and Logging ..............................................67 
Creating Enforcement Rules for Programs, Files and Keys ............................68 
Anti-virus Rules ...............................................................................................70 
Creating Client Enforcement Rules .................................................................74 
Editing Enforcement Rules ..............................................................................75 
Deleting Enforcement Rules ............................................................................76 
Grouping Enforcement Rules ..........................................................................76 
Adding Enforcement Rules to Policies ............................................................76 
Configuring Compliance Check Settings .........................................................77 
Adding Restriction Firewall Rules to Your Policy.............................................77 
Configuring the Heartbeat Interval...................................................................77 
Tracking Enforcement Rule Compliance .........................................................78 
Creating Program Rules .......................................................................................79 
Program Permissions ......................................................................................79 
Program Groups ..............................................................................................80 
Permission Precedence...................................................................................81 
Global and Policy Permissions ........................................................................81 
Program Evaluation Process ...........................................................................81 
Program Observation ......................................................................................82 
Using Checksums............................................................................................82 
Planning Program Control ...............................................................................82 
Creating Appscans ..........................................................................................85 
Adding Programs Manually .............................................................................88 
Creating Program Groups ...............................................................................88 
Setting Program Permissions ..........................................................................89 
Setting Policy-Level Permissions ....................................................................90 
Configuring Alert Levels ..................................................................................91 
Editing Anti-malware Settings ..............................................................................91 
Enabling Updates ............................................................................................92 
Enabling Support for Legacy Clients ...............................................................93 
Configuring Anti-malware Protection ...............................................................93 
Enforcing Anti-spyware Scans and Treatments ..............................................98 
Editing SmartDefense Settings ............................................................................98 
Configuring SmartDefense in a Policy .............................................................99 
Editing Messaging Settings ..................................................................................99 
Configuring MailSafe Protection in a Policy.....................................................99 
Deploying Policies ..............................................................................................100 
Creating Policy Packages ..................................................................................100 
Simple View - Activating Policies .......................................................................100 
Assigning Policies ..............................................................................................100 
Policy Inheritance ..........................................................................................100 
Assignment Order..........................................................................................102 
Assigning Policies..........................................................................................103 
Setting the Assignment Priority .....................................................................103 
Monitoring Policy Assignment .......................................................................103 
Rolling Back Policy Versions .............................................................................. 103 
Exporting Policies ................................................................................................ 104 
Deleting Policies ................................................................................................... 104 
VPN Policies .......................................................................................................... 105 
Using a Default VPN Policy ................................................................................105 
Configuring the Default VPN Policy ...................................................................105 
Creating a New VPN Policy ...............................................................................106 
Managing Policy Templates................................................................................. 107 
Preconfigured Policy Templates.........................................................................107 
Creating a Policy Template ................................................................................107 
Modifying a Policy Template ..............................................................................108 
Withdrawing a Policy Template ..........................................................................108 
Deleting Policy Templates ..................................................................................108 
Program Advisor................................................................................................... 109 
Program Advisor Server .....................................................................................109 
Client Program Advisor Process ........................................................................109 
Endpoint Security Server Program Advisor Process ..........................................111 
Enabling Program Advisor .................................................................................112 
Viewing Program Advisor Recommendations ....................................................112 
Overriding Program Advisor Recommendations ................................................113 
Managing Unknown Programs ...........................................................................113 
Managing Updates ................................................................................................ 114 
Overview of Updates ..........................................................................................114 
Update Delivery Process ....................................................................................115 
Update Staging Process ....................................................................................115 
Making Updates Instantly Available ...................................................................116 
Configuring Automatic Client Updates ...............................................................116 
Configuring Client Update Staging .....................................................................116 
Deploying or Rejecting Previewed Updates .......................................................117 
Offline Updates ..................................................................................................117 
Monitoring Anti-Malware Activity ........................................................................ 117 
Monitoring Infection Activity on Endpoints..........................................................118 
Monitoring Infection History ................................................................................118 
Monitoring Scan and Update Status ..................................................................118 
Gateways and Cooperative Enforcement ........................................................... 120 
Introduction to Cooperative Enforcement ...........................................................120 
Configuring Cooperative Enforcement ...............................................................121 
Adding Gateway Catalogs .............................................................................122 
Testing Gateway Cooperative Enforcement ..................................................124 
Adding Gateway Groups ...............................................................................125 
Supporting the User ............................................................................................. 126 
Educating the Endpoint User .............................................................................126 
Informing Endpoint Users in Advance ...........................................................126 
Providing Information About Your Security Policy .........................................127 
Describing the Distribution Process...............................................................127 
Providing Remediation Resources .....................................................................127 
Using Alerts for User Self-help ......................................................................127 
Using the Sandbox for User Self-Help...........................................................127 
Recommended Sandbox Customizations .....................................................128 
Preparing your Help desk Staff ..........................................................................129 
Documentation ..............................................................................................129 
Training..........................................................................................................129 
Distributing Endpoint Security Client ................................................................. 129 
Upgrading the Client ..........................................................................................129 
Client Installation Packages ...............................................................................129 
Policies in Client Installations .............................................................................130 
VPN Options ......................................................................................................130 
Migrating from Check Point SecureClient (Optional) .....................................130 
Planning Your VPN Configuration .................................................................132 
Workflow for Configuring and Deploying VPN in Packages ..........................132 
Installation Options .............................................................................................133 
Install Key (Password) ...................................................................................133 
Setting Install Key ..........................................................................................133 
Silent Installations and Upgrades ..................................................................134 
Connection Information .................................................................................134 
User Identification ..........................................................................................134 
Custom Parameters.......................................................................................134 
Importing Client Executables .........................................................................135 
Creating Client Packages ..............................................................................136 
Exporting Client Packages ............................................................................136 
Distributing the Client Package URL .............................................................136 
Client Connectivity Report .............................................................................137 
Client Version Report ....................................................................................137 
Command Line Switches ...............................................................................137 
Distributing Client with GPO ...............................................................................138 
Distributing Client with Command-Line ..............................................................139 
Command-Line Syntax ..................................................................................139 
MSI Switches .................................................................................................139 
MSI Error (Return) Codes..............................................................................140 
Uninstalling Clients .............................................................................................. 140 
Silently Removing a Client .................................................................................140 
Uninstalling MSI files ..........................................................................................140 
Uninstalling Using Product Code .......................................................................140 
Obtaining Product Code ................................................................................141 
Uninstalling Using a Script .................................................................................141 
Configuring Office Awareness ............................................................................ 142 
Overview of Office Awareness ...........................................................................142 
Using Office Awareness Servers........................................................................142 
Using the Office Awareness Beacon ..................................................................143 
Beacon Details ..............................................................................................143 
Installing a New Beacon Server ....................................................................143 
Establishing Communication .........................................................................144 
Registering the Beacon Server......................................................................144 
Configuring an Existing Server ......................................................................144 
Linux Agent Installation and Configuration ....................................................... 146 
Deployment Workflow ........................................................................................146 
Managing Linux Groups .....................................................................................146 
Creating the Linux Policy ...................................................................................147 
Supported Policy Settings .............................................................................147 
Understanding Policy Enforcement on Linux .....................................................148 
Disconnected Policy for Linux - Options ........................................................148 
Managing Linux Disconnected Policy ............................................................148 
Installation of Client on Linux .............................................................................149 
Installation Methods.......................................................................................149 
Installing with Installation Script.....................................................................150 
Uninstalling with Installation Script ................................................................151 
Installing using the Endpoint Security Agent RPM ........................................151 
Customizing the Endpoint Security Agent Configuration....................................154 
Configuration File Settings ............................................................................154 
Changing Connection Manager Address.......................................................155 
Changing cm_auth Parameter.......................................................................156 
Running Endpoint Security Agent ......................................................................156 
Using the Command Line Interface ...............................................................156 
Using the Service Manager ...........................................................................157 
Checking the Log...........................................................................................157 
Setting Log Upload Parameters ....................................................................158 
Configuration and Maintenance .......................................................................... 159 
Managing Your Products ....................................................................................159 
Licensing .......................................................................................................159 
Version Information .......................................................................................160 
Starting and Stopping Services .....................................................................160 
Uninstalling Check Point Products - Windows ...............................................161 
Uninstalling Check Point Products - Linux.....................................................161 
Uninstalling Check Point Products - SecurePlatform ....................................161 
Managing Communication .................................................................................162 
Windows Firewall...........................................................................................162 
Allowing Endpoint Hotspot Registration ........................................................162 
Disabling Wireless on LAN ............................................................................163 
Proxy Configuration .......................................................................................163 
Configuring a RADIUS Server .......................................................................164 
Certificate Management ................................................................................165 
Changing your JDBC IP Address ..................................................................166 
Heartbeats .....................................................................................................166 
Client Logging................................................................................................166 
Managing Data ...................................................................................................167 
Events and Logging .......................................................................................167 
Configuring Recommended Event Logs ........................................................167 
Using SNMP with Endpoint Security .............................................................170 
Trap Formats .................................................................................................170 
Linux Configuration........................................................................................170 
Managing Events ...........................................................................................170 
Managing Disk Space....................................................................................171 
Data Backup and Restore .............................................................................171 
Log Purging ...................................................................................................172 
Administrator Console Navigation ...................................................................... 173 
Administrator Console Navigation Reference ....................................................173 
Legacy VPN CLI .................................................................................................... 180 
Commands .........................................................................................................180 
Security Gateway Configuration ......................................................................... 182 
Configuring Multiple Entry Point (MEP) ..............................................................182 
Configuring Endpoint Compliance ......................................................................183 
Enforcement Rules in the Endpoint Security Policy ......................................183 
Configuring Secure Configuration Verification (SCV) ....................................184 
Configuring Location Awareness .......................................................................184 
Index ...................................................................................................................... 185 
Chapter 1
Introduction
Endpoint Security allows you to centrally manage all endpoints: centralized organization of nodes in the
environment, and centralized deployment, monitoring, and configuration of all Endpoint Security features on all
endpoints. Endpoint Security is integrated with other Check Point products for complete unified security
management.

In This Chapter

Policies 9
Policy Components and Settings 9
Using Endpoint Security Administrator Console 9
Integration With Other Check Point Products 10
System Architecture 11

Policies
Policies are how you deliver security rules to your endpoint users. Administrators create enterprise policies
using the Endpoint Security Administrator Console and assign them to endpoint users or groups of endpoint
users. Endpoint Security deploys these enterprise policies to endpoint computers, where the Endpoint
Security clients receive and enforce them. You can create connected and disconnected enterprise policies
for your users. If your users have Flex, they may also configure a personal policy for themselves.

Policy Components and Settings


Endpoint Security Policies provide security with rules and controls. While some aspects of these features
may seem similar to each other, they provide security in different ways.
• Firewall Rules control traffic using packet data.
• Zone Rules allow or deny traffic based on security locations you define as trusted or untrusted.
• Program Control protects your network by controlling program access. The Program Advisor service adds
further control by automating application control management.
• Enforcement Rules determine what software an endpoint computer must and must not have when
connecting to your network.
• Restriction firewall Rules control what parts of your network a user can access when they are out of
compliance with Enforcement Rules.
• Cooperative Enforcement with a supported gateway device restricts or disconnects noncompliant users
at the gateway level.
• Check Point Anti-spyware and Anti-virus protect company data and endpoints with centrally managed
detection, prevention, and treatment.

Using Endpoint Security Administrator Console
Most administrative functions are performed using the Endpoint Security Administrator Console.

Page 9
Log into the Endpoint Security Administrator Console at:
http://<Endpoint Security IP Address>/signon.do

Modes and Views


You can choose Multi or Single Domain mode when you install Endpoint Security. You cannot switch modes
after installation.

Multi Domain Mode


Use Multi Domain mode to create domains. You can use domains to organize users and Policies into units.
Each domain can have its own administrators and can be further divided into groups of endpoint users using
catalogs. Multi Domain mode is particularly useful for Internet Service Providers and large companies that
want local administration for business units or localities.
If you choose Multi Domain, Endpoint Security starts in Multi Domain mode.

Single Domain Mode


Use Single Domain mode if you do not need to organize your users and Policies into units. In Single Domain
mode there is only one domain, but it can be divided into groups of endpoint users to allow you to have
different Policies for different groups.
If you choose Single Domain mode, you can choose which type of view you need:
• Simple view provides an easier user interface for creating and activating Policies.
• Advanced view gives you access to all Endpoint Security features, some of which are not available in
Simple view (Domains and Catalogs, Policy Templates, Policy Assignment, Server Settings, and more).

Switching Views
In Single mode, Endpoint Security starts in Simple view. After installation, you can choose to change to
Advanced view.
You can also switch from Advanced to Simple view, but only if you have not used features that are not
included in Simple view. If you have used Advanced features, the Change View option is not available.
To switch between views:
1. At the top of the Endpoint Security Administrator console (in Single mode only), click Change View. The
Confirm Change View page opens.
2. Click Change View.

Integration With Other Check Point Products
Endpoint Security integrates with a variety of Check Point products to create an integrated security solution.
Notable integration points include:
• Installation Options – There are a variety of installation options for Endpoint Security with other Check
Point products. These options include:
• Single Server – You can now install Endpoint Security on the same server as SmartCenter and
Provider-1. This reduces your resource costs.
• Multi-Server – You can install SmartCenter and Endpoint Security on separate servers. You can also
choose to have logging on another server.
• Licensing – Performed on the server side so you do not need to update your Endpoint Security clients
with a new license when adding features. You can manage your licenses using Check Point license
management tools: SmartUpdate, the cplic command, or (for local licenses only) the Check Point
Configuration Tool.
• Gateway Integration – Endpoint Security provides Cooperative Enforcement in conjunction with several
Check Point devices and software versions.

• Unified Logging, Reporting, and Monitoring – Endpoint Security logs are stored in a format that
makes them readable by third party and Check Point Products, such as SmartView Tracker, Eventia
Reporter and Eventia Analyzer. This has the following advantages:
• Logs use a file system instead of a database, which allows you to archive and rotate the logs in the
same way as other Check Point logs.
• Log info is stored locally if the remote logging server is unavailable.
• Perimeter, internal, and Web Security events are all logged in one place.
• Using Eventia Reporter you can schedule reports to run during periods of low system use. You can
also e-mail reports to other people, and upload reports to a Web site.
• Using SmartView Tracker, you can view logs in real time using a thick client application. The client
application provides easy log navigation and filtering.
• Certain reports in SmartPortal are available from the Endpoint Security Administrator console. See
Monitoring Client Security. This allows you to view the detailed reports you are interested in directly
from the Endpoint Security Administrator Console.
• SmartView Monitor displays real time Endpoint Security statistics, along with all other Check Point
events.
• Shared Administrator Logins – You can use the same login for Endpoint Security as you do for other
Check Point products. SmartDashboard automatically creates an Integrity object upon installation and
grants Endpoint Security access to all administrators with SmartDashboard access.
Note - Administrator accounts created in SmartCenter can launch Endpoint
Security using the same read/write privileges assigned to them in
SmartCenter. However, these administrators are not able to create
administrator accounts in Endpoint Security.
You cannot create administrator accounts in SmartCenter using the roles
and role permissions available in Endpoint Security (for example, you
cannot create an administrator account with the ability to assign Policies,
but not edit Policies, or an account with only the ability to run reports). To
create these types of accounts you must log directly into Endpoint Security
using the masteradmin login.

System Architecture
The Endpoint Security system consists of two basic components: Endpoint Security Server, and the
Endpoint Security clients installed on your endpoint computers. You can also optionally include other items
in your system, such as gateways, RADIUS servers and LDAP servers.

All Endpoint Security Installations include SmartPortal, which provides reporting functionality, and other
Check Point components that function in the background.
Figure 1-1 Basic Endpoint Security Architecture

Endpoint Security Server


The Endpoint Security server allows you to centrally configure and deploy your Endpoint Security enterprise
Policies. Endpoint Security uses its own embedded datastore to store administrator, configuration, and
security policy information.

Administrator Console
The Endpoint Security Administrator Console is the graphical user interface you will use to create your
security Policies and deploy them to your users. You can also use the Administrator Console to pre-package
Endpoint Security client executables with configuration settings and Policies before you deliver them to your
users.

Endpoint Security Clients


As part of the Endpoint Security system you will be installing Endpoint Security clients on your endpoint
computers. These clients monitor your endpoints and enforce your security Policies. The Endpoint Security
system includes different clients: Endpoint Security Agent and Endpoint Security Flex. You may configure
and package either type of client with VPN capabilities.
Depending on your security needs and the components you have purchased, you may be working with more
than one of these client types.
To start planning your security system, decide which type of client you will deploy on which computers.

Agent Client
Use Endpoint Security Agent when you want to centrally manage security at all times. It has a simpler
interface, fewer messages, and does not allow the user to control security settings. This client is useful for
computers that belong to your organization, over which you have full legal control.
If you use the version of Agent that also has VPN capability, the users are provided with an interface to
configure their VPN and to manage some Anti-virus and Anti-spyware functions.
If endpoint users have the Agent client, without VPN, new networks are added by default to the Trusted
Zone and newly detected programs are allowed. This makes it less secure than Flex when the personal
policy is active. If you want to use Agent for remote users or users with laptops, you should specify a
Disconnected Policy to increase security.
Agent supports both Windows and Linux.

Flex Client
Use Flex when you want the endpoint user to control more security settings, and under certain conditions to
get prompts to make security decisions. Flex users can create personal security Policies for use while not
connected to your network.
Generally, use Flex for expert users who are familiar with security issues. Flex is also useful when you want
to provide Endpoint Security for computers you do not own and over which you are legally restricted from
exercising too much control.
The Flex client includes a user interface called the Check Point Flex Control Center. Endpoint users use the
Control Center to configure personal Policies. (To access the Flex Control Center, right-click the Endpoint
Security icon in the system tray and choose Show Client.)

VPN Agent and VPN Flex


The Agent and Flex clients can be packaged with VPN (Virtual Private Network) functionality.
The VPN may be either Check Point Endpoint Connect or the Legacy Endpoint Security VPN (also known
as SecureClient) or both. The VPN enables you to control client network access at the gateway and
provides users with a convenient unified interface for logging into the VPN.
If the user needs to switch between the VPN clients, this can be accomplished using the ChangeVPN tool
included on the CD. See the Endpoint Security Client User Guide
http://www.supportcontent.checkpoint.com/documentation_download?ID=10580 for more information on
switching between VPN clients.

Disabling Windows Firewall


If your endpoint computers are using a version of Windows that includes the Windows Firewall, you should
configure the policy to disable the Windows Firewall.
To disable Windows Firewall:
1. Click Policies.
2. Under the policy you want, click Edit.
3. Open the Client Settings tab.
4. In the General Connections Settings area, choose Disable the Windows Firewall.
5. Save and deploy the policy.

Chapter 2
Getting Started
To help you set up and deploy security measures with Endpoint Security as quickly as possible, this chapter
provides recommendations for planning and step-by-step tasks for initial configuration and deployment on
clients.

In This Chapter

Choosing Your Enterprise Policy Types 14
Choosing Your Security Model 14
Gathering Topology Information 15
Planning User Support 15
Distributing First Client 15
Configuring and Deploying the Default Policy 16
Assigning Policies 23

Choosing Your Enterprise Policy Types


Endpoint Security enforces your security rules by means of enterprise Policies. By using different types of
enterprise Policies you can provide different levels of security to your endpoint users depending on their
situation.
• Connected Enterprise Policies — These Policies are enforced when the endpoint computer is
connected to your Endpoint Security server. You will usually make these Policies more permissive than
your disconnected Policies.
• Disconnected Enterprise Policies — These Policies are enforced when the endpoint user is not
connected to your Endpoint Security server. Generally, you will want your disconnected Policies to be
your strictest Policies.
You can assign connected and disconnected Policies to the same users by means of a policy package. You
can also choose to specify only a connected policy.
If your endpoint user has also created a personal policy using Flex, Endpoint Security will forbid any traffic
that violates either policy. You can also configure the enterprise policy to override the personal policy.
If you use VPN, you can also create a connected enterprise policy and assign it to the VPN. This is the
policy that will apply when the users of that VPN gateway use it to connect to your network.
If endpoint users have the Agent client, without VPN, new networks are added by default to the Trusted
Zone and newly detected programs are allowed. This makes it less secure than Flex when the personal
policy is active. If you want to use Agent for remote users or users with laptops, you should specify a
Disconnected Policy to increase security.

Choosing Your Security Model


You can assign Policies or policy packages to groups of users according to their security needs. These
methods of assigning Policies are the security model. Choose from the following models:
• IP — Assign Policies to IP ranges.
• User — Assign Policies to groups created through catalogs.

While you can configure Endpoint Security to arbitrate between security models, it is easier to begin with
only one security model. Choose the security model that best fits the way your company network is
organized and gather relevant information.
There are several options for catalog types, but for Getting Started, we will assume that you are using either
an IP-based system or LDAP using Microsoft Active Directory. If you choose the LDAP option for this
sample configuration, you will need the following information:
• Primary Host
• User Filter
• Group Filter
• User-ID Attribute
• Server Port
• Base DN
• Administrator Name
• Administrator Password

Gathering Topology Information


Before you begin, you will need the following IP addresses from your current system:
• Domain Name Servers
• Mail Servers
• Domain Controllers
• File servers
• Print servers
• VPN gateway range
• Any other IP addresses or IP ranges to which you want to explicitly allow or deny access.
Test and record beforehand whether or not your test endpoint computers can currently connect to these
locations, both when connected to your network and when disconnected. By recording this information, you
will be able to accurately test your Endpoint Security configuration. If you do not record this information, you
will not know what behaviors to expect when you are testing.

Planning User Support


If your pilot will not have any genuine users, only test endpoint computers, you do not need to plan user
support. However, if you are doing a pilot deployment to users or a production deployment you should plan
your user support strategy. This should include how to notify your users of your new security measures and
coordinate with your helpdesk support. This will reduce the inconvenience to your users and reduce the
burden on your support team.

Distributing First Client


There are several Endpoint Security client packages provided by default. You must distribute the client to
users before you can deploy custom security Policies on the computers. This task explains how to perform
the simplest method of client distribution, but it does require user cooperation.
To distribute the Endpoint Security Client:
1. Go to the Home page of the Endpoint Security Administrator Console.
In the Client Packages area, there are links available for both Agent and Flex client packages. If your
license includes VPN capabilities, there are also links for the VPN-enabled versions of these client
packages as well.
2. In the row for the client package you want, click Email.

The first time, you will be prompted to provide your name, e-mail address and e-mail server information.
3. Enter your endpoint users' e-mail addresses in the e-mail template.
The e-mail contains a link to the package, with instructions to download the client and let it install on the
computer.
Endpoint users run the executable. The Endpoint Security clients contact the Endpoint Security server and
receive the Default Policy. Your endpoint computers are now protected by the Endpoint Security system.

Configuring and Deploying the Default Policy
It is recommended that you configure and distribute security Policies in stages. This allows you to test your
system at the end of each stage, to view the results of your configuration, and to troubleshoot errors. It also
allows you to achieve basic security quickly while you plan and execute the next stages.

Policy Stages
The following sections explain how to secure your system using the following stages:
1. Distributing Your First Policy — Achieve a basic level of security immediately by distributing the pre-
configured Policy.
2. Creating a Basic Policy — Modify the default Policy using some basic features.
3. Creating a More Advanced Policy — Add some more features to your basic Policy.
4. Creating Custom Policies — Create catalogs and assign specialized Policies to the users in those
catalogs.

Default Policy
Check Point provides you with a pre-configured, default policy that you can use as your first policy. This
policy includes some basic security features. Use the default policy as your first policy, without making any
changes to it.

Creating a Basic Policy


The tasks in this section describe how to modify the pre-configured, default policy with system-specific
security.
It is recommended that you save a copy of the default policy before changing its settings.

Note - Whenever you save a policy, it is recommended that you add a version number to the description
and increment it every time you make a change. You may also want to add your initials and the date.

Perform the tasks in the following order to create your basic policy:
1. Configuring Zones (on page 16)
2. Configuring Program Advisor (on page 18)
3. Deploying the Policy (on page 19)
4. Testing Policy and Zones (on page 19)

Configuring Zones
Endpoint Security uses Zones to control network activity. Divide your network into the Access Zones of
Trusted, Blocked, and Internet; and then set security levels for those Zones.

Zone Description

Trusted: Include in this Zone all the locations that you trust and that your users need access to. For
example: DNS, Mail Server, Domain Controller, File and Print servers. Do not place your entire network in
the Trusted Zone.

Blocked: Include in this Zone all the locations that you do not want your endpoint users communicating
with. You may choose to include dangerous or undesirable locations, or internal locations to which you
want to restrict access, such as Human Resources servers.

Internet: All locations not included in either the Trusted or the Blocked Zones are considered to be in the
Internet Zone. You do not need to define this Zone, as it is the default Zone.

Setting New Network Handling Parameters


This task shows how to put undefined networks into the Internet Zone (untrusted) as soon as the client
detects a new network.
To set new network security:
1. Click Policies.
2. In the Default Policy row, click Edit.
You are now redefining security settings for your default policy. The security settings you define in this
policy will apply to all users who are not assigned a custom policy.
3. Click Access Zones.
The first area shows options for When a new network is detected by the client:
4. Choose Leave Network in the Internet Zone.

Defining Zones
In this task you define the Trusted Zone and the Blocked Zone for your endpoint users. The first step is to
define Locations: a host, site, IP address, IP range, or subnet that you can define as either trusted or
untrusted.
To define locations:
1. Click Policies.
2. In the Default Policy row, click Edit.
You are now redefining security settings for your default policy. The security settings you define in this
policy will apply to all users who are not assigned a custom policy.
3. Click Access Zones.
4. In the Define Zones area, click Add.
The Add Locations to Zones page opens.
5. Click New Location and choose the location type from the drop-down.
The New Location page opens, with the fields relevant to the selected location type.
6. Provide the information for the location.
7. Click Save.
8. Add all locations that you can define now.
After defining locations, add them to either the Trusted Zone or the Blocked Zone.
To define the Trusted Zone:
1. In the Add Locations to Zone page, select the locations that you want to add to the Trusted Zone.
2. In the Add to Zone drop-down, select Trusted Zone.
3. At the top of the page, click Add.

To define the Blocked Zone:
1. In the Add Locations to Zone page, select the locations that you want to add to the Blocked Zone.
2. In the Add to Zone drop-down, select Blocked Zone.
3. At the top of the page, click Add.

Zone Rules
Zone rules control the traffic to and from the Access Zones you have defined for a selected policy. This task
is performed in the Edit Policy page > Access Zones tab and shows the recommended settings.
To set Zone rules:
1. In the Security Rules for Internet Zone area, click Show Settings.
2. From the Security Level drop-down, choose High.
3. In the Security Rules for Trusted Zone area, click Show Settings.
4. From the Security Level drop-down, choose Medium.
5. In the Advanced Security Settings area, click Advanced.
6. Make sure Block fragments at all security levels is cleared.
7. Click Save.
You have now configured your Access Zones in your default policy.

Configuring Program Advisor


Program Advisor is a licensed service provided by Check Point that gives security policy recommendations
for programs. These recommendations are used in your security policy to control what applications can do
on your system. Program Advisor can block or allow a program's access to your Access Zones. It can also
terminate malicious programs. Use Program Advisor to get professional recommendations from Check Point
security professionals about which permissions to assign to common programs. This reduces your workload
while improving security and usability.
Program Advisor is licensed separately from the rest of the Endpoint Security system. You can activate this
license in the Check Point User Center and then apply it using the cplic command. Program Advisor is
enabled by default. A 15-day trial of Program Advisor is included with Endpoint Security. You can also obtain
a 30-day evaluation key from the media kit, or from the Check Point User Center.
For Program Advisor to work correctly, Endpoint Security must have Internet access to connect to the
Program Advisor Server (on ports 80 and 443) and retrieve the latest program information. Ensure that your
firewall allows this traffic.

Using Program Advisor with a Proxy Server


If your environment includes a proxy server for Internet access, perform the configuration steps below to let
the Endpoint Security server connect to the Program Advisor Server through the proxy server. Note that all
configuration entries are case-sensitive.
To configure a proxy server:
1. Open the Registry Editor (regedit.exe).
2. Edit "My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0
\IntegrityTomcat\Parameters\Java\options" by adding the following:
-DproxySet=true
-Dhttp.proxyHost=<hostname>
-Dhttp.proxyPort=<port>
-Dhttps.proxyHost=<hostname>
-Dhttps.proxyPort=<port>
3. Close the Registry Editor.
4. Open the Services panel.
5. Stop the Check Point Tomcat service and then restart it.
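As an added example (not Check Point's own code), the registry edit above done idempotently in Python, so that re-running it replaces rather than duplicates the proxy entries. It assumes that, as for other Procrun services, the JVM options are the REG_MULTI_SZ value named Options under the page's key; the proxy host and port are constructed values.

```python
"""Idempotently add the Program Advisor proxy settings to the Tomcat JVM options."""
import sys
from typing import List, Optional

# Registry location named on the page (under HKEY_LOCAL_MACHINE). Assumption: as with
# other Procrun services, the JVM options live in a REG_MULTI_SZ value named "Options"
# (registry value names are not case-sensitive, so the page's "options" is the same value).
PROCRUN_JAVA_KEY = r"SOFTWARE\Apache Software Foundation\Procrun 2.0\IntegrityTomcat\Parameters\Java"
OPTIONS_VALUE = "Options"


def proxy_options(host: str, port: int) -> List[str]:
    """The five -D entries the page lists, with the proxy host and port filled in."""
    return [
        "-DproxySet=true",
        f"-Dhttp.proxyHost={host}",
        f"-Dhttp.proxyPort={port}",
        f"-Dhttps.proxyHost={host}",
        f"-Dhttps.proxyPort={port}",
    ]


def _property_name(option: str) -> Optional[str]:
    """'-Dhttp.proxyHost=proxy' -> '-Dhttp.proxyHost'; None for non -D options such as -Xmx."""
    return option.split("=", 1)[0] if option.startswith("-D") else None


def merge_options(existing: List[str], new: List[str]) -> List[str]:
    """Apply `new` to the existing option list: an option whose property name is already
    present is replaced in place, the rest are appended. Running it twice changes
    nothing, so the service never ends up with duplicate proxy entries. Option text is
    kept exactly as given: Java property names and values are case-sensitive, as the
    page warns."""
    replacements = {_property_name(opt): opt for opt in new}
    merged, replaced = [], set()
    for option in existing:
        name = _property_name(option)
        if name is not None and name in replacements:
            merged.append(replacements[name])
            replaced.add(name)
        else:
            merged.append(option)
    merged.extend(opt for opt in new if _property_name(opt) not in replaced)
    return merged


def apply_to_registry(host: str, port: int) -> List[str]:
    """Windows only: read the multi-string value, merge, and write it back. The Check
    Point Tomcat service must still be restarted afterwards, as in step 5."""
    import winreg  # only available on Windows

    access = winreg.KEY_READ | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PROCRUN_JAVA_KEY, 0, access) as key:
        current, value_type = winreg.QueryValueEx(key, OPTIONS_VALUE)
        if value_type != winreg.REG_MULTI_SZ:
            raise RuntimeError(f"{OPTIONS_VALUE} is not a REG_MULTI_SZ value")
        updated = merge_options(list(current), proxy_options(host, port))
        winreg.SetValueEx(key, OPTIONS_VALUE, 0, winreg.REG_MULTI_SZ, updated)
    return updated


if __name__ == "__main__" and sys.platform == "win32":
    # Constructed proxy values; replace with your own.
    print("\n".join(apply_to_registry("proxy.corp.example", 8080)))
```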

Deploying the Policy
After you have modified the default policy, deploy the policy to make changes available to endpoints.
Although you have saved your changes to the default policy, it will not be available to assign to entities until
you deploy it.
To deploy the default policy:
1. Click Policies.
2. In the Default Policy row, click Deploy.
3. When asked to confirm, click Yes.
The policy is now active on connected endpoint computers that have the client installed.

Testing Policy and Zones


Use these tests to see if your endpoints received your default security policy, and whether your Access
Zones and Access Rules are working correctly. Make sure to deploy the policy before running this test.
To check your policy and zones:
1. Log on to an endpoint computer that is connected to your network.
2. Go to the URL from the e-mail distributed to users, and download and install the Endpoint Security client
as a user would.
3. Attempt to connect to a location that you placed in the Blocked Zone.
The connection should fail.
4. Attempt to connect to a location that you placed in the Trusted Zone.
The connection should succeed.
If you do not get the expected results from this test, you need to check your location definitions, Access
Zones, and Access Rules.
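As an added example, not code from the guide, here is the Zone resolution described in "Defining Zones" and the check from "Testing Policy and Zones" in Python: the five Location kinds, Blocked/Trusted lookup with Internet as the default, and a comparison of the recorded connection results with what each Zone should produce. Assumptions: a target in both Zones is treated as Blocked, host and site Locations are matched by exact name, and the addresses and results are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Location:
    """One Location as the page defines it: a host, site, IP address, IP range, or
    subnet. Hosts and sites are matched by name (case-insensitive), the rest by address."""
    kind: str    # "host", "site", "ip", "range" or "subnet"
    value: str   # e.g. "10.1.1.53", "10.1.2.10-10.1.2.12", "10.1.10.0/24", "hr-db.corp.example"

    def contains(self, target: str) -> bool:
        if self.kind in ("host", "site"):
            return target.lower() == self.value.lower()
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            return False  # a name was tested against an address-based Location
        if self.kind == "ip":
            return addr == ipaddress.ip_address(self.value)
        if self.kind == "range":
            low, high = (ipaddress.ip_address(p.strip()) for p in self.value.split("-", 1))
            return low.version == addr.version and low <= addr <= high
        if self.kind == "subnet":
            return addr in ipaddress.ip_network(self.value, strict=False)
        raise ValueError(f"unknown location kind: {self.kind}")


@dataclass
class AccessZones:
    trusted: List[Location]
    blocked: List[Location]

    def zone_for(self, target: str) -> str:
        # Assumption: a target in both lists is Blocked. The page does not state the
        # precedence; the conservative reading is used here.
        if any(loc.contains(target) for loc in self.blocked):
            return "Blocked"
        if any(loc.contains(target) for loc in self.trusted):
            return "Trusted"
        return "Internet"  # the default Zone: everything not Trusted or Blocked


# Expected outcome of the test on the page: Blocked must fail, Trusted must succeed.
# The page gives no single expectation for the Internet Zone (it depends on the
# security level), so such targets are not judged.
EXPECTED_SUCCESS = {"Blocked": False, "Trusted": True}


def check_test_results(zones: AccessZones, observed: Iterable[Tuple[str, bool]]) -> List[str]:
    """Compare recorded connection attempts (target, succeeded) with what the deployed
    Zones should produce and return the mismatches to investigate."""
    problems = []
    for target, succeeded in observed:
        zone = zones.zone_for(target)
        expected = EXPECTED_SUCCESS.get(zone)
        if expected is None or expected == succeeded:
            continue
        problems.append(
            f"{target}: {zone} Zone, expected {'success' if expected else 'failure'} "
            f"but got {'success' if succeeded else 'failure'}"
        )
    return problems


# Constructed sample topology, in the spirit of "Gathering Topology Information".
SAMPLE_ZONES = AccessZones(
    trusted=[
        Location("ip", "10.1.1.53"),                # DNS server
        Location("range", "10.1.2.10-10.1.2.12"),   # domain controllers
        Location("subnet", "10.1.10.0/24"),         # file and print servers
    ],
    blocked=[
        Location("ip", "10.1.50.7"),                # Human Resources server
        Location("site", "hr-db.corp.example"),
    ],
)

# Constructed results of the connectivity test from an endpoint after deployment.
SAMPLE_OBSERVED = [
    ("10.1.1.53", True),      # Trusted: succeeded, as expected
    ("10.1.50.7", False),     # Blocked: failed, as expected
    ("10.1.10.77", False),    # Trusted subnet but failed: a location or Zone to recheck
    ("203.0.113.10", True),   # Internet Zone: not judged
]

if __name__ == "__main__":
    for problem in check_test_results(SAMPLE_ZONES, SAMPLE_OBSERVED):
        print(problem)
```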

Creating a More Advanced Policy


This section describes how to define more security settings for default Policies.
1. Setting Firewall Rules (on page 19)
2. Setting Program Control (on page 20)
3. Configuring Enforcement Settings (on page 21)

Setting Firewall Rules


Firewall Rules enable you to restrict traffic to and from endpoint computers based on source and
destination. There are several pre-configured firewall Rules that you can add to your policy, or you can
create your own.
To add firewall Rules to your policy:
1. Go to Policies.
2. In the Default Policy row, click Edit.
3. Click the Firewall Settings tab.
4. Click Add.
5. Select the firewall rules you want to use in the policy and then click Add.
To create custom firewall rules:
1. From the New Firewall Rule drop-down menu, choose either Incoming Firewall Rule or Outgoing
Firewall Rule.
2. Provide the rule information in the page that appears.
3. Click Save.

Setting Program Control
Use Program Control to set permissions for programs that endpoints use. Program rule permissions
determine whether a program can act as a server or as a client to the Trusted and Internet Zones. You can
also configure Program Control to terminate programs.
Before setting up custom program control, enable Program Advisor to set professional security settings for
common programs.

Note - Program Advisor has professionally-chosen security settings for thousands of common programs. It
is highly recommended that you use Program Advisor, as it not only saves you time and effort in setting
program permissions, but it also gives you the advantage of expert recommendations.

If a program is not handled by either Program Advisor or a custom program group, it is placed in the
unknown program group. By default, the unknown program group permissions are all set to block. These
permissions apply to all the programs in the group until you override them with specific, custom permissions.

Creating Program Groups


Endpoint Security comes with some default program groups. Creating additional custom program groups
makes it easier to manage program permissions. Program groups allow you to assign permissions to entire
groups of programs at once.
Program groups act as filters, grouping programs according to the criteria you specify. As programs are
added to the Endpoint Security system, they are automatically added to the appropriate group and the
permissions you specify for that group are enforced.
To create a custom program group:
1. Click Program Permissions.
The Program Group Permissions page opens.
2. Click New Group.
3. Provide the Group Definition information.
Group Definition Description

Name: The name of the program group.

Description: The description of the program group.

Make Settings Available To Unconnected Clients: Includes the group settings in the policy file that is
sent to the endpoint computer. If this option is not selected, and a program is not governed by either an
individual program permission or by Program Advisor, clients that cannot connect to the Endpoint Security
server will use the permissions for unknown programs.

Rank: The priority of the group, determining enforcement if a program belongs to more than one group.
For example, with one program group for Browsers, and a second for Internet Explorer All Versions, IE 6.0
would be a program that falls in two groups. When a client begins to use this program, the group with the
higher rank will enforce its permissions over the client.

4. Define the program with the Filter Settings.
These settings determine which programs will be added to this group. For this example, to block access
to all programs with the file name 'Firefox', add 'Firefox' to the File Name field.
5. Configure the Permission Settings for the group.

Getting Started Page 20


Terminate all programs in this group - Choose this option to shut down all the programs that are in the
group.

Use the following settings for the programs in this group - Choose this option to specify permissions
(allow, block, ask user) for this program to act as client and as server, in the Trusted Zone or the
Internet Zone.

6. Click Save.
By default, this group will be the highest ranking group. Programs are controlled by the permissions of
the first group they match, so Firefox will be blocked by this rule, instead of being allowed by the
browsers rule.
7. Redeploy your Policies.
Although you can configure program permissions at both the global and the policy level, both settings
are included in your security policy. You must redeploy your policy to have either global or policy-level
changes take effect.
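The following is an added example, not part of the Check Point guide: a small model of how the program-group rank, the Make Settings Available To Unconnected Clients option and the unknown-program fallback described above combine to decide a program's permissions. The groups, program names and Program Advisor answers are constructed for illustration.

```python
"""Added example, not part of the Check Point guide: how program-group rank,
the 'Make Settings Available To Unconnected Clients' option and the
unknown-program fallback decide a program's permissions. Groups, program
names and Program Advisor answers are constructed."""
from dataclasses import dataclass

BLOCK, ALLOW, ASK = "block", "allow", "ask"
# Client and server permission in the Trusted Zone and in the Internet Zone.
ZONES = ("client_trusted", "server_trusted", "client_internet", "server_internet")

# The unknown program group: every permission is set to block by default.
UNKNOWN_PERMISSIONS = {zone: BLOCK for zone in ZONES}


@dataclass(frozen=True)
class ProgramGroup:
    name: str
    file_name_filters: tuple     # Filter Settings: file-name substrings, as 'Firefox' above
    permissions: dict            # Permission Settings applied to every program in the group
    available_offline: bool      # 'Make Settings Available To Unconnected Clients'

    def matches(self, file_name):
        return any(f.lower() in file_name.lower() for f in self.file_name_filters)


def resolve(file_name, groups, individual_rules, program_advisor, connected=True):
    """Return (source, permissions) for one program.

    Precedence follows the guide: an individual (override) permission, then
    Program Advisor, then the first matching program group in rank order,
    then the unknown program group. `groups` is ordered highest rank first.
    """
    key = file_name.lower()
    if key in individual_rules:
        return "individual", individual_rules[key]
    if key in program_advisor:
        return "program_advisor", program_advisor[key]
    for group in groups:
        if group.matches(file_name):
            # A client that cannot reach the server only holds the groups whose
            # settings were included in its policy file; otherwise the program
            # falls through to the unknown-program permissions.
            if connected or group.available_offline:
                return f"group:{group.name}", group.permissions
            break
    return "unknown", UNKNOWN_PERMISSIONS


# Constructed policy: the Firefox group created in the steps above outranks the
# Browsers group, so Firefox is blocked even though it is also a browser.
FIREFOX_GROUP = ProgramGroup("Firefox", ("Firefox",), dict.fromkeys(ZONES, BLOCK),
                             available_offline=False)
BROWSERS_GROUP = ProgramGroup("Browsers", ("firefox", "iexplore", "chrome"),
                              dict.fromkeys(ZONES, ALLOW), available_offline=True)
GROUPS = [FIREFOX_GROUP, BROWSERS_GROUP]

# Constructed Program Advisor answer, and the kind of override described in
# 'Overriding Program Advisor' below: every permission set to block.
PROGRAM_ADVISOR = {"messenger.exe": dict.fromkeys(ZONES, ALLOW)}
INDIVIDUAL_RULES = {"messenger.exe": dict.fromkeys(ZONES, BLOCK)}


def decide(file_name, connected=True):
    return resolve(file_name, GROUPS, INDIVIDUAL_RULES, PROGRAM_ADVISOR, connected)


if __name__ == "__main__":
    for name, online in (("firefox.exe", True), ("firefox.exe", False),
                         ("iexplore.exe", False), ("messenger.exe", True), ("tool.exe", True)):
        source, perms = decide(name, online)
        print(f"{name:14} connected={str(online):5} -> {source:16} "
              f"client_internet={perms['client_internet']}")
```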

Overriding Program Advisor


Occasionally, you may wish to use your own custom settings instead of the default settings provided by
Program Advisor.
In this task, you set program permissions for an individual program.
To override Program Advisor permissions:
1. Run a common program, such as an Instant Messenger, that should be handled by Program Advisor.
2. Open Policies.
3. In the Default Policy row, click Edit.
4. Click Program Rules.
5. Click PA Referenced Programs.
The PA Referenced Programs group contains programs for which Program Advisor recommends
allowing network access.
6. Select the program and choose Override Permissions.
Be sure to override the permissions for the exact version of the program you are using.
7. Set all the program permissions to block.
8. Click Save.
To block this program on all clients, deploy the Default Policy now.

Configuring Enforcement Settings


Enforcement settings consist of Enforcement Rules and Restriction Firewall Rules. Enforcement rules require
or prohibit certain software on endpoint computers. Unlike Program Rules, which control the network access
of programs, enforcement rules determine what can be (or must be) on a computer when connecting to your
network.
When an endpoint user violates an enforcement rule, the user receives a message, and the rule executes
the action you specified for this violation.

Note - For best performance, it is recommended that you create no more than 40 Enforcement Rules.

Creating an Example Enforcement Rule


This task illustrates an example of an Enforcement Rule. It ensures that clients have Anti-virus running on
the computer.
To create an enforcement rule:
1. Open Policies.



2. In the Default Policy row, click Edit.
3. Open the Enforcement Settings tab.
4. In the Enforcement Rules section, click Add.
5. Click New Rule and choose Anti-virus Rule.
6. In Rule name, enter: Antivirus rule
7. From the Provider list, select your Anti-virus provider.
8. In Minimum engine version, provide the version number of the Anti-virus engine, as listed by the
provider.
9. In Minimum DAT file version, provide the version number of the latest Anti-virus update file that you
have from the provider.
10. In Rule Action, select Restrict clients that don't comply.
This option will restrict client connection from your network if its Anti-virus is not compliant with this rule:
if the client does not have the Anti-virus, if the Anti-virus is too old, or if it has not been updated to the
minimum update file.
11. In Remediation > Custom Alert/Sandbox text, enter: You must have the recommended
antivirus protection
This is what users will see when they violate the enforcement rule.
12. Select Specify a Remediation Resource.
13. Select Upload a file to use as a remediation resource and browse the executable for your
recommended antivirus provider.
When users violate this enforcement rule, they will be given the opportunity to download this executable
so they can become compliant. It is highly recommended that you provide remediation options for all
your enforcement rules.
14. Click Save.
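The following is an added example, not part of the Check Point guide: the compliance check an Anti-virus Enforcement Rule like the one above expresses, covering the three violations listed in step 10 (no anti-virus from the provider, engine too old, DAT file too old), the restrict action, and the Restriction Firewall Rules dependency noted later in this chapter. The provider name and version numbers are constructed.

```python
"""Added example, not part of the Check Point guide: evaluating an Anti-virus
Enforcement Rule against an endpoint. Provider and versions are constructed."""
from dataclasses import dataclass
from typing import Optional
import re


@dataclass(frozen=True)
class AntivirusRule:
    name: str
    provider: str
    min_engine: str                   # 'Minimum engine version'
    min_dat: str                      # 'Minimum DAT file version'
    action: str = "restrict"          # 'Restrict clients that don't comply'
    alert_text: str = "You must have the recommended antivirus protection"


@dataclass(frozen=True)
class EndpointAv:
    provider: Optional[str]           # None: no anti-virus found on the endpoint
    engine: Optional[str] = None
    dat: Optional[str] = None


def version_key(version):
    """Numeric, component-wise key so that '5.10.0' > '5.9.0'. A plain string
    comparison gets this wrong ('5.10.0' < '5.9.0' as strings). Trailing zero
    components are dropped so '5.9' and '5.9.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def evaluate(rule, av):
    """Return (compliant, reason) for one endpoint against one rule."""
    if av.provider is None or av.provider.lower() != rule.provider.lower():
        return False, f"no anti-virus from {rule.provider} found"
    if version_key(av.engine or "0") < version_key(rule.min_engine):
        return False, f"engine {av.engine} is older than the minimum {rule.min_engine}"
    if version_key(av.dat or "0") < version_key(rule.min_dat):
        return False, f"DAT file {av.dat} is older than the minimum {rule.min_dat}"
    return True, "compliant"


def heartbeat(rule, av, restriction_rules_configured):
    """What the endpoint gets on its next check. A 'restrict' action only
    confines the user when Restriction Firewall Rules exist for the policy
    (see 'Setting Restriction Firewall Rules'); otherwise only the alert
    text is shown."""
    compliant, reason = evaluate(rule, av)
    if compliant:
        return {"restricted": False, "message": None, "reason": reason}
    restricted = rule.action == "restrict" and restriction_rules_configured
    return {"restricted": restricted, "message": rule.alert_text, "reason": reason}


# Constructed rule matching the steps above.
EXAMPLE_RULE = AntivirusRule("Antivirus rule", "ExampleAV",
                             min_engine="5.9.0", min_dat="2010.02.20")
```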

Adding Enforcement Rules to Policies


After creating Enforcement Rules, add them to the policy to enforce the rules on the clients.
To add an enforcement rule to a policy:
1. Open Policies.
2. In the Default Policy row, click Edit.
3. Open the Enforcement Settings tab.
4. Select the checkboxes of the rules to add to the policy.
5. Click Save.
The selected rules will be enforced on the clients when the policy is updated.

Setting Restriction Firewall Rules


Restriction Firewall Rules control where your user can go on your network when they are out of compliance
with one of your enforcement rules that is set to restrict the user. If you do not set Restriction Firewall Rules
for your restricting enforcement rules, the user will not be restricted.
To set your Restriction Firewall Rules:
1. Open Policies.
2. In the Default Policy row, click Edit.
3. Open the Enforcement Settings tab.
4. In the Restriction Firewall Rules section, click Add.
The Add Enforcement Rules page opens.
5. Choose the restriction firewall rules that you want to use to confine noncompliant users to a certain area
of your network.
6. Click Add.
7. In Edit Policy > Restriction Firewall Rules, use the Change up and down arrows to arrange the
firewall rules.
The Endpoint Security client enforces the firewall rules in the order that they appear here. Generally, you
will want to create rules to allow traffic to the areas you want the user to have access to, and then
specify a 'cleanup rule' as the last rule, blocking all traffic.
8. Click Save.



Testing Program and Enforcement Rules
Use these tests to see if your endpoints received your default security policy, and whether your Program
Rules and Enforcement Rules are working correctly. Make sure to deploy the policy before running this test.
To check your program rule:
1. Log into an endpoint computer.
2. Run the program you defined Program Rules for.
3. Compare your results to the rules you defined.
To check your Enforcement rule:
1. Log into an endpoint computer.
2. Remove your recommended Anti-virus provider from the computer.
3. Attempt to connect to your network.
4. You should receive a message and be restricted.

Assigning Policies
After you configure and deploy the default policy, you can create more specific security Policies and assign
them to users. The most efficient and consistent method is to create catalogs (groups of users) and assign
customized Policies to relevant catalogs.
To perform these tasks, if you are in Single mode and Simple view, switch to Advanced view.

Creating Catalogs
Use catalogs to sort your users into groups for the purpose of assigning security Policies. You may wish to
assign Policies according to user catalogs or according to IP range, depending on how your company
network is organized. This section will use LDAP with Microsoft Active Directory as an example of a user
catalog, but other options are available and are created in a similar way.

Creating an LDAP Catalog


If you want to assign Policies by user catalog, create an LDAP catalog. This task illustrates an example
using Microsoft Active Directory.
To create an LDAP catalog entity:
1. Click Endpoint.
2. Click New Catalog and choose LDAP.
3. Choose Microsoft Active Directory.
The New LDAP Catalog page refreshes and the fields relevant for Microsoft Active Directory appear.
4. Complete the information for your Microsoft Active Directory.
Be sure to provide the full LDAP path.
Example: cn=administrator;cn=users,dc=domainname,dc=com
5. Click Import Groups.
6. Click Save.

Creating an IP Catalog
Create an IP catalog to assign a policy to users according to their IP range.
To create an IP catalog:
1. Click Endpoints.
2. Click New Catalog and choose IP Catalog.
3. In IP Catalog Name, provide a name for the user group.
4. In Address Range, provide the relevant IP addresses.
5. Click Save.



Assigning a Custom Policy
To enforce a custom policy on a catalog, you assign the policy to the catalog of endpoints.
To create a test custom policy:
1. Open Policies.
2. In the Default Policy row click Duplicate.
The policy opens in the Edit Policy page, as Copy of Default Policy.
3. Click Save.
The Version Comments page appears.
4. Provide a comment and click Save.
5. The new policy appears in the Policy Manager page.
Now you will assign the custom policy to a catalog. Assigning a policy means that the members of that
catalog will be subject to the rules included in that policy. Users that are not assigned custom Policies are
subject to the rules included in the default policy.
To assign the custom policy:
1. Click Endpoints.
2. Select the checkbox of the catalog you created and click Assign Policy.
The Assign Policies page opens.
3. From the Policy list, select the custom policy you created.
4. Click Assign.
All the users belonging to that catalog will now receive the new policy, which does not require an
Antivirus provider.



Chapter 3
Managing Domains
Endpoint Security uses domains in Multi-Domain mode to organize endpoint users into large units (which
can be further classified in catalogs and groups). Multiple domains allow you to create organizational units
that have their own administrators.
If you are in Single mode, you have one domain and can skip this section.

In This Chapter

Multi-Domain Administrators 25
System Domain and Non-System Domains 25
Checking Your Domain 26
Switching Domains 27
Creating Domains 27
Deleting Domains 27

Multi-Domain Administrators
Multi-Domain mode has different types of administrators.
Table 3-1 Global and Domain administrators

Global Administrator - In Multi-Domain mode, global administrators have access to all domains, including
the System Domain, and are usually responsible for creating and managing domains, entities, global policy
data, policy templates, and Endpoint Security system operations.

Domain Administrator - Each domain has an administrator. This user is responsible for creating and
assigning Policies, monitoring and troubleshooting connections, and running reports. According to the
permissions of this administrator, there may be more responsibilities over catalogs and groups.

System Domain and Non-System Domains


There are two types of domain in Multi Domain mode.

Table 3-2 System and Non-System Domains

System Domain - This domain provides centralized control for creating new domains and performing tasks
that involve the entire system. The System Domain is created when you install Endpoint Security and is the
Domain you see the first time you log in as a Global Administrator. There is only ever one System Domain
and only Global Administrators have access to it.

Non-System Domains - These domains are created in the System Domain. The tasks performed here affect only
the endpoint users in this domain.

The administrative tasks you perform will vary depending on whether you are in the System Domain or Non-
System Domain in Multi Domain mode, or if you are in Single mode.
Table 3-3 Tasks Available in Different Domains

Domains and Catalogs
  System Domain: Create Domains.
  Non-System Domains or Single Mode: Create Catalogs and Groups.

Administrator Accounts
  System Domain: Create Domain or Global Administrator accounts, assign roles and assign Domain
  Administrators to Domains.
  Non-System Domains or Single Mode: Create Domain Administrator accounts and assign roles. You can also
  assign administrators to Catalogs.

Default Policy
  System Domain: Set the Default Policy settings. The default policy is inherited by all the domains you
  create.
  Non-System Domains or Single Mode: Inherits the Default Policy from the System Domain. You can make
  changes to the Default Policy to refine your security, or use the default policy as a template for new
  Policies.

Policy Templates
  System Domain: Create policy templates and publish them for use in Non-System Domains.
  Non-System Domains or Single Mode: Use the policy templates to create new Policies.

Sandbox Templates
  System Domain: Create Sandbox Templates.
  Non-System Domains or Single Mode: Use the Sandbox Templates provided to create sandbox pages for your
  endpoint users.

Policy Objects
  System Domain: Create any policy objects that you think will be universally useful for your Domains.
  Non-System Domains or Single Mode: Use the policy objects you inherited from the System Domain to create
  Policies. You can also create policy objects for your domain.

Checking Your Domain


The tasks you can perform and the Policies you want to configure will depend on the Domain you are in.
To verify the domain:
• In the Administrator Console, look under the navigation pane on the left side.
Your administrator name, domain name, and role name are listed.



Switching Domains
As a Global Administrator, you can switch between the System Domain and any Domain you have created.
Domain Administrators can only access the domain they are assigned to.
To switch domains:
1. Click Domain Selection at the top of the screen.
2. Choose the name of the domain.

Creating Domains
You must be in the System Domain of a Multi Domain mode Endpoint Security to create a new domain.
To create a new domain:
1. Switch to the System Domain.
2. Click Domains.
The Domain Manager page opens.
3. Click New Domain.
The New Domain page opens.
4. Provide a Domain Name and Description.
5. Click Save.

Deleting Domains
Before you delete a domain, make sure you are prepared for the effects this will have on your
configurations, administrators, and endpoint users.
When you delete a domain, all the information for that domain is also deleted, including:
• Entities
• Domain Administrator information
• Sandbox pages
• Policies and Data Manager items
Note - To save policy information before deleting, export the policy
(Policies > Policy Manager > Export link of relevant policy).

If Domain Administrators are logged on when their domain is removed, they are automatically logged off. If
an endpoint user is logged on when their domain is removed, the user session is restricted or terminated
on the next heartbeat.
To delete a domain:
1. Switch to the System Domain.
2. Click Domains.
The Domain Manager page opens.
3. In the row of the domain, click Delete.
A confirmation dialog prompts you to verify your action.
4. Click Yes.



Chapter 4
Managing Administrators
Endpoint Security provides flexible administration capabilities. You can create administrator accounts that
are limited to specific domains (in Multi-Domain mode) or to user sets (in both modes).

In This Chapter

Administrator Roles 28
Planning Administrator Configuration 30
Creating Roles 30
Creating Administrator Accounts 32
Editing Administrator Accounts 33
Deleting Administrator Accounts 33
SmartCenter Administrators 33

Administrator Roles
According to your environment, decide on the users who will have administrator roles, and which parts of the
organization each will manage.

If you choose to assign a Domain Administrator to a specific catalog, be aware that this administrator can
assign Policies only to members of that catalog and its groups.
Figure 4-2 Administrator Inheritance in Multi-Domain

• Administrator A has access to your entire system. This administrator can assign Policies to any user.
• Administrator B is assigned to Domain 2. Administrator B can view and change settings for the domain
(in Multi-Domain mode) or the entire organization (in Single-Domain mode) and can assign Policies to
users in this domain.
• Administrator C is assigned to Catalog 3. Administrator C can view and change domain settings, but can
only assign Policies to endpoint users in Catalog 3.
• Administrator D is assigned to Group 2. Administrator D can view and change settings for the domain (in
Multi-Domain mode) or the entire organization (in Single-Domain mode), but can only assign Policies to
endpoint users in Group 2.
You can limit the types of tasks an administrator can perform through the use of roles.
Each administrator must be assigned a role. Roles are composed of privileges, which determine the
Endpoint Security features the administrator can access.
Use roles as a convenient way to assign a set of privileges to administrators.



Note - If you cannot find a particular feature in the Endpoint Security
Administration Console, your assigned role does not have the
privileges for that feature.

Default Roles and Customized Roles


Endpoint Security comes with several pre-configured roles for your convenience. These roles are designed
to reflect the most common division of administrative tasks. Use the Role Manager page to view the
available pre-configured roles (System Configuration > Administrators > Manage Roles).
If the default roles reflect the administrative responsibilities in your organization, assign one of these roles to
each of your Endpoint Security administrators.
If the default roles do not reflect the administrative responsibilities in your organization, you can edit them or
you can create new, customized roles. You may want to use a default role as a template for your
customized role.

Privileges
Privileges consist of a set of read/write permissions for various Endpoint Security features.
For each privilege, there are three possible permission settings:
• No access - The administrator cannot access the feature. All links to the feature are hidden.
• Read - The administrator can view the feature, but cannot change settings or perform actions and
cannot see the controls.
• Read/Write - The administrator can access and change the settings and actions.

Planning Administrator Configuration


Before you begin configuring your administrators and their roles, you need to know the following:
• The e-mail addresses and login names of all your administrators. If the Endpoint Security administrators
are authenticated against an external database, the administrator ID must match the user name in the
external database.
• The type of account for Multi-Domain mode: global or domain. You create global administrator accounts
in the System Domain, and domain administrators in the domain to which they belong.
• The roles and privileges you want your administrators to have. When you create the account, you must
assign the role. You can create the roles that you need in advance, using the Role Manager page, or
you can create roles as you need them while creating administrator accounts.
• Whether you want to restrict administrator access to a particular catalog, gateway, or group. You can
assign the administrator to the entire domain (in Multi-Domain mode) or to one or more specific catalogs
or groups. Administrators that are not assigned to a catalog or group are assigned to the entire
organization by default.
• Whether you want to use RADIUS authentication or Endpoint Security's built-in authentication. If you
want to use a RADIUS server to authenticate your administrators, configure it before creating
administrator accounts. See Configuring a RADIUS Server (on page 164).

Creating Roles
You can create a new role by duplicating an existing role on the Role Manager page and then making edits,
or by defining an entirely new role.
To create a role:
1. Click System Configuration > Administrators > Manage Roles.
The Role Manager page opens.



2. To create the role from an existing role, click the Duplicate link of the role you want to copy. The
Duplicate Role page opens.
To create a new role, click New. The New Role page opens.
3. In Role Name and Description, provide descriptive information for the type of role, not a specific user,
because multiple administrators may be assigned this role.
4. In the Access Privileges area, select the read/write permissions you want.

Note - You cannot create a role with greater privileges than your own.
Endpoint Security does not display privileges for which you have
insufficient permission.

Domain Manager - Add, edit, or delete entities and domains in Endpoint Security. (Available in the System
Domain only)

Entity Manager - Add, edit, or delete entities in Endpoint Security. (Available only in non-system
Domains)

Admin Manager - Create administrator accounts, and create, edit, or delete administrator roles.

Event Notification - Configure notifications to administrators regarding system events and set up event
logs. (Available in the System Domain only)

System Configuration - Configure databases and client settings. (Available in the System Domain only)

Program Advisor - Configure the Program Advisor license and settings.

Assignment Priority - Configure which assigned policy is applied to an endpoint, when the endpoint belongs
to more than one catalog or otherwise has more than one policy assigned to it. (Available in the System
Domain only)

Certificates - Create or delete certificates.

Sandbox - Customize remediation resources for a domain and customize the templates that are used to
automatically create remediation resources when a new domain is created.

Client Packager - Create a client package to deploy to endpoint computers.

Policy Manager - Edit and create security Policies.

Firewall Rule Management - Create, edit, or delete firewall rules, source and destination address profiles,
and protocol and port profiles for use in security Policies.

Enforcement Rule Manager - Create, edit, and delete enforcement rules for use in security Policies.
Configure a reference client with the anti-virus software you want to enforce on your network.

Program Management - Edit and create program groups for use in security policy program control rules.
Import, edit and remove SmartSum reference source files.

Template Publishing - Create and modify policy templates, and publish those templates to all domains.
(Available in the System Domain only)

Policy Assignment - Assign security Policies to domains and entities.

Policy Deployment - Deploy security Policies to the policy server.

Reports - Run reports.
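The following is an added example, not part of the Check Point guide: the privilege ordering behind the note above ("you cannot create a role with greater privileges than your own") and the rule under Editing Administrator Accounts that your role must have privileges equal to or greater than the role of the account you change. The feature names are those of the privilege table; the sample roles are constructed.

```python
"""Added example, not part of the Check Point guide: comparing roles built from
the No access / Read / Read/Write privilege levels. Sample roles are constructed."""

LEVELS = {"no access": 0, "read": 1, "read/write": 2}

# Feature names from the privilege table.
FEATURES = (
    "Domain Manager", "Entity Manager", "Admin Manager", "Event Notification",
    "System Configuration", "Program Advisor", "Assignment Priority", "Certificates",
    "Sandbox", "Client Packager", "Policy Manager", "Firewall Rule Management",
    "Enforcement Rule Manager", "Program Management", "Template Publishing",
    "Policy Assignment", "Policy Deployment", "Reports",
)


def level(role, feature):
    """A feature missing from a role means 'no access' (its links are hidden)."""
    return LEVELS[role.get(feature, "no access")]


def covers(own, other):
    """True if `own` is at least as privileged as `other` on every feature.

    This is a partial order, not a ranking: two roles can each exceed the
    other on different features, in which case neither covers the other and
    neither administrator may create or edit the other's role.
    """
    return all(level(own, f) >= level(other, f) for f in FEATURES)


def exceeding_features(creator_role, requested_role):
    """Features on which the requested role would exceed the creator's own role."""
    return [f for f in FEATURES if level(requested_role, f) > level(creator_role, f)]


def can_create_role(creator_role, requested_role):
    return covers(creator_role, requested_role)


def can_edit_account(editor_role, account_role):
    return covers(editor_role, account_role)


def selectable_levels(creator_role, feature):
    """Permission choices to offer for one feature when building a role: the
    guide says privileges above your own are simply not displayed."""
    ceiling = level(creator_role, feature)
    return [name for name, value in LEVELS.items() if value <= ceiling]


# Constructed roles.
POLICY_ADMIN = {"Policy Manager": "read/write", "Firewall Rule Management": "read/write",
                "Policy Assignment": "read/write", "Policy Deployment": "read/write",
                "Reports": "read"}
REPORTING = {"Reports": "read/write"}
HELPDESK = {"Policy Manager": "read", "Reports": "read"}
```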

Creating Administrator Accounts


To create an administrator account:
1. In Multi-Domain mode, go to the appropriate Domain.
• If you want to create a Domain Administrator, switch to the Domain you want this administrator to
govern.
• If you want to create a Global Administrator, switch to the System Domain.
(Skip this step if you are in Single-Domain mode.)
2. Click System Configuration > Administrators.
The Administrator Manager page opens.
3. Click New.
4. Complete the information for the administrator.
Administrator ID - Enter this ID as it appears in the authentication database. If you are not using RADIUS
authentication, record the username and password, to send this information to your administrator. If
external administrator accounts are in different catalogs and administrators can have the same name, append
the catalog name before the user name: catalog.username

Title - The administrator title.

Real Name - The first and last name of the administrator.

E-mail - The e-mail address of the administrator.

Password - The password for this account. (Appears only when Administrator Authentication is enabled)

Confirm Password - The password for this account. (Appears only when Administrator Authentication is
enabled)

5. Assign a role to the administrator.


• In the Assigned Role area, click Edit.
• Select the role, and click Assign.
6. If you want to restrict the administrator to assign Policies to specific users only, assign the administrator
to the catalog, group, or gateway.
Administrators that are assigned to a catalog, group, or gateway are able to assign Policies only to
members of that catalog, group, or gateway. Administrators that are not assigned to a catalog or group
are assigned to the entire organization by default.
• In the Assigned Catalog area, click Edit.
• Select the catalog or group and click Assign.



7. Click Save.
8. Distribute the information to your administrators.
Send the administrators the login and password information for their accounts. You should also include
the URL of the Endpoint Security server login page.
If you are using RADIUS authentication for your administrators you will only need to send them the login
URL. RADIUS-authenticated administrators will use their RADIUS logins and passwords.

Editing Administrator Accounts


If you want to edit an administrator account, be aware of the following limitations.
• To modify a Multi-Domain Global Administrator account, you must be in the System Domain.
• To modify a Multi-Domain Domain Administrator account, you must be in that administrator's domain.
• To make changes to an administrator account, your role must have privileges equal to or greater than
the role of the account you want to change.
• In Multi-Domain mode, you cannot give a domain administrator access to additional domains by
modifying the administrator account. If you want one person to be able to manage more than one
domain, either give that person a different domain administrator account for each domain, or give that
person a global administrator account.
• You can change the user catalogs and groups an administrator has access to by editing the
administrator account. In Multi-Domain mode, to reassign an administrator, you must be in that
administrator's domain.
• If you change role assignment or privileges, Administrators receive the modified role the next time they
log on.

Deleting Administrator Accounts


If you want to delete an administrator account, be aware of the following limitations.
• To delete a Multi-Domain Global Administrator account, you must be in the System Domain.
• To delete a Multi-Domain domain administrator account, you must be in that administrator's domain.
• If administrators are logged on when you remove their accounts, they are automatically logged off.

SmartCenter Administrators
Administrator accounts created in SmartCenter can launch Endpoint Security using the same read/write
privileges assigned to them in SmartCenter. However, these administrators are not able to create
administrator accounts in Endpoint Security. Also, you cannot create administrator accounts in SmartCenter
using the roles and privileges available in Endpoint Security. To create these types of accounts you must log
directly into Endpoint Security using the masteradmin login.



Chapter 5
Managing Catalogs
Use catalogs to organize your endpoint users to easily assign one policy. A domain can contain any number
of Catalogs. Catalogs can contain any number of groups.
Catalog tasks are available in Single mode and in non-system domains in Multi mode.

In This Chapter

Supported Catalog Types 34
User Catalogs 34
IP Catalogs 43
Groups 43

Supported Catalog Types


Endpoint Security supports the following types of catalogs to organize endpoint users:
• User Catalogs - Organize users according to the information imported from your existing third-party user
directories: LDAP, NTDomain, and RADIUS. You can also create custom catalogs, with custom groups
you create manually.
• IP Catalogs - Organize users by IP range or subnet.

User Catalogs
Use user catalogs to assign Policies according to the department or location of the endpoint users. For
example, to allow the Human Resources department users to have access to computers with employee
information, while preventing access by other users, define user catalogs for HR and other departments,
and assign one policy with this specific permission to the HR group.
If a user belongs to multiple catalogs and groups, and each catalog and group is assigned a different policy,
the user gets the policy of the catalog that was added first.

Important - When you add active directory catalogs, make sure you
add them in order of importance.

For example, if UserA is in the LDAP directory and also in a custom catalog, decide which policy (the policy
for the LDAP catalog of users or the policy for the custom catalog of users) should have preference for users
and add that catalog first.

Custom Catalogs
Use custom catalogs in conjunction with the User ID field in the client packager to create your own catalogs,
according to your policy needs. After you have created your custom catalog, create and deploy client
packages (with the appropriate values in the User ID field) to the users you want to include in the catalog.
To create a custom catalog:
1. Click Endpoint.
The Endpoint Manager page opens.
2. Click New Catalog and select Custom.
3. Provide a name and description.

4. Click Save.
To add users to a custom catalog:
1. Click Client Configuration.
2. Click New Package and select a client type, or click an Edit link.
3. In the Edit Client page, open the Advanced Settings tab.
4. In the Custom User ID field, provide: manual://<Catalog_Name>
All endpoint machines that receive the package will belong to the custom catalog you specify here, and
will receive the Policies assigned to that catalog.

Important - If creating client packages with auto-update, with a different Endpoint Security server than
used for initial deployment, use the same User ID for the updated client packages as for the initial client
deployment. This allows you to view the installation results in the auto-update report.

LDAP Catalogs
Use LDAP catalogs to organize your users according to the directory groups in your existing LDAP.
Endpoint Security supports RFC 1777-compliant LDAP (Lightweight Directory Access Protocol) servers
versions 2 and 3. Endpoint Security provides the configuration filters for Novell eDirectory for Windows,
Netscape Directory Server for Windows 2000, and Windows Active Directory Service (native/mixed mode). If
you are using any other LDAP server, you must have the user and group filter information to import the
directories. For more information, see your LDAP provider's documentation.
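The following is an added example, not part of the Check Point guide: a small evaluator for LDAP search filters of the kind the User Filter and Group Filter fields of a custom LDAP catalog take (the two filters shown in the LDAP Catalog Field table later in this chapter are used as input), run against a few constructed Active Directory style entries. It handles equality, presence, '*' substring matching and the &, |, ! operators; RFC 4515 escape sequences are not handled.

```python
"""Added example, not part of the Check Point guide: evaluate LDAP search
filters against constructed directory entries to see which objects a user or
group filter would import."""
import re


def parse(text):
    """Parse a filter string into a tree of ('=', attr, value) and (op, [children])."""
    text = text.strip()
    # The guide writes the group filter with a bare leading '!'; the RFC form
    # is (!(...)), so wrap it before parsing.
    if text.startswith("!"):
        text = "(" + text + ")"
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"unexpected text after filter at offset {end}")
    return node


def _parse(text, i):
    if text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = text[i]
    if op in "&|!":
        i += 1
        children = []
        while i < len(text) and text[i] == "(":
            child, i = _parse(text, i)
            children.append(child)
        if i >= len(text) or text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, children), i + 1
    end = text.index(")", i)
    attr, sep, value = text[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"bad simple filter: {text[i:end]!r}")
    return ("=", attr.strip().lower(), value), end + 1


def _value_matches(pattern, values):
    if pattern == "*":                      # presence test: attribute has any value
        return bool(values)
    # '*' inside a value is a substring wildcard; string matching in the
    # directory attributes used here is case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def evaluate(node, attrs):
    """attrs: lowercase attribute name -> list of values (LDAP attributes are multi-valued)."""
    op = node[0]
    if op == "=":
        _, attr, pattern = node
        return _value_matches(pattern, attrs.get(attr, []))
    children = node[1]
    if op == "&":
        return all(evaluate(c, attrs) for c in children)
    if op == "|":
        return any(evaluate(c, attrs) for c in children)
    return not evaluate(children[0], attrs)


def select(filter_text, entries):
    """Return the DNs of the entries the filter would import."""
    node = parse(filter_text)
    return [dn for dn, attrs in entries if evaluate(node, attrs)]


# Constructed entries modelled on Active Directory. Note that a computer
# account is also of objectClass 'user', so a user filter on objectClass
# alone imports machine accounts as well as people.
ENTRIES = [
    ("CN=Alice,CN=Users,DC=example,DC=com",
     {"objectclass": ["top", "person", "organizationalPerson", "user"],
      "samaccountname": ["alice"]}),
    ("CN=WS01,CN=Computers,DC=example,DC=com",
     {"objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
      "samaccountname": ["WS01$"]}),
    ("CN=HR,CN=Users,DC=example,DC=com",
     {"objectclass": ["top", "group"], "samaccountname": ["HR"],
      "member": ["CN=Alice,CN=Users,DC=example,DC=com"]}),
]

# The two example filters from the LDAP Catalog Field table.
USER_FILTER = "(|(objectClass=user)(objectClass=person))"
GROUP_FILTER = "!(|(objectClass=user)(objectClass=person))"
```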

Increasing the LDAP Result Size Limit


LDAP directory servers can impose a limit on the size of results that are allowed to be returned from a
query. The Microsoft Active Directory LDAP implementation has a default limit of 1000 users. Importing an
LDAP directory with more users than the imposed limit will cause the user directory import to fail. If you have
more than 1000 users, you must increase the limit. The following example shows how to increase the limit for
Microsoft Active Directory. See the documentation for your LDAP directory server for information on
increasing the size limit for that server.
To increase the size limit on query results:
1. Run ntdsutil.exe (located in WINNT\SYSTEM32).
2. At the prompt type: LDAP Policies
3. At the ldap policy prompt, type: connection
4. At the server connections prompt, type: connect to server [servername]
(where [servername] is the name of the LDAP server).
You will be granted access (or not) using the credentials of the locally logged in user.
5. Type q to go back up a menu.
6. At the ldap policy menu, type: show values to see the policy settings.
7. You can set any of these settings. Type: set [attribute] to [value]
For example, to allow 5000 users to be imported at once, type: set MaxPageSize to 5000
To confirm your changes, type: show values
Pending changes are shown in parentheses.
8. When finished, type: commit changes

Creating LDAP Catalogs


Before you create your LDAP catalog, make sure you will not exceed the size limit. You can import all the
users in your LDAP directory, or selected directory groups.
To create an LDAP catalog:
1. Click Endpoints.
The Endpoint Manager page opens.
2. Click New Catalog and choose LDAP.



3. Choose a Catalog Subtype.
Fields of information to define the catalog appear. If you choose a third-party subtype, some of the fields
are filled in.
4. Complete the catalog information (some fields are available only in Multi mode).
Parent Name - The name of the domain to which the catalog belongs.

Policy Name - The policy assigned to the catalog.

Catalog Type - The LDAP catalog type.

Catalog Subtype - The supported LDAP catalog subtypes. For the providers listed here, Endpoint Security
populates various fields with the default settings. It is recommended to keep the defaults.

Primary Host - The fully qualified host name (in FQDN format) or IP address of the primary host server. The
first part of the host name should be in uppercase. To ensure a match with what the endpoint transmits, you
should also repeat the uppercase host name in the list of secondary hosts.

User Filter - The user filter indicates how to find the user attributes. If you select a standard provider
in the Catalog Subtype field, Endpoint Security provides the value automatically. If you select the Custom
catalog subtype, this field will be blank and you must enter a value. For example, the filter
(|(objectClass=user)(objectClass=person)) consists of LDAP attributes and Boolean expressions telling
Endpoint Security to import LDAP objects of class user or person.

Group Filter - The group filter indicates how to find the group attributes. If you select a standard
provider in the Catalog Subtype field, Endpoint Security provides the value automatically. If you select
the Custom catalog subtype, this field will be blank and you must enter a value. For example, the filter
!(|(objectClass=user)(objectClass=person)) consists of LDAP attributes and Boolean expressions telling
Endpoint Security to import LDAP objects of classes other than user or person.

User-Id Attribute - Specifies an attribute that is used to distinguish users with identical common names
(CNs). If you select a standard provider in the Catalog Subtype field, Endpoint Security provides the value
automatically.

Group Attributes - Specifies an attribute that identifies the group to which the user belongs. If you
select a standard provider in the Catalog Subtype field, Endpoint Security provides the value automatically.

Server Port - The port used to connect to the server.

Managing Catalogs Page 36


LDAP Catalog Field Description

Secondary Host and The name of the primary and secondary hosts and
Port ports. To ensure a match with what the endpoint
transmits, you should also repeat the uppercase host
name here. Include secondary host names if the
primary machine has more than one host name and
address.
Use commas to separate host names.
For example,
172.1.1.1,HQDHCP1.zonelabs.com,ZLDC2
demonstrates alternate hostnames are comma-
delimited.
If alternate port numbers exist, separate port numbers
with a colon.
For example, 172.1.1.1:489 demonstrates alternate
port numbers are separated with a colon.
If you do not enter a port number, then each host's port
number defaults to the primary port number that you
entered in the Server Port field. However, if you do type
a port number, then the port number in this field
overrides the primary port number (entered in the
Server Port field).

Proxy Login Server Check this box to designate the catalog (and, by
extension, the associated external user directory) to
use for proxy login.
Proxy login is the method the Endpoint Security server
uses to identify users when it cannot obtain
authentication confirmation directly from the client. In
such cases, Endpoint Security proxies authentication to
the user directory that is the source of the designated
catalog.
Make note of the catalog you designate for proxy login,
and be prepared to tell users which user ID to supply if
Endpoint Security prompts them for proxy login.

Auto Add Checking this box turns on the auto-add feature for this
catalog. Auto-add allows users that are not found in the
catalog to be automatically added to it.

Base DN The base domain name.


The Base DN field specifies the root (or top-level)
group of the directory being imported. It must be the full
"DN", starting at the root.
Syntax:
cn=groupname,dc=domainname,dc=location

Admin Name The administrator name needed to access a protected


directory.
Syntax:
Administrator@Domainname.location

Admin Password Your administrator password needed to access a


protected directory.

You can import information from any server that conforms to the LDAP 2.0 or later specification using
the Custom Catalog Subtype. For information about filtering syntax, see the documentation for that
LDAP provider.

5. Click Import Groups.
6. Use the arrow buttons to choose groups to import and set the priority.
7. Click Save.
When you create the client package to distribute to users in the LDAP catalog, select the appropriate
LDAP option in the Single Sign On ID field.
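The User Filter and Group Filter fields above decide which directory objects an import pulls in. The following Python is an added example, not code from this guide or from the Endpoint Security product: it parses filters of the kind shown in those fields (the RFC 4515 operators &, |, ! plus attr=value and attr=* assertions) and evaluates them against a few constructed directory entries. The group filter is given in full RFC 4515 form, with the outer parentheses around the "!" operator; the entries, DNs and attribute values are constructed sample data.

```python
"""Evaluate LDAP search filters (RFC 4515 subset) against directory entries.

Added example. Supports the &, |, ! operators plus attr=value and attr=*
assertions, which is all the catalog filters above use.
"""
from typing import Dict, List

# Constructed sample entries. Attribute names are stored lower-cased because
# LDAP attribute names are case-insensitive; values are lists because LDAP
# attributes are multi-valued (objectClass in particular).
Entry = Dict[str, List[str]]
DIRECTORY: List[Entry] = [
    {"dn": ["cn=alice,ou=people,dc=example,dc=com"],
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "samaccountname": ["alice"], "mail": ["alice@example.com"]},
    {"dn": ["cn=Finance,ou=groups,dc=example,dc=com"],
     "objectclass": ["top", "group"],
     "member": ["cn=alice,ou=people,dc=example,dc=com"]},
    {"dn": ["cn=printer1,ou=devices,dc=example,dc=com"],
     "objectclass": ["top", "device"]},
]

# The filters from the guide, in full RFC 4515 form (the negated group filter
# needs outer parentheses around the "!" operator).
USER_FILTER = "(|(objectClass=user)(objectClass=person))"
GROUP_FILTER = "(!(|(objectClass=user)(objectClass=person)))"


def parse_filter(text: str):
    """Parse a filter string into a tree of ('&'|'|', [children]),
    ('!', [child]) or ('=', attr, value) tuples."""
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos] if pos < len(text) else ""
        if op in ("&", "|"):
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", [child])
        # Simple assertion: attr=value or attr=* (presence).
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated assertion")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"bad assertion {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return tree


def matches(tree, entry: Entry) -> bool:
    """Return True if the entry satisfies the parsed filter."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "*":                 # presence assertion
        return bool(values)
    return value.lower() in values   # equality; case-insensitive like most servers


def select(filter_text: str, entries: List[Entry]) -> List[str]:
    """DNs of the entries an import using this filter would pull in."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    print("users :", select(USER_FILTER, DIRECTORY))
    print("groups:", select(GROUP_FILTER, DIRECTORY))
```

Running it shows the practical point of a negated group filter: it imports every object that is neither user nor person, the printer included. A positive filter such as (objectClass=group) imports only the groups you intend to assign policy to, which is worth checking before the catalog is saved.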

NT Domain Catalogs
Use NT Domain catalogs to organize your users according to the directory groups in your existing NT
Domain.

Note - NT Domain catalogs are not available in SecurePlatform or Linux installations.

Confirming WINS Server Settings


Endpoint Security communicates with Domain Controllers through the NetBIOS protocol using TCP ports
137-139. For Endpoint Security to import catalogs from an NT or Active Directory domain, you must have a
WINS server with NetBIOS over TCP/IP enabled.
The following example shows how to confirm the setting on a Windows 2000 Server platform. For other
platforms, see documentation of the platform.
To confirm server settings:
1. In Windows, right-click Network Neighborhood.
2. Select Properties.
3. Right-click Local Area Connection.
4. Select Properties.
5. Select Internet Protocol (TCP/IP).
6. Select Properties.
7. Select Advanced.
8. Select the WINS tab.
9. Make sure the Enable NetBIOS over TCP/IP radio button is selected.
10. Click OK.

Note - When Endpoint Security and a Domain controller communicate, they only transmit user IDs. No
passwords are transmitted.

Active Directory Compatibility


Endpoint Security supports Active Directory in native and mixed mode.
If you are using Windows NT Server 4.0 (SP6a) for your Primary Domain Controller or Backup Domain
Controller, then you will need to install Microsoft's ADSI (Active Directory™ Service Interfaces) libraries on
those machines for Endpoint Security to be able to import and synchronize domains. You can download the
ADSI extensions from the Microsoft site at
http://www.microsoft.com/ntworkstation/downloads/Other/adclient.asp. See the Microsoft documentation for
details on installing and configuring the ADSI libraries on your Endpoint Security system.

Changing Login Credentials


The NT Domain import process into Endpoint Security allows you to import all NT Domain users into one
group or select individual NT groups to import.
Single-Domain mode: To import all NT Domain users into one group, configure the Integrity service to run
under an NT Domain account with logon as a service privilege.
Multi-Domain mode: To import an NT Domain catalog, you must have NT Domain administrative privileges.

To change the Endpoint Security login credentials:
1. Open the NT Domain Services tool via Administrative Tools/Services.
2. Highlight the Integrity service, right-click, and select Properties.
3. Click the Log On tab.
4. The default for the Log on as credential will be the Local System Account. Click the This account radio
button.
5. Click the Browse button. This will open the Local Users and Groups for the Windows Server installation
on the host.
6. In environments with multiple domains, there needs to be a trust relationship established among the
domains. The administrator logged onto the computer running Endpoint Security requires the
appropriate privileges to access each domain. It is not advised to create trust.
7. In the Integrity service properties/Log On window, enter the appropriate credentials and passwords
for your domain(s) and click OK.

Creating an NT Domain Catalog


Before creating an NT Domain catalog in Endpoint Security, make sure you have performed the previous
tasks that set up Active Directory for use with Endpoint Security.
To create an NT Domain catalog:
1. Click Endpoints.
The Endpoint Manager page opens.
2. Click New Catalog and choose NT Domain.
3. In the Catalog SubTypes field, choose how you want to structure your NT Domain catalog:
Catalog SubType Field - Description

Import all users into one group - The entire NT Domain that you entered in the Domain Name field will be
imported into the new catalog.

Select groups to import - The Import Groups button becomes available.

The fields to define the catalog appear.


4. Provide your NT Domain user directory information.
NT Domain Catalog Fields - Description

Proxy Login Server - Designates the catalog (and, by extension, the associated external user directory) to
use for proxy login. Proxy login is the method Endpoint Security uses to identify users when it cannot obtain
authentication confirmation directly from the client. In such cases, Endpoint Security proxies authentication
to the user directory that is the source of the designated catalog. Make note of the catalog you designate for
proxy login, and be prepared to tell users which user ID to supply if Endpoint Security prompts them for
proxy login.

Auto Add - Enables the auto-add feature for this catalog. Auto-add allows users that are not found in the
catalog to be automatically added to the proxy catalog.

Domain name - The NT Domain name.

User name - The user name in the format DOMAIN\username. This is needed to access the protected
directory and enumerate and import domain groups and users.

Password - The user name's password. This is needed to access the protected directory and enumerate and
import domain groups and users.

5. If you chose Select groups to import, click Import Groups to display a list of NT Domain groups to
import, and click the arrows to choose groups to import and to set the priority.
Although a user can exist in more than one group within NT Domain, the user cannot exist in more than
one Endpoint Security group. Therefore, Endpoint Security establishes an order of priority when it
imports specific groups from NT Domains.
• If a user exists in more than one NT Group, Endpoint Security places the user only in the higher-priority
group.
• If the user name is not present in any NT Groups, it is added to the top level domain group when
imported.
6. Click Save.
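The priority rule in step 5 determines which policy a user actually receives. The following Python is an added example, not code from this guide or the product, that applies the rule to constructed membership data: the priority list is in the order set with the arrow buttons (highest first), and the user names, group names and top-level group name are made up for illustration.

```python
"""Resolve NT Domain group membership into one Endpoint Security group.

Added example of the import priority rule: a user who belongs to several
imported NT groups lands only in the highest-priority one, and a user who
belongs to none of the imported groups goes to the top-level domain group.
"""
from typing import Dict, List, Set

# Constructed sample data. Priority is ordered highest first, as set with the
# arrow buttons on the Import Groups page; "Marketing" was not imported.
IMPORT_PRIORITY: List[str] = ["Domain Admins", "Finance", "Staff"]
NT_MEMBERSHIP: Dict[str, Set[str]] = {
    "alice": {"Staff", "Finance"},
    "bob": {"Staff"},
    "carol": {"Domain Admins", "Staff", "Finance"},
    "dave": set(),                 # in the domain, but in no NT group
    "erin": {"Marketing"},         # only in a group that was not imported
}
TOP_LEVEL_GROUP = "CORP (domain)"  # constructed name for the top-level domain group


def assign_groups(membership: Dict[str, Set[str]], priority: List[str],
                  top_level: str) -> Dict[str, str]:
    """Map each user to the single group the import would place them in."""
    rank = {group: i for i, group in enumerate(priority)}  # lower index = higher priority
    assignment: Dict[str, str] = {}
    for user, groups in membership.items():
        imported = [g for g in groups if g in rank]
        assignment[user] = min(imported, key=rank.__getitem__) if imported else top_level
    return assignment


def users_in_group(assignment: Dict[str, str], group: str) -> List[str]:
    """Users that end up in a given Endpoint Security group, sorted."""
    return sorted(user for user, g in assignment.items() if g == group)


if __name__ == "__main__":
    result = assign_groups(NT_MEMBERSHIP, IMPORT_PRIORITY, TOP_LEVEL_GROUP)
    for group in IMPORT_PRIORITY + [TOP_LEVEL_GROUP]:
        print(f"{group:14s} -> {users_in_group(result, group)}")
```

The consequence for policy design: a policy assigned to "Staff" never reaches alice or carol, because both also belong to a higher-priority group. Put the groups whose policy must win at the top of the priority list, and remember that anyone outside every imported group inherits the top-level domain policy.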

RADIUS Catalogs
If you are going to assign Policies only at the RADIUS directory level and not at the individual user level, you
do not need to import the RADIUS catalogs. Endpoint Security adds users when they are successfully
authenticated during proxy login and assigns the RADIUS catalog-level policy automatically, if you use the
Auto Add feature. Endpoint Security supports RFC 2865-compliant RADIUS software.

Formatting the User Data File


To import RADIUS catalogs into Endpoint Security, copy your RADIUS users file to Endpoint Security.
To format a user data file:
1. Open the user data file you exported from your RADIUS server in a text editor.
Save the file as ASCII by selecting the appropriate format from the encoding drop-down menu. This
saved file will be your user data file.
2. Open the user data file and make sure it is formatted correctly.
The first column must be the username and each username must be followed by a carriage return,
space, or a comma.
You only need to format the first column. Endpoint Security does not use the other columns.
3. Move your user data file from your RADIUS server to the computer that is hosting Endpoint Security.
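The format rule in step 2 (username in the first column, terminated by a carriage return, a space or a comma; remaining columns ignored; ASCII encoding) is easy to check before the file is copied to the server. The following Python is an added example, not code from this guide or the product; the sample file contents are constructed, and the duplicate check is an extra sanity check this page does not mention.

```python
"""Extract usernames from an exported RADIUS users file.

Added example of the user data file format: the first column is the
username, terminated by a carriage return, a space or a comma, and the rest
of each line is ignored. A decode error surfaces the encoding mismatch the
File Encoding field warns about.
"""
import re
from typing import List

# Constructed sample export with mixed line endings and both delimiters.
SAMPLE_FILE = (
    b'alice Cleartext-Password := "s3cret"\n'
    b'bob,Cleartext-Password := "hunter2"\r\n'
    b'carol\r\n'
    b'\n'                                   # blank line, skipped
    b'dave  Service-Type = Framed-User\n'
)

_DELIM = re.compile(r"[ ,]")


def load_usernames(data: bytes, encoding: str = "ascii") -> List[str]:
    """Return the usernames (first column) in file order.

    Raises ValueError naming the offending line if the bytes do not decode in
    the chosen encoding, since a mismatch means valid users would not
    authenticate.
    """
    names: List[str] = []
    # bytes.splitlines() handles \n, \r\n and bare \r, so a username followed
    # only by a carriage return is a complete line.
    for lineno, raw in enumerate(data.splitlines(), start=1):
        try:
            line = raw.decode(encoding)
        except UnicodeDecodeError as exc:
            raise ValueError(f"line {lineno} is not valid {encoding}: {raw!r}") from exc
        line = line.strip()
        if not line:
            continue
        name = _DELIM.split(line, maxsplit=1)[0]
        if name:
            names.append(name)
    return names


def find_duplicates(names: List[str]) -> List[str]:
    """Usernames that occur more than once (one user, two policy groups is
    ambiguous, so this is worth catching before import)."""
    seen, dups = set(), set()
    for name in names:
        (dups if name in seen else seen).add(name)
    return sorted(dups)


if __name__ == "__main__":
    users = load_usernames(SAMPLE_FILE)
    print(users, find_duplicates(users))
```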

Creating a RADIUS Catalog


Use the Endpoint Security administrator console to create catalogs.
To create a RADIUS catalog:
1. Click Endpoints.
The Endpoint Manager page opens.
2. Click New Entity and choose RADIUS.
3. Complete the fields with the appropriate information for your RADIUS user directory and then click Save.
RADIUS Catalog Fields - Description

Primary Host - The name or IP address of the primary host server.

Proxy Login Server - Select if you use a proxy login server and you want to establish this RADIUS server as
the authentication device for proxy login. Proxy login is the method Endpoint Security uses to identify users
when it cannot obtain authentication confirmation directly from the client. In such cases, Endpoint Security
proxies authentication to the user directory that is the source of the designated catalog. Make note of the
catalog you designate for proxy login, and be prepared to tell users which user ID to supply if Endpoint
Security prompts them for proxy login.

Auto Add - Enables the auto-add feature for this catalog. The auto-add feature allows users that are not
found in the catalog to be automatically added to the proxy catalog.

User Data File - The fully-qualified path to the user data file, which contains the exported RADIUS user
information.
Windows example: C:\checkpoint\MyRADIUSUserFile
UNIX example: /checkpoint/MyRADIUSUserFile

Server Port - The server port on which the RADIUS server listens for connection requests. This field defaults
to 1812.

Secondary Host and Port - The name of a secondary host and port. Use this field if the primary machine has
more than one host name and address, or if you are clustering or load balancing.

Shared secret - The shared secret or password needed to access a protected server. Use the shared secret
for the Password Authentication Protocol (PAP) shared secret account.

File encoding - The file encoding type. This setting applies to both the user names read in from the User
Data File and the messages sent between Endpoint Security and RADIUS. The character encodings must be
the same, or valid users will not be authenticated.

Updating RADIUS Catalogs


As the RADIUS user data changes, update Endpoint Security with the new information.
To update your RADIUS catalog information:
1. Format the new user data file.
2. Replace the old user data file with the new file.
If the user data filename and its location remain the same, Endpoint Security will automatically update
the RADIUS catalog. The user data file must reside on the same computer as the Endpoint Security
server.
3. If the new user data filename or location is different from the old user data file, update the User Data File
field in the Edit Catalog page of the RADIUS catalog.

Authenticating Users
Endpoint Security imports user directory information from LDAP, NT Domain, and RADIUS servers, allowing
endpoint users to be authenticated against those directories.

• Gateway authentication - Users connecting to your network through a supported gateway are not
authenticated by Endpoint Security. They receive the policy assigned to that gateway. This method uses
Cooperative Enforcement with Check Point security management and security gateway.
• Native authentication - If your authentication system uses NT Domain, Novell NDS LDAP, or Microsoft
Active Directory, Endpoint Security automatically recognizes those endpoint users.
• Proxy login - If your authentication system is RADIUS or LDAP (other than Novell NDS and Microsoft
Active Directory), use proxy login to authenticate endpoint users.
To configure proxy login, select the Proxy Login Server check box when adding the relevant catalog.
You can designate only one catalog (NT Domain, RADIUS, or LDAP) for proxy login. This catalog will be
the proxy login catalog for all of your domains.
With proxy login, Endpoint Security displays a proxy login window to the endpoint user. After the user
provides credentials, Endpoint Security authenticates them against the external user directory (NT
Domain, RADIUS, or LDAP) and, if successful, assigns the appropriate security policy.

Proxy Login and Auto Add


The Endpoint Security Auto Add feature adds users who are authenticated by proxy login to the catalog. If
you select the Auto Add option during the user directory import process, new users are automatically placed
in the appropriate catalog when they access the network via proxy login. Users must be authenticated on
the LAN before they are auto-added. When Endpoint Security auto-adds a user, it deploys the most recent
policy to the endpoint computer.

Synchronizing User Catalogs


Synchronize updates to Endpoint Security user catalogs and groups with the data on your LDAP or NT
Domain user directory servers. You can synchronize your catalogs manually, or schedule regular
synchronizations.
When you synchronize, the following occurs:
• New records are added to Endpoint Security. New users get their parent group's or catalog's policy. New
groups get the default policy until a specific group policy is assigned.
• Deleted user records are removed from Endpoint Security, but the client software and policy on the
user's computer remains intact. The personal or enterprise policy is still enforced, depending on
configuration.
• Groups that are renamed are treated as a deletion and re-addition of the group. In this case, policy
assignments are lost, and must be reassigned under the new name.
• Unchanged records are left as they are. Assigned Policies remain in force.

Scheduling Synchronization
You can configure Endpoint Security to automatically synchronize with your LDAP or NT Domain user
directory.
It is recommended that you synchronize small catalogs daily. If your catalogs are large and synchronizations
take too long, you may wish to synchronize weekly.
To configure automatic synchronization:
1. In Single-Domain or Simple mode: Go to the Endpoint Manager page.
In Multi-Domain mode: Switch to System Domain and go to the Domain Manager page.
2. In the Synchronize drop-down menus, specify the day and time to synchronize.
3. Click Update.

Manual Synchronization
To manually synchronize a catalog:
1. Go to the Endpoint Manager page.
2. In the row for the catalog, click the Synchronize button to manually synchronize the current entity. This
option is available only for LDAP and NT Domain catalogs.
While Endpoint Security is synchronizing a catalog, you can click the synchronizing link next to the
catalog name to check progress.

IP Catalogs
Use IP Catalogs if your users are organized by IP range.
To create an IP Catalog:
1. Click Endpoints.
The Endpoint Manager page opens.
2. Click New Entity and choose IP Catalog.
3. Complete the fields with the appropriate information.
IP Catalog Fields - Description

IP Catalog Name - The name of the IP Catalog.

Address Range - The IP address range to include in the catalog. The IP range must be unique across all
domains.

Subnet Mask - The subnet mask to include in the catalog, if any. Enter the IP address and then the subnet
mask. For example, 172.18.22.160 / 255.255.254.0.

4. Click Save.
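Because the IP range of every IP Catalog must be unique across all domains, overlapping ranges are the thing to check before saving. The following Python is an added example, not code from this guide or the product; it uses only the standard library, accepts the address-plus-mask form the guide shows as well as CIDR and start-end ranges, and the domain names, catalog names and ranges are constructed.

```python
"""Check IP Catalog address ranges for overlap and membership.

Added example. Ranges may be written as "address / mask" (the form shown in
the guide), as CIDR, or as "start-end"; the catalog data is constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (domain, catalog name)

# Constructed catalogs across two domains, as an administrator might type them.
CATALOGS: Dict[Key, str] = {
    ("Sales", "Sales LAN"): "172.18.22.160 / 255.255.254.0",
    ("Sales", "Sales VPN pool"): "10.8.0.1-10.8.0.254",
    ("Engineering", "Eng LAN"): "172.18.23.0/24",            # inside 172.18.22.0/23
    ("Engineering", "Lab"): "192.168.50.0/255.255.255.0",
}


def parse_range(text: str) -> List[ipaddress.IPv4Network]:
    """Networks covering a range written as address/mask, CIDR or start-end.

    strict=False clears host bits, so "172.18.22.160 / 255.255.254.0" becomes
    the network 172.18.22.0/23 that contains that address.
    """
    text = text.replace(" ", "")
    if "-" in text:
        lo, hi = text.split("-", 1)
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return [ipaddress.ip_network(text, strict=False)]


def find_overlaps(catalogs: Dict[Key, str]) -> List[Tuple[Key, Key]]:
    """Pairs of catalogs whose ranges overlap, regardless of domain."""
    parsed = {key: parse_range(value) for key, value in catalogs.items()}
    keys = list(parsed)
    conflicts: List[Tuple[Key, Key]] = []
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if any(na.overlaps(nb) for na in parsed[a] for nb in parsed[b]):
                conflicts.append((a, b))
    return conflicts


def catalog_for(address: str, catalogs: Dict[Key, str]) -> List[Key]:
    """Every catalog whose range contains the address; more than one hit means
    the uniqueness rule is violated for that endpoint."""
    ip = ipaddress.ip_address(address)
    return [key for key, value in catalogs.items()
            if any(ip in net for net in parse_range(value))]


if __name__ == "__main__":
    print("overlaps:", find_overlaps(CATALOGS))
    print("172.18.23.7 ->", catalog_for("172.18.23.7", CATALOGS))
```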

Groups
Add user groups to custom catalogs and IP catalogs.
To create a group:
1. Click Endpoints.
The Endpoint Manager page opens.
2. Click the name of the catalog to which you want to add the group.
The Endpoint Manager page refreshes and the New Group button is now available.
3. Click New Group.
4. In the Group Name field, type a name for the group.
Every group in a catalog must have a unique name, but user groups in different catalogs may have the
same name.
5. Click Save.
To add users to a group:
1. Click Client Configuration.
2. Click New Package and select a client type, or click an Edit link.
3. In the New or Edit Client page, open the Advanced Settings tab.
4. In the Custom User ID field, provide: manual://<Catalog_Name>/<Group_name>
5. If this is a new package, provide Package Name.
6. Click Save.
All endpoint machines that receive the package will belong to the catalog and group you specify here,
and will receive the Policies assigned to that catalog or group.

Chapter 6
Managing Security Policies
Creating security Policies is the core task involved in implementing security with Endpoint Security. An
Endpoint Security security policy is a set of rules and settings that govern the behavior of your endpoint
computers. Use Endpoint Security security Policies to achieve the goals of your security regulations.

In This Chapter

Understanding Policies 44
Using a Default Policy 53
Creating Policies Using a Policy Template 53
Creating a Policy Using a File 54
Creating Access Zones as Policy Objects 55
Creating Firewall Rules as Policy Objects 59
Creating Enforcement Rules as Policy Objects 63
Creating Program Rules 79
Editing Anti-malware Settings 91
Editing SmartDefense Settings 98
Editing Messaging Settings 99
Deploying Policies 100
Creating Policy Packages 100
Simple View - Activating Policies 100
Assigning Policies 100

Understanding Policies
Enterprise Policies provide centralized management of your Endpoint Security. Administrators create
enterprise Policies and assign them to domains (in Multi-Domain mode) or endpoints.
Depending on your organization's security needs, you may wish to enforce different Policies when endpoints
are connected to or disconnected from your network. To do this, define your Policies and then designate
them as the connected or disconnected Policies.
Designate connected or disconnected when you assign the policy to users.

Note - In Simple mode, when you activate the policy, you designate
its status.

When creating new Policies, be aware of the following general notes:


• If you add policy objects (firewall Rules, Access Zone Locations, Ports and Protocols, Enforcement
Rules), those objects will be available for use in other Policies by all administrators.
• Objects that are created by Global Administrators (in Multi-Domain mode) are available in all domains.
• If you want to be the only administrator allowed to modify this policy, select Lock this policy.
• If you plan to use this policy with Flex clients, decide whether these users will be able to use a personal
policy (Client Settings tab > Advanced > Enforce enterprise Policies only option).

Connected Policies
The connected enterprise policy is the policy that is enforced when the endpoint computer is either
connected to Endpoint Security server; or if you have configured Office Awareness, connected to your
network. Generally, this is a fairly restrictive policy. This policy is used not only to protect the endpoint
computer from threats, but also to protect other computers on your network and to enforce your corporate
Policies. For example, a connected policy might require more restrictive firewall rules, require a particular
antivirus program, or block programs that violate your company computer use Policies, such as illegal file
sharing.

Disconnected Policies
The disconnected enterprise policy is enforced when the endpoint computer is not connected to your
network or to the Endpoint Security server. Sometimes this policy is less restrictive, but provides a minimum
level of security that you can then depend upon at all times. In other implementations, you may want this
policy to be more restrictive to prevent recreational use of endpoint computers.
Through the use of the Office Awareness feature, the client is able to tell whether or not the endpoint
computer is connected to your network. See Configuring Office Awareness (on page 142).

Important - If you do not configure Office Awareness, your clients will use the disconnected policy whenever
they lose contact with the Endpoint Security server. The use of Office Awareness is highly recommended
when using disconnected Policies.

When the endpoint computer is not connected to your network, the connected policy is deactivated and the
disconnected policy comes into effect. The connected policy continues to try to connect to your network. The
disconnected policy doesn't send heartbeats. Once the connected policy successfully connects to the
network, it comes back into effect and disables the disconnected policy.
The goal of the disconnected policy is usually to protect the endpoint computer from the worst threats while
allowing the user more freedom. For example, a disconnected policy might require that the endpoint have
Anti-virus protection, but not be as strict about which brand or version. It might also allow users to run
entertainment programs that they are not allowed to run while connected.
If you do not want to control an endpoint computer's security when it is disconnected, you can omit the
disconnected policy. In the case of Flex users, the personal policy is enforced in the absence of a
disconnected policy.
Windows versions of Flex and Agent can use disconnected Policies. If you deploy a policy package to an
Agent for Linux, the disconnected policy within the policy package will be ignored. Agent for Linux will only
take the connected enterprise policy. Use the RPM Package builder to configure a disconnected policy for
Agent for Linux. For more information, see the Agent for Linux Installation and Administration Guide.
Unlike the personal policy, the disconnected policy is an enterprise policy, so it cannot be modified by the
endpoint user and can be centrally managed by the Endpoint Security server after installation.

Important - By default, when an endpoint computer cannot contact the Endpoint Security server, it will use
the permissions for Unknown programs. If you are using Disconnected Policies and want your program group
permissions to apply instead, see the workaround in Group Permissions and Policies (on page 80).

Personal Policies
Flex users can create their own security Policies: personal Policies. The personal policy gives some
control over security management to the endpoint user, who defines the policy using the Flex Control Center
(user interface).
Agent users do not have access to personal policy settings, although Agent does include an empty personal
policy accessible only through a configuration file.
The personal policy is installed with the client by default. You can specify a pre-configured personal policy
through the client packager or the client parameters, depending on your client deployment method.

If you do not specify an enterprise policy when deploying the client, the client enforces the personal policy
until it receives an enterprise policy to override the personal policy.

Policy Arbitration
If a Flex endpoint user has a personal policy, the Policies are arbitrated. Generally, the more restrictive
policy rule is the one that is enforced. Arbitration occurs with both the connected and disconnected
enterprise Policies.
For example, if the enterprise policy is configured to allow inbound traffic on port 135, but the personal policy
is configured to block it, the traffic will be blocked. Such traffic will also be blocked if the personal policy is
configured to allow it, and the enterprise policy is configured to block it.
To disallow arbitration on Flex clients:
1. While creating the policy for the Flex clients, open the Client Settings tab of the Edit Policy page.
2. Select Enforce enterprise Policies only.

Note - If you choose to ignore personal policy settings, it is recommended that you select the option to warn
endpoint users that their settings will not be enforced. Otherwise they will not understand why their security
settings have no effect.

Policy Packages
Policy packages are bundles of Policies that can be assigned together. Using packages, you can indicate
which policy to enforce as the connected policy and which to enforce as the disconnected policy.
Policy arbitration rules for policy packages are the same as policy arbitration rules for unpackaged
enterprise Policies. However, policy arbitration rules are enforced after the connection state determines
which enterprise policy is enforced. Then the enforced enterprise policy is arbitrated with the personal
policy.
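The two rules described under Policy Arbitration and Policy Packages (connection state selects the enterprise policy, then the more restrictive of enterprise and personal rule wins unless Enforce enterprise Policies only is set) can be written down as a short decision procedure. The following Python is an added example, not code from this guide or the product; the Policy class and the port rules are constructed stand-ins for illustration, not the product's policy format, and the choice to block when neither an enterprise nor a personal policy applies is an assumption of this example.

```python
"""Connection-state policy selection followed by enterprise/personal arbitration.

Added example. Policies here are constructed stand-ins: a map from inbound
port to "allow" or "block", with a default for unlisted ports.
"""
from typing import Dict, Optional


class Policy:
    """Minimal stand-in for a security policy (not the product's format)."""

    def __init__(self, name: str, rules: Dict[int, str], default: str = "block") -> None:
        self.name = name
        self.rules = dict(rules)
        self.default = default

    def action(self, port: int) -> str:
        return self.rules.get(port, self.default)


def select_enterprise_policy(package: Dict[str, Policy], connected: bool) -> Optional[Policy]:
    """Connection state picks the enterprise policy out of a policy package.
    A package may omit the disconnected policy; then no enterprise policy
    applies while disconnected."""
    return package["connected"] if connected else package.get("disconnected")


def arbitrate(enterprise: Optional[Policy], personal: Optional[Policy],
              enforce_enterprise_only: bool, port: int) -> str:
    """Effective action for inbound traffic on one port."""
    if enterprise is None:
        # No enterprise policy applies: a Flex client's personal policy stands
        # alone. Blocking when there is no personal policy either is an
        # assumption of this example.
        return personal.action(port) if personal is not None else "block"
    if enforce_enterprise_only or personal is None:
        return enterprise.action(port)
    # The more restrictive rule wins: blocked if either policy blocks it.
    actions = (enterprise.action(port), personal.action(port))
    return "block" if "block" in actions else "allow"


def effective_action(package: Dict[str, Policy], personal: Optional[Policy],
                     connected: bool, enforce_enterprise_only: bool, port: int) -> str:
    """Full decision: pick the enterprise policy by state, then arbitrate."""
    enterprise = select_enterprise_policy(package, connected)
    return arbitrate(enterprise, personal, enforce_enterprise_only, port)


# Constructed sample policies. The connected policy allows port 135 but the
# personal policy blocks it, the case the guide uses as its example.
CONNECTED = Policy("Corp connected", {135: "allow", 443: "allow", 445: "block"})
DISCONNECTED = Policy("Corp disconnected", {135: "block", 443: "allow"})
PERSONAL = Policy("Alice personal", {135: "block", 443: "allow", 445: "allow"})
PACKAGE = {"connected": CONNECTED, "disconnected": DISCONNECTED}

if __name__ == "__main__":
    for port in (135, 443, 445):
        print(port, effective_action(PACKAGE, PERSONAL, True, False, port))
```

Both directions of the guide's example fall out of the last line of arbitrate: port 135 is blocked because the personal policy blocks it, and port 445 is blocked because the enterprise policy blocks it, even though the other side allows each. With Enforce enterprise Policies only the personal column is simply never consulted.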

Security Policy Component Overview


Enterprise and personal Policies consist of various types of security rules and settings.

Firewall Rules
Firewall rules take a traditional perimeter firewall approach to securing the endpoint. Firewall rules block or
allow network traffic based on attributes of communication packets. You can use firewall rules to block or
allow traffic based on the following attributes:
• Source and/or destination locations
• Protocol and/or port
• Time and/or day the activity occurs

Zone Rules
In addition to firewall rules, you can also control network traffic through the use of Access Zones and Zone
Rules. Access Zones are groups of locations to which you assign the same network permissions: Trusted,
Internet, or Blocked. Zone Rules control network activity to and from your Zones.

Zone Rules
Zone rules control the traffic to and from the Access Zones you have defined for a selected policy. This task
is performed in the Edit Policy page > Access Zones tab and shows the recommended settings.
To set Zone rules:
1. In the Security Rules for Internet Zone area, click Show Settings.
2. From the Security Level drop-down, choose High.

3. In the Security Rules for Trusted Zone area, click Show Settings.
4. From the Security Level drop-down, choose Medium.
5. In the Advanced Security Settings area, click Advanced.
6. Make sure Block fragments at all security levels is cleared.
7. Click Save.
You have now configured your Access Zones in your default policy.

Program Control
Program rules restrict network access on a per-program basis. Whereas firewall rules restrict access
according to packet content, and Zone Rules according to location, Program Control allows you to restrict
network access between a particular program and either your Trusted or Internet Zone.

Program Advisor
Program Advisor is a service provided by Check Point that gives program permission recommendations for
programs. Use Program Advisor to get professional recommendations from Check Point security
professionals about which permissions to assign to common programs. This reduces your workload while
improving security and usability. Program Advisor requires the purchase of an additional license.

Program Advisor
Smart Defense Program Advisor is a service provided by Check Point that gives policy recommendations for
programs. Use Program Advisor to get professional recommendations from Check Point security
professionals about which permissions to assign to common programs. This reduces your workload while
improving security and usability. Program Advisor also lets you choose to terminate malicious programs on
endpoint computers.

Anti-spyware
Check Point Anti-spyware protects your network from threats ranging from worms and Trojan horses to
adware and keystroke loggers. Anti-spyware is a service Check Point provides to customers who purchase
a separate Anti-spyware license. Endpoint Security regularly receives updated spyware definitions from the
SmartDefense Anti-spyware Service, a central server maintained by Check Point. Administrators use these
definitions in specific Policies or in global Anti-spyware settings to enforce regular spyware scans and
treatments on endpoints.

Anti-virus
Check Point Anti-virus protects your endpoint users from known and unknown viruses by scanning for
known viruses and for characteristics of viruses. You have the option of configuring the schedule, deploying
the updates only after testing them, or even deploying the latest update immediately whenever necessary.
When a virus is detected, the client can render it harmless, either by repairing or denying access to the
infected file.

SmartDefense
Activating SmartDefense on your endpoints protects your network from network attacks. These attacks are
characterized by the misuse of allowed traffic and services. They have the capacity to slow or immobilize a
network and cause Denial of Service (DoS) conditions that block endpoint access to hosts and servers.
When SmartDefense protections are in place on your endpoints, the network is protected from attacks such
as the Ping of Death, SQL Slammer, Tear Drop, HTTP worm, etc. Attempted attacks and treatments are
also tracked and recorded for your observation.

Mail Protections
Use Endpoint Security to protect against e-mail threats using MailSafe. The MailSafe feature puts limits on
outgoing e-mail to prevent e-mail worms and other malicious code from using the endpoint computer to send
messages.

Managing Security Policies Page 47


Enforcement Rules
Use enforcement rules to ensure that protected computers comply with your security Policies regarding Anti-
virus and other types of software. If a protected computer does not comply with one or more enforcement
rules, you can restrict the connection using restriction firewall rules.

Policy Objects
Policy objects are the interchangeable parts of your Policies. You can re-use policy objects in different
Policies. The following are policy objects:
• Firewall Rules
• Locations (for Zones)
• Ports and Protocols
• Enforcement Rules
After you create a policy object it is available for use in all your Policies. You can create policy objects:
• In Advance - You can use the Policy Objects page to create all, or most of your policy objects at once.
This is useful when you first start your implementation and want to enter all your locations, ports, and
protocols at once.
• As Needed - At any time you can create policy objects as you need them while configuring your
Policies.

Rule Evaluation and Precedence
It is possible for a single policy to contain conflicting rules. For example, the same policy might contain a
firewall rule that blocks incoming traffic on port 135, and a Zone rule that allows incoming traffic on that port.
Therefore it is important to understand how the different rules are evaluated and enforced by the Endpoint
Security client, and which rules take precedence if there is a conflict.

Hard-Coded Rules
Hard-Coded Rules are provided by Endpoint Security by default to facilitate traffic and help provide some
basic security. These rules take precedence over rules in your Policies and are not displayed in the
Endpoint Security Administrator Console. You can manually reconfigure the following hard-coded rules by
making changes to the XML policy file, but this is not recommended.
• Allow UDP packets to and from the Endpoint Security port 80
• Allow TCP packets to and from the Endpoint Security port 443
• Allow traffic from the local machine to port 53 on any computer. This rule allows access to the Domain
Name Service.
• Accept ICMP (Internet Control Message Protocol) type 9 to local machine. This rule allows router
advertisement.
• Block all traffic from sources that are not in the Trusted or the Internet Zone. This rule is the 'cleanup
rule', which blocks all unhandled traffic.

Security Rules
Network traffic is evaluated the same way whether it is incoming or outgoing.
The client checks hard-coded firewall rules before evaluating traffic against the enterprise or personal policy
rules. If the traffic is allowed by the hard-coded rules, the client then verifies the traffic against the policy in
the following order:
Figure 6-3 Traffic Verification

1. The client checks for a matching Firewall Rule.
• If the Firewall Rule defined in the policy says to block this traffic, the traffic is blocked.
• If there is no Firewall rule blocking this traffic, the evaluation process proceeds to the next step.
2. The client checks if the traffic is going to or coming from a restricted Zone.
• If the traffic comes from, or is going to a Zone that is defined as restricted, the traffic is blocked.
• If the traffic does not come from or go to a restricted Zone, the evaluation process proceeds to
the next step.
3. The client checks for applicable program rules.
• If the traffic matches a program rule in the policy, the client applies that program rule.
• If the traffic does not match any program rules, the client applies the Zone rule.
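The evaluation order above, including the rank-ordered firewall rules in which the first matching rule is the one executed, written out as an added Python example (not Check Point code). The data structures, the sample addresses and program names, the two hard-coded rules it models, and the simplified behaviour of the Low, Medium and High Zone levels are assumptions; the stage order, and the rule that only a blocking firewall match ends step 1, follow the text.

```python
# Traffic evaluation order of the Endpoint Security client, modelled in Python.
# Added example, not Check Point code: the data structures, sample addresses and
# the per-level Zone behaviour are assumptions; the stage order follows the text.
import ipaddress
from dataclasses import dataclass
from typing import Optional

TRUSTED, INTERNET, BLOCKED = "Trusted", "Internet", "Blocked"

@dataclass
class Location:  # kind "ip" (10.0.0.5), "range" (10.0.0.1-10.0.0.50) or "subnet" (10.0.0.0/255.255.255.0)
    kind: str
    value: str
    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.kind == "ip":
            return addr == ipaddress.ip_address(self.value)
        if self.kind == "range":
            lo, hi = (ipaddress.ip_address(p) for p in self.value.split("-"))
            return lo <= addr <= hi
        return addr in ipaddress.ip_network(self.value, strict=False)  # subnet with mask

@dataclass
class Packet:
    remote_ip: str
    port: int
    proto: str         # "TCP" or "UDP"
    direction: str     # "in" (to the endpoint) or "out" (from the endpoint)
    program: str = ""  # sending or receiving program; "" when unknown

@dataclass
class FirewallRule:  # rank is the position in Policy.firewall_rules; the first match is used
    name: str
    src: Optional[Location]  # None means Any
    protos: frozenset
    ports: frozenset         # empty means any port
    action: str              # "Allow" or "Block"
    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or self.src.contains(pkt.remote_ip))
                and pkt.proto in self.protos
                and (not self.ports or pkt.port in self.ports))

@dataclass
class Policy:
    zones: dict           # Zone name -> list of Location (Trusted, Blocked)
    firewall_rules: list  # ordered by rank, rank 0 first
    program_rules: dict   # program name -> "Allow" / "Block"
    zone_levels: dict     # Zone name -> "Low" / "Medium" / "High"
    restricted_zones: frozenset = frozenset()
    def zone_of(self, ip: str) -> str:  # not in Trusted or Blocked => Internet Zone
        for name in (BLOCKED, TRUSTED):
            if any(loc.contains(ip) for loc in self.zones.get(name, [])):
                return name
        return INTERNET

# Assumed simplification of the preconfigured Low/Medium/High Zone levels.
ZONE_LEVEL_ALLOWS = {
    "Low": lambda p: True,
    "Medium": lambda p: p.direction == "out",
    "High": lambda p: p.direction == "out" and p.port in (80, 443),
}

def hard_coded(pkt: Packet, zone: str) -> Optional[str]:
    """Two of the hard-coded rules, checked before the policy; None = undecided."""
    if pkt.direction == "out" and pkt.port == 53:
        return "Allow"  # DNS from the local machine to any computer
    if zone not in (TRUSTED, INTERNET):
        return "Block"  # cleanup rule: sources in neither Zone are blocked
    return None

def evaluate(policy: Policy, pkt: Packet) -> tuple:
    """Return (verdict, stage that decided it)."""
    zone = policy.zone_of(pkt.remote_ip)
    verdict = hard_coded(pkt, zone)
    if verdict:
        return verdict, "hard-coded"
    # Step 1: only a matching Block rule ends evaluation here; an Allow match
    # means "no firewall rule blocks this traffic" and the next step is checked.
    for rule in policy.firewall_rules:
        if rule.matches(pkt):
            if rule.action == "Block":
                return "Block", f"firewall:{rule.name}"
            break
    if zone in policy.restricted_zones:  # Step 2
        return "Block", f"restricted-zone:{zone}"
    if pkt.program in policy.program_rules:  # Step 3: program rule if one matches
        return policy.program_rules[pkt.program], f"program:{pkt.program}"
    level = policy.zone_levels[zone]  # otherwise the Zone rule for its security level
    return ("Allow" if ZONE_LEVEL_ALLOWS[level](pkt) else "Block"), f"zone:{zone}/{level}"

# Constructed sample policy built around the FTP Local / FTP Internet rules.
PRIVATE_SUBNET = Location("subnet", "10.0.0.0/255.255.255.0")
FTP = (frozenset({"TCP", "UDP"}), frozenset({21}))
POLICY = Policy(
    zones={TRUSTED: [PRIVATE_SUBNET], BLOCKED: [Location("ip", "203.0.113.9")]},
    firewall_rules=[FirewallRule("FTP Local", PRIVATE_SUBNET, *FTP, "Allow"),
                    FirewallRule("FTP Internet", None, *FTP, "Block")],
    program_rules={"ftpserver.exe": "Allow"},
    zone_levels={TRUSTED: "Medium", INTERNET: "High"},
)
```

Calling `evaluate(POLICY, pkt)` returns the verdict together with the stage that produced it, so a surprising block can be traced to the hard-coded rules, a ranked firewall rule, a restricted Zone, a program rule or the Zone level.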

Policy Lifecycles
Effective threat management requires that you provide adequate security while maintaining accessibility as
needed. It is recommended that you achieve this through the use of a policy lifecycle. Policy lifecycles
involve iterative deployment of Policies based on information about your system and security needs.
For example:
First deploy the Default Policy to achieve a basic level of security. Then deploy stricter versions of the policy
to increase security. Finally, create custom Policies for certain sets of users. Afterwards, continue creating
and deploying new Policies to adjust your security level to your needs.

Planning Policy Lifecycles
When creating your security Policies, you need to balance your threat protection with system accessibility. If
you are too restrictive, your users may not be able to perform their tasks. Productivity will suffer, and you will
have a large support burden. If you are too lax, your users or your network may suffer a security attack.
You can help balance your threat protection through a planned policy lifecycle. Policy lifecycles consist of
periods of observation and policy deployments.
During the periods of observation, you should use reports and feedback from your users to see how well
your policy is working.
The following are some examples of the aspects you may want to monitor:
• Client Events — To see which of your settings are having an effect. Check to see if they seem to be
blocking legitimate traffic. See if there is other traffic you would like to block.
• Program Activity — To see which programs are most in use. If you do not have permissions for them
(your own or through Program Advisor) you will want to set them. If you are using Program Advisor, you
may want to check recent programs to see if you agree with the recommendations. There are options to
search for recent programs on the Program Group Permissions page.
• Client Connectivity and Compliance — (use the Endpoint Monitor reports, Client Connectivity and
Current Client Compliance Status) To see which users are unable to connect and which ones are out of
compliance with your rules.
You can view these reports in your pilot programs to gain a better understanding of how they work.
Depending on your security situation, you may want to plan a lifecycle that begins with a fairly lax policy, and
iteratively deploy Policies that become gradually stricter. This will allow you to observe the results of your
Policies and make small corrections as you go.

Suggested Policy Settings
Different levels of security require different settings in your Policies. This table lists recommended policy
settings at various security levels. You can use this as a quick reference when creating basic Policies to use
in your lifecycles.
Table 6-4 Suggested Settings Throughout Policy Lifecycle
Setting                Low Security   Medium Security                   High Security
Internet Zone          Low            Medium                            High, Block uncommon protocols at
                                                                        High Security
Trusted Zone           Low            Medium                            Medium, Block Internet Servers
'all other programs'   Allow all      Allow Act as Client;              Block all
                                      Block Act as Server
Enforcement Rules      Low            Most important rules set to       Most important rules set to Restrict;
                                      Warn                              less important rules set to Warn

Low Threat Lifecycle
This lifecycle is recommended if your network is not under an immediate threat. In this lifecycle, you start
with a basic, low level of security and gradually deploy stricter and stricter Policies. This lifecycle provides a
minimal level of initial security with little or no disruption to the endpoint user. The low threat lifecycle takes a
block list approach to security; traffic is allowed unless explicitly blocked.

Creating an Initial Policy - Low
Use the Default Policy as a template to create the initial policy. The Default Policy is pre-configured with the
correct security settings for the Internet Zone, Trusted Zone, and 'all other programs'. Use the information
you gathered in your planning stage to create your initial security rules. You will expand upon and refine
these rules in subsequent Policies.
To create the initial policy:
1. Create locations for any IP or IP ranges you know you will want to block or explicitly allow.
2. Create any firewall rules you want to use.
3. If you have a Program Advisor license, enable Program Advisor.
4. Create a new policy using the Default Policy as a template.
The Default Policy template is pre-configured with minimum security settings. As the policy lifecycle
progresses, you will configure more and more strict settings.
5. Include your firewall rules in the policy.
6. Add your locations to the policy.
By default, Endpoint Security will give your Zones a low level of security. This is appropriate for the early
stages of the low threat lifecycle as it will minimize disruption to endpoint users.
7. Create your enforcement rules and set them to observe.
8. Deploy the policy and client package.

Creating the Second Policy
In this policy you will refine your security rules and add program rules as needed.
To create the second policy:
1. Check programs.
Use the Search option on the Program Group Permissions page to see which programs your endpoint
users have been using. If you are using Program Advisor, you may wish to check to what permissions it
has assigned the programs.
2. Create Program Groups
If you are not using Program Advisor, you may want to create Program Groups in order to more
efficiently assign permissions for programs.
3. Manage your programs.
• If you are not using Program Advisor, configure program group to filter your programs into groups
and set the permissions for those groups.
• If you are using Program Advisor, you may want to create custom settings for some of your
programs. You may also need to give permissions for any programs not covered by program
advisor.
4. Check access.
Use the Client Events report to check inbound and outbound firewall events. Adjust your firewall rules
and access Zones accordingly.
5. Set the security level for the Internet Zone.
Now that you have refined your Zones, you can raise the security level for the Internet Zone to Medium.
6. Make any needed changes to your enforcement rules and set them to warn.
You can check the effectiveness of your enforcement rules using the Client Connectivity and
Compliance reports. Setting the enforcement rules to warn encourages your users to become compliant
without causing unnecessary disruption.
7. Save and deploy the policy.

Creating Subsequent Policies
Continue to refine your Policies. Every time you deploy a new policy, observe the results and use the
information you gather to create your next policy. Once you are very confident that you have sufficient and
correct program permissions and firewall rules, you may make your Policies more restrictive.
To create the third and subsequent Policies:
1. Further refine your program and access settings by repeating steps 1-4 for creating the second policy.
2. Set the security level for the Internet Zone.
After several iterations of policy deployment, you can raise the security level of the Internet Zone to
High.
3. Set the security level for Unknown programs.
The settings for Unknown programs will apply to any program not in Program Advisor or for which you
have not explicitly created permissions. When you're satisfied that you have a fairly comprehensive
listing of the programs you want to allow, and you've set up the rules for those programs to your
satisfaction, you may want to make the rules for unknown programs more strict.
4. Make any needed changes to your Enforcement rules and set them to restrict.
Once you are confident that your users are generally complying with your most important Enforcement
rules, you may want to set them to restrict. Use restricting Enforcement rules sparingly, and only after a
long period of warning, as they are very disruptive to the user. You will need to provide remediation
resources for rules that restrict.
5. Save and deploy the policy.
You should continue to observe activity on the Endpoint Security Administrator Console and periodically
update your Policies.

High Threat Lifecycle
This policy lifecycle is recommended if your network is under immediate threat. It starts with a very high
level of security and gradually becomes less strict to allow more legitimate traffic. The high threat policy
lifecycle takes an allow list approach to security; traffic is blocked unless explicitly allowed by your settings.

Note - This policy lifecycle has the potential to be highly disruptive to users and you should be prepared
for a large support burden. You should only use this lifecycle if your network is under immediate threat.

To minimize the support burden, you should take extra care when:
• Defining the Trusted Zone — Make sure you have included all the necessary resources. With the High
Threat Lifecycle, your users will not be able to access resources that are not included in the Trusted
Zone.
• Managing Programs — Make sure that you have included all the programs your users need, as they
will be unable to use programs that have not been assigned permissions either by you, or by Program
Advisor. If you do not have Program Advisor, or if you have a lot of programs that are not included in
Program Advisor, such as proprietary applications, it is recommended that you use a scan of a reference
computer (see Creating Appscans (on page 85)).
• Setting Your Enforcement Rules — Make sure that you have plenty of remediation resources
available to help your users to become compliant with your restricting Enforcement rules.

Creating an Initial Policy - High
The goal of this initial policy is to give maximum security immediately. The initial policy uses the High
Security template.
To create the initial policy:
1. Create locations for any IP or IP ranges you know you will want to block or explicitly allow.
2. Create any firewall rules you want to use.
3. If you have a Program Advisor license, enable it.
4. If you do not have Program Advisor, or if your users have programs that are not included in Program
Advisor, create a reference source using a reference computer and import it using the Program Manager
page.
The security policy you are creating will block all unknown programs.
5. Create a new policy using the High Security policy as a template.
6. Include your firewall rules in the policy.
7. Add your locations to the policy.
By default, the High Security policy template will set your Internet Zone security level to High and your
Trusted Zone security level to Medium.
8. Create your enforcement rules and set them to Restrict.
You will also need to create Restriction Firewall Rules with remediation resources and add them to the
policy.
9. Deploy the policy and policy package.

Creating Subsequent Policies
After the initial policy is providing a strong level of protection, you will probably need to make the policy less
strict to allow your endpoint users the access that they need. Use the reports and feedback from the
endpoint users to determine which parts of your policy are too strict and create subsequent Policies to grant
more access where it is safe to do so.
To create the subsequent Policies:
1. Check and adjust your Firewall and Zone rules.
Use the Client Events report to see if your Firewall and Zone rules are blocking legitimate traffic.
2. Check and adjust your program rules.
Use the Program Activity report to see if your users are trying to use legitimate programs that you (or
Program Advisor) have not set permissions for.
3. Check and adjust your Enforcement Rules.
Use the Endpoint Monitor Reports, 'Current Client Compliance Status' and 'Client Connectivity' to see
which users are unable to connect and which ones are out of compliance with your rules. If you have an
excessive number of users that are unable to connect, you may need to provide more remediation
resources to your Endpoint users, or set your less important enforcement rules to warn instead of
blocking users.
4. Save and deploy the policy.

Using a Default Policy
Check Point provides a pre-configured Default Policy. You can customize this policy to suit your
organization's needs.
In Multi-Domain mode, a copy of the Default Policy you create in the System Domain is inherited by all the
Domains you create after defining it. This copy is known as the 'Default Domain Policy'. Domain
Administrators can use the Default Domain Policy as you provide it, or make changes to it to customize it for
their needs. The changes that Domain Administrators make to their copies of the Default Domain Policy do
not affect the original Default Policy.
Users that do not belong to any domain (Multi-Domain), catalog, or gateway are assigned the Default Policy
by default.
To use the Default Policy:
1. Configure the Default Policy.
The steps for configuring a Default Policy are generally the same as for any existing policy.
• Click Policies.
• In the row for the Default Policy, click Edit and make any necessary changes to the policy.
• Deploy the Default Policy.
2. Assign the Default Policy to unknowns.
• In Multi-Domain mode, open the Domain Manager page. In Single-Domain mode, open the
Endpoint Manager page.
• In the Assignment Priority area, select Assign the Default Policy to unknown users and IP
addresses.
3. Click Save.
The Default Policy is now assigned to any user that is not already assigned a policy by some other
method.

Creating Policies Using a Policy Template
Policy templates are sample Policies, available for both Multi-Domain and Single-Domain mode. Some
templates are provided by Check Point. If you are in Multi-Domain mode, some templates may have been
created by you or by other administrators. You can use the template Policies as they are, or modify them to
suit your needs.
To create a policy using a policy template:
1. Click Policies.
The Policy Manager page opens.
2. Click New and select From Template.
3. In Policy Name, provide a name for the new policy.
4. Select the policy template to use and click Create.
Template          Description
High Security     The High Security policy template provides an elevated level of security at the
                  expense of user connectivity.
Medium Security   The Medium Security policy template provides mid-level security with minimal
                  end-user interruptions.
Observation       The Observation policy template is designed for observing endpoint behavior and
                  testing client deployment. It provides minimal security while maximizing user
                  connectivity and recording information about endpoint activity. Connectivity
                  alerts let administrators confirm connections to the server.

The Edit Policy page opens.
5. After reviewing and modifying the tabs of the policy as needed, click Save.
The Version Comments page opens.
6. Provide comments to indicate the changes made in this version of the policy. Comments help identify
major changes in case a roll back is needed later.
7. Click Save (policy is saved but cannot be downloaded) or Save & Deploy (save the policy and make it
available for endpoints to download, after you assign the policy to entities).
If you have not already done so, deploy clients to your endpoint computers.

Creating a Policy Using a File
You can save a policy as an XML file: click Export in the Policy Manager page.
If you have an existing policy file from another Endpoint Security server or Flex client, you can import it and
then use it as it is, or modify it to suit your needs.

Important - Endpoint Security does not import all attributes (such as gateway locations). It does not import
attributes created outside of Endpoint Security. Some attributes may be overwritten.

For security reasons, Policies that contain enforcement rules with remediation files are not imported. If you
need to import such a policy, remove the enforcement rule manually from the policy file.
If the imported policy is missing required tags or attributes, they are supplied with default values. You should
review the settings in all the policy tabs before deploying a policy made from a file, to ensure that you are
providing the correct level of protection.
To create a policy using a file:
1. Click Policies.
The Policy Manager page opens.
2. Click New, and select From File.
3. Name the policy and then browse to the location of the policy file.
4. Click Import.
The Edit Policy page opens.
5. After reviewing and modifying the tabs of the policy as needed, click Save.
The Version Comments page opens.
6. Provide comments to indicate the changes made in this version of the policy. Comments help identify
major changes in case a roll back is needed later.
7. Click Save (policy is saved but cannot be downloaded) or Save & Deploy (save the policy and make it
available for endpoints to download, after you assign the policy to entities).
If you have not already done so, deploy clients to your endpoint computers.

Creating Access Zones as Policy Objects
Use the Access Zones features to create security rules in Policies that control protected endpoint computer
network activity.
Zone rules allow you to create different levels of security by restricting or allowing network activity with a rule
that is enforced based on traffic's origination or destination Zone.
Using Zone rules, the client analyzes traffic to and from the protected computer in terms of the Zone the
traffic is coming from or going to, and the ports and protocols involved. If program control is enabled, it also
analyzes the traffic in terms of the application on the protected endpoint computer that is sending or
receiving the traffic.
The following settings are provided:
• Low security essentially removes endpoint protection except for Program Control. This level is
recommended only for environments where threats or intrusions are known to be absent.
• Medium security allows most commonly used network protocols. This level is recommended for the
Trusted Zone in security Policies for protected computers on a Local Area Network (LAN). Medium
security also enforces Program Control.
• High security establishes the strongest level of security by restricting most traffic types. This level is
recommended for the Internet Zone of protected computers connected directly to the Internet or
connected via an insecure network (such as a remote user's ISP).
You can also customize your security level to meet your needs.

Locations
Zones are made up of locations. Locations refer to network locations that you define. Locations can be
defined by specifying any of the following:
• Host
• Site
• IP address
• IP range
• IP subnet and mask
You should create locations in Endpoint Security for areas you want to:
• Allow access to or from
• Restrict access to or from
You can use locations as sources and destinations for creating Access Zones and firewall Rules. You can
either define locations as you need to use them in your Policies, or you can define them before you create
your Policies. Once you have defined a location you can use it in any policy.

Trusted Zone
The Trusted Zone contains traffic sources that you know and trust. In designing Policies, you configure the
Trusted Zone to include only the network elements your protected computers need to communicate with. Do
not place your entire network in the Trusted Zone.
Consider the following when configuring your Trusted Zone:
• Remote host computers connected to the protected computer (if not included in the subnet definitions for
the corporate network)
• Corporate Wide Area Network (WAN) subnets that will be accessed by the protected computer
• Corporate LANs that will be accessed by the protected computer
• Check Point Endpoint Security Server
• DNS servers
• Local host computer's NIC loopback address (depending on Windows version)
• If you specify a local host loopback address of 127.0.0.1, do not run proxy software on the local host
• Internet gateways
• Local subnets
• Security servers (for example, RADIUS, ACE, or TACACS servers)

Blocked Zone
The Blocked Zone contains traffic sources that you don't want your protected computers communicating with
at all. In designing Policies, you will populate the Blocked Zone with dangerous or otherwise undesirable
hosts. You may choose to include dangerous, or undesirable external locations, or internal locations that
you want to restrict access to, such as Human Resources servers.

Internet Zone
The Internet Zone contains all traffic sources that you have not placed in either the Trusted Zone or Blocked
Zone. Internet Zone sources may be outside or inside the perimeter firewall, anywhere on your local network
or on the Internet.
By default, all sources and destinations of network traffic are in the Internet Zone. By placing trusted traffic
sources in the Trusted Zone, you can give your endpoint users access to needed resources while keeping
them safe from Internet threats.

Security Rules
Security Rules control network activity to and from your Zones. Generally, you will want to set permissive
rules for your Trusted Zone and moderate rules for your Internet Zone. Security Rules allow you to set rules
for an entire Zone of locations, instead of having to set rules for each location individually.

Setting Security Levels
To ease administration, Endpoint Security provides preconfigured security levels that you can apply
immediately to the Internet Zone or Trusted Zone. Use the Endpoint Security Administrator Console to set
the security levels for your Zones.
To configure Security Rules:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Access Zones tab.
4. In the Security Rules for Internet Zone and Security Rules for Trusted Zone areas, choose the
security settings you want.
You can use the preconfigured settings, or click the Show Settings button to create custom settings for
the Medium or High security settings.
Rule Settings   Description
Protocol        Lists the protocols the Endpoint Security client recognizes by default.
Incoming        Specifies whether the Endpoint Security client allows or blocks inbound instances of
                the specified protocol. For the UDP and TCP protocols, you can also specify ports or
                port ranges.
Outgoing        Specifies whether the Endpoint Security client allows or blocks outbound instances of
                the specified protocol. For the UDP and TCP protocols, you can also specify individual
                ports by number (24, 25,…), port ranges (24-27, 34-37,…), or a combination of ports
                and port ranges (24, 25, 28-32, 44-47, 55,…). When specifying ports or port ranges,
                always specify port numbers in ascending order (24, 25, 28-37,… not 25, 24, 37-28,…).
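A parser for the port specification described for the Incoming and Outgoing settings, as an added Python example (not Check Point code). It enforces the ascending-order rule from the table; the 1-65535 port bound and the error messages are assumptions.

```python
# Parser for the port specification accepted by the Incoming/Outgoing rule
# settings, such as "24, 25, 28-32, 44-47, 55". Added example, not Check Point
# code; the 1-65535 bound and the error messages are assumptions.
import re

PORT_ENTRY = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")  # "24" or "28-32"

def parse_port_spec(spec: str) -> list:
    """Return [(low, high), ...] for a comma-separated list of ports and ranges.
    Raises ValueError for a malformed entry, an out-of-range port, a range
    written high-low, or entries that overlap or are not in ascending order."""
    entries = []
    last_high = 0
    for raw in spec.split(","):
        token = raw.strip()
        m = PORT_ENTRY.match(token)
        if not m:
            raise ValueError(f"malformed port entry: {token!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 1 <= low <= 65535 or not 1 <= high <= 65535:
            raise ValueError(f"port out of range: {token!r}")
        if high < low:
            raise ValueError(f"range must be written low-high: {token!r}")
        if low <= last_high:
            raise ValueError(f"ports must be listed in ascending order: {token!r}")
        entries.append((low, high))
        last_high = high
    return entries

def is_valid_port_spec(spec: str) -> bool:
    """True if the specification would be accepted."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False

def port_matches(spec: str, port: int) -> bool:
    """True if port falls inside any entry of the specification."""
    return any(low <= port <= high for low, high in parse_port_spec(spec))
```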

Configuring New Network Detection Options
New network detection options determine what the client does when the protected computer connects to a
network that has not already been placed in the Trusted Zone or Internet Zone. Use the Endpoint Security
Administrator Console to configure your network detection options.
To set up the Access Zones of a security policy:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Access Zones tab.
4. Select the option you want for When a new network is detected by the client.
Network Access Zone           Description
Include the network in the    Select to have the Endpoint Security client automatically include
Trusted Zone                  newly-detected networks in the Trusted Zone. The network is placed in
                              the Trusted Zone in the user's policy file, stored locally on the
                              protected computer. It remains there until the policy is edited and
                              redeployed, or a new policy is assigned.
Leave the network in the      Select to have the Endpoint Security client automatically include
Internet Zone                 newly-detected networks in the Internet Zone. This is a higher-security
                              option, but it may result in users being unable to communicate with
                              valid subnets.

Defining Zones
Define your Zones by adding the appropriate locations to them. You can create locations as you need them
from the Zones tab, or you can create your locations in the Location Manager and then add them to the
Zones.
To create re-usable Location objects:
1. Research your network setup to see which subnets, hosts, or other resources need to be trusted or
blocked.
2. Click Policies.
The Policy Manager page opens.
3. Click Manage Policy Objects.
The Policy Objects page opens.
4. Open the Locations tab.
5. Click New Location and choose the location type from the drop-down.
The New Location page opens, with the fields relevant to the selected location type.

Option        Description
Name          Name of the location.
Type          The four location types recognized by Endpoint Security: Host/Site, IP Address,
              IP Range, or Subnet. Endpoint Security enables or disables additional text entry
              areas, described in the following table entries, based on the type of location
              chosen.
Host          The fully qualified name of the computer. For example,
              endpointsecurity.checkpoint.com (not just 'endpointsecurity').
IP Address    An IP address as a 32-bit identifier made up of four groups of numbers, each
              separated by a period, such as 123.432.154.12.
IP Range      The to and from IP addresses as 32-bit identifiers made up of four groups of
              numbers (quads), each separated by a period, such as 123.432.154.12.
Subnet Mask   The IP addresses as 32-bit identifiers made up of four groups of numbers
              ("quads"), each separated by a period, such as 123.432.154.12. The Subnet Mask
              should have the higher bits set for the network and the lower bits for the hosts.

To configure Zones:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Access Zones tab.
4. In the Define Zones area, click Add.
5. Select the locations and choose the Zone to put them in.
6. Click Add.
7. Click Save.

Note - If endpoint users experience network access problems after a policy deployment, check your Trusted
Zone contents first to make sure no needed elements are missing.

Configuring Advanced Packet Handling Settings
Advanced packet handling settings apply to all traffic, regardless of Zone. These rules enable you to defend
against packet fragment attacks, and block or allow VPN protocols or uncommon protocols when High
security is being applied.
To configure advanced settings:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Access Zones tab.
4. In the Advanced Security Rules Settings area, click Advanced.
5. Select the packet types and conditions you want to block.

Advanced Security Rule        Description
Block fragments at all        Blocks all incomplete data packets. Use to respond to a known current
security levels               threat only. Blocking fragmented packets may disrupt normal
                              application traffic.
Block VPN protocols (ESP,     Causes the Endpoint Security client to block all Virtual Private
AH, GRE, and SKIP) at         Network (VPN) protocols when the Zone security level is set to high.
High Security                 This is recommended for most configurations.
Block uncommon protocols      Causes the Endpoint Security client to block uncommon protocols.
at High Security              This is recommended for most configurations.

Creating Firewall Rules as Policy Objects
Implementing firewall rules achieves the same level of security as standard perimeter firewalls by restricting
or allowing network activity based on connection information, such as IP addresses, ports, and protocols,
regardless of the program sending or receiving the packet.
Use firewall rules to:
• Create a standard perimeter firewall on the protected computer.
• Fine-tune program control by restricting the network access of a program or program group.
• Restrict the access of users that are not compliant with your security Policies.

Firewall Rule Rank in Security Policies
In a security policy, rank is the order in which a client evaluates and executes the firewall rules. Because
clients execute the first rule that matches the traffic, the rule rank is extremely important.
Example of Rank
For example, assume you have the following FTP access rules.
• The rule FTP Local allows FTP clients from the local private subnet (Private Subnet) to connect to the
protected computer's FTP server on port 21.
• The rule FTP Internet blocks all FTP clients from connecting to the protected computer's FTP server on
port 21.

Example 1: Allow local traffic and block other traffic


Rank  Name          Src             Dest  Protocol    Time    Action  Track
0     FTP Local     Private Subnet  Any   IP_TCP_UDP  Always  Allow   Log
1     FTP Internet  Any             Any   IP_TCP_UDP  Always  Block   None

In the first example, FTP Local is rank 0 and FTP Internet is rank 1.
• FTP requests from clients on the local subnet match the source address (Private Subnet) and all other
conditions of the FTP Local rule. The client executes FTP Local; the traffic is allowed.
• FTP requests from clients outside the local subnet do not match FTP Local conditions, so the client
checks the next rule (FTP Local is not executed). The traffic matches the conditions of FTP Internet. The
client executes FTP Internet; the traffic is blocked.

Example 2: All access is Blocked


Rank  Name          Src             Dest  Protocol    Time    Action  Track
0     FTP Internet  Any             Any   IP_TCP_UDP  Always  Block   None
1     FTP Local     Private Subnet  Any   IP_TCP_UDP  Always  Allow   Log

In the second example, FTP Internet is rank 0 and FTP Local is rank 1.
• All FTP requests, from clients on the local subnet and from all other locations, match the conditions
of the first rule, FTP Internet, so the client executes FTP Internet; all traffic is blocked.
Note - When FTP Internet is rank 0, traffic always matches the conditions of the first rule. Therefore,
the client never evaluates traffic against the second rule, FTP Local.

Creating Firewall Rules


Create firewall rules for ports and destinations used by your environment.
You can predefine ports in the Ports and Protocols manager and destinations in the Locations manager; or
you can define ports and destinations as you need them while creating firewall rules. The firewall rules
themselves are also re-usable policy objects.
In Multi-Domain mode, firewall rules have icons, indicating whether the rule is global for all domains or local
to the current domain.
Icon           Description
----           -----------
(global icon)  Indicates that the rule is global; settings are managed in the System Domain by
               global administrators.
(local icon)   Indicates that the rule is local; settings are managed in the domain you are in.

To create a firewall rule policy object:


1. Click Policies.
The Policy Manager page opens.
2. Click Manage Policy Objects.
The Policy Objects page opens.
3. Open the Firewall Rules tab.
4. Click New Rule and choose the Incoming or Outgoing.
5. Complete the information for the rule.
Column         Description
------         -----------
(domain icon)  Multi-Domain only: indicates the domain where the rule is managed. The global
               icon marks items managed in the System Domain; the local icon marks items
               managed in the domain you are working in.
Name           The name of the firewall rule.
Source         The source location of network traffic. Use the Location Manager page to
               create source locations.
Destination    The destination location of network traffic. Use the Location Manager to
               create destination locations.
Protocol       The network protocol the rule must match to be applied. Use the Port and
               Protocol Manager page to create protocol definitions.
Time           The days and times the rule is enforced.
Action         The effect of the rule on matched traffic: Block or Allow.
Track          The Endpoint Security client behavior when the rule is enforced:
               Log - record rule enforcement in the Endpoint Security client log.
               Alert & Log - display a pop-up on the endpoint computer and record rule
               enforcement in the Endpoint Security client log.
               None - log and alert messages are not generated.
Used By        The number of Policies that use the rule (selected single domain only).

6. In the Source Locations options, choose Any Source Location (the rule will be applied to all traffic
coming from any source) or Select from Location list.
If you choose to select from the list, the locations table appears. It lists all pre-defined locations, and
provides the New Location button to allow you to create another location if needed.
7. In the Affected Ports & Protocols options, choose Any Port or Protocol (the rule will be applied to all
traffic using any port or protocol) or Select from Protocol list.
If you choose to select from the list, the ports and protocols table appears. It lists all pre-defined ports
and protocols, and provides the New Protocol button to allow you to create another port object or
protocol object, if needed.
8. Click Save.

Adding Firewall Rules to Policies
After you create a firewall rule as a re-usable object, add the rule to security Policies to use the rules on
clients.
Table 6-5 To add a firewall rule to a policy:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Firewall Settings tab.
4. Click Add.
Rules that are already in the policy are not listed.
5. Select the rule, and click Add.
The rule is automatically ranked and enabled.
6. Click Save.
Endpoint users will not receive the new policy until you deploy it.

Note - If you have a rule that blocks or allows all traffic, do not set Track to Log or Alert & Log for
that rule: it matches every connection, so logging it floods the client log.

Ranking Firewall Rules


The Firewall Settings tab contains a list of the firewall rules in the selected policy. These rules are listed in
order of evaluation and execution priority (rank). The client executes only the first firewall rule to match the
traffic.
To rank a firewall rule:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Firewall Settings tab.
4. Use the arrow buttons to rank the firewall rules.
5. Click Save.

Enabling and Disabling Firewall Rules


After adding a rule to a policy, you can temporarily disable it without removing it from the policy. Disabled
rules do not affect network traffic and have no rank. Enabled rules are evaluated and executed in the rank
order, and affect network traffic.
To enable and disable rules:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Firewall Settings tab.
4. In the row of the rule you want to change:
• Click Disable. The rank of the rule changes to Disabled. The other rules do not change. Thus, if
the disabled rule was rank 0, the rule with rank 1 is now the first rule to be matched against
traffic.
• Click Enable. The rank of the rule returns to what it was when you disabled it.
5. Click Save.
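The first-match evaluation shown in Examples 1 and 2 above, and the effect of disabling a rule described in this procedure, as an added Python model. This is not Check Point's code and not an interface of the product: the rule and location names are taken from the examples, the "Private Subnet" location is assumed to be 192.168.1.0/24, the packets are constructed, IP_TCP_UDP is assumed to match any IP protocol, and when no firewall rule matches the model only reports no match (it assumes the policy's Zone and program rules then apply, which it does not implement).

```python
# Added example (not part of the Check Point guide): a minimal model of how
# the client applies ranked firewall rules. Rules are evaluated in rank order
# and the first rule whose conditions match the traffic decides the action;
# disabled rules have no rank and are never evaluated.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    src: str            # "Any", or a location defined here as a CIDR network
    dst: str
    protocol: str       # "IP_TCP_UDP" is assumed to match any IP protocol
    action: str         # "Allow" or "Block"
    enabled: bool = True


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str       # "TCP", "UDP", "ICMP", ...


def location_matches(location: str, ip: str) -> bool:
    return location == "Any" or ip_address(ip) in ip_network(location)


def protocol_matches(rule_protocol: str, packet_protocol: str) -> bool:
    return rule_protocol == "IP_TCP_UDP" or rule_protocol == packet_protocol


def ranks(rules: List[Rule]) -> dict:
    """Enabled rules are ranked 0, 1, 2... in list order; a disabled rule reports
    'Disabled' and the rules after it move up, preserving their relative order."""
    result, next_rank = {}, 0
    for rule in rules:
        if rule.enabled:
            result[rule.name] = next_rank
            next_rank += 1
        else:
            result[rule.name] = "Disabled"
    return result


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, name of the rule that fired). The first enabled rule that
    matches wins; later rules are not examined. With no match the firewall rules
    do not decide the packet (assumption: Zone and program rules then apply)."""
    for rule in rules:
        if not rule.enabled:
            continue
        if (location_matches(rule.src, pkt.src_ip)
                and location_matches(rule.dst, pkt.dst_ip)
                and protocol_matches(rule.protocol, pkt.protocol)):
            return rule.action, rule.name
    return "No match", None


PRIVATE_SUBNET = "192.168.1.0/24"   # constructed value for the "Private Subnet" location
FTP_LOCAL = Rule("FTP Local", PRIVATE_SUBNET, "Any", "IP_TCP_UDP", "Allow")
FTP_INTERNET = Rule("FTP Internet", "Any", "Any", "IP_TCP_UDP", "Block")

LOCAL_CLIENT = Packet("192.168.1.10", "192.168.1.5", "TCP")   # constructed: client on the local subnet
REMOTE_CLIENT = Packet("203.0.113.7", "192.168.1.5", "TCP")    # constructed: client on the Internet


def example_1():
    """FTP Local rank 0, FTP Internet rank 1: local allowed, everything else blocked."""
    policy = [FTP_LOCAL, FTP_INTERNET]
    return evaluate(policy, LOCAL_CLIENT), evaluate(policy, REMOTE_CLIENT)


def example_2():
    """FTP Internet rank 0: it matches everything, so FTP Local never fires."""
    policy = [FTP_INTERNET, FTP_LOCAL]
    return evaluate(policy, LOCAL_CLIENT), evaluate(policy, REMOTE_CLIENT)


def example_2_with_internet_rule_disabled():
    """Disabling FTP Internet in Example 2 makes FTP Local the first rule matched."""
    policy = [Rule("FTP Internet", "Any", "Any", "IP_TCP_UDP", "Block", enabled=False), FTP_LOCAL]
    return ranks(policy), evaluate(policy, LOCAL_CLIENT), evaluate(policy, REMOTE_CLIENT)


if __name__ == "__main__":
    print(example_1())
    print(example_2())
    print(example_2_with_internet_rule_disabled())
```

The point the model makes concrete is that a catch-all Block rule placed at rank 0 silently shadows every rule below it, and that disabling that rule does not "fail closed": the traffic it used to block simply falls through to whatever follows.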

Editing Firewall Rules


When you modify a firewall rule, the rule settings are automatically updated in all your security Policies.
However, the Policies must be re-deployed before the changes affect the endpoint users.

Removing Firewall Rules from a Policy
Removing the rule from a policy does not delete it from Endpoint Security. The rule is still available in the
Firewall Rule Manager and can be added to a policy at any time.
The remaining rules in the policy are renumbered sequentially, preserving their relative ranks.

Deleting a Firewall Rule


Deleting a firewall rule automatically removes it from all security Policies. However, the Policies must be re-
deployed before the changes affect the endpoint users.
To delete global firewall rules in Multi-Domain mode, you must be in the System Domain.

Creating Enforcement Rules as Policy Objects


Use enforcement rules to ensure that endpoint computers comply with your security Policies regarding Anti-
virus and other types of software. If an endpoint computer does not comply with one or more enforcement
rules, you can restrict the connection using restriction firewall rules.

Note - Enforcement rules control what programs may be installed on your endpoint computers, not
program activity. To control program activity on the endpoint computer, use Program Rules.

Enforcement rules determine whether the client can establish and maintain a session with the Endpoint
Security server and your internal network. The client periodically checks the endpoint computer for the
enforcement rule conditions you set.

Enforcement Rule Types


The Endpoint Security server allows you to create the following types of enforcement rules to secure the
endpoint computer:
Rule Type                 Description
---------                 -----------
General Enforcement Rule  Requires or prohibits specific file or program configurations. For
                          example, if you create a rule requiring a specific registry key on
                          Windows NT computers, users establishing a session from a Windows NT
                          computer must have that registry key. Windows NT users that do not have
                          the registry key are treated as being out of compliance with the rule.
Anti-virus Rule           Requires a specific Anti-virus program, version, and configuration on
                          the endpoint. For example, if you configure a rule requiring McAfee
                          VirusScan Version 4.2 or higher, users logging in from computers that do
                          not have this software are treated as being out of compliance with the
                          rule.
Client Rule               Requires an Endpoint Security client on the computer. For example, if
                          you create a rule requiring Agent version 7.0, users must have that
                          version of Agent. Users that do not have Agent, or that have the wrong
                          version, are treated as being out of compliance with the rule.

Rule Groups
If you have a number of Enforcement Rules in your system, you can create a group of rules for a policy.
Rule groups require compliance with at least one of the rules in the group.
For example, if you configure a group with rules that require McAfee VirusScan, Symantec Norton Anti-virus,
or Trend Micro PC-cillin, then as long as the endpoint computer complies with one of those rules the user is
treated as being compliant with the rule.

Enforcement Rules Process


The client regularly checks the endpoint computer to ensure that it complies with all the enforcement rules in
the assigned security policy. If the user's computer becomes out of compliance with the enforcement rule
conditions, the client executes the enforcement action specified by the rule.
1. The client checks the endpoint computer against all enforcement rules in the assigned security policy,
including Anti-virus provider rules and groups. The endpoint computer is found to be either in or out of
compliance with the rules.
2. If the endpoint computer complies with all enforcement rules, the client considers it to be 'in compliance'
and the connection can proceed.
3. If the endpoint computer is in violation of one or more enforcement rules, the client considers it to be
"out of compliance."
4. The client executes the action specified in the enforcement rule. You can set the client to observe,
warn, or restrict computers that are out of compliance. If the enforcement rule is set to 'Warn' or
'Observe', the action takes place immediately. If the enforcement rule is set to 'Restrict', the action
takes place after the endpoint computer has been out of compliance for the number of heartbeats you
specified.
5. If you have set the enforcement rule to 'Restrict', the endpoint computer is restricted according to
the restriction rules you created for the enforcement rule. The client sets the state to 'Restricted'.
See What a Restricted User Experiences (on page 64).
6. When an endpoint computer is restricted, the client rechecks every minute to see if the computer is
back in compliance with the enforcement rules. When the computer is compliant, the client sets the
compliance state to 'In Compliance' and sends a sync to the server to immediately re-establish full
access.
7. If you set the enforcement rule to 'Observe,' the computer is allowed to connect and the event is logged.
See Using Rules that Observe or Warn (on page 67).
8. If you set the enforcement rule to 'Warn,' the computer is allowed to connect, the event is logged, and
the user sees an alert that describes the security violation and provides a link to remediation information.
See Providing Remediation Resources for Users (on page 65).
You can set up remediation resources for endpoints that Endpoint Security has warned or restricted.
Warned users must apply the remediation resources manually. Restricted users can apply the resources
manually or you can configure Endpoint Security to run the resources automatically.
9. Connected computers are rechecked every heartbeat to ensure that they remain compliant.

Note - There is a delay between the time the endpoint computer becomes non-compliant and the point at
which the connection is restricted. The delay is equal to the number of heartbeats you specify before
restriction multiplied by the time interval you set for the heartbeats. Observe and warn rules execute
on the next heartbeat after non-compliance.
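The process above as an added Python model, not part of the guide or the product. It evaluates every enforcement rule and rule group in a policy on each heartbeat (a group is satisfied by any one of its member rules, as described under Rule Groups), applies Observe and Warn on the first non-compliant heartbeat, and applies Restrict only after the configured number of consecutive non-compliant heartbeats. The rules, the group, the endpoint attributes and the heartbeat counts are constructed for the illustration, and the one-minute recheck of a restricted endpoint is treated as an ordinary heartbeat.

```python
# Added example (not part of the Check Point guide): a model of the
# enforcement-rule process. Each heartbeat re-evaluates the policy; counters
# of consecutive non-compliant heartbeats drive the Restrict delay.
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class EnforcementRule:
    name: str
    complies: Callable[[dict], bool]   # True when the endpoint satisfies the rule
    action: str                        # "Observe", "Warn" or "Restrict"
    heartbeats_before_restrict: int = 1


@dataclass
class RuleGroup:
    name: str
    members: List[EnforcementRule]
    action: str
    heartbeats_before_restrict: int = 1

    def complies(self, endpoint: dict) -> bool:
        # a group requires compliance with at least one of its rules
        return any(m.complies(endpoint) for m in self.members)


@dataclass
class ClientState:
    state: str = "In Compliance"
    beats_out: Dict[str, int] = field(default_factory=dict)  # consecutive non-compliant heartbeats per rule
    events: List[str] = field(default_factory=list)


def heartbeat(client: ClientState, policy: list, endpoint: dict) -> str:
    """One compliance check against every rule and group. Returns the new state."""
    violations = [r for r in policy if not r.complies(endpoint)]
    if not violations:
        if client.state == "Restricted":
            client.events.append("sync to server: full access restored")
        client.state, client.beats_out = "In Compliance", {}
        return client.state
    # counters persist only for rules that are still violated
    client.beats_out = {r.name: client.beats_out.get(r.name, 0) + 1 for r in violations}
    restrict = False
    for r in violations:
        if r.action == "Observe":
            client.events.append(f"log: {r.name}")
        elif r.action == "Warn":
            client.events.append(f"log+alert: {r.name} (remediation link shown)")
        elif r.action == "Restrict" and client.beats_out[r.name] >= r.heartbeats_before_restrict:
            restrict = True
    client.state = "Restricted" if restrict else "Out of Compliance"
    return client.state


# Constructed policy: an Anti-virus rule group (any one approved provider) that
# warns, a Warn rule on a registry key, and a Restrict rule on the client
# version that fires after 3 heartbeats out of compliance.
AV_GROUP = RuleGroup("Approved AV", [
    EnforcementRule("McAfee VirusScan", lambda e: e.get("av") == "McAfee", "Observe"),
    EnforcementRule("Symantec Norton", lambda e: e.get("av") == "Symantec", "Observe"),
    EnforcementRule("Trend Micro PC-cillin", lambda e: e.get("av") == "TrendMicro", "Observe"),
], action="Warn")
REGISTRY_RULE = EnforcementRule("Required registry key", lambda e: e.get("reg_key_present", False), "Warn")
CLIENT_RULE = EnforcementRule("Client version 7.0", lambda e: e.get("client") == "7.0",
                              "Restrict", heartbeats_before_restrict=3)
POLICY = [AV_GROUP, REGISTRY_RULE, CLIENT_RULE]


def run_scenario() -> List[str]:
    """Endpoint with Symantec AV, a missing registry key and an old client; the
    user remediates before the 5th heartbeat. Returns the state after each beat."""
    client = ClientState()
    endpoint = {"av": "Symantec", "reg_key_present": False, "client": "6.5"}
    states = [heartbeat(client, POLICY, endpoint) for _ in range(4)]
    endpoint.update(reg_key_present=True, client="7.0")
    states.append(heartbeat(client, POLICY, endpoint))
    return states


if __name__ == "__main__":
    print(run_scenario())
```

With a 3-heartbeat Restrict threshold the endpoint is only observed and warned on the first two beats and is cut off on the third, which is the delay the note above describes (heartbeats before restriction multiplied by the heartbeat interval); the moment a check passes again the state returns to In Compliance and the client syncs with the server.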

What a Restricted User Experiences


To create effective enforcement rules, you should be familiar with the effects your rules have on endpoint
users. It is recommended that you attempt to access your network as an endpoint user after you configure
an enforcement rule, to be sure that it is having the desired effect and that your endpoints have access to all
the resources and information they need to become compliant.
When an endpoint computer is out of compliance with an enforcement rule, the following occurs:
1. The client executes the rule action. The user session is affected as follows:

• Observed users can access the endpoint network. Observed users receive no alert.
• Warned users receive an alert, but can still access the endpoint network. If you have configured a
remediation resource for the rule, the client includes the resources (for example, a link or an
executable file) in the alert message.
• Restricted users can access only the part of your network you specify using the restriction rules. If
you have configured it to do so, Endpoint Security applies the resource automatically.
Warning and restriction alerts include:
• Default or optional customized text explaining the rule action
• The rule name
• Any additional customized text you defined in the policy (optional)
• A help link that opens the sandbox page you created for that enforcement rule. If you specified a
remediation resource, the sandbox page will contain a link to it.
2. If the user clicks the help link, the appropriate sandbox page for that enforcement rule type appears.
3. When the user becomes compliant the client no longer restricts the session, and the user can access
the endpoint network.

Planning Enforcement Rules


Before creating Enforcement Rules, go through this checklist.
1. Decide which rules you want to require or prohibit and what action you want the client to take.
It is recommended that you begin by using rules that observe or warn users (instead of restricting) so as
to avoid disrupting your users. Later, you may decide to reconfigure some rules to restrict non-compliant
users.
2. Gather all the information and resource files that your users will need to become compliant with your
rules. You will use this information when you customize your sandbox pages, and also when you specify
remediation resources in the enforcement rules.
Enforcement rules can cut users off from the network resources they need when they are out of
compliance. Therefore, it is important to provide easy means for the user to become compliant, to
minimize support requirements related to enforcement rules.
3. Customize sandbox pages with the appropriate resources.
4. Configure the heartbeat interval.
The time between compliance checks, and the delay before a restriction takes effect, are both measured
in heartbeats, so you may wish to adjust the heartbeat interval.
5. Enable Enforcement Rule alerts and logging on the Policies which will enforce the rules after
deployment.

Note - For best performance, it is recommended that you create no more than 40 enforcement rules.

Providing Remediation Resources for Users


When implementing enforcement rules, provide adequate resources and information in the enforcement
alerts and sandbox pages to enable warned and restricted users to become compliant. There are different
ways to configure remediation resources:
• In the enforcement rule, you can specify a remediation resource that users can download and install
themselves. For restricted users, you have the option of configuring Endpoint Security to run
remediation resources automatically. If you are using automatic remediation, the file you specify must be
an executable.
• In the enforcement sandbox pages.
Important - If you are using enforcement rules in conjunction with
Cooperative Enforcement with a Gateway, you must provide
remediation resources on the Endpoint Security server host itself using
an uploaded file because restricted users will be unable to connect to
any other network resources.

To configure remediation resources:
1. Identify which programs, files, registry keys, or other conditions you want to require or prohibit on
endpoint computers to create a secure environment. Be sure to determine the correct information for
each operating system.
2. Determine what information and resources non-compliant users need to become compliant. Some
suggestions:
Resource           Description                       Configuration Instructions
--------           -----------                       --------------------------
Specific details   Provide the specific conditions   In an enforcement or Anti-virus provider
                   of the rule.                      rule, enter custom text that clearly
                                                     describes the rule conditions with which
                                                     the user may not be compliant. This text
                                                     is displayed in the alert and on the
                                                     sandbox page.
Links              Include links to external sites   For links on the sandbox page to programs
                   where the user can download the   or files needed when a user is out of
                   necessary programs or files.      compliance with a specific rule, include
                                                     the URL in the Enforcement Rule page. For
                                                     links that appear on the sandbox page
                                                     regardless of the specific rule, set up the
                                                     link on the relevant sandbox page, using
                                                     the Customize Sandbox page. Note that you
                                                     cannot automatically redirect a user to a
                                                     link.
Executable Files   Configure Endpoint Security to    Configure automatic remediation when
                   remediate restricted endpoints    setting up the enforcement rule or
                   by automatically running the      Anti-virus rule. The client can access the
                   necessary executable file.        remedial file either directly or through an
                                                     external URL.
Steps              Explain how to install and        On the sandbox page, provide detailed
                   configure required resources.     instructions that are specific to all your
                                                     enforcement rules.
Technical Support  Technical support contact phone   Include this information in all your
                   number and/or e-mail addresses    sandbox pages.
                   for your company.

3. Configure custom text and URLs in enforcement rules.


4. Configure sandbox pages with specific information related to your organization and the rules you will
create.
To configure sandbox page templates:
1. If you are in Multi-Domain mode, switch to the System Domain.
2. Click System Configuration > Sandbox Pages.
3. To make the alerts conform to your organization web site, browse to and upload the stylesheet of the
web site.
4. From Language, select the language of the page you want to configure.

Note - You must select and modify the sandbox page for each
language you are using.

5. Select the sandbox page you wish to configure.

You should customize at least the following default sandbox pages:
• AV_COMPLIANCE for Anti-virus rules
• PROHIBIT for enforcement rules that prohibit programs, files, and keys
• REQUIRE for enforcement rules that require programs, files, and keys
• GROUP for Rule Groups that require one program
6. Modify the What happened and What should I do areas with specific information for your rules.
For example, you can add an HTML link to your intranet, where the Anti-virus executables are made
available to users for download and installation.
If you uploaded a stylesheet, the sandbox information in these fields can use its CSS classes.
7. Click Save.

Using Rules that Observe or Warn


An important strategy for smoothly implementing enforcement rules is to first create rules that observe or
warn, but do not restrict non-compliant computers. This helps identify any frequently occurring non-
compliant conditions in your network before restricting users as a result of those conditions.

Rules that Observe


When you configure an enforcement rule to observe, the client logs non-compliance events and reports
them to the Endpoint Security server. The user session is not restricted.
Configure observe rules for centrally-managed software that users do not install themselves. This allows you
to tell which users need the software without inconveniencing users with compliance issues they cannot
solve for themselves.

Rules that Warn


When you configure an enforcement rule to warn, the client displays an Alert message that directs the user
to remediation resources. The client logs the event, but allows the user full access to the endpoint network
Configure warn rules for software that users are responsible for installing and maintaining themselves.

Tracking Rules that Warn or Observe


After deploying a policy with an observe or warn rule, use the Enforcement Violations by Rule, Enforcement
Violations by Policy, and Endpoint Status versions of the Endpoint Monitor Report to track the number of
users affected by the rule. By tracking which users are non-compliant and the frequency of non-compliance,
and by seeing how long it takes users to come into compliance, you can gauge the effectiveness of your
policy and remediation resources.
To log enforcement-related events, configure the Client Alerts and Logging on the Client Settings tab of the
security policy.
When you are satisfied that your rule and resources will enhance security without unduly increasing your
support burden, you may want to change the action indicator in the rule from Observe or Warn to Restrict
and redeploy the policy. For rules that restrict, you can configure Endpoint Security to apply remediation
resources automatically.

Enabling Enforcement Rule Alerts and Logging


To configure alerts and logging:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Client Settings tab.
4. In the Client Alerts and Logs area, in the Enforcement alerts row, select:
• Display to display an alert when the user is out of compliance with an enforcement rule.
• Log to have the client record non-compliant events and report it to the Endpoint Security server.

5. Optionally, in the Custom Messaging area, provide a message and link text to appear in alerts.
6. Click Save.

Creating Enforcement Rules for Programs, Files and Keys


General enforcement rules consist of the rule conditions, the type of check, the rule action, and remediation
information.
To create a general enforcement rule:
1. Click Policies.
The Policy Manager page opens.
2. Click Manage Policy Objects.
The Policy Objects page opens.
3. Open the Enforcement Rules tab.
4. Click New and select Enforcement Rule.
5. Configure the general settings.
General Option     Description
--------------     -----------
Rule Name          A descriptive name for the new enforcement rule.
Operating Systems  To enforce the rule for all versions of Microsoft Windows, choose All. To
                   enforce the rule for a specific version of Windows, choose that version.

6. Specify the conditions that the rule should check for.


Option                         Description
------                         -----------
Check for registry key and     Checks for a specific key and value in the Windows Registry on the
value                          endpoint computer. Provide the Registry Key to check and the Value
                               to check.
Check for file and properties  Validates the properties of a program file on the endpoint
                               computer. If you select this option, provide the File Name to
                               check (for example: example.exe) and the File Properties to check:
                               Running at all times - the program must be running at all times
                               (relevant if the file is an executable)
                               Location - the file must exist at this pathname on the endpoint
                               Version number - the file version must match, or fall within the
                               range of, the minimum and maximum version numbers
                               Last modified less than 'n' days ago - the file must have been
                               modified within this number of days
                               Match Smart Checksum - use SmartSum to obtain the file's checksum;
                               the file on the endpoint must match this checksum

7. Specify whether the conditions are required or prohibited, and what the action for non-compliance will
be.
Option         Description
------         -----------
Type of check  Determines whether the rule requires or prohibits the software.
Action         Select the action of the rule:
               Observe clients that don't comply - records the violation in the logs only.
               Warn clients that don't comply - displays a warning to users whose endpoints do
               not comply, but lets them access the network.
               Restrict clients that don't comply - restricts the endpoint and enables the
               auto-remediation options.
               Important - If you choose to restrict or warn the endpoint user, configure the
               custom text for this enforcement rule and provide a remediation resource. If you
               choose to restrict, you must configure restriction firewall rules for the
               Policies that include this rule, or your users will not be restricted.

8. Specify the message and remediation resources that will be provided if the endpoint computer is non-
compliant.
Option                     Description
------                     -----------
Language                   The language for the sandbox page text. This option is only displayed
                           if you enabled client languages during installation.
Custom alert/sandbox text  A rule-specific message added to the generic end-user message the
                           Endpoint Security client displays when endpoints are non-compliant.
                           Endpoint Security also adds this message to the sandbox page. For
                           example: 'XYZ program is installed on your computer. You must remove
                           this program to regain full access to the network.'
                           Note - The custom text you specify is displayed only if you enable
                           alerts and logging on the Client Settings tab of the security policy.
Specify a remediation      Identifies a remediation resource that Endpoint Security can apply to
resource                   non-compliant endpoints, either automatically or through the sandbox.
                           Specify the resource and the method of application in the check boxes
                           and fields below. If you are using automatic remediation, the file you
                           specify must be an executable.

If Specify a remediation resource is selected, the following are available:


Option                          Description
------                          -----------
Upload a file to use as a       Uses the uploaded file for remediation. If you plan to apply the
remediation resource            resource automatically, it must be an executable file.
Include link to external URL    Uses the specified link for remediation. If you plan to apply the
                                resource automatically, the link must lead to an executable file.
Run As                          Choose whether to run the remediation as a System resource or a
                                User resource. A resource run as System executes with system
                                privileges on the endpoint, so always provide an MD5 checksum for
                                such a resource.
Automatically apply the         Remediates non-compliant endpoints automatically, saving end users
remediation resource when a     from going to the sandbox and applying the resource manually. This
client goes out of compliance   check box is enabled only if you are restricting clients that do
                                not comply with the rule. Automatic remediation requires an
                                executable file.
Run with arguments              Provide any resource-specific command-line arguments to use when
                                running the remediation resource.
Automatically apply             Applies the resource without asking for end-user confirmation.
remediation resource
Apply remediation after user    Applies the resource only after end-user confirmation. The
confirmation                    endpoint computer cannot access the corporate network until the
                                user allows the remediation.
Determine MD5 for Verification  Causes Endpoint Security to download the resource and compute its
                                MD5 checksum. If you return to edit the rule after saving it, the
                                checksum appears in the Enter MD5 checksum field. Note that the
                                Endpoint Security server must have the same network access as the
                                client to download the resource and compute the MD5.
Enter MD5 checksum              Provide the MD5 checksum of the resource.
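The general enforcement rule as an added Python example, not part of the guide or the product. It shows how the "Check for file and properties" conditions (location, version range, last-modified window, checksum) combine with the Type of check (Require or Prohibit) to give a compliance result, and how a remediation resource's MD5 is verified before it is run. Two assumptions: the file version is supplied by the caller (on Windows it would come from the executable's version resource, which this example does not read), and the Smart Checksum is stood in for by a plain SHA-256 of the file contents. The sample file and rule values in demo() are constructed.

```python
# Added example (not part of the Check Point guide): file-property checks of a
# general enforcement rule and MD5 verification of a remediation resource.
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class FileCondition:
    file_name: str
    location: Optional[str] = None            # full pathname the file must have
    min_version: Optional[str] = None
    max_version: Optional[str] = None
    modified_within_days: Optional[int] = None
    checksum: Optional[str] = None            # hex digest the file contents must match (SHA-256 here)


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare versions numerically, so 4.10 is newer than 4.2."""
    return tuple(int(p) for p in v.split("."))


def file_digest(path: str, algorithm: str = "sha256") -> str:
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def condition_present(cond: FileCondition, file_version: Optional[str] = None) -> bool:
    """True when the file exists and every configured property matches."""
    path = cond.location or cond.file_name
    if not os.path.isfile(path):
        return False
    if cond.min_version or cond.max_version:
        if file_version is None:
            return False
        v = parse_version(file_version)
        if cond.min_version and v < parse_version(cond.min_version):
            return False
        if cond.max_version and v > parse_version(cond.max_version):
            return False
    if cond.modified_within_days is not None:
        age_days = (time.time() - os.path.getmtime(path)) / 86400
        if age_days > cond.modified_within_days:
            return False
    if cond.checksum and file_digest(path) != cond.checksum.lower():
        return False
    return True


def complies(check_type: str, cond: FileCondition, file_version: Optional[str] = None) -> bool:
    """Require: compliant when the condition is present. Prohibit: compliant when absent."""
    present = condition_present(cond, file_version)
    return present if check_type == "Require" else not present


def remediation_resource_ok(path: str, expected_md5: str) -> bool:
    """Refuse to run a downloaded remediation resource whose MD5 differs from
    the value stored in the rule (wrong file, corrupt download or tampering)."""
    return file_digest(path, "md5") == expected_md5.lower()


def demo() -> dict:
    """Build a constructed sample file and exercise each property check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example.exe")
        with open(path, "wb") as f:
            f.write(b"constructed sample executable contents")
        good = file_digest(path)
        base = FileCondition("example.exe", location=path)
        results = {
            "require_present": complies("Require", base),
            "prohibit_present": complies("Prohibit", base),
            "require_missing": complies("Require", FileCondition("absent.exe", location=os.path.join(d, "absent.exe"))),
            "version_in_range": condition_present(FileCondition("example.exe", path, "4.2", "5.0"), "4.5.1"),
            "version_too_low": condition_present(FileCondition("example.exe", path, "4.2", "5.0"), "4.1.9"),
            "checksum_match": condition_present(FileCondition("example.exe", path, checksum=good)),
            "checksum_mismatch": condition_present(FileCondition("example.exe", path, checksum="00" * 32)),
            "recent_file": condition_present(FileCondition("example.exe", path, modified_within_days=7)),
        }
        ten_days_ago = time.time() - 10 * 86400
        os.utime(path, (ten_days_ago, ten_days_ago))   # age the file past the 7-day window
        results["stale_file"] = condition_present(FileCondition("example.exe", path, modified_within_days=7))
        results["remediation_md5_ok"] = remediation_resource_ok(path, file_digest(path, "md5"))
        results["remediation_md5_bad"] = remediation_resource_ok(path, "d41d8cd98f00b204e9800998ecf8427e")
    return results


if __name__ == "__main__":
    print(demo())
```

Keep the MD5 check in perspective: MD5 is not collision resistant, so the stored checksum protects against the wrong file or a corrupted download, not against an adversary who can craft a colliding file. Host remediation resources on a server you control, and treat the checksum as mandatory for any resource that runs as System.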

Anti-virus Rules
Use Anti-virus Rules to require endpoints to run a specific Anti-virus program. If the endpoint becomes
non-compliant, the client can restrict the user session, warn the user without restricting, or observe the
violation without restricting. You can specify a remediation resource that users can download and install
themselves. For restricted users, you have the option of configuring Endpoint Security to run remediation
resources automatically.
When creating an Anti-virus provider rule, you can either enter Anti-virus engine and DAT file information
manually or use a reference client.
Manual configuration requires frequent maintenance to keep up with software and DAT file updates. You
can automate your updates by specifying a single computer (called an Anti-virus reference client) to provide
software and DAT file information to Endpoint Security. When you update the DAT file or Anti-virus engine
on the reference client, Endpoint Security updates its Anti-virus provider rules accordingly.

Using Reference Clients


To avoid having to constantly update your software and DAT file configurations in your policy, you can
configure an Anti-virus reference client and then specify that client as the standard in your enforcement rule.

Note - Reference clients do not provide DAT file remediation to your endpoint computers. You should
provide remediation resources in your policy.
If you are using Cooperative Enforcement with a gateway and are checking for compliance with
enforcement rules, you must upload the DAT files as remediation resources because users that are
restricted at the Gateway level will not be able to access other internal Anti-virus DAT file resources.

To prepare a reference client:


1. Set up your reference client computer.
The reference client should be an endpoint computer that you know and trust to be free of malware with
the desired Anti-virus software engine and DAT file. Do not assign a policy to the reference client
computer. Be sure the intended reference client has the latest Anti-virus engine version and DAT file,
and that it is connected to the Endpoint Security server.
2. Install a client on the reference computer.
Clients on reference computers behave the same way as any other clients except that the Anti-virus
information they send to the Endpoint Security server is used for enforcement. Do not assign the policy
that uses the reference client to the reference client computer. Assign a policy without enforcement rules
to the reference client computer.

Note - Client versions 7.0 and higher use a different method to detect
Anti-virus providers on endpoint computers than previous clients. It is
highly recommended that you use the same version of the client on
your reference client as you distribute to your other endpoint
computers.

To create Anti-virus enforcement rules based on a reference client:


1. If you are in Multi-Domain mode, switch to a non-system Domain.
2. Click System Configuration > Reference Clients.
The Antivirus Reference Clients page opens.
This page contains entries for all supported providers, whether or not reference clients are configured.
Endpoint Security displays n/a for providers until you configure a reference client for that provider.
3. Select a provider from the list and click Configure.
4. Define the reference client with one of the following methods:
• IP Address - Designates the reference client by IP address. Provide a static IP address, dedicated to the
reference client.
• Custom User ID - Designates the reference client by custom user ID (for example,
manual://myCatalog/myGroup/refClient).
• Browse for a user below - Designates the reference client by name. Provide a partial string of a user with a
client to be used as a reference point and then click Search to browse the list of users who have this client.
• Do not specify a reference client for this provider - No reference client is configured for this provider.
(default setting)
5. Click Save.
The reference client is now available for use in an anti-virus enforcement rule.
6. Create a new Anti-virus Enforcement Rule that uses information from the reference client.

Creating an Anti-virus Enforcement Rule


To create an Anti-virus Enforcement Rule:
1. Click Policies.
The Policy Manager page opens.
2. Click Manage Policy Objects.
The Policy Objects page opens.
3. Open the Enforcement Rules tab.
4. Click New and select Antivirus Rule.
5. Provide a name for your rule and select a supported Anti-virus provider.
6. Specify the conditions of the rule.

• Keep clients in sync with the reference client - Requires endpoints to match the settings of an anti-virus
reference client. In the text field, enter the number of days (from the time you update the reference client)
by which endpoints must comply. This option is available only if you have already set up an Anti-virus
reference client.
• Minimum engine version - Requires that a minimum version of the anti-virus program's engine be present on
the endpoint computer. If you select this option, type or paste the minimum engine version.
• This program must always be running - Requires that the anti-virus program always be running on the
endpoint computer.
• Minimum DAT file version - Enforces a minimum DAT file version.
• Oldest DAT file time stamp - Enforces an oldest allowed time stamp for the DAT file.
Warning: You may encounter time zone issues when using Symantec Anti-virus or Trend Micro OfficeScan
Corporate Edition and enforcing by DAT time. Enforce by version for greater accuracy.
• Maximum DAT file age, in days - Enforces a maximum DAT file age (in days).

7. Specify the action: what happens to endpoint computers that are out of compliance.
• Observe clients that don't comply - Observes and records endpoints that are not running the required
anti-virus software.
• Warn clients that don't comply - Warns users whose endpoints are not running the required anti-virus
software, but lets them access the network. If you choose to restrict or warn the endpoint user, you should
configure the custom text for this enforcement rule and provide a remediation resource.
• Restrict clients that don't comply - Restricts endpoints that are not running the required anti-virus
software. This enables auto-remediation options. If you choose to restrict, you must configure restriction
firewall rules for the Policies that include this rule, or your users will not be restricted.

8. Set the remediation options for the rule.
It is highly recommended that you set remediation rules to help your endpoint users to comply with your
rules. For rules that restrict, you can configure Endpoint Security to remediate the endpoint
automatically.
• Language - The language for the sandbox page text. (This option is only displayed if you enabled client
languages during installation.)
• Custom alert/sandbox text - Type a rule-specific message to add to the generic end-user message the
Endpoint Security client displays when endpoints are non-compliant. Endpoint Security also adds this
message to the sandbox page.
For example: Trend Micro OfficeScan Corporate Edition is not installed on your computer. Please install
this program to regain full access to the network.
The custom text you specify is only available in the alert if you configure the client alert and logging
settings to display enforcement rules on the Client Settings tab of the security policy.
• Specify a remediation resource - Identifies a remediation resource the Endpoint Security client can apply
to non-compliant endpoints, either automatically or through the sandbox. Specify the resource and the
method of application in the check boxes and fields below.

If you select Specify a remediation resource, the following are available:
• Use current uploaded remediation resource - Uses a previously-specified resource for remediation. This
field appears only when you edit an existing rule after having specified a resource previously.
• Upload a file to use as a remediation resource - Uses the specified file for remediation. If you plan to
apply the resource automatically, you must enter an executable file.
• Include link to external URL - Uses the specified link for remediation. If you plan to apply the resource
automatically, the link must lead to an executable file.
• Automatically apply the remediation resource when a client goes out of compliance - Remediates
non-compliant endpoints automatically, saving end users from going to the sandbox and applying the
resource manually. This check box is enabled only if you are restricting clients that do not comply with the
rule.
• Automatically apply remediation resource - Applies the resource without asking for end-user confirmation.
• Apply remediation after user confirmation - Applies the resource only after end-user confirmation. The
endpoint computer cannot access the corporate network until the user allows the remediation.
• Determine MD5 for Verification - Causes Endpoint Security to determine the resource's MD5 checksum. If
you return to edit the rule after saving it, the checksum will appear in the Enter MD5 checksum field. Note
that the Endpoint Security server must have the same network access as the client in order to download the
MD5.
• Enter MD5 checksum - Provide the MD5 checksum of the resource.
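The rule conditions from step 6 and the MD5 verification option from step 8, worked through as an added
example in Python. This is not Check Point code and does not use any Endpoint Security API; the provider
name, version numbers, time stamps and the rule/endpoint structures are constructed for the example. It
shows two details the option table leaves implicit: version strings must be compared numerically (a text
comparison ranks "8.9" above "8.10"), and DAT time stamps must be time-zone aware before being compared,
which is the root of the time zone warning above.

```python
"""Evaluate an endpoint's Anti-virus state against the rule conditions listed above.

Added example, not Check Point code. The condition names mirror the rule options on
this page; the rule/endpoint data, provider name and version numbers are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


def version_key(version: str) -> Tuple[int, ...]:
    """Parse a dotted version so comparisons are numeric: '8.10' ranks above '8.9'.

    A plain string comparison would rank '8.9' above '8.10', which is how a
    minimum-version check silently stops enforcing after a major release.
    """
    return tuple(int(part) for part in version.strip().split("."))


def _aware(when: datetime) -> datetime:
    """Refuse naive datetimes: every DAT time stamp must carry an offset and be compared in UTC."""
    if when.tzinfo is None:
        raise ValueError("DAT time stamps must be time-zone aware")
    return when.astimezone(timezone.utc)


@dataclass
class AntivirusRule:
    """Conditions of an Anti-virus enforcement rule; None means the option is not selected."""
    provider: str
    minimum_engine_version: Optional[str] = None
    must_be_running: bool = False
    minimum_dat_version: Optional[str] = None
    oldest_dat_timestamp: Optional[datetime] = None
    maximum_dat_age_days: Optional[int] = None
    # "Keep clients in sync with the reference client": the reference client's DAT version,
    # when it was last updated, and the number of days endpoints get to catch up.
    reference_dat_version: Optional[str] = None
    reference_updated_at: Optional[datetime] = None
    sync_grace_days: Optional[int] = None


@dataclass
class EndpointAvState:
    """What the client reports about the Anti-virus provider on one endpoint (constructed)."""
    provider: str
    engine_version: str
    dat_version: str
    dat_timestamp: datetime
    running: bool


def evaluate(rule: AntivirusRule, state: EndpointAvState, now: datetime) -> List[str]:
    """Return the violated conditions; an empty list means the endpoint is compliant."""
    now = _aware(now)
    if state.provider != rule.provider:
        return [f"required provider {rule.provider} is not installed"]
    violations: List[str] = []
    if rule.must_be_running and not state.running:
        violations.append("anti-virus program is not running")
    if rule.minimum_engine_version and version_key(state.engine_version) < version_key(rule.minimum_engine_version):
        violations.append(f"engine {state.engine_version} is below minimum {rule.minimum_engine_version}")
    if rule.minimum_dat_version and version_key(state.dat_version) < version_key(rule.minimum_dat_version):
        violations.append(f"DAT {state.dat_version} is below minimum {rule.minimum_dat_version}")
    dat_time = _aware(state.dat_timestamp)
    if rule.oldest_dat_timestamp and dat_time < _aware(rule.oldest_dat_timestamp):
        violations.append("DAT file is older than the oldest allowed time stamp")
    if rule.maximum_dat_age_days is not None:
        age_days = (now - dat_time).days
        if age_days > rule.maximum_dat_age_days:
            violations.append(f"DAT file is {age_days} days old (maximum {rule.maximum_dat_age_days})")
    if rule.reference_dat_version and rule.reference_updated_at and rule.sync_grace_days is not None:
        deadline = _aware(rule.reference_updated_at) + timedelta(days=rule.sync_grace_days)
        behind = version_key(state.dat_version) < version_key(rule.reference_dat_version)
        if behind and now > deadline:
            violations.append(f"DAT {state.dat_version} is behind reference client "
                              f"{rule.reference_dat_version} and the {rule.sync_grace_days}-day sync window has passed")
    return violations


def verify_remediation_resource(data: bytes, expected_md5_hex: str) -> bool:
    """Compare a downloaded remediation resource with the checksum from 'Enter MD5 checksum'.

    compare_digest avoids timing differences; strip()/lower() tolerate pasted hex.
    """
    return hmac.compare_digest(hashlib.md5(data).hexdigest(), expected_md5_hex.strip().lower())


# Constructed scenario: one rule, one lagging endpoint and one up-to-date endpoint.
NOW = datetime(2010, 2, 23, 12, 0, tzinfo=timezone.utc)
RULE = AntivirusRule(provider="ExampleAV", minimum_engine_version="8.10", must_be_running=True,
                     minimum_dat_version="5800", maximum_dat_age_days=7,
                     reference_dat_version="5805", reference_updated_at=NOW - timedelta(days=5),
                     sync_grace_days=3)
LAGGING = EndpointAvState("ExampleAV", "8.9", "5801", NOW - timedelta(days=10), running=True)
UP_TO_DATE = EndpointAvState("ExampleAV", "8.10.1", "5805", NOW - timedelta(days=1), running=True)
SAMPLE_RESOURCE = b"constructed remediation package bytes"   # stands in for an uploaded file
SAMPLE_MD5 = hashlib.md5(SAMPLE_RESOURCE).hexdigest()

if __name__ == "__main__":
    for label, state in (("lagging", LAGGING), ("up-to-date", UP_TO_DATE)):
        print(label, evaluate(RULE, state, NOW) or "compliant")
```

The lagging endpoint fails three conditions (engine below minimum, DAT older than seven days, and behind the
reference client after the three-day window), and each is reported separately because each violation is its
own enforcement event.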

Creating Client Enforcement Rules
Use client enforcement rules to require users to have a particular type and version of the Endpoint Security
client. This is recommended when performing minor client upgrades from one client to another. Generally,
this is only recommended for minor release upgrades. You can only use client enforcement rules to upgrade
from a 6.x or higher version.
To encourage compliance when upgrading clients, it is recommended that you use the automatic upgrade
option. This starts the upgrade with minimal input or disruption to the endpoint user.
To create a client enforcement rule:
1. Click Policies.
The Policy Manager page opens.
2. Click Manage Policy Objects.
The Policy Objects page opens.
3. Open the Enforcement Rules tab.
4. Click New and select Client Rule.
5. Name the rule, and decide whether it will be applied to all clients on Windows, or to clients on specific
Windows versions.
6. Configure the rule conditions.
• Client Type - The client type: Flex or Agent. Each type can be with or without VPN.
• Minimum Version - The minimum version number for the client. If the endpoint's client version is lower than
the minimum version number, then the endpoint will be required to update the client before accessing the
corporate network.

7. Set the rule action, to determine what happens to endpoint users that are out of compliance with the
rule.
• Observe clients that don't comply - Observes and records endpoints that do not comply with the enforcement
rule.
• Warn clients that don't comply - Warns users whose endpoints do not comply, but lets them access the
network. If you choose to restrict or warn, you should configure the custom text for this client rule and
provide the upgrade package.
• Restrict clients that don't comply - Restricts endpoints when they do not comply with the client rule. This
enables the auto-remediation options. If you choose to restrict, you must configure compliance check
settings and restriction firewall rules for the Policies you use this rule in. You must save and deploy the
policy for the enforcement rule to take effect.

8. Set the remediation options for the rule.


• Language - The language for the sandbox page text. (This option is only displayed if you enabled client
languages during installation.)
• Custom alert/sandbox text - Type a rule-specific message to add to the generic end-user message the
Endpoint Security client displays when endpoints are non-compliant. Endpoint Security also adds this
message to the sandbox page.
For example: Agent v. 7.0 is not running on your computer. You must have a current version of this program
installed and running to regain full access to the network.
The custom text you specify is only available in the alert if you configure the client alert and logging
settings to display enforcement rules on the Client Settings tab of the security policy.
• Use Client Package from Server - Upgrades the client with the selected client package.
Note: if you want to use reporting for the auto-update feature, you must use the same connection string for
the updated client package as you used for the initial client deployment.
• Use resource from external URL - Upgrades the client from an external source. If you plan to apply the
resource automatically, the link must lead to an executable file. Provide the URL of the upgrade client or
the URL of a sandbox page that Endpoint Security created when you created the upgrade client package.
• Automatically start the upgrade when a client goes out of compliance - Enables the automatic client
upgrade options. If selected, the following settings are available.
• Automatically upgrade clients - Upgrades the client without asking for endpoint user confirmation.
• Upgrade with user confirmation - Upgrades the client only after end-user confirmation. The endpoint
computer cannot access the corporate network until the user allows the upgrade.
• URL Resource Verification - Available if both Use resource from external URL and Automatically start the
upgrade when a client goes out of compliance are selected. Provides an MD5 checksum to verify the URL
client package download, using one of the following options:
    • Fetch MD5 checksum from URL—causes Endpoint Security to determine the resource's MD5 checksum. If
    you return to edit the rule after saving it, the checksum will appear in the Verify against MD5 checksum
    field. (Note that Endpoint Security server must have the same network access as the client in order to
    download the MD5.)
    • Verify against MD5 checksum—verifies against the checksum you enter.

Editing Enforcement Rules


When you edit a rule used by a security policy, the policy is updated automatically.
Clients are updated the next time the policy is deployed.

Deleting Enforcement Rules
Deleting an Enforcement Rule completely removes the rule from Endpoint Security. These rules are
removed from security Policies at the time that you delete them. The change to the security policy is applied
the next time the policy is deployed.

Grouping Enforcement Rules


After you add enforcement rules to a policy, you can create enforcement rule groups. When rules are
grouped, the endpoint computer must be compliant with at least one rule in the group.
When grouping enforcement rules, note the following:
• The rule action for the entire group supersedes the rule actions of the rules in that group.
• Automatic remediation is disabled for rules in a group. Endpoint Security still provides the remediation
resource in the sandbox, but the user has to apply the resource manually. If a rule in the group is used
individually in a different policy, automatic remediation still works for the rule in that policy.
• You cannot add client rules to a group.
To group enforcement rules:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Enforcement Settings tab.
4. Select the rules you want to group and click Group.
The rules you selected are combined into one row and a group title box appears.
5. In the group title box, provide a name for the group.
6. Choose the action for the enforcement rule group:
• Restrict - Restricts non-compliant users according to your restriction firewall rules
• Observe - Allows non-compliant users access, and logs the violation
• Warn - Alerts the user that their computer is not compliant, allows the user to access the network,
and logs the violation
7. Click Save to save the new group.
For enforcement rules that warn or restrict, provide remediation resources and configure an
Enforcement Alert for the group.
For enforcement rules that restrict, configure compliance check settings and restriction firewall rules for
this policy.
You must save and deploy the policy for the rule group to take effect.

Adding Enforcement Rules to Policies


When you add rules to a policy, the user's computer must be compliant with all rules in the policy. When you
add rule groups to a policy, the computer must be compliant with at least one rule in the group.
If you add both rules and rule groups, the computer must be compliant with all single rules and with each
group, as a group (at least one rule in the group).
To add rules to a policy:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Enforcement Settings tab.
4. In the Enforcement Rules area, click Add.
5. Select the rules you want, then click Add.
The Enforcement Settings tab appears with the enforcement rules in the policy.
If you use rules that restrict or warn, you should configure the Enforcement Alert for this rule and provide
remediation resources.
If you use rules that restrict, you should configure Compliance Check Settings and Restriction Firewall
Rules for this policy.
You must save and deploy the policy for the enforcement rule to take effect.
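How a policy that mixes single rules and a rule group is evaluated, as an added Python example (not Check
Point code, and not how the Endpoint Security server is implemented). The rule names, endpoint facts and
version numbers are constructed. Two behaviours from this section and the previous one are modelled: every
single rule must pass while a group passes if any one member passes, and the group's own action, not the
members' actions, is what gets applied. Combining the actions of several violations into the strongest one
(restrict over warn over observe) is this example's assumption.

```python
"""Evaluate a policy's enforcement rules and rule groups against one endpoint.

Added example, not Check Point code. Rule names, endpoint facts and version numbers are
constructed; each violation is reported as its own event, matching the enforcement-event
definition in this guide. Picking the strongest action across violations is an assumption.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Endpoint = Dict[str, object]                      # facts reported by the client
ACTION_SEVERITY = {"observe": 0, "warn": 1, "restrict": 2}


@dataclass
class Rule:
    name: str
    action: str                                   # observe | warn | restrict
    check: Callable[[Endpoint], bool]             # True when the endpoint complies


@dataclass
class RuleGroup:
    name: str
    action: str                                   # supersedes the member rules' own actions
    rules: List[Rule]


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)
    groups: List[RuleGroup] = field(default_factory=list)


def stronger(current: Optional[str], candidate: str) -> str:
    """Keep the more restrictive of two actions (assumption: restrict > warn > observe)."""
    if current is None or ACTION_SEVERITY[candidate] > ACTION_SEVERITY[current]:
        return candidate
    return current


def evaluate_policy(policy: Policy, endpoint: Endpoint) -> Tuple[str, List[str]]:
    """Return (action to apply, one event per violation); action is 'compliant' when nothing fails."""
    action: Optional[str] = None
    events: List[str] = []
    for rule in policy.rules:                     # every single rule must pass
        if not rule.check(endpoint):
            events.append(f"rule '{rule.name}' violated -> {rule.action}")
            action = stronger(action, rule.action)
    for group in policy.groups:                   # a group passes if any member passes
        if not any(r.check(endpoint) for r in group.rules):
            events.append(f"group '{group.name}' violated (no member rule satisfied) -> {group.action}")
            action = stronger(action, group.action)   # group action, not the members' actions
    return action or "compliant", events


def av_running(provider: str) -> Callable[[Endpoint], bool]:
    return lambda ep: ep.get("antivirus") == provider and bool(ep.get("av_running"))


# Constructed policy: one client rule, plus a group that accepts either of two Anti-virus providers.
# The member rules would restrict on their own, but the group is configured to warn.
POLICY = Policy(
    rules=[Rule("Client 7.0 or later", "restrict", lambda ep: ep["client_version"] >= (7, 0))],
    groups=[RuleGroup("Any approved Anti-virus", "warn", [
        Rule("ExampleAV running", "restrict", av_running("ExampleAV")),
        Rule("OtherAV running", "restrict", av_running("OtherAV")),
    ])],
)

# Constructed endpoint facts, in the shape a client might report them.
ENDPOINTS: Dict[str, Endpoint] = {
    "alice-pc": {"client_version": (7, 0), "antivirus": "ExampleAV", "av_running": True},
    "bob-pc": {"client_version": (6, 5), "antivirus": "OtherAV", "av_running": True},
    "carol-pc": {"client_version": (7, 0), "antivirus": None, "av_running": False},
}

if __name__ == "__main__":
    for host, facts in ENDPOINTS.items():
        action, events = evaluate_policy(POLICY, facts)
        print(host, action, events)
```

carol-pc runs neither approved Anti-virus product, so the group fails; because the group action supersedes
the members' restrict action, she is only warned. bob-pc satisfies the group through OtherAV but fails the
client rule and is restricted.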

Configuring Compliance Check Settings


Compliance check settings control how long an endpoint computer can be out of compliance with the
enforcement rules for the policy before being restricted. The default number of heartbeats is four.
To configure compliance check settings:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Enforcement Settings tab.
4. Set the Number of non-compliant heartbeats before restriction setting.
5. Set the Subsequent non-compliant heartbeats before termination setting.
You must save and deploy the policy for the new compliance check settings to take effect.
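The two compliance check settings and the heartbeat interval, modelled as a small state machine in Python.
This is an added example, not Check Point code: the defaults of four heartbeats before restriction and six
subsequent heartbeats before termination are the ones this guide states, the 600-second interval and the
heartbeat sequence are constructed, and the assumption that restriction and termination take effect once the
counter exceeds each setting is this model's own (the guide does not say whether the product acts on that
heartbeat or the one before). It also converts the settings into the wall-clock grace period they imply,
which is what actually matters when choosing an interval.

```python
"""Model the compliance check settings: how many non-compliant heartbeats an endpoint
gets before restriction, and how many more before termination.

Added example, not Check Point code. Defaults are from this guide; the interval and the
sample heartbeat sequence are constructed, and the 'exceeds the setting' threshold is an
assumption of this model.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class ComplianceSettings:
    heartbeats_before_restriction: int = 4    # "Number of non-compliant heartbeats before restriction"
    heartbeats_before_termination: int = 6    # "Subsequent non-compliant heartbeats before termination"
    heartbeat_interval_seconds: int = 600     # constructed; typical intervals are 300 to 1800 seconds

    def seconds_until_restriction(self) -> int:
        """Grace period in wall-clock time: heartbeats times the configured interval."""
        return self.heartbeats_before_restriction * self.heartbeat_interval_seconds

    def seconds_until_termination(self) -> int:
        total = self.heartbeats_before_restriction + self.heartbeats_before_termination
        return total * self.heartbeat_interval_seconds


class ComplianceTracker:
    """Status of one endpoint across heartbeats, using the labels of the Endpoint Status report."""

    def __init__(self, settings: ComplianceSettings):
        self.settings = settings
        self.status = "Compliant"
        self.noncompliant_heartbeats = 0

    def heartbeat(self, compliant: bool) -> str:
        if compliant:
            # A compliant heartbeat (for example after remediation) clears the counter.
            self.noncompliant_heartbeats = 0
            self.status = "Compliant"
            return self.status
        self.noncompliant_heartbeats += 1
        n = self.noncompliant_heartbeats
        s = self.settings
        if n > s.heartbeats_before_restriction + s.heartbeats_before_termination:
            self.status = "Terminated"
        elif n > s.heartbeats_before_restriction:
            self.status = "Restricted"
        else:
            self.status = "Non-Compliant"   # violating, but still inside the grace period
        return self.status


def simulate(settings: ComplianceSettings, heartbeats: List[bool]) -> List[str]:
    """Replay per-heartbeat compliance results and return the status after each heartbeat."""
    tracker = ComplianceTracker(settings)
    return [tracker.heartbeat(ok) for ok in heartbeats]


# Constructed sequence: 5 non-compliant heartbeats, one remediated heartbeat, then 11 more non-compliant.
SAMPLE_HEARTBEATS = [False] * 5 + [True] + [False] * 11

if __name__ == "__main__":
    settings = ComplianceSettings()
    print("restriction after", settings.seconds_until_restriction(), "seconds")
    print("termination after", settings.seconds_until_termination(), "seconds")
    for i, status in enumerate(simulate(settings, SAMPLE_HEARTBEATS), 1):
        print(f"heartbeat {i:2d}: {status}")
```

With the defaults and a 600-second interval an endpoint is restricted 40 minutes after it first falls out
of compliance; halving the interval halves that window but doubles heartbeat traffic to the server.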

Adding Restriction Firewall Rules to Your Policy


Restriction firewall rules limit access for users who are not compliant with enforcement rules that are set to
restrict. Use restriction firewall rules to allow your users access only to the resources they need to become
compliant.
If you do not configure restriction rules, the users who are out of compliance will not be restricted.
To add restriction firewall rules to your policy:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Enforcement Settings tab.
4. In the Restriction Firewall Rules section, click Add.
The Add Restriction Firewall Rules to Policy page opens.
If you need to create a new firewall rule, click New Firewall Rule.
These rules generally specify a part of your network as the Destination, with the Action to block.
5. Select the firewall rules you want to use to restrict non-compliant clients, and click Add.
6. Use the up and down arrows to rank the restriction firewall rules.
Rules are enforced according to their rank. Generally, you will want to create rules to allow traffic to the
areas you want the user to have access to, and then specify a 'cleanup rule' as the last rule, blocking all
traffic.
You must save and deploy the policy for the restriction firewall rules to take effect.

Configuring the Heartbeat Interval


Compliance check settings are regulated by the number of heartbeats. You may wish to adjust the heartbeat
interval.

Note - Setting an extremely low heartbeat interval can result in performance issues. Setting an extremely
high heartbeat interval can result in decreased security and less accurate reporting. Typical heartbeat
intervals range between 300 and 1800 seconds.

To configure the heartbeat interval:


1. Click Client Configuration.
If you have not configured client settings, the Client Configuration page shows the default settings.
2. In the Client Settings area, click Edit.
3. In Heartbeat > Interval, provide the number of seconds you want to have between heartbeats.
4. Click Save.

Tracking Enforcement Rule Compliance


Enforcement rules and enforcement settings let you restrict the network access of endpoints that do not run
specified software (such as up-to-date Anti-virus software) or that otherwise fail to meet specified conditions
(such as periodic spyware scans and treatments). Enforcement rules and settings can also restrict
endpoints that are running undesirable or dangerous software.
Endpoint Security provides a variety of reports that help you monitor compliance with your enforcement
rules and settings. You can view a general compliance report showing all enforcement events, as well
specialized reports showing events by rule and by policy. A report showing historical enforcement events is
also available. Use these compliance reports to analyze the effectiveness and user impact of your
enforcement rules, and to help you troubleshoot specific support issues with restricted users.
An enforcement event occurs when a user violates an enforcement rule or an enforcement setting. If a user
violates more than one enforcement rule or setting, each violation causes its own enforcement event.

Note - When you first implement enforcement rules and settings, configure them to 'observe' endpoints
(instead of restricting them). You can then view the compliance reports to monitor effects on end users. If
endpoint user effects are not too great, you may decide to reconfigure some of your rules to restrict
non-compliant endpoints.

Viewing Compliance Status


The Endpoint Status Report shows which clients currently comply with your enforcement rules and settings,
and which clients do not. Endpoint Security also provides reports that show enforcement rule violations
organized by rule and by policy.
• Compliant — the endpoint complies with all enforcement rules and settings.
• Observe — the endpoint violates one or more enforcement rules, but the rules are configured to record
the violation without taking any other action.
• Warn — the endpoint violates one or more enforcement rules, but the rules are configured to warn the
user.
• Non-Compliant — the endpoint violates one or more enforcement rules but has not yet been restricted
or terminated.
• Restricted — the endpoint has violated a rule configured to restrict the user, and the user has
subsequently failed to remediate the endpoint in the grace period. (The default grace period is four
heartbeats, though you can configure the grace period in the policy.)
• Terminated — the endpoint has violated a rule configured to restrict the user, and the user has
subsequently failed to remediate the endpoint in the allowed time. (The default time allowed is six
heartbeats after restriction, though you can configure the allowed time in the policy.)
• Shutdown — the endpoint user has shut down the endpoint computer.
• Unconnected — the endpoint is not connected to the Endpoint Security server. A client is connected
when the endpoint computer is turned on, the user is logged in, and the endpoint computer is able to
connect to the Endpoint Security server. It is therefore normal for a majority of endpoints to be
unconnected during nonworking hours, when most users have turned off their computers.
• If you have configured Office Awareness, the unconnected status does not necessarily indicate that
the client is using the disconnected policy, or is in the disconnected state. In this circumstance,
clients are shown as unconnected when they miss a number of heartbeats to the Endpoint Security
server. They are in the disconnected state when they are not on your network.
• If you are not using Office Awareness, clients are in the disconnected state and use the
disconnected policy when they are shown as unconnected in this report.
To open an Endpoint Status Report:
1. If you are in Multi-Domain mode, switch to a non-system domain.
2. Click Reports > Endpoint Monitor.
3. In the Chart drop-down menu, choose Endpoint Status.

Violations by Rule and Policy


The Enforcement Violations by Rule report displays rules that have been violated, with links to lists of
endpoints that have violated each rule.
To open an Enforcement Violations by Rule Report:
1. If you are in Multi-Domain mode, switch to a non-system domain.
2. Click Reports > Endpoint Monitor.
3. In the Chart drop-down menu, choose Enforcement Violations by Rule.
The Enforcement Violations by Policy report displays Policies containing rules that have been violated, with
links to lists of non-compliant endpoints with those Policies.
To open an Enforcement Violations by Policy Report:
1. If you are in Multi-Domain mode, switch to a non-system domain.
2. Click Reports > Endpoint Monitor.
3. In the Chart drop-down menu, choose Enforcement Violations by Policy.

Viewing Anti-virus Versions


Use the Antivirus Provider Brands Report to view the various Anti-virus applications that are currently in use
in your organization.
To open an Antivirus Provider Brands Report:
1. If you are in Multi-Domain mode, switch to a non-system domain.
2. Click Reports > Endpoint Monitor.
3. In the Chart drop-down menu, choose Antivirus Provider Brands.

Creating Program Rules


Program rules restrict network access on a per-program basis.
Program Control allows you to restrict network access between a particular program and either the Trusted
or Internet Zone.
Program rules restrict access of applications on the endpoint computer; these rules cannot block access to
the endpoint computer using that application from another location. When planning your program control,
consider both your security goals and your endpoint users' needs. By configuring program control to block
all programs except those you explicitly allow, you achieve a high level of security, at the expense of
endpoint user productivity. By configuring program control to allow all programs except those you explicitly
forbid, you achieve a lower level of security, but cause less disruption to your endpoint users.
Program Control only moderates network access for programs. It does not prohibit the programs
themselves. To require or prohibit a program on an endpoint computer use enforcement rules.
Check Point Program Advisor service provides professionally-recommended security settings for most
programs. If you are using Program Advisor, you will be able to skip most of the topics in this chapter.

Program Permissions
Program permissions control the program access on endpoint computers. You can set the permissions for
individual programs or groups of programs. Program activity is evaluated according to the following criteria:
• Zone - Traffic is evaluated by the Zone (Internet or Trusted) that the program is trying to communicate
with.
• Role - Traffic is evaluated according to whether the program is trying to establish a connection (acting as
a client) or listen for a connection (acting as a server).
You can set the following permissions for programs and program groups:
• Allow - Allows the program to establish or accept the connection
• Block - Blocks the program from establishing or accepting the connection
• Ask - Asks the endpoint user whether to allow or block the program
Note - If you choose the 'Ask' permission, you must also choose the
Allow Flex clients to decide 'Ask' program permissions option in
the Advanced Client Settings on the Program Rules page. If you do
not, Flex will not ask the user for program permissions.

• Terminate - Denies the connection and terminates the program.

Program Groups
Your endpoint users may use hundreds, or even thousands of programs. To facilitate managing your
programs, it is recommended that you generally set program permissions for groups of programs, rather
than for individual programs. Check Point provides some program groups. You can also create custom
groups to manage your programs.

Group Permissions and Policies


By default, groups and group permissions exist only on the Endpoint Security server and are not included in
the actual policy file that is transmitted to the endpoint computer. This significantly reduces policy size and
improves performance. However, it has the following important results:
• Endpoint users with Flex see only the individual program permissions whether individually assigned or
inherited from a group.
• If a client is unable to contact the Endpoint Security server and the program is not governed by Program
Advisor permissions (because Program Advisor is not enabled or the client is not allowed to ask
Program Advisor directly for the permissions) the program will receive the permissions you have set for
Unrecognized Programs.
This behavior will occur under the following circumstances:
• The client is unable to contact the Endpoint Security server and is using a disconnected policy.
• The client is unable to contact the Endpoint Security server but is using a connected policy because no
disconnected policy was specified.
• The client is unable to contact the Endpoint Security server but is using a connected policy because you
are using the Office Awareness feature. See Configuring Office Awareness (on page 142).
You can include program group permissions in your Policies by selecting the Group Settings Available in
the Disconnected Policy option on the Program Group Page. See Creating Program Groups (on page 88).
This includes the group permissions and definition in all Policies, not just the disconnected policy. Note that
including group permissions can substantially increase the size of all your Policies. Including too many
groups in your Policies may make your Policies too large and cause performance issues.
If you are using disconnected Policies, it is recommended that you create a group that contains the most
essential programs for your organization and select the Group Settings Available in the Disconnected
Policy option for that group. It is also recommended that you allow the client to contact the Program Advisor
Server directly. This will ensure that your users always have access to the most important programs.
Permissions for individual programs are always included in Policies.

Default Groups
Check Point provides the following default program groups:
• PA quarantined programs - If you are using Program Advisor, this group contains all the programs that
Program Advisor recommends terminating. This group has precedence over all other groups. You
cannot change the rank of this group, disable this group, or override its group permissions. You can,
however, override the permissions for the individual programs in this group, but this is not
recommended. If you do not have a Program Advisor license, this group does not appear.
• PA referenced programs - If you are using Program Advisor, this group contains all the programs that
Program Advisor recommends allowing or asking the user about. This group always ranks immediately
after your custom groups. You cannot change the rank of this group or override its group permissions.
You can, however, disable this group or override the permissions for the individual programs in the
group. If you do not have a Program Advisor license, this group does not appear.
• Unrecognized programs - This group contains all the programs that are not governed by any other
group. Programs remain in this group until you create groups for them. This is always the lowest-ranking
group. You cannot change the rank of this group.

Custom Groups
You can also create custom groups. Custom groups act as filters, grouping programs together according to
the criteria you specify.
Some possible uses for custom groups include:
• Grouping by publisher - Use this option when you want to apply the same permissions to all software
from the same company.
• Grouping by file name - Use this option to apply the same permissions to all versions of a program. This
is useful when your users are using many different versions of the same program, such as Microsoft
Outlook. You can also use this for programs that change checksum frequently, such as programs that
your organization is creating.

Permission Precedence
Program traffic is moderated according to the permissions of the first group it belongs to. Groups are ranked
in the following order:
• PA quarantined programs
• Custom groups, in the order they appear in the Program Group Permissions page.
• PA referenced programs
• Unrecognized programs
You can change the order of your custom groups, but you cannot change the order of any of the default
groups.
If you need to make an exception to the permissions for a group, you can set individual permissions for that
program. Generally, for maximum efficiency you should set permissions on the group level whenever
possible and only make exceptions when absolutely necessary.

Global and Policy Permissions


You can set permissions for programs either at the global level or in individual Policies.
Global program permissions are set in the Program Group Permissions page and apply to your domain (in
Multi-Domain mode) or the entire organization (in Single-Domain or Simple mode).
Policy-level program permissions are set in the policy. They only apply to the endpoint computers that
receive that policy.
It is recommended that you configure your global program permissions to reflect your general security needs
and then use policy-level permissions to create any special exceptions.

Note - Although you can configure program permissions at both the global and the policy level, both
settings are included in your security policy. You must redeploy your policy to have either global or
policy-level changes take effect.

Program Evaluation Process


In case of conflict between policy-level and global permissions, they are enforced in the following order:
1. Policy-level permissions for a particular program
2. Global permissions for a particular program
3. Policy-level permissions for the program group
4. Global permissions for the program group

The permission setting for the program is always displayed in the policy, in the program permission pages.
Policy-level permissions are shown in color. Global permissions are shown in gray.
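The group ranking from Permission Precedence and the four-step evaluation order above, combined into one
resolver, as an added Python example. This is not Check Point code and does not reproduce the Endpoint
Security implementation; the default group names are the ones this chapter lists, while the program names,
publisher names, "checksums" (placeholder strings, not real hashes) and permissions are constructed. The
useful property to take from it is that the resolver reports which level supplied the answer, which is what
you need when a policy-level exception seems to be ignored.

```python
"""Resolve the effective permission for a program: policy-level program permission, then
global program permission, then policy-level group permission, then global group permission,
where a program's group is the first group (by rank) whose filter matches it.

Added example, not Check Point code. Default group names are from this chapter; programs,
publishers, placeholder checksums and permissions are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ZONES = ("Internet", "Trusted")
ROLES = ("client", "server")      # client = establishes a connection, server = listens for one
Key = Tuple[str, str]             # (zone, role)


@dataclass(frozen=True)
class Program:
    name: str
    publisher: str
    checksum: str                 # placeholder identifier, not a real hash


@dataclass
class ProgramGroup:
    name: str
    member: Callable[[Program], bool]   # custom groups act as filters over program attributes


@dataclass
class PermissionSet:
    """One level (global or policy): program permissions keyed by checksum, group permissions by name."""
    programs: Dict[str, Dict[Key, str]] = field(default_factory=dict)
    groups: Dict[str, Dict[Key, str]] = field(default_factory=dict)


def for_all(permission: str) -> Dict[Key, str]:
    """The same permission for every zone/role combination."""
    return {(z, r): permission for z in ZONES for r in ROLES}


# Default groups named in this chapter; PA membership comes from Program Advisor, modelled here as sets.
QUARANTINED_CHECKSUMS = {"cs-quarantined-1"}
REFERENCED_CHECKSUMS = {"cs-referenced-1"}
PA_QUARANTINED = ProgramGroup("PA quarantined programs", lambda p: p.checksum in QUARANTINED_CHECKSUMS)
PA_REFERENCED = ProgramGroup("PA referenced programs", lambda p: p.checksum in REFERENCED_CHECKSUMS)
UNRECOGNIZED = ProgramGroup("Unrecognized programs", lambda p: True)


def rank_groups(custom: List[ProgramGroup]) -> List[ProgramGroup]:
    """Fixed precedence: PA quarantined, custom groups in their configured order, PA referenced, Unrecognized."""
    return [PA_QUARANTINED, *custom, PA_REFERENCED, UNRECOGNIZED]


def first_group(program: Program, groups: List[ProgramGroup]) -> ProgramGroup:
    """A program is moderated by the highest-ranked group whose filter matches it."""
    return next(g for g in groups if g.member(program))


def effective_permission(program: Program, zone: str, role: str, policy: PermissionSet,
                         global_perms: PermissionSet, groups: List[ProgramGroup]) -> Tuple[str, str]:
    """Return (permission, level that supplied it) following the evaluation order above."""
    key = (zone, role)
    group = first_group(program, groups)
    lookup = (
        ("policy program", policy.programs.get(program.checksum, {})),
        ("global program", global_perms.programs.get(program.checksum, {})),
        ("policy group", policy.groups.get(group.name, {})),
        ("global group", global_perms.groups.get(group.name, {})),
    )
    for level, perms in lookup:
        if key in perms:
            return perms[key], level
    raise LookupError(f"no permission for {program.name} {key}; Unrecognized programs needs a full set")


# Constructed configuration. Custom groups: one by publisher, one by file name.
CUSTOM_GROUPS = [
    ProgramGroup("ExampleCorp software", lambda p: p.publisher == "ExampleCorp"),
    ProgramGroup("Mail clients", lambda p: p.name.lower() == "outlook.exe"),
]
GROUPS = rank_groups(CUSTOM_GROUPS)
GLOBAL = PermissionSet(
    programs={"cs-ftpsrv": for_all("allow")},
    groups={
        "PA quarantined programs": for_all("terminate"),
        "ExampleCorp software": for_all("allow"),
        "Mail clients": {**for_all("allow"), ("Internet", "server"): "block"},
        "PA referenced programs": for_all("allow"),
        "Unrecognized programs": {("Internet", "server"): "block", ("Internet", "client"): "ask",
                                  ("Trusted", "client"): "allow", ("Trusted", "server"): "ask"},
    },
)
# Policy-level exceptions: ask before mail clients reach the Internet; block the FTP server in this policy.
POLICY = PermissionSet(
    programs={"cs-ftpsrv": {("Internet", "server"): "block"}},
    groups={"Mail clients": {("Internet", "client"): "ask"}},
)
OUTLOOK = Program("outlook.exe", "Microsoft", "cs-outlook")
INHOUSE_TOOL = Program("build.exe", "ExampleCorp", "cs-quarantined-1")   # quarantined despite its publisher
FTPSRV = Program("ftpsrv.exe", "SomeVendor", "cs-ftpsrv")
UNKNOWN = Program("unknown.exe", "", "cs-unknown")

if __name__ == "__main__":
    for prog in (OUTLOOK, INHOUSE_TOOL, FTPSRV, UNKNOWN):
        for key in [(z, r) for z in ZONES for r in ROLES]:
            print(prog.name, key, effective_permission(prog, *key, POLICY, GLOBAL, GROUPS))
```

Note that INHOUSE_TOOL matches both "PA quarantined programs" and "ExampleCorp software", and the
quarantine group wins only because it ranks first; a custom group can never take precedence over it, which is
the behaviour the Default Groups section describes.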

Program Observation
Programs do not appear in the program control user interfaces until they are observed by the Endpoint
Security system.
You can configure the client to detect programs on your endpoint computers as they attempt to connect with
the Internet or Trusted Zones. This is useful for determining what programs are actually in use by your
endpoint users.

Using Checksums
You may wish to identify programs by their checksums, instead of by filename alone. Checksums are unique
identifiers for programs that cannot be forged. This prevents malicious programs from masquerading as
other, innocuous programs.
Use the following features to identify programs by their checksums:
• Appscans - You can configure a reference computer with the typical programs that your endpoint
computers have. Scanning this computer produces a reference source file that contains all the
checksums for all the programs on the computer. You can import this scan file into the Endpoint Security
system. This is useful when groups of your endpoint users have computers with very similar software
configurations.
• Manual Input - You can also create checksums of individual programs and manually enter them, one by
one, into the system. This is only recommended if you have a very limited number of programs to enter.

Planning Program Control


As with most security settings, your program control permissions must balance user access with security.
You should pay particular attention to the settings you apply to Unknown Programs.

Internet Zone/Act as a Server


In most cases, you should not allow programs to act as servers to the Internet Zone. There are few reasons
a standard workstation needs to accept connections.
Generally, you should prevent this kind of network activity for Unknown Programs, because this type of
connection presents the greatest risk. Remote access Trojan horse programs can listen for connections
from hackers; and unauthorized or unsecured FTP and Web servers can be exploited to gain access to your
network.

Internet Zone/Act as a Client


To protect your network from common threats such as key loggers or remote access Trojan horse
programs, you should generally not allow programs to act as clients to computers in the Internet Zone.
However, there are legitimate reasons for some programs to have this kind of network access. For example,
applications with auto-update functions, mail clients, instant messengers, and Web browsers all need to be
able to access the Internet to perform their functions. To unblock legitimate applications, you must either
add the locations that the applications need to access to the Trusted Zone, or allow the application to act as
a client in the Internet Zone.

Trusted Zone/Act as a Server


You may want to prevent this kind of access for some programs to help prevent against attacks launched
from inside your organization. You may also want to prevent this kind of access on certain computers that
contain highly sensitive data. However, some programs legitimately need Trusted Zone server access for
features such as drive sharing. Also, some endpoint users may have a legitimate need to run server
programs on their endpoint computers.

Trusted Zone/Act as a Client
This is generally the least risky type of communication to allow. You will usually want to allow applications this kind of access so that they can reach printers, remote files, and internal Website locations. Broadly restricting this kind of access is normally only appropriate as a temporary measure in response to a serious attack.

Configurations for Unknown Programs


Since unknown programs generally present the most risk to your network, you should pay particular
attention to the permissions you assign to them. However, setting excessively restrictive permissions too
early in your implementation may lead to blocking legitimate traffic. This can be very disruptive to your
endpoint users.
For these reasons, it is generally recommended that your first Policies use less restrictive program permissions. Once you have populated the system with the more commonly used programs and sorted them into groups, you can gradually apply stricter program permissions.

Sample Program Permission Configurations


Use these sample program permissions for unknown programs when managing program control. The
sample permissions are presented in order from most lenient to most restrictive. Generally, this is the order
in which you should implement them in your security Policies. Each sample is evaluated for the following
criteria:
• Unknown attack protection - How effectively does the configuration protect against unknown attacks?
• User restriction - How much does this restrict what the end user can do?
• Policy maintenance - How much time will you have to spend maintaining the policy by adding exceptions and specific program permissions?
As a general rule, the more restrictive you are with these settings, the more protection you have from
unknown attacks, but the more work you will have to put into maintaining the policy.

Table 6-6 Sample Program Permissions

Sample                              | Trusted Zone Server | Trusted Zone Client | Internet Zone Server | Internet Zone Client
Block Internet Zone servers only    | Allow               | Allow               | Block                | Allow
Block all servers                   | Block               | Allow               | Block                | Allow
Block all non-trusted communication | Allow               | Allow               | Block                | Block
Block all internet applications     | Block               | Block               | Block                | Block

Block Internet Zone Servers Only


This is the most lenient of the sample settings for Unknown Programs. Because applications accepting
connections from the Internet pose the greatest risk to the endpoint, this configuration provides effective
security by blocking those connections.
This policy assumes you have defined your Trusted Zone and added any necessary corporate hosts and
networks to it. By leveraging the Trusted Zone, the few applications that need server rights to operate on the
corporate network will have these by default.

Table 6-7 Impact of Blocking Internet Zone Servers

Impact area               | Level | Explanation
Unknown attack protection | Good  | Any unknown application that tries to accept a connection from the Internet Zone is blocked.
User restriction          | Low   | Users are able to run any program that sends traffic to the network. They are also able to run any program that accepts a connection from a trusted host.
Policy maintenance        | Low   | You will only have to configure exceptions for applications that need to be specifically blocked from sending network traffic, or that need to accept connections on the Internet Zone.

Block All Servers


Use these settings for your Unknown Programs if you don't want to assume the Trusted Zone is safe to
accept connections from. This increases your level of protection, but requires more maintenance and is
potentially more disruptive to users if you fail to grant server permissions to legitimate programs.
Table 6-8 Impact of Blocking Servers

Impact area               | Level     | Description
Unknown attack protection | Very good | Applications that try to accept a connection are blocked.
User restriction          | Medium    | Users are able to run any program that sends traffic to the network. They are not able to run any programs that accept connections.
Policy maintenance        | Medium    | Only applications that need to be specifically blocked from sending network traffic will have to be added to the Specific Programs list. You will need to assign permissions to specific applications that need server rights.

Block All Non-trusted Communication


These settings are appropriate when you are comfortable that the Trusted Zone is accurately defined and
you are not concerned about attacks originating within your network.
Table 6-9 Impact of Blocking Internet Zone

Impact area               | Level     | Description
Unknown attack protection | Very good | Any application trying to send traffic or accept a connection from the Internet Zone is blocked.
User restriction          | High      | Users are able to run any program that communicates within the Trusted Zone. If a program communicates anywhere on the Internet Zone, it is blocked.
Policy maintenance        | Medium    | You will need to monitor your programs to ensure your custom program groups are adequate and have the right permissions. You may have to periodically review the Trusted Zone to ensure it is accurate.

Block All
The block all option completely prevents applications on the protected computer from communicating with all other computers. This provides the highest possible level of program control, but you must have adequate custom program groups with the correct permission levels to avoid disrupting your endpoint users.
Table 6-10 Impact of Blocking All Network Applications

Impact area               | Level     | Description
Unknown attack protection | Excellent | Any application trying to send traffic or accept a connection from the Internet Zone is blocked.
User restriction          | High      | Users are able to run any program that communicates within the Trusted Zone. If a program communicates anywhere on the Internet Zone, it is blocked.
Policy maintenance        | High      | You will need to monitor your programs to ensure your custom program groups are adequate and have the right permissions. You may have to periodically review the Trusted Zone to ensure it is accurate.

Creating Appscans
An Appscan is an XML file that contains MD5 and Smart checksums of the programs on a particular
computer in your environment.
Using Appscans you can quickly create program rules for the most common applications and operating
system files in use on your network.
Create an Appscan for each disk image used in your environment. You can then create rules that will apply
to those applications. Using Appscans to populate your Endpoint Security system is particularly useful if
your endpoint computers tend to have the same programs.
You create Appscans by running the SmartSum utility (appscan.exe) on a computer with a tightly-controlled
disk image, then importing the file into Endpoint Security.

Creating an Appscan
Before running SmartSum, set up a computer with all the programs that are standard for protected computers in your organization. If you have several different configurations, perform these steps for each endpoint computer standard configuration.

Important - The computer you scan to create an Appscan must be free of all malware. If you are certain that your scan is clean, you can create rules that allow the programs access to the network.

To run SmartSum from the command line:


1. Copy SmartSum, located in the <installdir>checkpoint\Integrity\engine\webapps\ROOT\bin directory on the Endpoint Security host, to the root directory (typically c:\) of the baseline reference source computer.
For SmartSum to execute on Windows 95, 98, or ME operating systems, you also need to copy unicows.dll, located in the <installdir>checkpoint\Integrity\engine\webapps\ROOT\bin directory on the Endpoint Security host, to the root directory (typically c:\) of the baseline reference source computer.

Important - Do not copy the unicows.dll file if the baseline reference source computer is running any operating system other than Windows 95, 98, or ME.

2. On the protected computer, open a command prompt window (go to Start | Run..., then type cmd).
3. In the command prompt window, go to the root directory by entering "cd \".

Note - To limit the scan to a specific directory, go to that directory, then begin your scan there (for example, cd \program files).

4. Type appscan \ to begin the scan.
You can modify the scan through the use of the Appscan switches.
When the scan is complete, an output file (scan.xml) is created in the directory where you ran the scan and the command prompt appears.
Your Appscan file is ready to be imported into Endpoint Security.

Appscan Switches
Use the following switches to modify your scan.
Table 6-11 Appscan switches and functions

Switch | Function

/o | Specifies the output file to be created. If no file name is specified, the default output file name (scan.xml) is used.
   Example 1: C:\appscan /o scan1.xml [files]
   In Example 1, the scan is named scan1. The output file name is used when importing it into the Endpoint Security server. If you conduct multiple scans on the same machine, give each scan a unique name.

/x | Designates target file name extensions to add to the scan.
   • The leading period before a file extension is required.
   • A semi-colon separates the target extensions.
   • The target extensions are grouped by quotes.
   • A target directory must be specified using the /s switch.
   • If the /x switch is not used in the command statement, only program files (.exe file name extension) are scanned.
   Example 2: C:\appscan /o scan2.xml /x ".exe;.dll" /s "C:\"
   In Example 2, the scan is named scan2, and the scan will include .exe and .dll files in the current directory only.

/s | Designates the directory for SmartSum to inventory.
   • If you do not use /s to designate a target directory, the scan will be run in the current directory only.
   • If you use /s, the scan will be run in the target directory and its subdirectories.
   Example 3: C:\appscan /o scan3.xml /x ".dll" /s c:\program files
   In Example 3, the scan is named scan3. The target directory is C:\program files and all its subdirectories. The target extension is .dll.
   Example 4: C:\appscan /o scan4.xml /x ".exe;.dll" /s c:\program files
   In Example 4, the scan is named scan4. The target directory is c:\program files. The target extensions are .exe and .dll.

/e | Use the /e switch to inventory all executable files in the target directory or drive, regardless of extension.
   Example 5: c:\appscan /s "C:\program files" /e
   In Example 5, all files are incorporated into the scan.

/a | Generates all file properties for each file inventoried.
   Example 6: c:\appscan /o scan6.xml /s "C:" /a
   In Example 6, the scan is named scan6. The target directory is the entire contents of c:. The output file displays file properties more thoroughly than it would without the /a switch. The /a switch does not affect the source.

/p | Displays progress messages.

/verbose | Displays progress and error messages.

/warnings | Displays warning messages.

/? or /help | Displays help for SmartSum.
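To show what a checksum inventory is actually doing, here is an added Python example; it is not SmartSum and does not produce the Appscan file format. It walks a reference tree, hashes each matching file with MD5, and writes a constructed XML layout. The extensions and recursive parameters mirror the intent of the /x and /s switches, ascii_only() applies the import note about removing special characters, and demo() builds a constructed sample tree in a temporary directory so the script runs offline. One caveat a practitioner should keep in mind: MD5 collisions are practical, so a matching hash pins the specific build you scanned on the reference computer; it identifies a file, it does not attest to its provenance.

```python
"""Build a checksum inventory of the executables under a directory, the way a
reference-computer scan identifies programs by MD5 rather than by file name.

Added example; it is not SmartSum (appscan.exe), and the XML layout written by
to_xml() is a constructed schema, not the Appscan file format. The `extensions`
and `recursive` parameters mirror the intent of the /x and /s switches; the
ascii_only() filter applies the import note about removing special characters.
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Tuple


def md5_of_file(path: str, chunk: int = 65536) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def ascii_only(text: str) -> str:
    """Drop non-ASCII characters (trademark symbols and the like) from names."""
    return "".join(ch for ch in text if ord(ch) < 128)


def inventory(root: str, extensions: Iterable[str] = (".exe",),
              recursive: bool = False) -> Dict[str, str]:
    """Return {path relative to root: md5} for files with a matching extension.

    As with /x, each extension must carry its leading period; as with /s, the
    scan covers subdirectories only when recursive=True.
    """
    exts = tuple(e.lower() for e in extensions)
    if any(not e.startswith(".") for e in exts):
        raise ValueError("extensions must include the leading period, e.g. '.dll'")
    if recursive:
        walker = os.walk(root)
    else:
        files = [f for f in os.listdir(root) if os.path.isfile(os.path.join(root, f))]
        walker = [(root, [], files)]
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in walker:
        for name in sorted(files):
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, root)] = md5_of_file(full)
    return result


def to_xml(inv: Dict[str, str], publisher: str = "") -> str:
    """Serialise the inventory; element and attribute names are constructed.
    Names pass through ascii_only() so the output carries no special characters."""
    top = ET.Element("inventory")
    for rel, digest in sorted(inv.items()):
        ET.SubElement(top, "program", name=ascii_only(os.path.basename(rel)),
                      path=ascii_only(rel), md5=digest,
                      publisher=ascii_only(publisher))
    return ET.tostring(top, encoding="unicode")


def demo() -> Tuple[Dict[str, str], Dict[str, str], str]:
    """Create a constructed reference tree in a temp dir and scan it twice:
    once like a bare 'appscan' (.exe, current directory only) and once like
    '/x ".exe;.dll" /s' (both extensions, with subdirectories)."""
    root = tempfile.mkdtemp(prefix="appscan-demo-")
    os.makedirs(os.path.join(root, "sub"))
    for rel in ("app.exe", "notes.txt", os.path.join("sub", "helper.dll")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"hello")  # constructed content; md5 is 5d41402abc4b2a76b9719d911017c592
    top_only = inventory(root)
    full = inventory(root, extensions=".exe;.dll".split(";"), recursive=True)
    # A constructed publisher string with a trademark symbol, which ascii_only() strips
    return top_only, full, to_xml(full, publisher="Example Corp\u2122")


if __name__ == "__main__":
    a, b, xml_text = demo()
    print("current dir only:", a)
    print("recursive .exe/.dll:", b)
    print(xml_text)
```

Running it prints the two inventories and the XML. The non-recursive scan sees only app.exe; the recursive scan with both extensions also picks up sub/helper.dll, and the trademark symbol in the constructed publisher name is gone from the output, which is the condition the import note asks you to meet by hand for a real Appscan.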

Importing Appscans
After generating an Appscan file, import it into Endpoint Security. You can also import any of the provided
Appscans for other versions of Windows from the Samples folder in your installation folder.

Note - You must remove all special characters, such as trademark symbols, from the Appscan before importing it.

To import an Appscan:
1. Click New Program and select Import Scan.
2. Browse to the Appscan file: scan.xml
3. Click Import.

Adding Programs Manually
If there is a program that has not been observed on your system that you want to proactively set
permissions for, you can add it manually. Adding programs manually and then setting the global program
permissions to block is especially useful for protecting your system from new malicious programs.
To manually add a program:
1. If you are in Multi-Domain mode, switch to a Non-System Domain.
2. Click Program Permissions.
The Program Group Permissions page opens.
3. Click New Program and select Add Manually.
4. Enter the information for the program and click Save.
Options         | Description
MD5 Checksum    | The MD5 checksum of the file. MD5 checksums are 128-bit checksums.
Smart Checksum  | The Smart checksum of the file. The 128-bit Smart Checksum allows program files that change frequently, or have unique MD5 checksums when installed on a specific endpoint computer, to be validated.
File Name       | Name of the executable.
File Version    | Version of the executable.
Publisher       | Company or organization that produced the program file.
Product Name    | Product name of this program file.
Product Version | Version number of the program.
Language        | Language of the program.

Creating Program Groups


Endpoint Security comes with some default program groups. You should create additional, custom program
groups to facilitate managing your program permissions. Program groups allow you to assign permissions to
entire groups of programs at once.
Program groups act as filters, grouping programs according to the criteria you specify. As programs are
added to the Endpoint Security system, they are automatically added to the appropriate group and the
permissions you specify for that group are enforced.

Important - By default, when an endpoint computer cannot contact the Endpoint Security server, it will use the permissions for Unknown programs. If you are using Office Awareness and want your program group permissions to apply instead, see Group Permissions and Policies (on page 80).

To create a custom program group:


1. If you are in Multi-Domain mode, switch to a Non-System Domain.
2. Click Program Permissions.
The Program Group Permissions page opens.
3. Click New Group.
4. Provide the Group Definition information.

Group Definition | Description
Name | The name of the program group.
Description | The description of the program group.
Make Settings Available To Unconnected Clients | Includes the group settings in the policy file that is sent to the endpoint computer. If this option is not selected, and a program is not governed by either an individual program permission or by Program Advisor, clients that cannot connect to the Endpoint Security server will use the permissions for unknown programs.
Rank | The priority of the group, determining enforcement if a program belongs to more than one group. For example, with one program group for Browsers, and a second for Internet Explorer All Versions, IE 6.0 would be a program that falls in two groups. When a client begins to use this program, the group with the higher rank will enforce its permissions over the client.

5. Define the program with the Filter Settings.
You can use either standard Windows wild cards, such as '*' or '?', or Java regular expressions to specify your filter information. Java regular expressions must be preceded by a '|'.
These settings determine which programs will be added to this group. For this example, to block access to all programs with the file name 'Firefox', add 'Firefox' to the File Name field.
6. Configure the Permission Settings for the group.
Permission | Description
Terminate all programs in this group | Choose this option to shut down all the programs that are in the group.
Use the following settings for the programs in this group | Choose this option to specify permissions (allow, block, ask user) for this program to act as client and as server, in the Trusted Zone or the Internet Zone.

7. Click Save.
8. Redeploy your Policies.
Although you can configure program permissions at both the global and the policy level, both settings
are included in your security policy. You must redeploy your policy to have either global or policy-level
changes take effect.

Setting Program Permissions


You can set program permissions for groups of programs. This is the recommended way to set permissions
for most programs.

Important - By default, when an endpoint computer cannot contact the Endpoint Security server, it will use the permissions for Unknown programs. If you are using Office Awareness and want your program group permissions to apply instead, see the important information and workaround in Group Permissions and Policies (on page 80).

You can also set permissions for individual programs. These permissions override the permissions set for
the program group. Permissions given to an individual program persist even if the program changes groups.

To set individual program permissions:
1. If you are in Multi-Domain mode, switch to a Non-System Domain.
2. Click Program Permissions.
The Program Group Permissions page opens.
3. Click the Group Name that the program belongs to.
The Program Permissions page opens, displaying the programs in the selected group.
4. Click the Program Name.
The Edit Permission Settings page opens.
5. In the Permissions Settings area, configure the permissions.
Options | Description
Use the group's permission settings for this program | Default; no override.
Override settings and terminate the application | All settings for the group are ignored for this program; as soon as it is observed to be installed or activated, it is shut down.
Override settings with the settings below | Set the permissions for this program for when it is in the Trusted Zone and when in the Internet Zone. For each zone, set permissions for when the program is acting as client and when it is acting as server.

Note - You cannot configure more permissive settings for the Internet
Zone than for the Trusted Zone, nor for server connections than for
client connections. For example, if the Client - Trusted setting is
Block, all settings must be Block; if the Server - Internet setting is
Allow, all settings must be Allow.

Setting Policy-Level Permissions


Use policy-level permissions to set exceptions to your global rules for the endpoint computers that receive
that policy.
To set policy-level permissions for a program group:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Program Rules tab.
4. Click Edit Permissions in the row of the group.
The Edit Program Group page opens.
5. Select either Terminate all programs in this group; or Use the following settings for the programs
in this group and set the permissions.
Set the permissions for this program for when it is in the Trusted Zone and when in the Internet Zone.
For each zone, set permissions for when the program is acting as client and when it is acting as server.

Note - You cannot configure more permissive settings for the Internet
Zone than for the Trusted Zone, nor for server connections than for
client connections. For example, if the Client - Trusted setting is
Block, all settings must be Block; if the Server - Internet setting is
Allow, all settings must be Allow.

6. Click Done.
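The consistency rule in the note above, and in the identical note under "Setting Program Permissions", can be checked before a matrix is saved. The following is an added example, not product code; it assumes the ordering block < ask user < allow, since the guide states only the Block and Allow end points, so the position of "ask" is an assumption. violations() reports each breach of the two constraints, and tighten() resolves them the way the note's first illustration does, by lowering the other cells to match:

```python
"""Validate a program's four-cell permission matrix against the rule in the
note: the Internet Zone may not be more permissive than the Trusted Zone,
and acting as a server may not be more permissive than acting as a client.

Added example; not product code. The ordering block < ask < allow is an
assumption, since the guide states only the Block and Allow end points.
"""
from typing import Dict, List, Tuple

PermKey = Tuple[str, str]           # (zone, role)
Matrix = Dict[PermKey, str]

RANK = {"block": 0, "ask": 1, "allow": 2}   # assumed permissiveness order
ZONES = ("trusted", "internet")
ROLES = ("client", "server")


def matrix(tc: str, ts: str, ic: str, is_: str) -> Matrix:
    """Build a matrix from (trusted client, trusted server, internet client, internet server)."""
    return {("trusted", "client"): tc, ("trusted", "server"): ts,
            ("internet", "client"): ic, ("internet", "server"): is_}


def violations(m: Matrix) -> List[str]:
    """Return one message per violated constraint; an empty list means consistent."""
    problems: List[str] = []
    for zone in ZONES:                                   # server <= client
        if RANK[m[(zone, "server")]] > RANK[m[(zone, "client")]]:
            problems.append(
                f"{zone}: server={m[(zone, 'server')]} is more permissive "
                f"than client={m[(zone, 'client')]}")
    for role in ROLES:                                   # internet <= trusted
        if RANK[m[("internet", role)]] > RANK[m[("trusted", role)]]:
            problems.append(
                f"{role}: internet={m[('internet', role)]} is more permissive "
                f"than trusted={m[('trusted', role)]}")
    return problems


def _least(*values: str) -> str:
    return min(values, key=RANK.__getitem__)


def tighten(m: Matrix) -> Matrix:
    """Return the least restrictive consistent matrix that is nowhere more
    permissive than the input, by lowering each cell to its ceilings.
    Trusted/client is the anchor: if it is Block, everything becomes Block."""
    tc = m[("trusted", "client")]
    ts = _least(m[("trusted", "server")], tc)
    ic = _least(m[("internet", "client")], tc)
    is_ = _least(m[("internet", "server")], ic, ts)
    return matrix(tc, ts, ic, is_)


if __name__ == "__main__":
    bad = matrix("block", "allow", "allow", "allow")   # Client - Trusted is Block
    for p in violations(bad):
        print("violation:", p)
    print("tightened:", tighten(bad))
```

The note's second illustration (Server - Internet set to Allow forces everything to Allow) is the same constraint read upward; tighten() chooses the downward resolution because lowering a permission never widens exposure, whereas raising the other three cells would. Use violations() if you would rather refuse the save than silently change it.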
To set policy-level permissions for an individual program:
1. In the Program Rules tab, click the link of the group to which the program belongs.

The table refreshes to show the programs in the group.
2. Click the link of the program to change.
The Edit Program Permission Settings page opens.
3. Set the permissions for this program and click Done.
The program is listed in italics and its permissions are shown in color, rather than inherited gray.
To restrict access to areas in Allowed zones:
1. In the Edit Program Group page for a group or the Edit Program Permission Settings page for a
program, click Add in the Firewall Rules section.
The Program Group Rules page opens.
2. Choose the firewall rules that set the Source as Client Computer; Destination as the part of the zone
that you want to restrict; and Action as Restrict.
If needed, you can create new rules using the New Firewall Rule button.

Note - Firewall rules are enforced in the order listed. These rules are
applied only if the program has the required permission to act as a
server or act as a client for the Zone involved.

3. Click Add.
4. Click Done.
5. Click Save.

Configuring Alert Levels


Endpoint Security clients can alert endpoint users whenever programs try to perform restricted functions. To
avoid overwhelming endpoint users with alerts, you may want to prevent the clients from showing all of
these alerts.
To configure alert levels:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
Open the Client Settings tab.
3. In the Client Alerts and Logs area, clear the Display check boxes of the alerts that you do not want the
users to see.
4. Click Save.

Editing Anti-malware Settings


Check Point Anti-spyware protects your network from threats ranging from worms and Trojan horses to
adware and keystroke loggers. Use Anti-spyware to detect and treat viruses and spyware on your endpoint
computers.
Check Point Anti-virus allows you to provide centrally-managed protection against virus risks to your
endpoint computers.
The Endpoint Security server regularly receives updated virus and spyware definitions from a Check Point
update server. You can use these definitions in Policies to check your endpoint computers and enforce
regular scans and set treatment options.
You can accept the default treatment and client notification or restriction settings, or modify the settings by
virus or spyware category.
For example, you might configure a policy that deletes Trojans and then notifies end users of the deletion.
After configuring treatment options, you can enforce regular scans and treatments, and then observe, warn,
or restrict endpoints that are not successfully scanned and treated at the appointed time. Your treatment
parameters and enforcement settings become part of the Policies you deploy to endpoints.
Before you begin to configure Anti-malware in Policies, make sure your environment is set up correctly to
receive and deploy updates ("Enabling Updates" on page 92).
You can use the Anti-malware feature for legacy clients (versions prior to R73) as well as for new clients. To
do so, you must first enable support for legacy clients ("Enabling Support for Legacy Clients" on page 93).

Enabling Updates
Before you begin to configure Anti-malware in Policies, make sure your environment is set up correctly to
receive and deploy updates.
To plan for Anti-malware functionality:
1. License Anti-malware. If you have not already done so, generate and apply your licenses for endpoints
and updates.
2. Endpoint Security must have access to ports 80 and 443 to retrieve the latest virus and spyware
information. Make sure that your firewall allows this traffic.
3. If you plan to use Anti-malware in an environment that includes a proxy server for Internet access,
configure Endpoint Security to work with a proxy server.
To configure a proxy server in Windows:
1. Open the Registry Editor (regedit.exe).
2. Edit "My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0
\IntegrityTomcat\Parameters\Java\options" by adding the following:
-DproxySet=true
-Dhttp.proxyHost=<hostname>
-Dhttp.proxyPort=port
-Dhttps.proxyHost=<hostname>
-Dhttps.proxyPort=port
3. Close the Registry Editor.
4. Open the Services panel.
5. Stop the "Check Point Tomcat" service, and then restart it.

Configuring Proxy Servers in Linux


To configure a proxy server (in a standard Linux installation):
1. Edit ~/engine/bin/catalina.sh, replacing the line:
JAVA_OPTS="-Xms256M -Xmx512M -Djava.awt.headless=true"
with the line:
JAVA_OPTS="-Xms256M -Xmx512M -Djava.awt.headless=true -DproxyHost=true
-Dhttp.proxyHost=hostname -Dhttp.proxyPort=port -Dhttps.proxyHost=hostname
-Dhttps.proxyPort=port"
2. Save the file.
3. Restart Endpoint Security by issuing:
<Install Directory>/bin/IntegrityStop
<Install Directory>/bin/IntegrityStart
The default install directory is /opt/CPIntegrity
To reset the JAVA_OPTS environment variable:
• Use the appropriate setenv call to reset the value of JAVA_OPTS to:
"-Xms256M -Xmx512M -Djava.awt.headless=true -DproxyHost=true
-Dhttp.proxyHost=hostname -Dhttp.proxyPort=port -Dhttps.proxyHost=hostname
-Dhttps.proxyPort=port"

Enabling Update Traffic


After configuring the proxy server, set up the firewall to accept the traffic to and from the update servers.
To enable update traffic through a proxy server:
1. In your firewall, allow outbound internet connectivity to
• PA2.zonelabs.com
• cm2.zonelabs.com
2. In your firewall, allow inbound and outbound connectivity to the Anti-Malware update servers:
• Anti-virus update server - http://kav-integrity.zonelabs.com/
• Anti-spyware update server - http://upd.zonelabs.com/zonealarm/online/

Enabling Support for Legacy Clients


To specify the relevant settings for legacy clients (versions prior to R73), you need to enable support for
legacy clients first.
To enable support for legacy clients:
1. Open the Home page of the Endpoint Security Administration Console.
2. Click Modify Signature and Client Update Settings at the bottom right of the window.
The Signature and Client Update Settings window opens.
3. Under Legacy AV and AS updates, select Support Clients prior to R73.
The General, Anti-Spyware and Antivirus Scan, and Treatment settings relevant to the legacy clients become available on the Anti-malware tab of the Policies page.

Configuring Anti-malware Protection


Configure Anti-malware settings in Non-System Domains (Multi-Domain mode) or in your Policies (Single-
Domain). Anti-malware settings supply the same protection as the combination of Antivirus and Anti-
Spyware did in previous versions.
To configure Anti-malware protection in a policy:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Anti-malware tab.
4. Select:
• Protect against spyware
• Protect against viruses
• Enable WebCheck
The settings are now accessible.

Anti-malware Settings
Use the Anti-Malware tab of a policy to configure Anti-Spyware, Antivirus, and WebCheck settings for the
current policy.

General Settings
What general settings are available depends on whether you have enabled legacy clients ("Enabling
Support for Legacy Clients" on page 93) or not.
Table 6-12 Option when Legacy Clients Are Disabled

Option | Description
Protect against malware | Activates Anti-malware protection in the policy.

Table 6-13 Options when Legacy Clients Are Enabled

Option | Description
Protect against spyware | Activates Anti-Spyware protection for legacy clients in the policy. Note that this setting does not affect client version R73 and greater. For these clients, use the Scan Riskware setting.
Protect against viruses | Activates Antivirus in the policy for all clients with Antivirus or Anti-malware installed. When activated, on-access scans are always performed automatically on client files.

WebCheck Settings
Use WebCheck to set options for web security.
Option | Description
Enable WebCheck | Select this checkbox to activate WebCheck in the policy.
Enable Site Status Check | Checks security-related information about each site visited. If this setting is enabled, users can click the Site Status button in the WebCheck toolbar for details about the security level of any site they are currently visiting.
Enable Anti-phishing (Signature) | Tracks recently discovered phishing and spyware sites, and interrupts browsing with a warning.
Enable Anti-phishing (Heuristics) | Checks sites for phishing characteristics.
WebCheck trusted sites | To configure which sites are safe to exclude from WebCheck protection, provide the safe site URL in the Domain/Site field, and click Add.

Anti-Spyware Scan Settings


The Anti-Spyware Scan settings are available only if support for legacy clients has been enabled ("Enabling
Support for Legacy Clients" on page 93). For clients running Endpoint Connect, see the description of Anti-
malware settings below.
Option | Description
Schedule regular Anti-Spyware scans | Select the day and time for a scheduled scan. Note - If a client moves from one policy to another (for example, from Connected Policy to VPN Policy), the client will do the scan for both schedules. For example, if the Connected Policy is scheduled to run on the 13th of every month, and the VPN Policy is scheduled to run every Monday, the Anti-Spyware scan will run every Monday and again on the 13th. To avoid too many scans (which take resources from the computer), make sure that policy schedules are synchronized.
Restrict clients that don't comply with the Anti-Spyware Scan settings | Restrict clients that have not run the scheduled spyware scans. Endpoints that are not successfully scanned at the scheduled time are restricted according to the restriction Enforcement Rules you created with <tp_es>.

Antivirus Scan Settings


The Antivirus Scan settings are available for all clients that have Anti-malware or Antivirus installed.

Managing Security Policies Page 94


This is an optional deep Antivirus scan setting, which you can run in addition to the automatic Antivirus scans
that are always run when Antivirus is activated in a policy. This area allows you to schedule a very detailed
Check Point Antivirus scan of every file on the Scan Targets you select.
Because it is so rigorous, this scheduled deep Antivirus scan has a significant impact on endpoint
performance. For this reason, these scans are recommended for previously-unprotected endpoints, and are
best run when your end users are not using their computers.
Option Description

Frequency - Select Daily, Weekly, or Monthly for the deep scan to run on endpoints with this policy.
Note - To avoid too many scans (which take resources from the computer), make sure that policy schedules
are synchronized. (See the explanation in Anti-Spyware Scan Settings above.)

Starting On - The date and time for the Antivirus scan schedule to start.

Scan Riskware - This setting activates Anti-Spyware scanning for all R73 clients.

Enable NTFS File System based optimizations - We recommend that you use this setting, which optimizes
scans by skipping untouched files securely on computers with NTFS file systems.

Enable Checksum based optimization - We recommend that you use this setting, which optimizes scans by
skipping untouched files securely on computers that do not have NTFS file systems.

Anti-malware Scan Settings


Option Description

Schedule regular Antivirus scans - Frequency: Select Daily, Weekly, or Monthly for the deep scan to run on
endpoints with this policy.
Note - To avoid too many scans (which take resources from the computer), make sure that policy schedules
are synchronized. See the explanation in the section for Anti-Spyware Scan settings above.
Starting On: The date and time for the Antivirus scan schedule to start.

Scan Riskware - This setting activates Anti-malware scanning for all R73 clients.

Enable NTFS File System based optimizations - We recommend that you use this setting, which optimizes
scans by skipping untouched files securely on computers with NTFS file systems.

Enable Checksum based optimization - We recommend that you use this setting, which optimizes scans by
skipping untouched files securely on computers that do not have NTFS file systems.



Scan Level - In the drop-down list, select one of the following:
Deep Scan - with this option, everything except archives will be scanned.
Normal Scan - with this option, everything except archives and non-executable files will be scanned.
Quick Scan - with this option, only the Windows folder and startup items will be scanned.

Scan Targets Settings


Use this feature to choose the drives you want scanned for viruses or spyware.
Choose the type of drives to be scanned on the endpoint computer. Target drives are scanned only at
scheduled scan times.
To increase the efficiency of your scan, specify parts of endpoint computers to scan: any local, removable,
CD-ROM, or network drive as a target drive.

Scan Exclusions and Trusted Processes


In this area, you can define paths to be excluded from scans, and processes which are to be trusted.
Option Description

Excluded path - Use this feature to specify paths to be excluded from Antivirus scans.
Specify the fully-qualified path for the file types or directories you want excluded from the scan, and then
click Add.
Use this option to save time when scanning, or exclude certain types of files, such as large database files.

Trusted Process path - Use this feature to designate executables as trusted processes. This means that you
trust the executables to read or write to any file.
The files to which a trusted process reads or writes are excluded from anti-virus scans.
The executable (trusted process), however, is scanned because it is the files to which the executable reads
and writes that are exempted from the scan, and not the executable itself.
Example: If you designate C:\windows\notepad.exe as a trusted process, any file that notepad.exe opens will
be allowed and not scanned. However, the file C:\windows\notepad.exe will be scanned.
Specify the fully-qualified path, including any environment variables, for the executable that you want to
designate as a trusted process, and then click Add.

Treatment Settings
How you define treatment settings depends on whether you have enabled legacy clients ("Enabling Support
for Legacy Clients" on page 93) or not.
Use these settings to configure the action that Endpoint Security clients should perform when certain types
of infections are detected.



Table 6-14 Options when Legacy Clients are Disabled
Treatment Table Option Description

Treatment - Options for treating malware.
• Ask endpoint user: Displays a message to the endpoint user, who decides what action to take: repair,
quarantine file, rename, delete, or ignore once.
• Repair the file. If repair fails, alert endpoint user: Attempts to repair infected file. If the Endpoint Security
client cannot repair the file, it asks the user what action to take.
• Repair the file. If repair fails, quarantine the file: Attempts to repair infected file. If the Endpoint Security
client cannot repair the file, it places the file in quarantine to prevent further infection.
Table 6-15 Options when Legacy Clients are Enabled

Treatment Search Option Description

Application Name - Filter the list for a specific spyware application.

Category - Filter the list for a type of spyware, select a category.

Treatment Table Option Description

Category - The type of malware: any, adware, browser plugin, dialer, hacker tool, keystroke logger, RAT,
screen logger, trojan, worm, other.
To allow a specific Anti-Malware program to run: Click a category link or type an application name in the
Search. The Treatment table refreshes with program options. Select Always Allow for the program you want,
and then click Back.

Action - The level of user notification for treatments.
• Automatic: Performs treatment without notifying user.
• Notify: Performs treatment, then notifies user. The user cannot cancel the treatment.
• Confirm: Specify treatment: Allow (to let the spyware application run one time), Always Allow (to let the
application run at any time), Quarantine, or Delete.



Treatment Table Option Description

Treatment - Options for treating malware.
• Ask endpoint user: Displays a message to the endpoint user, who decides what action to take: repair,
quarantine file, rename, delete, or ignore once.
• Repair the file. If repair fails, alert endpoint user: Attempts to repair infected file. If the Endpoint Security
client cannot repair the file, it asks the user what action to take.
• Repair the file. If repair fails, quarantine the file: Attempts to repair infected file. If the Endpoint Security
client cannot repair the file, it places the file in quarantine to prevent further infection.
Choose one of the following options for treating detected spyware:
• Quarantine: Quarantines all malware in this category.
• Delete: Deletes all malware in this category.
• Allow: Allows all malware in this category.
Note - You can only Allow or Delete for tracking cookies, as they are numerous.

Always Allowed - Number of programs specified to run during the scan.

Table 6-16

Enforcing Anti-spyware Scans and Treatments


In the Edit Policy page > Anti-Malware tab, you can select Restrict clients that don't comply with the
Spyware Scan settings.
An endpoint is considered to be non-compliant with the scan enforcement if the user refuses or interrupts
the scan or if the client fails to treat one or more spyware items. Non-compliant endpoints can be restricted
from the network.
A scan is successful if the client treats all detected spyware applications. If any spyware applications remain
untreated, the scan is not considered successful and does not satisfy enforcement requirements. Scans are
considered successful, however, if Flex users intentionally allow a suspected spyware application.
You may want to initially configure Anti-spyware without enforcement to minimize user disruption. Later, you
can add enforcement to your Policies to increase user compliance.

Editing SmartDefense Settings


Employ SmartDefense to provide your enterprise with protection from several forms of network attacks.
These attacks are characterized by the misuse of allowed traffic and services, and have the potential to
cripple a network and cause Denial of Service (DoS) conditions that block endpoint access to hosts and
servers.

Note - The version of SmartDefense that is included in Endpoint Security is R55.

SmartDefense creates a framework of defense against attacks that are intended to harm the network by
flooding it. You activate SmartDefense on your network by enabling it in the Policies you deploy to your
endpoints. While endpoint users are not allowed to configure SmartDefense, they do have the option of
viewing SmartDefense logs with the client Alerts and Logs feature.
When SmartDefense protections are in place on your network endpoints, the network is protected from the
following attacks:
• Ping of Death
• Tear Drop
• LAND
• Large (Max) Ping
• Malformed ANI
• CIFS worm catcher
• SQL slammer
• HTTP worm catcher
• HTTP header rejection

Configuring SmartDefense in a Policy


To configure SmartDefense in a policy:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the SmartDefense tab.
4. Select Turn SmartDefense Protections ON for this policy.
5. Click Save.

Editing Messaging Settings


You can prevent your endpoint computers from participating in e-mail attacks using MailSafe. MailSafe limits
outgoing e-mail to prevent e-mail worms and other malicious code from using the endpoint computer to send
messages. It prevents endpoint computers from sending suspiciously large numbers of e-mails in short
intervals and from sending e-mails to unusually large numbers of recipients. E-mail operations that exceed
your specified limits trigger a warning to the endpoint user.
MailSafe works only with the SMTP protocol.

Configuring MailSafe Protection in a Policy


To configure MailSafe protection:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Messaging Settings tab.
4. Configure the settings.
Option Description

Warn the user when too many messages are sent out in a specified interval. - Sets a number and frequency
of outgoing e-mails that trigger a warning to the endpoint user. Provide the number of e-mail messages and
the interval in the appropriate text boxes (or accept the defaults of 50 messages and two seconds).

Warn the user when the number of recipients in an e-mail exceeds: - Sets the number of e-mail recipients
(per e-mail message) that triggers a warning to the endpoint user. Provide the number of recipients that
triggers the warning (or accept the default of 50).
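The two MailSafe thresholds above, modelled as an added detection example in Python (constructed here, not Check Point's implementation): a per-message recipient check and a sliding-window count of outgoing SMTP sends, using the defaults of 50 messages in two seconds and 50 recipients per message. The class names, the `replay` and `burst` helpers and the event stream are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple


@dataclass(frozen=True)
class MailSafeLimits:
    """Thresholds from the Messaging Settings tab (defaults as in the table)."""
    max_messages: int = 50         # messages sent out ...
    interval_seconds: float = 2.0  # ... within this interval trigger a warning
    max_recipients: int = 50       # recipients per e-mail message


class MailSafeMonitor:
    """Constructed model of the MailSafe checks (not Check Point code).

    Sends must be recorded in non-decreasing time order; the deque holds the
    timestamps of sends that fall inside the current interval.
    """

    def __init__(self, limits: Optional[MailSafeLimits] = None) -> None:
        self.limits = limits or MailSafeLimits()
        self.sent: Deque[float] = deque()

    def record_send(self, ts: float, recipients: int) -> List[str]:
        """Record one outgoing message at time ts (seconds) and return the
        warnings it triggers; an empty list means the send is within limits."""
        warnings: List[str] = []
        # Recipient check is per message, independent of the rate window.
        if recipients > self.limits.max_recipients:
            warnings.append("too many recipients")
        self.sent.append(ts)
        # Evict sends older than the interval so the deque is exactly the window.
        while ts - self.sent[0] > self.limits.interval_seconds:
            self.sent.popleft()
        if len(self.sent) > self.limits.max_messages:
            warnings.append("too many messages")
        return warnings


def replay(sends: List[Tuple[float, int]],
           limits: Optional[MailSafeLimits] = None) -> List[Tuple[int, List[str]]]:
    """Replay (timestamp, recipient_count) sends through one monitor and
    return (index, warnings) for every send that triggered a warning."""
    mon = MailSafeMonitor(limits)
    hits: List[Tuple[int, List[str]]] = []
    for i, (ts, recipients) in enumerate(sends):
        warnings = mon.record_send(ts, recipients)
        if warnings:
            hits.append((i, warnings))
    return hits


def burst(count: int, spacing: float, recipients: int = 1) -> List[Tuple[float, int]]:
    """Constructed event stream: `count` sends, `spacing` seconds apart."""
    return [(i * spacing, recipients) for i in range(count)]


if __name__ == "__main__":
    # A worm-like burst (60 sends in 0.6 s) warns from the 51st send onward;
    # a legitimate mailer at 10 sends per second never exceeds 50 in 2 s.
    print(replay(burst(60, 0.01))[:2])
    print(replay(burst(60, 0.1)))
```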



Deploying Policies
When you save a policy, Endpoint Security does not automatically deploy it. This lets you save cumulative
changes to a policy without affecting users. It also lets you deploy the policy when it is convenient for you
(during off hours, for example, when users are not at work and more bandwidth is available).
To deploy a policy:
1. Click Policies.
The Policy Manager page opens.
2. In the row for the policy, click Deploy.
A confirmation message appears.
3. Click Yes.
The policy is now available for endpoints to download. If you have already assigned the policy, the
endpoints it is assigned to will download the policy on the next heartbeat or the next time they log in.

Creating Policy Packages


After you have Policies, and the Policies are deployed, you can bundle them into policy packages. This
allows you to provide connected and disconnected Policies consistently.
When two enterprise Policies are packaged together, if one or the other policy is redeployed, the policy
package is updated with the new policy settings and automatically redeployed.
To create a new policy package:
1. Click Policies.
The Policy Manager page opens.
2. Click New, and select Policy Package.
3. Name the policy package.
4. From the Connected Policy and from the Disconnected Policy drop-down, select a deployed policy.
5. Click Save.

Simple View - Activating Policies


In Simple view on Single-Domain mode, you cannot assign Policies. Instead, you can choose which Policies
to activate as your connected, disconnected, and gateway Policies. Disconnected Policies apply to users
that are not connected to the Endpoint Security server. Gateway Policies apply to users who connect
through a gateway. The same policy applies for all the gateways you have defined. Any other Policies you
have created remain inactive, and do not affect your endpoint users.
To activate Policies in Simple mode:
1. Click Policies.
2. In the Use As column for the policy, click Connected, Disconnected or Gateway.

Assigning Policies
For Endpoint Security clients to get a policy and policy updates, the policy must be assigned to the
endpoints.
You can assign Policies to a number of entity types, with the endpoints inheriting their policy from a larger
container entity. For example, the root node should have at least a Firewall policy assigned to it. This policy
is then inherited by all the nodes in the tree, unless you assign another Firewall policy to a specific node. If
that node has child nodes, they inherit this Firewall policy, unless you override it with another one.

Policy Inheritance
Endpoint Security users inherit Policies through the hierarchy of domains (in Multi-Domain mode), gateways,
catalogs, and groups, according to the assignment priority you choose. Assignment priority determines
which policy will be enforced when a user is assigned one policy through a user catalog and another through
the IP.
The following are examples of policy inheritance.

Multi-Domain Policy Inheritance Example


• User 1 receives Policy A, which it inherits from Domain 1.
• User 2 receives either Policy A from Domain 1 or Policy B from the Custom catalog, depending on the
assignment priority.
• User 3 is assigned Policy C directly, which overrides any other policy assignment.
• User 4 receives Policy D, which it inherits from the RADIUS it belongs to.
• User 5 receives Policy E from Domain 2, which has a gateway. Policies assigned to or inherited by a
gateway always have priority.

Figure 6-4 Multi-Domain Policy Inheritance

Single-Domain Policy Inheritance


• User 1 inherits the Default Policy.
• User 2 receives either the Default Policy or Policy A from the Custom catalog, depending on the
assignment priority.
• User 3 is assigned policy B directly, which overrides any other policy assignment.
• User 4 receives Policy C, which it inherits from the RADIUS it belongs to.
• User 5 receives the Default Policy because Policies assigned to or inherited by a gateway always have
priority.
• User 6 receives the Default Policy.

Figure 6-5 Single Domain Policy Inheritance

Assignment Order
You will want to assign Policies to your most inclusive organizational units first. After you have established
your basic security policy assignments in this way, you can make exceptions by assigning different Policies
to the sub-units.
Assign your Policies in the following order for maximum efficiency:
Order Entity to assign policy to: When to assign to this entity:

1 Domains (Multi-Domain mode) - Assign a policy to a domain to have all the members of that domain receive
that policy. This provides a basic level of security for all the domain members.

2 Gateways - Assign a policy to a gateway to ensure that users connecting through the gateway have an
appropriate policy. When endpoint users connect to your network through a gateway, they always receive the
gateway policy for the duration of the sessions, regardless of any other assigned policy.

3 Catalogs - Assign a policy to a catalog to provide more customized protection according to the user catalog
or IP range or subnet they belong to.

4 Groups - Assign a policy to a group in a catalog to provide customized security according to business units
or geography.

5 Individual endpoint users - Assign a policy directly to one or more users to provide exceptions to your
general security practices.



Assigning Policies
To assign a policy or policy package:
1. In Multi-Domain mode, go to the appropriate domain.
2. Click Endpoints.
The Endpoint Manager page opens.
3. Select the domain, gateway, catalog, group, or individual endpoint user and click Assign Policy.
If the item you are looking for is not on the screen, use the Search function, or drill down through the
hierarchy. If an item does not have a check box, you do not have permission to assign Policies to it.
Entities are added to the list only if they are defined in the Endpoint Security system; for example, if you
did not define a gateway, you will not see a gateway section in the list.
4. Select the policy or policy package to assign.
You can select a specific policy, or specify that the selected item should inherit a policy.
If you select a policy that has not been deployed, the assignment process automatically deploys it.
5. Click Assign.

Setting the Assignment Priority


A user may be subject to more than one security policy. For example, a user might belong to a group that
gets policy x, but have an IP that is assigned policy y. The assignment priority determines policy precedence
in such cases.
Default priorities:
• Unknown users and IP addresses receive the Default Policy.
• Gateway-based Policies always have priority over all other policy assignments. You cannot change this
priority.
To set the assignment priority:
1. Click Endpoints.
The Endpoint Manager page opens.
2. In the Assignment Priority area, click Edit.
3. Use the up and down arrows to change the priority.
4. Click Save.
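The inheritance examples and assignment-priority rules above, worked through as an added Python model (constructed here, not Check Point code): a gateway policy always wins, a direct user assignment overrides the remaining sources, the user catalog, IP catalog and domain are consulted in the configured assignment priority, and unknown users fall back to the Default Policy. Gateway names such as `GW2`, the dataclass names, and placing direct assignments below gateway assignments (the text says each overrides "any other" assignment) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DEFAULT_POLICY = "Default Policy"


@dataclass
class Gateway:
    domain: Optional[str] = None   # domain the gateway belongs to (Multi-Domain mode)
    policy: Optional[str] = None   # policy assigned to the gateway itself


@dataclass
class Deployment:
    """Policy assignments as made in Endpoint Manager (constructed model)."""
    domains: Dict[str, str] = field(default_factory=dict)        # domain -> policy
    gateways: Dict[str, Gateway] = field(default_factory=dict)   # gateway name -> Gateway
    user_catalogs: Dict[str, str] = field(default_factory=dict)  # user catalog -> policy
    ip_catalogs: Dict[str, str] = field(default_factory=dict)    # IP catalog -> policy
    # Assignment priority: the first source that yields a policy wins. Only
    # these sources are reorderable; gateway precedence cannot be changed.
    priority: Tuple[str, ...] = ("user_catalog", "ip_catalog", "domain")


@dataclass
class Endpoint:
    user: str
    domain: Optional[str] = None
    gateway: Optional[str] = None        # gateway the user is connecting through
    user_catalog: Optional[str] = None   # e.g. "Custom" or "RADIUS"
    ip_catalog: Optional[str] = None     # IP range or subnet catalog
    direct_policy: Optional[str] = None  # policy assigned to the user directly


def gateway_policy(d: Deployment, name: str) -> Optional[str]:
    """Policy assigned to a gateway, or inherited by it from its domain."""
    gw = d.gateways.get(name)
    if gw is None:
        return None                     # not a gateway defined in Endpoint Security
    if gw.policy:
        return gw.policy
    if gw.domain and gw.domain in d.domains:
        return d.domains[gw.domain]     # Multi-Domain example: User 5 gets Policy E
    return DEFAULT_POLICY               # Single-Domain example: gateway inherits Default


def resolve_policy(d: Deployment, ep: Endpoint) -> Tuple[str, str]:
    """Return (policy, source) for an endpoint, applying the precedence rules."""
    if ep.gateway:
        pol = gateway_policy(d, ep.gateway)
        if pol:
            return pol, "gateway"       # always has priority; not configurable
    if ep.direct_policy:
        return ep.direct_policy, "direct"   # assumption: ranks just below gateway
    for source in d.priority:
        if source == "user_catalog" and ep.user_catalog in d.user_catalogs:
            return d.user_catalogs[ep.user_catalog], "user_catalog"
        if source == "ip_catalog" and ep.ip_catalog in d.ip_catalogs:
            return d.ip_catalogs[ep.ip_catalog], "ip_catalog"
        if source == "domain" and ep.domain in d.domains:
            return d.domains[ep.domain], "domain"
    return DEFAULT_POLICY, "default"    # unknown users and IP addresses


def multi_domain_example() -> Deployment:
    """Constructed to mirror the Multi-Domain inheritance example above."""
    return Deployment(
        domains={"Domain 1": "Policy A", "Domain 2": "Policy E"},
        gateways={"GW2": Gateway(domain="Domain 2")},  # inherits Policy E
        user_catalogs={"Custom": "Policy B", "RADIUS": "Policy D"},
    )


def single_domain_example() -> Deployment:
    """Constructed to mirror the Single-Domain inheritance example above."""
    return Deployment(
        gateways={"GW": Gateway()},                     # inherits the Default Policy
        user_catalogs={"Custom": "Policy A", "RADIUS": "Policy C"},
    )


if __name__ == "__main__":
    d = multi_domain_example()
    for ep in (Endpoint("User 1", domain="Domain 1"),
               Endpoint("User 2", domain="Domain 1", user_catalog="Custom"),
               Endpoint("User 3", domain="Domain 1", direct_policy="Policy C"),
               Endpoint("User 4", user_catalog="RADIUS"),
               Endpoint("User 5", domain="Domain 2", gateway="GW2")):
        print(ep.user, resolve_policy(d, ep))
```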

Monitoring Policy Assignment


The Policy Assignment report shows Policies that are assigned to your endpoints. Use the report when you
have deployed a new or updated policy and want to confirm that endpoints have received the new
assignment. This feature is relevant to Multi-Domain and Single-Domain mode.
The Policy Assignment chart's legend may occasionally contain error categories such as "User not resolved"
or "Group not resolved," indicating that you have not assigned a policy to all entities, that you have removed
a group or catalog without updating the policy assignment, or that there is a problem with the client's
connection information.
To generate and view the Policy Assignment report:
1. Click Reports > Endpoint Monitor.
2. In the Chart drop-down, select Policy Assignment.

Rolling Back Policy Versions


Each time you save a policy, Endpoint Security stores a copy of the policy for reference and rollback. You
can use the policy history rollback function to restore the settings of an earlier version of a policy.

Note - Viewing the original policy version of a prepackaged policy is useful when you need to know the
default values for a security setting.



When you roll back to a previous policy version, the policy uses current definitions for policy components,
such as firewall rules and location definitions. Occasionally, the following conditions may occur when you roll
back to an earlier version of a policy:
• The rule or definition was modified since you created that version of the policy. In this case, the policy
includes the most current settings for rule or definition.
• The rule or definition was deleted since you created that version of the policy. In this case, the policy
includes the original, deleted rule or definition. The deleted rule or definition becomes local to the policy.
It does not appear in the Policy Objects pages and is not available for use in other Policies.
To roll back a policy to a previous version:
1. Click Policies.
The Policy Manager page opens.
2. In the row for the policy, click History.
3. To view the policy settings for the saved version, click the link in the Date Saved column.
4. Inspect the policy settings to verify that this is the version you want to restore and click Back.
5. In the version list, select a version, then click Roll Back.
A confirmation message appears.
6. Click Yes.
After you have rolled back to a previous version, you must deploy the policy to send it to the assigned
users.

Exporting Policies
You can export a policy for use with another Endpoint Security server.
To export a policy:
1. Click Policies.
The Policy Manager page opens.
2. In the row for the policy, click Export.
A dialog appears, asking you if you want to save the file.
3. Click Save.
4. Choose the location and name for your policy and click Save.
The policy is saved as an XML file. You can import this policy into another Endpoint Security server by
creating a new policy using the file.

Deleting Policies
You cannot delete a policy while it is assigned or is included in a client package.
To delete a policy:
1. Click Policies.
The Policy Manager page opens.
2. Remove all policy assignments for the policy.
• Select the policy, and click View Assignments.
The Endpoint Manager page appears, showing only those catalogs that have your chosen policy
assigned to them.
• Select the catalogs and select a new policy assignment from the Policy drop-down.
You can explicitly assign a different policy to the catalogs, or you can choose to have the catalog
inherit the policy from its parent.
• Click Assign.
Be sure to perform these steps for all the catalogs that are assigned the policy.
3. Remove the policy from all policy packages.
• For all the policy packages, check the Description field for the policy you want to delete.
• Click Edit and choose another policy for the package.
• Click Save.
Be sure to perform these steps for all the policy packages that contain the policy you want to delete.
4. In the row for the policy, click Delete.
A confirmation message appears.
5. Click Yes.

VPN Policies
If your network uses a virtual private network, you should create a separate policy for the VPN users and
assign it to the gateway they use. When users are connecting to the internet outside your LAN, they may be
exposed to many more security risks than when they are connected to your network. If an endpoint
computer is compromised or infected, it may be a source of security risk to other computers on your
network.
There are two basic approaches to dealing with this risk:
• Provide users with very restrictive VPN and disconnected Policies, but have lenient connected Policies.
This prevents security problems at their source, by preventing the original infection or compromise.
However, this high level of protection comes at the cost of usability. If your VPN policy is very restrictive,
your endpoint users may be unable to perform tasks on their computers, resulting in more support
expenses.
• Provide users with a very permissive disconnected policy, but use a very strict VPN and connected
Policies to ensure that their computers are clean and compliant when they are on your network.
This helps prevent infections from spreading to other computers in your network, but does not inhibit
usability. This can be a good solution when you are creating Policies for contractors who are using their
own computers, rather than your company's. This is also useful in countries where laws prohibit
restricting endpoint user activities when they are not working.
Specify connected and disconnected Policies by creating policy packages and assigning them to user or IP
catalogs. Specify VPN Policies by assigning a policy or policy package to the VPN gateway.

Using a Default VPN Policy


The Endpoint Security server includes a Default VPN Policy for you to apply to Check Point security
gateways with minimal configuration. This policy is designed to keep out any incoming traffic that is not
encrypted. It is also configured to allow encrypted outgoing traffic, SCV keep alive, and outgoing Visitor
Mode traffic.

Note - Visitor Mode tunnels all client-to-gateway communication through a regular TCP connection on port
443. All required VPN connectivity (IKE, IPsec, and so on) between the client and the server is tunneled
inside this TCP connection. This means that the peer gateway needs to run a Visitor Mode (TCP) server on
port 443.

Configuring the Default VPN Policy


Unlike the regular Default Policy, the Default VPN Policy is not applied automatically to any unassigned
users. Configure it for your gateway and apply it to the gateway.
To use the default VPN Policy:
1. Make a duplicate of the Default VPN Policy (Policy Manager > Default VPN Policy, click Duplicate).
The Edit Policy page opens.
2. Click Save twice and then click Manage Policy Objects.
The Policy Objects page opens to the Firewall Rule Manager tab.
3. Search for SC in the rule name, and click the Edit link of the SC Outgoing rule.
The Edit Firewall Rule page opens.
4. Add the Check Point gateway as the Destination, then click Save.
5. Click the Edit link of the SC Incoming rule and add the Check Point gateway as the Source, then click
Save.
6. Click the Edit link of the SC Visitor Mode rule and add the Check Point gateway as the Destination,
then click Save.
7. Open the Locations tab and add the IP address of the Check Point gateway, then click Save.
8. In the Policy Objects page, click Back.
9. Edit the Duplicate VPN Policy > Access Zones and add the Check Point gateway IP address location to
its Trusted Zone.
10. Save the Duplicate VPN Policy and assign it to the Check Point gateway.
To allow clients to initially connect, do the following:
• Add the SC Outgoing firewall rule to the disconnected policy.
• Add the Check Point gateway IP address to the Trusted Zone of the disconnected policy.

Creating a New VPN Policy


To create the VPN policy:
1. Configure the gateway in Endpoint Security.
To assign Policies to your gateway, configure it in Endpoint Security. The method for doing this varies
depending on whether you are using a gateway that is supported for Cooperative Enforcement (consult
with your Check Point vendor).
• Supported Gateways - If you are using a supported gateway, use the Gateways page to configure it
in Endpoint Security.
If you want to use Cooperative Enforcement with your supported gateway, it is recommended that
you not set any Restriction Firewall Rules. Using Cooperative Enforcement and Restriction Firewall
Rules simultaneously makes it difficult to troubleshoot your configuration.
• Unsupported Gateways - If your gateway is not supported for Cooperative Enforcement, you can still
assign a policy to it by creating an IP catalog for the IP range of the gateway. Use the Endpoints
page to create an IP Catalog for your VPN gateway.
2. Prioritize the IP Security Model. (Unsupported Gateways only)
The Security Model determines which policy a user gets when one policy is assigned to them as a user,
and another is determined by their IP address. To provide a stricter policy to VPN users, regardless of
their identity, set it to be the top model in the Security Model page.

Note - If you are using a supported gateway, the policy assigned to that
gateway always has priority.

3. Create a policy using the Medium Security template and assign it to the gateway or IP catalog you
created.
4. Populate your Trusted Zone.
Add the locations you want these users to have access to. It is recommended that you include the
following locations in the Trusted Zone:
• The internal and external IP Addresses of your VPN gateway
• The appropriate LAN/WAN subnets of the internal network: Class A, B, or C networks, such as
10.0.0.0, subnet masks, DNS or DHCP addresses
• The loopback address: 127.0.0.1
• The DNS server
5. Save and deploy the policy.



Chapter 7
Managing Policy Templates
Global administrators in Multi-Domain mode, in the System Domain, can create and publish policy
templates, which are used by domain administrators to create enterprise security Policies.

In This Chapter

Preconfigured Policy Templates 107


Creating a Policy Template 107
Modifying a Policy Template 108
Withdrawing a Policy Template 108
Deleting Policy Templates 108

Preconfigured Policy Templates


Endpoint Security includes preconfigured policy templates. Global administrators in Multi-Domain mode can
modify settings in these templates; other administrators can only use these templates to build new Policies.
Template Description

High Security - The High Security policy template provides an elevated level of security at the expense of
user connectivity.
Because high-level security settings can block communications from legitimate sources, you should add
such sources to the Trusted Zone before deploying the policy.
It is also important to define programs or to use Program Advisor with this policy.
This policy turns on a high number of alerts for evaluation purposes. To minimize user interruptions, disable
all alerts other than enforcement alerts before general deployment.

Medium Security - The Medium Security policy template provides mid-level security with minimal end-user
interruptions.

Observation - The Observation policy template is designed for observing endpoint behavior and testing client
deployment. It provides minimal security while maximizing user connectivity and recording information about
endpoint activity. Connectivity alerts let administrators confirm connections to the server.
It is recommended to turn off connectivity alerts before general deployment.

Creating a Policy Template


You can create a policy template from an existing policy, if you are a Global administrator in the System
Domain.

To create a policy template:
1. Click Policies.
The Policy Manager page opens.
2. Select the policy you want to publish as a template, and click Edit.
Optionally, you can select Lock this policy to prevent other administrators from changing the policy
template settings. This setting is not published. Therefore, Policies created from this template will not
automatically be locked.
3. Select Publish this policy as a template to all domains.
4. After reviewing and modifying the tabs of the policy as needed, click Save.
The Version Comments page opens.
5. Provide comments to indicate the changes made in this version of the policy. Comments help identify
major changes in case a roll back is needed later.
6. Click Save (policy is saved but cannot be downloaded) or Save & Deploy (save the policy and make it
available for endpoints to download, after you assign the policy to entities).
If you have not already done so, deploy clients to your endpoint computers.

Modifying a Policy Template


You can modify the policy templates you have created and the pre-configured policy templates provided with
Endpoint Security.
When you modify a policy template, existing Policies that were created from previous versions of the
template are not affected.
Modified policy templates are automatically published to all domains.

Withdrawing a Policy Template


Unpublish a policy to withdraw it from the domains without deleting it from the system.
To unpublish a policy template:
1. Click Policies.
The Policy Manager page opens.
2. Select the policy template, then click Edit.
3. Deselect Publish this policy as a template to all domains.
A warning message appears.
4. Click Save.
5. In the Version Comments page, click Save again.

Deleting Policy Templates


Deleting a policy template permanently removes the template and its history from Endpoint Security. If you
want to revert to a previous version, do not delete the template. The template is unpublished from the
domains, but Policies that were created using the template are unaffected.
To delete a policy template:
1. Click Policies.
The Policy Manager page opens.
2. Select the policy template, then click Delete.
The policy template has been completely removed from the system.

Program Advisor
Program Advisor is a Check Point service that provides permission recommendations for programs. Use
Program Advisor to get professional recommendations from Check Point security professionals about which
permissions to assign to common programs. This reduces your workload while improving security and
usability. Program Advisor requires the purchase of an additional license.

Program Advisor Server


The Program Advisor Server contains a database of program permissions that is constantly updated by
Check Point security professionals. The Program Advisor Server can perform the following functions:
• Provide program permissions to the Endpoint Security server - You can choose to either accept these
permission recommendations or override them with custom recommendations of your own.
• Provide program permissions to the Endpoint Security client - You can configure the enterprise policy to
allow the client to access the Program Advisor Server directly if the client cannot contact the Endpoint
Security server.

Client Program Advisor Process


Figure 7-6 Program Advisor Process

The following steps describe the client Program Advisor process:

1. A program on an endpoint either accesses the Internet, or is accessed by the Internet.
2. The client checks for locally-stored permissions for the program.
The client has two sets of locally-stored permissions: those set by the endpoint user, and those set by
the enterprise policy.
• If the client finds locally-stored permissions for the program, it checks the time-to-live date.
• If the client does not find locally-stored permissions, it attempts to contact the Endpoint Security
server to check permission settings.
3. The client checks the program permission time-to-live date.
If the client finds locally-stored permissions, and the policy is set to allow the client to ask the Endpoint
Security server, it checks the time-to-live.
• If the time-to-live has not expired, the client uses the locally-stored permissions.
• If the time-to-live has expired, the client will attempt to contact the Endpoint Security server to check
for new permission settings.
4. The client asks the Endpoint Security server.
If the client does not find locally-stored permissions, or the permission time-to-live has expired, the client
attempts to contact the Endpoint Security server to obtain program permissions.

Note - In the case of Flex users with policy arbitration enabled, Flex
will both ask the user whether or not to allow access and attempt to
contact the Endpoint Security server for program permissions. Flex
records the results of both queries in the personal and enterprise
Policies, respectively.

5. The client asks the Program Advisor server.
If the client does not find locally-stored permissions, or the permission time-to-live has expired, and the
client is not able to contact the Endpoint Security server, and you have set the policy to allow the client
to ask the Program Advisor server, it attempts to contact the Program Advisor server directly to obtain
program permissions.
In Simple view, the client always has permission to ask the Program Advisor server.
6. The client performs client-specific actions.
• If your endpoints are using Flex and you have set the policy to not allow the client access to the
Endpoint Security server or to not allow access to the Program Advisor Server, the client will ask the
user whether or not to allow access.
• If your endpoints are using Agent and you have set the policy to not allow the client access to the
Endpoint Security server or to not allow access to the Program Advisor Server, the client will block
access to and from the program.

Endpoint Security Server Program Advisor Process

The Endpoint Security server receives program permission requests from the client. In conjunction with the
Program Advisor server, the Endpoint Security server determines what permissions should be applied to the
program, and how it should be displayed in the Program Group Permissions page of the Endpoint
Security Administrator Console.
1. The Endpoint Security server receives the request from the client.
2. The Endpoint Security server checks for a matching reference source. If the program has a matching
reference source, the Endpoint Security server sends a response to the client. The client applies the
permissions you have set for referenced programs in the deployed enterprise policy.
3. The Endpoint Security server checks if Program Advisor is enabled. If Program Advisor is not enabled,
the Endpoint Security server sends a response to the client. The client applies the permissions you have
set for 'Unknown Programs' in the deployed enterprise policy.
4. The Endpoint Security server checks for custom overrides. You can set the Endpoint Security server to
override Program Advisor's recommendations with your own permission set. If you have set custom
overrides for this program, the Endpoint Security server sends a response to the client. The client
applies the custom permissions you specified.
5. The Endpoint Security server checks for Program Advisor recommendations. The Endpoint Security
server either contacts the Program Advisor server, or accesses a cached copy of the Program Advisor's
previous recommendations. Program Advisor recommendations stored on the Endpoint Security server
include a time-to-live stamp. If the time-to-live period has expired for the program, the Endpoint Security
server must contact the Program Advisor Server to check for new permissions.
• If Program Advisor has a recommendation for this program, the Endpoint Security server sends the
recommended permissions to the client. The client applies the Program Advisor permissions.
• If Program Advisor does not have a recommendation for this program, the Endpoint Security server
sends a response to the client, instructing it to mark the program as 'Unknown' in the Program
Group Permissions page. The client applies the permissions you have set for 'Unknown Programs'.
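The two resolution orders above (the client's local-cache and time-to-live checks, and the server's precedence of reference source, Program Advisor enabled, custom override, cached or fresh Program Advisor recommendation, and finally the 'Unknown Programs' setting) are easier to reason about as code. The following is an added illustration written for this guide, not Check Point's implementation: the class and function names (ServerState, ClientState, resolve_on_server, resolve_on_client), the one-hour cache lifetime and the sample permissions are assumptions. A permission is modelled as one string here; the product stores allow/block/ask per zone and per client/server role.

```python
"""Model of the Program Advisor permission-resolution order for the client and the
Endpoint Security server. Example code for this guide, not Check Point's code;
names, the cache lifetime and the sample permissions are assumptions."""
from dataclasses import dataclass, field

ALLOW, BLOCK, ASK, TERMINATE = "allow", "block", "ask", "terminate"
PA_TTL_SECONDS = 3600  # assumed time-to-live for cached recommendations


@dataclass
class CachedEntry:
    permission: str
    expires_at: float  # time-to-live stamp (seconds since the epoch)


@dataclass
class ServerState:
    now: float
    program_advisor_enabled: bool = True
    program_advisor_reachable: bool = True
    unknown_permission: str = BLOCK  # the 'Unknown Programs' permission in the policy
    referenced: dict = field(default_factory=dict)  # programs with a reference source
    overrides: dict = field(default_factory=dict)   # custom overrides of PA recommendations
    pa_cache: dict = field(default_factory=dict)    # program -> CachedEntry
    pa_live: dict = field(default_factory=dict)     # stands in for the Program Advisor server


def resolve_on_server(s, program):
    """Return (permission, display group) following the server's check order."""
    if program in s.referenced:                        # 2. matching reference source wins
        return s.referenced[program], "referenced"
    if not s.program_advisor_enabled:                  # 3. Program Advisor disabled
        return s.unknown_permission, "unknown"
    if program in s.overrides:                         # 4. custom override beats PA
        return s.overrides[program], "PA referenced"
    entry = s.pa_cache.get(program)                    # 5. cached recommendation + TTL
    if entry is not None and entry.expires_at > s.now:
        return entry.permission, "PA referenced"
    # TTL expired or nothing cached: the server must ask the Program Advisor server.
    # Treating an unreachable PA server like "no recommendation" is an assumption.
    if s.program_advisor_reachable and program in s.pa_live:
        s.pa_cache[program] = CachedEntry(s.pa_live[program], s.now + PA_TTL_SECONDS)
        return s.pa_live[program], "PA referenced"
    return s.unknown_permission, "unknown"


@dataclass
class ClientState:
    now: float
    client_type: str                   # "flex" or "agent"
    may_ask_server: bool = True        # policy: client may contact the Endpoint Security server
    may_ask_pa_directly: bool = False  # policy: client may ask Program Advisor directly
    server_reachable: bool = True
    pa_reachable: bool = True
    local: dict = field(default_factory=dict)  # enterprise-policy permissions stored locally


def resolve_on_client(c, server, program):
    """Return the permission the client applies, following steps 2-6 above."""
    entry = c.local.get(program)
    # Steps 2-3: local permissions are used unless the client may ask the server
    # and the stored time-to-live has expired.
    if entry is not None and (not c.may_ask_server or entry.expires_at > c.now):
        return entry.permission
    # Step 4: ask the Endpoint Security server and store its answer locally.
    if c.may_ask_server and c.server_reachable:
        permission, _group = resolve_on_server(server, program)
        c.local[program] = CachedEntry(permission, c.now + PA_TTL_SECONDS)
        return permission
    # Step 5: ask the Program Advisor server directly if the policy allows it.
    # Custom overrides set on the server are NOT applied on this path.
    if c.may_ask_pa_directly and c.pa_reachable and program in server.pa_live:
        return server.pa_live[program]
    # Step 6: client-specific behaviour when no permission source is available.
    return ASK if c.client_type == "flex" else BLOCK
```

The direct-to-Program-Advisor path in step 5 is what the "Allow clients to ask Program Advisor directly" option enables; the model makes visible that overrides configured on the server are bypassed on that path until the client reconnects, which is the caveat stated under Enabling Program Advisor.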

Enabling Program Advisor


To use Program Advisor in your Policies, you must first license it and configure it. If your license expires,
Endpoint Security ceases to respond to program permission requests from clients. Custom overrides also
cease to function, including termination. Locally-stored permissions remain valid until their time-to-live
expires.
For Program Advisor to work correctly, the Endpoint Security server must have Internet access so that it can
connect to the Program Advisor Server (on ports 80 and 443) and retrieve the latest program information.
Ensure that your firewall allows this traffic. If your environment includes a proxy server for Internet access,
configure the proxy before continuing with the steps in this section. See Using Program Advisor with a Proxy
Server (on page 18).
To enable Program Advisor:
1. Obtain a Program Advisor license key from your Check Point representative or from the Check Point
User Center (www.checkpoint.com/usercenter).
2. Use SmartUpdate or the cplic command-line tool to apply the license to the desired installation.
3. Configure any additional Program Advisor preferences (System Configuration > Program Advisor).

Note - This option is not available in Simple View of Single-Domain
mode. If you are in Multi-Domain mode, switch to a non-system
domain.

4. Click Edit.
• If you want Program Advisor to terminate the processes for malicious programs, select Allow
Program Advisor to terminate malicious applications.
• If you want endpoints to receive Program Advisor recommendations when they cannot contact the
Endpoint Security server, select Allow clients to ask Program Advisor directly when the
Endpoint Security server is unavailable.
If you choose this option, endpoints will not receive any permission overrides you have set until they
connect to the Endpoint Security server again and either restart the program or receive a new policy.
5. Click Save.

Viewing Program Advisor Recommendations
Program Advisor displays recommendations for programs when the programs are observed on the endpoint
computer.
You can view all the program permission recommendations that Program Advisor provides in the Program
Group Permissions page.
To view the Program Advisor recommendations:
1. If you are in Multi-Domain mode, switch to a Non-System Domain.
2. Click Program Permissions.

The Program Group Permissions page opens.
3. Click the PA referenced Programs link.
Each program has permissions set for the Trusted Zone and the Internet Zone, for the program to act as
client and as server. Program Advisor either blocks or allows access, or asks the user whether or not to
allow access.
To see the programs that Program Advisor terminates automatically, in the Program Group Permissions
page, click the PA terminated programs link.

Note - If there is a long delay between a client asking Program Advisor
about a program and the log upload containing the observation for that
program, and if there is also a Program Advisor recommendation for
that program, the program recommendations may appear incomplete.

Overriding Program Advisor Recommendations
If you do not agree with a Program Advisor recommendation for a program in the PA referenced programs
group, you can override it with your own custom permissions. However, you cannot override the permissions
for the Program Advisor Groups, or individual permissions in the PA quarantined programs group. You can
override permissions at either the global or the policy level.
To override Program Advisor recommendations:
1. Go to the Program Group Permissions page (click Program Permissions) or the Program Rules page of
the policy (Policies > Edit > Program Rules), depending on whether you want to change global or
policy-level permissions.
2. Click PA referenced programs.
3. Click the Product Name of the program.
4. Set the Permissions Settings options.
• Use the group's permission settings for this program - Default; no override.
• Override settings and terminate the application - All settings for the group are ignored for this program; as
soon as it is observed to be installed or activated, it is shut down.
• Override settings with the settings below - Set the permissions for this program for when it is in the
Trusted Zone and when in the Internet Zone. For each zone, set permissions for when the program is acting
as client and when it is acting as server.

5. Click Save.
When you set permissions for an individual program, the permissions are displayed in color.
Permissions inherited from a group are gray.

Important - The changes you have made take effect without
redeployment.

Managing Unknown Programs


After you have deployed a policy, you should periodically check for unknown programs. Unknown programs
are programs that are not governed by either Program Advisor or by any other program group. Set up
groups for these programs so you can assign permissions to them more efficiently.

To manage unknown programs:
1. If you are in Multi-Domain mode, switch to a Non-System Domain.
2. Click Program Permissions.
The Program Group Permissions page opens.
3. Click the Unknown Programs link.
View the programs to determine what program groups you need to create.
4. Select the check boxes of the programs to add to a group.
5. Click Move Program and from the drop-down menu, select an existing group or New Group.
6. Edit or define the group if needed and click Save.

Managing Updates
Use the Updates feature to receive, manage, and deploy anti-malware and WebCheck updates.

Overview of Updates
Use the Updates feature to receive, manage, and deploy:
• Virus definition updates - These updates ensure your endpoints are constantly protected against new
viruses. The updates include DAT files, which are libraries of virus signatures.
• Spyware definition updates - These updates help to protect your endpoints against the latest spyware.
Using the Updates feature, you can:
• View available updates - By default, the Endpoint Security server receives the update information
hourly from the Check Point update server, and makes it available for retrieval by your endpoints. The
update is listed on the Home page and the Client Updates page.
• Specify an automatic client updates schedule - You can specify a schedule for how often the
Endpoint Security server makes the latest update available for endpoint retrieval. (This feature creates
automatic deployment, and does not allow you to test each update on a smaller group.)
• Preview updates with a test group - You can deploy client updates to selected endpoints for testing
before rolling the updates out to all clients. This feature, called staging, allows you to update a select
group of test endpoints. You can then determine if an update is acceptable to you before choosing to
deploy it. (With this option, there is no automatic deployment of updates.)
• Immediately deploy client updates - At any time, you can choose to immediately make the latest
collection of client components available to all clients. This is particularly useful if a virus outbreak
occurs.

Update Delivery Process
To protect your endpoint computers from the most recent viruses and spyware, the client must have the
most up-to-date virus and spyware definitions (DAT files). The Update Server has the most recent
definitions.
Figure 7-7 Update Process

The update delivery process:
1. DAT files are updated on the external Check Point Update Server as needed.
2. The Endpoint Security server contacts the Update Server once an hour and receives DAT file
information.
The Endpoint Security server only receives version information about the current DAT files. It does not
receive the actual DAT files.
You will see traffic to the following locations:
• Anti-virus update server - http://kav-integrity.zonelabs.com/
• Anti-spyware update server - http://upd.zonelabs.com/zonealarm/online/
3. If you have configured offline updates, the client contacts the Update Server at scheduled times or
intervals and retrieves updates, if available.
If offline updates are configured, the Endpoint Security server relays only the location of the Update
Server to the client via the policy. The client receives the engine and DAT files directly from the Update
Server, not from the Endpoint Security server.
4. During synchronization, the Endpoint Security server relays the updates to the client; the client informs
the Endpoint Security server of its current DAT file versions; and the Endpoint Security server uses this
information to create the update report.

Update Staging Process


When you choose to preview updates, they follow a set path from release by Check Point to deployment on
your endpoints, and you control when and if deployment happens. This path is a three-phase succession:
updates remain at each stage until the update in front has moved forward down the path.
The current phase of each update is displayed on the Home page and in the Client Updates page.
The three phases of the client updates lifecycle are:

1. Available for Staging - Endpoint Security server has been informed of a new update available from
Check Point. To move the available update to the Staging phase, click the Deploy to Staging link.
2. In Staging - The client update has been made available to a test user group. This phase applies only if
you have chosen to manually preview client updates. At this point you can do either of the following:
• Deploy the update to all endpoints by clicking the Deploy to Production link.
• Deny deployment by clicking the Deploy to Staging link to replace this update with the next update
for the test group.
3. In Production - The update has been released for endpoint retrieval. All of your endpoints will retrieve
this component when they check in with the Endpoint Security server.

Making Updates Instantly Available


This update deployment method is especially useful if a virus outbreak is detected. At any time, you can
view and manually deploy client updates without previewing them in a test group or waiting for the next
scheduled deployment.

Note - Because this method makes the updates available, but does
not require clients to synchronize, it may take up to an hour for all your
endpoints to get the update.

To make client updates available:


1. Configure your proxy settings to be able to contact the Update Server.
2. Go to the Home page.
3. View available update components in the Updates tables. They display the version, date, and status for
each available update.
If you wish to check for a more recent update than the one displayed, click the Check for Updates link.
4. Click the Deploy link in the Status column of the Client Updates table.
The status of the available DAT file changes to Deployed. It is immediately made available for all
clients, regardless of the configured update schedule.

Configuring Automatic Client Updates


Use the following steps to configure how often the Endpoint Security server automatically makes updates
available for endpoints. By default, unless manual previewing (staging) is configured, client updates are
deployed for endpoint retrieval on an hourly basis.
This procedure should be used only if you do not wish to preview or test client updates before making them
available. In Multi-Domain mode, switch to the System Domain to do this procedure.
To configure automatic client updates:
1. Configure your proxy settings to be able to contact the Update Server.
2. Go to the Home page and click the View Client Update Settings link.
3. In the Schedule section, click the Schedule Automatic Updates option.
4. Select an update frequency from the Schedule drop-down list.
5. Click Save.

Configuring Client Update Staging


This configuration allows you to preview updates within a test group before making them available to all
endpoints. First, create a Test Group, then configure updates for Manually Preview.
To create a Test Group:
1. If you are in Multi-Domain mode, switch to a non-system domain.
2. Click Reports > Endpoint Activity.
3. Leave all the fields blank, and click Apply Filter.

4. In the In Test Group column of each user you want to add to the Test Group, click the Add to Group
link.

Important - To remove a user from the Test Group, click the Remove
from Group link; do not click the Delete link in the Computer Name
column.

To configure manual client update staging:
1. If you are in Multi-Domain mode, switch to the System Domain.
2. Go to the Home page and click the View Client Update Settings link.
3. Select the Manually Preview Updates option.
4. In the Updates table, click the Fetch link in the Status column.
The DAT update file is made available to your test group.

Deploying or Rejecting Previewed Updates


After observing the results of an update on the Test Group, either make the update available to all endpoints
or reject the update and request the next one.
To deploy client updates:
1. Go to the Home page and click the View Client Update Settings link.
2. In the Status column of the Updates table, click the Deploy Now link.
The status of the previewed DAT update changes to Deployed. It is retrieved by all of your endpoints the
next time they check in with the Endpoint Security server.
To reject previewed updates:
1. Go to the Home page and click the View Client Update Settings link.
2. In the Status column of the Updates table, click the Fetch link.
The previewed updates file is rejected and the next one is taken.
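The lifecycle described under Update Staging Process and the deploy/reject actions above form a small state machine in which rejection is implicit: fetching the next update into staging replaces, and thereby discards, the one being previewed. The following is an added model written for this guide, not Check Point's implementation; the class name UpdateStaging, its method names, the "Rejected" label for a replaced update and the sample version strings are assumptions.

```python
"""Model of the client-update staging lifecycle: Available for Staging -> In Staging
-> In Production. Example code for this guide, not Check Point's code; the class,
method names, the 'Rejected' label and the version strings are assumptions."""
from collections import deque


class UpdateStaging:
    def __init__(self):
        self.available = deque()   # updates Check Point has announced, oldest first
        self.staged = None         # the single update the test group currently receives
        self.production = None     # the update released to all endpoints
        self.rejected = []         # previewed updates replaced without being released

    def announce(self, version):
        """A new update becomes 'Available for Staging', queued behind earlier ones."""
        self.available.append(version)

    def deploy_to_staging(self):
        """'Deploy to Staging' / 'Fetch': move the next available update into staging.
        An update already in staging is replaced, which is how it is rejected."""
        if not self.available:
            raise LookupError("no update is available for staging")
        if self.staged is not None:
            self.rejected.append(self.staged)
        self.staged = self.available.popleft()
        return self.staged

    def deploy_to_production(self):
        """'Deploy to Production' / 'Deploy Now': release the staged update to all endpoints."""
        if self.staged is None:
            raise LookupError("no update is in staging")
        self.production, self.staged = self.staged, None
        return self.production

    def phase_of(self, version):
        """Phase as it would be shown on the Home page ('Rejected' is an assumed label)."""
        if version == self.production:
            return "In Production"
        if version == self.staged:
            return "In Staging"
        if version in self.available:
            return "Available for Staging"
        if version in self.rejected:
            return "Rejected"
        raise KeyError(version)
```

Because an update stays in its phase until the one ahead of it moves on, the queue is strictly ordered: you cannot skip directly to the newest available update without fetching, and so rejecting, every update announced before it.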

Offline Updates
Offline updates provide remote users with a way to get Anti-virus and Anti-spyware updates without being
connected to your corporate network. Users can get updates from your company server, or they can receive
updates directly from Check Point.
To set up offline updates:
1. Go to the Home page and click the View Client Update Settings link.
2. Select the Provide offline users access option.
3. If you are using a proxy server for internet access, make sure you allow traffic to the appropriate update
server:
• Anti-virus update server - http://kav-integrity.zonelabs.com/
• Anti-spyware update server - http://upd.zonelabs.com/zonealarm/online/
When the endpoint computers connect to the server, they automatically receive the latest updates.

Note - Your users must be using the most current version of the Anti-virus
software to use the Check Point servers.

Monitoring Anti-Malware Activity


Keep up to date with the virus and spyware events detected and handled by Endpoint Security, and when
your endpoints were last scanned and updated with the latest protections.

Note - Events related to tracking cookies are not included in reports,
as they are too numerous.

Monitoring Infection Activity on Endpoints
The Home page tells you how many virus and spyware infections are active or resolved on your connected
endpoints. The Infection Events page provides detailed information based on the type of infections. If you
are in Multi-Domain mode, switch to a non-system domain to see the Endpoint Infections information on the
Home page.
To monitor the infection status of endpoints:
1. Go to the Home page.
The Endpoint Infections section shows how many resolved and how many unresolved (detected but
not yet successfully treated) malware files are on the connected endpoints (clients that have contacted
the server in the last hour), in categories of Anti-virus, Anti-spyware, and WebCheck.
2. Click a number to go to the Infection Events page for more details, including a breakdown by infection.
To see the infected file numbers for disconnected clients as well, in the Endpoint Status drop-down menu,
select All.

Monitoring Infection History


Use the Infection Summary page to see how many and which infections were detected and treated
successfully in a given time frame.
To monitor the infection history of all endpoints:
1. Open the Infection History report (Home > Infection History link in Endpoint Infections section or
Reports > Infection History).
2. Choose the parameters of the report.
• Time Span - Use to select a time frame of infection history to display.
• Event Type - Use to select the type of events to display: Anti-virus, Anti-spyware, WebCheck, or
Summary of all.

3. Click Apply Filter.


The Infection History report shows the following:
• Event Type - Type of infection event: Anti-virus, Anti-spyware, WebCheck. Click the event name to
display a detailed bar chart.
• Total Events - Total number of detected infections or malicious site activity. This number includes both
resolved and unresolved infections.
• Total Users - Total number of users with detected infections. This number includes users with both
resolved and unresolved infections. Click the number to go to the User Events Report page, which
provides a detailed list of the users.
• Description - Describes the type of event.

You can launch SmartPortal for more event reporting: click View Events.

Monitoring Scan and Update Status


Use this monitoring feature to determine how often your endpoints are being scanned for malware, which
have WebCheck enabled, which have not been scanned, and to check on the update status of the
endpoints.

To see a scan or update status report:
1. Click Reports > Endpoint Monitor.
2. From the Chart menu, choose one of the following:
• Check Point Anti-virus Scanned Date Report
• Check Point Anti-spyware Scanned Date Report
• Antivirus Provider Brands Report
• WebCheck Protection
3. To see a list of endpoints in a particular category, click the appropriate link in the legend.
For example, in the Spyware Scanned Date chart, click the 48 hours link to see which clients have been
scanned in the last 48 hours.
The Connectivity Report page opens.
4. To see more information on a specific endpoint, click the link in the User column.
The Endpoint Details page opens. From this page you can link to the policy assigned to the endpoint
and to the Compliance History report of the endpoint. You can see the Anti-malware software that is
installed on it, and you can open the SmartPortal reports and logs for this endpoint (click View Events).

Chapter 8
Gateways and Cooperative Enforcement
Cooperative Enforcement enables your Endpoint Security computers to interact with gateways and Security
Management Server for efficient VPN functionality and policy management.

In This Chapter

Introduction to Cooperative Enforcement 120
Configuring Cooperative Enforcement 121

Introduction to Cooperative Enforcement


Use the Cooperative Enforcement feature to ensure that endpoint computers remotely connecting to your
network:
• Are running the Endpoint Security client.
• Have a specific policy.
• Comply with the Enforcement Rules in the security policy assigned to them.
• Are regularly contacting the Endpoint Security server.
Using this feature, you can restrict or terminate the gateway session for endpoint computers that are out of
compliance, as well as endpoints that have stopped contacting the Endpoint Security server.

Note - Cooperative Enforcement differs from enforcement with just
Enforcement Rules in that it restricts at the gateway level. If you use
Enforcement Rules alone, restriction happens at the client level.
You can configure Cooperative Enforcement to check for compliance
with Enforcement Rules, but the restriction in this case occurs at the
gateway level.

The enforcement action is activated after either of the following:
• Four heartbeats of noncompliance. By default, enforcement is activated after four heartbeats of
noncompliance. You can change this number. For details, see Configuring Compliance Check Settings
(on page 77).
• Four missed heartbeats. Enforcement is activated after four heartbeats are missed. This number
cannot be altered.
A heartbeat lasts one minute by default, so if an endpoint has been out of compliance or has not contacted
the server for four minutes, the client executes the action specified in the enforcement rule.
You can change the duration of a heartbeat. See Configuring the Heartbeat Interval (on page 77) for details.
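The two triggers above (a configurable number of consecutive noncompliant heartbeats, and a fixed four missed heartbeats, each heartbeat being one minute by default) can be evaluated from a heartbeat record. The following is an added example written for this guide, not Check Point's code: the log line format, the host names, the function names and the EnforcementConfig class are assumptions, and the sample log is constructed.

```python
"""Evaluate the Cooperative Enforcement triggers against a heartbeat log.
Example code for this guide, not Check Point's implementation; the log format,
names and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

MISSED_HEARTBEAT_LIMIT = 4  # fixed by the product; cannot be altered


@dataclass
class EnforcementConfig:
    heartbeat_seconds: int = 60   # see "Configuring the Heartbeat Interval"
    noncompliance_limit: int = 4  # see "Configuring Compliance Check Settings"


def parse_ts(text):
    """'2010-02-23T10:05:00Z' -> seconds since the epoch (UTC)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def parse_heartbeat_log(log_text):
    """Assumed format: '<timestamp> <endpoint> compliant=yes|no', one heartbeat per line.
    Returns {endpoint: [(timestamp, compliant), ...]} sorted by time."""
    per_endpoint = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, endpoint, status = line.split()
        per_endpoint[endpoint].append((parse_ts(ts), status == "compliant=yes"))
    for beats in per_endpoint.values():
        beats.sort()
    return per_endpoint


def evaluate(heartbeats, now, cfg=EnforcementConfig()):
    """Decide ('allow' | 'enforce', reason) for one endpoint from its heartbeat history."""
    if not heartbeats:
        raise ValueError("endpoint has never contacted the server")
    last_seen = heartbeats[-1][0]
    missed = int((now - last_seen) // cfg.heartbeat_seconds)  # whole intervals without contact
    if missed >= MISSED_HEARTBEAT_LIMIT:
        return "enforce", f"{missed} missed heartbeats"
    streak = 0  # most recent consecutive heartbeats that reported noncompliance
    for _, compliant in reversed(heartbeats):
        if compliant:
            break
        streak += 1
    if streak >= cfg.noncompliance_limit:
        return "enforce", f"{streak} consecutive noncompliant heartbeats"
    return "allow", "in contact and compliant"


def evaluate_all(log_text, now_text, cfg=EnforcementConfig()):
    """Map every endpoint in the log to its enforcement decision at time now_text."""
    now = parse_ts(now_text)
    return {ep: evaluate(beats, now, cfg) for ep, beats in parse_heartbeat_log(log_text).items()}


# Constructed sample: ws-alpha turns noncompliant, ws-beta goes silent, ws-gamma recovers.
SAMPLE_LOG = """\
2010-02-23T10:00:00Z ws-alpha compliant=yes
2010-02-23T10:01:00Z ws-alpha compliant=yes
2010-02-23T10:02:00Z ws-alpha compliant=no
2010-02-23T10:03:00Z ws-alpha compliant=no
2010-02-23T10:04:00Z ws-alpha compliant=no
2010-02-23T10:05:00Z ws-alpha compliant=no
2010-02-23T10:00:00Z ws-beta compliant=yes
2010-02-23T10:01:00Z ws-beta compliant=yes
2010-02-23T10:04:00Z ws-gamma compliant=no
2010-02-23T10:05:00Z ws-gamma compliant=yes
"""

if __name__ == "__main__":
    for endpoint, (action, reason) in sorted(evaluate_all(SAMPLE_LOG, "2010-02-23T10:05:30Z").items()):
        print(f"{endpoint}: {action} ({reason})")
```

Raising noncompliance_limit only delays the first trigger; the missed-heartbeat trigger is unaffected, so an endpoint that stops reporting is still restricted after four intervals at whatever heartbeat length you configure.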

Note - If you are using a Check Point InterSpect™ or VPN-1
UTM/Power gateway, you can also have intra-LAN Cooperative
Enforcement.
If you use an unsupported gateway, Endpoint Security can monitor
client events and the user status, but it will not be able to restrict
access at the gateway level. You must use Enforcement Rules in
conjunction with Restriction Firewall rules to restrict endpoint users.
See Enforcing Endpoint Security (see "Creating Enforcement Rules
as Policy Objects" on page 63).

Configuring Cooperative Enforcement


If you are setting up Cooperative Enforcement using Check Point gateways, configure Endpoint Security
first.
To configure Cooperative Enforcement in Endpoint Security:
1. If you are using an 802.1x-compatible gateway, configure 802.1x settings in the Endpoint Security
Administrator Console:
• In Single-Domain mode, go to the Gateway Manager page.
In Multi-Domain mode, switch to the System Domain and click System Configuration > Server
Settings.
• Click Edit.
• Select Configure Settings for enabling 802.1x.
The Authentication Port field becomes available.
• Provide the 802.1x communication port and click Save.
2. Add the gateway to a Gateway Catalog in Endpoint Security.
3. Add groups to the gateway.
You must add a group to your gateway catalogs (except VPN-1 UTM/Power gateway catalogs), and this
group must have a specific name. You can add multiple groups to Cisco gateway catalogs, but other
gateway catalogs must contain only one group.
4. Create and assign Policies.
5. Configure the gateway to complete integration of it with Endpoint Security.

Important Notes on Policies with Cooperative Enforcement:
• If you are using Anti-virus Enforcement Rules in your policy with Cooperative Enforcement, provide the
DAT files as a remediation resource. Restricted endpoint users will have no access to any internal sites
except the Endpoint Security server.
• It is recommended that you not set any Restriction Firewall Rules in the Enforcement Rules of your
policy. Using Cooperative Enforcement and Restriction Firewall Rules simultaneously makes it difficult to
troubleshoot your configuration.
• If you must use Restriction Firewall Rules in your policy, it is recommended that you begin with a policy
that has no Restriction Firewall Rules and then, with each successive policy, add only one rule at a time.
After you deploy each policy you should carefully observe the results before adding another rule.
• You can assign Policies to a group within the gateway and/or to the gateway itself. You do not assign
security Policies directly to Check Point VPN-1 UTM/Power gateways. Instead, you can create a catalog
that contains the users or endpoints you want the gateway to monitor, and then assign a policy to the
catalog. Or, allow the users to receive a policy according to policy inheritance.
• If you do not assign a policy to the gateway, it will inherit the policy assigned to its parent domain or
entity. If an endpoint user is assigned a policy in more than one way, Policies assigned to a gateway, or
a group within the gateway, always take priority over Policies assigned to an IP or a group that is not
within the gateway.

Adding Gateway Catalogs
Gateway catalogs allow the Endpoint Security server to communicate with your gateway device. The first
time a new user connects to the Endpoint Security server, they are dynamically added to the gateway
catalog or group.
To add a new gateway catalog:
1. If you are in Multi-Domain mode, switch to a non-system domain.
2. Click Gateways.
The Gateway Manager page opens.
3. Click New Gateway and select your gateway type.

Note - For all Cisco ASA and Concentrator gateways, choose Cisco
VPN Gateway.

4. Complete the fields with the appropriate information for your gateway.

Check Point InterSpect
• InterSpect Host Name - The IP address or host name of the InterSpect gateway.
• Certificate Host - An IP address to acquire an initial or changed certificate from that network address
rather than from the Check Point InterSpect gateway.
• Pull Certificate - For an initial configuration or after changing certificates, use Pull Certificate to acquire
the certificate required for SSL communications between the Endpoint Security server and the Check
Point InterSpect gateway. You can only pull the certificate this way once. In order to pull the certificate
again, the certificate must be re-initialized on the InterSpect gateway.
• SIC Object Name - The Secure Internal Communication ("SIC") Name assigned on the InterSpect gateway
to this Endpoint Security server. The SIC Object Name corresponds to the Name specified in the
InterSpect SmartDashboard.
• SIC Activation Key - The Secure Internal Communication Activation Key assigned on the InterSpect
gateway to this Endpoint Security server. The SIC Activation Key corresponds to the Activation Key
specified in InterSpect SmartDashboard.

Cisco VPN Gateways
• Cisco Public Host Name - The public host name for the Cisco VPN 3000 series concentrator.
• Cisco Private Host Name - The private host name for the Cisco VPN 3000 series concentrator.
• Gateway Port - The port used by the gateway.
• Certificate Port - The port used by the certificate.



Nortel Contivity with TunnelGuard

Option - Description
• Nortel Public Host Name - The public host name for Nortel Contivity with TunnelGuard.

Check Point VPN-1 for remote access users

Option - Description
• Check Point VPN-1 Public Host Name - The public host name for the Check Point VPN-1 gateway.

Check Point VPN-1 UTM/POWER

Option - Description
• VPN-1 Host Name - The IP address or host name for the Check Point VPN-1 UTM/Power gateway.

802.1x-Compatible Network Access Server

Option - Description
• NAS IP Address - The network access server IP address.
• RADIUS Client IP Address - The IP address of the RADIUS proxy, if you use one.
• NAS Secret - The RADIUS secret for the NAS.
• Primary RADIUS IP Address - The IP address of the primary RADIUS server.
• Primary RADIUS Authentication Port - The port on which the primary RADIUS server listens.
• EAP Type - The EAP type. Default is 44. If your NAS filters out EAP type 44, use a lower number, ensuring that you specify the same number on the Endpoint Security client.
• Compliant VLAN - Use this field to specify the VLAN that should be accessible to compliant users, if you are not using a RADIUS attribute to do so.
• Compliant Filter - Use this field to specify the Filter ID, if you are not using a RADIUS attribute to do so. Note that the filter should not block HTTP port 8443 or UDP port 6054.



• Restrict VLAN - The number for the restricted VLAN (optional). If there is no restricted VLAN, leave this field blank. Note that, if there is another Endpoint Security server on the VLAN, the user receives the policy of that Endpoint Security server. Users who visit the VLAN will not be able to reconnect to the internal network via the wireless access point if Reject Connections on Non-Compliance is selected. Note that, for Cisco devices, you must specify the VLAN name instead of the ID.
• Restrict Filter - The filter name for the VLAN (optional). If there is no VLAN or if the VLAN does not have a filter, leave this field blank. Note that the filter should not block HTTP port 8443 or UDP port 6054.
• Reject Connections on Non-Compliance - Select this checkbox to:
  • deny access to non-compliant clients, in cases where your NAS does not support VLANs or filters.
  • deny access to clients that are unable to report compliance. (If you do not select this checkbox, such clients will be granted access until the next automated attempt to re-authenticate.)
  This setting does not affect the handling of clients that have the wrong policy or no policy at all. Such clients are granted access (or restricted access, if this is defined).
• Re-authentication Interval - The re-authentication interval (measured in seconds).
• Vendor Specific Attribute (VSA) Parameters - The parameters of any vendor-specific attributes (VSAs). (For information about VSAs for a specific gateway, see the documentation for that gateway.) The parameters are:
  • Vendor Code—The vendor code of your 802.1x device for the purpose of a VSA.
  • Attribute—The VSA to be sent.
  • Value—The value of the attribute.
  • Data Format—String or Integer.
  • Sent For—Indicates when to send the VSA to the client. Select Restriction to send the VSA when the client is non-compliant. Select Compliant to send the VSA when the client is compliant. Select Always to send the VSA whether or not the client is compliant.

Testing Gateway Cooperative Enforcement


If clients can access the gateway, they can access the Endpoint Security server. To verify that the gateway
was added and configured correctly, add the gateway to the Trusted Zone of a policy and include the policy
as an initial policy.
To test that clients can access the gateway:
1. Add the gateway to the Trusted Zone of a policy:
• Click Policies > Edit > Access Zones.
• Click Add > New Location > IP Address.
• Provide the name of the gateway and its IP address and click Save.



• Select Trusted Zone and the check box of the gateway IP address, and then click Add.
2. Make this policy the initial policy of a client package.
• Open the Client Settings tab.
• Click Advanced and select Enforce enterprise Policies only.
• Click Save.
• Click Client Configuration > New Package > and the package type.
• Open Advanced Settings and in Add Initial Policy, select the policy you edited to include the
gateway in the Trusted Zone.
• Complete the client configuration and click Save.
3. Distribute the client package to the test computers.
• Click Client Configuration > link of the client package you made.
• Copy the Package Download URL.
• E-mail this URL to test users.
4. Make sure the test users install the package, run the client, and can then connect to the gateway.

Adding Gateway Groups


You can add multiple groups to Cisco gateway catalogs, but other gateway catalogs must contain only one
group. (The exceptions are VPN-1 UTM/Power gateways, to which you do not need to assign a group.) This
allows you to assign different Policies and administrators to subsets of users within the gateway.
If every user in the Cisco gateway is going to receive the same policy or be managed by the same
administrators, you do not need to add groups.
To create a group:
1. Click Gateways.
2. Click the name of the gateway.
3. Click New Group.
4. In the Group Name box, type a name for the group.
For the Cisco VPN 3000 Series concentrator, one group name must match the name defined on the
concentrator.
5. Click Save.



Chapter 9
Supporting the User
To ensure that your users will be able to have the access they need and are not needlessly inconvenienced
by your security Policies, you should plan how to provide support and education for them.

In This Chapter

Educating the Endpoint User 126
Providing Remediation Resources 127
Preparing your Help desk Staff 129

Educating the Endpoint User


One of the most important things you can do to make your Endpoint Security implementation run smoothly
is to prepare the users. If users are expecting the Endpoint Security client installation, and understand it and
your security rules, you will greatly reduce the volume of unnecessary help desk requests.
You should begin educating users about the upcoming implementation and your security Policies a few
weeks before you perform your implementation. You should also remind users as the time approaches.
Make sure your users know the following:
• What the Endpoint Security client (Flex or Agent) does
• What security Policies you will be enforcing
• How to become compliant with your security Policies
• What the consequences are of non-compliance
• How to get help
It is recommended that you inform users whenever possible before deploying a new security policy. This
allows them to become compliant in advance and avoid restriction, and it creates less of a burden for your
support team.

Informing Endpoint Users in Advance


Before deployment, give your endpoint users an overview of what Endpoint Security does, how it works, and
the benefits it will provide. For example, provide answers to the following questions:
• What is Endpoint Security Flex?
• How does it work?
• Can I change my security settings?
• How do I choose my settings?
• What are the alerts I see on my screen?
• What are the buttons in the alert box for?
• What are the icons in my Windows system tray?
• I still have questions—what should I do?
You should include information about the security Policies you will be enforcing, how to become compliant,
and where to go for help.

Providing Information About Your Security Policy
Users are less likely to be confused and place unnecessary help desk calls if they understand clearly any
corporate policy changes entailed by Endpoint Security deployment. For example, you may want to inform
users if:
• Endpoint Security is a corporate requirement on all company computers
• Users that are out of compliance with enforcement rules are restricted
• Specific programs are required or prohibited by your policy.
• Specific programs are no longer allowed Internet access or may be terminated (for example, media
players or music file sharing tools).
Be as specific as possible. For example, if your enforcement rules will require a certain Anti-virus program,
be sure to say which one and which version, and provide information and resources so that users can
become compliant with the rule in advance and without support.
It is recommended that you continuously provide information to endpoint users about Endpoint Security and
your security policy. You should provide information and instructions whenever you make a significant
change to your security Policies that will affect the user experience. This is especially true for changes that
tighten your security policy, as they may impact availability for the user. You should also make sure that the
information you provide is readily available, especially to new users.

Describing the Distribution Process


Whether you use a client distribution method that requires user action (for example, with installer packages),
or some other method (for example, SMS), it is important that you describe the distribution process for your
endpoint users and give them instructions for any procedures they will need to perform.

Providing Remediation Resources


If you provide your endpoint users with effective remediation resources, they will often be able to resolve
their compliance issues on their own. Remediation resources are especially important when you create
Enforcement Rules that restrict or use the Cooperative Enforcement feature with a gateway device to restrict
access for users that do not comply with your security Policies.
Making effective use of the sandbox feature of Endpoint Security can enable end-users to solve many
common problems on their own.

Using Alerts for User Self-help


Endpoint Security uses Alerts (messages that pop up) to inform users of when they are out of compliance
with your security rules, and when it performs security functions, such as blocking access to a location or
preventing a program from accessing the Internet.
Most of these alerts require no action by the user and are not configurable. However, the compliance rule
alerts can, and should, be customized, especially if you are using rules that restrict.
When users are out of compliance with an Enforcement Rule that restricts or warns, or with a Cooperative
Enforcement rule with a gateway that restricts, an alert appears. You should specify custom instruction text
to appear in this alert in the Enforcement Rule page. The alert will also direct the user to the appropriate
sandbox page. Your custom instruction text is also displayed on the appropriate sandbox page.

Using the Sandbox for User Self-Help


The alerts that users see when they are out of compliance or when Endpoint Security performs a security
function each contain a link to the Sandbox page for that particular alert type.
The Sandbox is a Web page that provides additional information that helps users to understand what just
happened and what, if anything, they should do about it.



There are different Sandbox pages for different types of security events. The specific sandbox page that is
displayed is determined by the situation on the endpoint. For example, users that see an alert because their
Anti-virus DAT file is out of date and click the URL will be taken to the 'AV Compliance' sandbox page.
You should customize these pages (in the Customize Sandbox page) to provide accurate and detailed
information for your user.

Recommended Sandbox Customizations


You can modify all your Sandbox pages so their appearance coordinates with your organization's logo and
style by specifying a style sheet.
You should also make changes to individual Sandbox page templates. Note that one Sandbox page may
appear for a variety of reasons. It is recommended that you perform the following customizations on your
sandbox page templates using the Customize Sandbox page:
• Anti-spyware Protection — Users are directed to this page when they need to run an Anti-spyware
scan. This page doesn't require much customization. Add a link to your Help Desk or administrator
contact information.
• Anti-virus Protection — Users are directed to this page when they are not in compliance with your
Anti-virus policy.
Note that this page is not specific to the particular Anti-virus violation. For example, if you require one group
of users to have Anti-virus program A, and another to have Anti-virus program B, both groups are directed to
this page. So any remediation information you provide here must apply to both.
However, when you create an enforcement rule you can also specify custom text and a remediation
resource that is specific to that enforcement rule. The custom instruction text and the remediation resource
link are only displayed when that specific rule is violated. It is highly recommended that you specify custom
text and remediation resources when creating rules that warn or restrict. Use the Enforcement Rule creation
pages, not the Customize Sandbox page, to configure these aspects of the sandbox page.
If you require only one Anti-virus program for your organization, it is recommended that you customize this
page with information about how to obtain and install it, as well as information about updating the DAT file.
You should also add a link to your Help Desk or administrator contact information.
• Informational Alerts — Users are directed to this page when they get a new policy, or connect to or
disconnect from the Endpoint Security server. You don't need to customize this page, but you may want to
include some information about Endpoint Security or a link to your help desk or administrator contact
information.
• Blocked Network Traffic — Users are directed to this page when they are blocked by a firewall rule.
Add a link to your help desk or administrator contact information.
• Grouped Enforcement Rule — Users are directed to this page when they are blocked by a group
enforcement rule. Add a link to your help desk or administrator contact information.
• Program Requesting Internet Access — Users are directed to this page when a program they are
using requests Internet access. Add a link to your help desk or administrator contact information.
• Program Activity Block — Users are directed to this page when they use a blocked program. You may
want to customize this page with examples of commonly blocked programs and explain why they are
blocked. Add a link to your help desk or administrator contact information.
• Remove Prohibited Program — Users are directed to this page when they are required by an
enforcement rule to remove a program. Add a link to your help desk or administrator contact information.
• Install Required Program or File — Users are directed to this page when they are required by an
enforcement rule to install a program. Add a link to your help desk or administrator contact information.
• Contacting Technical Support — Add a link to your help desk or administrator contact information.
• New Endpoint Security Client Package — Users are directed to this page when they receive a new
Endpoint Security client package. You may want to customize this page with more information about the
client you are deploying. Add a link to your help desk or administrator contact information.
• Initial Endpoint Security Client Deployment — Users are directed to this page when they receive an
Endpoint Security package for the first time. It is recommended that you customize this page with more
information about the client you are deploying. Use the introductory materials as a guide. Add a link to
your help desk or administrator contact information.



Preparing your Help desk Staff
For your help desk staff to provide useful support to your endpoint users, they must understand both the
Endpoint Security system and your security Policies.

Documentation
Make sure that your help desk staff have all the relevant Endpoint Security documentation available. You
may also want to provide them with a list of common programs you have prohibited and programs that your
policy requires.

Training
You should give your help desk staff at least basic training in the Endpoint Security system. You may want
to have them perform some basic policy deployments in a pilot environment so they can become familiar
with how Policies affect the endpoint user.
Your help desk staff should also be familiar with how to upload Endpoint Security Client diagnostic
information.

Distributing Endpoint Security Client


Distribute your Endpoint Security clients to your endpoint computers. This must be done before Policies can
be deployed on endpoints.

Note - Do not attempt to deploy the Endpoint Security client by
distributing a ghost image (clone) of a machine that has ever had the
client installed on it. This is not supported. Installing the client in this
way can result in multiple machines being counted as the same
machine in the Endpoint Activity Report.

Upgrading the Client


If you are upgrading from an Integrity 6.5 client, Secure Access client, or SecureClient to the current version,
you do not need to remove the old client.
If you are upgrading a Secure Access client with SecureClient to the current version with Endpoint Connect,
then SecureClient will be removed automatically.
If you are upgrading a SecureClient standalone to the current version with Endpoint Connect, then the
SecureClient standalone will remain installed.

Client Installation Packages


Client packages provide a convenient way to install clients on your endpoint computers. Use client packages
to install client programs along with configuration information and, optionally, security Policies. Client
installation packages consist of the following:
• client msi - This file installs the client on your endpoint computer. The executable that is included is
determined by the choice you make when creating your package.
• config.xml - This file provides connection information that the client will use to communicate with the
Endpoint Security server. It also configures some aspects of how the client is presented to the endpoint
user and sets the Custom User ID, if specified. This file is configured by the client packager according to
the choices you make.



• msi.ini file - The Microsoft Installer file is used by the installer to set properties for the client installation.
This file is created by the client packager with the following default parameter settings:
• REBOOT=R
• Initial policy (optional) - Use an initial policy in your client package to provide a basic level of security
for the endpoint computer before it connects to the Endpoint Security server and receives its
assigned disconnected policy. If an Initial policy is included in the package, it is active until the
Endpoint Security client connects to the Endpoint Security server. When the Endpoint Security client
connects to the Endpoint Security server, it downloads the connected and disconnected Policies that
are assigned to that user.
• userc.C and product.ini - These files specify VPN settings.
• cpmsi_tool.exe - The client packager runs this executable to insert the userc.C and product.ini into the
msi database.
• integrity.pem - Contains authentication information.
• updatekeyfiles.xml - Contains authentication information that the client uses to receive upgrades.

Policies in Client Installations


It is generally recommended that you immediately establish a basic level of security by including a policy in
your client package. Depending on the type of policy you include, this policy is enforced until either the
endpoint user configures a policy, or the endpoint computer contacts the Endpoint Security server and
receives the assigned policy.
If you plan to include Policies in your client package, it is convenient to create them before you create your
package.
You may also want to assign Policies to your endpoint users before you distribute clients to them. This is
strongly recommended if you do not include a policy in your package.

VPN Options
You can choose to include Virtual Private Network (VPN) capability with your Agent or Flex client installation
package. By providing a secure VPN for your endpoint users, you give them remote access to your network
while also administering high levels of privacy and authentication.
This feature combines VPN capability with the security protection of the Endpoint Security client. By using
this feature in combination with Enforcement rules, you have the option of controlling access at the VPN
gateway based on the presence or absence of certain software. This VPN functionality is designed to work
with the Check Point VPN-1 gateway, so you need the VPN-1 gateway installed on your network before
packaging and deploying VPN packages.

Migrating from Check Point SecureClient (Optional)


If you previously integrated client and Check Point VPN SecureClient by configuring SCV (Secure
Configuration Verification) for the purpose of Cooperative Enforcement, you can now achieve similar goals
more easily with Endpoint Security. The VPN feature provides a faster, simplified method of configuring and
deploying VPN, and provides end-users with a unified interface for both the client and the VPN. You can still
use client and Check Point SecureClient separately, but doing so does not take advantage of the simplified
client management and unified interface.



Note - There are some third-party scripts, which you may have used
with SCV, for which there are no Endpoint Security system
alternatives. The following third-party scripts are not currently
supported in Endpoint Security:
• A script for verifying machine certificates to confirm domain
membership
• A script that checks active GPO Policies
• A script that blocks USB devices
See About Third-Party Scripts (on page 131) for information about
some Endpoint Security alternatives to other types of third-party
scripts.

Migrating from SCV and Desktop Security Rules


If you previously configured VPN enforcement with Desktop Security rules and SCV, and now want to use
Endpoint Security to configure similar control, the following approach is recommended:
1. Set your Access Zone Rules (Internet Zone and Trusted Zone) to Low security and set Program Control
to Allow All.
This is recommended because it allows you to start with a configuration process that is similar to your
prior experience, and helps prevent unexpectedly restrictive experiences for your endpoint users. Later,
you can build more complexity into the policy you deploy.
2. Recreate SCV settings:
• Make a note of the endpoint local.scv file (SCV) settings that you want to recreate. (Note that
local.scv files are eliminated during endpoint installation of Endpoint Security VPN packages.)
• Use Endpoint Security Enforcement rules to recreate the enforcement settings.
3. Recreate Desktop Security rules:
• Make a note of the inbound and outbound rules in the Desktop Security policy that has been used by
your endpoints. These rules are shown in the Desktop Security tab of SmartDashboard.
• On Endpoint Security, recreate, as Firewall rules, the inbound and outbound rules that you noted
above.
• Create a "cleanup" rule: Add a last-precedence Firewall rule, ranked at the bottom of the list, which
blocks all traffic.
This cleanup rule is necessary because when Access Zone Rules are set to Low, the hard-coded
cleanup rule that blocks all unhandled traffic is disabled.
4. If possible, set the Check Point Desktop Security rules to the following settings to ensure that only one
firewall driver is active in the system:
• Source: Any
• Destination: Any
• Service: Any
• Action: Accept
5. Proceed with the steps outlined in Workflow for Configuring and Deploying VPN in Packages (on page
132).
As described in the workflow, be sure to add the Firewall rules and Enforcement rules to the policy
assigned to the VPN-1 gateway.

About Third-Party Scripts


While there is no Endpoint Security Enforcement rule that you can use to run a third-party script, you can
use Program Control and Enforcement rules to recreate a number of the endpoint checks you may have
configured with third-party scripts and SCV. For example:
• You can use Program Control in a disconnected policy to deny network access to peer-to-peer
applications.



• You can use Program Control to block access to services like Telnet and FTP.
• You can create Enforcement rules to restrict endpoint network access when endpoints do not have the
required Anti-virus protection.

Planning Your VPN Configuration


To prepare for creating a VPN client package, select a VPN configuration method and decide which VPN
settings you want.
To prepare for creating a VPN client package:
1. Determine which of the following methods you will use:
• Configure VPN settings while creating the client package. Use this method if you want to be
able to create and edit the client package VPN settings using the Endpoint Security Administrator
Console.
After you create a VPN package with the Administrator Console settings (rather than by importing
files), you can easily make new packages by copying the package and editing the configuration with
the Client Packager.
• Import existing VPN configuration files. Use this method if there is an existing VPN configuration,
created prior to the existence of VPN settings in the client packager, that you want to replicate and
deploy. (Note that once you import configuration files, you are not able to use the Administrator
Console to edit those settings.)
While creating the client package, you import existing VPN settings by specifying the location of
product.ini and userc.C files for the settings you want. The product.ini and userc.C files are VPN
configuration files.
The most recent default installation locations of these two files on endpoint computers are:
<Client Inst>\SecuRemote\database\userc.C
<Client Inst>\SecuRemote\product.ini
To prepare for configuration, make sure the product.ini and userc.C files are in an accessible location
(local or via network) so that you can select them during configuration. For more information about
product.ini and userc.C files, see the Check Point Virtual Private Networks document, available for
download at the Check Point Website.
2. Determine which VPN configuration settings are most suitable for your environment.
This step includes deciding which Policies you want the VPN gateway to use. For example, you may
want to provide VPN users with stricter security Policies.
3. Decide whether or not to control endpoint computer access, based on the presence or absence of
certain software, at the VPN gateway level.
Enforcement rules can require or prohibit specified programs, files, Anti-virus software, and other
conditions on the endpoint computer before allowing unrestricted network access. When Enforcement
rules are in the policy assigned to the VPN gateway, endpoint VPN access is controlled according to
those rules. If you wish to establish this access control at the VPN gateway level, you will need to
ensure that Enforcement rules are added to the policy being used by the VPN gateway.

Note - If you previously integrated the Endpoint Security client and
SecureClient by configuring a local.scv file (Secure Configuration
Verification) for cooperative enforcement, see Migrating from SCV and
Desktop Security Rules (on page 131).

Workflow for Configuring and Deploying VPN in Packages


The process for including VPN in client installation packages consists of the following steps.

Note - The information provided here assumes that a Check Point
VPN-1 gateway is already installed and tested on your network. For
information about installing the gateway, see the Check Point VPN-1
documentation.



To include VPN in client installation packages:
1. Create a policy to include in the client package (optional).

Note - A Default VPN Policy, designed to keep out any incoming
traffic that is not encrypted, is included for your convenience. See
Using a Default VPN Policy (on page 105) for information on how to
access and configure it.

2. Configure the VPN-1 gateway within Endpoint Security.
• Add the gateway to your Endpoint Security. See Adding Gateway Catalogs (on page 122). This step
allows the Endpoint Security server to communicate with the VPN gateway.
• Assign Policies to the gateway (optional).
If you prefer to assign a specific policy to this gateway, you can do so now. If you do not assign a
specific policy, the inherited policy is used by the gateway.
3. Add any Firewall rules, Enforcement rules, and Program Rules to the policy assigned to the VPN-1
gateway.
This step is necessary only if you want to control access, based on endpoint software checks, at the
VPN gateway level.
4. Create the client package.
• Choose VPN Agent or VPN Flex from the New Package menu.
• Use the VPN Settings tab to configure VPN settings for the package.
5. Distribute the client package.

Installation Options
Important - It is highly recommended that you create a unique install
key (rather than use the default key) in client installation packages.
This prevents endpoint users from guessing the key and uninstalling
the client. Allowing endpoint computers that are not protected by a
client to connect to your network is a security risk.

If you do not set a unique install key and are using a supported
gateway, it is highly recommended that you use the gateway to restrict
or terminate the connection if the client is not running. This prevents
the endpoint user from removing the client and then connecting to your
network while unprotected. See Gateways and Cooperative
Enforcement (on page 120).

Install Key (Password)


The install key is a password needed to uninstall or upgrade the client, ensuring that:
• endpoint users cannot change the installation or block upgrades
• administrators can perform silent upgrades and uninstalls
As a back-up safety mechanism to protect your network from endpoint computers that are not protected by
an Endpoint Security client, a default install key is created if you do not create one.
The default install key is secret.
Create your own install key while creating the client package, on the Package Details tab (Client
Configuration > Edit).

Setting Install Key


To set the install key:
1. Use the appropriate method to configure the install key:



• If you are using GPO, configure the install key (password) using the Endpoint Security administrator
console when you create the client installation package.
• If you are using another third-party distribution method, you can also set the install key using an
installation command line. See Installation Command Line, on page 225.
Example:
msiexec /i <client package filename>.msi NEWINSTALLPASSWORD=<yourpassword>
2. Record the password.
If you lose this password you will be unable to change it or perform silent upgrades or uninstalls.

Silent Installations and Upgrades


Because there is always an install key (the default one or your custom one), you can upgrade or uninstall
the client without any user interaction. On the endpoint, the client icon appears in the desktop system tray
during the upgrade or installation, but no action is required of the user.
Note that without an install key, the TrueVector security software (low-level software that monitors Internet
activity) cannot validate the request to shut down. This would result in a dialog asking the user for
permission to continue.

Connection Information
It is essential that the clients have the connection information they need to contact the Endpoint Security
server. The necessary connection information for the Endpoint Security server is provided by default. You
can also manually change this information or import configuration files (config.xml) from another server.
If you change the connection information for your Endpoint Security server, you must distribute new
package files with the new server's connection information.

User Identification
You can assign a Single Sign On ID or a User ID to your endpoint computers as part of the client package.
A Single Sign On ID allows endpoint users to sign on once per start up.
A User ID allows you to add users to custom catalogs by that name. If you want to include the endpoint
computers that receive this package in a custom catalog, type the catalog name and, optionally, the group
name in the User ID field.
Use the following format: manual://<Catalog_Name>/<Group_Name>
When the endpoint computers that receive this package connect to the Endpoint Security server, they will
become members of the catalog and group you specified here.

Note - If you are creating a client package to use with the auto-upgrade feature (and if you are using a different Endpoint Security server than you used for the initial deployment) and you want to view installation results in the auto-upgrade report, then you must use the same user ID (connection string) for the upgraded client package as you used for the initial client deployment.

Custom Parameters
A Custom Parameter field is included in the Advanced Settings of the client packager. In this field you can
enter commands to further refine installer behavior.
To enter custom parameters, use the <parameter>=<value> format.
To specify multiple custom parameters, separate each with a space.
For example:
RESETVPNCONFIG=YES FORCEREBOOTDIALOG=YES

Use the following client parameters to customize installation. The default value given is the default given in
the MSI file. If you are using client parameters in a command line, they must be in uppercase, preceded by
the /v switch and enclosed in quotation marks.
Table 9-17 Client Package Custom Parameters

Property: CLIENTSTARTUP
Description: Triggers the Endpoint Security client to start up after installation.
Default: Yes

Property: FORCEREBOOTDIALOG
Description: Warns the user that an installation reboot will occur in n minutes, where n is specified by REBOOTDELAY. The user cannot cancel this reboot, and user input is not required.
Default: No

Property: INSTALL_SC
Description: Installs Secure Client.
Default: Yes

Property: INSTALL_FF
Description: Installs the WebCheck feature.
Default: Yes or No, depending on whether the feature is selected in the server settings.

Property: INSTALL_EC
Description: Installs Endpoint Connect.
Default: Yes or No, depending on whether the feature is selected in the server settings.

Property: INSTALL_AV
Description: Installs the Anti-virus/Anti-malware feature.
Default: Yes

Property: INSTALL_EAP
Description: Installs the EAP feature.
Default: Yes

Property: INSTALL_SD
Description: Installs the SmartDefense feature. If INSTALL_SC=YES, INSTALL_SD must be YES.
Default: Yes

Property: REBOOTDELAY
Description: Number of minutes between the FORCEREBOOTDIALOG warning and the reboot. The maximum value is 15.
Default: 1

Property: REGISTRYFILE
Description: Location of the .reg file describing registry entries to make during the installation.
Default: Blank

Property: RESETVPNCONFIG
Description: Removes the existing user VPN settings. Other Endpoint Security client settings are maintained.
Default: No

Importing Client Executables


If you have received a new version of a client from Check Point, import it into your system so you can
include it in your client packages.

To import client executables:
1. Click Client Configuration > Manage Installer Versions.
2. Click New.
3. Click Choose File and browse to the MSI file.
4. Provide the version name-number of the new package.
5. Click Import.

Creating Client Packages


Create client packages to bundle client executables with configuration information and Policies.
To create a client package:
1. Go to the Client Configuration page.
2. Click New Package and choose your client executable option.
3. Configure your package options.
For more information about these options, see the online help.
• In the Package Details page, configure your installation options.
The Endpoint Security server can communicate with all 6.x versions of the clients, but it is
recommended that you use the same version as your Endpoint Security server or higher. Using the
same version ensures that all features will perform as expected.
• If you have enabled VPN in this package, click VPN Settings and enter your VPN information.
• If you want to specify connection and user ID settings other than the default, click Advanced
Settings.
4. Click Save.

Exporting Client Packages


You can export a client package as an executable .exe file.
Group Policy Object (GPO) and third-party deployments can then use a command-line tool to convert the
package into an MSI (Microsoft Installer) file.
To export a client package .exe file:
1. Click Client Configuration.
2. Click Export on the row of the package you want.
3. Browse to the location where you want to save the client package and click Save.

Important - Do not click the Open button: the executable would install the client on the administrator's own computer.

You can now use whichever distribution method you choose to distribute the Endpoint Security client
package to your endpoint users.
To convert the client package .exe file to an MSI file:
1. Go to the directory to which you saved the .exe file.
Example:
cd c:\downloads
2. Run the .exe package installer with the parameter msi.
For example:
<client package filename>.exe msi
The directory now contains a new file called <client package filename>.msi, which you can use to
perform GPO or third-party deployments of the client.

Distributing the Client Package URL


To distribute a URL to download the client
1. Click Client Configuration.

2. Click the client package name that you wish to distribute.
3. Copy the Package Download URL.
4. Distribute the URL to endpoint users using e-mail or your intranet:
• E-mail the full path of the client package to endpoint users. Users can simply click on the hyperlink
provided or copy and paste the URL into a browser address field.
• Post the download URL to your intranet as a convenient method of software distribution.
Both of the above methods rely on the endpoint user's cooperation. However, once clients are installed,
upgrades can be handled seamlessly by way of policy enforcement and auto-upgrade.

Client Connectivity Report


The Client Connectivity Report gives an up-to-date overview of connected and unconnected clients.
Connected clients are organized according to how long they have been connected. The report keeps you up
to date on connectivity issues, such as when an unusual number of endpoints are unconnected during
working hours.
A client is connected when the endpoint computer is turned on, the user is logged in and the client can
contact the Endpoint Security server. It is therefore normal for a majority of endpoints to be unconnected
during non-working hours, when most users have turned their computers off.

Client Version Report


The Client Version Report shows which client versions are running on your network and which endpoints are
running them. Use the report when you have deployed a new client package and want to confirm that
endpoints are running the new client.

Command Line Switches


Use command line switches to make changes to your Endpoint Security clients after installation.
To use command line switches:
1. Open a command line window.
2. Navigate to the Endpoint Security client directory.
3. Type iclient -<switch> <parameter>
Example: iclient -config pathtoconfig.xml -pwinst installpassword
If a parameter contains spaces, enclose it in double quotes.
4. Close the command line window.
Table 9-18 Post-Install Client Management Switches

Switch: -serialnumber or -lickey
Description: Inserts the key into the license table.

Switch: -password
Description: Specifies the user password.

Switch: -pwinst
Description: Specifies the old install key when changing it with -setpwinst or -pwinstset.

Switch: -upgradekey
Description: Specifies the upgrade key.

Switch: -setpass or -passwset
Description: Sets a new user password. Use the -password parameter to specify the old password.

Switch: -setpwinst or -pwinstset
Description: Changes the install key. These parameters can only change existing install keys. If you did not specify an installation password when you first installed the Endpoint Security client, you will not be able to use these parameters to set it.

Switch: -config <path to config file>
Description: Applies the configuration file to the personal policy. Use this to specify Endpoint Security connection information.

Switch: -policy <path to policy file>
Description: Applies the policy file to the enterprise connected policy.

Switch: -disconnectedPolicy <path to policy file>
Description: Applies the policy file to the enterprise disconnected policy.

Switch: -HU100
Description: Regenerates the HU100 key that uniquely identifies the endpoint. Use this if you have erroneously used imaging to install Endpoint Security clients: every computer cloned from such an image reports the same key until it is regenerated.

Switch: -errorsubmission
Description: Zips all errors, logs, and dumps and sends them to Check Point for analysis.

Distributing Client with GPO


In this installation, you will be creating a Microsoft Installer Package (.msi) file. You need to use Windows
Installer Packages, rather than standard .exe software packages because GPO cannot accept the command
line switches needed for silent install with automatic reboot during software deployment.
For more information about using a GPO, see the Microsoft Website.
The GPO distribution workflow:
1. From the Endpoint Security administrator console, create a client installer package EXE file by
configuring and exporting a client package.

Important - When you create new client packages to upgrade clients in your GPO distribution, create a new install key (password) each time so that clients cannot uninstall the Endpoint Security client without your permission. In a GPO distribution the install key is cached, which means that end users will not need a key to uninstall unless you have added a new install key in the upgrade package.

2. Go to the directory to which you saved the .exe file.
For example, if the .exe file is in the downloads directory:
cd c:\downloads
3. Run the .exe package installer with the parameter msi.
For example:
<client package filename>.exe msi
where <client package filename> is the filename of the .exe file you exported.
4. The following files are extracted:
• vc90rt.msi: Microsoft Visual C++ Runtime Libraries. Note: This file is a prerequisite and must be deployed on the clients first.
• iFlex***.msi: Network protection installer. After vc90rt.msi is distributed, distribute iFlex***.msi.
• FFsetup.exe: WebCheck feature installer. After iFlex***.msi is distributed, you can distribute FFsetup.exe if you want to have the WebCheck feature installed on the clients.
• EC.msi: Endpoint Connect installer. After iFlex***.msi is distributed, you can distribute EC.msi if you want to install Endpoint Connect on the clients.
5. Use the .msi client package file with your GPO.

Distributing Client with Command-Line


The installer for the Endpoint Security client uses Microsoft Installer (MSI) technology. Use the command
line to customize your installation or upgrade.
The installation command line consists of the following:
• MSI switches - These switches control the Microsoft Installer behavior. See MSI Switches (on page
139).
• Endpoint Security client installation parameters - Control the Endpoint Security client installation
behaviors. See Client Parameters.

Command-Line Syntax
The following is the general form for the installation command lines.
msiexec <MSI switches> <client package filename>.msi <Installation Parameters>
Example:
msiexec /i <client package filename>.msi /qn INSTALLPASSWORD=psswrd
Note the following when creating your command lines.
• Endpoint Security client parameters must be in uppercase.
• If an Endpoint Security client parameter or MSI switch value includes a space, it must be enclosed in
double quotation marks.
Note - The syntax used for the command lines in this chapter may differ from the command lines that you used in previous versions. Always use the documentation for the software version you are using.
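The helper below is an added example, not code from the Check Point guide. It turns the rules stated in Table 9-17 (Client Package Custom Parameters) and in the syntax notes above into a check that runs before anything reaches msiexec: parameter names must be uppercase, the YES/NO properties accept only YES or NO, REBOOTDELAY must be 1 to 15, INSTALL_SD must be YES whenever INSTALL_SC is, values with spaces are wrapped in double quotes, and a package without NEWINSTALLPASSWORD is rejected so that no client ends up with the default install key. The MSI filename, key and paths in the usage are constructed placeholders; the command line is only built here and is meant to be run on the Windows endpoint.

```python
"""Build and sanity-check a silent Endpoint Security client install line.

Added example (not Check Point code). It enforces the rules Table 9-17 and the
command-line syntax section state: parameter names uppercase, YES/NO values,
REBOOTDELAY 1..15, INSTALL_SD=YES whenever INSTALL_SC=YES, values with spaces
quoted. The MSI filename and values in __main__ are constructed for illustration."""

# Properties from Table 9-17 that take YES or NO.
YES_NO_PROPERTIES = {
    "CLIENTSTARTUP", "FORCEREBOOTDIALOG", "INSTALL_SC", "INSTALL_FF",
    "INSTALL_EC", "INSTALL_AV", "INSTALL_EAP", "INSTALL_SD", "RESETVPNCONFIG",
}
# Everything the guide documents for the install command line.
KNOWN_PROPERTIES = YES_NO_PROPERTIES | {
    "REBOOTDELAY", "REGISTRYFILE", "NEWINSTALLPASSWORD", "INSTALLPASSWORD",
}


def validate_parameters(params, require_install_key=True):
    """Return a list of problems with a parameter dict; an empty list means it is consistent."""
    problems = []
    for name, value in params.items():
        if name != name.upper():
            problems.append(f"{name}: client parameters must be uppercase")
        elif name not in KNOWN_PROPERTIES:
            problems.append(f"{name}: not a documented client parameter")
        elif name in YES_NO_PROPERTIES and value.upper() not in ("YES", "NO"):
            problems.append(f"{name}: value must be YES or NO")
    # The table's defaults apply when a property is absent (both default to YES).
    if params.get("INSTALL_SC", "YES").upper() == "YES" and params.get("INSTALL_SD", "YES").upper() != "YES":
        problems.append("INSTALL_SD must be YES when INSTALL_SC is YES")
    delay = params.get("REBOOTDELAY")
    if delay is not None and not (delay.isdigit() and 1 <= int(delay) <= 15):
        problems.append("REBOOTDELAY must be a whole number of minutes from 1 to 15")
    if require_install_key and "NEWINSTALLPASSWORD" not in params:
        # Without a key of your own the package gets the default install key.
        problems.append("NEWINSTALLPASSWORD not set: the client would use the default install key")
    return problems


def quote_if_needed(value):
    """msiexec needs values containing spaces wrapped in double quotes."""
    return f'"{value}"' if " " in value else value


def build_install_command(msi_file, params, silent=True, require_install_key=True):
    """Return the msiexec command line, or raise ValueError listing every problem found."""
    problems = validate_parameters(params, require_install_key)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["msiexec", "/i", quote_if_needed(msi_file)]
    if silent:
        parts.append("/qn")
    parts += [f"{name}={quote_if_needed(value)}" for name, value in sorted(params.items())]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed illustration: forced reboot after five minutes, registry file with a space in its path.
    print(build_install_command("ES_Client_R73.msi", {
        "NEWINSTALLPASSWORD": "S3cret-Install-Key",
        "FORCEREBOOTDIALOG": "YES",
        "REBOOTDELAY": "5",
        "REGISTRYFILE": r"C:\Deploy\es settings.reg",
    }))
```

Generate the line on the administration host, then paste it into the GPO startup script or the third-party deployment tool; because the install key travels on the msiexec command line, anything that logs command lines on the endpoint (including the deployment tool itself) will record it, so rotate the key with a new package rather than reusing one across deployments.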

MSI Switches
The installer supports all the standard MSI switches, except /j and /p. See the MSI documentation for more
information about these switches. MSI Switches are provided for your convenience when working with the
most common switches.
Switch: /i <file>
Description: Installs an MSI file. Example: Msiexec.exe /i <filename>.msi

Switch: /x <GUID or file>
Description: Uninstalls an MSI file. Example: Msiexec.exe /x <filename>.msi

Switch: /qn
Description: Silent install (no user interface).

Switch: /qb
Description: Basic user interface; provides notification of the installation to the user.

Note - The Endpoint Security client installer automatically deactivates the Cancel button, so you do not need to suppress this button using the MSI switches.

MSI Error (Return) Codes


All MSI installations behave according to Microsoft standards. The following codes indicate a successful
installation:
Code: ERROR_SUCCESS
Value: 0
Description: Action completed successfully.

Code: ERROR_SUCCESS_REBOOT_INITIATED
Value: 1641
Description: The installer has started a reboot.

Code: ERROR_SUCCESS_REBOOT_REQUIRED
Value: 3010
Description: A restart is required to complete the install. This does not include installs where the ForceReboot action is run.

For a list of all error codes, see the Microsoft MSDN article on Windows Installer Error Codes
(http://msdn.microsoft.com/en-us/library/aa368542(VS.85).aspx).

Uninstalling Clients
Use these instructions to uninstall Endpoint Security clients on a large number of endpoint computers. You
must have administrator privileges to uninstall Endpoint Security clients.

Silently Removing a Client


You can silently uninstall Endpoint Security clients to reduce the need for endpoint user cooperation. By
default, running a silent uninstallation automatically restarts the endpoint computer without warning to
complete the removal. However, you can use additional parameters and switches to either suppress the
restart (for example the standard msiexec /norestart switch) or to prompt the endpoint users to restart the
endpoint computers themselves (the standard /promptrestart switch).

Note - You cannot uninstall Endpoint Security clients using GPO. Uninstall GPO-installed Endpoint Security clients using the product code, using either the command line or a script.

Uninstalling MSI files


Use the following command line to uninstall the Endpoint Security client if you know which specific MSI file
you used to install it:
msiexec /x <installDatabase.msi> /qn INSTALLPASSWORD=<password>

Uninstalling Using Product Code


Use the following command line to uninstall the Endpoint Security client if you do not know the specific file
you used to install it:
msiexec /x <Product Code> /qn INSTALLPASSWORD=<password>

Obtaining Product Code
To obtain the product code (GUID), examine this registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm\MsiProductCode
The product code is the data of the MsiProductCode value. You can verify this code by checking for a sub-folder
named with the product code.

Uninstalling Using a Script


You can also uninstall the Endpoint Security client using a script. The following sample script reads the
product code from the registry and uses it to uninstall the MSI file. The install key is taken from the command
line rather than embedded in the script, and the script exits with the msiexec return code. Because no restart
switch is given, the computer reboots when the uninstall completes.
' Uninstalls the Endpoint Security client using the product code stored in the registry.
' Usage: cscript uninstall_esc.vbs <install key>
Option Explicit
Dim runPath, strReadValue, installKey, rc
Dim objShell
Const Reg_TestKey = "HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm\MsiProductCode"
If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript uninstall_esc.vbs <install key>"
    WScript.Quit 2
End If
installKey = WScript.Arguments(0)
Set objShell = CreateObject("WScript.Shell")
strReadValue = objShell.RegRead(Reg_TestKey)            ' {GUID} of the installed client MSI
runPath = "msiexec /x " & strReadValue & " /qn INSTALLPASSWORD=" & installKey
' Run hidden, wait for msiexec, and pass its return code on: 0, 1641 and 3010 all mean success.
rc = objShell.Run(runPath, 0, True)
WScript.Quit rc
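The following Python version is an added example, not code from the guide. It does what the VBScript sample does, with the three things a practitioner wants around a mass uninstall: it interprets the msiexec return code against the table in MSI Error (Return) Codes (0, 1641 and 3010 are all success), it refuses anything that is not a {GUID} product code before invoking msiexec, and it takes the install key from the caller instead of embedding it. The registry key and value are the ones named in Obtaining Product Code; the registry read and the msiexec call are isolated so the remaining logic can be exercised on a non-Windows machine; the GUID and key in the examples are placeholders.

```python
"""Silent uninstall by product code with return-code handling.

Added example (not Check Point code). The product code comes from the registry
value the guide names; the registry read is isolated so the rest can be
exercised anywhere, and the msiexec call is injectable for the same reason."""
import re
import subprocess

PRODUCT_CODE_KEY = r"SOFTWARE\Zone Labs\ZoneAlarm"
PRODUCT_CODE_VALUE = "MsiProductCode"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# The three return codes the guide lists as success; everything else is a failure.
SUCCESS_CODES = {
    0: "ERROR_SUCCESS: uninstall completed",
    1641: "ERROR_SUCCESS_REBOOT_INITIATED: uninstall completed, installer started a reboot",
    3010: "ERROR_SUCCESS_REBOOT_REQUIRED: uninstall completed, reboot still required",
}


def classify_return_code(rc):
    """Map an msiexec exit status to (ok, description)."""
    if rc in SUCCESS_CODES:
        return True, SUCCESS_CODES[rc]
    return False, f"msiexec returned {rc}; look it up in the Windows Installer error codes"


def read_product_code_from_registry():
    """Read MsiProductCode from HKLM (Windows only; winreg is imported here so the module loads elsewhere)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PRODUCT_CODE_KEY) as key:
        value, _ = winreg.QueryValueEx(key, PRODUCT_CODE_VALUE)
    return value


def build_uninstall_command(product_code, install_key, suppress_restart=False):
    """Return the msiexec argument list; refuse anything that is not a {GUID}."""
    if not GUID_RE.match(product_code):
        raise ValueError(f"not a product code GUID: {product_code!r}")
    cmd = ["msiexec", "/x", product_code, "/qn"]
    if suppress_restart:
        cmd.append("/norestart")   # standard msiexec switch; a silent uninstall otherwise reboots at once
    cmd.append(f"INSTALLPASSWORD={install_key}")
    return cmd


def uninstall_client(install_key, product_code=None, suppress_restart=False, run=subprocess.call):
    """Uninstall and return (ok, description); product_code defaults to the registry value."""
    code = product_code or read_product_code_from_registry()
    return classify_return_code(run(build_uninstall_command(code, install_key, suppress_restart)))


if __name__ == "__main__":
    import sys
    key = sys.argv[1] if len(sys.argv) > 1 else "<install key>"   # placeholder
    ok, why = uninstall_client(key, suppress_restart=True)
    print(why)
    sys.exit(0 if ok else 1)
```

Treat a 3010 as success but schedule the restart: the TrueVector driver is only fully removed after the reboot, so a fleet report that counts 3010 as a failure will overstate the machines still protected. As with the VBScript, the install key is visible on the msiexec command line to anyone who can list processes on the endpoint while it runs.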

Chapter 10
Configuring Office Awareness
Office Awareness allows the client to know whether the endpoint computer is connected to your network or
not. Use Office Awareness to ensure that the disconnected policy becomes active only when the endpoint
computers become disconnected from your network, not when they become disconnected from the Endpoint
Security server.

In This Chapter

Overview of Office Awareness 142


Using Office Awareness Servers 142
Using the Office Awareness Beacon 143

Overview of Office Awareness


Office Awareness works by either specifying Awareness Servers that are already on your network, or
configuring a special Office Awareness Beacon. As long as the endpoint computers remain in contact with
the Office Awareness Servers or Beacon, they will remain in connected mode and continue to use the
connected policy. This helps to maintain the correct levels of security and user productivity, even if the
Endpoint Security server becomes disabled or disconnected.
By using Office Awareness in conjunction with Endpoint Security Standby Servers, you can create a more
stable environment for your users. When used together, if the Endpoint Security server becomes disabled,
these features ensure that your endpoint computers continue to use the correct Policies and you can quickly
activate one of the standby servers to restore administration functionality.
To have Office Awareness, a client must be synchronized with the Endpoint Security server and have received
the list of Office Awareness Servers. Because of this, Office Awareness may take some time to go into
effect for all endpoint computers.

Note - By default, when an endpoint computer cannot contact the Endpoint Security server, it will use the permissions for Unknown programs. If you are using office awareness and want your program group permissions to apply instead, see the workaround in Group Permissions and Policies (on page 80).

Using Office Awareness Servers


Office Awareness Servers are servers that already exist on your network, such as DNS, DHCP, or gateway
servers. When you specify these servers as your Office Awareness Servers, the client uses them to
determine whether or not the endpoint computer is connected to your network. If it cannot contact these
servers, the client applies the disconnected policy.
This is the easiest method of providing office awareness. However, it is potentially vulnerable to spoofing: a
host on an untrusted network that answers at the same address can make the client believe it is in the office
and keep applying the connected policy. The risk of spoofing can be reduced by using the MAC address
instead of the IP address of the servers, although a MAC address is only visible on the endpoint's local
segment and can also be forged, so treat it as a mitigation rather than as authentication. For an
authenticated method, use the Office Awareness Beacon.
For Office Awareness to function correctly, you must specify Office Awareness Servers that are already in
use by your endpoint computers.

To specify Office Awareness Servers:
1. If you are in Multi-Domain mode, switch to the System Domain.
2. Click Client Configuration.
3. In the Office Awareness area, click Edit.
4. Add the servers you want to use.
Option: All of these servers are found
Description: Select this option to keep enforcing the connected policy only when the Endpoint Security client can contact all the specified servers.

Option: Any of these servers are found
Description: Select this option to keep enforcing the connected policy when the Endpoint Security client can contact any one of the specified servers.

Option: Server Type
Description: The type of Office Awareness Server.

Option: Address
Description: The address of the Office Awareness Server. Use the MAC address instead of the IP for additional security.

5. Click Save.

Using the Office Awareness Beacon


Use the Office Awareness Beacon as a more secure way of providing Office Awareness. The Office
Awareness Beacon is a special Server that you install and then specify. Unlike regular Office Awareness
Servers, the Office Awareness Beacon provides authenticated communication to the clients, preventing
spoofing, and it does not cause significant network traffic.

Beacon Details
A Beacon server is any HTTP server that serves SSL on port 2100 with a certificate issued under a well-known
CA: the certificate chain must lead to the root CA that SmartCenter generates at its initial installation. This
CA is also contained in all Endpoint client packages, which is what lets the client authenticate the Beacon
rather than merely reach it.
An Endpoint Security Server consists of three major components:
• Security Management Server (or remote Smart Center)
• Check Point Apache server
• Check Point Tomcat server
The Apache server in every Endpoint Security server installation (either active or standby) is also a Beacon
server. This section describes the installation of a standard Standby Endpoint Security server and
modifications to result in an installed standalone Beacon server.

Installing a New Beacon Server


Install a new Beacon server after you install the Primary Security Management Server.
If you want to make an existing HTTP server into a Beacon server, see Configuring an Existing Server (on
page 144).
To install a Beacon server:
1. Run the Check Point Installer.
2. Choose to install the Endpoint Security Server only.
3. Select Endpoint Security with Remote SmartCenter.
This installation must connect to the SmartCenter remotely.
4. Wait for the Endpoint Security installer to begin.

5. Select Standby Endpoint Security Server and proceed with installation.
6. The cpconfig utility will run.
You do not need to specify a license.
7. Define a temporary administrator.
8. Set a Secure Internal Communication Activation Key.
This is a one-time password that must be set to push a certificate from SmartCenter to the Beacon
installation.
9. Complete the installation and reboot the machine as required.
You must now establish communication between SmartCenter and the Beacon server.

Establishing Communication
To establish a secure communication channel between SmartCenter and the Beacon server:
1. From SmartDashboard, connect to your Security Management Server.
2. Right-click the checkpoint Network object and select New Check Point > Host.
3. Provide a name for the Beacon server and its IP address.
4. Click Communication and enter the Secure Internal Communication Activation Key that you created
when you installed the Beacon server.
5. Click Initialize.
6. Select Integrity Server in the Check Point Products list.
7. Click OK.
8. Select Policy > Install Database.
9. Click OK.
10. Reboot the Beacon server.
The Beacon server is now fully configured. You must now register the Beacon server with the Endpoint
Security server.

Registering the Beacon Server


You must register the Beacon server with the Endpoint Security server after SIC is established.

Important - It is recommended that you perform this task with the assistance of your Check Point sales representative or a Check Point Technical Support Engineer.

To Register the Beacon Server with the Endpoint Security server:


1. Log into the Endpoint Security Administrator Console.
2. Go to the tech support page.
Access this page by holding down the CTRL and ALT keys while double clicking on the Endpoint
Security logo in the upper left of the Administrator Console.
3. Click the Server Resources tab.
4. Enter the IP address of the Beacon server in the Beacon Servers section of the page.
5. Click Add Beacon Server.
The Beacon server is now part of the Endpoint Security server network. Its IP address will be sent to all
Endpoint Security clients.

Configuring an Existing Server


You also can configure an existing HTTP server as the Beacon server.
To configure an existing HTTP server as the Beacon:
1. Install a Beacon server.
You will be using this server to create the certificates and then uninstalling it.
2. Establish communication between the Beacon server and the Security Management Server.
See Establishing Communication (on page 144). Do not register the server.

3. Copy the generated certificates to the existing HTTP server.
The certificates are located at:
[install root]\EndpointSecurityServer\engine\webapps\ROOT\conf\ssl\apache\integrity-smartcenter.cert
[install root]\EndpointSecurityServer\engine\webapps\ROOT\conf\ssl\apache\integrity-smartcenter.key
The .key file is the Beacon's private key: anyone who holds it can impersonate the Beacon to every client, so
copy it over a protected channel and restrict its file permissions on the target server.
4. Uninstall the Beacon server.
5. Modify the SSL configuration of the HTTP server to bind port 2100 to the certificates.
If the existing server is an Apache server, use the installed Apache ssl.conf file as a guide. It is located
at:
[install root]\EndpointSecurityServer\apache2\conf\ssl.conf
6. When the existing server has been configured, register it with the Endpoint Security server. See
Registering the Beacon Server (on page 144).
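Before registering a Beacon, whether the built-in Apache one or an existing HTTP server configured as in the steps above, it is worth confirming that it really authenticates the way Beacon Details describes. The probe below is an added example, not Check Point code: it connects to port 2100 and accepts the server only if its certificate chains to the CA file supplied, which is assumed to be a PEM export of the SmartCenter root CA carried in the client packages. Hostname matching is turned off on the assumption that clients identify the Beacon by its CA chain rather than by DNS name; the host name and CA path in the usage are placeholders. A server that answers on 2100 with any other certificate is reported as untrusted, which is exactly the spoofed-server case that plain Office Awareness Servers cannot detect.

```python
"""Probe an Office Awareness Beacon and insist on the SmartCenter CA.

Added example (not Check Point code). Connects to the Beacon port (2100, as the
guide states) and treats the server as genuine only if its certificate chains to
the CA file given (assumed to be a PEM export of the SmartCenter root CA)."""
import socket
import ssl
from dataclasses import dataclass

BEACON_PORT = 2100


@dataclass
class BeaconVerdict:
    trusted: bool
    reason: str


def probe_beacon(host, ca_file, port=BEACON_PORT, timeout=3.0):
    """Return a BeaconVerdict; only a chain to the SmartCenter CA counts as trusted."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # No TCP contact at all: a client in this position falls back to the disconnected policy.
        return BeaconVerdict(False, f"unreachable: {exc}")
    with sock:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = False                   # assumption: Beacon identity is the CA chain, not the name
        ctx.load_verify_locations(cafile=ca_file)    # trust only the SmartCenter CA, not the system store
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
                return BeaconVerdict(True, f"certificate chains to the SmartCenter CA; "
                                           f"subject CN={subject.get('commonName', '?')}")
        except ssl.SSLCertVerificationError as exc:
            # Something answers on 2100 but was not issued by the SmartCenter CA: the spoofing case.
            return BeaconVerdict(False, f"untrusted certificate (possible spoofed Beacon): {exc.verify_message}")
        except (ssl.SSLError, OSError) as exc:
            return BeaconVerdict(False, f"TLS handshake failed: {exc}")


if __name__ == "__main__":
    # Placeholder host name and CA path.
    print(probe_beacon("beacon.example.internal", "smartcenter-root-ca.pem"))
```

Run it from a machine on the office network and again from outside (or with the Beacon's address pointed at an arbitrary HTTPS server): the first should report a trusted chain, the second an untrusted certificate. If the first reports untrusted, the server on port 2100 is not presenting the integrity-smartcenter certificate and clients will not treat it as a Beacon.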

Chapter 11
Linux Agent Installation and
Configuration
Endpoint Security Agent for Linux® provides enterprise Endpoint Security for Linux users.

Note - This chapter is intended specifically for Endpoint Security Agent for Linux. All references in this chapter to Endpoint Security Agent refer to the Linux version, unless otherwise specified.

In This Chapter

Deployment Workflow 146


Managing Linux Groups 146
Creating the Linux Policy 147
Understanding Policy Enforcement on Linux 148
Installation of Client on Linux 149
Customizing the Endpoint Security Agent Configuration 154
Running Endpoint Security Agent 156

Deployment Workflow
To successfully deploy Endpoint Security Agent for Linux to endpoint computers on your Endpoint
Security-protected network, perform the procedures below in order. Each phase of the deployment process is
dependent on the items you verified or configured in the previous phase.
To deploy Endpoint Security Agent for Linux:
1. Create a user catalog and group for the protected Linux computers.
See Managing Linux Groups (on page 146).
2. Create and assign a connected enterprise policy to the Linux user group.
3. Check Supported Policy Settings (on page 147) for the settings the Linux agent enforces; it ignores the rest.
4. Create and export a disconnected policy for Endpoint Security Agent.
5. Install Endpoint Security Agent for Linux on the endpoint computers.
See Installation of Client on Linux (on page 149).
6. Customize Endpoint Security Agent for Linux (optional).
See Customizing the Endpoint Security Agent Configuration (on page 154).

Managing Linux Groups


To assign Policies and ensure that those Policies are exclusively deployed to the Linux users in your
environment, you may isolate Linux users on your network. You can do this by creating user catalogs and
configuring the ilagent.conf file to send the Policies to that catalog.
You may want to design Policies specifically for Endpoint Security Agent for Linux for the following reasons:
• Setting specific security Policies: You may wish your Linux users to have different security rules than
your Windows users.

• Reducing policy size: The Linux version of Endpoint Security Agent does not use program control, so
you can reduce your policy size for Linux users by disabling program control in the policy you define for
them. Disabling program control reduces the policy size by up to 80% by excluding the program list from
the policy. Reducing the policy size may decrease your bandwidth requirements.
To assign an enterprise security policy to Linux users, create a user catalog group. Endpoint Security Agent
users get the policy assigned to their user catalog. Linux users who are not identified as being part of that
user catalog, get the Default Policy.
To manage Linux computer groups:
1. Go to the Endpoint Manager page, and select New Catalog > Custom.
The New Custom Catalog page appears.
2. Complete fields for the custom catalog.
3. Click Save.
4. Select the catalog you created and click New Group.
5. Complete fields for the user group.
6. Click Save.
7. Set the cm_auth parameter to the catalog and group you created.
• Log into the Linux system and open a terminal window.
• Change the directory to /usr/local/ilagent/etc
• Open ilagent.conf.
• Change the value of the cm_auth parameter and save the file.
• Restart Endpoint Security Agent.
8. Add the userID attribute in the policy.xml file to the user catalog you created, and deploy that package to
Linux users only.

Creating the Linux Policy


Endpoint Security Agent enforces the following two Policies:
• The connected policy
• The disconnected policy
The connected policy is managed and assigned on the Endpoint Security server. Endpoint Security Agents
enforce this policy when the protected computer is connected to the Endpoint Security server.

Note - Endpoint Security Agent for Linux does not support Office
Awareness.

The disconnected Endpoint Security Agent for Linux policy is centrally created but can only be managed on
the protected computer. You can configure Endpoint Security Agent to enforce this policy when the
protected computer is not connected to the Endpoint Security server.

Supported Policy Settings


Endpoint Security Agent enforces most firewall rule settings and connection state-related client settings in
an Endpoint Security security policy. It ignores all other unsupported settings that are included in the policy.
The following describes Endpoint Security Agent supported policy settings:
• Names and Notes. Policy information, name, description and notes, used to identify the policy on both
Endpoint Security server and protected computer.
• Policy assignment. Delivers enterprise security Policies to protected computers.
• Most firewall rule settings. Blocks or allows network traffic by source, destination, and protocol.

Note - Endpoint Security Agent supports all firewall settings EXCEPT Time and day settings (rules with these settings are enforced all the time) and IGMP protocol type and number (rules with these settings are enforced for all IGMP traffic). If the computer is not compliant with the minimum version, Endpoint Security Agent for Linux logs the event in the log file. The session is not restricted.

• Client-Server Communications: Heartbeat frequency and Log transfer frequency.
• Policy Arbitration Rules: Permit user to shutdown the Endpoint Security client when enterprise
policy is active, and Enforce this policy when client is disconnected.

Understanding Policy Enforcement on Linux
The policy Endpoint Security Agent enforces changes according to the protected computer's connection
state as follows:
• When the protected computer disconnects from Endpoint Security server. On disconnection, Endpoint
Security Agent loads and enforces the disconnected policy.
Note - If you enable Enforce this policy when client is
disconnected in the enterprise policy, Endpoint Security Agent
enforces the enterprise policy whether it is connected or not.

• When the protected computer connects to the Endpoint Security server. On connection, Endpoint
Security Agent loads and enforces the enterprise policy deployed by the server.
• When the protected computer is connected and receives a different enterprise policy from the Endpoint
Security server. Endpoint Security Agent loads and enforces the new enterprise policy. The iptables
rules derived from the previous policy are overwritten by the new policy.
Note - Endpoint Security Agent for Linux does not display any alerts to the user upon enforcement.

Disconnected Policy for Linux - Options


Consider the following options when setting up and configuring the disconnected policy for Linux:
• To provide a more permissive policy when protected computers are not connected, create and export a
disconnected policy with limited number of classic firewall rules.
• To reduce the policy size, set Program Rules, Program Control for policy_name: Disable program
control. This setting excludes the list of referenced programs from the policy.
• To provide the same level of security when protected computers are not connected, in the enterprise
policy set Client Settings, Policy arbitration rules: Enforce this policy when client is
disconnected. Endpoint Security Agent enforces the enterprise policy when disconnected.
• To allow the users to configure their own security settings when the protected computer is not
connected, do not include a disconnected policy in the installation package or change the disconnected
policy value in the Endpoint Security Agent configuration file to null.

Managing Linux Disconnected Policy


This section explains how to change the name or location of the disconnected policy.
After you install the Endpoint Security Agent, you can modify the disconnected policy settings only on the
protected computer. If you modify settings or replace the disconnected policy (without changing the file
name or location), simply restart Endpoint Security Agent. No other configuration tasks are required.

Linux Agent Installation and Configuration Page 148


Note - You can configure Endpoint Security Agent to enforce a policy only
when it is connected to the Endpoint Security server by setting the
disconnected_policy value to null ("") in the Endpoint Security Agent
configuration file.

To change the name or location of the disconnected policy:


1. Using the Endpoint Security Administration Console, create and export a disconnected policy.
2. Log onto the protected computer as root.
3. Copy the updated disconnected policy to the /usr/local/ilagent/etc directory.
4. If the policy name or location changed, update the configuration file.
• Open the configuration file with a text editor.
[root@localhost root] # vi /usr/local/ilagent/etc/ilagent.conf
• Change the value of the disconnected policy parameter.
<param name="disconnected_policy" value="disconnected_v2.xml"/>
• Save your changes, then close the file.
5. Restart Endpoint Security Agent.
See Running Endpoint Security Agent (on page 156) for detailed instructions on starting and stopping
the client.
The disconnected policy update is complete. The IPtable settings of the previous disconnected policy are
replaced with those of the new disconnected policy.
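Steps 4 and 5 are normally done by hand in vi. As an added example that is not part of this guide, the following POSIX shell script makes the same edit from a script, keeping a backup of ilagent.conf and verifying the new value before you restart the agent. It assumes the one-param-per-line layout of the sample configuration file shown under Configuration File Settings; the configuration it writes for its demo run is a constructed excerpt of that sample.

```sh
#!/bin/sh
# Added example, not part of the Check Point guide: change the
# disconnected_policy parameter of an ilagent.conf-style file from a script,
# keeping a backup and verifying the edit before the agent is restarted.
# Assumption: one <param name="..." value="..."/> element per line, as in
# the sample configuration file in this chapter.

# get_param CONF NAME -> prints the value attribute of the named param
get_param() {
    sed -n "s/.*<param name=\"$2\" value=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# set_disconnected_policy CONF VALUE
#   VALUE is the policy file the agent loads while disconnected; an empty
#   VALUE writes value="", which (as the guide notes) makes the agent enforce
#   a policy only while it is connected to the server. The original file is
#   kept as CONF.bak. Returns non-zero and leaves CONF unchanged when the
#   parameter is missing, VALUE is unsafe for the edit, or the edit failed.
set_disconnected_policy() {
    conf=$1
    value=$2
    case $value in
        *\"*|*\&*|*\|*|*\\*)
            echo "value must not contain \", &, | or \\" >&2
            return 2 ;;
    esac
    if ! grep -q '<param name="disconnected_policy" ' "$conf"; then
        echo "no disconnected_policy param in $conf" >&2
        return 1
    fi
    cp -p "$conf" "$conf.bak"
    # Rewrite only the value attribute of the disconnected_policy line.
    sed "s|\(<param name=\"disconnected_policy\" value=\"\)[^\"]*\(\"\)|\1$value\2|" \
        "$conf.bak" > "$conf"
    if [ "$(get_param "$conf" disconnected_policy)" != "$value" ]; then
        echo "edit failed, restoring $conf from backup" >&2
        cp -p "$conf.bak" "$conf"
        return 1
    fi
    echo "disconnected_policy set to \"$value\" (backup: $conf.bak)"
    # Restart Endpoint Security Agent afterwards so the value is loaded, e.g.
    # /etc/init.d/ilagentd stop && /etc/init.d/ilagentd start for an RPM install.
}

# write_sample_conf FILE -> constructed excerpt of the sample configuration
write_sample_conf() {
    cat > "$1" <<'EOF'
<ilagent-conf>
<param name="cm_address" value="https://localhost/cm"/>
<param name="chroot_path" value="/var/ilagent"/>
<param name="disconnected_policy" value="disconnected.xml"/>
<param name="received_policy" value="ilagent-policy.xml"/>
</ilagent-conf>
EOF
}

# Demo run on a constructed copy of the sample configuration.
tmp=$(mktemp)
write_sample_conf "$tmp"
echo "before: $(get_param "$tmp" disconnected_policy)"
set_disconnected_policy "$tmp" disconnected_v2.xml
echo "after:  $(get_param "$tmp" disconnected_policy)"
rm -f "$tmp" "$tmp.bak"
```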

Installation of Client on Linux


This section explains how to install, upgrade, and remove the Endpoint Security Agent using either the RPM
package manager or a standard installation script.
Before installing Endpoint Security Agent on Linux:
1. Configure a Linux user catalog and group on the Endpoint Security server.
2. Assign a policy to the Linux user group.
3. Create and export a disconnected policy.
The Endpoint Security Agent on Linux starts immediately after installation, downloads the enterprise
security policy and begins enforcing it.

Installation Methods
Use the installation method that is best for your environment.
• Installation script - This method requires manual input, but allows administrators to customize settings.
See Installing using the installation script (see "Installing with Installation Script" on page 150).
• Custom build an RPM file for your environment - This method decreases the work involved with
large deployments by allowing you to install Endpoint Security Agent without having additional
configuration steps. However, it also requires that protected computers have the same configuration and
requires the use of Endpoint Security Agent default configuration settings. For example, use this method
to install Endpoint Security Agent on ten computers that have the same disconnected policy. You can
install Endpoint Security Agent on all of those computers using the same customized RPM file. See
Installing using the Endpoint Security Agent RPM (on page 151).
• Pre-configured RPM file - This method allows you to perform large Endpoint Security Agent
deployments using RPM package manager without creating a customized installation RPM. It has two
post installation configuration steps. For example, use this installation method when you have a few
computers that you want to run Endpoint Security Agent on. See Installing using the Endpoint Security
Agent RPM (on page 151) and Building a customized RPM (on page 152).

Installing with Installation Script
These instructions explain how to do a basic installation using the default settings. The script allows you to
configure the IP address of the Endpoint Security server, as well as choose the directory where Endpoint
Security Agent is installed.

Note - After installation, copy the disconnected policy to the computer
and update the configuration file.

Use the following command line switch to silently run the installation.
Option Description

--silent Install Endpoint Security Agent with the default settings.

Note - The installer still prompts you for the Endpoint Security server
CM address.

To install using a script:


1. Move the avalon-x.x.xxx.x.bin installation file and disconnected policy to the Linux endpoint computer.
2. On the endpoint computer, log in as root.
3. Change the mode of the Endpoint Security Agent installation files.
[root@localhost root] # chmod 755 avalon-x.x.xxx.x.bin
4. Execute the installation script.
[root@localhost root] # ./avalon-x.x.xxx.x.bin

Note - To execute the script in silent mode and use the default
settings in step 7, type the following command.
[root@localhost root] # ./avalon-x.x.xxx.x.bin --silent

The installation script detects the operating system and directory structure.
Found RedHat OS
Checking for iptables executables...
Checking for iptables filter table...
Checking for LOG iptables target...
Found LOG target
Checking for ULOG iptables target...
Found ULOG target
Checking for /proc/net/dev ...
Checking for /dev/random ...
Checking for /dev/null ...
5. When prompted, enter the Endpoint Security server Connection Manager (CM) address:
https://225.225.225.225/cm
6. When prompted, enter the catalog, group, and user information with the auth path:
manual://<catalog>/<Group>/<user>
7. Provide the local Endpoint Security Agent information.

Note - To accept the defaults, press return without entering any
information. You are not prompted for this information when running
the installer silently.

• Enter the directory where you want Endpoint Security Agent to be installed.
Please enter target directory [default /usr/local/ilagent]:
• Type Y to run Endpoint Security Agent in jail or N to run Endpoint Security Agent unprotected.
Chroot ilagent daemon to target directory? [y/n, default Y]: Y
Checking for installed ilagent...
• For first time installations, you are prompted to create Endpoint Security Agent directories.
Dir /usr/local/ilagent/bin does not exist. Create? [y/n, default Y]: Y
Automatically create all dirs? [y/n, default Y]: Y

Note - If you entered a custom target directory in the first sub-step of
step 7, verify that the default directory shown here is the same.

• Set up Endpoint Security Agent logging.
Create logrotate file for ilagent? [y/n, default Y]: Y
Enter logrotate files path [default /etc/logrotate.d]:
• Automatically create the Endpoint Security Agent start and stop scripts.
Create rc script for ilagent? [y/n, default Y]: Y
Enter rc scripts path [default /etc/init.d]:
Starting ilagent ...
Starting ilagentd
8. Copy the disconnected policy to the /usr/local/ilagent/etc directory.
[root@localhost root] # cp /tmp/disconnected.xml /usr/local/ilagent/etc/disconnected.xml
9. Set the disconnected_policy parameter in the Agent configuration file to the location you specified in
step 7, relative to the root directory.
The default value for the disconnected_policy parameter is "/etc/disconnected.xml"
After the installation is complete, Endpoint Security Agent automatically starts, connects to the Endpoint
Security server, then downloads the enterprise security policy and begins enforcing the policy. If the
Endpoint Security server is not available, Endpoint Security Agent enforces the disconnected policy.

Uninstalling with Installation Script


To uninstall Endpoint Security Agent on Linux:
1. Log into the Linux computer as root.
2. Go to the Endpoint Security Agent bin directory.
[root@localhost root] # cd /usr/local/ilagent/bin

Note - If you installed Endpoint Security Agent in a different directory,
be sure to go to that directory.

3. Execute the uninstall script.
[root@localhost bin] # ./uninstall
The uninstall log is saved as /var/log/ilagent_install.log.
4. After Endpoint Security Agent uninstall script is complete, remove the remaining Endpoint Security
Agent directory.
[root@localhost root]# cd /usr/local
[root@localhost root]# rm -Rf ilagent
Endpoint Security Agent and all related IPtables entries are removed from the computer. The original
IPtable settings are reset.

Installing using the Endpoint Security Agent RPM


The Endpoint Security Agent RPM uses all the default configuration settings except for the Endpoint
Security server IP address and the disconnected policy.

Note - You can customize the configuration by replacing the
configuration file and restarting Endpoint Security Agent, after you
install the product using RPM.

Before You Begin


Before you install Endpoint Security Agent, define a Linux user group for the protected computers, create
and export a disconnected policy, and create and assign an enterprise policy to the user group on the
Endpoint Security server.
Then gather and/or verify the following items:

• For customized RPM, Endpoint Security Agent RPM build script (ilagent-build-rpm-1.xxx.x-x.bin)
• For pre-configured RPM, Endpoint Security Agent RPM (avalon-x.x.xxx.x-x.i386.rpm)
• RPM package manager version 4.2-1 or higher (rpm-build-4.2-1.i386.rpm)
• Disconnected policy
• Endpoint Security server Connection Manager address
• IPtable service installed and started

Building a Customized RPM


This section explains how to create a custom Endpoint Security Agent RPM that you can use to install or
upgrade the Endpoint Security Agent.

Note - You can log into the Endpoint Security server administration
console from the computer where you are creating the Endpoint
Security Agent RPM, then export the disconnected policy directly to
the /tmp directory.

To build a custom Endpoint Security Agent RPM:


1. Log in as root user.
2. Move the Endpoint Security Agent RPM build script, ilagent-build-rpm-1.xxx.x-x.bin, and the
disconnected policy to the computer.
Put the build script in the root directory and the disconnected policy into /tmp.
3. Change the mode of the ilagent-build-rpm-1.xxx.x-x.bin file.
[root@localhost root] # chmod 755 ilagent-build-rpm-1.xxx.x-x.bin
4. Create the RPM file.
[root@localhost root] # ./ilagent-build-rpm-1.xxx.x-x.bin cm_address cm_auth disconnected_policy_path

Note - The syntax of the command above is:
- ilagent-build-rpm-1.xxx.x-x.bin is the RPM build script
- cm_address is the connection manager address
- cm_auth is the directory, user group, and user.
- disconnected_policy_path is the complete path and file name of the
policy that Endpoint Security Agent enforces when it is not connected
to the Endpoint Security server. Optional.

The script outputs the RPM to:
/usr/src/redhat/RPMS/i386/avalon-x.x.xxx.x-x.i386.rpm
5. Go to that directory and change the mode of the file.
[root@localhost root] # cd /usr/src/redhat/RPMS/i386 && chmod 755 avalon-x.x.xxx.x-x.i386.rpm

Installing Endpoint Security Agent using RPM


Note - If you install Endpoint Security Agent using the preconfigured
RPM, then you must configure the Endpoint Security server
Connection Manager address after the installation is complete (see
Customizing the Endpoint Security Agent Configuration (on page
154)).

To install using an RPM:


1. Log in as root user.
2. Move the Endpoint Security Agent RPM, avalon-x.x.xxx.x-x.i386.rpm to the computer.
3. Verify that Endpoint Security Agent is not already installed on the computer.
[root@localhost root] # rpm -qa ilagent
When the Endpoint Security Agent is already installed, the program name is displayed. If it is installed,
either uninstall it before continuing or follow the upgrade instructions in the next section.
4. Execute the installer.

[root@localhost root] # rpm -i ilagent-xxx.x.rpm
5. Verify that the installation completed successfully.
[root@localhost root] # rpm -qa ilagent
ilagent-xxx.x
After the installation is complete, Endpoint Security Agent automatically starts, connects to the Endpoint
Security server, then downloads the enterprise security policy and begins enforcing the policy. If the
Endpoint Security server is not available, Endpoint Security Agent enforces the disconnected policy.

Upgrading Endpoint Security Agent using RPM


Upgrade previous versions of the Endpoint Security Agent using a customized RPM or pre-configured
Endpoint Security Agent RPM.

Note - You can also use the upgrade command to change the
disconnected policy or Endpoint Security server Connection Manager
address. First build a new RPM using the new IP address or
disconnected policy, then follow the instructions in this section.

To upgrade using RPM:


1. Log in as root user.
2. Move the Endpoint Security Agent RPM, avalon-x.x.xxx.x-x.i386.rpm to the computer.
3. Verify that Endpoint Security Agent is already installed on the computer.
[root@localhost root] # rpm -qa ilagent
When the Endpoint Security Agent is already installed, the program name is displayed. If it is not installed,
use the first-time installation instructions in Installing Endpoint Security Agent using RPM (on
page 152).
4. Execute the upgrade.
[root@localhost root] # rpm -U ilagent-xxx.x.rpm
5. Verify that the installation completed successfully.
[root@localhost root] # rpm -qa ilagent
ilagent-xxx.x
After the installation is complete, Endpoint Security Agent automatically starts, connects to the Endpoint
Security server, then downloads the enterprise security policy and begins enforcing the policy. If the
Endpoint Security server is not available, Endpoint Security Agent enforces the disconnected policy.

Uninstalling Endpoint Security Agent using RPM


This section explains how to remove Endpoint Security Agent using the RPM package manager. When you
remove the Endpoint Security Agent from the endpoint computer, the Endpoint Security Agent software and
all of the firewall rules added to the iptables are removed.
To uninstall using RPM:
1. Log in as root user.
2. Get the name of Endpoint Security Agent that is installed on the computer.
[root@localhost root] # rpm -qa ilagent
ilagent-xxx.x
Endpoint Security Agent program name displays. If it is not installed, no information is returned.
3. Using the name of Endpoint Security Agent, execute the uninstall command.
[root@localhost root] # rpm -e ilagent-xxx.x
4. Verify that the Endpoint Security Agent is no longer installed on the computer.
[root@localhost root] # rpm -qa ilagent
[root@localhost root] #
5. To clean up the system, remove the ilagent directory and rpm file:
[root@localhost root] # rm -Rf /usr/local/ilagent
[root@localhost root] # rm -f /usr/src/redhat/RPMS/i386/ilagent-xxx.x.rpm
When the uninstall using the Endpoint Security Agent RPM completes, Endpoint Security Agent and
firewall rules added to iptables by the policy are removed from the computer.

Customizing the Endpoint Security Agent Configuration
To customize the configuration file of Endpoint Security Linux Agent, open the file with a text editor and
change the settings. Then restart Endpoint Security Agent to run the client with the new configuration.

Configuration File Settings


The configuration file is located in the /usr/local/ilagent/etc directory. The table below explains
how to set each parameter.

Note - If you run the Endpoint Security Agent or IPtables in jail, make
all paths relative to chroot_path.

Sample configuration file


<ilagent-conf>
<param name="cm_address" value="https://localhost/cm"/>
<param name="cm_auth" value="manual://catalog/group/user"/>
<param name="is_port" value="5054"/>
<param name="pidfile" value="/usr/local/ilagent/run/ilagent.pid"/>
<param name="cxn_signature" value="/usr/local/ilagent/etc/ilagent.sig"/>
<param name="ipt_accept_log_chain" value="LFA_LOG_ACCEPT"/>
<param name="ipt_drop_log_chain" value="LFA_LOG_DROP"/>
<param name="ipt_accept_log_prefix" value="LFA_ACCEPT_"/>
<param name="ipt_drop_log_prefix" value="LFA_DROP_"/>
<param name="ipt_log_source" value="ULOG"/>
<param name="ipt_nl_group" value="15"/>
<param name="ipt_nl_qthreshold" value="1"/>
<param name="ipt_log_limit" value="100"/>
<param name="ipt_log_limit_burst" value="10"/>
<param name="chroot_path" value="/var/ilagent"/>
<param name="logfile" value="ilagent.log"/>
<param name="ipt_cmd" value="/sbin/iptables"/>
<param name="ipt_save" value="/sbin/iptables-save"/>
<param name="ipt_restore" value="/sbin/iptables-restore"/>
<param name="disconnected_policy" value="disconnected.xml"/>
<param name="received_policy" value="ilagent-policy.xml"/>
<param name="dumpfile" value="/run/dump.log"/>
<param name="statusfile" value="/run/status.log"/>
</ilagent-conf>
Table 11-19 Linux Agent Configuration Parameters
Parameter              Description

cm_address             Endpoint Security server Connection Manager address.
cm_auth                Catalog, group, and username this policy is assigned to.
is_port                Endpoint Security server port. Use the default setting of 5054.
pidfile                Complete path to the ilagentd pid (process identifier) file.
cxn_signature          Path to the file that contains a unique identifier of Endpoint
                       Security Agent. Primarily used for debugging.
ipt_accept_log_chain   Chain where packet logging and accepting rules are placed.
ipt_drop_log_chain     Chain where packet logging and dropping rules are placed.
ipt_accept_log_prefix  Log message prefix for accepted packets.
ipt_drop_log_prefix    Log message prefix for dropped packets.
ipt_log_source         Name of the firewall events log message source. Specify either
                       the syslog file name or the value 'ULOG'.
ipt_nl_group           When using ULOG, the netlink group (1-32) to which the packet is
                       sent. See man iptables for details.
ipt_nl_qthreshold      When using ULOG, the number of packets queued inside the kernel.
                       See man iptables for details.
ipt_log_limit          Maximum number of packets logged per second.
ipt_log_limit_burst    Affects the packet shaping mechanism of IPtables. See man
                       iptables for details.
ipt_cmd                Path of the iptables executable.
ipt_restore            Path of the iptables-restore executable.
ipt_save               Path of the iptables-save executable.
disconnected_policy    Path to the policy file Endpoint Security Agent enforces when
                       disconnected from the Endpoint Security server. See Managing
                       Linux Disconnected Policy (on page 148). The default is
                       '/etc/disconnected.xml'. You can disable the disconnected policy
                       by removing the file specified here.
received_policy        Path to the enterprise security policy Endpoint Security Agent
                       enforces when connected to the Endpoint Security server.
chroot_path            Complete path to the jail directory. When you enter a value,
                       ilagentd calls chroot() to that directory. This directory must
                       contain all required files and libraries.
logfile                Complete path to the ilagentd log file. The default is
                       /usr/local/ilagent/run/ilagent.log.
dumpfile               Complete path to the ilagentd dump file.
statusfile             Complete path to the ilagentd status file.
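The ipt_*_log_* parameters decide where the firewall events generated by the agent's iptables rules end up and how they are tagged. As an added example that is not part of this guide, the following POSIX shell script summarises such events from a syslog file (the case where ipt_log_source names a syslog file rather than ULOG) using the prefixes from the sample configuration. The log lines it reads are constructed, and their layout is an assumption taken from the standard iptables LOG target (the prefix printed immediately before IN=), not from this guide.

```sh
#!/bin/sh
# Added example, not part of the Check Point guide: summarise firewall
# events that Endpoint Security Agent's iptables rules write to syslog when
# ipt_log_source names a syslog file. The sample lines below are constructed
# and follow the standard iptables LOG target layout (prefix printed directly
# before "IN="); the prefixes match the sample ilagent.conf values.

# count_prefix LOGFILE PREFIX -> number of lines carrying that log prefix
count_prefix() {
    grep -c -F "kernel: $2" "$1" || true
}

# drop_sources LOGFILE PREFIX -> "SRC count" lines, busiest source first
drop_sources() {
    awk -v pfx="kernel: $2" '
        index($0, pfx) == 0 { next }
        {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") n[substr($i, 5)]++
        }
        END { for (s in n) print s, n[s] }
    ' "$1" | sort -k2,2nr -k1,1
}

# dropped_ports LOGFILE PREFIX -> "PROTO/DPT count" lines, most hit first
dropped_ports() {
    awk -v pfx="kernel: $2" '
        index($0, pfx) == 0 { next }
        {
            proto = "?"; dpt = "?"
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 6) == "PROTO=") proto = substr($i, 7)
                if (substr($i, 1, 4) == "DPT=") dpt = substr($i, 5)
            }
            n[proto "/" dpt]++
        }
        END { for (k in n) print k, n[k] }
    ' "$1" | sort -k2,2nr -k1,1
}

# write_sample_log FILE -> constructed syslog excerpt used for the demo/tests
write_sample_log() {
    cat > "$1" <<'EOF'
Feb 23 10:01:02 lx01 kernel: LFA_DROP_IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 23 10:01:03 lx01 kernel: LFA_ACCEPT_IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.20 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=50001 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 23 10:01:04 lx01 kernel: LFA_DROP_IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4323 DF PROTO=TCP SPT=40113 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 23 10:01:05 lx01 sshd[2210]: Accepted publickey for admin from 192.0.2.20 port 50002 ssh2
Feb 23 10:01:06 lx01 kernel: LFA_DROP_IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.30 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4324 DF PROTO=UDP SPT=5353 DPT=5353 LEN=32
EOF
}

# Demo run on the constructed excerpt. Because ipt_log_limit and
# ipt_log_limit_burst rate-limit the LOG rules, these counts are lower
# bounds on the real packet counts, not exact figures.
tmp=$(mktemp)
write_sample_log "$tmp"
echo "accepted: $(count_prefix "$tmp" LFA_ACCEPT_)  dropped: $(count_prefix "$tmp" LFA_DROP_)"
echo "drops by source:"; drop_sources "$tmp" LFA_DROP_
echo "drops by port:";   dropped_ports "$tmp" LFA_DROP_
rm -f "$tmp"
```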

Changing Connection Manager Address


You may need to change the Endpoint Security server information in the configuration file, such as when the
Endpoint Security server Connection Manager address changes or you installed Endpoint Security Agent
using the provided RPM.

To change the Endpoint Security Server Connection Manager address:
1. Open the configuration file with a text editor.
[root@localhost root] # vi /usr/local/ilagent/etc/ilagent.conf
2. Change the value of the cm_address parameter to the Endpoint Security server IP address.
<param name="cm_address" value="https://server_ip/cm"/>
3. Save your changes, then close the file.
4. Restart Endpoint Security Agent (see "Running Endpoint Security Agent" on page 156).

Changing cm_auth Parameter


You can change the cm_auth parameter to connect the Endpoint Security Agent using a different catalog,
group, or user.
To change the cm_auth parameter:
1. Log into the Linux system and open a terminal window.
2. Change the directory to /usr/local/ilagent/etc
3. Open ilagent.conf.
4. Change the value of the cm_auth parameter and save the file.
5. Restart Endpoint Security Agent.
It connects to the server using the new catalog, group, and user.

Running Endpoint Security Agent


This section explains the different methods that you can use to start, stop or restart Endpoint Security Agent
on the protected computer.
When you stop Endpoint Security Agent, the endpoint computer is no longer protected.
When you start Endpoint Security Agent, it immediately attempts to connect to the Endpoint Security server
and begins enforcing the:
• Enterprise security policy if the connection is established.
• Disconnected policy if the connection cannot be established.

Using the Command Line Interface


Starting, stopping and restarting Endpoint Security Agent from the CLI (command line interface) varies
depending on the installation type. Use the instructions that correspond to your installation.
Table 11-20 Linux Agent Controls
Option                 Description

-c <filename>          Specifies the complete path to the configuration file. When this
--config <filename>    option is used alone, it starts Endpoint Security Agent using the
                       specified configuration file. When options -s and -i are used,
                       this option is required.
-h                     Displays the ilagent version and lists available CLI options.
-i                     Displays Endpoint Security Agent status. Requires the
--info                 configuration file option.
-s                     Shuts down Endpoint Security Agent. Requires the configuration
--shutdown             file option.
-V                     Displays Endpoint Security Agent version.

Endpoint Security Agent RPM
Log into the endpoint computer as root and use the following commands to start and stop an Endpoint Security
Agent installed from the RPM from the command line interface. These commands start and stop Endpoint
Security Agent even when a policy prevents the client from being shut down.
To start Endpoint Security Agent:
• Type the following command to start Endpoint Security Agent:
[root@localhost root] # /etc/init.d/ilagentd start
To stop Endpoint Security Agent:
• Type the following command to stop Endpoint Security Agent:
[root@localhost root] # /etc/init.d/ilagentd stop
To restart Endpoint Security Agent:
• Type the following command to restart Endpoint Security Agent:
[root@localhost root] # /etc/init.d/ilagentd stop && /etc/init.d/ilagentd start

Endpoint Security Agent Script


Log into the endpoint computer as root and use the following commands to start and stop Endpoint Security
Agent installed using the script from the command line interface.

Note - If Endpoint Security Agent is enforcing a policy that prevents
the client from being shut down, Endpoint Security Agent cannot be
stopped using any of the script stop or restart commands described in
this section.

To start Endpoint Security Agent:


• Type the following command to start Endpoint Security Agent:
[root@localhost root] # /usr/local/ilagent/bin/ilagentd
To stop Endpoint Security Agent:
• Type the following command to stop Endpoint Security Agent:
[root@localhost root] # /usr/local/ilagent/bin/ilagentd --shutdown -c <config_file>
To restart Endpoint Security Agent:
• Type the following command to restart Endpoint Security Agent:
[root@localhost root] # /usr/local/ilagent/bin/ilagentd --shutdown -c <config_file>
[root@localhost root] # /usr/local/ilagent/bin/ilagentd -c <config_file>

Using the Service Manager


When Endpoint Security Agent is installed, you register it as a service. Therefore, whether you installed
Endpoint Security Agent using the installation script or with the RPM package manager, you can start, stop,
and restart Endpoint Security Agent using the service manager interface.
To start, stop, or restart Endpoint Security Agent service:
1. Open the services manager, then locate the ilagent service.
2. Click Start, Stop, or Restart.
The Endpoint Security Agent status changes according to the option you selected.

Checking the Log


Endpoint Security Agent's log file is located by default at /usr/local/ilagent/run/ilagent.log. You can view the
log using any text editor.

Setting Log Upload Parameters
Endpoint Security bases its reports on logs uploaded from clients. Log upload parameters have default
values, but you can change the defaults to control how often clients send the logs.
To set log upload parameters:
1. Click Client Configuration.
If you have not already configured client settings, the defaults are displayed.
2. Click Edit.
3. Complete the fields in the Log Upload and Log Upload Size areas to configure the parameters.

Note - Setting excessively low parameters can result in a loss of
performance. Setting excessively high parameters will result in your
reports being less up-to-date.

Chapter 12
Configuration and Maintenance
Use this chapter to perform general configuration and maintenance tasks for your Endpoint Security system.
Most of the tasks in this chapter are optional, depending on your other configuration choices.

In This Chapter

Managing Your Products 159
Managing Communication 162
Managing Data 167

Managing Your Products


Licensing
Use the instructions in this section to manage your licenses for Endpoint Security and its features.

Introduction to Licensing
All installations require a client license, which allows you to run clients on your endpoints. Optionally, you
can also purchase licenses for special Endpoint Security features. The following licenses are available for
Endpoint Security:
• Clients—Permits a specified number of endpoints to run the client. This license is required.
• Smart Defense Program Advisor—Permits Endpoint Security to receive the latest Program Advisor
updates. The license is good for an unlimited number of endpoints.
• Check Point Anti-spyware (endpoints)—Permits a specified number of endpoints to use Check Point
Anti-spyware.
• Check Point Anti-spyware (updates)—Permits the Endpoint Security server to receive the latest Anti-
spyware updates.
• Check Point Anti-virus (endpoints)—Permits a specified number of endpoints to use Check Point
Anti-virus.
• Smart Defense Anti-virus (updates)—Permits Endpoint Security to receive the latest Anti-virus
updates.
You can obtain these licenses from the Check Point User center or from your Check Point representative.
You must install and attach Endpoint Security licenses with one of the Check Point license management
tools: SmartUpdate, the cplic command, or (for local licenses only) the Check Point Configuration Tool. (For
information on these options, see Attaching Licenses.)
After a feature has been enabled on the Endpoint Security server, you can incorporate that feature into
security Policies, which you can then deploy to clients. An endpoint computer's active policy controls which
features are enabled on that endpoint.

Expired or Exceeded Licenses


Each Check Point product comes with a trial license that allows unrestricted use of the product for 15 days.
Trial licenses include all product features.

For complete details on all licensing options and enforcement behaviors, contact your Check Point
representative.
For the Endpoint Security clients license, the Endpoint Security server checks for the maximum number of
endpoints that connected during the last 24 hours. This check runs every 24 hours after the server starts. If
your installation exceeds the number of allowed endpoints, the Endpoint Security server goes into read-only
mode. Your endpoints are still protected by their existing Policies, but you will be unable to make changes
until you enter your new license through Smart Update. Contact your Check Point representative to get a
new license and restore editing privileges.
While you are waiting for your new Endpoint Security clients license, you can use a trial license. Contact
your Check Point representative to obtain a trial license.
If a feature license expires, Endpoint Security either disables editing privileges or prohibits administrator
access to the feature.

Managing Central and Local Licenses


When licensing your products, decide whether to manage the licenses centrally or locally. The differences
between central and local licensing are as follows:
• Central licensing—You use SmartUpdate or the cplic command to store licenses in a central repository
on SmartCenter Server, and then to attach the licenses to the desired computers. Central licenses are
not tied to an IP address, and therefore can be reassigned as necessary. This is the recommended form
of license management, and it is especially useful for distributed installations.
• Local licensing—Each license is tied to the IP address of the computer on which it is installed.
Licenses are attached either with SmartUpdate or (locally) with the Check Point Configuration Tool or
the command-line interface. If the IP address of the licensed computer changes, you must generate a
new license for that computer.

Generating Licenses
Check Point provides certificate keys for each license you purchase. Use the certificate keys to generate
licenses.
To generate a license:
1. Gather the Certificate key and the Host IP address (for central licenses, use the SmartCenter Server
host IP address).
2. Log in to the Check Point User Center (www.checkpoint.com/usercenter) and navigate to the Getting
Started page.
3. Follow the User Center instructions for generating a license.
4. Use SmartUpdate or the cplic command-line tool to attach licenses to your installations (see the
documentation of these products).

Version Information
It is important to know the version of your Endpoint Security server. This helps you to make sure you are
using the correct documentation, the correct versions of the Endpoint Security clients, and is useful if you
need to contact support.
To view your version information, click About.

Starting and Stopping Services


To stop, start, or reset Endpoint Security, Apache, or Tomcat services on Windows:
1. Go to Control Panel | Administrative Tools | Services.
2. Right-click on the service and choose the option you want.
To start or stop Endpoint Security on Linux:
1. Log in to Endpoint Security host as root: [root@localhost /] #
2. Run the start, stop, or restart shell:
• Start: <Install Directory>/bin/IntegrityStart
• Stop: <Install Directory>/bin/IntegrityStop

Configuration and Maintenance Page 160


The default install directory is /opt/CPIntegrity.

Uninstalling Check Point Products - Windows


To uninstall on Windows:
1. Go to Start | Control Panel | Add or Remove Programs and remove Endpoint Security.
2. On the same computer, remove the Check Point software packages, making sure to remove the
Check Point VPN-1 Pro component last, after removing all other Check Point software components.
3. If you have a distributed installation, access the SmartCenter host and go to the command line. Stop all
Check Point services by running cpstop. Then go to Start | Control Panel | Add or Remove Programs.
Remove the Check Point software packages, making sure to remove the
Check Point VPN-1 Pro component last.
Repeat this step for any other SmartCenter hosts in your configuration (for example, a separate host
running a remote log server).

Uninstalling Check Point Products - Linux


Follow the instructions below to uninstall Check Point software from a Linux system. On any host from which
you are removing Check Point software, you must remove the CPSuite-xxx-00 component (where xxx is
the version number) last, after removing all other Check Point software components.
To uninstall from a Linux system:
1. Navigate to the uninstallation directory (by default, /opt/CPIntegrity/Uninstall_Integrity),
and issue the following command:
./Uninstall_Integrity
At the prompt, press Enter. The Endpoint Security uninstallation wizard starts.
2. Work through the uninstallation wizard.
3. Issue the following command to see a list of Check Point components installed on your system:
rpm -qa | grep CP
Note that this command displays all software components containing "CP," including some which are not
Check Point components.
4. Issue the following command for each component to remove, making sure to remove the
CPSuite-xxx-00 component (where xxx is the version number) last:
rpm -e <package_name>
5. If you have a distributed installation, access the SmartCenter host and run cpstop. Then repeat steps 3
and 4 on the SmartCenter host.
Repeat this step for any other SmartCenter hosts in your configuration (for example, a host running a
remote log server).

Uninstalling Check Point Products - SecurePlatform


There is usually no reason to uninstall a Check Point product from a SecurePlatform host while leaving
SecurePlatform intact. If you want to install a newer version of a Check Point product on SecurePlatform, it
is recommended to back up your data and then reboot the host from the installation CD. Rebooting from the
CD will remove SecurePlatform from the host and replace it with the version appropriate for your new
installation. (Installation CDs for the SecurePlatform versions of Check Point products include the
appropriate version of SecurePlatform for the installation.)
In rare cases, you may want to uninstall a Check Point product while leaving SecurePlatform intact. For
example, if you are currently running Endpoint Security and SmartCenter on one host, and you want to
convert to a distributed installation (with Endpoint Security and SmartCenter on separate hosts), you would
back up your data and then uninstall Endpoint Security or SmartCenter from the current host (without
uninstalling SecurePlatform). In such cases, follow the instructions below.
To uninstall from a SecurePlatform system:
1. On the desired computer, stop all Check Point services by running cpstop.
2. To uninstall Endpoint Security, navigate to the uninstallation directory (by default,
/opt/CPIntegrity/Uninstall_Integrity), and issue the following command:
./Uninstall_Integrity

At the prompt, press Enter. The Endpoint Security uninstallation wizard starts.
3. Work through the uninstallation wizard.
Remove Endpoint Security.
If you are removing only Endpoint Security, this step completes the process.
4. Run the following command to see a list of Check Point components installed on your system:
rpm -qa | grep CP
Note that this command displays all software components containing "CP," including some which are not
Check Point components.
5. Run the following command for each component to remove, making sure to remove the
CPSuite-xxx-00 component (where xxx is the version number) last:
rpm -e <package_name>
You must remove Endpoint Security before removing SmartCenter.

Managing Communication
Use the instructions in this section to manage communication between the Endpoint Security server, the
Endpoint Security clients, other Check Point products, and the Internet.

Windows Firewall
Microsoft Windows XP with SP2 includes an integrated personal firewall. However, Check Point
recommends that only one firewall be run on an endpoint computer. Microsoft has made a similar
recommendation. You can configure the Endpoint Security client to shut down the Windows firewall using
the Microsoft-provided API, and to restart the Windows firewall if the Endpoint Security client is shut down.
Whether SP2 is installed on a computer already running Endpoint Security client version 5.0.556.144 or
later, or the Endpoint Security client is installed on an endpoint that already has SP2 installed, the behavior
is similar:
• Endpoint Security shuts down the Windows firewall after the post-SP2 installation restart.
• If the Endpoint Security client is shut down after SP2 is installed, the client notifies Windows that it is
being shut down, and Windows restarts the Windows firewall.
• If the Endpoint Security client is restarted, the Windows firewall is again shut down.
If a user or administrator re-enables the Windows firewall while the Endpoint Security client firewall is
running, the two should coexist without problems, because the two firewalls operate at different system levels.
To disable Windows Firewall:
1. Click Policies.
2. Under the policy you want, click Edit.
3. Open the Client Settings tab.
4. In the General Connections Settings area, choose Disable the Windows Firewall.
5. Save and deploy the policy.

Allowing Endpoint Hotspot Registration


Some Policies are too restrictive to allow hotspot use for users who want to access your network from a
hotel or public place. This is especially relevant for disconnected Policies, and for enterprise Policies that
are enforced when disconnected, because these Policies are in effect when a user is trying to connect to a
hotspot.
For this reason, the Enable Hotspot Registration feature makes temporary access possible, while
maximizing security by controlling the parameters of hotspot-specific port openings. Regardless of the
restrictiveness of a policy, you can allow a temporary, controlled opening by selecting the Enable Hotspot
Registration option in the policy.
If you do not enable Hotspot Registration, and the client policy doesn't allow access to hotspot ports, users
will not be able to access the wireless hotspot Web page, and therefore they will not be able to access the
Internet or your network.

Hotspot Registration works with most VPN types and configurations.

How Hotspot Registration Works on the Endpoint


When endpoint users are at a public space or hotel, they access your network through the following
process:
1. The user selects Register to Hotspot/Hotel from the Endpoint Security icon in their system tray menu.
2. The three ports common to Internet hotspot registration (80, 8080, 443) are opened. A maximum of five
IP addresses are allowed during the connection time.
3. The Hotspot port opening lasts until any of the following occurs:
• The user connects to the network
• Ten minutes pass
• Three failed connection attempts
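The rules just listed as a small Python model, added here as an illustration and not taken from Check Point's client code; it assumes the five-address limit applies to the first five distinct destination addresses seen, and takes all times as seconds supplied by the caller.

```python
"""Model of the Hotspot Registration opening described above.

Added example, not Check Point code. It encodes the rules the section
states: ports 80, 8080 and 443 are opened, at most five destination IP
addresses are admitted, and the opening ends when the user connects to
the network, when ten minutes have passed, or after three failed
connection attempts. Times are caller-supplied seconds.
"""

HOTSPOT_PORTS = frozenset({80, 8080, 443})   # ports opened for registration
MAX_HOTSPOT_IPS = 5                           # addresses allowed during the window
WINDOW_SECONDS = 10 * 60                      # opening expires after ten minutes
MAX_FAILED_ATTEMPTS = 3                       # opening closes after three failures


class HotspotWindow:
    """State of one temporary hotspot opening on an endpoint."""

    def __init__(self, opened_at):
        self.opened_at = opened_at
        self.allowed_ips = set()      # assumption: first five distinct addresses seen
        self.failed_attempts = 0
        self.closed_reason = None     # None while open, otherwise why it closed

    def is_open(self, now):
        """Report whether the opening is still in force at time 'now'."""
        if self.closed_reason is None and now - self.opened_at >= WINDOW_SECONDS:
            self.closed_reason = "timeout"
        return self.closed_reason is None

    def permits(self, dst_ip, dst_port, now):
        """Decide whether the window allows a connection to dst_ip:dst_port.

        Traffic to any other port is refused, as is a sixth distinct address.
        """
        if not self.is_open(now) or dst_port not in HOTSPOT_PORTS:
            return False
        if dst_ip in self.allowed_ips:
            return True
        if len(self.allowed_ips) >= MAX_HOTSPOT_IPS:
            return False
        self.allowed_ips.add(dst_ip)
        return True

    def connection_failed(self, now):
        """Record a failed connection attempt; the third one closes the window."""
        if self.is_open(now):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.closed_reason = "failed_attempts"

    def network_connected(self, now):
        """The user reached the network, so the opening is no longer needed."""
        if self.is_open(now):
            self.closed_reason = "connected"


if __name__ == "__main__":
    # Constructed walk-through: a hotel captive portal at 10.1.1.1.
    window = HotspotWindow(opened_at=0)
    print(window.permits("10.1.1.1", 80, 1))     # True: port 80, first address
    print(window.permits("10.1.1.1", 22, 1))     # False: not a registration port
    window.network_connected(30)
    print(window.permits("10.1.1.1", 80, 31))    # False: window closed
```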
To enable hotspot registration in a security policy:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Client Settings tab.
4. Select the Enable Hotspot Registration option.
5. Click Save.

Disabling Wireless on LAN


You can use the Disable Wireless on LAN feature to prevent your endpoint users from being connected to
an unauthorized wireless network while using your LAN. This helps to protect your network from threats that
your endpoint users may acquire from the wireless network.
To disable wireless while on the LAN:
1. Go to the Client Settings page (Policies > Edit).
2. Select the Disable wireless adapters when connected to LAN option.
3. Click Save.

Proxy Configuration
If you plan to use the Program Advisor feature, Anti-spyware, or Anti-virus features in an environment that
includes a proxy server for Internet access, perform the configuration steps below to let Endpoint Security
connect to Check Point's central servers (containing Program Advisor settings or Anti-spyware/Anti-virus
definitions) through the proxy server. Note that all configuration entries are case-sensitive.
You can perform these steps when enabling Program Advisor, Anti-spyware or Anti-virus.
To configure a proxy server in Windows:
1. Open the Registry Editor (regedit.exe).
2. Edit "My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0\IntegrityTomcat\Parameters\Java\options" by adding the following:
-DproxySet=true
-Dhttp.proxyHost=<hostname>
-Dhttp.proxyPort=<port>
-Dhttps.proxyHost=<hostname>
-Dhttps.proxyPort=<port>
3. Close the Registry Editor.
4. Open the Services panel.
5. Stop the "Check Point Tomcat" service, and then restart it.
To configure a proxy server (in a standard Linux installation):
1. Edit ~/engine/bin/catalina.sh, replacing the line:
JAVA_OPTS="-Xms256M -Xmx512M -Djava.awt.headless=true"
with the line:

JAVA_OPTS="-Xms256M -Xmx512M -Djava.awt.headless=true -DproxySet=true
-Dhttp.proxyHost=hostname -Dhttp.proxyPort=port -Dhttps.proxyHost=hostname
-Dhttps.proxyPort=port"
2. Save the file.
3. Restart Endpoint Security by issuing:
<Install Directory>/bin/IntegrityStop
<Install Directory>/bin/IntegrityStart
The default install directory is /opt/CPIntegrity
To reset the JAVA_OPTS environment variable:
• Use the appropriate setenv call to reset the value of JAVA_OPTS to:
"-Xms256M -Xmx512M -Djava.awt.headless=true -DproxySet=true
-Dhttp.proxyHost=hostname -Dhttp.proxyPort=port -Dhttps.proxyHost=hostname
-Dhttps.proxyPort=port"

Configuring a RADIUS Server


The Endpoint Security server is configured by default to use its own administrator authentication method. If
you wish to use a RADIUS server instead you will need to configure it.

Prerequisites for RADIUS


Before beginning to configure your RADIUS server, make sure you have done the following:
• Record the RADIUS server host name or IP address and port (default port is 1812).
• Record your RADIUS server shared secret.
• Create an Endpoint Security account, called "masteradmin" on the RADIUS server.

Updating RADIUS Configuration File


To update the configuration file:
1. Shut down the Endpoint Security server.
2. Log in.
SPLAT users should log in as 'administrator'. Windows users should log in as an administrator.
3. Go to the configuration file location.
For Windows the default location is:
<ENDPOINT_SECURITY_USER_INSTALL_DIR>\engine\webapps\ROOT\conf
For Linux the default location is:
<ENDPOINT_SECURITY_USER_INSTALL_DIR>/engine/webapps/ROOT/conf
4. Create a backup of integrity.xml.
5. Open template-integrity-config.xml in a text editor.
6. In the AdminConsole node, remove the comment tags from the first RADIUS JAAS node, and remove
the JAAS node for 'inbuilt authentication of administrator users'.
7. Save your changes and close the file.
Make sure your XML is well-formed.

Configuring RADIUS Properties File


To configure the properties file:
1. Go to the location of the properties file.
For Windows, the default location is:
<ENDPOINT_SECURITY_USER_INSTALL_DIR>\engine\webapps\ROOT\conf
For Linux, the default location is:
<ENDPOINT_SECURITY_USER_INSTALL_DIR>/engine/webapps/ROOT/conf
2. Create a backup of integrity.global.properties.
3. Open install-upgrade.properties in a text editor.

4. Specify the following properties:
• radius.authtype=<CHAP or PAP>
• radius.server=<IP address of your radius server>
If your RADIUS server is on the same computer as Endpoint Security, you must log in using the IP
address rather than "localhost." To do this, open a browser and use the IP address (instead of the string
"localhost") to access the Endpoint Security login page.
• radius.port=<Port for your radius server. Usually 1812.>
• radius.secret=<Radius secret code>
• upgrade.from.version=<empty>
5. Save your changes and close the file.
6. Go to the utility location.
For Windows, the location is:
%ProgramFiles%\checkpoint\Integrity\engine\webapps\ROOT\bin
For Linux, the directory is:
/opt/CPIntegrity/engine/webapps/ROOT/bin
7. Run the upgrade utility appropriate for your operating system:
• upgradeServer.bat (Windows)
• upgradeServer.sh (Linux).

Note - If you are migrating from Integrity 5.x, do not run these utilities until you have logged into
the Endpoint Security server to complete the migration.
8. Restart Endpoint Security.

Certificate Management
Endpoint Security allows you to include a certificate in your client package.
Use certificates in your package to prevent other servers from masquerading as your Endpoint Security
server, compromising your security. The clients validate the server certificate when synchronizing with the
server.
You can include the self-signed certificate that is automatically created during install, or you can use a
Certificate Authority certificate. In most implementations, you will only need a self-signed certificate. The
Endpoint Monitor Report page in the Administrator Console allows you to conveniently manage your
certificates.
You should only include certificates in your client package after you have completely set up your Endpoint
Security server. If you change the server after deploying the packages with certificates, your endpoint users
will be unable to connect.

Creating a Certificate Authority Certificate


Use Certificate Authority certificates when you want to use a certificate from a trusted source.
To create a Certificate Authority certificate:
1. Go to the Certificate Manager page (System Configuration > Certificates).
2. Delete the current Client Certificate.
If you already have a certificate with the alias 'Client Certificate', delete it now.
3. Create a certificate request.
• Click New and choose CA Request.
• Complete the fields and click Generate.
4. When the Certificate Authority issues the certificate, install it using the Certificate Manager.
• Click New and choose CA Issued Certificate.
• In the Description field, type 'Client Certificate'.
You must use this description for your certificate.
• Paste your certificate into the Certificate field.
• Click Install.

5. Restart Endpoint Security.
You can now use this certificate in your client packages.

Creating a Self-Signed Certificate


Use a Self-Signed Certificate when you do not need a certificate from a trusted source. This certificate uses
the external host name and external IP address that you specified during installation. Do not use self-signed
certificates if you have not specified fully-qualified values for the external host name and IP address during
installation, or your endpoint computers will not be able to contact the server.
To create a self-signed certificate:
1. Go to the Certificate Manager page (System Configuration > Certificates).
2. Delete the current Client Certificate.
If you already have a certificate with the alias 'Client Certificate', delete it now.
3. Click New and choose Self Signed.
4. In the Description field, type 'Client Certificate'.
You must use this description for your certificate.
5. Choose your key size and click Generate.
You can now include this certificate in your client package.

Changing your JDBC IP Address


When you install your Endpoint Security server, it uses the startup.xml file to locate the database and get
the configuration properties. If you set an IP address instead of a hostname for your database and later
change your database location, Endpoint Security will not be able to connect to the database until you reset
the IP.
To reset the IP Address:
1. Change the /conf/startup.xml to point to the new database IP.
2. Change the JDBC IP in the CONFIG_PROPERTY table in the database.
The property to change is: db.main.URL
3. Restart the server.

Heartbeats
After a sync has occurred between the Endpoint Security server and a client, a heartbeat regularly occurs
based on the interval specified by the administrator. Heartbeats occur over TCP on port 80. Heartbeats
contain various pieces of information concerning the status and compliance state of the endpoint computer.
This information is stored in the datastore and is used for the Endpoint Monitor report.
To change the heartbeat interval:
1. Click Client Configuration.
2. Click Edit.
3. In the Heartbeat area, enter the interval in the Interval (Secs) field.
4. Click Save.

Client Logging
Use the client logs to troubleshoot issues with your clients. Your endpoint users can use the Client
Diagnostic Utility to gather the most commonly-needed logs. Your endpoint users will need to have
permissions to modify registry keys.
To log client events:
1. On the endpoint computer, go to the C:\program files\checkpoint\Integrity Client folder.
2. Double click the TVDEBUG.REG file and allow it to add information to the registry.
This enables debug logging.
3. Reboot to have the settings take effect.
4. Have the endpoint user recreate the problem and note the time that it occurred.
The endpoint user can now use the log upload utility to gather the relevant logs into one file.

To gather logs:
1. On the endpoint computer, go to C:\program files\checkpoint\Integrity Client and double-click the
Client Diagnostic Utility file.
2. Optionally, you can change the File Destination.
The utility will place the logs in a zip file at the destination you specified. When you have finished
debugging the issue, you should deactivate the debug logging.
To deactivate debug logging:
1. On the endpoint computer, go to the C:\program files\checkpoint\Integrity Client folder.
2. Double click the TVDEBUG.REG file and allow it to add information to the registry.
This disables debug logging.
3. Reboot to have the settings take effect.

Managing Data
Use the instructions in this section to manage the data for your Endpoint Security system in Multi-Domain or
Single-Domain mode. (This section is not relevant to Simple mode.)

Events and Logging


Endpoint Security produces log entries and messages in several preconfigured formats. You can configure
Endpoint Security to direct messages to various destinations.
The preconfigured log and message types are:
• SMTP — Sends an event message to an SMTP destination, such as e-mail or a pager. Messages are
sent as the events occur.
• SNMP trap — Sends an event message to an SNMP Manager. Messages are sent as the events occur.
• Syslog — Sends a syslog message to a system log server.
• JDBC — Sends events to a database configured on the same server as the Endpoint Security main and
log databases.
• Text — Records event messages in a text file (on the Endpoint Security server or any other accessible
server). Messages are appended as the events occur.
By default, text files are written to the local host of the nodes. Each node writes to its own text file when
a local directory and file are specified. To configure all nodes in the cluster to write to the same text file,
mount a drive to the Endpoint Security hosts and specify the path to the mounted drive. Note that the
drive must be mounted in the same way on all nodes in the Endpoint Security cluster.

Note - For Endpoint Security to write to a text file, you must give
the user at least read/write permission to the directory and text file,
whether the file is stored on the local host or a mounted drive. If the
user does not have permission to write to the file or an invalid path
is entered, errors occur each time the server tries to write to the file.

Configuring Recommended Event Logs


This section describes how to configure recommended event notifications.

Routing Fatal Messages (SMTP)


Endpoint Security generates Fatal events when immediate intervention is required to keep the system
running or to bring the system back online. Use the following configuration to send Fatal messages to a list
of e-mail recipients, including those with SMTP-compatible pagers.

Note - To use this feature, you must be running an SMTP server through which Endpoint Security
can send messages.

Table 12-21 Settings to Send Fatal Event Messages via SMTP

Field          Setting                              Description
Name           Fatal Events                         Identifies the event to administrators.
Description    E-mail fatal event messages.         Describes the event type to administrators.
Type           SMTP                                 Formats the event message in the body of an e-mail.
Log Levels     Fatal                                Specifies the type of event to send.
Event Classes  Select All                           Select all the classes you want to send to the recipient
                                                    list. Note that you can set up separate recipient lists
                                                    for different event types.
Server host    Host name or IP address of the       Specifies the server Endpoint Security will use to send
               SMTP mail server                     messages.
Email from     Sender's e-mail address              Provides a contact for the recipient. It is recommended
                                                    to use your Endpoint Security support team's e-mail
                                                    address.
Subject        E-mail subject line                  Sets the e-mail subject line.
Recipients     Recipients' e-mail addresses         Identifies addresses to which to send messages. You can
                                                    set up separate events for different groups.

Routing Log Upload System (SMTP)


The Log Upload System loads client logs into the Endpoint Security database. The Log Upload System does
not produce any fatal errors for Endpoint Security. However, critical information may be lost if this system
fails.

Note - You may want to set up two events for the Log Upload System, one that sends warning level
messages to administrators specifically assigned to the affected area, and another to a broader group
who would be affected by a complete failure.

Table 12-22 Settings to Send Log Upload System via SMTP

Field          Setting                              Description
Name           Log Upload System                    Identifies the event to administrators.
Description    Critical messages from e-mail        Describes the event type to administrators.
               reporting system
Type           SMTP                                 Formats the event message in the body of an e-mail.
Log Levels     Warn and Error                       Specifies the type of event to send.
Event Classes  Log Upload System                    Specifies the type of message to send.
Server host    Host name or IP address of the       Specifies the server Endpoint Security will use to send
               SMTP mail server                     messages.
Email from     Sender's e-mail address              Provides a contact for the recipient. It is recommended
                                                    to use your Endpoint Security support team's e-mail
                                                    address.
Subject        E-mail subject line                  Sets the e-mail subject line.
Recipients     Recipients' e-mail addresses         Identifies addresses to which to send messages. You can
                                                    set up separate events for different groups.

Adding Messages to System Log


By default, logging is set to the default log4j configuration in integrity.xml, which sends all logging to
integrity.log in the /usr/local/integrity/webapps/ROOT/logs directory. Once the Endpoint
Security server is installed and running, it is recommended to create a general Syslog logging configuration
that receives all these log events from the remote servers.
Endpoint Security will send log messages to the local system log or to a syslog server. Configure Endpoint
Security on the syslog server or, if using the local host, verify that the user has permission to write to the file
on the local host.
To create a syslog that is stored on a host other than the Endpoint Security host, configure the syslog server
to listen for remote events and configure Endpoint Security to send syslog events to the syslog server.
Table 12-23 System Log Settings

Field          Setting                              Description
Name           System Log                           Identifies the event to administrators.
Description    System status events.                Describes the event type to administrators.
Type           syslog                               Causes Endpoint Security to write events to a system
                                                    log file.
Log Levels     Warn, Error, and Fatal               Specifies the types of events to log. It is recommended
                                                    to log all these event types.
Event Classes  All                                  Specifies the types of events to log.
Server         Host name or IP address of the       Specifies the server Endpoint Security will use to send
hostname       syslog server                        messages. (For example, use 127.0.0.1 to store locally.)
Facility       USER                                 Enter the name of the syslog facility handling Endpoint
                                                    Security event messages.

Using SNMP with Endpoint Security
This section outlines the format of SNMP traps emitted by Endpoint Security.
Set up an event destination to which to send SNMP traps. See Creating events (on page 171).

Trap Formats
Traps include a header and a message. All traps have a common header, as all are generated by Endpoint
Security. Here is an example trap showing administrator login:
[public] [1.3.6.1.4.2620] [enterprise] [2734006] [127.0.0.1] [6]
[1234567] [Ver1] [1.3.6.1.4.1.2620.1.27.160] [2005-08-23 14:47:12, 719,
INFO, [logInfoQueue-HQs:1] , [root] , [AdminLogin] Administrator Login,
ADMIN=masteradmin, SESSION_IP=209.87.212.91]
The trap header begins with [public] and ends with the event OID, [1.3.6.1.4.1.2620.1.27.160].
The message begins with the event time, [2005-08-23 14:47:12] and continues to the end of the trap.
The trap header consists of the following:
• [public]—a community string
• [1.3.6.1.4.2620] [enterprise]—the enterprise OID
• [2734006]— ???
• [6]— ???
• [127.0.0.1]— ???
• [Ver1] [1.3.6.1.4.1.2620.1.27.160]—the version and the complete event OID
The message body consists of the following:
• 2005-08-23 14:47:12—the event time
• 719— ???
• INFO—the event level
• [logInfoQueue-HQs:1]—the class name
• [root]—the log4j appender level
• [AdminLogin] Administrator Login, ADMIN=masteradmin,
SESSION_IP=209.87.212.91—the body of the message. It shows information about the
administration login.
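The following Python parser, added as an example and not part of the Check Point documentation or product, splits a trap of the layout shown above into its header and message fields and applies one receiver-side check; the four header positions the text leaves unexplained are kept as opaque strings, and the allowed administrator networks in the check are a constructed assumption.

```python
"""Parser for the Endpoint Security SNMP trap layout described above.

Added example, not Check Point code. Header positions the guide does not
explain are kept as opaque strings; the administrator source networks used
by admin_login_outside() are a constructed assumption.
"""
import ipaddress
import re
from dataclasses import dataclass

# The administrator-login trap quoted above, joined onto a single line.
SAMPLE_TRAP = (
    "[public] [1.3.6.1.4.2620] [enterprise] [2734006] [127.0.0.1] [6] "
    "[1234567] [Ver1] [1.3.6.1.4.1.2620.1.27.160] [2005-08-23 14:47:12, 719, "
    "INFO, [logInfoQueue-HQs:1] , [root] , [AdminLogin] Administrator Login, "
    "ADMIN=masteradmin, SESSION_IP=209.87.212.91]"
)

# Message layout: time, millis, level, [class] , [appender] , [event] body
MESSAGE_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?P<millis>\d+), "
    r"(?P<level>[A-Z]+), \[(?P<cls>[^\]]*)\] , \[(?P<appender>[^\]]*)\] , "
    r"\[(?P<event>[^\]]*)\] (?P<body>.*)$"
)


@dataclass
class Trap:
    community: str
    enterprise_oid: str
    header_extra: list      # the four header fields the guide does not explain
    version: str
    event_oid: str
    time: str
    millis: int
    level: str
    class_name: str
    appender: str
    event: str
    description: str
    attrs: dict


def split_bracket_fields(text):
    """Return the top-level [...] fields of text, keeping nested brackets intact."""
    fields, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "[":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "]":
            if depth == 0:
                raise ValueError("unbalanced ']' at offset %d" % i)
            depth -= 1
            if depth == 0:
                fields.append(text[start:i])
    if depth:
        raise ValueError("unterminated '[' field")
    return fields


def parse_trap(line):
    """Split a trap into its nine header fields and the structured message."""
    fields = split_bracket_fields(line)
    if len(fields) != 10:
        raise ValueError("expected 10 bracketed fields, got %d" % len(fields))
    header, message = fields[:9], fields[9]
    if header[2] != "enterprise":
        raise ValueError("unexpected trap kind %r" % header[2])
    m = MESSAGE_RE.match(message)
    if m is None:
        raise ValueError("message does not match the documented layout")
    # Body is "<description>, KEY=value, KEY=value ..."
    parts = [p.strip() for p in m.group("body").split(",")]
    attrs = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return Trap(
        community=header[0], enterprise_oid=header[1],
        header_extra=header[3:7], version=header[7], event_oid=header[8],
        time=m.group("time"), millis=int(m.group("millis")),
        level=m.group("level"), class_name=m.group("cls"),
        appender=m.group("appender"), event=m.group("event"),
        description=parts[0], attrs=attrs,
    )


def admin_login_outside(trap, allowed_networks):
    """True when an AdminLogin trap reports a SESSION_IP outside allowed_networks.

    A trap-receiver rule: console logins from an unexpected source network
    deserve a look. A login trap without a SESSION_IP cannot be vetted and
    is therefore also reported. Non-login traps return False.
    """
    if trap.event != "AdminLogin":
        return False
    src = trap.attrs.get("SESSION_IP")
    if src is None:
        return True
    ip = ipaddress.ip_address(src)
    return not any(ip in ipaddress.ip_network(net) for net in allowed_networks)
```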

Linux Configuration
In Linux, SNMP traps sent from the Endpoint Security server are logged to the /var/log/messages file, but
the messages are in hex codes. You must enable syslog and SNMP traps in Linux by issuing the following
commands:

Command             Description
syslogd -h -r -m 0  Enables syslog with the remote option.
snmptrapd -Oa       Enables snmptrapd and routes the output to syslog.

Managing Events
This section explains how to manage event logs and messages in the Endpoint Security Administrator
Console.

Creating Events
Use these steps to create events. See the associated online help for more information about specific event
types, event classes, and log levels.
To create or edit an event:
1. If you are in Multi-Domain mode, switch to the System Domain.
2. Click System Configuration > Event Notification.
The Event Manager page opens.
3. Click New.
4. Modify the information as desired and then click Next.
5. Change the location, or other details, and then click Save.
The event is updated and the changes take effect immediately on the local host.

Deleting Events
Deleting an event from Endpoint Security completely removes it from the system. Endpoint Security
immediately stops recording and sending events from the local host.

Managing Disk Space


Closely monitor the Endpoint Security disk space usage. Endpoint Security and Apache logs can consume a
lot of disk space on the server. The Endpoint Security server will fail to respond to the clients and/or not
work as expected if there is no free disk space. You should monitor the disk usage, and remove old logs
as needed. Monitor the 'integrity/logs' directory on the Endpoint Security server.

Data Backup and Restore


To prevent the loss of data, you should configure Endpoint Security to periodically create a copy of the data.
You may also wish to periodically copy this information to another location. If your Endpoint Security system
should become unusable, you will then be able to restore from your backup.

Configuring Data Backups


Data backups occur on a daily basis, at the time you specify. The duration of the backup process is
determined by the amount of information in your datastore, but generally will not exceed five minutes. During
the data backup, administrators are not able to access the Endpoint Security Administrator Console.
Endpoint Security will continue to perform all security functions during the backup.
Data backups are stored in the /engine/webapps/ROOT/WEB-INF/data/backups directory. Each
backup is contained in a subdirectory named according to the time it was created. These subdirectories
contain a complete backup of all of the Endpoint Security data.
To configure data backups:
1. If you are in Multi-Domain mode, switch to System Domain.
2. Click System Configuration > Server Settings > Edit.
The Server Settings page opens.
3. Click Edit.
4. In the Embedded Database Backups area, enable backups and configure the settings.
For best performance results, do not schedule the database backup for the same time as the database
purge.
5. Click Save.
You may want to use a third-party application or script to automatically copy these files to a secure,
offsite location for storage.

Important - To avoid exposing your security settings to individuals who may wish to exploit them,
make sure any location you use for database backup is secure.

Restoring from Backups
If your data should become corrupted, or Endpoint Security should become unusable, you can restore from
backups.
To restore from a backup:
1. Shut down Endpoint Security.
Shut down the Apache and Tomcat services.
2. Remove the corrupted or unusable data files:
• Go to /engine/webapps/ROOT/WEB-INF/data.
• Remove all iss_main files, but do not remove the backups directory.
3. Copy the backup files.
If you copied backup directories to another location using a third-party application or script, look in that
location. Otherwise look in the backups directory on your Endpoint Security computer.
• Go to /engine/webapps/ROOT/WEB-INF/data/backups.
• Open the directory for the backup you want.
Backup directories are named for the time they are created.
• Copy the files in the backup directory.
4. Put the copied files in the data directory, /engine/webapps/ROOT/WEB-INF/data.
5. Restart Endpoint Security.
Restart the Apache and Tomcat services. If the XML in the backup policy files becomes corrupt,
Endpoint Security defaults to the most secure settings for Program Control.

Log Purging
You can configure Endpoint Security to purge the logs used for reports using the Endpoint Security
Administrator Console. Purges happen daily, at the time you specify. The amount of time required for the
purge depends on the number of files, but generally will not exceed half an hour.
To purge logs:
1. If you are in Multi-Domain mode, switch to System Domain.
2. Click System Configuration > Server Settings > Edit.
The Server Settings page opens.
3. Click Edit.
4. In the Database Purge Settings area, set the time for the purge.

Note - For best performance results, do not schedule the database purge for the same time as the
database backup.

5. Click Save.

Appendix A
Administrator Console Navigation
In This Appendix

Administrator Console Navigation Reference 173

Administrator Console Navigation Reference
Use the following table to locate pages in the Administrator Console. Where there is a version of the page
for a new item and a version for editing an existing item, the navigation for both is given. Depending on your
administrator role and permissions, you may only be able to view some pages.

Page Name (location indented below each entry; where a page can be reached in more than one view or mode, each path is listed)

About Check Point Endpoint Security
    About

Access Zones
    Policies | Edit | Access Zones

Add Enforcement Rules
    Policies | Edit | Enforcement Settings | Add

Add Firewall Rule to Policy
    Policies | Edit | Firewall Settings | Add

Add Locations to Zone
    Policies | Edit | Access Zones | Add

Add Program Rules
    Policies | Edit | Program Rules | Add

Add Restriction Firewall Rules to Policy
    Policies | Edit | Enforcement Settings | Add

Administrator
    Multi- / Single-Domain: System Configuration | Administrators | Edit / New
    Simple: Administrators | New

Administrator Manager
    Multi- / Single-Domain: System Configuration | Administrators
    Simple: Administrators

Advanced Settings
    Client Configuration | Edit | Advanced Settings
    Client Configuration | New Package | Advanced Settings

Anti-virus / Anti-spyware
    Policies | Edit | Anti-virus Anti-spyware

Anti-virus Provider Brands Report
    Multi- / Single-Domain: Reports | Endpoint Monitor | <choose report>
    Simple: Endpoint Monitor | <choose report>

Anti-virus Reference Client Configuration
    Multi- (Non-System Domains) / Single-Domain: System Configuration | Reference Clients

Anti-virus Reference Clients
    System Configuration | Reference Clients

Anti-virus Rule
    Policies | Manage Policy Objects | Enforcement Rules | Edit
    Policies | Manage Policy Objects | Enforcement Rules | New

Assign Policies
    Multi-Domain (System Domain): Domains | <select domain> | Endpoints | <select catalog> | Assign Policy
    Multi- (Non-System Domains) / Single-Domain: Endpoints | <select catalog> | Assign Policy

Assignment Priority
    Single-Domain: Endpoints | Edit
    Multi-Domain: Domains | Edit (System Domain)

Certificate Authority Request
    Multi- / Single-Domain: System Configuration | Certificates | New | CA Request

Certificate Authority Request, View
    Multi- / Single-Domain: System Configuration | Certificates | View

Certificate Manager
    Multi- / Single-Domain: System Configuration | Certificates

Change Password
    Change Password

Check Point Anti-virus Scanned Date Report
    Multi- / Single-Domain: Reports | Endpoint Monitor | <choose report>
    Simple: Endpoint Monitor | <choose report>

Check Point Spyware Scanned Date Report
    Multi- / Single-Domain: Reports | Endpoint Monitor | <choose report>
    Simple: Endpoint Monitor | <choose report>

Client Configuration
    Client Configuration (In Multi-Domain, System Domain only)

Client Connectivity Report
    Multi- / Single-Domain: Reports | Endpoint Monitor | <choose report>
    Simple: Endpoint Monitor | <choose report>

Client Package Installer Versions
    Client Configuration | Manage Client Installers

Client Rule
    Policies | Edit | Enforcement Settings | Add | New Rule | Client Rule

Client Settings
    Policies | Edit | Client Settings

Client Updates
    Home | <click Modify Client Update Settings>

Client Version Report
    Multi- / Single-Domain: Reports | Endpoint Monitor | <choose report>
    Simple: Endpoint Monitor | <choose report>

Create New Policy
    Multi- / Single-Domain: Policies | New | From Template

Custom Catalog
    Endpoints | New Catalog | Custom (In Multi-Domain, Non-System Domain only)

Custom Group
    Endpoints | <click catalog name> | New Group (In Multi-Domain, Non-System Domain only)

Customize Sandbox
    Multi- / Single-Domain: System Configuration | Sandbox Pages (In Multi-Domain, Non-System Domain only)

Domain
    Multi-Domain: Domains | Edit or New Domain

Domain Manager
    Multi-Domain: Domains

Endpoint Details
    Multi- / Single-Domain: Reports | Endpoint Activity | Apply Filter
    Simple: Endpoint Activity | Apply Filter

Endpoint Manager
    Endpoints (In Multi-Domain, Non-System Domain only)

Endpoint Status Report
    Multi- / Single-Domain: Reports | Endpoint Monitor | <choose report>
    Simple: Endpoint Monitor | <choose report>

Endpoints Report
    Multi- / Single-Domain: Reports | Endpoint Activity
    Simple: Endpoint Activity

Enforcement Rule
    Policies | Manage Policy Objects | Enforcement Rules | Edit
    Policies | Manage Policy Objects | Enforcement Rules | New | Enforcement Rule

Enforcement Rules Manager
    Policies | Manage Policy Objects | Enforcement Rules

Enforcement Settings
    Policies | Edit | Enforcement Settings

Enforcement Violations by Policy
    Multi- / Single-Domain: Reports | Endpoint Monitor | <choose report>
    Simple: Endpoint Monitor | <choose report>

Enforcement Violations by Rule
    Multi- / Single-Domain: Reports | Endpoint Monitor | <choose report>
    Simple: Endpoint Monitor | <choose report>

Event Destination
    Multi- (System Domains) / Single-Domain: System Configuration | Event Notification | Edit or New

Event Details Report
    Multi- / Single-Domain: Reports | Client Events | <choose a report (other than Summary or Compliance Status)> | click Apply Filter | <click a graph>

Event Manager
    Multi- (System Domains) / Single-Domain: System Configuration | Event Notification

Firewall Rule Manager
    Policies | Manage Policy Objects | Firewall Rules

Firewall Settings
    Policies | Edit | Firewall Settings

Gateway
    Gateways | New Gateway | <choose gateway type> (Multi-Domain: Non-System Domains only)

Gateway Catalog Group
    Multi- (System Domains): Domains | <select domain> | Gateways | <click gateway name> | New Group (System Domain)
    Gateways | <click gateway name> | New Group

Gateway Manager
    Gateways (Multi-Domain: Non-System Domains only)

Generate Self-Signed Certificate
    Multi- / Single-Domain: System Configuration | Certificates | New | Self Signed

Import Certificate
    Multi- / Single-Domain: System Configuration | Certificates | New | From File

Import Installer
    Client Configuration | Manage Installer Versions | New

Import Policy
    Multi- / Single-Domain: Policies | New | From File

Import Programs
    Program Permissions | New Program | Import Scan

Incoming Firewall Rule
    Policies | Manage Policy Objects | Firewall Rules | New Rule | Incoming Firewall Rule
    Policies | Manage Policy Objects | Firewall Rules | <click rule name>

Infection Events
    Home | <click a number in the Endpoint Infections table>

Infection History
    Reports | Infection History

Install Certificate Authority Certificate
    Multi- / Single-Domain: System Configuration | Certificates | New | CA Issued Certificate

Endpoint Monitor Report
    Multi- / Single-Domain: Reports | Endpoint Monitor
    Simple: Endpoint Monitor

IP Catalog
    Multi- (Non-System Domains) / Single-Domain: Endpoints | New Catalog | IP Catalog

IP Group
    Endpoints | <click catalog name> | New Group (In Multi-Domain: Non-System Domains only)

LDAP Catalog
    Multi- (Non-System Domains) / Single-Domain: Endpoints | New Catalog | LDAP

Location
    Policies | Manage Policy Objects | Locations | <select location> | Edit
    Policies | Manage Policy Objects | Locations | New

Location Manager
    Policies | Manage Policy Objects | Locations

Manually-Added Program
    Program Permissions | New Program | Add Manually

Messaging Settings
    Policies | Edit | Messaging Settings

Name and Notes
    Policies | Edit | Name and Notes

NTDomain Catalog
    Endpoints | Edit
    Endpoints | New Catalog | NTDomain (In Multi-Domain: Non-System Domains only)

Office Awareness Settings
    Client Configuration | Edit (In Multi-Domain: System Domains only)

Outgoing Firewall Rule
    Policies | Manage Policy Objects | Firewall Rules | New | Outgoing
    Policies | Manage Policy Objects | Firewall Rules | <click rule name>

Package Details
    Client Configuration | Edit
    Client Configuration | New

Policies Using
    Policies | Manage Policy Objects | <click policy object tab> | Used By

Policy Assignment Report
    Multi- / Single-Domain: Reports | Endpoint Monitor | <choose report>
    Simple: Endpoint Monitor | <choose report>

Policy History
    Policies | History

Policy Manager
    Policies

Policy Objects
    Policies | Manage Policy Objects

Policy Package
    Policies | New | Policy Package

Ports and Protocols Manager
    Policies | Manage Policy Objects | Ports & Protocols

Program Advisor Configuration
    Multi- (Non-System Domains) / Single-Domain: System Configuration | Program Advisor

Program Group
    Program Permissions | New Group

Program Group Permissions
    Program Permissions (In Multi-Domain: Non-System Domains only)

Program Groups
    Program Permissions | New Group
    Program Permissions | Edit

Program Permissions
    Program Permissions | <program group name>

Program Rules
    Policies | Edit | Program Rules

RADIUS Catalog
    Endpoints | Edit
    Endpoints | New Catalog | RADIUS (In Multi-Domain: Non-System Domains only)

Role
    Multi- / Single-Domain: System Configuration | Administrators | Manage Roles | Edit or New
    Simple: Administrators | Manage Roles | New

Role Manager
    Multi- / Single-Domain: System Configuration | Administrators | Manage Roles
    Simple: Administrators | Manage Roles

Self-Signed Certificate
    Multi- / Single-Domain: System Configuration | Certificates | <click certificate name> or New | Self Signed

Server Settings
    Multi- (System Domain) / Single-Domain: System Configuration | Server Settings | Edit

SmartDefense
    Policies | Edit | SmartDefense

Synchronization Status
    Endpoints | Synchronize (In Multi-Domain: Non-System Domains only)

User Events Report
    Client Configuration | Edit | VPN Settings
    Client Configuration | New Package | VPN Settings

VPN Settings
    Client Configuration | Edit | VPN Settings
    Client Configuration | New Package | VPN Settings

Appendix B
Legacy VPN CLI
In This Appendix

Commands 180

Commands
The VPN engine commands can be used to generate status information, stop and start services, or connect to defined sites using specific user profiles. Typically, endpoint users do not need to open a command prompt and use these commands, but you may wish to include the commands in a script that you transfer to remote users. This is a way to expose VPN engine operations (such as Connect/Disconnect) to external third-party applications via scripting.
The general format for VPN engine commands is:
    C:\> scc <command> [optional arguments]

Note - You can use the Endpoint Security Administrator Console to include VPN functionality in an Endpoint Security client installation package. For details, see VPN Options (on page 130).

Table 12-24 SecureClient (Legacy VPN) Commands

Command (explanation indented below each entry)

scc
    SCC VPN commands are used to generate status information, stop and start services, or connect to defined sites using specific user profiles.

scc connect
    Connects to the site using the specified profile and waits for the connection to be established. In other words, the OS does not put this command into the background; it executes the next command in the queue only after the connection attempt completes.

scc connectnowait
    Connects asynchronously to the site using the specified profile. The OS moves on to the next command in the queue and this command runs in the background.

scc disconnect
    Disconnects from the site using a specific profile.

scc erasecreds
    Unsets authorization credentials.

scc listprofiles
    Lists all profiles.

scc numprofiles
    Displays the number of profiles.

scc restartsc
    Restarts VPN services.

scc passcert
    Sets the user's authentication credentials when authentication is performed using certificates.

scc setmode
    Switches the VPN engine command-line mode.

scc startsc
    Starts VPN services.

scc status
    Displays the VPN connection status.

scc stopsc
    Stops VPN services.

scc suppressdialogs
    Enables or suppresses VPN engine dialog popups. By default, suppressdialogs is off.

scc userpass
    Sets the user's authentication credentials (username and password).

scc ver
    Displays the current VPN engine version.

scc icacertenroll
    Enrolls a certificate with the internal CA. It currently takes four parameters: site, registration key, filename and password. Currently the command only supports the creation of p12 files.

Legacy VPN CLI Page 181


Appendix C
Security Gateway Configuration
In This Appendix

Configuring Multiple Entry Point (MEP) 182
Configuring Endpoint Compliance 183
Configuring Location Awareness 184

Configuring Multiple Entry Point (MEP)

For the legacy VPN client, the gateways have to belong to the same VPN domain for MEP to function. For
Endpoint Connect, the gateways do not have to belong to the same VPN domain and the client does not
send probing RDP packets to discover the available gateways.
Endpoint Connect's behavior in a MEP deployment is determined by a list of gateway addresses held in a
.ttm configuration file on the gateway. If the client fails to connect to any of the gateways, further attempts
cease. If the client does connect, the topology of the VPN domain is downloaded to the client.
To configure the security gateway for MEP
1. On the security gateway, open $FWDIR/conf/trac_client_1.ttm for editing.
2. Search for the enable_gw_resolving attribute:
       :enable_gw_resolving (
       :gateway (
       :default (true)
       )
       )
   Verify that the attribute is set to its default value, true.
3. Manually add the mep_mode attribute using the following syntax:
       :mep_mode (
       :gateway (
       :default (xxx)
       )
       )
   Where xxx is the value for one of the following four MEP methods:
   • dns_base. Endpoint Connect resolves gateway IP addresses according to DNS Geo Clustering.
   • first_to_respond. Endpoint Connect probes all gateways on the list and builds a new list according to response time. The first gateway to respond becomes the first gateway on the list.
   • primary_backup. Endpoint Connect works sequentially through the list, attempting to connect to the first IP address, then the second, and so on.
   • load_sharing. Endpoint Connect randomly tries a gateway on the list. If the attempt fails, Endpoint Connect randomly selects the next address from those remaining on the list.
4. Manually add the ips_of_gws_in_mep attribute using the following syntax:
       :ips_of_gws_in_mep (
       :gateway (
       :default (192.168.53.220&#192.168.53.133&#)
       )
       )
   This is the list of IP addresses the client should try according to the chosen MEP method. Note that:
   • IP addresses are separated by an ampersand and hash symbol (&#).
   • The last IP address in the list is followed by a final &#.
5. Install a policy.
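A malformed gateway list (a missing trailing &#, a typo in the mode name) is only discovered when clients fail to connect, so it is worth checking the edited fragment before installing policy. The following is an added example, not part of this guide or of Check Point's tooling: it extracts the three attributes above with a small regular-expression parser of the ":attribute ( :gateway ( :default (value) ) )" layout and validates them against the rules stated in steps 2 to 4. The sample text is constructed from the guide's own syntax and example addresses; the parser assumes each attribute appears in exactly that nested layout.

```python
import ipaddress
import re

# The four MEP methods the guide lists for mep_mode
MEP_MODES = {"dns_base", "first_to_respond", "primary_backup", "load_sharing"}

# Constructed sample of the attributes as the guide says to add them to
# $FWDIR/conf/trac_client_1.ttm; the addresses are the guide's own example values.
SAMPLE_TTM = """
:enable_gw_resolving (
:gateway (
:default (true)
)
)
:mep_mode (
:gateway (
:default (primary_backup)
)
)
:ips_of_gws_in_mep (
:gateway (
:default (192.168.53.220&#192.168.53.133&#)
)
)
"""


def ttm_default(text, attr):
    """Return the ':default (...)' value of a ':attr ( :gateway ( ... ) )' block, or None.

    Assumption: the attribute uses exactly the nested layout shown in the guide.
    """
    pattern = rf":{re.escape(attr)}\s*\(\s*:gateway\s*\(\s*:default\s*\(([^)]*)\)"
    match = re.search(pattern, text)
    return match.group(1).strip() if match else None


def parse_gateway_list(value):
    """Split an ips_of_gws_in_mep value into IP addresses.

    Entries are separated by '&#' and the last entry must also be followed by '&#'.
    Raises ValueError for a missing terminator, an empty entry or a malformed address.
    """
    if not value.endswith("&#"):
        raise ValueError("gateway list must end with a final &#")
    addresses = []
    for entry in value[:-2].split("&#"):
        if not entry:
            raise ValueError("empty entry in gateway list")
        addresses.append(str(ipaddress.ip_address(entry)))  # ValueError if malformed
    return addresses


def check_mep_config(text):
    """Validate the three MEP attributes; returns the mode, gateway list and any problems found."""
    problems = []
    if ttm_default(text, "enable_gw_resolving") != "true":
        problems.append("enable_gw_resolving is not set to true")
    mode = ttm_default(text, "mep_mode")
    if mode not in MEP_MODES:
        problems.append(f"mep_mode {mode!r} is not one of {sorted(MEP_MODES)}")
    gateways = []
    raw = ttm_default(text, "ips_of_gws_in_mep")
    if raw is None:
        problems.append("ips_of_gws_in_mep attribute is missing")
    else:
        try:
            gateways = parse_gateway_list(raw)
        except ValueError as err:
            problems.append(f"ips_of_gws_in_mep: {err}")
    return {"mode": mode, "gateways": gateways, "problems": problems}


if __name__ == "__main__":
    print(check_mep_config(SAMPLE_TTM))
```

Run it against the text of the edited file (for example, `check_mep_config(open(path).read())`) and install policy only when the returned problems list is empty; the parser deliberately rejects an unterminated list rather than silently accepting the last address, because that is the mistake the two notes in step 4 warn about.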

Configuring Endpoint Compliance

To determine whether the machine with Endpoint Security installed should be given access to remote corporate resources, the Endpoint Connect VPN client:
• Takes advantage of Endpoint Security policy enforcement rules
• Implements the SCV protocol to confirm compliance

How it works
• On the Endpoint Security Server, the administrator configures an Endpoint Security Policy with Enforcement Rules. The endpoint machine receives this policy from the server, and must fulfill these conditions to be considered compliant.
• When the VPN Client connects to the security gateway, attempting to open a connection to resources within the VPN domain, the gateway requests the Client's SCV compliance status.
• Using the SCV protocol, the Client sends its status to the VPN gateway. The status is whether the client complies with the enforcement rules defined in the Endpoint Security policy.
• The gateway receives the status. According to the client's state, the gateway allows or blocks the connection.

Enforcement Rules in the Endpoint Security Policy

Enforcement Rules (known previously as ACE rules) are defined in the Endpoint Security Server Policy and enforced by the Endpoint Security Client. Enforcement rules ensure endpoint machines comply with the Security Policy of the organization. To be compliant, endpoint machines must fulfill the conditions of each rule.

To configure Enforcement rules:

1. Log into the Endpoint Security Administrator Console at: http://<Endpoint Security IP Address>/signon.do
2. On the Edit Policy > Enforcement Settings tab, configure enforcement rules of the following types:

   Rule Type (description indented below each entry)

   General Enforcement
       Enforcement rules that require or prohibit a specific file, program, or registry key.

   Anti Virus Enforcement
       Requires a specific anti-virus program version and configuration to be present on the endpoint.

   Client Enforcement
       Requires a specific Secure Access flavor (agent/flex) and client version from the Endpoint Client.

Enforcement rules are implemented on the client side. In the policy administrator, configure the actions for the client to take when the endpoint becomes non-compliant.
• The client can be set to Observe, Warn, or Restrict computers that are out of compliance.
• If the enforcement rule is set to Warn or Observe, the action takes place immediately.
• If the enforcement rule is set to Restrict, the action takes place after the endpoint computer has been out of compliance for the specified number of heartbeats. For a restricted computer, configure Policy Restrictions. For example, if a computer is restricted because of an out-of-date anti-virus program, the computer can be restricted to specific subnets within the larger corporate network.
• Set up remediation resources for endpoints that Endpoint Security has warned or restricted. Warned users must apply the remediation resources manually. Restricted users can apply the resources manually, or you can configure Endpoint Security to run the resources automatically.
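The bullets above fix when each action takes effect, which matters when sizing the heartbeat count for Restrict: until the count is reached a non-compliant endpoint is still unrestricted. The following added model (not the product's code, and not taken from this guide) replays a sequence of heartbeats against a constructed two-rule policy to make that timing visible: Observe and Warn fire on the first non-compliant heartbeat, Restrict applies only once the endpoint has been out of compliance for the configured number of consecutive heartbeats, and the counter resets as soon as the rule is satisfied again. The rule and status names, the threshold comparison (restriction when the count reaches the configured number) and the remediation URLs are assumptions of the model.

```python
from dataclasses import dataclass, field

# Actions an enforcement rule can take, as the guide lists them
OBSERVE, WARN, RESTRICT = "Observe", "Warn", "Restrict"

# Endpoint status ordering used by this model (the highest action taken wins);
# "pending_restrict" is the model's name for a Restrict rule still counting heartbeats.
SEVERITY = {"compliant": 0, "observed": 1, "pending_restrict": 2, "warned": 3, "restricted": 4}


@dataclass
class EnforcementRule:
    name: str
    action: str                   # OBSERVE, WARN or RESTRICT
    restrict_after: int = 1       # Restrict only: heartbeats out of compliance before restriction
    remediation: str = ""         # remediation resource offered to warned/restricted users (constructed)
    auto_remediate: bool = False  # Restrict only: run the remediation resource automatically


@dataclass
class EndpointState:
    counts: dict = field(default_factory=dict)  # rule name -> consecutive non-compliant heartbeats
    log: list = field(default_factory=list)     # (heartbeat, event, rule name, remediation)


def process_heartbeat(state, rules, compliance, hb):
    """Apply the policy's actions for one heartbeat and return the endpoint status.

    compliance maps rule name -> True when the endpoint currently satisfies that rule.
    """
    status = "compliant"
    for rule in rules:
        if compliance.get(rule.name, False):
            state.counts.pop(rule.name, None)   # back in compliance: the counter resets
            continue
        n = state.counts[rule.name] = state.counts.get(rule.name, 0) + 1
        if rule.action == OBSERVE:              # immediate, log only
            state.log.append((hb, "observe", rule.name, ""))
            new = "observed"
        elif rule.action == WARN:               # immediate, user must remediate manually
            state.log.append((hb, "warn", rule.name, rule.remediation))
            new = "warned"
        elif n >= rule.restrict_after:          # assumption: restrict once the count reaches the threshold
            state.log.append((hb, "restrict", rule.name, rule.remediation))
            if rule.auto_remediate and rule.remediation:
                state.log.append((hb, "auto-remediate", rule.name, rule.remediation))
            new = "restricted"
        else:
            new = "pending_restrict"
        if SEVERITY[new] > SEVERITY[status]:
            status = new
    return status


def run_heartbeats(rules, snapshots):
    """Replay one compliance snapshot per heartbeat; returns the status history and final state."""
    state = EndpointState()
    history = [process_heartbeat(state, rules, snap, hb) for hb, snap in enumerate(snapshots, 1)]
    return history, state


# Constructed demo policy: an anti-virus rule that restricts after three heartbeats
# and a required-program rule that only warns.
DEMO_RULES = [
    EnforcementRule("av-current", RESTRICT, restrict_after=3,
                    remediation="http://remediation.example/av-update", auto_remediate=True),
    EnforcementRule("agent-installed", WARN, remediation="http://remediation.example/agent"),
]

# Four heartbeats with an outdated anti-virus, then one with anti-virus fixed but the agent missing
DEMO_SNAPSHOTS = [{"av-current": False, "agent-installed": True}] * 4 + [
    {"av-current": True, "agent-installed": False}
]

if __name__ == "__main__":
    history, state = run_heartbeats(DEMO_RULES, DEMO_SNAPSHOTS)
    print(history)
    for entry in state.log:
        print(entry)
```

The demo replay yields two unrestricted heartbeats before restriction and automatic remediation begin on the third, and the Warn rule fires at once on the fifth; multiplying the Restrict count by the configured heartbeat interval (see Configuring the Heartbeat Interval) gives the window during which an out-of-compliance endpoint remains unrestricted.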

For more information, see Creating Enforcement Rules as Policy Objects (on page 63).

Configuring Secure Configuration Verification (SCV)

In addition to compliance checks on the Client side, the Administrator can configure whether the VPN security gateway verifies that remote access clients are securely configured (compliant) according to the Endpoint Security Policy.

To configure SCV Enforcement on the Security Gateway:

1. Open SmartDashboard > Global Properties > Remote Access > Secure Configuration Verification.
2. Select Apply Secure Configuration Verification on Simplified Mode Security Policies.
3. Select an action to take if the client fails SCV compliance:
   • Block the connection
   • Accept and log a warning to the administrator

Configuring Location Awareness

Endpoint Connect detects whether it is inside or outside of the VPN domain (Enterprise LAN), and automatically connects or disconnects as required. When the client determines it is within the internal network, the VPN connection is terminated. If the client is in Always-Connect mode, the VPN connection is established again when the client leaves the internal network.

To configure location awareness

1. Verify that the:
   • Security gateway is either R70, or NGX R65 with HFA40 installed
   • NGX R66 plug-in for Connectra is installed on the SmartCenter server
2. In SmartDashboard, open Global Properties > Remote Access > Endpoint Connect.
3. In the Location Aware Connectivity area, select Yes from the drop-down box and click Configure...
   The Location Awareness Settings window opens.
4. Select the criteria by which the client determines whether it is within the internal network:
   • Client can access its defined domain controller. This refers to the Microsoft Domain controller, or Active Directory, available on the internal network, which cannot be accessed through a VPN tunnel.
   • Client connection arrives from within the following network. Use this setting to define a group of known internal networks.
5. If necessary, click Manage to define a new Simple Group, Group With Exclusion, or Network.
6. Click Advanced...
   The Location Awareness - Fast Detection of External Locations window opens.
   Use these options to identify external networks. For example, create a list of wireless networks or DNS suffixes that are known to be external, or cache (on the client side) the names of networks that were previously determined to be external. As this is an exclusion list, it should contain internal SSIDs or suffixes. If the SSID is not in the list, checking stops and the client is located external to the network. Selecting one or more of these options enhances the performance of location awareness.

Index

A
About Third-Party Scripts • 131
Active Directory Compatibility • 38
Adding Enforcement Rules to Policies • 22, 76
Adding Firewall Rules to Policies • 61
Adding Gateway Catalogs • 121
Adding Gateway Groups • 125
Adding Messages to System Log • 169
Adding Programs Manually • 87
Adding Restriction Firewall Rules to Your Policy • 77
Administrator Console • 12
Administrator Console Navigation • 173
Administrator Console Navigation Reference • 173
Administrator Roles • 28
Agent Client • 12
Allowing Endpoint Hotspot Registration • 162
Anti-spyware • 47
Anti-virus • 47
Anti-virus Rules • 70
Appscan Switches • 86
Assigning a Custom Policy • 24
Assigning Policies • 23, 100, 103
Assignment Order • 102
Authenticating Users • 41

B
Beacon Details • 143
Before You Begin • 151
Block All • 85
Block All Non-trusted Communication • 84
Block All Servers • 84
Block Internet Zone Servers Only • 83
Blocked Zone • 56
Building a Customized RPM • 152

C
Certificate Management • 165
Changing cm_auth Parameter • 156
Changing Connection Manager Address • 155
Changing Login Credentials • 38
Changing your JDBC IP Address • 166
Checking the Log • 157
Checking Your Domain • 26
Choosing Your Enterprise Policy Types • 14
Choosing Your Security Model • 14
Client Connectivity Report • 137
Client Installation Packages • 129
Client Logging • 166
Client Program Advisor Process • 109
Client Version Report • 137
Command Line Switches • 137
Command-Line Syntax • 139
Commands • 179
Configuration and Maintenance • 159
Configuration File Settings • 154
Configurations for Unknown Programs • 83
Configuring a RADIUS Server • 164
Configuring Advanced Packet Handling Settings • 58
Configuring Alert Levels • 91
Configuring an Existing Server • 144
Configuring and Deploying the Default Policy • 16
Configuring Anti-malware Protection • 93
Configuring Automatic Client Updates • 116
Configuring Client Update Staging • 116
Configuring Compliance Check Settings • 77
Configuring Cooperative Enforcement • 121
Configuring Data Backups • 171
Configuring Endpoint Compliance • 182
Configuring Enforcement Settings • 21
Configuring Location Awareness • 183
Configuring MailSafe Protection in a Policy • 99
Configuring Multiple Entry Point (MEP) • 181
Configuring New Network Detection Options • 57
Configuring Office Awareness • 142
Configuring Program Advisor • 18
Configuring RADIUS Properties File • 164
Configuring Recommended Event Logs • 167
Configuring Secure Configuration Verification (SCV) • 183
Configuring SmartDefense in a Policy • 99
Configuring the Default VPN Policy • 105
Configuring the Heartbeat Interval • 77
Configuring Zones • 16
Confirming WINS Server Settings • 38
Connected Policies • 45
Connection Information • 134
Creating a Basic Policy • 16
Creating a Certificate Authority Certificate • 165
Creating a More Advanced Policy • 19
Creating a New VPN Policy • 106
Creating a Policy Template • 107
Creating a Policy Using a File • 54
Creating a RADIUS Catalog • 40
Creating a Self-Signed Certificate • 166
Creating Access Zones as Policy Objects • 55
Creating Administrator Accounts • 32
Creating an Anti-virus Enforcement Rule • 71
Creating an Appscan • 85
Creating an Example Enforcement Rule • 21
Creating an Initial Policy - High • 52
Creating an Initial Policy - Low • 50
Creating an IP Catalog • 23
Creating an LDAP Catalog • 23
Creating an NT Domain Catalog • 39
Creating Appscans • 85
Creating Catalogs • 23
Creating Client Enforcement Rules • 73
Creating Client Packages • 136
Creating Domains • 27
Creating Enforcement Rules as Policy Objects • 63
Creating Enforcement Rules for Programs, Files and Keys • 67
Creating Events • 171
Creating Firewall Rules • 60
Creating Firewall Rules as Policy Objects • 59
Creating LDAP Catalogs • 35
Creating Policies Using a Policy Template • 53
Creating Policy Packages • 100
Creating Program Groups • 20, 88
Creating Program Rules • 79
Creating Roles • 30
Creating Subsequent Policies • 51, 52
Creating the Linux Policy • 147
Creating the Second Policy • 51
Custom Catalogs • 34
Custom Groups • 81
Custom Parameters • 134
Customizing the Endpoint Security Agent Configuration • 154

D
Data Backup and Restore • 171
Default Groups • 80
Default Policy • 16
Default Roles and Customized Roles • 30
Defining Zones • 17, 57
Deleting a Firewall Rule • 63
Deleting Administrator Accounts • 33
Deleting Domains • 27
Deleting Enforcement Rules • 75
Deleting Events • 171
Deleting Policies • 104
Deleting Policy Templates • 108
Deploying or Rejecting Previewed Updates • 117
Deploying Policies • 100
Deploying the Policy • 19
Deployment Workflow • 146
Describing the Distribution Process • 127
Disabling Windows Firewall • 13
Disabling Wireless on LAN • 163
Disconnected Policies • 45
Disconnected Policy for Linux - Options • 148
Distributing Client with Command-Line • 138
Distributing Client with GPO • 138
Distributing Endpoint Security Client • 129
Distributing First Client • 15
Distributing the Client Package URL • 136
Documentation • 129

E
Editing Administrator Accounts • 33
Editing Anti-malware Settings • 91
Editing Enforcement Rules • 75
Editing Firewall Rules • 62
Editing Messaging Settings • 99
Editing SmartDefense Settings • 98
Educating the Endpoint User • 126
Enabling and Disabling Firewall Rules • 62
Enabling Enforcement Rule Alerts and Logging • 67
Enabling Program Advisor • 112
Enabling Support for Legacy Clients • 93
Enabling Updates • 92
Endpoint Security Agent RPM • 157
Endpoint Security Agent Script • 157
Endpoint Security Clients • 12
Endpoint Security Server • 12
Endpoint Security Server Program Advisor Process • 111
Enforcement Rule Types • 63
Enforcement Rules • 48
Enforcement Rules in the Endpoint Security Policy • 182
Enforcement Rules Process • 64
Enforcing Anti-spyware Scans and Treatments • 98
Establishing Communication • 144
Events and Logging • 167
Example 1 Allow local traffic and block other traffic • 60
Example 2 All access is Blocked • 60
Example of Rank • 59
Expired or Exceeded Licenses • 159
Exporting Client Packages • 136
Exporting Policies • 104

F
Firewall Rule Rank in Security Policies • 59
Firewall Rules • 46
Flex Client • 13
Formatting the User Data File • 40

G
Gateways and Cooperative Enforcement • 120
Gathering Topology Information • 15
Generating Licenses • 160
Getting Started • 14
Global and Policy Permissions • 81
Group Permissions and Policies • 80
Grouping Enforcement Rules • 76
Groups • 43

H
Hard-Coded Rules • 48
Heartbeats • 166
High Threat Lifecycle • 52
How Hotspot Registration Works on the Endpoint • 163

I
Importing Appscans • 87
Importing Client Executables • 135
Increasing the LDAP Result Size Limit • 35
Informing Endpoint Users in Advance • 126
Install Key (Password) • 133
Installation Methods • 149
Installation of Client on Linux • 149
Installation Options • 133
Installing a New Beacon Server • 143
Installing Endpoint Security Agent using RPM • 152
Installing using the Endpoint Security Agent RPM • 151
Installing with Installation Script • 149
Integration With Other Check Point Products • 10
Internet Zone • 56
Internet Zone/Act as a Client • 82
Internet Zone/Act as a Server • 82
Introduction • 9
Introduction to Cooperative Enforcement • 120
Introduction to Licensing • 159
IP Catalogs • 43

L
LDAP Catalogs • 35
Legacy VPN CLI • 179
Licensing • 159
Linux Agent Installation and Configuration • 146
Linux Configuration • 170
Locations • 55
Log Purging • 172
Low Threat Lifecycle • 50

M
Mail Protections • 47
Making Updates Instantly Available • 116
Managing Administrators • 28
Managing Catalogs • 34
Managing Central and Local Licenses • 160
Managing Communication • 162
Managing Data • 167
Managing Disk Space • 171
Managing Domains • 25
Managing Events • 170
Managing Linux Disconnected Policy • 148
Managing Linux Groups • 146
Managing Policy Templates • 107
Managing Security Policies • 44
Managing Unknown Programs • 113
Managing Updates • 114
Managing Your Products • 159
Manual Synchronization • 42
Migrating from Check Point SecureClient (Optional) • 130
Migrating from SCV and Desktop Security Rules • 131
Modes and Views • 10
Modifying a Policy Template • 108
Monitoring Anti-Malware Activity • 117
Monitoring Infection Activity on Endpoints • 118
Monitoring Infection History • 118
Monitoring Policy Assignment • 103
Monitoring Scan and Update Status • 118
MSI Error (Return) Codes • 139
MSI Switches • 139
Multi-Domain Administrators • 25

N
NT Domain Catalogs • 38

O
Obtaining Product Code • 140
Offline Updates • 117
Overriding Program Advisor • 21
Overriding Program Advisor Recommendations • 113
Overview of Office Awareness • 142
Overview of Updates • 114

P
Permission Precedence • 81
Personal Policies • 45
Planning Administrator Configuration • 30
Planning Enforcement Rules • 65
Planning Policy Lifecycles • 50
Planning Program Control • 82
Planning User Support • 15
Planning Your VPN Configuration • 131
Policies • 9
Policies in Client Installations • 130
Policy Arbitration • 46
Policy Components and Settings • 9
Policy Inheritance • 100
Policy Lifecycles • 49
Policy Objects • 48
Policy Packages • 46
Policy Stages • 16
Preconfigured Policy Templates • 107
Preparing your Help desk Staff • 129
Prerequisites for RADIUS • 164
Privileges • 30
Program Advisor • 47, 109
Program Advisor Server • 109
Program Control • 47
Program Evaluation Process • 81
Program Groups • 80
Program Observation • 82
Program Permissions • 79
Providing Information About Your Security Policy • 127
Providing Remediation Resources • 127
Providing Remediation Resources for Users • 65
Proxy Configuration • 163
Proxy Login and Auto Add • 42

R
RADIUS Catalogs • 40
Ranking Firewall Rules • 62
Recommended Sandbox Customizations • 128
Registering the Beacon Server • 144
Removing Firewall Rules from a Policy • 62
Restoring from Backups • 172
Rolling Back Policy Versions • 103
Routing Fatal Messages (SMTP) • 167
Routing Log Upload System (SMTP) • 168
Rule Evaluation and Precedence • 48
Rules that Observe • 67
Rules that Warn • 67
Running Endpoint Security Agent • 156

S
Sample Program Permission Configurations • 83
Scheduling Synchronization • 42
Security Gateway Configuration • 181
Security Policy Component Overview • 46
Security Rules • 48, 56
Setting Firewall Rules • 19
Setting Install Key • 133
Setting Log Upload Parameters • 158
Setting New Network Handling Parameters • 17
Setting Policy-Level Permissions • 90
Setting Program Control • 20
Setting Program Permissions • 89
Setting Restriction Firewall Rules • 22
Setting Security Levels • 56
Setting the Assignment Priority • 103
Silent Installations and Upgrades • 134
Silently Removing a Client • 140
Simple View - Activating Policies • 100
SmartCenter Administrators • 33
SmartDefense • 47
Starting and Stopping Services • 160
Suggested Policy Settings • 50
Supported Catalog Types • 34
Supported Policy Settings • 147
Supporting the User • 126
Switching Domains • 26
Switching Views • 10
Synchronizing User Catalogs • 42
System Architecture • 11
System Domain and Non-System Domains • 25

T
Testing Gateway Cooperative Enforcement • 124
Testing Policy and Zones • 19
Testing Program and Enforcement Rules • 23
Tracking Enforcement Rule Compliance • 78
Tracking Rules that Warn or Observe • 67
Training • 129
Trap Formats • 170
Trusted Zone • 55
Trusted Zone/Act as a Client • 83
Trusted Zone/Act as a Server • 82

U
Understanding Policies • 44
Understanding Policy Enforcement on Linux • 148
Uninstalling Check Point Products - Linux • 161
Uninstalling Check Point Products - SecurePlatform • 161
Uninstalling Check Point Products - Windows • 161
Uninstalling Clients • 140
Uninstalling Endpoint Security Agent using RPM • 153
Uninstalling MSI files • 140
Uninstalling Using a Script • 140
Uninstalling Using Product Code • 140
Uninstalling with Installation Script • 151
Update Delivery Process • 115
Update Staging Process • 115
Updating RADIUS Catalogs • 41
Updating RADIUS Configuration File • 164
Upgrading Endpoint Security Agent using RPM • 153
Upgrading the Client • 129
User Catalogs • 34
User Identification • 134
Using a Default Policy • 53
Using a Default VPN Policy • 105
Using Alerts for User Self-help • 127
Using Checksums • 82
Using Endpoint Security Administrator Console • 9
Using Office Awareness Servers • 142
Using Program Advisor with a Proxy Server • 18
Using Reference Clients • 70
Using Rules that Observe or Warn • 67
Using SNMP with Endpoint Security • 170
Using the Command Line Interface • 156
Using the Office Awareness Beacon • 143
Using the Sandbox for User Self-Help • 127
Using the Service Manager • 157

V
Version Information • 160
Viewing Anti-virus Versions • 79
Viewing Compliance Status • 78
Viewing Program Advisor Recommendations • 112
Violations by Rule and Policy • 79
VPN Agent and VPN Flex • 13
VPN Options • 130
VPN Policies • 105

W
What a Restricted User Experiences • 64
Windows Firewall • 162
Withdrawing a Policy Template • 108
Workflow for Configuring and Deploying VPN in Packages • 132

Z
Zone Rules • 18, 46