CP R73 EPS Server AdminGuide
(Secure Access)
R73
Administration Guide
23 February, 2010
More Information
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=10635
For additional technical information about Check Point, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to us (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Endpoint Security Server (Secure Access) R73 Administration Guide).
Introduction ............................................................................................................... 9
Policies ...................................................................................................................9
Policy Components and Settings ...........................................................................9
Using Endpoint Security Administrator Console.....................................................9
Modes and Views ............................................................................................10
Switching Views...............................................................................................10
Integration With Other Check Point Products.......................................................10
System Architecture .............................................................................................11
Endpoint Security Server .................................................................................12
Administrator Console .....................................................................................12
Endpoint Security Clients ................................................................................12
Getting Started ........................................................................................................ 14
Choosing Your Enterprise Policy Types ...............................................................14
Choosing Your Security Model .............................................................................14
Gathering Topology Information ...........................................................................15
Planning User Support .........................................................................................15
Distributing First Client .........................................................................................15
Configuring and Deploying the Default Policy ......................................................16
Policy Stages ...................................................................................................16
Default Policy...................................................................................................16
Creating a Basic Policy....................................................................................16
Deploying the Policy ........................................................................................19
Testing Policy and Zones ................................................................................19
Creating a More Advanced Policy ...................................................................19
Testing Program and Enforcement Rules .......................................................23
Assigning Policies ................................................................................................23
Creating Catalogs ............................................................................................23
Assigning a Custom Policy ..............................................................................24
Managing Domains ................................................................................................. 25
Multi-Domain Administrators ................................................................................25
System Domain and Non-System Domains .........................................................25
Checking Your Domain ........................................................................................26
Switching Domains ...............................................................................................27
Creating Domains ................................................................................................27
Deleting Domains .................................................................................................27
Managing Administrators ...................................................................................... 28
Administrator Roles ..............................................................................................28
Default Roles and Customized Roles ..............................................................30
Privileges .........................................................................................................30
Planning Administrator Configuration ...................................................................30
Creating Roles .....................................................................................................30
Creating Administrator Accounts ..........................................................................32
Editing Administrator Accounts ............................................................................33
Deleting Administrator Accounts ..........................................................................33
SmartCenter Administrators .................................................................................33
Managing Catalogs ................................................................................................. 34
Supported Catalog Types ....................................................................................34
User Catalogs ......................................................................................................34
Custom Catalogs .............................................................................................34
LDAP Catalogs ................................................................................................35
NT Domain Catalogs .......................................................................................38
RADIUS Catalogs ............................................................................................40
Authenticating Users .......................................................................................41
Synchronizing User Catalogs ..........................................................................42
IP Catalogs ...........................................................................................................43
Groups .................................................................................................................43
Managing Security Policies ................................................................................... 44
Understanding Policies ........................................................................................44
Connected Policies ..........................................................................................45
Disconnected Policies .....................................................................................45
Personal Policies .............................................................................................45
Policy Arbitration..............................................................................................46
Policy Packages ..............................................................................................46
Security Policy Component Overview .............................................................46
Policy Objects ..................................................................................................48
Rule Evaluation and Precedence ....................................................................48
Policy Lifecycles ..............................................................................................49
Using a Default Policy ..........................................................................................53
Creating Policies Using a Policy Template...........................................................53
Creating a Policy Using a File ..............................................................................54
Creating Access Zones as Policy Objects............................................................55
Locations .........................................................................................................55
Trusted Zone ...................................................................................................55
Blocked Zone...................................................................................................56
Internet Zone ...................................................................................................56
Security Rules .................................................................................................56
Setting Security Levels ....................................................................................56
Configuring New Network Detection Options ..................................................57
Defining Zones ................................................................................................57
Configuring Advanced Packet Handling Settings ............................................58
Creating Firewall Rules as Policy Objects............................................................59
Firewall Rule Rank in Security Policies ...........................................................59
Example of Rank .............................................................................................60
Creating Firewall Rules ...................................................................................60
Adding Firewall Rules to Policies ....................................................................62
Ranking Firewall Rules ....................................................................................62
Enabling and Disabling Firewall Rules ............................................................62
Editing Firewall Rules ......................................................................................62
Removing Firewall Rules from a Policy ...........................................................63
Deleting a Firewall Rule...................................................................................63
Creating Enforcement Rules as Policy Objects....................................................63
Enforcement Rule Types .................................................................................63
Enforcement Rules Process ............................................................................64
What a Restricted User Experiences...............................................................64
Planning Enforcement Rules ...........................................................................65
Providing Remediation Resources for Users...................................................65
Using Rules that Observe or Warn ..................................................................67
Enabling Enforcement Rule Alerts and Logging ..............................................67
Creating Enforcement Rules for Programs, Files and Keys ............................68
Anti-virus Rules ...............................................................................................70
Creating Client Enforcement Rules .................................................................74
Editing Enforcement Rules ..............................................................................75
Deleting Enforcement Rules ............................................................................76
Grouping Enforcement Rules ..........................................................................76
Adding Enforcement Rules to Policies ............................................................76
Configuring Compliance Check Settings .........................................................77
Adding Restriction Firewall Rules to Your Policy.............................................77
Configuring the Heartbeat Interval...................................................................77
Tracking Enforcement Rule Compliance .........................................................78
Creating Program Rules .......................................................................................79
Program Permissions ......................................................................................79
Program Groups ..............................................................................................80
Permission Precedence...................................................................................81
Global and Policy Permissions ........................................................................81
Program Evaluation Process ...........................................................................81
Program Observation ......................................................................................82
Using Checksums............................................................................................82
Planning Program Control ...............................................................................82
Creating Appscans ..........................................................................................85
Adding Programs Manually .............................................................................88
Creating Program Groups ...............................................................................88
Setting Program Permissions ..........................................................................89
Setting Policy-Level Permissions ....................................................................90
Configuring Alert Levels ..................................................................................91
Editing Anti-malware Settings ..............................................................................91
Enabling Updates ............................................................................................92
Enabling Support for Legacy Clients ...............................................................93
Configuring Anti-malware Protection ...............................................................93
Enforcing Anti-spyware Scans and Treatments ..............................................98
Editing SmartDefense Settings ............................................................................98
Configuring SmartDefense in a Policy .............................................................99
Editing Messaging Settings ..................................................................................99
Configuring MailSafe Protection in a Policy.....................................................99
Deploying Policies ..............................................................................................100
Creating Policy Packages ..................................................................................100
Simple View - Activating Policies .......................................................................100
Assigning Policies ..............................................................................................100
Policy Inheritance ..........................................................................................100
Assignment Order..........................................................................................102
Assigning Policies..........................................................................................103
Setting the Assignment Priority .....................................................................103
Monitoring Policy Assignment .......................................................................103
Rolling Back Policy Versions .............................................................................. 103
Exporting Policies ................................................................................................ 104
Deleting Policies ................................................................................................... 104
VPN Policies .......................................................................................................... 105
Using a Default VPN Policy ................................................................................105
Configuring the Default VPN Policy ...................................................................105
Creating a New VPN Policy ...............................................................................106
Managing Policy Templates................................................................................. 107
Preconfigured Policy Templates.........................................................................107
Creating a Policy Template ................................................................................107
Modifying a Policy Template ..............................................................................108
Withdrawing a Policy Template ..........................................................................108
Deleting Policy Templates ..................................................................................108
Program Advisor................................................................................................... 109
Program Advisor Server .....................................................................................109
Client Program Advisor Process ........................................................................109
Endpoint Security Server Program Advisor Process ..........................................111
Enabling Program Advisor .................................................................................112
Viewing Program Advisor Recommendations ....................................................112
Overriding Program Advisor Recommendations ................................................113
Managing Unknown Programs ...........................................................................113
Managing Updates ................................................................................................ 114
Overview of Updates ..........................................................................................114
Update Delivery Process ....................................................................................115
Update Staging Process ....................................................................................115
Making Updates Instantly Available ...................................................................116
Configuring Automatic Client Updates ...............................................................116
Configuring Client Update Staging .....................................................................116
Deploying or Rejecting Previewed Updates .......................................................117
Offline Updates ..................................................................................................117
Monitoring Anti-Malware Activity ........................................................................ 117
Monitoring Infection Activity on Endpoints..........................................................118
Monitoring Infection History ................................................................................118
Monitoring Scan and Update Status ..................................................................118
Gateways and Cooperative Enforcement ........................................................... 120
Introduction to Cooperative Enforcement ...........................................................120
Configuring Cooperative Enforcement ...............................................................121
Adding Gateway Catalogs .............................................................................122
Testing Gateway Cooperative Enforcement ..................................................124
Adding Gateway Groups ...............................................................................125
Supporting the User ............................................................................................. 126
Educating the Endpoint User .............................................................................126
Informing Endpoint Users in Advance ...........................................................126
Providing Information About Your Security Policy .........................................127
Describing the Distribution Process...............................................................127
Providing Remediation Resources .....................................................................127
Using Alerts for User Self-help ......................................................................127
Using the Sandbox for User Self-Help...........................................................127
Recommended Sandbox Customizations .....................................................128
Preparing your Help desk Staff ..........................................................................129
Documentation ..............................................................................................129
Training..........................................................................................................129
Distributing Endpoint Security Client ................................................................. 129
Upgrading the Client ..........................................................................................129
Client Installation Packages ...............................................................................129
Policies in Client Installations .............................................................................130
VPN Options ......................................................................................................130
Migrating from Check Point SecureClient (Optional) .....................................130
Planning Your VPN Configuration .................................................................132
Workflow for Configuring and Deploying VPN in Packages ..........................132
Installation Options .............................................................................................133
Install Key (Password) ...................................................................................133
Setting Install Key ..........................................................................................133
Silent Installations and Upgrades ..................................................................134
Connection Information .................................................................................134
User Identification ..........................................................................................134
Custom Parameters.......................................................................................134
Importing Client Executables .........................................................................135
Creating Client Packages ..............................................................................136
Exporting Client Packages ............................................................................136
Distributing the Client Package URL .............................................................136
Client Connectivity Report .............................................................................137
Client Version Report ....................................................................................137
Command Line Switches ...............................................................................137
Distributing Client with GPO ...............................................................................138
Distributing Client with Command-Line ..............................................................139
Command-Line Syntax ..................................................................................139
MSI Switches .................................................................................................139
MSI Error (Return) Codes..............................................................................140
Uninstalling Clients .............................................................................................. 140
Silently Removing a Client .................................................................................140
Uninstalling MSI files ..........................................................................................140
Uninstalling Using Product Code .......................................................................140
Obtaining Product Code ................................................................................141
Uninstalling Using a Script .................................................................................141
Configuring Office Awareness ............................................................................ 142
Overview of Office Awareness ...........................................................................142
Using Office Awareness Servers........................................................................142
Using the Office Awareness Beacon ..................................................................143
Beacon Details ..............................................................................................143
Installing a New Beacon Server ....................................................................143
Establishing Communication .........................................................................144
Registering the Beacon Server......................................................................144
Configuring an Existing Server ......................................................................144
Linux Agent Installation and Configuration ....................................................... 146
Deployment Workflow ........................................................................................146
Managing Linux Groups .....................................................................................146
Creating the Linux Policy ...................................................................................147
Supported Policy Settings .............................................................................147
Understanding Policy Enforcement on Linux .....................................................148
Disconnected Policy for Linux - Options ........................................................148
Managing Linux Disconnected Policy ............................................................148
Installation of Client on Linux .............................................................................149
Installation Methods.......................................................................................149
Installing with Installation Script.....................................................................150
Uninstalling with Installation Script ................................................................151
Installing using the Endpoint Security Agent RPM ........................................151
Customizing the Endpoint Security Agent Configuration....................................154
Configuration File Settings ............................................................................154
Changing Connection Manager Address.......................................................155
Changing cm_auth Parameter.......................................................................156
Running Endpoint Security Agent ......................................................................156
Using the Command Line Interface ...............................................................156
Using the Service Manager ...........................................................................157
Checking the Log...........................................................................................157
Setting Log Upload Parameters ....................................................................158
Configuration and Maintenance .......................................................................... 159
Managing Your Products ....................................................................................159
Licensing .......................................................................................................159
Version Information .......................................................................................160
Starting and Stopping Services .....................................................................160
Uninstalling Check Point Products - Windows ...............................................161
Uninstalling Check Point Products - Linux.....................................................161
Uninstalling Check Point Products - SecurePlatform ....................................161
Managing Communication .................................................................................162
Windows Firewall...........................................................................................162
Allowing Endpoint Hotspot Registration ........................................................162
Disabling Wireless on LAN ............................................................................163
Proxy Configuration .......................................................................................163
Configuring a RADIUS Server .......................................................................164
Certificate Management ................................................................................165
Changing your JDBC IP Address ..................................................................166
Heartbeats .....................................................................................................166
Client Logging................................................................................................166
Managing Data ...................................................................................................167
Events and Logging .......................................................................................167
Configuring Recommended Event Logs ........................................................167
Using SNMP with Endpoint Security .............................................................170
Trap Formats .................................................................................................170
Linux Configuration........................................................................................170
Managing Events ...........................................................................................170
Managing Disk Space....................................................................................171
Data Backup and Restore .............................................................................171
Log Purging ...................................................................................................172
Administrator Console Navigation ...................................................................... 173
Administrator Console Navigation Reference ....................................................173
Legacy VPN CLI .................................................................................................... 180
Commands .........................................................................................................180
Security Gateway Configuration ......................................................................... 182
Configuring Multiple Entry Point (MEP) ..............................................................182
Configuring Endpoint Compliance ......................................................................183
Enforcement Rules in the Endpoint Security Policy ......................................183
Configuring Secure Configuration Verification (SCV) ....................................184
Configuring Location Awareness .......................................................................184
Index ...................................................................................................................... 185
Chapter 1
Introduction
Endpoint Security allows you to centrally manage all endpoints: centralized organization of nodes in the
environment, and centralized deployment, monitoring, and configuration of all Endpoint Security features on
all endpoints. Endpoint Security is integrated with other Check Point products for complete unified security
management.
In This Chapter
Policies 9
Policy Components and Settings 9
Using Endpoint Security Administrator Console 9
Integration With Other Check Point Products 10
System Architecture 11
Policies
Policies are how you deliver security rules to your endpoint users. Administrators create enterprise policies
using the Endpoint Security Administrator Console and assign them to endpoint users or groups of endpoint
users. Endpoint Security deploys these enterprise policies to endpoint computers, where the Endpoint
Security clients receive and enforce them. You can create connected and disconnected enterprise policies
for your users. If your users have Flex, they may also configure a personal policy for themselves.
Page 9
Log into the Endpoint Security Administrator Console at:
http://<Endpoint Security IP Address>/signon.do
Switching Views
In Single mode, Endpoint Security starts in Simple view. After installation, you can choose to change to
Advanced view.
You can also switch from Advanced to Simple view, but only if you have not used features that are not
included in Simple view. If you have used Advanced features, the Change View option is not available.
To switch between views:
1. At the top of the Endpoint Security Administrator console (in Single mode only), click Change View. The
Confirm Change View page opens.
2. Click Change View.
• Unified Logging, Reporting, and Monitoring – Endpoint Security logs are stored in a format that
makes them readable by third party and Check Point Products, such as SmartView Tracker, Eventia
Reporter and Eventia Analyzer. This has the following advantages:
• Logs use a file system instead of a database, which allows you to archive and rotate the logs in the
same way as other Check Point logs.
• Log info is stored locally if the remote logging server is unavailable.
• Perimeter, internal, and Web Security events are all logged in one place.
• Using Eventia Reporter you can schedule reports to run during periods of low system use. You can
also e-mail reports to other people, and upload reports to a Web site.
• Using SmartView Tracker, you can view logs in real time using a thick client application. The client
application provides easy log navigation and filtering.
• Certain reports in SmartPortal are available from the Endpoint Security Administrator console. See
Monitoring Client Security. This allows you to view the detailed reports you are interested in directly
from the Endpoint Security Administrator Console.
• SmartView Monitor displays real time Endpoint Security statistics, along with all other Check Point
events.
• Shared Administrator Logins – You can use the same login for Endpoint Security as you do for other
Check Point products. SmartDashboard automatically creates an Integrity object upon installation and
grants Endpoint Security access to all administrators with SmartDashboard access.
Note - Administrator accounts created in SmartCenter can launch Endpoint
Security using the same read/write privileges assigned to them in
SmartCenter. However, these administrators are not able to create
administrator accounts in Endpoint Security.
You cannot create administrator accounts in SmartCenter using the roles
and role permissions available in Endpoint Security (for example, you
cannot create an administrator account with the ability to assign Policies,
but not edit Policies, or an account with only the ability to run reports). To
create these types of accounts you must log directly into Endpoint Security
using the masteradmin login.
System Architecture
The Endpoint Security system consists of two basic components: Endpoint Security Server, and the
Endpoint Security clients installed on your endpoint computers. You can also optionally include other items
in your system, such as gateways, RADIUS servers and LDAP servers.
All Endpoint Security Installations include SmartPortal, which provides reporting functionality, and other
Check Point components that function in the background.
Figure 1-1 Basic Endpoint Security Architecture
Administrator Console
The Endpoint Security Administrator Console is the graphical user interface you will use to create your
security Policies and deploy them to your users. You can also use the Administrator Console to pre-package
Endpoint Security client executables with configuration settings and Policies before you deliver them to your
users.
Agent Client
Use Endpoint Security Agent when you want to centrally manage security at all times. It has a simpler
interface and fewer messages, and does not allow the user to control security settings. This client is useful
for computers that belong to your organization, over which you have full legal control.
If you use the version of Agent that also has VPN capability, the users are provided with an interface to
configure their VPN and to manage some Anti-virus and Anti-spyware functions.
If endpoint users have the Agent client, without VPN, new networks are added by default to the Trusted
Zone and newly detected programs are allowed. This makes it less secure than Flex when the personal
policy is active. If you want to use Agent for remote users or users with laptops, you should specify a
Disconnected Policy to increase security.
Agent supports both Windows and Linux.
Flex Client
Use Flex when you want the endpoint user to control more security settings, and under certain conditions to
get prompts to make security decisions. Flex users can create personal security Policies for use while not
connected to your network.
Generally, use Flex for expert users who are familiar with security issues. Flex is also useful when you want
to provide Endpoint Security for computers you do not own and over which you are legally restricted from
exercising too much control.
The Flex client includes a user interface called the Check Point Flex Control Center. Endpoint users use the
Control Center to configure personal Policies. (To access the Flex Control Center, right-click the Endpoint
Security icon in the system tray and choose Show Client.)
Chapter 2
Getting Started
To help you get started with Endpoint Security, to set up and deploy security measures as quickly as
possible, this section provides recommendations for planning and step-by-step tasks for initial configuration
and deployment on clients.
In This Chapter
While you can configure Endpoint Security to arbitrate between security models, it is easier to begin with
only one security model. Choose the security model that best fits the way your company network is
organized and gather relevant information.
There are several options for catalog types, but for Getting Started, we will assume that you are using either
an IP-based system or LDAP using Microsoft Active Directory. If you choose the LDAP option for this
sample configuration, you will need the following information:
• Primary Host
• User Filter
• Group Filter
• User-ID Attribute
• Server Port
• Base DN
• Administrator Name
• Administrator Password
Policy Stages
The following sections explain how to secure your system using the following stages:
1. Distributing Your First Policy — Achieve a basic level of security immediately by distributing the pre-
configured Policy.
2. Creating a Basic Policy — Modify the default Policy using some basic features.
3. Creating a More Advanced Policy — Add some more features to your basic Policy.
4. Creating Custom Policies — Create catalogs and assign specialized Policies to the users in those
catalogs.
Default Policy
Check Point provides you with a pre-configured, default policy that you can use as your first policy. This
policy includes some basic security features. Use the default policy as your first policy, without making any
changes to it.
Perform the tasks in the following order to create your basic policy:
1. Configuring Zones (on page 16)
2. Configuring Program Advisor (on page 18)
3. Deploying the Policy (on page 19)
4. Testing Policy and Zones (on page 19)
Configuring Zones
Endpoint Security uses Zones to control network activity. Divide your network into the Access Zones of
Trusted, Blocked, and Internet; and then set security levels for those Zones.
Trusted: Include in this Zone all the locations that you trust and that your users need access to. For
example: DNS, Mail Server, Domain Controller, File and Print servers. Do not place your entire network in
the Trusted Zone.
Blocked: Include in this Zone all the locations that you do not want your endpoint users communicating
with. You may choose to include dangerous or undesirable locations, or internal locations that you want to
restrict access to, such as Human Resources servers.
Defining Zones
In this task you define the Trusted Zone and the Blocked Zone for your endpoint users. The first step is to
define Locations: a host, site, IP address, IP range, or subnet that you can define as either trusted or
untrusted.
To define locations:
1. Click Policies.
2. In the Default Policy row, click Edit.
You are now redefining security settings for your default policy. The security settings you define in this
policy will apply to all users who are not assigned a custom policy.
3. Click Access Zones.
4. In the Define Zones area, click Add.
The Add Locations to Zones page opens.
5. Click New Location and choose the location type from the drop-down.
The New Location page opens, with the fields relevant to the selected location type.
6. Provide the information for the location.
7. Click Save.
8. Add all locations that you can define now.
After defining locations, add them to either the Trusted Zone or the Blocked Zone.
To define the Trusted Zone:
1. In the Add Locations to Zone page, select the locations that you want to add to the Trusted Zone.
2. In the Add to Zone drop-down, select Trusted Zone.
3. At the top of the page, click Add.
Zone Rules
Zone rules control the traffic to and from the Access Zones you have defined for a selected policy. This task
is performed in the Edit Policy page > Access Zones tab and shows the recommended settings.
To set Zone rules:
1. In the Security Rules for Internet Zone area, click Show Settings.
2. From the Security Level drop-down, choose High.
3. In the Security Rules for Trusted Zone area, click Show Settings.
4. From the Security Level drop-down, choose Medium.
5. In the Advanced Security Settings area, click Advanced.
6. Make sure Block fragments at all security levels is cleared.
7. Click Save.
You have now configured your Access Zones in your default policy.
If a program is not handled by either Program Advisor or a custom program group, it is placed in the
unknown program group. By default, the unknown program group permissions are all set to block. These
permissions apply to all the programs in the group until you override them with specific, custom permissions.
Make Settings Available To Unconnected Clients: Includes the group settings in the policy file that is sent
to the endpoint computer. If this option is not selected, and a program is not governed by either an
individual program permission or by Program Advisor, clients that cannot connect to the Endpoint Security
server will use the permissions for unknown programs.
Terminate all programs in this group: Choose this option to shut down all the programs that are in the
group.
Use the following settings for the programs in this group: Choose this option to specify permissions
(allow, block, ask user) for this program to act as client and as server, in the Trusted Zone or the Internet
Zone.
6. Click Save.
By default, this group will be the highest ranking group. Programs are controlled by the permissions of
the first group they match, so Firefox will be blocked by this rule, instead of being allowed by the
browsers rule.
7. Redeploy your Policies.
Although you can configure program permissions at both the global and the policy level, both settings
are included in your security policy. You must redeploy your policy to have either global or policy-level
changes take effect.
Assigning Policies
After you configure and deploy the default policy, you can create more specific security Policies and assign
them to users. The most efficient and consistent method is to create catalogs (groups of users) and assign
customized Policies to relevant catalogs.
To perform these tasks, if you are in Single mode and Simple view, switch to Advanced view.
Creating Catalogs
Use catalogs to sort your users into groups for the purpose of assigning security Policies. You may wish to
assign Policies according to user catalogs or according to IP range, depending on how your company
network is organized. This section will use LDAP with Microsoft Active Directory as an example of a user
catalog, but other options are available and are created in a similar way.
Creating an IP Catalog
Create an IP catalog to assign a policy to users according to their IP range.
To create an IP catalog
1. Click Endpoints.
2. Click New Catalog and choose IP Catalog.
3. In IP Catalog Name, provide a name for the user group.
4. In Address Range, provide the relevant IP addresses.
5. Click Save.
In This Chapter
Multi-Domain Administrators 25
System Domain and Non-System Domains 25
Checking Your Domain 26
Switching Domains 27
Creating Domains 27
Deleting Domains 27
Multi-Domain Administrators
Multi-Domain mode has different types of administrators.
Table 3-1 Global and Domain administrators
Roles Description
Table 3-2 System and Non-System Domains
System Domain: This domain provides centralized control for creating new domains and performing tasks
that involve the entire system. The System Domain is created when you install Endpoint Security and is the
Domain you see the first time you log in as a Global Administrator. There is only ever one System Domain
and only Global Administrators have access to it.
Non-System Domains: These domains are created in the System Domain. The tasks performed here affect
only the endpoint users in this domain.
The administrative tasks you perform will vary depending on whether you are in the System Domain or a
Non-System Domain in Multi-Domain mode, or if you are in Single mode.
Table 3-3 Tasks Available in Different Domains
Domains and Catalogs
  System Domain tasks: Create Domains.
  Non-System Domain or Single mode tasks: Create Catalogs and Groups.
Default Policy
  System Domain tasks: Set the Default Policy settings. The default policy is inherited by all the domains
  you create.
  Non-System Domain or Single mode tasks: Inherits the Default Policy from the System Domain. You can
  make changes to the Default Policy to refine your security, or use the default policy as a template for
  new Policies.
Policy Templates
  System Domain tasks: Create policy templates and publish them for use in Non-System Domains.
  Non-System Domain or Single mode tasks: Use the policy templates to create new Policies.
Policy Objects
  System Domain tasks: Create any policy objects that you think will be universally useful for your
  Domains.
  Non-System Domain or Single mode tasks: Use the policy objects you inherited from the System Domain
  to create Policies. You can also create policy objects for your domain.
Creating Domains
You must be in the System Domain of a Multi Domain mode Endpoint Security to create a new domain.
To create a new domain:
1. Switch to the System Domain.
2. Click Domains.
The Domain Manager page opens.
3. Click New Domain.
The New Domain page opens.
4. Provide a Domain Name and Description.
5. Click Save.
Deleting Domains
Before you delete a domain, make sure you are prepared for the effects this will have on your
configurations, administrators, and endpoints users.
When you delete a domain, all the information for that domain is also deleted, including:
• Entities
• Domain Administrator information
• Sandbox pages
• Policies and Data Manager items
Note - To save policy information before deleting, export the policy
(Policies > Policy Manager > Export link of relevant policy).
If Domain Administrators are logged on when their domain is removed, they are automatically logged off. If
an endpoint user is logged on when their domain is removed, the user session is restricted or terminated
on the next heartbeat.
To delete a domain:
1. Switch to the System Domain.
2. Click Domains.
The Domain Manager page opens.
3. In the row of the domain, click Delete.
A confirmation dialog prompts you to verify your action.
4. Click Yes.
In This Chapter
Administrator Roles 28
Planning Administrator Configuration 30
Creating Roles 30
Creating Administrator Accounts 32
Editing Administrator Accounts 33
Deleting Administrator Accounts 33
SmartCenter Administrators 33
Administrator Roles
According to your environment, decide on the users who will have administrator roles, and which parts of the
organization each will manage.
If you choose to assign a Domain Administrator to a specific catalog, be aware that this administrator can
assign Policies only to members of that catalog and its groups.
Figure 4-2 Administrator Inheritance in Multi-Domain
• Administrator A has access to your entire system. This administrator can assign Policies to any user.
• Administrator B is assigned to Domain 2. Administrator B can view and change settings for the domain
(in Multi-Domain mode) or the entire organization (in Single-Domain mode) and can assign Policies to
users in this domain.
• Administrator C is assigned to Catalog 3. Administrator C can view and change domain settings, but can
only assign Policies to endpoint users in Catalog 3.
• Administrator D is assigned to Group 2. Administrator D can view and change settings for the domain (in
Multi-Domain mode) or the entire organization (in Single-Domain mode), but can only assign Policies to
endpoint users in Group 2.
You can limit the types of tasks an administrator can perform through the use of roles.
Each administrator must be assigned a role. Roles are composed of privileges, which determine the
Endpoint Security features the administrator can access.
Use roles as a convenient way to assign a set of privileges to administrators.
Privileges
Privileges consist of a set of read/write permissions for various Endpoint Security features.
For each privilege, there are three possible permission settings:
• No access - The administrator cannot access the feature. All links to the feature are hidden.
• Read - The administrator can view the feature, but cannot change settings or perform actions and
cannot see the controls.
• Read/Write - The administrator can access and change the settings and actions.
Creating Roles
You can create a new role by duplicating an existing role on the Role Manager page and then making edits,
or by defining an entirely new role.
To create a role:
1. Click System Configuration > Administrators > Manage Roles.
The Role Manager page opens.
Note - You cannot create a role with greater privileges than your own.
Endpoint Security does not display privileges for which you have
insufficient permission.
Privilege Description
Domain Manager: Add, edit, or delete entities and domains in Endpoint Security. (Available in the System
Domain only)
Firewall Rule Management: Create, edit, or delete firewall rules, source and destination address profiles,
and protocol and port profiles for use in security Policies.
Enforcement Rule Manager: Create, edit, and delete enforcement rules for use in security Policies.
Configure a reference client with the anti-virus software you want to enforce on your network.
Program Management: Edit and create program groups for use in security policy program control rules.
Import, edit and remove SmartSum reference source files.
Confirm Password: The password for this account. (Appears only when Administrator Authentication is
enabled)
SmartCenter Administrators
Administrator accounts created in SmartCenter can launch Endpoint Security using the same read/write
privileges assigned to them in SmartCenter. However, these administrators are not able to create
administrator accounts in Endpoint Security. Also, you cannot create administrator accounts in SmartCenter
using the roles and privileges available in Endpoint Security. To create these types of accounts you must log
directly into Endpoint Security using the masteradmin login.
In This Chapter
User Catalogs
Use user catalogs to assign Policies according to the department or location of the endpoint users. For
example, to allow the Human Resources department users to have access to computers with employee
information, while preventing access by other users, define user catalogs for HR and other departments,
and assign one policy with this specific permission to HR group.
If a user belongs to multiple catalogs and groups, and each catalog and group is assigned a different policy,
the user gets the policy of the catalog that was added first.
Important - When you add active directory catalogs, make sure you
add them in order of importance.
For example, if UserA is in the LDAP directory and also in a custom catalog, decide which policy (the policy
for the LDAP catalog of users or the policy for the custom catalog of users) should have preference for users
and add that catalog first.
Custom Catalogs
Use custom catalogs in conjunction with the User ID field in the client packager to create your own catalogs,
according to your policy needs. After you have created your custom catalog, create and deploy client
packages (with the appropriate values in the User ID field) to the users you want to include in the catalog.
To create a custom catalog:
1. Click Endpoint.
The Endpoint Manager page opens.
2. Click New Catalog and select Custom.
3. Provide a name and description.
4. Click Save.
To add users to a custom catalog:
1. Click Client Configuration.
2. Click New Package and select a client type, or click an Edit link.
3. In the Edit Client page, open the Advanced Settings tab.
4. In the Custom User ID field, provide: manual://<Catalog_Name>
All endpoint machines that receive the package will belong to the custom catalog you specify here, and
will receive the Policies assigned to that catalog.
LDAP Catalogs
Use LDAP catalogs to organize your users according to the directory groups in your existing LDAP.
Endpoint Security supports LDAP (Lightweight Directory Access Protocol) servers that implement LDAP
version 2 (RFC 1777) or version 3 (RFC 2251). Endpoint Security provides the configuration filters for Novell
eDirectory for Windows, Netscape Directory Server for Windows 2000, and Windows Active Directory Service
(native/mixed mode). If you are using any other LDAP server, you must have the user and group filter
information to import the directories. For more information, see your LDAP provider's documentation.
Parent Name: The name of the domain to which the catalog belongs.
Primary Host: The fully qualified host name (in FQDN format) or IP address of the primary host server.
The first part of the host name should be in uppercase. To ensure a match with what the endpoint
transmits, you should also repeat the uppercase host name in the list of secondary hosts.
User Filter: The user filter indicates how to find the user attributes. If you select a standard provider in
the Catalog Subtype field, Endpoint Security provides the value automatically. If you select the Custom
catalog subtype, this field will be blank and you must enter a value. For example, the filter
(|(objectClass=user)(objectClass=person))
consists of LDAP attributes and Boolean expressions telling Endpoint Security to import LDAP objects of
class user or person.
Group Filter: The group filter indicates how to find the group attributes. If you select a standard provider
in the Catalog Subtype field, Endpoint Security provides the value automatically. If you select the Custom
catalog subtype, this field will be blank and you must enter a value. For example, the filter
(!(|(objectClass=user)(objectClass=person)))
consists of LDAP attributes and Boolean expressions telling Endpoint Security to import LDAP objects of
classes other than user or person. (Every filter item, including the negation, must be enclosed in its own
parentheses; a filter that begins with a bare ! is not valid LDAP filter syntax.) Note that a negated filter
like this one also matches containers such as organizational units, so it imports more than group objects;
for Active Directory, a filter that names the group object class directly, such as (objectClass=group), is
more precise.
Secondary Host and Port: The name of the primary and secondary hosts and ports. To ensure a match with
what the endpoint transmits, you should also repeat the uppercase host name here. Include secondary host
names if the primary machine has more than one host name and address. Use commas to separate host
names. For example,
172.1.1.1,HQDHCP1.zonelabs.com,ZLDC2
demonstrates that alternate host names are comma-delimited. If alternate port numbers exist, separate
the port number from the host with a colon. For example, 172.1.1.1:489 demonstrates that the port
number follows a colon. If you do not enter a port number, then each host's port number defaults to the
primary port number that you entered in the Server Port field. However, if you do type a port number,
then the port number in this field overrides the primary port number (entered in the Server Port field).
Proxy Login Server: Check this box to designate the catalog (and, by extension, the associated external
user directory) to use for proxy login. Proxy login is the method the Endpoint Security server uses to
identify users when it cannot obtain authentication confirmation directly from the client. In such cases,
Endpoint Security proxies authentication to the user directory that is the source of the designated catalog.
Make note of the catalog you designate for proxy login, and be prepared to tell users which user ID to
supply if Endpoint Security prompts them for proxy login.
Auto Add: Checking this box turns on the auto-add feature for this catalog. Auto-add allows users that are
not found in the catalog to be automatically added to it.
You can import information from any server that conforms to the LDAP 2.0 or later specification using
the Custom Catalog Subtype. For information about filtering syntax, see the documentation for that
LDAP provider.
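The following is an added example, not part of the Check Point guide or its product: a small parser and evaluator for the LDAP search-filter syntax (RFC 2254) that the User Filter and Group Filter fields use. It lets you check a custom filter before typing it into the console, and shows which of a set of constructed directory entries each filter would import. It handles only the &, | and ! operators and equality or presence items (no substring or extensible matches, and no right parenthesis inside a value); the directory entries and DNs are constructed for the example.

```python
"""Minimal LDAP search-filter (RFC 2254) parser and evaluator.

Added example, not from the Check Point guide. Parses a filter into a tree,
rejects filters whose items are not parenthesised, and evaluates the tree
against in-memory entries to show what a User Filter or Group Filter selects.
"""


def parse_filter(text):
    """Return ('&'|'|'|'!', [children]) or ('=', (attr, value)); raise ValueError on bad syntax."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters after filter at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}: every filter item must be parenthesised")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":                                  # conjunction / disjunction of one or more items
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if not children or i >= len(s) or s[i] != ")":
            raise ValueError(f"bad {op} list ending at offset {i}")
        return i + 1, (op, children)
    if s[i] == "!":                                   # negation of exactly one item
        i, child = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' after negated item at offset {i}")
        return i + 1, ("!", [child])
    end = s.find(")", i)                              # simple item: attr=value or attr=*
    if end < 0 or "=" not in s[i:end]:
        raise ValueError(f"bad simple item at offset {i}")
    attr, value = s[i:end].split("=", 1)
    return end + 1, ("=", (attr.strip().lower(), value))


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict of lower-case attribute -> list of values)."""
    op, payload = node
    if op == "&":
        return all(matches(child, entry) for child in payload)
    if op == "|":
        return any(matches(child, entry) for child in payload)
    if op == "!":
        return not matches(payload[0], entry)
    attr, value = payload
    values = entry.get(attr, [])
    if value == "*":                                  # presence test, e.g. (mail=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)   # objectClass values compare case-insensitively


def select(filter_text, entries):
    """Return the DNs of the entries the filter would import, in directory order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]


# Constructed sample directory (hypothetical Active Directory entries).
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice,OU=HR,DC=example,DC=com",
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "samaccountname": ["alice"]},
    {"dn": "CN=svc-backup,OU=Service,DC=example,DC=com",
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "samaccountname": ["svc-backup"]},
    {"dn": "CN=HR Staff,OU=HR,DC=example,DC=com",
     "objectclass": ["top", "group"],
     "member": ["CN=Alice,OU=HR,DC=example,DC=com"]},
    {"dn": "OU=HR,DC=example,DC=com",
     "objectclass": ["top", "organizationalUnit"]},
]

USER_FILTER = "(|(objectClass=user)(objectClass=person))"
GROUP_FILTER = "(!(|(objectClass=user)(objectClass=person)))"   # negation wrapped in its own parentheses

if __name__ == "__main__":
    print("users :", select(USER_FILTER, SAMPLE_ENTRIES))
    print("groups:", select(GROUP_FILTER, SAMPLE_ENTRIES))
```

Running it shows the two user entries for the user filter and, for the negated group filter, both the group and the organizational unit, which is why a filter that names the group object class is tighter when the directory supports it. Passing the filter with the leading ! outside any parentheses raises ValueError, which is the check you want before saving a custom catalog.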
NT Domain Catalogs
Use NT Domain catalogs to organize your users according to the directory groups in your existing NT
Domain.
Auto Add: Enables the auto-add feature for this catalog. Auto-add allows users that are not found in the
catalog to be automatically added to the proxy catalog.
5. If you chose Select groups to import, click Import Groups to display a list of NT Domain groups to
import, and click the arrows to choose groups to import and to set the priority.
Although a user can exist in more than one group within an NT Domain, the user cannot exist in more than
one Endpoint Security group. Therefore, Endpoint Security establishes an order of priority when it
imports specific groups from NT Domains.
• If a user exists in more than one NT Group, Endpoint Security places the user only in the higher-
priority group.
• If the user name is not present in any NT Groups, it is added to the top level domain group when
imported.
6. Click Save.
RADIUS Catalogs
If you are going to assign Policies only at the RADIUS directory level and not at the individual user level, you
do not need to import the RADIUS catalogs. Endpoint Security adds users when they are successfully
authenticated during proxy login and assigns the RADIUS catalog-level policy automatically, if you use the
Auto Add feature. Endpoint Security supports RFC 2865-compliant RADIUS software.
Auto Add: Enables the auto-add feature for this catalog. The auto-add feature allows users that are not
found in the catalog to be automatically added to the proxy catalog.
User Data File: The fully-qualified path to the user data file, which contains the exported RADIUS user
information.
Windows example: C:\checkpoint\MyRADIUSUserFile
UNIX example: /checkpoint/MyRADIUSUserFile
Server Port: The server port on which the RADIUS server listens for connection requests. This field defaults
to 1812.
Secondary Host and Port: The name of a secondary host and port. Use this field if the primary machine has
more than one host name and address, or if you are clustering or load balancing.
Authenticating Users
Endpoint Security imports user directory information from LDAP, NT Domain, and RADIUS servers, allowing
endpoint users to be authenticated against those directories.
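The exchange behind RADIUS proxy login, as an added example that is not part of the guide or the product: both sides of an RFC 2865 Access-Request / Access-Accept round trip in one process. The client side stands in for the Endpoint Security server forwarding a user's credentials; the RADIUS server side is a constructed stand-in with an in-memory user table. The NAS-Identifier value, user names, passwords and shared secret are all made up for the example.

```python
"""RFC 2865 RADIUS Access-Request / Access-Accept exchange, both sides in one process.

Added example, not from the Check Point guide. Shows how the client hides the
User-Password under the shared secret and how the reply is authenticated, so a
reply from a host that does not know the secret is rejected.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def encode_attrs(items):
    """Attributes are TLVs: 1-byte type, 1-byte length (header included), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in items)


def decode_attrs(data):
    out, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with MD5(secret + previous output block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for k in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[k:k + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for k in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[k:k + 16], mask))
        prev = hidden[k:k + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, ident, request_auth=None):
    """Client side. The 16-byte Request Authenticator must be fresh and unpredictable per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, request_auth)),
                          (NAS_IDENTIFIER, b"eps-server")])      # hypothetical NAS name
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def radius_server(packet, secret, users):
    """Server side: recover the password, decide, and sign the reply with the Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = hmac.compare_digest(users.get(attrs.get(USER_NAME, b""), b"\x00"), password)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)   # no reply attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request_auth + secret).digest()


def verify_reply(reply, request, secret):
    """Client side: trust a reply only if its identifier matches and its authenticator recomputes."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


def proxy_login(username, password, secret, users, ident=7):
    """Full exchange; True on Access-Accept, False on Access-Reject, ValueError on a bad reply."""
    request = build_access_request(username, password, secret, ident)
    reply = radius_server(request, secret, users)      # in a real deployment this crosses the network
    if not verify_reply(reply, request, secret):
        raise ValueError("reply failed the Response Authenticator check")
    return reply[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    USERS = {b"alice": b"correct horse"}               # constructed user table
    print("alice, correct password:", proxy_login(b"alice", b"correct horse", b"s3cret", USERS))
    print("alice, wrong password  :", proxy_login(b"alice", b"wrong", b"s3cret", USERS))
```

Two points the code makes concrete: the User-Password attribute is hidden with an MD5 keystream derived from the shared secret and the Request Authenticator, which is obfuscation rather than authenticated encryption, and the Access-Request itself carries no integrity check in RFC 2865 (the Message-Authenticator attribute of RFC 2869 is optional). The strength of the shared secret and the network path between the Endpoint Security server and the RADIUS server therefore matter.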
Scheduling Synchronization
You can configure Endpoint Security to automatically synchronize with your LDAP or NT Domain user
directory.
It is recommended that you synchronize small catalogs daily. If your catalogs are large and synchronizations
take too long, you may wish to synchronize weekly.
To configure automatic synchronization:
1. In Single-Domain or Simple mode: Go to the Endpoint Manager page.
In Multi-Domain mode: Switch to System Domain and go to the Domain Manager page.
2. In the Synchronize drop-down menus, specify the day and time to synchronize.
3. Click Update.
Manual Synchronization
To manually synchronize a catalog:
1. Go to the Endpoint Manager page.
2. In the row for the catalog, find the Synchronize button.
IP Catalogs
Use IP Catalogs if your users are organized by IP range.
To create an IP Catalog:
1. Click Endpoints.
The Endpoint Manager page opens.
2. Click New Entity and choose IP Catalog.
3. Complete the fields with the appropriate information.
IP Catalog Fields
Address Range: The IP address range to include in the catalog. The IP range must be unique across all
domains.
Subnet Mask: The subnet mask to include in the catalog, if any. Enter the IP address and then the subnet
mask. For example, 172.18.22.160 / 255.255.254.0.
4. Click Save.
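Because the IP range of a catalog must be unique across all domains, the following added example (not from the guide or the product) checks a set of catalog definitions for overlapping ranges and shows which catalogs a given endpoint address would fall into. It parses the two notations the guide shows, an address range and an address with a subnet mask, plus a single address; the catalog names and addresses are constructed.

```python
"""IP catalog range check. Added example, not from the Check Point guide.

Parses the range notations shown in the guide, reports catalogs (possibly in
different domains) whose ranges overlap, and resolves an endpoint address to
the catalogs that contain it.
"""
import ipaddress


def parse_entry(text):
    """'a.b.c.d - w.x.y.z', 'a.b.c.d / mask' (host bits tolerated, as in the guide's example), or one address."""
    text = text.replace(" ", "")
    if "-" in text:
        low, high = (ipaddress.ip_address(p) for p in text.split("-", 1))
        if low > high:
            raise ValueError(f"range {text!r} is reversed")
        return list(ipaddress.summarize_address_range(low, high))
    return [ipaddress.ip_network(text, strict=False)]


def find_overlaps(catalogs):
    """catalogs: {name: [entry strings]} across all domains; returns sorted (name_a, name_b) pairs that overlap."""
    nets = [(name, net) for name, entries in catalogs.items() for e in entries for net in parse_entry(e)]
    clashes = set()
    for i, (a, net_a) in enumerate(nets):
        for b, net_b in nets[i + 1:]:
            if a != b and net_a.overlaps(net_b):
                clashes.add(tuple(sorted((a, b))))
    return sorted(clashes)


def catalogs_for(ip, catalogs):
    """Names of every catalog whose ranges contain ip; more than one means the assignment is ambiguous."""
    addr = ipaddress.ip_address(ip)
    return sorted({name for name, entries in catalogs.items()
                   for e in entries for net in parse_entry(e) if addr in net})


CATALOGS = {   # constructed definitions
    "HR": ["172.18.22.160 / 255.255.254.0"],   # the guide's example: host bits set, so the network is 172.18.22.0/23
    "Lab": ["172.18.23.0/24"],                 # sits inside that /23
    "Finance": ["172.18.24.0 - 172.18.24.255"],
}

if __name__ == "__main__":
    print("overlapping catalogs:", find_overlaps(CATALOGS))
    print("172.18.23.5 belongs to:", catalogs_for("172.18.23.5", CATALOGS))
```

Note that the guide's own example, 172.18.22.160 with mask 255.255.254.0, has host bits set; the code follows the guide and treats it as the enclosing /23, which is why it overlaps the Lab catalog.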
Groups
Add user groups to custom catalogs and IP catalogs.
To create a group:
1. Click Endpoints.
The Endpoint Manager page opens.
2. Click the name of the catalog to which you want to add the group.
The Endpoint Manager page refreshes and the New Group button is now available.
3. Click New Group.
4. In the Group Name field, type a name for the group.
Every group in a catalog must have a unique name, but user groups in different catalogs may have the
same name.
5. Click Save.
To add users to a group:
1. Click Client Configuration.
2. Click New Package and select a client type, or click an Edit link.
3. In the New or Edit Client page, open the Advanced Settings tab.
4. In the Custom User ID field, provide: manual://<Catalog_Name>/<Group_name>
5. If this is a new package, provide Package Name.
6. Click Save.
All endpoint machines that receive the package will belong to the catalog and group you specify here,
and will receive the Policies assigned to that catalog or group.
In This Chapter
Understanding Policies 44
Using a Default Policy 53
Creating Policies Using a Policy Template 53
Creating a Policy Using a File 54
Creating Access Zones as Policy Objects 55
Creating Firewall Rules as Policy Objects 59
Creating Enforcement Rules as Policy Objects 63
Creating Program Rules 79
Editing Anti-malware Settings 91
Editing SmartDefense Settings 98
Editing Messaging Settings 99
Deploying Policies 100
Creating Policy Packages 100
Simple View - Activating Policies 100
Assigning Policies 100
Understanding Policies
Enterprise Policies provide centralized management of your Endpoint Security. Administrators create
enterprise Policies and assign them to domains (in Multi-Domain mode) or endpoints.
Depending on your organization's security needs, you may wish to enforce different Policies when endpoints
are connected to or disconnected from your network. To do this, define your Policies and then designate
them as the connected or disconnected Policies.
Designate connected or disconnected when you assign the policy to users.
Note - In Simple mode, when you activate the policy, you designate
its status.
Connected Policies
The connected enterprise policy is the policy that is enforced when the endpoint computer is connected to the
Endpoint Security server or, if you have configured Office Awareness, connected to your network. Generally,
this is a fairly restrictive policy. It is used not only to protect the endpoint computer from threats, but also to
protect other computers on your network and to enforce your corporate Policies. For example, a connected
policy might require more restrictive firewall rules, require a particular antivirus program, or block programs
that violate your company computer use Policies, such as illegal file sharing.
Disconnected Policies
The disconnected enterprise policy is enforced when the endpoint computer is not connected to your
network or to the Endpoint Security server. Sometimes this policy is less restrictive, but provides a minimum
level of security that you can then depend upon at all times. In other implementations, you may want this
policy to be more restrictive to prevent recreational use of endpoint computers.
Through the use of the Office Awareness feature, the client is able to tell whether or not the endpoint
computer is connected to your network. See Configuring Office Awareness (on page 142).
When the endpoint computer is not connected to your network, the connected policy is deactivated and the
disconnected policy comes into effect. The connected policy continues to try to connect to your network. The
disconnected policy doesn't send heartbeats. Once the connected policy successfully connects to the
network, it comes back into effect and disables the disconnected policy.
The goal of the disconnected policy is usually to protect the endpoint computer from the worst threats while
allowing the user more freedom. For example, a disconnected policy might require that the endpoint have
Anti-virus protection, but not be as strict about which brand or version. It might also allow users to run
entertainment programs that they are not allowed to run while connected.
If you do not want to control an endpoint computer's security when it is disconnected, you can omit the
disconnected policy. In the case of Flex users, the personal policy is enforced in the absence of a
disconnected policy.
Windows versions of Flex and Agent can use disconnected Policies. If you deploy a policy package to an
Agent for Linux, the disconnected policy within the policy package will be ignored. Agent for Linux will only
take the connected enterprise policy. Use the RPM Package builder to configure a disconnected policy for
Agent for Linux. For more information, see the Agent for Linux Installation and Administration Guide.
Unlike the personal policy, the disconnected policy is an enterprise policy, so it cannot be modified by the
endpoint user and can be centrally managed by the Endpoint Security server after installation.
Personal Policies
Flex users can create their own security Policies: personal Policies. The personal policy gives some
control over security management to the endpoint user, who defines the policy using the Flex Control Center
(user interface).
Agent users do not have access to personal policy settings, although Agent does include an empty personal
policy accessible only through a configuration file.
The personal policy is installed with the client by default. You can specify a pre-configured personal policy
through the client packager or the client parameters, depending on your client deployment method.
Policy Arbitration
If a Flex endpoint user has a personal policy, the Policies are arbitrated. Generally, the more restrictive
policy rule is the one that is enforced. Arbitration occurs with both the connected and disconnected
enterprise Policies.
For example, if the enterprise policy is configured to allow inbound traffic on port 135, but the personal policy
is configured to block it, the traffic will be blocked. Such traffic will also be blocked if the personal policy is
configured to allow it, and the enterprise policy is configured to block it.
To disallow arbitration on Flex clients:
1. While creating the policy for the Flex clients, open the Client Settings tab of the Edit Policy page.
2. Select Enforce enterprise Policies only.
Policy Packages
Policy packages are bundles of Policies that can be assigned together. Using packages, you can indicate
which policy to enforce as the connected policy and which to enforce as the disconnected policy.
Policy arbitration rules for policy packages are the same as policy arbitration rules for unpackaged
enterprise Policies. However, policy arbitration rules are enforced after the connection state determines
which enterprise policy is enforced. Then the enforced enterprise policy is arbitrated with the personal
policy.
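The two-stage selection described above (connection state chooses the enterprise policy, then that policy is arbitrated against a Flex user's personal policy), as an added worked example in Python. This is not Check Point code: policies are modelled as tables mapping a (direction, port) flow to "allow" or "block", a flow with no explicit rule is assumed to be allowed so that only explicit rules take part in arbitration, and the sample rules follow the port 135 case in the text.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Verdict = str                 # "allow" or "block"
Flow = Tuple[str, int]        # (direction, port), e.g. ("inbound", 135)
RuleTable = Dict[Flow, Verdict]


@dataclass
class PolicyPackage:
    """Bundle of the connected policy and the optional disconnected policy."""
    connected: RuleTable
    disconnected: Optional[RuleTable] = None   # None: no disconnected policy was packaged
    enforce_enterprise_only: bool = False      # Client Settings tab > Enforce enterprise Policies only


def select_enterprise_policy(pkg: PolicyPackage, connected: bool) -> Optional[RuleTable]:
    """Step 1: the connection state (server reachable, or Office Awareness reports the
    endpoint is on the corporate network) decides which enterprise policy is live."""
    return pkg.connected if connected else pkg.disconnected


def arbitrate(enterprise: Verdict, personal: Verdict) -> Verdict:
    """Step 2: the more restrictive rule is enforced, whichever side it came from."""
    return "block" if "block" in (enterprise, personal) else "allow"


def effective_verdict(pkg: PolicyPackage, personal: RuleTable, connected: bool, flow: Flow) -> Verdict:
    """Verdict the Flex client applies to one flow in the given connection state.
    Assumption (not from the guide): a flow with no explicit rule is treated as "allow"."""
    enterprise = select_enterprise_policy(pkg, connected)
    personal_verdict = personal.get(flow, "allow")
    if enterprise is None:
        # Disconnected and no disconnected policy packaged: the personal policy applies alone.
        return personal_verdict
    enterprise_verdict = enterprise.get(flow, "allow")
    if pkg.enforce_enterprise_only:
        # Arbitration disallowed: the enterprise policy is enforced as written.
        return enterprise_verdict
    return arbitrate(enterprise_verdict, personal_verdict)


# Constructed sample data following the port 135 example in the text.
RPC = ("inbound", 135)
GAME = ("outbound", 27015)
PACKAGE = PolicyPackage(
    connected={RPC: "allow", GAME: "block"},
    disconnected={RPC: "block", GAME: "allow"},
)
PERSONAL = {RPC: "block"}

if __name__ == "__main__":
    print(effective_verdict(PACKAGE, PERSONAL, connected=True, flow=RPC))   # block
    print(effective_verdict(PACKAGE, {}, connected=True, flow=RPC))         # allow
```

The order of the two steps matters: arbitration never compares the personal policy with the policy that is not currently in effect, so a personal rule can tighten but never loosen whichever enterprise policy the connection state selected.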
Firewall Rules
Firewall rules take a traditional perimeter firewall approach to securing the endpoint. Firewall rules block or
allow network traffic based on attributes of communication packets. You can use firewall rules to block or
allow traffic based on the following attributes:
• Source and/or destination locations
• Protocol and/or port
• Time and/or day the activity occurs
Zone Rules
In addition to firewall rules, you can also control network traffic through the use of Access Zones and Zone
Rules. Access Zones are groups of locations to which you assign the same network permissions: Trusted,
Internet, or Blocked. Zone Rules control network activity to and from your Zones.
Zone Rules
Zone rules control the traffic to and from the Access Zones you have defined for a selected policy. This task
is performed in the Edit Policy page > Access Zones tab and shows the recommended settings.
To set Zone rules:
1. In the Security Rules for Internet Zone area, click Show Settings.
2. From the Security Level drop-down, choose High.
Program Control
Program rules restrict network access on a per-program basis. Whereas firewall rules restrict access
according to packet content, and Zone Rules according to location, Program Control allows you to restrict
network access between a particular program and either your Trusted or Internet Zone.
Program Advisor
Program Advisor (SmartDefense Program Advisor) is a service provided by Check Point that gives permission
recommendations for programs. Use Program Advisor to get recommendations from Check Point security
professionals about which permissions to assign to common programs. This reduces your workload while
improving security and usability. Program Advisor also lets you choose to terminate malicious programs on
endpoint computers. Program Advisor requires the purchase of an additional license.
Anti-spyware
Check Point Anti-spyware protects your network from threats ranging from worms and Trojan horses to
adware and keystroke loggers. Anti-spyware is a service Check Point provides to customers who purchase
a separate Anti-spyware license. Endpoint Security regularly receives updated spyware definitions from the
SmartDefense Anti-spyware Service, a central server maintained by Check Point. Administrators use these
definitions in specific Policies or in global Anti-spyware settings to enforce regular spyware scans and
treatments on endpoints.
Anti-virus
Check Point Anti-virus protects your endpoint users from known and unknown viruses by scanning for
known viruses and for characteristics of viruses. You have the option of configuring the schedule, deploying
the updates only after testing them, or even deploying the latest update immediately whenever necessary.
When a virus is detected, the client can render it harmless, either by repairing or denying access to the
infected file.
SmartDefense
Activating SmartDefense on your endpoints protects your network from network attacks. These attacks are
characterized by the misuse of allowed traffic and services. They have the capacity to slow or immobilize a
network and cause Denial of Service (DoS) conditions that block endpoint access to hosts and servers.
When SmartDefense protections are in place on your endpoints, the network is protected from attacks such
as the Ping of Death, SQL Slammer, Tear Drop, HTTP worm, etc. Attempted attacks and treatments are
also tracked and recorded for your observation.
Mail Protections
Use Endpoint Security to protect against e-mail threats using MailSafe. The MailSafe feature puts limits on
outgoing e-mail to prevent e-mail worms and other malicious code from using the endpoint computer to send
messages.
Policy Objects
Policy objects are the interchangeable parts of your Policies. You can re-use policy objects in different
Policies. The following are policy objects:
• Firewall Rules
• Locations (for Zones)
• Ports and Protocols
• Enforcement Rules
After you create a policy object it is available for use in all your Policies. You can create policy objects:
• In Advance - You can use the Policy Objects page to create all, or most of your policy objects at once.
This is useful when you first start your implementation and want to enter all your locations, ports, and
protocols at once.
• As Needed - At any time you can create policy objects as you need them while configuring your
Policies.
Hard-Coded Rules
Hard-Coded Rules are provided by Endpoint Security by default to facilitate traffic and help provide some
basic security. These rules take precedence over rules in your Policies and are not displayed in the
Endpoint Security Administrator Console. You can manually reconfigure the following hard-coded rules by
making changes to the XML policy file, but this is not recommended.
• Allow UDP packets to and from the Endpoint Security port 80
• Allow TCP packets to and from the Endpoint Security port 443
• Allow traffic from the local machine to port 53 on any computer. This rule allows access to the Domain
Name Service.
• Accept ICMP (Internet Control Message Protocol) type 9 to local machine. This rule allows router
advertisement.
• Block all traffic from sources which are not in the Trusted or the Internet Zone. This rule is the 'cleanup
rule', which blocks all unhandled traffic.
Security Rules
Network traffic is evaluated the same way whether it is incoming or outgoing.
Policy Lifecycles
Effective threat management requires that you provide adequate security while maintaining accessibility as
needed. It is recommended that you achieve this through the use of a policy lifecycle. Policy lifecycles
involve iterative deployment of Policies based on information about your system and security needs.
For example:
First deploy the Default Policy to achieve a basic level of security. Then deploy stricter versions of the policy
to increase security. Finally, create custom Policies for certain sets of users. Afterwards, continue creating
and deploying new Policies to adjust your security level to your needs.
To minimize the support burden, you should take extra care when:
• Defining the Trusted Zone — Make sure you have included all the necessary resources. With the High
Threat Lifecycle, your users will not be able to access resources that are not included in the Trusted
Zone.
• Managing Programs — Make sure that you have included all the programs your users need, as they
will be unable to use programs that have not been assigned permissions either by you, or by Program
Advisor. If you do not have Program Advisor, or if you have a lot of programs that are not included in
Program Advisor, such as proprietary applications, it is recommended that you use a scan of a reference
computer (see Creating Appscans (on page 85)).
• Setting Your Enforcement Rules — Make sure that you have plenty of remediation resources
available to help your users to become compliant with your restricting Enforcement rules.
Creating an Initial Policy - High
The goal of this initial policy is to give maximum security immediately. The initial policy uses the High
Security template.
To create the initial policy:
1. Create locations for any IP or IP ranges you know you will want to block or explicitly allow.
2. Create any firewall rules you want to use.
3. If you have a Program Advisor license, enable it.
4. If you do not have Program Advisor, or if your users have programs that are not included in Program
Advisor, create a reference source using a reference computer and import it using the Program Manager
page.
The security policy you are creating will block all unknown programs.
5. Create a new policy using the High Security policy as a template.
6. Include your firewall rules in the policy.
7. Add your locations to the policy.
By default, the High Security policy template will set your Internet Zone security level to High and your
Trusted Zone security level to Medium.
8. Create your enforcement rules and set them to Restrict.
You will also need to create Restriction Firewall Rules with remediation resources and add them to the
policy.
9. Deploy the policy and policy package.
For security reasons, Policies that contain enforcement rules with remediation files are not imported. If you
need to import such a policy, remove the enforcement rule manually from the policy file.
If the imported policy is missing required tags or attributes, they are supplied with default values. You should
review the settings in all the policy tabs before deploying a policy made from a file, to ensure that you are
providing the correct level of protection.
To create a policy using a file:
1. Click Policies.
The Policy Manager page opens.
2. Click New, and select From File.
3. Name the policy and then browse to the location of the policy file.
4. Click Import.
The Edit Policy page opens.
5. After reviewing and modifying the tabs of the policy as needed, click Save.
The Version Comments page opens.
6. Provide comments to indicate the changes made in this version of the policy. Comments help identify
major changes in case a roll back is needed later.
7. Click Save (policy is saved but cannot be downloaded) or Save & Deploy (save the policy and make it
available for endpoints to download, after you assign the policy to entities).
If you have not already done so, deploy clients to your endpoint computers.
Locations
Zones are made up of locations. Locations refer to network locations that you define. Locations can be
defined by specifying any of the following:
• Host
• Site
• IP address
• IP range
• IP subnet and mask
You should create locations in Endpoint Security for areas you want to:
• Allow access to or from
• Restrict access to or from
You can use locations as sources and destinations for creating Access Zones and firewall rules. You can
either define locations as you need to use them in your Policies, or you can define them before you create
your Policies. Once you have defined a location you can use it in any policy.
Trusted Zone
The Trusted Zone contains traffic sources that you know and trust. In designing Policies, you configure the
Trusted Zone to include only the network elements your protected computers need to communicate with. Do
not place your entire network in the Trusted Zone.
Consider the following when configuring your Trusted Zone:
• Remote host computers connected to the protected computer (if not included in the subnet definitions for
the corporate network)
• Corporate Wide Area Network (WAN) subnets that will be accessed by the protected computer
• Corporate LANs that will be accessed by the protected computer
• Check Point Endpoint Security Server
• DNS servers
• Local host computer's NIC loopback address (depending on Windows version)
Blocked Zone
The Blocked Zone contains traffic sources that you don't want your protected computers communicating with
at all. In designing Policies, you will populate the Blocked Zone with dangerous or otherwise undesirable
hosts. You may choose to include dangerous or undesirable external locations, or internal locations that
you want to restrict access to, such as Human Resources servers.
Internet Zone
The Internet Zone contains all traffic sources that you have not placed in either the Trusted Zone or Blocked
Zone. Internet Zone sources may be outside or inside the perimeter firewall, anywhere on your local network
or on the Internet.
By default, all sources and destinations of network traffic are in the Internet Zone. By placing trusted traffic
sources in the Trusted Zone, you can give your endpoint users access to needed resources while keeping
them safe from Internet threats.
Security Rules
Security Rules control network activity to and from your Zones. Generally, you will want to set permissive
rules for your Trusted Zone and moderate rules for your Internet Zone. Security Rules allow you to set rules
for an entire Zone of locations, instead of having to set rules for each location individually.
Leave the network in the Internet Zone - Select to have the Endpoint Security client automatically include newly-detected networks in the Internet Zone. This is a higher-security option, but it may result in users being unable to communicate with valid subnets.
Defining Zones
Define your Zones by adding the appropriate locations to them. You can create locations as you need them
from the Zones tab, or you can create your locations in the Location Manager and then add them to the
Zones.
To create re-usable Location objects:
1. Research your network setup to see which subnets, hosts, or other resources need to be trusted or
blocked.
2. Click Policies.
The Policy Manager page opens.
3. Click Manage Policy Objects.
The Policy Objects page opens.
4. Open the Locations tab.
5. Click New Location and choose the location type from the drop-down.
The New Location page opens, with the fields relevant to the selected location type.
To configure Zones:
1. Click Policies.
The Policy Manager page opens.
2. Under the policy you want, click Edit.
3. Open the Access Zones tab.
4. In the Define Zones area, click Add.
5. Select the locations and choose the Zone to put them in.
6. Click Add.
7. Click Save.
Block VPN protocols (ESP, AH, GRE, and SKIP) at High Security - Causes the Endpoint Security client to block all Virtual Private Network (VPN) protocols when the Zone security level is set to High. This is recommended for most configurations.
In the first example, FTP Local is rank 0 and FTP Internet is rank 1.
• FTP requests from clients on the local subnet match the source address (Private Subnet) and all other
conditions of the FTP Local rule. The client executes FTP Local; the traffic is allowed.
• FTP requests from clients outside the local subnet do not match FTP Local conditions, so the client
checks the next rule (FTP Local is not executed). The traffic matches the conditions of FTP Internet. The
client executes FTP Internet; the traffic is blocked.
In the second example, FTP Internet is rank 0 and FTP Local is rank 1.
• All FTP requests, from clients on the local subnet and from all other locations, match the conditions of the
first rule, FTP Internet, so the client executes FTP Internet; all traffic is blocked.
Note - When FTP Internet is rank 1, traffic always matches the
conditions of the first rule. Therefore, the client will never evaluate
traffic against the second rule, FTP Local.
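The two rank orderings above, as an added worked example in Python (not Check Point code): rules are walked in rank order and the first match decides. The rule fields, the 192.168.1.0/24 value standing in for the Private Subnet location, and the shadowed_rules check are assumptions made for this illustration; traffic that no rule handles is blocked, mirroring the hard-coded cleanup rule described under Hard-Coded Rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    source: Optional[ipaddress.IPv4Network]   # None means "Any Source Location"
    protocol: str                             # "tcp" or "udp"
    port: int
    action: str                               # "allow" or "block"

    def matches(self, src: ipaddress.IPv4Address, protocol: str, port: int) -> bool:
        if self.protocol != protocol or self.port != port:
            return False
        return self.source is None or src in self.source


def evaluate(ruleset: List[Rule], src: str, protocol: str, port: int) -> str:
    """Walk the rules in rank order (index 0 is rank 0); the first match is executed.
    Traffic no rule handles falls through to the cleanup rule and is blocked."""
    address = ipaddress.IPv4Address(src)
    for rule in ruleset:
        if rule.matches(address, protocol, port):
            return f"{rule.name}:{rule.action}"
    return "cleanup:block"


def shadowed_rules(ruleset: List[Rule]) -> List[str]:
    """Names of rules that can never be reached because an earlier rule with an
    'Any Source Location' source already matches the same protocol and port.
    This is the situation the note above warns about."""
    shadowed = []
    for i, later in enumerate(ruleset):
        for earlier in ruleset[:i]:
            if (earlier.source is None and earlier.protocol == later.protocol
                    and earlier.port == later.port):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed values: the Private Subnet location and the two rules from the text.
PRIVATE_SUBNET = ipaddress.IPv4Network("192.168.1.0/24")
FTP_LOCAL = Rule("FTP Local", PRIVATE_SUBNET, "tcp", 21, "allow")
FTP_INTERNET = Rule("FTP Internet", None, "tcp", 21, "block")

FIRST_EXAMPLE = [FTP_LOCAL, FTP_INTERNET]    # FTP Local is rank 0
SECOND_EXAMPLE = [FTP_INTERNET, FTP_LOCAL]   # FTP Internet is rank 0

if __name__ == "__main__":
    print(evaluate(FIRST_EXAMPLE, "192.168.1.10", "tcp", 21))    # FTP Local:allow
    print(evaluate(FIRST_EXAMPLE, "203.0.113.5", "tcp", 21))     # FTP Internet:block
    print(evaluate(SECOND_EXAMPLE, "192.168.1.10", "tcp", 21))   # FTP Internet:block
    print(shadowed_rules(SECOND_EXAMPLE))                        # ['FTP Local']
```

Running shadowed_rules over a rule set before saving it is a cheap way to catch the second ordering, where a broad rule placed first silently disables the narrower rule below it.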
Indicates that the rule is global; settings are managed in the System Domain by global administrators.
Indicates that the rule is local; settings are managed in the domain you are in.
Used By - The number of Policies that use the rule (selected single domain only).
6. In the Source Locations options, choose Any Source Location (the rule will be applied to all traffic
coming from any source) or Select from Location list.
If you choose to select from the list, the locations table appears. It lists all pre-defined locations, and
provides the New Location button to allow you to create another location if needed.
7. In the Affected Ports & Protocols options, choose Any Port or Protocol (the rule will be applied to all
traffic using any port or protocol) or Select from Protocol list.
If you choose to select from the list, the ports and protocols table appears. It lists all pre-defined ports
and protocols, and provides the New Protocol button to allow you to create another port object or
protocol object, if needed.
8. Click Save.
Note - If you have a rule that blocks or allows all traffic, do not
enable logging for Firewall rules.
Enforcement rules determine whether the client can establish and maintain a session with the Endpoint
Security server and your internal network. The client periodically checks the endpoint computer for the
enforcement rule conditions you set.
Note - You must select and modify the sandbox page for each
language you are using.
Operating Systems - To enforce the rule for all versions of Microsoft Windows, choose All. To enforce the rule for a specific version of Windows, choose a version of Windows.
Check for registry key and value - Checks for a specific key and value in the Windows Registry on the endpoint computer. Provide the Registry Key to check and the Value to check.
Check for file and properties - Validates the properties of a program file on the endpoint computer. If you select this option, provide the File Name to check (for example: example.exe), and File Properties (basic property for checking the file):
• Running at all times - check for programs running at all times (relevant if the file is an executable)
• Location - check for files with this pathname on the endpoint
• Version number - check for files matching, or falling in the range of, the minimum and maximum version numbers
• Last modified less than 'n' days ago - check for files that were modified within this number of days
• Match Smart Checksum - use SmartSum to obtain a checksum and check for the file that matches this number
7. Specify whether the conditions are required or prohibited, and what the action for non-compliance will
be.
Option - Description
Type of check - Determines whether the rule requires or prohibits the software.
8. Specify the message and remediation resources that will be provided if the endpoint computer is non-
compliant.
Option - Description
Language - The language for the sandbox page text. This option is only displayed if you enabled client languages during installation.
Upload a file to use as a remediation resource - Uses the specified file for remediation. If you plan to apply the resource automatically, you must enter an executable file.
Include link to external URL - Uses the specified link for remediation. If you plan to apply the resource automatically, the link must lead to an executable file.
Automatically apply remediation resource - Applies the resource without asking for end-user confirmation.
Apply remediation after user confirmation - Applies the resource only after end-user confirmation. The endpoint computer cannot access the corporate network until the user allows the remediation.
Determine MD5 for Verification - Causes Endpoint Security to determine the resource's MD5 checksum. If you return to edit the rule after saving it, the checksum will appear in the Enter MD5 checksum field. Note that the Endpoint Security server must have the same network access as the client in order to download the MD5.
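How the client-side check behind an enforcement rule can be evaluated (registry key and value, file properties, required versus prohibited, and the action taken on non-compliance), as an added worked example in Python. This is not Check Point code: the endpoint inventory format, the rule field names, the sample registry key, file names and version numbers are constructed, Operating Systems scoping is left out, and a SHA-256 of the file contents stands in for the SmartSum checksum.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]


@dataclass
class FileInfo:
    """What the client observes about one file on the endpoint."""
    path: str
    version: Version
    last_modified: datetime
    running: bool
    content: bytes


@dataclass
class Endpoint:
    registry: Dict[str, str]      # constructed flat view: "KEY\\Value" -> data
    files: Dict[str, FileInfo]    # file name -> observed properties


@dataclass
class FileCheck:
    """'Check for file and properties' options, one field per File Property."""
    name: str
    running_at_all_times: bool = False
    location: Optional[str] = None
    min_version: Optional[Version] = None
    max_version: Optional[Version] = None
    modified_within_days: Optional[int] = None
    checksum: Optional[str] = None          # SHA-256 hex stands in for the SmartSum checksum


@dataclass
class EnforcementRule:
    registry_check: Optional[Tuple[str, str]] = None   # (key\\value, expected data)
    file_check: Optional[FileCheck] = None
    type_of_check: str = "required"                    # "required" or "prohibited"
    action: str = "restrict"                           # "observe", "warn" or "restrict"


def conditions_present(rule: EnforcementRule, ep: Endpoint, now: datetime) -> bool:
    """True when every configured condition is observed on the endpoint."""
    if rule.registry_check is not None:
        key, expected = rule.registry_check
        if ep.registry.get(key) != expected:
            return False
    fc = rule.file_check
    if fc is not None:
        info = ep.files.get(fc.name)
        if info is None:
            return False
        if fc.running_at_all_times and not info.running:
            return False
        if fc.location is not None and info.path.lower() != fc.location.lower():
            return False
        if fc.min_version is not None and info.version < fc.min_version:
            return False
        if fc.max_version is not None and info.version > fc.max_version:
            return False
        if (fc.modified_within_days is not None
                and now - info.last_modified > timedelta(days=fc.modified_within_days)):
            return False
        if fc.checksum is not None and hashlib.sha256(info.content).hexdigest() != fc.checksum:
            return False
    return True


def evaluate_rule(rule: EnforcementRule, ep: Endpoint, now: datetime) -> str:
    """'compliant', or the configured action when the endpoint is out of compliance.
    A required condition must be present; a prohibited one must be absent."""
    present = conditions_present(rule, ep, now)
    compliant = present if rule.type_of_check == "required" else not present
    return "compliant" if compliant else rule.action


# Constructed endpoint: a running, recently updated AV engine and an installed P2P client.
NOW = datetime(2010, 2, 23, 12, 0)
AV_BYTES = b"constructed av engine bytes"
SAMPLE_ENDPOINT = Endpoint(
    registry={r"HKLM\SOFTWARE\ExampleAV\Installed": "1"},
    files={
        "exampleav.exe": FileInfo(r"C:\Program Files\ExampleAV\exampleav.exe", (8, 5, 0),
                                  NOW - timedelta(days=3), True, AV_BYTES),
        "p2pshare.exe": FileInfo(r"C:\Users\user\p2pshare.exe", (1, 0),
                                 NOW - timedelta(days=40), False, b"p2p"),
    },
)

REQUIRE_AV = EnforcementRule(
    registry_check=(r"HKLM\SOFTWARE\ExampleAV\Installed", "1"),
    file_check=FileCheck("exampleav.exe", running_at_all_times=True, min_version=(8, 0),
                         modified_within_days=7, checksum=hashlib.sha256(AV_BYTES).hexdigest()),
    type_of_check="required", action="restrict",
)
PROHIBIT_P2P = EnforcementRule(file_check=FileCheck("p2pshare.exe"),
                               type_of_check="prohibited", action="warn")
```

Note that a prohibited check is satisfied only when the file is absent: a P2P client that is merely not running is still non-compliant, which is what you want when the goal is to keep the software off the endpoint rather than just idle.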
Anti-virus Rules
Use Anti-virus Rules to require endpoints to run a specific Anti-virus program. If the endpoint becomes
non-compliant, the client can restrict the user session, warn the user without restricting, or observe the
violation without restricting. You can specify a remediation resource that users can download and install
themselves. For restricted users, you have the option of configuring Endpoint Security to run remediation
resources automatically.
When creating an Anti-virus provider rule, you can either enter Anti-virus engine and DAT file information
manually or use a reference client.
Manual configuration requires frequent maintenance to keep up with software and DAT file updates. You
can automate your updates by specifying a single computer (called an Anti-virus reference client) to provide
software and DAT file information to Endpoint Security. When you update the DAT file or Anti-virus engine
on the reference client, Endpoint Security updates its Anti-virus provider rules accordingly.
Note - Client versions 7.0 and higher use a different method to detect
Anti-virus providers on endpoint computers than previous clients. It is
highly recommended that you use the same version of the client on
your reference client as you distribute to your other endpoint
computers.
Browse for a user below - Designates the reference client by name. Provide a partial string of a user with a client to be used as a reference point and then click Search to browse the list of users who have this client.
5. Click Save.
The reference client is now available for use in an anti-virus enforcement rule.
6. Create a new Anti-virus Enforcement Rule that uses information from the reference client.
Keep clients in sync with the reference client - Requires endpoints to match the settings of an anti-virus reference client. In the text field, enter the number of days (from the time you update the reference client) by which endpoints must comply. This option is available only if you have already set up an Anti-virus reference client.
Minimum engine version - Requires that a minimum version of the anti-virus program's engine be present on the endpoint computer. If you select this option, type or paste the minimum engine version.
This program must always be running - Requires that the anti-virus program always be running on the endpoint computer.
Minimum DAT file version - Enforces a minimum DAT file version.
7. Specify the action: what happens to endpoint computers that are out of compliance.
Options - Description
Observe clients that don't comply - Observes and records endpoints that are not running the required anti-virus software.
Language - The language for the sandbox page text. (This option is only displayed if you enabled client languages during installation.)
Upload a file to use as a remediation resource - Uses the specified file for remediation. If you plan to apply the resource automatically, you must enter an executable file.
Include link to external URL - Uses the specified link for remediation. If you plan to apply the resource automatically, the link must lead to an executable file.
Apply remediation after user confirmation - Applies the resource only after end-user confirmation. The endpoint computer cannot access the corporate network until the user allows the remediation.
Determine MD5 for Verification - Causes Endpoint Security to determine the resource's MD5 checksum. If you return to edit the rule after saving it, the checksum will appear in the Enter MD5 checksum field. Note that the Endpoint Security server must have the same network access as the client in order to download the MD5.
Client Type - The client type: Flex or Agent. Each type can be with or without VPN.
Minimum Version - The minimum version number for the client. If the endpoint's client version is lower than the minimum version number, the endpoint will be required to update the client before accessing the corporate network.
7. Set the rule action, to determine what happens to endpoint users that are out of compliance with the
rule.
Rule Action - Description
Observe clients that don't comply - Observes and records endpoints that do not comply with the enforcement rule.
Warn clients that don't comply - Warns users whose endpoints do not comply, but lets them access the network. If you choose to restrict or warn, you should configure the custom text for this client rule and provide the upgrade package.
Restrict clients that don't comply - Restricts endpoints when they do not comply with the client rule. This enables the auto-remediation options. If you choose to restrict, you must configure compliance check settings and restriction firewall rules for the Policies you use this rule in. You must save and deploy the policy for the enforcement rule to take effect.
Language - The language for the sandbox page text. (This option is only displayed if you enabled client languages during installation.)
Use Client Package from Server - Upgrades the client with the selected client package. Note: if you want to use reporting for the auto-update feature, you must use the same connection string for the updated client package as you used for the initial client deployment.
Use resource from external URL - Upgrades the client from an external source. If you plan to apply the resource automatically, the link must lead to an executable file. Provide the URL of the upgrade client or the URL of a sandbox page that Endpoint Security created when you created the upgrade client package.
Upgrade with user confirmation - Upgrades the client only after end-user confirmation. The endpoint computer cannot access the corporate network until the user allows the upgrade.
URL Resource Verification - Available if both Use resource from external URL and Automatically start the upgrade when a client goes out of compliance are selected. Provides an MD5 checksum to verify the URL client package download, using one of the following options:
• Fetch MD5 checksum from URL — causes Endpoint Security to determine the resource's MD5 checksum. If you return to edit the rule after saving it, the checksum will appear in the Verify against MD5 checksum field. (Note that the Endpoint Security server must have the same network access as the client in order to download the MD5.)
• Verify against MD5 checksum — verifies against the checksum you enter.
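The two checksum options described for remediation and upgrade resources (the server determining the MD5 when the rule is saved, and the download being verified against a recorded MD5 before it is run), as an added worked example in Python. This is not Check Point code: the server's "determine the resource's MD5" step is modelled as downloading the resource and hashing it, network fetches are replaced by a constructed in-memory store keyed by URL, and the URL and installer bytes are made up for the illustration.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed stand-in for the URLs the server and the client would fetch.
RESOURCE_STORE: Dict[str, bytes] = {
    "https://updates.example.test/av-fix.exe": b"MZ\x90\x00constructed-installer-bytes",
}


def fetch(url: str, store: Dict[str, bytes] = RESOURCE_STORE) -> Optional[bytes]:
    """Download a resource; None models a URL the fetching side cannot reach."""
    return store.get(url)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def determine_md5_for_verification(url: str, store: Dict[str, bytes] = RESOURCE_STORE) -> Optional[str]:
    """Server side, when the rule is saved: fetch the resource once and record its digest.
    Returns None when the server cannot reach the URL, which is why the server needs the
    same network access as the client. Whatever is served at save time becomes the
    reference, so review the file you are about to trust before saving the rule."""
    data = fetch(url, store)
    return None if data is None else md5_hex(data)


def verify_download(data: bytes, expected_md5: str) -> bool:
    """Client side: the downloaded executable is run only if its digest matches.
    compare_digest keeps the comparison time independent of where a mismatch occurs."""
    return hmac.compare_digest(md5_hex(data), expected_md5.lower())


def apply_remediation(url: str, expected_md5: str, store: Dict[str, bytes] = RESOURCE_STORE) -> str:
    """Outcome of an automatic remediation: 'applied', or a reason the resource was not run."""
    data = fetch(url, store)
    if data is None:
        return "rejected: resource not reachable"
    if not verify_download(data, expected_md5):
        return "rejected: checksum mismatch, resource not executed"
    return "applied"


if __name__ == "__main__":
    url = "https://updates.example.test/av-fix.exe"
    recorded = determine_md5_for_verification(url)
    print(apply_remediation(url, recorded))
    tampered = dict(RESOURCE_STORE, **{url: b"replaced after the rule was saved"})
    print(apply_remediation(url, recorded, tampered))
```

The recorded digest proves only that the client downloaded the same bytes the administrator accepted when the rule was saved; it does not identify the publisher, so the Verify against MD5 checksum option with a value obtained from the vendor out of band is the stronger of the two where that value is available.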
Program Permissions
Program permissions control the program access on endpoint computers. You can set the permissions for
individual programs or groups of programs. Program activity is evaluated according to the following criteria:
• Zone - Traffic is evaluated by the Zone (Internet or Trusted) that the program is trying to communicate
with.
• Role - Traffic is evaluated according to whether the program is trying to establish a connection (acting as
a client) or listen for a connection (acting as a server).
You can set the following permissions for programs and program groups:
• Allow - Allows the program to establish or accept the connection
Program Groups
Your endpoint users may use hundreds, or even thousands of programs. To facilitate managing your
programs, it is recommended that you generally set program permissions for groups of programs, rather
than for individual programs. Check Point provides some program groups. You can also create custom
groups to manage your programs.
Default Groups
Check Point provides the following default program groups:
• PA quarantined programs - If you are using Program Advisor, this group contains all the programs that
Program Advisor recommends terminating. This group has precedence over all other groups. You
cannot change the rank of this group, disable this group, or override its group permissions. You can,
however, override the permissions for the individual programs in this group, but this is not
recommended. If you do not have a Program Advisor license, this group does not appear.
• PA referenced programs - If you are using Program Advisor, this group contains all the programs that
Program Advisor recommends allowing or asking the user about. This group always ranks immediately
after your custom groups. You cannot change the rank of this group or override its group permissions.
You can, however, disable this group or override the permissions for the individual programs in the
group. If you do not have a Program Advisor license, this group does not appear.
Custom Groups
You can also create custom groups. Custom groups act as filters, grouping programs together according to
the criteria you specify.
Some possible uses for custom groups include:
• Grouping by publisher - Use this option when you want to apply the same permissions to all software
from the same company.
• Grouping by file name - Use this option to apply the same permissions to all versions of a program. This
is useful when your users are using many different versions of the same program, such as Microsoft
Outlook. You can also use this for programs that change checksum frequently, such as programs that
your organization is creating.
Permission Precedence
Program traffic is moderated according to the permissions of the first group it belongs to. Groups are ranked
in the following order:
• PA quarantined programs
• Custom groups, in the order they appear in the Program Group Permissions page.
• PA referenced programs
• Unrecognized programs
You can change the order of your custom groups, but you cannot change the order of any of the default
groups.
If you need to make an exception to the permissions for a group, you can set individual permissions for that
program. Generally, for maximum efficiency you should set permissions on the group level whenever
possible and only make exceptions when absolutely necessary.
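The precedence rules above as a small resolver, added here as example code (not Check Point's implementation): the first ranked group a program matches decides its permission, and an individual permission overrides every group and persists across group changes. The group names are the guide's; the custom groups, sample programs and 32-character MD5 values are constructed for the example.

```python
"""Resolve a program's effective permission using the group ranking the
guide describes. Example code only, not Check Point's implementation."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Program:
    file_name: str
    publisher: str
    md5: str  # programs are identified by checksum, not by file name alone


@dataclass
class ProgramGroup:
    name: str
    matches: Callable[[Program], bool]  # a group acts as a filter
    permission: str                      # allow, block, ask or terminate
    enabled: bool = True


def by_publisher(publisher: str) -> Callable[[Program], bool]:
    return lambda p: p.publisher == publisher


def by_file_name(file_name: str) -> Callable[[Program], bool]:
    return lambda p: p.file_name.lower() == file_name.lower()


def by_checksum(md5s: set) -> Callable[[Program], bool]:
    return lambda p: p.md5 in md5s


# Constructed placeholder checksums standing in for Program Advisor data.
PA_QUARANTINED = {"11111111111111111111111111111111"}
PA_REFERENCED = {"22222222222222222222222222222222"}


def build_ranking(custom_groups: List[ProgramGroup],
                  pa_licensed: bool = True,
                  referenced_enabled: bool = True) -> List[ProgramGroup]:
    """Rank order from the guide: PA quarantined, then custom groups in the
    order configured, then PA referenced, then the catch-all for unrecognized
    programs. The quarantined group cannot be disabled; the referenced one can.
    Without a Program Advisor license the two PA groups do not exist."""
    ranked: List[ProgramGroup] = []
    if pa_licensed:
        ranked.append(ProgramGroup("PA quarantined programs",
                                   by_checksum(PA_QUARANTINED), "terminate"))
    ranked.extend(custom_groups)
    if pa_licensed:
        ranked.append(ProgramGroup("PA referenced programs",
                                   by_checksum(PA_REFERENCED), "ask",
                                   enabled=referenced_enabled))
    ranked.append(ProgramGroup("Unrecognized programs", lambda p: True, "block"))
    return ranked


def effective_permission(program: Program, ranked: List[ProgramGroup],
                         individual: Dict[str, str]) -> Tuple[str, str]:
    """Return (permission, source). An individual permission, keyed by
    checksum, wins over any group and persists if the program changes groups."""
    if program.md5 in individual:
        return individual[program.md5], "individual"
    for group in ranked:
        if group.enabled and group.matches(program):
            return group.permission, group.name
    raise RuntimeError("ranking always ends with the catch-all group")


# Constructed sample configuration.
CUSTOM_GROUPS = [
    ProgramGroup("In-house tools", by_file_name("buildtool.exe"), "allow"),
    ProgramGroup("Microsoft software", by_publisher("Microsoft Corporation"), "allow"),
]
INDIVIDUAL = {"22222222222222222222222222222222": "block"}  # one per-program exception

OUTLOOK = Program("outlook.exe", "Microsoft Corporation", "33333333333333333333333333333333")
# Same file name and publisher string as Outlook, but a quarantined checksum:
# checksum identity lets the quarantined group catch it before the publisher group.
MASQUERADE = Program("outlook.exe", "Microsoft Corporation", "11111111111111111111111111111111")
PUTTY = Program("putty.exe", "Simon Tatham", "22222222222222222222222222222222")
UNKNOWN = Program("tool.exe", "Nobody", "44444444444444444444444444444444")


def demo() -> Dict[str, Tuple[str, str]]:
    ranked = build_ranking(CUSTOM_GROUPS)
    return {p.file_name + ":" + p.md5[:2]: effective_permission(p, ranked, INDIVIDUAL)
            for p in (OUTLOOK, MASQUERADE, PUTTY, UNKNOWN)}


if __name__ == "__main__":
    for key, (perm, source) in demo().items():
        print(f"{key:16} -> {perm:9} (from {source})")
```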
Program Observation
Programs do not appear in the program control user interfaces until they are observed by the Endpoint
Security system.
You can configure the client to detect programs on your endpoint computers as they attempt to connect with
the Internet or Trusted Zones. This is useful for determining what programs are actually in use by your
endpoint users.
Using Checksums
You may wish to identify programs by their checksums, instead of by filename alone. Checksums are unique
identifiers for programs that cannot be forged. This prevents malicious programs from masquerading as
other, innocuous programs.
Use the following features to identify programs by their checksums:
• Appscans - You can configure a reference computer with the typical programs that your endpoint
computers have. Scanning this computer produces a reference source file that contains all the
checksums for all the programs on the computer. You can import this scan file into the Endpoint Security
system. This is useful when groups of your endpoint users have computers with very similar software
configurations.
• Manual Input - You can also create checksums of individual programs and manually enter them, one by
one, into the system. This is only recommended if you have a very limited number of programs to enter.
• Unknown attack protection (Good) - Any unknown application that tries to accept a connection from the
Internet Zone is blocked.
• User restriction (Low) - Users are able to run any program that sends traffic to the network. They are also
able to run any program that accepts a connection from a trusted host.
• Unknown attack protection (Very good) - Applications that try to accept a connection are blocked.
• User restriction (Medium) - Users are able to run any program that sends traffic to the network. They are
not able to run any programs that accept connections.
• Unknown attack protection (Very good) - Any application trying to send traffic or accept a connection
from the Internet Zone is blocked.
• User restriction (High) - Users are able to run any program that communicates within the Trusted Zone.
If a program communicates anywhere on the Internet Zone, it is blocked.
Block All
The block all option completely prevents applications on the protected computer from communicating with all
other computers. This provides the highest possible level of program control, but you must have adequate
custom program groups with the correct permission levels to avoid disrupting your endpoint users.
Table 6-10 Impact of Blocking All Network Applications
• User restriction (High) - Users are able to run any program that communicates within the Trusted Zone.
If a program communicates anywhere on the Internet Zone, it is blocked.
Creating Appscans
An Appscan is an XML file that contains MD5 and Smart checksums of the programs on a particular
computer in your environment.
Using Appscans you can quickly create program rules for the most common applications and operating
system files in use on your network.
Create an Appscan for each disk image used in your environment. You can then create rules that will apply
to those applications. Using Appscans to populate your Endpoint Security system is particularly useful if
your endpoint computers tend to have the same programs.
You create Appscans by running the SmartSum utility (appscan.exe) on a computer with a tightly-controlled
disk image, then importing the file into Endpoint Security.
Creating an Appscan
Before running Smart checksum, set up a computer with all the programs that are standard for protected
computers in your organization. If you have several different configurations, perform these steps for each
endpoint computer standard configuration.
2. On the protected computer, open a command prompt window (go to Start | Run..., then type cmd).
3. In the command prompt window, go to the root directory by entering "cd \".
Appscan Switches
Use the following switches to modify your scan.
Table 6-11 Appscan switches and functions
• /e - Use the /e switch to inventory all executable files in the target directory or drive, regardless of
extension.
Example 5: c:\appscan /s "C:\program files" /e
In Example 5, all files are incorporated into the scan.
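An added example (not the SmartSum utility) of what the /e switch changes: the inventory below identifies executables by their PE header rather than by extension and records each file's MD5. The extension set, the PE-header test, and the sample files written to a temporary directory are assumptions constructed for the example; the real Appscan XML layout and the proprietary Smart checksum are not reproduced.

```python
"""Inventory executable files under a directory and record their MD5, either
by extension or, like the /e switch, by the PE header regardless of extension.
Example code only, not the SmartSum utility."""
import hashlib
import os
import tempfile
from typing import Dict, List

EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr"}  # assumed set
PE_MAGIC = b"MZ"  # every Windows PE image starts with the DOS header "MZ"


def md5_of_file(path: str) -> str:
    """Stream the file so large program files do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_executable(path: str) -> bool:
    """Content-based test: a renamed executable still carries the PE header."""
    with open(path, "rb") as fh:
        return fh.read(2) == PE_MAGIC


def inventory(root: str, all_executables: bool = False) -> List[Dict[str, str]]:
    """Return one record per executable: path relative to root and its MD5.
    With all_executables=True (the /e behaviour) any file with a PE header is
    included, whatever its extension."""
    records: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            by_ext = os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS
            if by_ext or (all_executables and looks_executable(path)):
                records.append({"path": os.path.relpath(path, root),
                                "md5": md5_of_file(path)})
    return records


def build_sample_tree() -> str:
    """Constructed sample: two copies of the same PE image, one renamed with a
    non-executable extension, plus a text file that is not a program."""
    root = tempfile.mkdtemp(prefix="appscan-example-")
    image = PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 60  # constructed bytes
    os.makedirs(os.path.join(root, "tools"))
    with open(os.path.join(root, "tools", "buildtool.exe"), "wb") as fh:
        fh.write(image)
    with open(os.path.join(root, "tools", "buildtool.bak"), "wb") as fh:
        fh.write(image)
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("not a program\n")
    return root


def demo() -> Dict[str, object]:
    root = build_sample_tree()
    default = inventory(root)
    everything = inventory(root, all_executables=True)
    return {
        "default": sorted(os.path.basename(r["path"]) for r in default),
        "all_executables": sorted(os.path.basename(r["path"]) for r in everything),
        # the renamed copy is the same program: identical checksum, different name
        "identical_checksums": len({r["md5"] for r in everything}) == 1,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```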
Importing Appscans
After generating an Appscan file, import it into Endpoint Security. You can also import any of the provided
Appscans for other versions of Windows from the Samples folder in your installation folder.
To import an Appscan:
1. Click New Program and select Import Scan.
2. Browse to the Appscan file: scan.xml
3. Click Import.
• MD5 Checksum - The MD5 checksum of the file. MD5 checksums are 128-bit checksums.
• Smart Checksum - The Smart checksum of the file. The 128-bit Smart Checksum allows program files that
change frequently, or have unique MD5 checksums when installed on a specific endpoint computer, to be
validated.
• Make Settings Available To Unconnected Clients - Includes the group settings in the policy file that is
sent to the endpoint computer. If this option is not selected, and a program is not governed by either an
individual program permission or by Program Advisor, clients that cannot connect to the Endpoint Security
server will use the permissions for unknown programs.
• Terminate all programs in this group - Choose this option to shut down all the programs that are in the
group.
• Use the following settings for the programs in this group - Choose this option to specify permissions
(allow, block, ask user) for this program to act as client and as server, in the Trusted Zone or the Internet
Zone.
7. Click Save.
8. Redeploy your Policies.
Although you can configure program permissions at both the global and the policy level, both settings
are included in your security policy. You must redeploy your policy to have either global or policy-level
changes take effect.
You can also set permissions for individual programs. These permissions override the permissions set for
the program group. Permissions given to an individual program persist even if the program changes groups.
• Override settings and terminate the application - All settings for the group are ignored for this program;
as soon as it is observed to be installed or activated, it is shut down.
• Override settings with the settings below - Set the permissions for this program for when it is in the
Trusted Zone and when in the Internet Zone. For each zone, set permissions for when the program is
acting as client and when it is acting as server.
Note - You cannot configure more permissive settings for the Internet
Zone than for the Trusted Zone, nor for server connections than for
client connections. For example, if the Client - Trusted setting is
Block, all settings must be Block; if the Server - Internet setting is
Allow, all settings must be Allow.
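The ordering rule in the note, as added example code (not Check Point's) that checks a program's four settings and, where they conflict, tightens them to the least permissive value that satisfies the rule. The relative order Block < Ask < Allow is an assumption for the example.

```python
"""Validate the four per-program settings (zone x role) against the rule:
the Internet Zone may not be more permissive than the Trusted Zone, and the
server role may not be more permissive than the client role. Example code."""
from typing import Dict, List, Tuple

RANK = {"block": 0, "ask": 1, "allow": 2}  # assumed order of permissiveness
ZONES = ("trusted", "internet")
ROLES = ("client", "server")
Settings = Dict[Tuple[str, str], str]  # (zone, role) -> permission


def make_settings(client_trusted: str, server_trusted: str,
                  client_internet: str, server_internet: str) -> Settings:
    return {("trusted", "client"): client_trusted,
            ("trusted", "server"): server_trusted,
            ("internet", "client"): client_internet,
            ("internet", "server"): server_internet}


def violations(s: Settings) -> List[str]:
    """One message per cell that is more permissive than a cell it may not exceed."""
    problems: List[str] = []
    for role in ROLES:  # Internet may not exceed Trusted for the same role
        if RANK[s["internet", role]] > RANK[s["trusted", role]]:
            problems.append(f"{role}: Internet={s['internet', role]} "
                            f"exceeds Trusted={s['trusted', role]}")
    for zone in ZONES:  # Server may not exceed Client within the same zone
        if RANK[s[zone, "server"]] > RANK[s[zone, "client"]]:
            problems.append(f"{zone}: Server={s[zone, 'server']} "
                            f"exceeds Client={s[zone, 'client']}")
    return problems


def is_consistent(s: Settings) -> bool:
    return not violations(s)


def least(*perms: str) -> str:
    return min(perms, key=lambda p: RANK[p])


def tighten(s: Settings) -> Settings:
    """Lower each cell to the least permissive value among the cells that bound
    it. Client-Trusted bounds everything, so Client-Trusted=Block forces every
    setting to Block, matching the first example in the note. Resolving toward
    the least permissive value is a choice made here, not a rule from the guide."""
    t = dict(s)
    t["trusted", "server"] = least(s["trusted", "server"], s["trusted", "client"])
    t["internet", "client"] = least(s["internet", "client"], s["trusted", "client"])
    t["internet", "server"] = least(s["internet", "server"],
                                    t["trusted", "server"], t["internet", "client"])
    return t


if __name__ == "__main__":
    bad = make_settings("ask", "ask", "ask", "allow")  # Server-Internet too open
    for problem in violations(bad):
        print("violation:", problem)
    print("tightened:", tighten(bad))
```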
6. Click Done.
To set policy-level permissions for an individual program:
1. In the Program Rules tab, click the link of the group to which the program belongs.
Note - Firewall rules are enforced in the order listed. These rules are
applied only if the program has the required permission to act as a
server or act as a client for the Zone involved.
3. Click Add.
4. Click Done.
5. Click Save.
Anti-malware Settings
Use the Anti-Malware tab of a policy to configure Anti-Spyware, Antivirus, and WebCheck settings for the
current policy.
General Settings
What general settings are available depends on whether you have enabled legacy clients ("Enabling
Support for Legacy Clients" on page 93) or not.
Table 6-12 Option when Legacy Clients Are Disabled
• Protect against viruses - Activates Antivirus in the policy for all clients with Antivirus or Anti-malware
installed. When activated, on-access scans are always performed automatically on client files.
WebCheck Settings
Use WebCheck to set options for web security.
• Enable Site Status Check - Checks security-related information about each site visited. If this setting is
enabled, users can click the Site Status button in the WebCheck toolbar for details about the security level
of any site they are currently visiting.
• Enable Anti-phishing (Signature) - Tracks recently discovered phishing and spyware sites, and interrupts
browsing with a warning.
• WebCheck trusted sites - To configure which sites are safe to exclude from WebCheck protection, provide
the safe site URL in the Domain/Site field, and click Add.
• Schedule regular Anti-Spyware scans - Select the day and time for a scheduled scan.
Note - If a client moves from one policy to another (for example, from Connected Policy to VPN Policy), the
client will do the scan for both schedules. For example, if the Connected Policy is scheduled to run on the
13th of every month, and the VPN Policy is scheduled to run every Monday, the Anti-Spyware scan will run
every Monday and again on the 13th. To avoid too many scans (which take resources from the computer),
make sure that policy schedules are synchronized.
• Restrict clients that don't comply with the Anti-Spyware Scan settings - Restrict clients that have not run
the scheduled spyware scans. Endpoints that are not successfully scanned at the scheduled time are
restricted according to the restriction Enforcement Rules you created with <tp_es>.
• Frequency - Select Daily, Weekly, or Monthly for the deep scan to run on endpoints with this policy.
Note - To avoid too many scans (which take resources from the computer), make sure that policy schedules
are synchronized. (See the explanation in Anti-Spyware Scan Settings above.)
• Starting On - The date and time for the Antivirus scan schedule to start.
• Scan Riskware - This setting activates Anti-Spyware scanning for all R73 clients.
• Enable NTFS File System based optimizations - We recommend that you use this setting, which optimizes
scans by skipping untouched files securely on computers with NTFS file systems.
• Enable Checksum based optimization - We recommend that you use this setting, which optimizes scans
by skipping untouched files securely on computers that do not have NTFS file systems.
• Schedule regular Antivirus scans - Frequency: Select Daily, Weekly, or Monthly for the deep scan to run
on endpoints with this policy.
Note - To avoid too many scans (which take resources from the computer), make sure that policy schedules
are synchronized. See the explanation in the section for Anti-Spyware Scan settings above.
Starting On: The date and time for the Antivirus scan schedule to start.
• Scan Riskware - This setting activates Anti-malware scanning for all R73 clients.
• Enable NTFS File System based optimizations - We recommend that you use this setting, which optimizes
scans by skipping untouched files securely on computers with NTFS file systems.
• Enable Checksum based optimization - We recommend that you use this setting, which optimizes scans
by skipping untouched files securely on computers that do not have NTFS file systems.
• Excluded path - Use this feature to specify paths to be excluded from Antivirus scans. Specify the
fully-qualified path for the file types or directories you want excluded from the scan, and then click Add.
Use this option to save time when scanning, or to exclude certain types of files, such as large database
files.
Treatment Settings
How you define treatment settings depends on whether you have enabled legacy clients ("Enabling Support
for Legacy Clients" on page 93) or not.
Use these settings to configure the action that Endpoint Security clients should perform when certain types
of infections are detected.
Table 6-16
SmartDefense creates a framework of defense against attacks that are intended to harm the network by
flooding it. You activate SmartDefense on your network by enabling it in the Policies you deploy to your
endpoints. While endpoint users are not allowed to configure SmartDefense, they do have the option of
viewing SmartDefense logs with the client Alerts and Logs feature.
When SmartDefense protections are in place on your network endpoints, the network is protected from the
following attacks:
• Ping of Death
• Warn the user when too many messages are sent out in a specified interval - Sets a number and
frequency of outgoing e-mails that trigger a warning to the endpoint user. Provide the number of e-mail
messages and the interval in the appropriate text boxes (or accept the defaults of 50 messages and two
seconds).
• Warn the user when the number of recipients in an e-mail exceeds - Sets the number of e-mail recipients
(per e-mail message) that triggers a warning to the endpoint user. Provide the number of recipients that
triggers the warning (or accept the default of 50).
Assigning Policies
For Endpoint Security clients to get a policy and policy updates, the policy must be assigned to the
endpoints.
You can assign Policies to a number of entity types, with the endpoints inheriting their policy from a larger
container entity. For example, the root node should have at least a Firewall policy assigned to it. This policy
is then inherited by all the nodes in the tree, unless you assign another Firewall policy to a specific node. If
that node has child nodes, they inherit this Firewall policy unless you overwrite it with another one.
Policy Inheritance
Endpoint Security users inherit Policies through the hierarchy of domains (in Multi-Domain mode), gateways,
catalogs, and groups, according to the assignment priority you choose. Assignment priority determines
Assignment Order
You will want to assign Policies to your most inclusive organizational units first. After you have established
your basic security policy assignments in this way, you can make exceptions by assigning different Policies
to the sub-units.
Assign your Policies in the following order for maximum efficiency:
1. Domains (Multi-Domain mode) - Assign a policy to a domain to have all the members of that domain
receive that policy. This provides a basic level of security for all the domain members.
Exporting Policies
You can export a policy for use with another Endpoint Security server.
To export a policy:
1. Click Policies.
The Policy Manager page opens.
2. In the row for the policy, click Export.
A dialog appears, asking you if you want to save the file.
3. Click Save.
4. Choose the location and name for your policy and click Save.
The policy is saved as an XML file. You can import this policy into another Endpoint Security server by
creating a new policy using the file.
Deleting Policies
You cannot delete a policy while it is assigned or is included in a client package.
To delete a policy:
1. Click Policies.
The Policy Manager page opens.
2. Remove all policy assignments for the policy.
• Select the policy, and click View Assignments.
The Endpoint Manager page appears, showing only those catalogs that have your chosen policy
assigned to them.
• Select the catalogs and select a new policy assignment from the Policy drop-down.
You can explicitly assign a different policy to the catalogs, or you can choose to have the catalog
inherit the policy from its parent.
• Click Assign.
Be sure to perform these steps for all the catalogs that are assigned the policy.
3. Remove the policy from all policy packages.
VPN Policies
If your network uses a virtual private network, you should create a separate policy for the VPN users and
assign it to the gateway they use. When users are connecting to the internet outside your LAN, they may be
exposed to many more security risks than when they are connected to your network. If an endpoint
computer is compromised or infected, it may be a source of security risk to other computers on your
network.
There are two basic approaches to dealing with this risk:
• Provide users with very restrictive VPN and disconnected Policies, but have lenient connected Policies.
This prevents security problems at their source, by preventing the original infection or compromise.
However, this high level of protection comes at the cost of usability. If your VPN policy is very restrictive,
your endpoint users may be unable to perform tasks on their computers, resulting in more support
expenses.
• Provide users with a very permissive disconnected policy, but use very strict VPN and connected
Policies to ensure that their computers are clean and compliant when they are on your network.
This helps prevent infections from spreading to other computers in your network, but does not inhibit
usability. This can be a good solution when you are creating Policies for contractors who are using their
own computers, rather than your company's. This is also useful in countries where laws prohibit
restricting endpoint user activities when they are not working.
Specify connected and disconnected Policies by creating policy packages and assigning them to user or IP
catalogs. Specify VPN Policies by assigning a policy or policy package to the VPN gateway.
Note - If you are using a supported gateway, the policy assigned to that
gateway always has priority.
3. Create a policy using the Medium Security template and assign it to the gateway or IP catalog you
created.
4. Populate your Trusted Zone.
Add the locations you want these users to have access to. It is recommended that you include the
following locations in the Trusted Zone:
• The internal and external IP Addresses of your VPN gateway
• The appropriate LAN/WAN subnets of the internal network: Class A, B, or C networks, such as
10.0.0.0, subnet masks, DNS or DHCP addresses
• The loopback address: 127.0.0.1
• The DNS server
5. Save and deploy the policy.
• High Security - The High Security policy template provides an elevated level of security at the expense of
user connectivity. Because high-level security settings can block communications from legitimate sources,
you should add such sources to the Trusted Zone before deploying the policy. It is also important to define
programs or to use Program Advisor with this policy. This policy turns on a high number of alerts for
evaluation purposes. To minimize user interruptions, disable all alerts other than enforcement alerts before
general deployment.
• Medium Security - The Medium Security policy template provides mid-level security with minimal
end-user interruptions.
To create a policy template:
1. Click Policies.
The Policy Manager page opens.
2. Select the policy you want to publish as a template, and click Edit.
Optionally, you can select Lock this policy to prevent other administrators from changing the policy
template settings. This setting is not published. Therefore, Policies created from this template will not
automatically be locked.
3. Select Publish this policy as a template to all domains.
4. After reviewing and modifying the tabs of the policy as needed, click Save.
The Version Comments page opens.
5. Provide comments to indicate the changes made in this version of the policy. Comments help identify
major changes in case a roll back is needed later.
6. Click Save (policy is saved but cannot be downloaded) or Save & Deploy (save the policy and make it
available for endpoints to download, after you assign the policy to entities).
If you have not already done so, deploy clients to your endpoint computers.
Note - In the case of Flex users with policy arbitration enabled, Flex
will both ask the user whether or not to allow access and attempt to
contact the Endpoint Security server for program permissions. Flex
records the results of both queries in the personal and enterprise
Policies, respectively.
The Endpoint Security server receives program permission requests from the client. In conjunction with the
Program Advisor server, the Endpoint Security server determines what permissions should be applied to the
program, and how it should be displayed in the Program Group Permissions page of the Endpoint
Security Administrator Console.
1. The Endpoint Security server receives the request from the client.
2. The Endpoint Security server checks for a matching reference source. If the program has a matching
reference source, the Endpoint Security server sends a response to the client. The client applies the
permissions you have set for referenced programs in the deployed enterprise policy.
3. The Endpoint Security server checks if Program Advisor is enabled. If Program Advisor is not enabled,
the Endpoint Security server sends a response to the client. The client applies the permissions you have
set for 'Unknown Programs' in the deployed enterprise policy.
4. The Endpoint Security server checks for custom overrides. You can set the Endpoint Security server to
override Program Advisor's recommendations with your own permission set. If you have set custom
4. Click Edit.
• If you want Program Advisor to terminate the processes for malicious programs, select Allow
Program Advisor to terminate malicious applications.
• If you want endpoints to receive Program Advisor recommendations when they cannot contact the
Endpoint Security server, select Allow clients to ask Program Advisor directly when the
Endpoint Security server is unavailable.
If you choose this option, endpoints will not receive any permission overrides you have set until they
connect to the Endpoint Security server again and either restart the program or receive a new policy.
5. Click Save.
• Override settings and terminate the application - All settings for the group are ignored for this program;
as soon as it is observed to be installed or activated, it is shut down.
• Override settings with the settings below - Set the permissions for this program for when it is in the
Trusted Zone and when in the Internet Zone. For each zone, set permissions for when the program is
acting as client and when it is acting as server.
5. Click Save.
When you set permissions for an individual program, the permissions are displayed in color.
Permissions inherited from a group are gray.
Managing Updates
Use the Updates feature to receive, manage, and deploy anti-malware and WebCheck updates.
Overview of Updates
Use the Updates feature to receive, manage, and deploy:
• Virus definition updates - These updates ensure your endpoints are constantly protected against new
viruses. The updates include DAT files, which are libraries of virus signatures.
• Spyware definition updates - These updates help to protect your endpoints against the latest spyware.
Using the Updates feature, you can:
• View available updates - By default, the Endpoint Security server receives the update information
hourly from the Check Point update server, and makes it available for retrieval by your endpoints. The
update is listed on the Home page and the Client Updates page.
• Specify an automatic client updates schedule - You can specify a schedule for how often the
Endpoint Security server makes the latest update available for endpoint retrieval. (This feature creates
automatic deployment, and does not allow you to test each update on a smaller group.)
• Preview updates with a test group - You can deploy client updates to selected endpoints for testing
before rolling the updates out to all clients. This feature, called staging, allows you to update a select
group of test endpoints. You can then determine if an update is acceptable to you before choosing to
deploy it. (With this option, there is no automatic deployment of updates.)
• Immediately deploy client updates - At any time, you can choose to immediately make the latest
collection of client components available to all clients. This is particularly useful if a virus outbreak
occurs.
Note - Because this method makes the updates available, but does
not require clients to synchronize, it may take up to an hour for all your
endpoints to get the update.
Important - To remove a user from the Test Group, click the Remove
from Group link; do not click the Delete link in the Computer Name
column.
Offline Updates
Offline updates provide remote users with a way to get Anti-virus and Anti-spyware updates without being
connected to your corporate network. Users can get updates from your company server, or they can receive
updates directly from Check Point.
To Set Up Offline Updates:
Go to the Home page and click the View Client Update Settings link.
1. Select the Provide offline users access options.
2. If you are using a proxy server for internet access, make sure you allow traffic to the appropriate update
server:
• Anti-virus update server - http://kav-integrity.zonelabs.com/
• Anti-spyware update server - http://upd.zonelabs.com/zonealarm/online/
When the endpoint computers connect to the server, they automatically receive the latest updates.
Note - Your users must be using the most current version of the Anti-
virus software to use the Check Point servers.
• Event Type - Use to select the type of events to display: Anti-virus, Anti-spyware, WebCheck, or
Summary of all.
• Total Users - Total number of users with detected infections. This number includes users with both
resolved and unresolved infections. Click the number to go to the User Events Report page, which
provides a detailed list of the users.
You can launch SmartPortal for more event reporting: click View Events.
Note - If you are using a Check Point InterSpect™ or VPN-1
UTM/Power gateway, you can also have intra-LAN Cooperative
Enforcement.
If you use an unsupported gateway, Endpoint Security can monitor
client events and the user status, but it will not be able to restrict
access at the gateway level. You must use Enforcement Rules in
conjunction with Restriction Firewall rules to restrict endpoint users.
See Enforcing Endpoint Security (see "Creating Enforcement Rules
as Policy Objects" on page 63).
Note - For all Cisco ASA and Concentrator gateways, choose Cisco
VPN Gateway.
4. Complete the fields with the appropriate information for your gateway.
• SIC Object Name - The Secure Internal Communication ("SIC") Name assigned on the InterSpect
gateway to this Endpoint Security server. The SIC Object Name corresponds to the Name specified in the
InterSpect SmartDashboard.
• SIC Activation Key - The Secure Internal Communication Activation Key assigned on the InterSpect
gateway to this Endpoint Security server. The SIC Activation Key corresponds to the Activation Key
specified in InterSpect SmartDashboard.
• Cisco Public Host Name - The public host name for the Cisco VPN 3000 series concentrator.
• Cisco Private Host Name - The private host name for the Cisco VPN 3000 series concentrator.
• Nortel Public Host Name - The public host name for Nortel Contivity with TunnelGuard.
• Check Point VPN-1 Public Host Name - The public host name for the Check Point VPN-1 gateway.
• VPN-1 Host Name - The IP address or host name for the Check Point VPN-1 UTM/Power gateway.
• RADIUS client IP Address - The IP address of the RADIUS proxy, if you use one.
• Primary RADIUS Authentication Port - The port on which the primary RADIUS server listens.
• EAP Type - The EAP type. Default is 44. If your NAS filters out EAP type 44, use a lower number,
ensuring that you specify the same number on the Endpoint Security client.
• Compliant VLAN - Use this field to specify the VLAN that should be accessible to compliant users, if you
are not using a RADIUS attribute to do so.
• Compliant Filter - Use this field to specify the Filter ID, if you are not using a RADIUS attribute to do so.
Note that the filter should not block HTTP port 8443 or UDP port 6054.
• Restrict VLAN - The number for the restricted VLAN (optional). If there is no restricted VLAN, leave this
field blank. Note that, if there is another Endpoint Security server on the VLAN, the user receives the
policy of that Endpoint Security server. Users who visit the VLAN will not be able to reconnect to the
internal network via the wireless access point if Reject Connections on Non-Compliance is selected.
Note that, for Cisco devices, you must specify the VLAN name instead of the ID.
• Restrict Filter - The filter name for the VLAN (optional). If there is no VLAN or if the VLAN does not have
a filter, leave this field blank. Note that the filter should not block HTTP port 8443 or UDP port 6054.
Providing Information About Your Security Policy
Users are less likely to be confused and place unnecessary help desk calls if they understand clearly any
corporate policy changes entailed by Endpoint Security deployment. For example, you may want to inform
users if:
• Endpoint Security is a corporate requirement on all company computers
• Users that are out of compliance with enforcement rules are restricted
• Specific programs are required or prohibited by your policy.
• Specific programs are no longer allowed Internet access or may be terminated (for example, media
players or music file sharing tools).
Be as specific as possible. For example, if your enforcement rules will require a certain Anti-virus program,
be sure to say which one and which version, and provide information and resources so that users can
become compliant with the rule in advance and without support.
It is recommended that you continuously provide information to endpoint users about Endpoint Security and
your security policy. You should provide information and instructions whenever you make a significant
change to your security Policies that will affect the user experience. This is especially true for changes that
tighten your security policy, as they may impact availability for the user. You should also make sure that the
information you provide is readily available, especially to new users.
Documentation
Make sure that your help desk staff have all the relevant Endpoint Security documentation available. You
may also want to provide them with a list of common programs you have prohibited and programs that your
policy requires.
Training
You should give your help desk staff at least basic training in the Endpoint Security system. You may want
to have them perform some basic policy deployments in a pilot environment so they can become familiar
with how Policies affect the endpoint user.
Your help desk staff should also be familiar with how to upload Endpoint Security Client diagnostic
information.
VPN Options
You can choose to include Virtual Private Network (VPN) capability with your Agent or Flex client installation
package. By providing a secure VPN for your endpoint users, you give them remote access to your network
while also administering high levels of privacy and authentication.
This feature combines VPN capability with the security protection of the Endpoint Security client. By using
this feature in combination with Enforcement rules, you have the option of controlling access at the VPN
gateway based on the presence or absence of certain software. This VPN functionality is designed to work
with the Check Point VPN-1 gateway, so you need the VPN-1 gateway installed on your network before
packaging and deploying VPN packages.
Installation Options
Important - It is highly recommended that you create a unique install
key (rather than use the default key) in client installation packages.
This prevents endpoint users from guessing the key and uninstalling
the client. Allowing endpoint computers that are not protected by a
client to connect to your network is a security risk.
If you do not set a unique install key and are using a supported
gateway, it is highly recommended that you use the gateway to restrict
or terminate the connection if the client is not running. This prevents
the endpoint user from removing the client and then connecting to your
network while unprotected. See Gateways and Cooperative
Enforcement (on page 120).
Connection Information
It is essential that the clients have the connection information they need to contact the Endpoint Security
server. The necessary connection information for the Endpoint Security server is provided by default. You
can also manually change this information or import configuration files (config.xml) from another server.
If you change the connection information for your Endpoint Security server, you must distribute new
package files with the new server's connection information.
User Identification
You can assign a Single Sign On ID or a User ID to your endpoint computers as part of the client package.
A Single Sign On ID allows endpoint users to sign on once per start up.
A User ID allows you to add users to custom catalogs by that name. If you want to include the endpoint
computers that receive this package in a custom catalog, type the catalog name and, optionally, the group
name in the User ID field.
Use the following format: manual://<Catalog_Name>/<Group_Name>
When the endpoint computers that receive this package connect to the Endpoint Security server, they will
become members of the catalog and group you specified here.
Note - If you are creating a client package to use with the auto-
upgrade feature (and if you are using a different Endpoint Security
server than you used for the initial deployment) and you want to view
installation results in the auto-upgrade report, then you must use the
same user ID (connection string) for the upgraded client package as
you used for the initial client deployment.
Custom Parameters
A Custom Parameter field is included in the Advanced Settings of the client packager. In this field you can
enter commands to further refine installer behavior.
To enter custom parameters, use the <parameter>=<value> format.
To specify multiple custom parameters, separate each with a space.
For example:
RESETVPNCONFIG=YES FORCEREBOOTDIALOG=YES
Important - Do not click the Open button as the executable will install
on the console of the administrator.
You can now use whichever distribution method you choose to distribute the Endpoint Security client
package to your endpoint users.
To convert the client package .exe file to an MSI file:
1. Go to the directory to which you saved the .exe file.
Example:
cd c:\downloads
2. Run the .exe package installer with the parameter msi.
For example:
<client package filename>.exe msi
The directory now contains a new file called <client package filename>.msi, which you can use to
perform GPO or third-party deployments of the client.
Command-Line Syntax
The following is the general form for the installation command lines.
<client package msi filename> /<MSI Switches> <Installation Parameters>
Example:
<client package filename>.msi INSTALLPASSWORD=psswrd
Note the following when creating your command lines.
• Endpoint Security client parameters must be in uppercase.
• If an Endpoint Security client parameter or MSI switch value includes a space, it must be enclosed in
escape quotes.
Note - The syntax used for the command lines in this chapter may
differ from the command lines that you used in previous versions.
Always use the documentation that is for the software version you are
using.
MSI Switches
The installer supports all the standard MSI switches, except /j and /p. See the MSI documentation for more
information about these switches. MSI Switches are provided for your convenience when working with the
most common switches.
Switch Description
For a list of all error codes, see the Microsoft MSDN article on Windows Installer Error Codes
(http://msdn.microsoft.com/en-us/library/aa368542(VS.85).aspx).
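The following Python helper is an added example for this section; it is not part of the guide or of the client installer. It assembles an install command line while applying the rules stated above: parameter names must be uppercase, a switch or parameter value containing a space is enclosed in quotes, and the standard MSI switches are accepted except /j (including its /ju and /jm advertise forms) and /p. INSTALLPASSWORD is the parameter the guide names; /qn and /l*v are standard msiexec switches; the package file name, log path and CUSTOMPARAM in the sample call are placeholders.

```python
"""Build and check an Endpoint Security client install command line.

Added example for this guide, not Check Point code. Rules applied:
- client parameter names are uppercase,
- values containing a space are enclosed in double quotes,
- every standard MSI switch is accepted except /j (/ju, /jm) and /p.
"""
import re
from typing import Dict, List, Sequence

UNSUPPORTED_SWITCHES = {"/j", "/ju", "/jm", "/p"}   # not accepted by this installer
PARAM_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")         # client parameters are uppercase


def quote_if_needed(value: str) -> str:
    """Enclose a value in double quotes when it contains a space."""
    if " " in value and not (value.startswith('"') and value.endswith('"')):
        return f'"{value}"'
    return value


def is_supported_switch(token: str) -> bool:
    """False for the MSI switches the client installer does not support."""
    return token.lower() not in UNSUPPORTED_SWITCHES


def param_problems(params: Dict[str, str]) -> List[str]:
    """List every parameter name that breaks the uppercase rule."""
    return [f"{name}: client parameter names must be uppercase"
            for name in params if not PARAM_NAME.match(name)]


def build_install_command(msi_file: str, switches: Sequence[str],
                          params: Dict[str, str]) -> str:
    """Return '<package>.msi <switches> <PARAM=value ...>' as one command line.

    Switch arguments (for example the log path after /l*v) are passed as
    separate tokens so that each can be quoted independently.
    """
    if not msi_file.lower().endswith(".msi"):
        raise ValueError("expected the .msi produced by '<package>.exe msi'")
    bad = [s for s in switches if not is_supported_switch(s)]
    if bad:
        raise ValueError(f"unsupported MSI switch(es): {' '.join(bad)}")
    problems = param_problems(params)
    if problems:
        raise ValueError("; ".join(problems))
    parts = [quote_if_needed(msi_file)]
    parts.extend(quote_if_needed(s) for s in switches)
    parts.extend(f"{name}={quote_if_needed(value)}" for name, value in params.items())
    return " ".join(parts)


if __name__ == "__main__":
    # Placeholder file name and log path; INSTALLPASSWORD is the guide's parameter.
    print(build_install_command(
        "EndpointClient.msi",
        ["/qn", "/l*v", r"C:\Program Files\eps-install.log"],
        {"INSTALLPASSWORD": "psswrd"}))
```

Because the install key travels on the command line, it is visible in process listings and in any deployment or logging tool that records command lines; keep the generated command lines and GPO scripts as protected as the key itself.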
Uninstalling Clients
Use these instructions to uninstall Endpoint Security clients on a large number of endpoint computers. You
must have administrator privileges to uninstall Endpoint Security clients.
To specify Office Awareness Servers:
1. If you are in Multi-Domain mode, switch to the System Domain.
2. Click Client Configuration.
3. In the Office Awareness area, click Edit.
4. Add the servers you want to use.
Options:
• All of these servers are found - Select this option to keep enforcing the connected policy only when the
Endpoint Security client can contact all the specified servers.
• Any of these servers are found - Select this option to keep enforcing the connected policy when the
Endpoint Security client can contact any one of the specified servers.
5. Click Save.
Beacon Details
A Beacon server is any HTTP server with port 2100 configured as SSL that is bound to a well-known
certificate. The certificate must contain the root CA that is generated by Smart Center at its initial install. This
CA is also contained in all Endpoint client packages, allowing for Beacon authentication.
An Endpoint Security Server consists of three major components:
• Security Management Server (or remote Smart Center)
• Check Point Apache server
• Check Point Tomcat server
The Apache server in every Endpoint Security server installation (either active or standby) is also a Beacon
server. This section describes the installation of a standard Standby Endpoint Security server and
modifications to result in an installed standalone Beacon server.
Establishing Communication
To establish a secure communication channel between SmartCenter and the Beacon server:
1. From SmartDashboard, connect to your Security Management Server.
2. Right-click the checkpoint Network object and select New Check Point > Host.
3. Provide a name for the Beacon server and its IP address.
4. Click Communication and enter the Secure Internal Communication Activation Key that you created
when you installed the Beacon server.
5. Click Initialize.
6. Select Integrity Server in the Check Point Products list.
7. Click OK.
8. Select Policy > Install Database.
9. Click OK.
10. Reboot the Beacon server.
The Beacon server is now fully configured. You must now register the Beacon server with the Endpoint
Security server.
Deployment Workflow
To successfully deploy Endpoint Security Agent for Linux to endpoint computers on your Endpoint Security-
protected network, perform the procedures below in order. Each phase of the deployment process is
dependent on the items you verified or configured in the previous phase.
To deploy Endpoint Security Agent for Linux:
1. Create a user catalog and group for the protected Linux computers.
See Linux Groups (see "Managing Linux Groups" on page 146).
2. Create and assign a connected enterprise policy to the Linux user group.
3. First see Supported Policy Settings (on page 147), for information about supported policy settings.
4. Create and export a disconnected policy for Endpoint Security Agent.
5. Install Endpoint Security Agent for Linux on the endpoint computers.
See Installation (see "Installation of Client on Linux" on page 149).
6. Customize Endpoint Security Agent for Linux (optional).
See Customizing the Endpoint Security Agent Configuration (on page 154).
• Reducing policy size: The Linux version of Endpoint Security Agent does not use program control, so
you can reduce your policy size for Linux users by disabling program control in the policy you define for
them. Disabling program control reduces the policy size by up to 80% by excluding the program list from
the policy. Reducing the policy size may decrease your bandwidth requirements.
To assign an enterprise security policy to Linux users, create a user catalog group. Endpoint Security Agent
users get the policy assigned to their user catalog. Linux users who are not identified as being part of that
user catalog get the Default Policy.
To manage Linux computer groups:
1. Go to the Endpoint Manager page, and select New Catalog > Custom.
The New Custom Catalog page appears.
2. Complete fields for the custom catalog.
3. Click Save.
4. Select the catalog you created and click New Group.
5. Complete fields for the user group.
6. Click Save.
7. Set the cm_auth parameter to the catalog and group you created.
• Log into the Linux system and open a terminal window.
• Change the directory to /usr/local/ilagent/etc
• Open ilagent.conf.
• Change the value of the cm_auth parameter and save the file.
• Restart Endpoint Security Agent.
8. Add the userID attribute in the policy.xml file to the user catalog you created, and deploy that package to
Linux users only.
Note - Endpoint Security Agent for Linux does not support Office
Awareness.
The disconnected Endpoint Security Agent for Linux policy is centrally created but can only be managed on
the protected computer. You can configure Endpoint Security Agent to enforce this policy when the
protected computer is not connected to the Endpoint Security server.
• When the protected computer connects to the Endpoint Security server. On connection, Endpoint
Security Agent loads and enforces the enterprise policy deployed by the server.
• When the protected computer is connected and receives a different enterprise policy from Endpoint
Security server. Endpoint Security Agent loads and enforces the new enterprise policy. The iptables
settings are overwritten by the new policy.
Note - Endpoint Security Agent for Linux does not display any alerts to
the user upon enforcement.
Installation Methods
Use the installation method that is best for your environment.
• Installation script - This method requires manual input, but allows administrators to customize settings.
See Installing using the installation script (see "Installing with Installation Script" on page 150).
• Custom build an RPM file for your environment - This method decreases the work involved with
large deployments by allowing you to install Endpoint Security Agent without having additional
configuration steps. However, it also requires that protected computers have the same configuration and
requires the use of Endpoint Security Agent default configuration settings. For example, use this method
to install Endpoint Security Agent on ten computers that have the same disconnected policy. You can
install Endpoint Security Agent on all their computers using the same customized RPM file. See
Installing using the Endpoint Security Agent RPM (on page 151).
• Pre-configured RPM file - This method allows you to perform large Endpoint Security Agent
deployments using RPM package manager without creating a customized installation RPM. It has two
post installation configuration steps. For example, use this installation method when you have a few
computers that you want to run Endpoint Security Agent on. See Installing using the Endpoint Security
Agent RPM (on page 151) and Building a customized RPM (on page 152).
Use the following command line switch to silently run the installation.
Option Description
Note - To execute the script in silent mode and use the default
settings in step 7, type the following command.
[root@localhost root] # ./avalon-x.x.xxx.x.bin --silent
The installation script detects the operating system and directory structure.
Found RedHat OS
Checking for iptables executables...
Checking for iptables filter table...
Checking for LOG iptables target...
Found LOG target
Checking for ULOG iptables target...
Found ULOG target
Checking for /proc/net/dev ...
Checking for /dev/random ...
Checking for /dev/null ...
5. When prompted, enter the Endpoint Security server Connection Manager (CM) address:
https://225.225.225.225/cm
6. When prompted, enter the catalog, group, and user information with the auth path:
manual://<catalog>/<Group>/<user>
7. Provide the local Endpoint Security Agent information.
• Enter the directory where you want Endpoint Security Agent to be installed.
Please enter target directory [default /usr/local/ilagent]:
• Type Y to run Endpoint Security Agent in jail or N to run Endpoint Security Agent unprotected.
Chroot ilagent daemon to target directory? [y/n, default Y]: Y
Checking for installed ilagent...
• For first time installations, you are prompted to create Endpoint Security Agent directories.
ir /usr/local/ilagent/bin does not exist. Create? [y/n, default Y]: Y
Automatically create all dirs? [y/n, default Y]: Y
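The connection string entered in step 6 above has the same form as the User ID field described under User Identification (manual://<Catalog_Name>/<Group_Name>) and as the cm_auth value in ilagent.conf, with an optional trailing user component. The following Python code is an added example, not part of the guide or of the agent: it parses and builds such strings so that a typo in a package or in cm_auth is caught before deployment. The guide defines only the scheme and the component order; the rules that components may not be empty or contain a slash are assumptions of this example.

```python
"""Parse and build Endpoint Security 'manual://' connection strings.

Added example, not Check Point code. Format from the guide:
  manual://<Catalog_Name>/<Group_Name>          (Windows packager User ID)
  manual://<catalog>/<Group>/<user>             (Linux installer auth path)
Group and user are optional. Assumption of this example: components
may not be empty and may not contain '/'.
"""
from dataclasses import dataclass
from typing import Optional

SCHEME = "manual://"


@dataclass(frozen=True)
class AuthPath:
    catalog: str
    group: Optional[str] = None
    user: Optional[str] = None


def parse_auth_path(value: str) -> AuthPath:
    """Split a manual:// string into catalog, group and user.

    Raises ValueError for anything that does not follow the format.
    """
    if not value.startswith(SCHEME):
        raise ValueError(f"auth path must start with {SCHEME!r}: {value!r}")
    rest = value[len(SCHEME):]
    parts = rest.split("/")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"expected catalog[/group[/user]], got {rest!r}")
    if any(p == "" for p in parts):          # catches 'manual://Cat//user' and 'manual://Cat/'
        raise ValueError(f"empty component in auth path {value!r}")
    catalog, *tail = parts
    group = tail[0] if len(tail) >= 1 else None
    user = tail[1] if len(tail) == 2 else None
    return AuthPath(catalog, group, user)


def build_auth_path(catalog: str, group: Optional[str] = None,
                    user: Optional[str] = None) -> str:
    """Inverse of parse_auth_path; a user component requires a group."""
    if user is not None and group is None:
        raise ValueError("a user component requires a group component")
    parts = [p for p in (catalog, group, user) if p is not None]
    for p in parts:
        if p == "" or "/" in p:
            raise ValueError(f"invalid component {p!r}")
    return SCHEME + "/".join(parts)


def is_valid_auth_path(value: str) -> bool:
    """Convenience check for scripts that validate cm_auth before restarting the agent."""
    try:
        parse_auth_path(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed catalog and group names, not values from the guide.
    print(build_auth_path("LinuxAgents", "WebServers"))
    print(parse_auth_path("manual://LinuxAgents/WebServers/jdoe"))
```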
Note - You can log into the Endpoint Security server administration
console from the computer where you are creating the Endpoint
Security Agent RPM, then export the disconnected policy directly to
the /tmp directory.
Note - You can also use the upgrade command, to change the
disconnected policy or Endpoint Security server Connection Manager
address. First build a new RPM using the new IP address or
disconnected policy, then follow the instructions in this section.
Note - If you run the Endpoint Security Agent or IPtables in jail, make
all paths relative to chroot_path.
ipt_drop_log_chain - Chain where packet logging and dropping rules are placed
Introduction to Licensing
All installations require a client license, which allows you to run clients on your endpoints. Optionally, you
can also purchase licenses for special Endpoint Security features. The following licenses are available for
Endpoint Security:
• Clients—Permits a specified number of endpoints to run the client. This license is required.
• Smart Defense Program Advisor—Permits Endpoint Security to receive the latest Program Advisor
updates. The license is good for an unlimited number of endpoints.
• Check Point Anti-spyware (endpoints)—Permits a specified number of endpoints to use Check Point
Anti-spyware.
• Check Point Anti-spyware (updates)—Permits the Endpoint Security server to receive the latest Anti-
spyware updates.
• Check Point Anti-virus (endpoints)—Permits a specified number of endpoints to use Check Point
Anti-virus.
• Smart Defense Anti-virus (updates)—Permits Endpoint Security to receive the latest Anti-virus
updates.
You can obtain these licenses from the Check Point User Center or from your Check Point representative.
You must install and attach Endpoint Security licenses with one of the Check Point license management
tools: SmartUpdate, the cplic command, or (for local licenses only) the Check Point Configuration Tool. (For
information on these options, see Attaching Licenses.)
After a feature has been enabled on the Endpoint Security server, you can incorporate that feature into
security Policies, which you can then deploy to clients. An endpoint computer's active policy controls which
features are enabled on that endpoint.
For complete details on all licensing options and enforcement behaviors, contact your Check Point
representative.
For the Endpoint Security clients license, the Endpoint Security server checks for the maximum number of
endpoints that connected during the last 24 hours. This check runs every 24 hours after the server starts. If
your installation exceeds the number of allowed endpoints, the Endpoint Security server goes into read-only
mode. Your endpoints are still protected by their existing Policies, but you will be unable to make changes
until you enter your new license through SmartUpdate. Contact your Check Point representative to get a
new license and restore editing privileges.
While you are waiting for your new Endpoint Security clients license, you can use a trial license. Contact
your Check Point representative to obtain a trial license.
If a feature license expires, Endpoint Security either disables editing privileges or prohibits administrator
access to the feature.
Generating Licenses
Check Point provides certificate keys for each license you purchase. Use the certificate keys to generate
licenses.
To generate a license:
1. Gather the Certificate key and the Host IP address (for central licenses, use the SmartCenter Server
host IP address).
2. Log in to the Check Point User Center (www.checkpoint.com/usercenter) and navigate to the Getting
Started page.
3. Follow the User Center instructions for generating a license.
4. Use SmartUpdate or the cplic command-line tool to attach licenses to your installations (see the
documentation of these products).
Version Information
It is important to know the version of your Endpoint Security server. This helps you to make sure you are
using the correct documentation, the correct versions of the Endpoint Security clients, and is useful if you
need to contact support.
To view your version information, click About.
Managing Communication
Use the instructions in this section to manage communication between the Endpoint Security server, the
Endpoint Security clients, other Check Point products, and the Internet.
Windows Firewall
Microsoft Windows XP with SP2 includes an integrated personal firewall. However, Check Point
recommends that only one firewall be run on an endpoint computer. Microsoft has made a similar
recommendation. You can configure the Endpoint Security client to shut down the Windows firewall using
the Microsoft-provided API, and to restart the Windows firewall if the Endpoint Security client is shut down.
Whether SP2 is installed on a computer already running Endpoint Security client version 5.0.556.144 or
later, or the Endpoint Security client is installed on an endpoint that already has SP2 installed, the behavior
is similar:
• Endpoint Security will shut down the Windows firewall after the post-SP2 installation restart.
• If the Endpoint Security client is shut down after SP2 is installed, the client notifies Windows that it is
being shut down, and Windows restarts the Windows Firewall.
• If the Endpoint Security client is restarted, the Windows Firewall is again shut down.
If a user or administrator re-enables the Windows Firewall while the Endpoint Security client firewall is
running, they should coexist without problems, as the two firewalls operate on different system levels.
To disable Windows Firewall:
1. Click Policies.
2. Under the policy you want, click Edit.
3. Open the Client Settings tab.
4. In the General Connections Settings area, choose Disable the Windows Firewall.
5. Save and deploy the policy.
Proxy Configuration
If you plan to use the Program Advisor feature, Anti-spyware, or Anti-virus features in an environment that
includes a proxy server for Internet access, perform the configuration steps below to let Endpoint Security
connect to Check Point's central servers (containing Program Advisor settings or Anti-spyware/Anti-virus
definitions) through the proxy server. Note that all configuration entries are case-sensitive.
You can perform these steps when enabling Program Advisor, Anti-spyware or Anti-virus.
To configure a proxy server in Windows:
1. Open the Registry Editor (regedit.exe).
2. Edit "My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0
\IntegrityTomcat\Parameters\Java\options" by adding the following:
-DproxySet=true
-Dhttp.proxyHost=<hostname>
-Dhttp.proxyPort=<port>
-Dhttps.proxyHost=<hostname>
-Dhttps.proxyPort=<port>
3. Close the Registry Editor.
4. Open the Services panel.
5. Stop the "Check Point Tomcat" service, and then restart it.
To configure a proxy server (in a standard Linux installation):
1. Edit ~/engine/bin/catalina.sh, replacing the line:
JAVA_OPTS="-Xms256M -Xmx512M -Djava.awt.headless=true"
with the line:
Note - If you are migrating from Integrity 5.x do not run these utilities
until you have logged into the Endpoint Security server to complete the
migration.
Restart Endpoint Security.
Certificate Management
Endpoint Security allows you to include a certificate in your client package.
Use certificates in your package to prevent other servers from masquerading as your Endpoint Security
server, compromising your security. The clients validate the server certificate when synchronizing with the
server.
You can include the self-signed certificate that is automatically created during install, or you can use a
Certificate Authority certificate. In most implementations, you will only need a self-signed certificate. The
Endpoint Monitor Report page in the Administrator Console allows you to conveniently manage your
certificates.
You should only include certificates in your client package after you have completely set up your Endpoint
Security server. If you change the server after deploying the packages with certificates, your endpoint users
will be unable to connect.
Heartbeats
After a sync has occurred between the Endpoint Security server and a client, a heartbeat regularly occurs
based on the interval specified by the administrator. Heartbeats occur over TCP on port 80. Heartbeats
contain various pieces of information concerning the status and compliance state of the endpoint computer.
This information is stored in the datastore and is used for the Endpoint Monitor report.
To change the heartbeat interval:
1. Click Client Configuration.
2. Click Edit.
3. In the Heartbeat area, enter the interval in the Interval (Secs) field.
4. Click Save.
Client Logging
Use the client logs to troubleshoot issues with your clients. Your endpoint users can use the Client
Diagnostic Utility to gather the most commonly needed logs. Your endpoint users will need to have
permissions to modify registry keys.
To log client events:
1. On the endpoint computer, go to the C:\program files\checkpoint\Integrity Client folder.
2. Double click the TVDEBUG.REG file and allow it to add information to the registry.
This enables debug logging.
3. Reboot to have the settings take effect.
4. Have the endpoint user recreate the problem and note the time that it occurred.
The endpoint user can now use the log upload utility to gather the relevant logs into one file.
Managing Data
Use the instructions in this section to manage the data for your Endpoint Security system in Multi-Domain or
Single-Domain mode. (This section is not relevant to Simple mode.)
Note - For Endpoint Security to write to a text file, you must give
the user at least read/write permission to the directory and text file,
whether the file is stored on the local host or a mounted drive. If the
user does not have permission to write to the file or an invalid path
is entered, errors occur each time the server tries to write to the file.
Event Classes - Select All - Select all the event classes you want to send to the recipient list. Note that you
can set up separate recipient lists for different event types.
Note - You may want to set up two events for the Log Upload System,
one that sends warning level messages to administrators specifically
assigned to the affected area, and another to a broader group who
would be affected by a complete failure.
Log Levels - Warn and Error - Specifies the type of event to send.
Event Classes - Log Upload System - Specifies the type of message to send.
Server host - Host name or IP address of the SMTP mail server - Specifies the server Endpoint Security will
use to send messages.
Log Levels - Warn, Error, and Fatal - Specifies the types of events to log. It is recommended to log all these
event types.
Server hostname - Host name or IP address of syslog server - Specifies the server Endpoint Security will
use to send messages. (For example, use 127.0.0.1 to store locally.)
Trap Formats
Traps include a header and a message. All traps have a common header, as all are generated by Endpoint
Security. Here is an example trap showing administrator login:
[public] [1.3.6.1.4.2620] [enterprise] [2734006] [127.0.0.1] [6]
[1234567] [Ver1] [1.3.6.1.4.1.2620.1.27.160] [2005-08-23 14:47:12, 719,
INFO, [logInfoQueue-HQs:1] , [root] , [AdminLogin] Administrator Login,
ADMIN=masteradmin, SESSION_IP=209.87.212.91]
The trap header begins with [public] and ends with the event OID, [1.3.6.1.4.1.2620.1.27.160].
The message begins with the event time, [2005-08-23 14:47:12] and continues to the end of the trap.
The trap header consists of the following:
• [public]—a community string
• [1.3.6.1.4.2620] [enterprise]—the enterprise OID
• [2734006]— ???
• [6]— ???
• [127.0.0.1]— ???
• [Ver1] [1.3.6.1.4.1.2620.1.27.160]—the version and the complete event OID
The message body consists of the following:
• 2005-08-23 14:47:12—the event time
• 719— ???
• INFO—the event level
• [logInfoQueue-HQs:1]—the class name
• [root]—the log4j appender level
• [AdminLogin] Administrator Login, ADMIN=masteradmin,
SESSION_IP=209.87.212.91—the body of the message. It shows information about the
administration login.
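The following Python parser is an added example for this section, not part of the guide or of the Endpoint Security server. It splits a trap into the header groups and the message described above, keeping the header fields the guide does not explain as raw strings rather than naming them, and pulls the key=value pairs (ADMIN, SESSION_IP) out of the message body. The sample input is the guide's own trap; the allow-list of administrator source addresses in flag_suspicious_logins is an assumption of this example, shown because AdminLogin traps from an unexpected address are the kind of event a SOC would route to a receiver.

```python
"""Parse the Endpoint Security SNMP trap format.

Added example, not Check Point code. Input is the guide's sample trap
(constructed here as one string). The four header groups the guide does
not explain are kept verbatim in header_raw; the numeric field after the
event time is kept as unlabelled_number for the same reason.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

SAMPLE_TRAP = (
    "[public] [1.3.6.1.4.2620] [enterprise] [2734006] [127.0.0.1] [6] "
    "[1234567] [Ver1] [1.3.6.1.4.1.2620.1.27.160] [2005-08-23 14:47:12, 719, "
    "INFO, [logInfoQueue-HQs:1] , [root] , [AdminLogin] Administrator Login, "
    "ADMIN=masteradmin, SESSION_IP=209.87.212.91]"
)

# time, unlabelled number, level, class name, appender, event name, free text
MESSAGE_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?P<num>\d+), "
    r"(?P<level>[A-Z]+), \[(?P<cls>[^\]]*)\] , \[(?P<appender>[^\]]*)\] , "
    r"\[(?P<event>[^\]]*)\] (?P<body>.*)$"
)


@dataclass
class Trap:
    community: str
    enterprise_oid: str
    version: str
    event_oid: str
    header_raw: List[str]       # header groups the guide leaves unexplained
    time: str
    unlabelled_number: str
    level: str
    class_name: str
    appender: str
    event: str
    description: str
    fields: Dict[str, str] = field(default_factory=dict)


def split_bracket_groups(text: str) -> List[str]:
    """Return the contents of each top-level [...] group, honouring nesting."""
    groups, depth, start = [], 0, -1
    for i, ch in enumerate(text):
        if ch == "[":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ']' in trap")
            if depth == 0:
                groups.append(text[start:i])
    if depth != 0:
        raise ValueError("unbalanced '[' in trap")
    return groups


def parse_trap(text: str) -> Trap:
    """Parse one trap: nine header groups followed by one message group."""
    groups = split_bracket_groups(" ".join(text.split()))   # normalise line wraps
    if len(groups) != 10:
        raise ValueError(f"expected 9 header groups and 1 message, got {len(groups)}")
    header, message = groups[:9], groups[9]
    if header[2] != "enterprise":
        raise ValueError("third header group should be 'enterprise'")
    m = MESSAGE_RE.match(message)
    if not m:
        raise ValueError(f"unrecognised message body: {message!r}")
    description, fields = "", {}
    for item in m.group("body").split(", "):
        key, sep, val = item.partition("=")
        if sep:
            fields[key] = val          # ADMIN=..., SESSION_IP=...
        else:
            description = item         # "Administrator Login"
    return Trap(
        community=header[0], enterprise_oid=header[1], version=header[7],
        event_oid=header[8], header_raw=header[3:7],
        time=m.group("time"), unlabelled_number=m.group("num"),
        level=m.group("level"), class_name=m.group("cls"),
        appender=m.group("appender"), event=m.group("event"),
        description=description, fields=fields,
    )


def flag_suspicious_logins(traps: Iterable[Trap], allowed_sources: set) -> List[str]:
    """AdminLogin traps whose SESSION_IP is outside the (assumed) admin allow-list."""
    flagged = []
    for t in traps:
        if t.event == "AdminLogin":
            ip = t.fields.get("SESSION_IP", "")
            if ip not in allowed_sources:
                flagged.append(f"{t.time} {t.fields.get('ADMIN', '?')} from {ip}")
    return flagged


if __name__ == "__main__":
    trap = parse_trap(SAMPLE_TRAP)
    print(trap.event, trap.fields)
    print(flag_suspicious_logins([trap], {"10.0.0.5"}))   # constructed allow-list
```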
Linux Configuration
In Linux, SNMP traps sent from the Endpoint Security server are logged to /var/log/messages file but the
messages are in hex codes. You must enable SYSLOG and SNMP Traps in Linux by issuing the following
commands:
Command Description
Managing Events
This section explains how to manage event logs and messages in the Endpoint Security Administrator
Console.
Deleting Events
Deleting an event from Endpoint Security completely removes it from the system. Endpoint Security
immediately stops recording and sending events from the local host.
Log Purging
You can configure Endpoint Security to purge the logs used for reports from the Endpoint Security
Administrator Console. Purges happen daily, at the time you specify. The amount of time required for the
purge depends on the number of files, but generally will not exceed half an hour.
To purge logs:
1. If you are in Multi-Domain mode, switch to System Domain.
2. Click System Configuration > Server Settings > Edit.
The Server Settings page opens.
3. Click Edit.
4. In the Database Purge Settings area, set the time for the purge.
5. Click Save.
Page Name: Ports and Protocols Manager
Location: Policies | Manage Policy Objects | Ports & Protocols
Commands
The VPN engine commands can be used to generate status information, stop and start services, or connect
to defined sites using specific user profiles. Typically, endpoint users do not need to open a command
prompt and use these commands, but you may wish to include the commands in a script that you transfer to
remote users. This is a way to expose VPN engine operations (such as Connect/Disconnect) to external
third party applications via scripting.
The general format for VPN engine commands is:
C:\> scc <command> [optional arguments]
scc connect - Connects to the site using the specified profile, and waits for the connection to be
established. In other words, the OS does not put this command into the background and execute the next
command in the queue.
• IP addresses are separated by an ampersand and hash symbol (&#)
• The last IP address in the list is followed by a final &#.
5. Install a policy.
How it works
• On the Endpoint Security Server, the administrator configures an Endpoint Security Policy with
Enforcement Rules. The endpoint machine receives this policy from the server, and must fulfill these
conditions to be considered compliant.
• When the VPN Client connects to the security gateway, attempting to open a connection to resources
within the VPN domain, the gateway requests the Client's SCV compliance status.
• Using the SCV protocol, the Client sends its status to the VPN gateway. The status is whether the client
complies with the enforcement rules defined in the Endpoint Security policy.
• The gateway receives the status. According to the client's state, the gateway allows or blocks the
connection.
• General Enforcement - Enforcement rules that require or prohibit a specific file, program, or registry key.
• Anti Virus Enforcement - Requires a specific anti-virus program version and configuration to be present
on the endpoint.
• Client enforcement - Requires the Endpoint Client to be a specific Secure Access flavor (agent/flex) and
client version.
Enforcement rules are implemented on the client side. In the policy administrator, configure actions for the
client to take when the endpoint becomes non-compliant.
• The client can be set to Observe, Warn, or Restrict computers that are out of compliance.
• If the enforcement rule is set to Warn or Observe, the action takes place immediately.
• If the enforcement rule is set to Restrict the action takes place after the endpoint computer has been
out of compliance for the specified number of heartbeats. For a restricted computer, configure Policy
Restrictions. For example if a computer is restricted because of an out of date anti-virus program, the
computer can be restricted to specific subnets within the larger corporate network.
• Set up remediation resources for endpoints that Endpoint Security has warned or restricted. Warned
users must apply the remediation resources manually. Restricted users can apply the resources
manually or you can configure Endpoint Security to run the resources automatically.
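The following Python model is an added example for this section, not part of the guide or of the client. It replays a sequence of heartbeats against a set of enforcement rules and applies the timing described above: Observe and Warn act on the first non-compliant heartbeat, while Restrict acts only after the endpoint has been out of compliance for the configured number of heartbeats. The rule names, the heartbeat threshold and the compliance results are constructed; the guide does not describe the client's internal bookkeeping, so the choices that a compliant heartbeat resets the count and that the restriction lifts once no Restrict rule is still failing are assumptions of this model.

```python
"""Model Observe / Warn / Restrict enforcement timing across heartbeats.

Added example, not Check Point code. Assumptions (not stated in the guide):
a compliant heartbeat resets a rule's non-compliance count, and the
restricted state lifts once no Restrict rule is still failing.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Action(Enum):
    OBSERVE = "observe"    # record the violation only
    WARN = "warn"          # tell the user, immediately
    RESTRICT = "restrict"  # apply Policy Restrictions after N heartbeats


@dataclass
class EnforcementRule:
    name: str
    action: Action
    restrict_after_heartbeats: int = 1   # used by RESTRICT rules only


@dataclass
class EndpointState:
    # rule name -> consecutive heartbeats on which the endpoint failed that rule
    noncompliant_streak: Dict[str, int] = field(default_factory=dict)
    restricted: bool = False


def on_heartbeat(state: EndpointState, rules: List[EnforcementRule],
                 compliance: Dict[str, bool]) -> List[str]:
    """Apply one heartbeat's compliance results and return the actions taken.

    compliance maps rule name -> True when the endpoint satisfies the rule.
    A rule missing from the map is treated as failed.
    """
    actions: List[str] = []
    restrict_now = False
    for rule in rules:
        if compliance.get(rule.name, False):
            state.noncompliant_streak[rule.name] = 0      # assumption: streak resets
            continue
        streak = state.noncompliant_streak.get(rule.name, 0) + 1
        state.noncompliant_streak[rule.name] = streak
        if rule.action is Action.OBSERVE:
            actions.append(f"observe:{rule.name}")
        elif rule.action is Action.WARN:
            actions.append(f"warn:{rule.name}")
        elif streak >= rule.restrict_after_heartbeats:
            restrict_now = True
            actions.append(f"restrict:{rule.name}")
        else:
            actions.append(f"pending:{rule.name} {streak}/{rule.restrict_after_heartbeats}")
    state.restricted = restrict_now                        # assumption: lifts when compliant again
    return actions


def simulate(rules: List[EnforcementRule],
             heartbeats: List[Dict[str, bool]]) -> List[Tuple[List[str], bool]]:
    """Run heartbeats against fresh state; return (actions, restricted) per heartbeat."""
    state = EndpointState()
    return [(on_heartbeat(state, rules, hb), state.restricted) for hb in heartbeats]


if __name__ == "__main__":
    # Constructed rules: an anti-virus rule that restricts after 3 heartbeats,
    # and a file rule that only warns.
    rules = [EnforcementRule("av-current", Action.RESTRICT, 3),
             EnforcementRule("hosts-file", Action.WARN)]
    beats = [{"av-current": False, "hosts-file": True}] * 3 + \
            [{"av-current": True, "hosts-file": False}]
    for i, (actions, restricted) in enumerate(simulate(rules, beats), 1):
        print(f"heartbeat {i}: {actions} restricted={restricted}")
```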
Page 186
Legacy VPN CLI • 179
Licensing • 159
Linux Agent Installation and Configuration • 146
Linux Configuration • 170
Locations • 55
Log Purging • 172
Low Threat Lifecycle • 50

M
Mail Protections • 47
Making Updates Instantly Available • 116
Managing Administrators • 28
Managing Catalogs • 34
Managing Central and Local Licenses • 160
Managing Communication • 162
Managing Data • 167
Managing Disk Space • 171
Managing Domains • 25
Managing Events • 170
Managing Linux Disconnected Policy • 148
Managing Linux Groups • 146
Managing Policy Templates • 107
Managing Security Policies • 44
Managing Unknown Programs • 113
Managing Updates • 114
Managing Your Products • 159
Manual Synchronization • 42
Migrating from Check Point SecureClient (Optional) • 130
Migrating from SCV and Desktop Security Rules • 131
Modes and Views • 10
Modifying a Policy Template • 108
Monitoring Anti-Malware Activity • 117
Monitoring Infection Activity on Endpoints • 118
Monitoring Infection History • 118
Monitoring Policy Assignment • 103
Monitoring Scan and Update Status • 118
MSI Error (Return) Codes • 139
MSI Switches • 139
Multi-Domain Administrators • 25

N
NT Domain Catalogs • 38

O
Obtaining Product Code • 140
Offline Updates • 117
Overriding Program Advisor • 21
Overriding Program Advisor Recommendations • 113
Overview of Office Awareness • 142
Overview of Updates • 114

P
Permission Precedence • 81
Personal Policies • 45
Planning Administrator Configuration • 30
Planning Enforcement Rules • 65
Planning Policy Lifecycles • 50
Planning Program Control • 82
Planning User Support • 15
Planning Your VPN Configuration • 131
Policies • 9
Policies in Client Installations • 130
Policy Arbitration • 46
Policy Components and Settings • 9
Policy Inheritance • 100
Policy Lifecycles • 49
Policy Objects • 48
Policy Packages • 46
Policy Stages • 16
Preconfigured Policy Templates • 107
Preparing your Help desk Staff • 129
Prerequisites for RADIUS • 164
Privileges • 30
Program Advisor • 47, 109
Program Advisor Server • 109
Program Control • 47
Program Evaluation Process • 81
Program Groups • 80
Program Observation • 82
Program Permissions • 79
Providing Information About Your Security Policy • 127
Providing Remediation Resources • 127
Providing Remediation Resources for Users • 65
Proxy Configuration • 163
Proxy Login and Auto Add • 42

R
RADIUS Catalogs • 40
Ranking Firewall Rules • 62
Recommended Sandbox Customizations • 128
Registering the Beacon Server • 144
Removing Firewall Rules from a Policy • 62
Restoring from Backups • 172
Rolling Back Policy Versions • 103
Routing Fatal Messages (SMTP) • 167
Routing Log Upload System (SMTP) • 168
Rule Evaluation and Precedence • 48
Rules that Observe • 67
Rules that Warn • 67
Running Endpoint Security Agent • 156

S
Sample Program Permission Configurations • 83
Scheduling Synchronization • 42
Security Gateway Configuration • 181
Security Policy Component Overview • 46
Security Rules • 48, 56
Setting Firewall Rules • 19
Setting Install Key • 133
Setting Log Upload Parameters • 158
Setting New Network Handling Parameters • 17
Setting Policy-Level Permissions • 90
Setting Program Control • 20
Setting Program Permissions • 89
Setting Restriction Firewall Rules • 22
Setting Security Levels • 56
Setting the Assignment Priority • 103
Silent Installations and Upgrades • 134
Silently Removing a Client • 140
Simple View - Activating Policies • 100
SmartCenter Administrators • 33
SmartDefense • 47
Starting and Stopping Services • 160
Suggested Policy Settings • 50
Supported Catalog Types • 34
Supported Policy Settings • 147
Supporting the User • 126
Switching Domains • 26
Switching Views • 10
Synchronizing User Catalogs • 42
System Architecture • 11
System Domain and Non-System Domains • 25

T
Testing Gateway Cooperative Enforcement • 124
Testing Policy and Zones • 19
Testing Program and Enforcement Rules • 23
Tracking Enforcement Rule Compliance • 78
Tracking Rules that Warn or Observe • 67
Training • 129
Trap Formats • 170
Trusted Zone • 55
Trusted Zone/Act as a Client • 83
Trusted Zone/Act as a Server • 82

U
Understanding Policies • 44
Understanding Policy Enforcement on Linux • 148
Uninstalling Check Point Products - Linux • 161
Uninstalling Check Point Products - SecurePlatform • 161
Uninstalling Check Point Products - Windows • 161
Uninstalling Clients • 140
Uninstalling Endpoint Security Agent using RPM • 153
Uninstalling MSI files • 140
Uninstalling Using a Script • 140
Uninstalling Using Product Code • 140
Uninstalling with Installation Script • 151
Update Delivery Process • 115
Update Staging Process • 115
Updating RADIUS Catalogs • 41
Updating RADIUS Configuration File • 164
Upgrading Endpoint Security Agent using RPM • 153
Upgrading the Client • 129
User Catalogs • 34
User Identification • 134
Using a Default Policy • 53
Using a Default VPN Policy • 105
Using Alerts for User Self-help • 127
Using Checksums • 82
Using Endpoint Security Administrator Console • 9
Using Office Awareness Servers • 142
Using Program Advisor with a Proxy Server • 18
Using Reference Clients • 70
Using Rules that Observe or Warn • 67
Using SNMP with Endpoint Security • 170
Using the Command Line Interface • 156
Using the Office Awareness Beacon • 143
Using the Sandbox for User Self-Help • 127
Using the Service Manager • 157

V
Version Information • 160
Viewing Anti-virus Versions • 79
Viewing Compliance Status • 78
Viewing Program Advisor Recommendations • 112
Violations by Rule and Policy • 79
VPN Agent and VPN Flex • 13
VPN Options • 130
VPN Policies • 105

W
What a Restricted User Experiences • 64
Windows Firewall • 162
Withdrawing a Policy Template • 108
Workflow for Configuring and Deploying VPN in Packages • 132

Z
Zone Rules • 18, 46