CP R81.20 Harmony Endpoint Server AdminGuide
HARMONY ENDPOINT
SERVER
R81.20
Administration Guide
Check Point Copyright Notice
© 2022 - 2024 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No
part of this product or related documentation may be reproduced in any form or by any means
without prior written authorization of Check Point. While every precaution has been taken in
the preparation of this book, Check Point assumes no responsibility for errors or omissions.
This publication and features described herein are subject to change without notice.
TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party
licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-
date with the latest functional improvements, stability fixes, security
enhancements and protection against new and evolving attacks.
Certifications
For third party independent certification of Check Point products, see the Check
Point Certifications page.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.
Revision History
Date Description
4 September 2023 - Added "Smart App Control" on page 418 for Windows 11.
11 January 2023 - Added new Push Operations. See "Performing Push Operations" on page 60.
Table of Contents
Introduction to Endpoint Security 18
Managing the Security of Users, Not Just Machines 18
Organization-Centric model 18
Policy-centric Model 18
Endpoint Security Client 18
Centralized Monitoring 20
Centralized Deployment 21
Endpoint Security Architecture 22
Endpoint Security Server and Client Communication 25
SmartEndpoint Console and Server to Server Communication 25
Client to Server Communication 26
The Heartbeat Interval 27
SHA-256 Certificate Support 27
TLSv1.2 Support 27
External PKI Certificates for Client-Server Communication 29
Importing External PKI Certificates 29
Installing CA Certificates on Clients 30
Installing SSL Certificates on Servers 31
Replacing SSL Certificates in an Existing Environment 32
Installing Full Disk Encryption Certificates 32
Installing Certificates for Offline Groups 33
Monitoring Certificates 33
Connection Port to Services on an Endpoint Security Management Server 34
Background 35
Procedures 38
Endpoint Security Licenses 48
Endpoint Security Product Licenses 48
Client Logging 95
Finding Components 96
Show/Hide components 97
Users and Computers 98
Using the Users and Computers Tab 99
Using the Object Details Window 100
Changing Authentication Settings 100
Using the Users and Computers Tree 101
Managing Users 103
Managing OUs or Groups 104
Managing Computers 105
Managing Users of a Computer 105
Resetting a Computer 106
Editing Properties of Non-AD Objects 108
Managing Virtual Groups 109
Active Directory Scanner 110
Configuring a Directory Scanner Instance 110
The Organization Scanners Page 112
Directory Synchronization 112
Troubleshooting the Directory Scanner 113
SSL Troubleshooting 113
Configuring DNS for GSS Connections 114
Strengthening Active Directory Authentication to use LDAPS 114
Endpoint Security Administrator Roles 118
Deploying Endpoint Security Clients 119
Uploading Client Packages to the Repository 120
Automatic Deployment Using Deployment Rules 125
Manual Deployment Using Packages for Export 131
Configuring Software Signatures for Packages for Export 135
Seeing the Deployment Status 136
Anti-Malware 315
Prerequisites for Anti-Malware 315
Configuring Anti-Malware Policy Rules 317
Scan All Files on Access 317
Malware Signature Updates 319
Anti-Ransomware Files 320
Shared Signature Server for Anti-Malware 321
Configuring the Shared Signature Server and Clients 322
Performing Periodic Anti-Malware Scans 326
Periodic Scan Options 327
Exclude Files and Folders from Scan 327
Scan Optimization 329
Malware Treatment 330
Submitting Malware and False Detections 332
Harmony Endpoint Anti-Ransomware, Behavioral Guard and Forensics 333
Anti-Ransomware Files 334
Configuring Forensics and Anti-Ransomware Policy Rules 336
Automatic Threat Analysis Settings 336
Configuring Network Blades for Forensics Triggers and Remediation 337
Monitoring and Exclusions 338
Disk Space for Forensics 339
Quarantine Settings and Attack Remediation 340
File Quarantine Settings 341
Anti-Ransomware Backup Settings 342
Manual Anti-Ransomware Restoration 343
Anti-Ransomware Restoration 343
Integration with Third Party Anti-Virus Vendors 345
Supported Third Party Anti-Virus Vendors 345
Enabling or Disabling Forensics Third Party Anti-Virus Vendor Integration 345
Manual Analysis with CLI 347
Preventing the Leakage of Sensitive Information Through Git (Developer Protection) 409
Client-Side Warning Notifications 410
Installing the Application Control Policy 411
Client Settings 412
Configuring Client Settings Policy Rules 412
Client User Interface Settings 413
Log Upload 414
Installation and Upgrade Settings 415
Users Disabling Network Protection 416
Sharing Data with Check Point 417
Smart App Control 418
Remote Access VPN 419
Access Zones 420
Trusted Zone 421
Changing the Access Zones Policy 423
Network Objects 425
Configuring a Host as a Network Object 425
Configuring an Address Range as a Network Object 425
Configuring a Network as a Network Object 426
Configuring a Site as a Network Object 426
Configuring a Group as a Network Object 427
Configuring a Site Group as a Network Object 427
Remote Help 429
Web Remote Help 430
Turning on Web Remote Help on Endpoint Security Management Server 430
Configuring the Length of the Remote Help Response 430
Logging into Web Remote Help portal 431
Configuring a Standalone Web Remote Help Server 432
Managing Web Remote Help Accounts 432
Configuring SSL Support for AD Authentication 437
Organization-Centric model
You can import users and computers to the Endpoint Security Management Server, which
uses your organization's existing hierarchy to provide a graphical tree of endpoint computers.
You then define software deployment and security policies centrally for all nodes and entities,
making the assignments as global or as granular as you need.
Policy-centric Model
You can predefine security policies before setting up the organization. The Endpoint Security
Management Server interface provides a granular view of all the Endpoint Security policies,
grouped by the components they configure.
You create and assign policies to the root node of the organizational tree as a property of each
Endpoint Security component. Policies can be deployed one by one or all together. Because
different groups, networks, OUs, computers, and users have different security needs, you can
configure different components accordingly.
Component Description
Anti-Malware - Protects clients from known and unknown viruses, worms, Trojan horses, adware, and keystroke loggers.
Firewall and Application Control - Defines the topology of the organizational network, separating it into Trusted and Internet domains. Blocks or allows network traffic based on attributes of network connections. Controls network access on a per-application basis, letting you restrict application access by zone and direction.
Full Disk Encryption - Combines Pre-boot protection, boot authentication, and strong encryption to make sure that only authorized users are given access to information stored on desktops and laptops. Manages:
• How a Full Disk Encryption user logs in to the computer
• How failed logins are handled
• Password security
• Access to remote help
Capsule Docs - Provides security classifications and lets organizations protect and share documents safely with various groups - internal and external.
URL Filtering - Lets organizations control access to web sites by category, user or group.
Harmony Endpoint Anti-Bot - Detects bot-infected machines and blocks bot C&C communication to prevent bot damage. Provides detailed information about the device affected by the bot activity, about the bot process itself, and other relevant information.
Harmony Endpoint Anti-Ransomware, Behavioral Guard and Forensics - Prevents ransomware attacks. Monitors files and the registry for suspicious processes and network activity. Analyzes incidents reported by other components.
Harmony Endpoint Threat Extraction, Emulation and Anti-Exploit - Threat Extraction quickly delivers safe files while the original files are inspected for potential threats. Threat Emulation sends files on the endpoint computer to a sandbox for emulation to detect evasive zero-day attacks.
Centralized Monitoring
The Endpoint Security Management Server provides reports for the whole system as well as
individual users and computers.
• General status reports can be viewed in the SmartEndpoint GUI client. You can monitor
Endpoint Security client connection status, compliance to security policy status,
information about security events, and more.
• Historical data for clients and servers can be viewed in the Logs tab of the
SmartConsole Logs & Monitor view.
Centralized Deployment
Deployment in the Endpoint Security Management Server lets you control specific
components and Endpoint Security versions installed on the protected end-user computers.
Item Description
1 Active Directory Server - The repository of the user information of the organization. (Not part of the Endpoint Security Management Server.)
For Endpoint Security Server and Endpoint Security Client requirements, see the R81.20
Release Notes.
Service (Protocol/Port) Communication Notes
HTTPS (TCP/443) - Client package downloads - The packages are signed and verified on the client before being installed.
Endpoint clients send "heartbeat" messages to the Endpoint Security Management Server to
check the connectivity status and report updates. The time between heartbeat messages is
known as the heartbeat interval.
The endpoint computer Compliance state is updated at each heartbeat. The heartbeat interval
also controls the time that an endpoint client is in the About to be restricted state before it is
restricted.
It is possible to create restricted policies that are automatically enforced once the endpoint
client enters a restricted state.
4. Click OK.
For R80 and higher clean installations, the management certificate is signed with SHA-256
by default. In R77.X and lower environments, or upgrades from those versions,
SHA-256 is not supported for the Root CA. You can use SHA-256 for renewed certificates after
the previous certificate expires. See sk103840 for more information.
After the management certificate expires, the renewed certificate is signed with SHA-256.
TLSv1.2 Support
By default, the Endpoint Security servers in this release support TLSv1.2 and TLSv1 for
communication between clients and servers.
To restrict the servers to TLSv1.2 only:
2. Edit $UEPMDIR/apache/conf/ssl.conf and set:
SSLProtocol TLSv1.2
1. Open SmartEndpoint.
2. From the Menu, go to Manage > Certificate Management.
The Endpoint Security Management window opens.
3. Click Import.
The Import Certificate Wizard opens.
4. On the Import Certificate page:
c. Click Next.
See Private Key Imported Successfully.
d. Click Finish.
8. Click Finish.
9. Click Close.
To install a CA certificate:
1. Open SmartEndpoint.
2. In the Users and Computers tab, in the Global Actions section, click Push Operation.
The Create Push Operation wizard opens.
3. At the top, select Client Settings.
See the Push Operations report in the Reporting tab for more information about the
operation.
6. Select the relevant certificate from the list and click Assign.
Note - The server name in the Issued To field of the selected SSL certificate should be
identical to the server's DN. Hover over the selected certificate to see the complete
information.
7. Click Next.
8. Select the server with the new certificate to Install Database.
9. Click Finish.
See The installation process finished.
10. In a High Availability environment, Install Database again on the secondary server.
A device reports the push operation at 20% with this message: CA certificate
received by Endpoint. This occurs when the device has downloaded the new CA certificate and is
trying to find a server with an SSL certificate signed by the same CA.
4. Install the new SSL certificate on one of the servers accepting clients.
5. Wait for all of the clients' Push Operation status to be completed.
6. Repeat step 2 to gradually migrate more servers to new SSL certificates.
Repeat steps 3-5 to migrate more clients.
Do the procedures on the primary and secondary servers last.
1. Open SmartEndpoint.
2. In the Users and Computers tab, select the Entire Organization folder, and click
Manage Certificates.
3. Click the Manage button next to Remote Help Certificate or Unlock on LAN Certificate.
4. Select the Remote Help or Unlock on LAN certificate and click Assign.
5. A message shows, asking if you would like to install the policy now. Click Yes or No.
6. If you clicked Yes to install the policy, a message shows that all changed data must be
saved. Click Yes to save changes and continue.
7. Click Install.
4. Continue with the New Offline Group wizard, as described in Configuring an Offline
Group.
When editing an existing offline group:
1. Go to Group Details and click Edit.
2. Click Manage and select the specific certificate.
3. Click OK.
Monitoring Certificates
You can monitor the certificates on each server and computer from the Reporting tab >
Activity Reports > Endpoint Connectivity.
These columns of the report relate to the certificates installed (the columns are hidden by
default):
• Active Certificate - Shows the details of the currently active CA certificate on the
computer.
• StandBy Certificate - Shows the details of a CA certificate in standby state on the
computer. This CA is not used but can be used in the future.
• Active Certificate Applied On - Shows the date when the currently active CA certificate
became active.
Background
Important:
• A Security Management Server listens to SSL traffic for all services on the TCP port
443 in these cases:
◦ If you performed a clean installation of a Security Management Server and
enabled the Endpoint Policy Management Software Blade.
◦ If you upgraded a Security Management Server that had the Endpoint Policy
Management Software Blade disabled, and enabled this Software Blade after the
upgrade.
In these cases, when Endpoint Security SSL traffic arrives at the TCP port 443, the
Security Management Server automatically redirects it (internally) to the TCP port
4434.
In R81 and higher, an administrator can manually configure different TCP ports for the
Gaia Portal (and other services) and Endpoint Security - 443 or 4434. See the
applicable procedures below, or the R81 Harmony Endpoint Security Server
Administration Guide > Chapter Endpoint Security Architecture > Section Connection
Port to Services on an Endpoint Security Management Server.
• When you enable the Endpoint Policy Management Software Blade on a Security
Management Server, the SSL connection port to these services automatically
changes from the default TCP port 443 to the TCP port 4434:
◦ Gaia Portal
• When you disable the Endpoint Policy Management Software Blade on a Security
Management Server, the SSL connection port automatically changes back to the
default TCP port 443.
Procedures
Possible configuration scenarios are:
Scenario 1 - Gaia Portal uses the default self-signed SSL certificate, Gaia Portal listens on TCP
port 443, and Endpoint Security listens on TCP port 4434
cp -v $UEPMDIR/apache/conf/ssl.conf{,_BKP}
vi $UEPMDIR/apache/conf/ssl.conf
Listen 0.0.0.0:4434
d. In the "SSL Virtual Host Context" section, configure this value in the
"VirtualHost" directive:
<VirtualHost _default_:4434>
cp -v /web/templates/httpd-ssl.conf.templ{,_BKP}
vi /web/templates/httpd-ssl.conf.templ
SSLPassPhraseDialog "exec:/opt/CPuepm-R81.20/apache/bin/SSLPassPhraseDialog"
SSLCertificateFile "/opt/CPuepm-R81.20/engine/conf/ssl/sic_cert.pem"
SSLCertificateKeyFile "/opt/CPuepm-R81.20/engine/conf/ssl/sic_cert-key.pem"
SSLCertificateChainFile "/opt/CPuepm-R81.20/engine/conf/ssl/root_sic_cert.pem"
$UEPMDIR/system/install/gaia_apache_conf_generate
Scenario 2 - Gaia Portal uses an external SSL certificate, Gaia Portal listens on TCP port 443,
and Endpoint Security listens on TCP port 4434
c. Import the new Gaia Portal SSL certificate on the Endpoint Security
Management Server.
Follow "Importing External PKI Certificates" on page 29.
d. Install the new CA certificate on Endpoint Clients.
Follow "Installing CA Certificates on Clients" on page 30.
e. Install the new Gaia Portal SSL certificate on the Endpoint Security
Management Server.
Follow "Installing SSL Certificates on Servers" on page 31.
2. Connect to the command line on the Endpoint Security Management Server.
cp -v $UEPMDIR/apache/conf/ssl.conf{,_BKP}
vi $UEPMDIR/apache/conf/ssl.conf
Listen 0.0.0.0:4434
d. In the "SSL Virtual Host Context" section, configure this value in the
"VirtualHost" directive:
<VirtualHost _default_:4434>
cp -v /web/templates/httpd-ssl.conf.templ{,_BKP}
vi /web/templates/httpd-ssl.conf.templ
SSLPassPhraseDialog "exec:/opt/CPuepm-R81.20/apache/bin/SSLPassPhraseDialog"
SSLCertificateFile "/opt/CPuepm-R81.20/engine/conf/ssl/sic_cert.pem"
SSLCertificateKeyFile "/opt/CPuepm-R81.20/engine/conf/ssl/sic_cert-key.pem"
SSLCertificateChainFile "/opt/CPuepm-R81.20/engine/conf/ssl/root_sic_cert.pem"
dbset :save
$UEPMDIR/system/install/gaia_apache_conf_generate
Scenario 3 - Gaia Portal uses the default self-signed SSL certificate, Gaia Portal listens on TCP
port 4434, and Endpoint Security listens on TCP port 443
cp -v $UEPMDIR/apache/conf/ssl.conf{,_BKP}
vi $UEPMDIR/apache/conf/ssl.conf
Listen 0.0.0.0:443
d. In the "SSL Virtual Host Context" section, configure this value in the
"VirtualHost" directive:
<VirtualHost _default_:443>
cp -v /web/templates/httpd-ssl.conf.templ{,_BKP}
vi /web/templates/httpd-ssl.conf.templ
SSLPassPhraseDialog exec:/bin/passphrase_xlate
SSLCertificateFile /usr/local/apache2/conf/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
SSLCertificateChainFile /usr/local/apache2/conf/server-ca.crt
$UEPMDIR/system/install/gaia_apache_conf_generate
Scenario 4 - Gaia Portal uses an external SSL certificate, Gaia Portal listens on TCP port 4434,
and Endpoint Security listens on TCP port 443
cp -v $UEPMDIR/apache/conf/ssl.conf{,_BKP}
vi $UEPMDIR/apache/conf/ssl.conf
Listen 0.0.0.0:4434
d. In the "SSL Virtual Host Context" section, configure this value in the
"VirtualHost" directive:
<VirtualHost _default_:4434>
cp -v /web/templates/httpd-ssl.conf.templ{,_BKP}
vi /web/templates/httpd-ssl.conf.templ
SSLPassPhraseDialog exec:/bin/passphrase_xlate
SSLCertificateFile /usr/local/apache2/conf/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
SSLCertificateChainFile /usr/local/apache2/conf/server-ca.crt
$UEPMDIR/system/install/gaia_apache_conf_generate
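A check script for the edits above, added here as an example and not part of the Check Point guide: it reads an ssl.conf (the guide's $UEPMDIR/apache/conf/ssl.conf, or a copy of it) and confirms that the Listen port, the <VirtualHost _default_:PORT> directive and the port the scenario calls for all agree, and that SSLProtocol carries the TLSv1.2-only value from the TLSv1.2 Support section. The function names and the two sample configs are my own constructions.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: sanity-check an Endpoint
# Security ssl.conf after the "SSLProtocol TLSv1.2" edit and the Listen /
# VirtualHost port edits in Scenarios 1-4. Function names are my own; the
# two sample configs at the bottom are constructed for this example.

# Port from the last "Listen" directive (Apache honours every Listen it sees,
# so a stale second directive is itself worth grepping for).
listen_port() {
    awk '$1 == "Listen" { sub(/.*:/, "", $2); port = $2 } END { print port }' "$1"
}

# Port from the "<VirtualHost _default_:PORT>" directive in the SSL vhost.
vhost_port() {
    sed -n 's/^[[:space:]]*<VirtualHost[[:space:]]*_default_:\([0-9]*\)>.*/\1/p' "$1" | tail -n 1
}

# Value of the SSLProtocol directive as written, e.g. "TLSv1.2" or "TLSv1 TLSv1.2".
ssl_protocols() {
    awk '$1 == "SSLProtocol" { $1 = ""; sub(/^ /, ""); v = $0 } END { print v }' "$1"
}

# check_ssl_conf FILE EXPECTED_PORT
# Prints one line per finding. Returns 0 only when the Listen port, the
# VirtualHost port and the port the scenario calls for all agree and the
# protocol list is exactly TLSv1.2 (the value the guide tells you to set).
check_ssl_conf() {
    file=$1; want=$2; rc=0
    lp=$(listen_port "$file")
    vp=$(vhost_port "$file")
    proto=$(ssl_protocols "$file")
    if [ "$lp" != "$want" ]; then
        echo "$file: Listen port is '${lp:-unset}', expected $want"; rc=1
    fi
    if [ "$vp" != "$lp" ]; then
        echo "$file: VirtualHost port '${vp:-unset}' does not match Listen port '${lp:-unset}'"; rc=1
    fi
    case "$proto" in
        TLSv1.2) ;;
        *) echo "$file: SSLProtocol is '${proto:-unset}', expected TLSv1.2"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: a Scenario 1 config (Endpoint Security on 4434) after
# the TLSv1.2 edit, and one where the VirtualHost still says 443 and TLSv1
# is still enabled.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat >"$GOOD" <<'EOF'
Listen 0.0.0.0:4434
SSLProtocol TLSv1.2
<VirtualHost _default_:4434>
    SSLEngine on
</VirtualHost>
EOF
cat >"$BAD" <<'EOF'
Listen 0.0.0.0:4434
SSLProtocol TLSv1 TLSv1.2
<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
EOF

check_ssl_conf "$GOOD" 4434 && echo "$GOOD: ok"
check_ssl_conf "$BAD" 4434 || echo "$BAD: fix the findings above before restarting Apache"
```

Run it against the real file before $UEPMDIR/system/install/gaia_apache_conf_generate, passing 4434 for Scenarios 1 and 2 and 443 for Scenario 3, so a port typo is caught before clients lose their server.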
Trial License - A 30 day trial license is automatically installed when you install Endpoint Security. This license lets you use all Endpoint Security components for a limited number of endpoint client seats.
Product - You must purchase a Product license for each Endpoint Security component running on a client. Licenses can be purchased as a Subscription, a contract that is renewed annually, or a one-time purchase.
License Enforcement
License activity conforms to these conditions:
• You can add Endpoint Security licenses as required using one of these methods:
◦ SmartConsole. See the R81.20 Security Management Administration Guide.
◦ The Gaia Portal. See the R81.20 Gaia Administration Guide.
◦ The cplic or cpconfig CLI commands. See the R81.20 CLI Reference Guide.
• You can remove a client license by resetting the client or deleting the client using
SmartEndpoint. These licenses are returned to the license pool.
• Each client gets its Container and Endpoint Security component licenses from a pool of
available licenses.
• If you have mixed licenses, for example Harmony Basic for Server and Harmony
Advanced on Laptops, then each client gets a random license from the pool of mixed
licenses available.
• You can combine licenses to reach the total number of required clients.
• License validation occurs when the client sends a SYNC or heartbeat message to the
server.
Getting Licenses
This procedure assumes that you have a user account for the Check Point User Center, and
that the necessary licenses and contracts are purchased.
2. Click Products.
3. Select Get Contracts File in the drop-down menu at the right of the row.
4. In the window that opens, save the contract file and click Open.
5. Connect with SmartConsole to the Endpoint Security Management Server.
6. Click Menu > SmartUpdate.
7. Select License & Contracts > Updated Contracts > From File.
8. In the window that opens, browse to where you saved the contract file and click Open.
The contract is applied to the Endpoint Security Management Server.
If the Endpoint Security Management Server does not have access to the Internet, obtain the
contract file from the User Center in a different way.
7. Click OK.
8. Install Database.
License Status
You can see the status of container and component licenses in Endpoint Security
Management Server on the Reporting tab > Licenses Report. This pane shows the total
number of seats and seats in use. If the number of seats exceeds the number of licenses, you
must add the number of licenses shown as Insufficient Seats.
The lower section of the report shows the details of each license including:
• License Name and status
• Endpoint Security components
• Seats in Use
• Total seats
d. Click OK.
4. Install the database:
a. Click Menu > Install database.
b. Select all objects.
c. Click Install.
d. Click Close.
5. Open the SmartEndpoint Client:
a. In the top-left corner of SmartConsole, click Menu.
b. Select SmartEndpoint.
Using SmartEndpoint
Use SmartEndpoint, which connects to the Endpoint Security Management Server, to manage
your Endpoint Security environment. This section shows what you can do on each tab in
SmartEndpoint.
Overview Tab
The Overview tab shows a graphical summary of important security information about the
endpoint clients in your organization. This tab includes three information panes:
Active Alerts
This pane shows the number of active security alerts in different categories. You can click the
View Current Status link for each category to see the endpoints that generated the alerts. The
alert list updates every ten minutes.
You can enable/disable alerts, configure alert thresholds and configure email notifications in
Reporting tab > Alerts. See "Alerts" on page 58.
Security Status
This pane shows a chart of different security status categories, including:
• Deployment Progress - Shows the progress of package deployment to endpoint
computers.
• Blade Health Check - Shows which computers have installed components that are not
running.
• Disk Encryption Status - Shows the status of Full Disk Encryption on endpoint
computers.
• Anti-Malware Updates - Shows which endpoint computers have or are lacking current
Anti-Malware signature updates.
• Malware Infections - Shows which endpoint computers are malware-free, have not been
scanned, or have malware problems.
• Compliance Verification - Shows which endpoint computers are compliant with the
security policy and which are restricted or have pending warnings.
• Bot Detections - Shows which endpoint computers have bot problems.
For each category you can see:
• Trend tab - A line chart that shows the trend over time.
• Endpoints tab - A table that shows Endpoint computers in greater detail.
You can also click the Getting Started link to run the Endpoint Security Express Setup
Wizard. Do the steps in the wizard pages to quickly configure the default policy for each
component. The wizard also lets you run the "Active Directory Scanner" on page 110 and
configure "Uploading Client Packages to the Repository" on page 120.
Opening SmartEndpoint
You can open SmartEndpoint in these ways:
• Go to Start > All Programs > Check Point SmartConsole <Version> > SmartEndpoint
<Version>.
• Open SmartConsole, and from the Menu, select SmartEndpoint.
Policy Tab
You define and manage the policy for each Endpoint Security component in the Policy tab.
The Policy tab contains the Policy Management Toolbar and the Policy Rule Base.
To create a network:
1. Open the Users and Computers tab.
2. Right-click Networks and select New Address Range.
3. Double-click an object in the User or Computer Name field to open a Details window.
You can assign, create, and change policies from the Details window.
Each report shows a summary chart and an Endpoint List that shows the users and
computers. You can sort and filter the monitoring information by different criteria.
Double-click a user or computer to see its status and the configured rules and actions for each
installed component.
Item Description
Search - Enter a text string to search all columns. Results that contain the string are shown.
Status: - Select a status to filter by. The options are based on the open report. Endpoints with that status are shown.
In: - Narrow the results to an OU, node or group in the organization. Click to select an item in the Select Node window.
Alerts
The alerts pane shows which endpoint computers are in violation of critical security rules.
These violation types can trigger alerts:
• Certificate Expiration
• Compliance Warning
• Deployment Failed
• Encryption Problem
• Anti-Malware Issues
• High-Availability server out-of-sync:
◦ A data batch is in the error state.
◦ The synchronization engine is offline.
◦ The number of unsent data batches is more than 300. This occurs when the rate at
which the synchronization server processes the sync data is lower than the rate at
which the sync data is generated.
◦ A secondary server or a remote help server is not registered as the synchronization
engine on the primary server.
The lower section of the pane contains two tabs:
• Trend - Shows a line chart of the trend of security violations over time
• Endpoints - Shows the standard endpoint computer list
Message Type When Sent Comments
Initial Alert - Sent when the number of endpoints with security violations exceeds the specified threshold. Shows the number of endpoints with violations and the violation type.
Alert Resolved - Sent when the number of endpoints with security violations falls below the specified threshold. Shows that the alert has been resolved.
6. Click Add.
7. Click OK.
You must configure your email server settings for the Security Analysis to send alert email
messages. If you use Capsule Docs it is also important to configure this. The settings include
the network and authentication parameters necessary for access to the email server. You can
only define one email server.
3. Select the Port number for the email server (default = 25).
4. If the email server requires an SSL connection, select Enable SSL Encryption.
5. If email server authentication is necessary, select User authentication is required and
enter the credentials.
6. Click Send Test Email to make sure that you can successfully access the email server.
7. In the window that opens, enter an email address that the test will be sent to and click
Send.
• If the verification succeeds, an email is sent to the email address entered and a
Success message shows in the Email Server Settings window.
• If the verification fails, an Error message shows in the Email Server Settings
window. Correct the parameter errors or resolve network connectivity issues.
Hover over the Error message to see a description of the issue.
8. Click OK to save the email server settings and close the window.
Note - If there is no response from the Endpoint Security client, the Push Operation
will time out after 24 hours. You must reinitiate the Push Operation.
Push Operations Category Windows macOS Linux
Registry Actions Yes No No
Collect Processes Yes No No
3. Select the devices on which you want to perform the push operation.
Note - You can perform Run Diagnostics on only one device at a time.
4. Click Next.
Agent Settings
Push Operations Description 2FA Required
Deploy New Endpoints - Installs the Initial Client on the target devices remotely using any device as the medium to run the push operation. This is suitable if you do not have third party tools such as Microsoft System Center Configuration Manager (SCCM) or Intune to install the client. - 2FA Required: No
Field Description
C:\Windows\SysWOW64\config\systemprofile\CPInfo.
• For macOS, client logs are stored in the directory /Users/Shared/cplogs.
Field Description
Point servers
• Upload CPInfo reports to Corporate
Files upload
Copy File
File path - Full path of the file or folder you want to copy, including the file or folder name.
Example:
• For File - C:\Users\<user_name>\Desktop\test.doc
• For Folder - C:\Users\Username\Desktop\
name>\Documents
• For Folder - C:\Users\Username2\
Notes:
• The file or folder name you specify is
Move File
File path - Full path of the file or folder you want to move, including the file or folder name.
Example:
• For File - C:\Users\<user_name>\Desktop\test.doc
• For Folder - C:\Users\Username\Desktop\
name>\Documents
• For Folder - C:\Users\Username1\Documents\
Notes:
• If you provide the full file path, the is
Delete File
File path - Full path of the file you want to delete, including the file name.
For example, C:\Users\<user_name>\Desktop\test.doc
Security client.
• You cannot create separate VPN sites for each user that
Supported fields:
Field Description
CAPI store)
• p12-certificate
• securityIDKeyFob
• securityIDPinPad
• SoftID (not tested)
• challenge-response (not tested)
• To notify the user about the push operation, select the Inform user with
notification checkbox.
• To allow the user to postpone the push operation, select the Allow user to
postpone operation checkbox.
7. Under Scheduling:
• To execute the push operation immediately, click Execute operation immediately.
• To schedule the push operation, click Schedule operation for and click to select
the date.
8. Click Finish.
9. View the results of the operations on each endpoint in the Endpoint List section (in the
Push Operations menu) at the bottom part of the screen.
Activity Reports
The Activity Reports group includes these endpoint and Endpoint Policy Server status
reports:
• Endpoint Connectivity - Shows the last time each endpoint computer connected to the
network.
• Endpoints with Not Running Blades - Shows the status of components for users and
endpoint computers. You can use this report to see which components are running or not
running.
• Protected by Endpoint Security - Shows if endpoint computers are protected by
Endpoint Security.
Versions in Use
You can search and filter the list using several criteria.
Discovered Devices
The Discovered Devices report shows all devices that were or are connected to Endpoint
Security client computers. If you right-click on a device you can select Show All Events to see
who used the device, on which computer, and when.
Right-click the header of the Device Category column and select Create Filter to see only
specified devices.
Policy Reports
A policy report shows information about the assigned policies on each Endpoint Security Client computer in the organization. You cannot see the Policy Report in SmartEndpoint. It is a CSV file that is created on the Endpoint Security Management Server at scheduled times.
- General fields:
  - User Name - ntlocal for local users, ntdomain://<DOMAIN-NAME>/<USER LOGON NAME> for domain users
  - Computer Name - Name of the computer
  - User Location - User domain distinguished name (empty for local users)
  - Group Names - The names of the groups the user is in
  - IP Address - The most recent IP address of the device
  - Last Contact - The last time the computer had contact with the Endpoint Security Management Server
  - OS Name - The full name of the Operating System, for example: Windows 8.1 Professional Edition
  - OS Version - The version of the Operating System, for example: 6.2-9200-SP0.0-SMP
  - OS Type - Workstation or Server
  - Machine Type - Laptop or Desktop
  - Domain Name - Active Directory domain, if relevant
- Policy (includes OneCheck User Settings, Full Disk Encryption, Media Encryption & Port Protection, and Client Settings):
  - <Blade> ID - A unique identifier of a policy rule that applies to the user or computer
  - <Blade> Name - The rule name (given by the administrator)
  - <Blade> Description - The rule comment (given by the administrator)
  - <Blade> Actions - The names of the rule actions
  - <Blade> Version - The version of the rule
  - <Blade> Modified By - The name of the administrator who last modified the rule
  - <Blade> Install Time - When the component was installed on the client
  - <Blade> Inherited From - The Active Directory path the rule was originally assigned to and inherited by this machine
Licenses Report
The Licenses Status Report shows the status of the container and component licenses. The
summary chart shows the number of seats licensed and the number of seats in use. The
licenses list shows detailed license information and status for a selected component or the
container. You can export license status information to a file.
To see license warnings, click Details.
Deployment Tab
You use this tab to:
- Create Deployment Rules
- Configure Endpoint Security client packages for export
- Configure these advanced package settings:
  - VPN client settings
  - The Package repository once uploaded to the server
  - The file signing method to protect the integrity of the client package
Client Logging
Endpoint Security clients upload logs to the Endpoint Security Management Server. On the server, the logs are stored in the common log database, which you can see in the Logs tab of the SmartConsole Logs & Monitor view.
Note - The VPN component uploads SCV logs to the VPN Security Gateway.
- Client logs are uploaded according to the Common Client Policy to the Endpoint Security Management Server and are viewable in the Logs tab of the SmartConsole Logs & Monitor view.
- Client logs can be used for external audit requirements and internal troubleshooting.
For more details, see the Endpoint Security Client User Guide for your client release.
Finding Components
You can use a search feature to find components such as computers, users, directories, and
programs.
To find a component:
1. In the Search field tool bar, enter a string to match a component.
2. Click Search.
The Search Results show on the Users and Computers tab.
3. If the component you are looking for is listed, double-click it.
Alternatively:
Right-click any user shown on the Reporting tab and select Edit.
Show/Hide components
You can choose which components show in SmartEndpoint and which are hidden.
General Details - Shows basic information about the selected object and the status of each component. You can click a component to go to the detailed information pane for that component.
- Details (Users and computers only) - Shows LDAP information and the groups that the user or computer is a member of.
- Content (OUs and groups only) - Shows the members of the selected OU or group.
- Components - Shows detailed rule and status information for each component. For OUs and Groups, detailed status reports are shown. See "Monitoring Endpoint Security Deployment and Policy" on page 57.
You can change these OneCheck User Settings in the User Details window:
- The Pre-boot authentication method when the Full Disk Encryption component is active. The default authentication method is Password. See "Pre-boot Authentication Methods" on page 246.
- Lock a user out after a specified number of unsuccessful login attempts from the Pre-boot screen. See "Account Lock" on page 252.
- Change a user password.
- Add or remove certificates for smartcard authentication.
- Add or remove authorized computers or groups for Full Disk Encryption Pre-boot.
Managing Users
The Users and Computers tab shows status and assigned rules for each component. You can
also edit rules and create custom rules as necessary.
To change rules:
1. Select a user in the Users and Computers tree.
2. Select a component in the Blades pane.
3. Click Edit Rule.
4. Do the steps in the Edit Specific Rule wizard.
See the applicable component topics for configuration details.
Managing Computers
You manage individual computers in the Users and Computers window. This window shows computer details and the policies and users assigned to them. You can configure which users can log on to the computer.
To change rules:
1. Select a computer in the Users and Computers tree.
2. Select a component in the Blades pane.
3. Click Edit Rule.
4. Do the steps in the Edit Specific Rule wizard.
See the applicable component topics for configuration details.
5. Click OK.
6. On the SmartEndpoint toolbar, select File > Save.
Resetting a Computer
When the Endpoint Security client is installed on a computer, information about the computer
is sent to and stored on the Endpoint Security Management Server. Resetting a computer
means deleting all information about it from the server. Resetting a computer does not remove
the object from the Users and Computers tree or change its position in the tree.
Important - You can only reset a computer if the Endpoint Security client is not installed. If you reset a computer that has Endpoint Security installed, important data will be deleted and the computer can have problems communicating with the Endpoint Security Management Server.
Computer reset:
- Removes all licenses from the computer.
- Deletes Full Disk Encryption Recovery data.
- Deletes the settings of users that can log on to it.
- Removes the computer from Endpoint Security Monitoring.
- Deletes the Pre-boot settings.
- Marks the computer as unregistered.
After you reset a computer, you must reformat it before it can connect again to the Endpoint Security service.
Note - Resetting a computer is different from deleting it. If you delete a computer, everything in the databases that is connected to that computer is deleted.
To reset a computer:
1. In the Users and Computers tab or anywhere in SmartEndpoint where a computer
object is shown, right-click a computer and select Reset Computer Data.
2. When the Reset Computer message shows, click Yes to confirm.
3. On the SmartEndpoint toolbar, select File > Save.
The Active Directory Scanner does not scan Groups of type "Distribution".
On the Active Directory server, set the Groups Scope to Domain Local only.
Note - If the scanner is for a specific OU in the domain, only the groups and group members in
the OU are included in the scan. If your groups contain members from different OUs we highly
recommend configuring the LDAP Path of the scan to the root of the domain, to avoid
inconsistencies.
If the domains use DNS servers, make sure that:
- The DNS server is configured on the Endpoint Security Management Server.
- The DNS server can supply a list of domain controllers in its domain. We recommend that you configure the DNS server to supply a list of the domain controllers for all domains that the Directory Scanner will scan.
4. In the Advanced area, select or enter the IP Address of the Domain Controller. If the
domain has DNS, this is filled in automatically.
5. In LDAP Path, click the browse button to select an OU. If you do not select an OU,
the full domain is scanned.
6. You can change the default values in the Advanced area:
- Connection - Choose the type of connection for the Directory Scanner communication:
  - GSS Enabled - Uses DNS to create Kerberos ticket requests. If DNS is not configured correctly on the Endpoint Security Management Server, the connection is not successful. By default, this is not selected.
  - SSL Enabled - Uses SSL Tunneling. You must have an SSL certificate installed on the Domain Controller. By default, this is not selected.
- Port - The port over which the scan occurs.
- Scan Interval - The Endpoint Security Management Server sends a request to the Domain Controller to see if changes were made to the domain. If changes were made, the Directory Scanner synchronizes Endpoint Security nodes in the Users and Computers tree with nodes in the Active Directory. The Scan Interval is the time, in minutes, between the requests.
7. Click OK.
The scan shows in the Organization Scanner window.
Note - Scanning the Active Directory takes time. AD objects show in the sequence in which they are discovered.
Directory Synchronization
At the specified interval of a scanner instance, the Directory Scanner synchronizes Endpoint
Security nodes in the Users and Computers tree with nodes in the Active Directory. When
synchronization occurs:
- New Active Directory objects are added to Endpoint Security and inherit a policy according to the Endpoint Security policy assignment.
- Deleted users are removed from the Users and Computers tree, but only if they had no encrypted removable media devices. Deleted users with encrypted removable media devices move to the Deleted Users/Computers folder. The user no longer exists in the Active Directory, but the server keeps the encryption keys for possible recovery. You can delete these users manually using SmartEndpoint.
- Computers deleted from the Active Directory that do not have Endpoint Security are deleted from Users and Computers.
- Computers deleted from the Active Directory that do have Endpoint Security move to the Deleted Users/Computers folder because they might require recovery. You can delete these computers manually from the Management Console.
- Objects updated in the Active Directory are also updated on the server.
- Unchanged records stay unchanged.
Issue | Solution
A corrupted object exists in the Active Directory. | Remove the object or deny the account used by the Directory Scanner read permission to that object. If the corrupt object is a container object, permission is denied for all objects in the container.
SSL Troubleshooting
If you use an SSL connection for the Directory Scanner communication, you might see a
message that is related to SSL configuration. Find the problem and solution here.
# | Issue | Solution
2 | Wrong SSL Port | Change the SSL port or disable SSL. You can do this in the configuration.
3 | Cannot connect to the domain controller | Make sure that an LDAP server is running on the LDAP path of the configured domain controller.
4 | SSL certificate is not installed | Get an SSL certificate from your Domain Controller and import it to the Endpoint Security Management Server, or disable SSL.
The DNS server configured on the Endpoint Security Management Server must be able to
resolve IP address by name and name by IP address for all domains that are scanned by the
Directory Scanner. If DNS is not configured properly, the authentication fails.
Make sure that:
- The DNS server is configured on the Endpoint Security Management Server.
- The DNS server can recognize the DNS servers of all domains that the Directory Scanner will scan.
To make sure the DNS server is configured correctly for GSSAPI authentication:
1. On the Endpoint Security Management Server, run: nslookup.
2. Test the name to IP resolving for all domain controllers that are used by the Directory
Scanner.
3. Test the IP to name resolving for all domain controllers that are used by the Directory Scanner.
The output of this command is a list of certificates. The certificates are separated by a
line like this:
================ Certificate 0 ================
where 0 is the index number of the certificate.
2. Find a certificate:
- That has a subject that is the FQDN of the Domain Controller. In the example below: DC.mulberry.com
- In which one of the certificate extensions has the OID Server Authentication (1.3.6.1.5.5.7.3.1).
3. Get the index number of the certificate.
This is the number which appears in the separation header before each certificate. In this
example it is 0.
For example:
certutil -store MY 0 C:\certificates\DCCert.cer
5. Copy the certificate file to the Endpoint Security server. In a High Availability
environment, copy the file to the Primary and Secondary servers.
6. Import a certificate to Endpoint Security server keystore. Run:
cd $CPDIR/jre_64
./bin/keytool -import -keystore ./lib/security/cacerts -file <file_name> -alias <alias>
For example:
./bin/keytool -import -keystore ./lib/security/cacerts -file /home/admin/ServerCert.cer -alias SSLCert
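Steps 2 through 4 above are a manual search through the certutil listing for the certificate with the Domain Controller's FQDN as its subject and the Server Authentication EKU (1.3.6.1.5.5.7.3.1). The following Python, added here as an example and not part of the guide, automates that search over a constructed sample of "certutil -v -store MY" output (only the separator lines follow the guide; the rest of the layout, the serial numbers and the names are assumed) and builds the export command of step 4 for the index it finds.

```python
import re

# Server Authentication Enhanced Key Usage OID, as cited in the guide.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"

# Separator line that certutil prints before each certificate (from the guide).
SEPARATOR = re.compile(r"^=+ Certificate (\d+) =+[ \t]*$", re.MULTILINE)

# Constructed sample of "certutil -v -store MY" output. Only the separator lines
# follow the guide; the field layout approximates certutil's, and the serial
# numbers and names are made up for this example. Certificate 0 deliberately
# lacks the Server Authentication EKU, certificate 2 is the issuing CA.
SAMPLE_STORE_OUTPUT = """\
MY "Personal"
================ Certificate 0 ================
Serial Number: 1100000000aaaaaaaaaaaaaaaa00000001
Issuer: CN=mulberry-CA, DC=mulberry, DC=com
Subject: CN=DC.mulberry.com
    Enhanced Key Usage
        Client Authentication (1.3.6.1.5.5.7.3.2)
================ Certificate 1 ================
Serial Number: 1100000000aaaaaaaaaaaaaaaa00000002
Issuer: CN=mulberry-CA, DC=mulberry, DC=com
Subject: CN=DC.mulberry.com
    Enhanced Key Usage
        Client Authentication (1.3.6.1.5.5.7.3.2)
        Server Authentication (1.3.6.1.5.5.7.3.1)
================ Certificate 2 ================
Serial Number: 1100000000aaaaaaaaaaaaaaaa00000003
Issuer: CN=mulberry-CA, DC=mulberry, DC=com
Subject: CN=mulberry-CA, DC=mulberry, DC=com
CertUtil: -store command completed successfully.
"""


def split_certificates(output):
    """Split certutil output on its separator lines. Returns {index: text}."""
    parts = SEPARATOR.split(output)
    # re.split with one capture group yields [preamble, idx, body, idx, body, ...]
    return {int(parts[i]): parts[i + 1] for i in range(1, len(parts), 2)}


def subject_cn(cert_text):
    """Return the CN of the certificate's Subject line, or None if absent."""
    match = re.search(r"^Subject:[ \t]*(.+?)[ \t]*$", cert_text, re.MULTILINE)
    if not match:
        return None
    for rdn in match.group(1).split(","):
        name, _, value = rdn.strip().partition("=")
        if name.strip().upper() == "CN":
            return value.strip()
    return None


def has_eku(cert_text, oid):
    """True if the OID appears as a whole OID (1.3.6.1.5.5.7.3.1 must not match ...3.17)."""
    pattern = r"(?<![\d.])" + re.escape(oid) + r"(?![\d.])"
    return re.search(pattern, cert_text) is not None


def find_dc_certificate(output, dc_fqdn):
    """Index of the first certificate whose Subject CN is the DC FQDN and that
    carries the Server Authentication EKU, or None if no certificate qualifies."""
    for index, cert_text in sorted(split_certificates(output).items()):
        cn = subject_cn(cert_text)
        if cn is not None and cn.lower() == dc_fqdn.lower() \
                and has_eku(cert_text, SERVER_AUTH_OID):
            return index
    return None


def export_command(index, out_path):
    """Build the export command from step 4 of the guide for the chosen index."""
    return f"certutil -store MY {index} {out_path}"


if __name__ == "__main__":
    idx = find_dc_certificate(SAMPLE_STORE_OUTPUT, "DC.mulberry.com")
    print("certificate index:", idx)
    if idx is not None:
        print(export_command(idx, r"C:\certificates\DCCert.cer"))
```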
These are the client packages. Some may not be available for your client release.
The Dynamic Package is a self-extracting executable EXE file. All other packages are either
EPS.MSI files for Windows or zip files for macOS.
After you upload the packages to the repository, they are stored by default at
$FWDIR/conf/SMC_Files/uepm/msi
Directory | Package
Dynamic | Complete Endpoint Security Client for any CPU (32-bit or 64-bit). This is a self-extracting executable EXE file with all components (Blades).
Only the components you select are part of the exported package, so it can be much smaller than an exported Windows MSI package. In contrast, MSI packages include all the components in the smallest package in the repository that contains the selected components. You can also configure the Dynamic Package so that it includes only the installation prerequisites that you need, for example .NET or Anti-Malware signatures.
Dynamic packages are optimized for upgrades, so the package that is downloaded to the Endpoint Security client includes only the changes from the installed version. This results in a significant decrease in network traffic. A typical download size for an upgrade using the Dynamic Package with all components is less than 200 MB, compared to hundreds of MB for an MSI package.
Best Practice - Use the Dynamic Package for your client release.
Master_ENCRYPTION | Full Disk Encryption and Media Encryption & Port Protection Client for 32-bit systems
Master_ENCRYPTION_x64 | Full Disk Encryption and Media Encryption & Port Protection Client for 64-bit systems
After you upload a Dynamic Package to the repository, you can configure the package to
further reduce the size of the package that installs on the Endpoint Security clients.
1. Open SmartEndpoint and connect to the Endpoint Security Management Server.
3. Select a Dynamic Package. Those are the packages that have Additional Settings
in the Settings column.
4. In the Settings column, select Additional Settings and click Advanced Package
Configuration.
5. In the Configure Package window, configure these options:
Page | Option
upgrades only.
6. Click OK.
Important - You must not change the name of a client MSI package from EPS.msi. It
is permitted to change the name of a Dynamic Package (the .EXE file).
7. Click OK.
The Endpoint Security Management Server downloads the package from the internet
and saves it to the specified folder.
You can get the Initial Client from SmartEndpoint, the distribution media, or download an
Endpoint Security client from the Support Center. If you do not get the Initial Client from
SmartEndpoint, you must give endpoint users the Endpoint Security Management Server
host name or IP address. They enter this information to connect to the Endpoint Security
Management Server manually.
You can use third-party deployment software to deploy the Initial Client to endpoint
computers. The MSI package can be run manually by users or silently by a third party
deployment tool.
For new client installations with automatic software deployment, use the eps.msi Initial
Client.
For upgrades from E80.x and higher, use a complete software package, not the Initial
Client.
To upgrade legacy R73 clients, use the PreUpgrade.exe Initial Client, which unlocks legacy
files using a predefined uninstallation password. It then continues to install the Initial Client
package.
Deployment rules let you manage Endpoint Security Component Package deployment and
updates using SmartEndpoint. The Default Policy rule applies to all endpoint clients for
which no other rule in the Rule Base applies. You can change the default policy as
necessary.
You can define more rules to customize the deployment of components to groups of
endpoint computers with different criteria, such as:
- Specified Organizational Units (OUs) and Active Directory nodes
- Specified computers
- Specified Endpoint Security Virtual Groups, such as the predefined Virtual Groups ("All Laptops", "All Desktops", and others). You can also define your own Virtual Groups.
You must install an Initial Client on endpoint computers before you can deploy components
with automatic software deployment.
c. Select components to install and clear components that are not to be installed
with this rule.
6. Click Next.
7. In the Name and Comment window, enter a unique name for this rule and an optional
comment.
8. Click Finish to add the rule to the Deployment Rules.
9. Click Save.
10. Install the policy.
You can deploy Endpoint Security components to Endpoint Security clients according to
Virtual Groups.
This example shows Software Deployment Rules that specify the components to be
deployed to the All Laptops and All Desktops Virtual Groups.
Read the comments in the rules.
[Figure: Software Deployment rule base showing the All Laptops and All Desktops rules and 2 more rules]
4. To change the name, double-click the Name cell and enter a different name.
5. To change an Applies To parameter, right-click an entity and select an option:
- Add new entity to this rule - Select an entity from the tree to add to the rule.
- Remove entity from this rule - Select an entity to delete.
- Navigate to item - Go to the selected entity in the Users and Computers tab.
- Add to Virtual Group - Add the selected entity to a Virtual Group.
6. In the Actions column:
- Select a package version or click Manage Client Versions to upload a different client version from the Packages Repository.
- Select components to install and clear components that are not to be installed with this rule.
After the Initial Client is successfully deployed and you have Deployment rules, install
Endpoint Security Component Packages from SmartEndpoint.
Edit the Client Settings rules to change client installation settings.
You can select Manage Client Versions, to add more package versions to the
repository.
5. Click the Desktop Blades and Laptop Blades cells and then select the components to
include in each package.
6. Optional: In the Settings column select a Virtual Group or create a new one. Users
who install this package will automatically be put in this Virtual Group.
7. Optional: In the Settings column, if you defined an Endpoint Connect VPN
component, right-click the VPN setting and do one of these actions:
- Select a predefined VPN site from the list.
- Use a local VPN settings file.
- Add a new VPN site.
8. If you are upgrading a legacy Endpoint Security release, in the Settings column:
- Double-click the legacy upgrade option and select Support client pre-install upgrade.
- Select Silent mode active or Silent mode not active.
- Select the Legacy Secure Access option and click Configure Upgrade Password to enter and confirm the password.
- Select the Legacy Full Disk Encryption EW option and click Configure Upgrade Password to enter and confirm the applicable passwords.
9. In the Software Deployment Rules window, click Save.
To delete an existing package definition, select the package Name and click Remove
Package.
When you use an exported package, you can configure each component package to
connect to a default VPN site.
You can configure a default VPN site for packages for export. You cannot configure a
default VPN site with automatic Deployment rules. To distribute a defined VPN site with
Deployment rules, you can:
- Use Deployment rules to distribute an Endpoint Security component package without Endpoint Connect VPN.
- Create a package for export that includes only Endpoint Connect VPN and distribute it manually.
By default, no VPN site is defined for a new package. In the Packages for Export window,
in the Settings cell of the package, the default setting is No VPN site defined.
Exporting a Package
b. Click Download.
5. Click OK.
Send the package to the users. When using a Dynamic Package, the exported package is a self-extracting executable (*.EXE). By default, the filename is EPS.exe. For other types of package, the name of the package is EPS.msi and/or PreUpgrade.exe.
Endpoint users manually install the packages. On Windows 8.1 and higher clients, you must install an exported package with Run as administrator selected. You cannot install it with a double-click.
You can also use third-party deployment software, a shared network path, email, or some other method.
2. In the Certificate Settings area select one of these file signing methods:
- None
- Internal
- Custom
If you select Custom, do these steps:
a. Click Browse and get the certificate (*.p12 file).
b. Enter a name and password for the certificate.
The certificate is created on the Endpoint Security Management Server.
c. Send the *.p12 file to client computers before you install the client package.
3. Optional: If Remote Access VPN is part of the package, you can configure a VPN site.
4. Select the location to save the package.
The package starts to download.
5. The package, Endpoint_Security_Installer.zip shows in the configured location. This is
the file that you distribute to endpoint users.
Manual Deployment
Click Close.
If the installation was successful, the Endpoint Security icon shows in the menu bar.
If the Endpoint Security client was encrypted, the uninstall script first prompts for a reboot
so that the volumes can be decrypted. After decryption, the script continues to uninstall
the client.
After you uninstall the Endpoint Security client, the administrator must reset the
computer through SmartEndpoint on the Security Management Server. See "Resetting a
Computer" on page 106.
5. The Endpoint Agent on each assigned client downloads the new package. The client
installation starts based on the settings in the Client Settings policy rule. You can
configure:
- If the Client Settings policy forces installation and automatically restarts without user notification.
- If the Endpoint Agent sends a message to the user that an installation is ready and gives the user a chance to postpone the installation or save work and install immediately.
6. The Endpoint Agent installs the new client.
If the user does not click Install now, installation starts automatically after a timeout.
7. After installation, the Endpoint Agent may reboot the computer.
Gradual Upgrade
To upgrade more gradually, you can create a new deployment profile and distribute it only to
specified computers.
Note - For an exported package, save the new package in a different location than the previous package.
When you are prepared to upgrade all clients, upgrade all deployment profiles.
Offline Upgrades
During an offline upgrade, the endpoint has no connection with the Endpoint Security
Management Server. For this reason, the Preupgrade.exe package delivered to the client
must contain:
- All the passwords necessary to successfully uninstall legacy products
- The new client with the necessary components and policies
Offline upgrades use the Preupgrade.exe file, which is automatically created in the same
directory as the MSI package.
a. Silent Mode - Choose if silent mode is active. When active, the upgrade tool runs silently without user intervention. If silent mode is not active, users can see the GUI of the Upgrade tool. If silent mode is active, select what happens after the upgrade:
- Force restart after upgrade.
- Prompt user to restart after upgrade.
b. Secure Access upgrade - To enable a Secure Access upgrade you must enter the
uninstallation password. Click on Legacy Secure Access upgrade not supported
and select Configure Upgrade Password.
In the Legacy Secure Access Upgrade window, select Support Legacy upgrade
and enter and confirm the uninstallation password.
c. Legacy Full Disk Encryption upgrade - To enable an upgrade from legacy Full
Disk Encryption EW, you must enter the uninstallation password. Click on Legacy
Full Disk Encryption EW upgrade not supported and select Configure Upgrade
Password.
In the Legacy Full Disk Encryption EW window, select Support Legacy upgrade
and enter and confirm the uninstallation password.
6. Make sure the components in the Desktop Blades and Laptop Blades columns are
correct.
7. Optional: In the Settings column, add a Virtual Group destination for the package. Click
Do not export to Virtual Group and select New.
8. Select File > Save.
1. Double-click Preupgrade.exe.
2. Follow the on-screen instructions to install the package.
Online Upgrades
During an online upgrade the endpoint has a connection to the server. When the initial client is
installed, it connects to the server. The initial client uses the Common Client Settings that
contains uninstall passwords for legacy products.
After the package is installed, you can add a package with Endpoint Security components. See
"Upgrading with Deployment Rules" on page 139.
To upgrade a client package from Full Disk Encryption MI or from EW without the
password:
1. In the existing MI or EW environment, create a user or user group with this name:
_allow_upgrade_
f. Click OK.
3. Make sure that all clients are connected to the server and receive the update after the
next heartbeat.
4. Install a new Initial Client on the legacy client computers.
Do not:
- Upgrade when the disk is not fully encrypted.
- Start another upgrade before a computer is fully protected with the first upgrade.
- Uninstall the upgrade before a computer is fully protected with the upgraded version.
[HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command]
@=hex(2):22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,\
  25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,73,00,\
  69,00,65,00,78,00,65,00,63,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,00,69,00,\
  20,00,22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00
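The hex(2) data above is a REG_EXPAND_SZ value stored as UTF-16LE bytes, so the command the key assigns to the "Run as administrator" verb is not readable as written. The following Python, added here as an example and not part of the guide, parses the fragment (copied into the script, with the standard .reg file header added) and decodes it so an administrator can confirm what the key does before importing it; the decoder also handles the other common .reg data encodings.

```python
import re

# The registry fragment from the guide, copied here so the example runs offline.
# The "Windows Registry Editor Version 5.00" line is the standard .reg header,
# not part of the guide's fragment.
REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command]
@=hex(2):22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,\
  25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,73,00,\
  69,00,65,00,78,00,65,00,63,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,00,69,00,\
  20,00,22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00
"""

# Registry value type codes as they appear in "hex(N):" data in .reg files.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7


def parse_reg_values(text):
    """Return {(key_path, value_name): raw_data_string} for a .reg fragment.

    A trailing backslash continues a line; the continuation's leading
    whitespace is dropped, which is how .reg files wrap long hex data.
    """
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    values = {}
    key = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        name, sep, data = line.partition("=")
        if key is None or not sep:
            continue
        name = "(Default)" if name == "@" else name.strip('"')
        values[(key, name)] = data
    return values


def decode_reg_data(data):
    """Decode one .reg data field to (type_code, value).

    "quoted" is REG_SZ, "dword:" is REG_DWORD, "hex:" is REG_BINARY and
    "hex(N):" carries type N: 1 and 2 are NUL-terminated UTF-16LE strings,
    7 is a NUL-separated UTF-16LE string list.
    """
    if data.startswith('"') and data.endswith('"'):
        return REG_SZ, data[1:-1]
    if data.startswith("dword:"):
        return REG_DWORD, int(data[len("dword:"):], 16)
    match = re.fullmatch(r"hex(?:\((\d+)\))?:(.*)", data)
    if not match:
        raise ValueError(f"unsupported .reg data: {data[:20]!r}")
    type_code = int(match.group(1)) if match.group(1) else REG_BINARY
    raw = bytes(int(h, 16) for h in match.group(2).split(",") if h.strip())
    if type_code in (REG_SZ, REG_EXPAND_SZ):
        return type_code, raw.decode("utf-16-le").rstrip("\x00")
    if type_code == REG_MULTI_SZ:
        return type_code, [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return type_code, raw


def runas_command(reg_text=REG_TEXT):
    """Decode the command the guide's key assigns to the runas verb of .msi files."""
    values = parse_reg_values(reg_text)
    key = r"HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command"
    type_code, command = decode_reg_data(values[(key, "(Default)")])
    if type_code != REG_EXPAND_SZ:
        raise ValueError("expected a REG_EXPAND_SZ (hex(2)) value")
    return command


def is_expected_msiexec_command(command):
    """Sanity check before import: the verb must run the system msiexec.exe
    and pass the clicked package ("%1") to it, nothing else."""
    return (command.lower().startswith('"%systemroot%\\system32\\msiexec.exe"')
            and '"%1"' in command)


if __name__ == "__main__":
    cmd = runas_command()
    print(cmd)
    print("looks like the expected msiexec verb:", is_expected_msiexec_command(cmd))
```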
- To install or uninstall using the command line, the user must have administrator privileges ("Run as administrator").
- Microsoft packages. During installation, the 1720 error message may occur. Microsoft suggests KB311269: Register the WScript object by running the "wscript -regserver" command from a command prompt or from the Run option on the Start menu.
- For information about the DES encryption on Windows 7 clients, see "Step 1 of 3: Configuring the Active Directory Server for Authentication" on page 195.
Repairing Clients
If a client deployment fails, you can Repair the client, which installs the Endpoint Security client on the computer again. Repair a client in one of these ways:
If the VPN client is unable to connect to the configured Security Gateway, a Connectivity to
the VPN server is lost message shows. To resolve this:
1. Make sure that the Check Point Endpoint Security service (the EPS service) is up and
running.
2. If this service does not exist, install it by opening a command prompt and running:
1. Make sure that the original EPS.msi and PreUpgrade.exe files are present on the
endpoint computer.
2. Go to Control Panel > Programs and Features > Uninstall or change a program.
3. Uninstall the Endpoint Security client.
4. If the client has Full Disk Encryption installed, run the Uninstall or change a program
applet again after the disk completes the decryption.
After you uninstall the Endpoint Security client, you must reset the computer through
SmartEndpoint on the Security Management Server. See "Resetting a Computer" on
page 106.
Configuring Logging
Each Endpoint Security client sends logs to the Endpoint Security Server (Endpoint Policy
Server or Endpoint Security Management Server) to which the client is connected.
To see all collected logs together in the Logs tab of the SmartConsole Logs & Monitor view,
you must configure Log Indexing for each Endpoint Security Server in the SmartConsole.
Do this procedure for each Endpoint Security Server.
To configure Logging from one Endpoint Security Server to a different Endpoint Security
Server:
1. Open SmartConsole and connect to the Endpoint Security Management Server.
Prerequisites
- The two Endpoint Security servers must have the same Endpoint Security version.
- The two Endpoint Security servers must have the same Check Point products installed.
- The offline target server must have the same IP address and hostname as the source server.
- The source and the target servers are primary Endpoint Security servers. The export and import operations are not supported from or to a secondary server.
3. Run the Endpoint Security Management Security utility and set the new PAT version:
uepm patver set <old_PAT_version_number> + 10
The Policy tab contains the Policy Management Toolbar and the Policy Rule Base.
The Policy Rule Base contains a policy for each of the Endpoint Security components (formerly known as Blades). These policies enforce protections on endpoint computers.
The policy for each component is made up of rules. This shows some examples of rules in the Policy tab:
Each rule applies to a specific component, and to a specific part of the organization. Each rule
has a set of actions.
The policy for each component has a default rule that applies to the entire organization. You
can change the actions of a default rule, but you cannot make the default rule apply to a
specific part of the organization. You cannot delete the default rule.
You can create new rules that apply to specific parts of the organization.
Column | Description
Applies To | The part of the organization (the entity) to which the rule applies

Click this | To do this
[toolbar icon] | Show only the actions that are different from the default rule for that component
[toolbar icon] | Change the order of the rules for the component. Re-order the rules to define the assignment priority of rules for a specific component
[Figure: One user with multiple computers; One computer with multiple users]
The policies for some Endpoint Security components are enforced for each user. See "Rule
Types for Each Endpoint Security Component" on page 157.
- User Rules are independent of the computer the user is connected to. However, you can override user rules using "Virtual Groups in Policy Rules" on page 169.
- Computer Rules are independent of the user who is logged on to the computer.
Note - Deployment Rules are defined for computers, not for users.
Rule Entities
When you configure a rule, you specify the entities that the rule Applies To.
These are some of the entities you can specify:
n Entire Organization (the root of the organization folders)
n OUs
n Network IP ranges
n AD Groups
n Virtual Groups
n Users (for User Policies only)
n Computers (for Computer Policies only)
Important -
Application Control is not supported on all versions of Windows Server.
Do not deploy this component on clients that run operating systems that are not
supported. You can also disable it in the policy.
To disable components on operating systems that are not supported:
1. Configure a rule that disables the unsupported component.
2. Install the policy on all clients that run operating systems that do not
support the component.
If you install Anti-Malware and Firewall policies on servers, it is best for the policies to be
machine-based and not user-based. In machine-based policy, the policies assigned to the
machine have priority over the policies assigned to users who connect to the machine.
To enforce machine-based policies, we strongly recommend that you put all servers in a
server Virtual Group.
For supported servers, see the Release Notes for your Endpoint Security client version.
Each component has a default rule that applies to the Entire Organization. You can change
the default rule for the component, but you cannot delete it.
For each component, you can add rules that apply to specific parts (entities) of the
organization.
n To create a rule, select an existing rule and from the Policy toolbar, click Create a Rule.
n To create a rule with same settings as an existing rule, right-click the rule and select
Clone Rule.
n To delete a rule, select the rule, right-click, and select Delete Rule.
Creating a Rule
For each component, you can add one or more rules that apply to specific parts (entities) of the
organization.
The new rule is added to the bottom of the policy of the component.
To create a rule:
1. Select an existing rule
3. On the Select Enforcement state page, select Add Rule for and select a state:
Connected, Disconnected, or Restricted.
Endpoint Security can enforce policy rules on computers and users based on their
connection and compliance state.
When you create a policy rule, you select the connection and compliance states for
which the rule is enforced. You can define rules with these states:
n Connected state rule is enforced when a compliant endpoint computer has a
connection to the Endpoint Security Management Server. This is the default rule
for a component policy. It applies if there is no rule for the Disconnected or
Restricted states of the component. All components have a Connected Rule.
5. On the Select Entities page, select those OUs, groups or individuals that this rule
applies to.
To search for an entity: Type text in the field.
You can add multiple entities.
6. Click Next.
7. On the Change Rule Actions page, right-click the applicable actions and configure the
action.
Select from a pre-defined action. To create your own, select Edit Shared Action.
8. Click Next.
9. On the Edit rule Name and comment page, enter a descriptive Name and, optionally, a
Comment.
10. Click Finish.
11. In the Policy Management Toolbar, click Install to install the policy on Endpoint Security
clients.
Example
Read the comments in the rules.
- Firewall
- 2 more rules
2. In the Policy Toolbar, use the Move Up and Move Down buttons to change the
order of the rule.
Example
This is how the Endpoint Security client applies the rules after you change order of the rules in
the previous example policy.
If there is more than one rule for an Endpoint Security component, the Endpoint Security client
applies the rules in this order:
n First rule that applies to the user or computer in the "more rule(s)" section.
n If no rule matches the user or computer, the default rule applies.
Best Practice - Put rules for specified users or computers, in the "more rule(s)" section, above
rules for groups and containers they are members of.
Example 1
Read the comments in the rules.
- Firewall
- 2 more rules
Example 2
Read the comments in the rules.
- Firewall
- 2 more rules
Editing a Rule
You can modify a rule in the Policy tab. You can change the:
n Name
n Entities that the rule Applies To. However, you cannot change the entities in a default
rule. The default rule applies to the Entire Organization.
n Actions - Best practice is to not change predefined actions. If you want to change a
setting, create a custom action.
n Comment
2. Click
In the Applies To column of the rule, select the entity and click Remove
Edit a Shared Action - A Policy action can be used in more than one rule. That is why it is
called a Shared Action.
Important - If you edit a shared action, the change applies everywhere the action is used. For
example, if you change an action that is used in rule A and in rule B, the change happens in
both rules.
Clone an Action - If an action is used in more than one rule and you want to change the action
in one rule and not the others, clone the action. Then, use the cloned action in one of the rules,
and change the settings of the cloned action. You can use the cloned action in more than one
rule. Custom actions show below the predefined actions.
Use a Predefined Action - Many actions have more than one predefined setting. You can easily
change the action by selecting a different predefined setting.
Best Practice - Do not change predefined actions. If you want to change a setting, create a
custom action.
4. Click the Used in N rules link to see where the action is used.
To save a rule:
n Select a rule, and in the Policy tab, click Save rule.
or
n Select a rule, and from the File menu, select Save.
In the Policy tab, in the Show for area of the toolbar, type the name of a user, computer, OU,
or other entity.
If you show the Policy for a specific user, you can select the associated computer.
You cannot edit the policy when the list is filtered.
To restore the default view and show the entire Policy, click Clear.
8. In the Change rule action settings page, select the actions you want to change, and
change the settings.
9. Click Next.
10. In the Enter rule name and comment page, add the details.
11. Click Finish.
12. Click Save.
Review the rule that is assigned to the entity for this component. Notice that Inherited From
shows Direct Assignment. In the Policy tab, you can see the new component rule for the entity.
Important - You can use virtual groups to manage computers and servers in all
environments. To manage users with a virtual group, you must do one of these steps:
n Use Full Disk Encryption and enable User Acquisition.
n Import objects into Endpoint Security with the Active Directory Scanner. Then,
you can move them between virtual groups manually.
For each Endpoint Security component, only one rule can be assigned to a user or computer.
Therefore, if a user belongs to more than one group, with different rules assigned to each
group, the Endpoint Security Management Server applies the first rule that matches the user
or computer.
n Using Active Directory, but you do not want to use it for Endpoint Security. For example:
l Different administrators manage the Active Directory and Endpoint Security.
l Your Endpoint Security requirements are more complex than the Active Directory
groups. For example, you want different groups for laptop and desktop computers.
n Using a non-Active Directory LDAP tool.
n Working without LDAP.
n Creating computer-based policies for Endpoint Security components that normally
support only user-based Policies.
n All Servers
n All Mac OS X Desktops
n All Mac OS X Laptops
n All Windows Desktops
n All Windows Laptops
n Capsule Docs external users - Users that are not part of the organization's Active
Directory but are registered on the Endpoint Security Management Server as an external
user. See "Working with External Users" on page 311. These are typically users who are
not part of the organization, but must be able to view documents which originated in the
organization.
n Capsule Docs internal users - Users that are part of the organization's Active Directory.
The users and computers can be added to another virtual group, or removed from a virtual
group and added to another virtual group.
If you add objects to a virtual group with an installation package, the objects are not
automatically put into these virtual groups. You must do so manually. See .
- Media Encryption & Port Protection
Default Media Encryption & Port Protection settings for the entire organization | Entire
Organization | This rule applies to all users that are not logged into computers in "Media
Encryption computer Group"
- 1 more rule
This example shows Software Deployment Rules that specify the components to be deployed
to the All Laptops and All Desktops Virtual Groups.
- Software
Deployment
- 2 more rules
3. Select Virtual Groups and then select the virtual group that you want to see.
Note - We recommend that you enter the FQDN so that if the IP address of the
server changes, the client uses the FQDN to communicate with the server. It
also allows you to use an internal non-routable, private IP address for the server
(for example 10.1.2.3).
4. In the IP Address field, enter the IP address of the Endpoint Policy Server.
Note - The Harmony Endpoint Security Client uses either FQDN or IP address,
whichever is quicker to communicate with the server and displays it in the
Endpoint Security Client Home screen.
6. Click Next.
7. Select an option to initiate secure trusted communication now or later:
n Initiate trusted communication (If the servers are up and able to communicate)
l Enter and confirm an Activation Key. You will enter this same key on the
other servers.
l Click Initialize.
n Skip and initiate trusted communication later (If the servers are not ready to
communicate)
8. Click Next.
A warning pop-up window shows.
9. Click OK.
The output 1 indicates that your server is an Endpoint Policy Server and the output 0
indicates that your server is an Endpoint Management Server.
Item Description
The Endpoint Policy Server handles the most frequent and bandwidth-consuming
communication. The Endpoint Policy Server handles these requests without forwarding them
to the Endpoint Security Management Server:
n All heartbeat and synchronization requests.
n Policy downloads
1. The Endpoint Security Management Server creates a list of Endpoint Policy Servers
based on the servers configured in the SmartEndpoint.
2. The Endpoint Security Management Server pushes the list to the clients.
3. The Device Agent on the client does a proximity analysis after a specified interval to find
the Endpoint Policy Server 'closest' to it. Some events in the system can also cause a
new proximity analysis. Proximity is based on the response time of a specified HTTP
request sent to all servers on the list.
Note - Proximity is not based on the physical location of the server. A client in
New York will connect to the California Endpoint Policy Server if the California
Endpoint Policy Server replies before the New York Endpoint Policy Server.
Clients continue to connect to the closest Endpoint Policy Server until the next proximity
analysis.
Note - You cannot configure which particular Endpoint Policy Servers a client should use,
only a list of servers for the client to choose from.
3. Enter or select the Client will re-evaluate the nearest Policy Server after value (default
= 120 minutes).
This value is the interval, in minutes, after which endpoint clients search for the closest
available Endpoint Policy Server.
4. Optional: Select Enable Endpoint Security Management Server to be the Endpoint
Policy Server.
This option includes Endpoint Security Management Servers in the search for the closest
Endpoint Policy Server.
5. Enter or select the Client will restrict non-compliant endpoint after value (default = 5
heartbeats). See "The Heartbeat Interval" on page 395.
6. Click OK.
7. Install policies to endpoint computers.
Note - If you do not explicitly enable the Endpoint Security Management Server to
behave as an Endpoint Policy Server, it is still in the proximity analysis list. If no other
Endpoint Policy Servers can reply to a client, the Endpoint Security Management
Server replies.
The first synchronization can take a long time, based on the amount of policies and installation
packages that the Endpoint Policy Server must download from the Endpoint Security
Management Server.
When the first synchronization is complete, the Endpoint Policy Server will show as Active in
the Reporting tab.
1 Week
None
8. Click OK.
4. In the General Properties page of the window that opens, enter a unique name and an
IP address for the server.
5. In the Management tab of the General Properties page, select Network Policy
Management.
Secondary Server, Logging & Status, and Provisioning are selected automatically.
DO NOT enable Endpoint Policy Management on the server.
6. Click Communication to create SIC trust between the Secondary Endpoint Security
Management Server and the Primary Endpoint Security Management Server.
7. In the window that opens enter these configuration parameters:
n One-time password (twice to confirm) - SIC Activation Key that you entered in the
Check Point Configuration Tool
n Click Initialize to create a state of trust between the Endpoint Security
Management Servers. If the trust creation fails, click Test SIC Status to see
troubleshooting instructions
n If you must reset the SIC, click Reset, then reset the SIC on the Secondary server
and click Initialize.
8. Click Close.
9. Click OK.
10. From the menu, select Install Database.
11. Wait for the peer initialization and the full sync with peer to finish.
1. After the previous procedure is completed, in SmartConsole, open the secondary server
object.
2. In the Management tab of the General Properties page, select Endpoint Policy
Management.
3. Click OK.
4. Select File > Save.
5. From the menu, select Install Database.
6. Follow the steps in "Synchronizing MSI Files, Dynamic Packages and Drivers" on the
next page.
Note: The MSI folder contains many folders with unique names. When you add a new file
to a folder on the Active server, copy this file to the same folder on the Standby server.
a. On the Active Security Management Server, copy these folders:
n $FWDIR/conf/SMC_Files/uepm/msi
n $FWDIR/conf/SMC_Files/uepm/packages
n $FWDIR/conf/SMC_Files/uepm/recimg
n $FWDIR/conf/SMC_Files/uepm/archives
b. On the Standby Security Management Server, replace these folders with the
folders that you copied from the Active Security Management Server:
n $FWDIR/conf/SMC_Files/uepm/msi
n $FWDIR/conf/SMC_Files/uepm/packages
n $FWDIR/conf/SMC_Files/uepm/recimg
n $FWDIR/conf/SMC_Files/uepm/archives
d. Run:
i. cd $FWDIR/conf/SMC_Files/uepm
ii. chmod -R u+rwx,g+rwx,o-rwx msi/
iii. chmod -R u+rwx,g+rwx,o-rwx packages/
iv. chmod -R u+rwx,g+rwx,o-rwx recimg/
v. chmod -R u+rwx,g+rwx,o-rwx archives/
vi. find msi/ -type d -exec chmod g+s {} \;
vii. find packages/ -type d -exec chmod g+s {} \;
viii. find recimg/ -type d -exec chmod g+s {} \;
2. On the Standby Security Management Server, replace these folders with the folders
that you copied from the Active Security Management Server: $FWDIR/conf/SMC_
Files/uepm/DRIVERS
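The permission and setgid steps of this procedure, as an added shell script that is not part of this guide or of the Check Point product. fix_uepm_perms applies the same chmod and find commands as the guide to the msi, packages, recimg and archives folders under a base directory passed as an argument (on a Standby server that would be $FWDIR/conf/SMC_Files/uepm; here it is a parameter so the script can be tried on a copy). check_uepm_perms is an added verification step, not something the guide describes: it reports any entry under the four folders that is still readable, writable or searchable by "others", and any directory under msi, packages or recimg that lacks the setgid bit, which is what an administrator would want to confirm after a sync. Both function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): reproduce the guide's permission fix on the
# uepm folders and verify the result. BASE is the directory that holds msi/,
# packages/, recimg/ and archives/ (the guide uses $FWDIR/conf/SMC_Files/uepm).

fix_uepm_perms() {
  base=$1
  # Owner and group get full access, "others" get nothing, recursively
  # (the guide's chmod -R u+rwx,g+rwx,o-rwx on each of the four folders).
  for d in msi packages recimg archives; do
    chmod -R u+rwx,g+rwx,o-rwx "$base/$d" || return 1
  done
  # setgid on every directory so files added later inherit the group; the guide
  # lists this step for msi, packages and recimg only, so archives is left as is.
  for d in msi packages recimg; do
    find "$base/$d" -type d -exec chmod g+s {} \; || return 1
  done
}

check_uepm_perms() {
  base=$1
  rc=0
  for d in msi packages recimg archives; do
    if [ ! -d "$base/$d" ]; then
      echo "missing folder: $base/$d" >&2
      rc=1
      continue
    fi
    # Any entry readable, writable or searchable by "others" is a finding.
    bad=$(find "$base/$d" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) 2>/dev/null)
    if [ -n "$bad" ]; then
      echo "world-accessible entries under $base/$d:" >&2
      echo "$bad" >&2
      rc=1
    fi
  done
  for d in msi packages recimg; do
    [ -d "$base/$d" ] || continue
    bad=$(find "$base/$d" -type d ! -perm -g+s 2>/dev/null)
    if [ -n "$bad" ]; then
      echo "directories without setgid under $base/$d:" >&2
      echo "$bad" >&2
      rc=1
    fi
  done
  return $rc
}
```

Run fix_uepm_perms on the Standby copy after step b, then check_uepm_perms to confirm nothing is left world-readable before the server goes Active; the check is read-only, so it is also safe to run periodically as an audit.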
Before Failover
Whenever possible, change the Active Endpoint Security Management Server to Standby
before you change the Standby Endpoint Security Management Server to Active, and check
online synchronization status on the Secondary server and all Remote Help servers.
Notes -
n A standby Endpoint Security Management Server cannot be changed to Active
until the first synchronization of the Endpoint Security database is completed.
n While the Primary server is offline and the Secondary server is active, external
Remote Help servers do not get updates.
Deleting a Server
You can delete a Remote Help server or a Secondary Endpoint Security Management Server.
Before you do that, make sure none of the remaining servers have connectivity to the deleted
entities.
Important - If you use Active Directory Authentication, then Full Disk Encryption and
Media Encryption & Port Protection are only supported on endpoint computers that
are part of Active Directory.
Note - If you have endpoint computers in your environment that are not part of Active
Directory, Full Disk Encryption and Media Encryption & Port Protection will not work
on them.
Endpoint Security Strong Authentication uses the Kerberos network authentication protocol.
To enable the Active Directory server to validate the identity of clients that authenticate
themselves through Kerberos, run the ktpass.exe command on the Active Directory
Server. By running the ktpass command, you create a user that is mapped to the ktpass
service. This creates a Principal Name for the AD server. The Principal Name must have the
following format: ServiceName/realm@REALM
Important - After you create the user that is mapped to the ktpass service, do not
make changes to the user. For example, do not change the password. If you do
change the user, the key version increases and you must update the Version Key
in the New Authentication Principal Properties window in SmartEndpoint.
2. Go to Start > All Programs > Administrative Tools > Active Directory Users and
Computers.
3. Create a domain user and clear the User must change password at next logon
option.
4. Run this command to map a service to a user:
Syntax:
Example:
Explanations:
5. Save the console output to a text file. See the version number (vno) and encryption
type (etype).
Sample output:
Notes -
n Make sure that the clock times on the Endpoint Security servers and
the Kerberos server are less than 5 minutes apart. If the difference in the
clock times is more than 5 minutes, a runtime exception shows and
Active Directory authentication fails. On Gaia, use NTP or a similar
service.
n To use Capsule Docs with Single Sign-On, disable User Access
Important - Use the Unauthenticated mode only for evaluation purposes. Never
use this mode for production environments. Configure the authentication settings
before moving to production.
2. Click Add.
The New Authentication Principal Properties window opens.
3. Enter the details from the output of ktpass.exe that you configured in "Step 1 of 3:
Configuring the Active Directory Server for Authentication" on page 195:
Field Description
Version Key Enter the version number according to the Active Directory output
in the vno field.
For example: 7
Password Enter (and confirm) the password of the Active Directory Domain
Admin user you created for Endpoint Security use.
For example: 123456
4. Click OK.
5. When you are ready to work in Strong Authentication mode, select Work in
authenticated mode in the Authentication Settings Properties window.
6. Click OK.
Important - After turning on Strong Authentication, wait one minute before initiating
any client operations.
It will take time for the clients and the Endpoint Security Management Server to
synchronize. During this time, the environment will remain unauthenticated, and
some operations will fail. The exact amount of time depends on the
synchronization interval (see "Active Directory Scanner" on page 110).
After you have finished configuring strong authentication for Active Directory, save your
changes.
1. Go to the Policy tab of SmartEndpoint.
2. In the Policy Toolbar, click Save .
When you configure a new user account in AD, you are given the option to select a UPN suffix,
which by default will be the DNS name for your AD domain. It can be useful to have a selection
of UPN suffixes available. If your AD domain name is ad.example.com, it might be more
convenient to assign users a UPN suffix of example.com. To make additional UPN suffixes
available, you need to add them to AD.
export TDERROR_ALL_KERBEROS_SERVER=5
uepm_stop ; uepm_start
Results in Authentication.log
n If the Authentication.log file on the server shows:
The database was cleaned or the process to include authentication in the client package
was faulty. To fix:
1. Repeat the process to configure Active Directory authentication (See "Configuring
Active Directory Authentication" on page 195).
2. Make a new client package.
3. Restart the Endpoint Security server:
reboot
l Make sure that the Endpoint Security Management Server and all clients are
synchronized with the Active Directory server.
l Make sure that in the Windows Date and Time Properties window, the
Automatically adjust clock for daylight saving changes option has the same
value (selected or cleared) for all computers in the system, including the Active
Directory server.
l The following workaround is not recommended, for security reasons, but is offered
if you cannot fix the clock skew error with synchronization changes.
To ensure that authentication occurs even if the clocks of the client, the Endpoint
Security Management Server and the Active Directory server are out of sync,
define an acceptable skew. By default, the authentication clock skew is 3600
seconds. You can change the Endpoint Security settings. In the
$UEPMDIR/engine/conf/global.properties file, add this line:
authentication.clockSkew.secs=<seconds>, where <seconds> is the
clock skew in seconds that you want to allow.
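The global.properties change above, as an added shell script that is not part of this guide or of the Check Point product. set_clock_skew writes authentication.clockSkew.secs=<seconds> into a properties file given as its first argument (the guide's file is $UEPMDIR/engine/conf/global.properties; the path is a parameter here so the script can be tried on a copy), replacing any existing line for that key rather than appending a duplicate, and rejects a value that is not a whole number of seconds. get_clock_skew reads the effective value back and reports the guide's default of 3600 when the key is absent, which is the check to run when auditing a server for a skew override that should have been removed again. Both function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): set and read authentication.clockSkew.secs
# in a Java-style properties file such as $UEPMDIR/engine/conf/global.properties.

KEY='authentication.clockSkew.secs'
DEFAULT_SKEW=3600   # default stated by the guide when the key is not set

set_clock_skew() {
  file=$1
  secs=$2
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  # Accept only a non-empty string of digits.
  case $secs in
    ''|*[!0-9]*) echo "skew must be a whole number of seconds" >&2; return 1 ;;
  esac
  tmp=$(mktemp) || return 1
  # Keep every line except an existing setting for the key, then append the new
  # one, so the file never ends up with two conflicting values. grep -v exits 1
  # when nothing is left to print (empty file), which is not an error here.
  grep -v "^${KEY}=" "$file" > "$tmp" || true
  printf '%s=%s\n' "$KEY" "$secs" >> "$tmp"
  # cat instead of mv keeps the original file's owner and mode.
  cat "$tmp" > "$file" && rm -f "$tmp"
}

get_clock_skew() {
  file=$1
  # Last matching line wins, matching how a later duplicate would override.
  v=$(grep "^${KEY}=" "$file" 2>/dev/null | tail -n 1 | cut -d= -f2-)
  echo "${v:-$DEFAULT_SKEW}"
}
```

Restart the uepm processes after the change, as in the surrounding procedure. A value reported by get_clock_skew that is larger than the default on a production server is worth a ticket: the guide only offers the override as a workaround for a clock-synchronization problem that should be fixed at the source.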
n If the Authentication.log file on the server shows:
Update the Key version number in the Active Directory SSO Configuration window.
You might have changed the user that is mapped to the ktpass service (see "Step 1 of
3: Configuring the Active Directory Server for Authentication" on page 195).
unset TDERROR_ALL_KERBEROS_SERVER
echo $TDERROR_ALL_KERBEROS_SERVER
uepm_stop ; uepm_start
2. To authenticate with user credentials, log off and then log in again.
To authenticate with device credentials, restart the computer.
If the Authentication.log file on the client shows:
Check the service name. Make sure that there are no typing errors and that the format is
correct.
If there was an error, correct it on the Check Point Endpoint Security Management Server.
9. Click Next.
10. In the Enter rule name and comment page, fill in the details.
11. Click Finish.
12. In the main toolbar, click Save rule, and Install the Policy.
Making sure the Full Disk Encryption policy is installed on the client
1. On the Windows client computer, in the system tray, right-click the lock icon of the
Endpoint Security client.
2. Select Display Overview and open the Full Disk Encryption page.
3. Make sure the Policy Details show the Full Disk Encryption Policy.
Volume Encryption
These actions define if the volumes of the hard disk are encrypted or not.
Action Description
Encrypt all local hard disks All volumes of the hard disk are automatically fully
encrypted. The encrypted disk is only accessible to
authorized users.
Do not encrypt local hard disks - The hard disk is not encrypted.
Encrypt only minimum volumes
required for Pre-boot
To change the volumes and devices that are encrypted, select these options:
n To have only minimum encryption for Pre-boot protection, select Minimum volumes for
Pre-boot authentication.
n To select the exact drives that are encrypted, select Custom Volume Encryption and
click Configure Volumes.
n To encrypt volumes that are found after the initial Full Disk Encryption installation on a
computer, select Allow encryption of volumes that were detected after the initial
installation.
n To encrypt IRRT devices, select Allow protection/encryption on IRRT devices.
n To use a Self-Encrypting drive (SED), select Allow using the hardware encryption
functionality of self-encrypting drives.
Self-Encrypting drives encrypt and decrypt immediately.
If you select Custom Volume Encryption for the Encrypted disks and volumes setting,
configure the encryption and Pre-boot settings for each volume.
Self-Encrypting Drives
To configure volume encryption settings for Self-Encrypting drives, edit the Volume
Encryption action of the Full Disk Encryption rule.
The disk encryption setting Allow Self-Encrypting Drives (SED) hardware functionality lets
Full Disk Encryption probe and use SED disks that comply with the OPAL standard. If a
compatible system and disk are detected, Full Disk Encryption uses the hardware encryption
on the disk instead of the traditional software encryption.
When using SED drives, do not change the default settings for Encrypted disks and volumes.
The required settings are:
n Encrypt all visible disk volumes
l Boot protect hidden disk volumes
o Encrypt hidden disk volumes
When SED encryption is in effect on a client computer, the Drive Information in the
Encryption Status of the client shows SED added to the volume name. You can see this in the
Client UI and in the Computer Details > Full Disk Encryption in SmartEndpoint.
n AES encryption is always used with SED drives.
n You cannot use custom volume encryption with SED drives. The client overrides custom
volume configuration.
n Manage SED drives in the same way as software-encrypted drives.
For SED Requirements, see the Release Notes for your Endpoint Security client version.
Either search the Web for the release notes, or:
1. Open the Endpoint Security Homepage.
2. Go to Detailed Information per Release > Detailed Client Releases Information.
Action | Description
Authenticate user before OS loads (Pre-boot) | Users must authenticate to their computers in
the Pre-boot before the operating system loads.
If you choose Authenticate user before OS loads (Pre-boot), you can choose Temporary
Pre-boot bypass (Wake on LAN) settings to bypass Pre-boot in specified situations:
n Allow bypass when connected to LAN - On computers that are connected to an
Endpoint Security server through Ethernet, Pre-boot is not necessary. The client
automatically authenticates securely through the network without Pre-boot. If automatic
network authentication is not possible, manual Pre-boot authentication is required. This
option is supported on UEFI and Mac computers. See Unlock on LAN Requirements in
the Release Notes for your Endpoint Security client version. Either search the Web for
the Release Notes, or find them in the Endpoint Security Homepage.
l Unlock Pre-boot user on successful OS login - If users are away from the LAN
and get locked out of Pre-boot (because of incorrect logons), they can log on the
next time they are on the LAN. When they log on to the operating system, the Pre-
boot lock is unlocked.
n Allow OS login after temporary bypass - For scenarios when you want to temporarily
bypass the Pre-boot, for example, for maintenance, see "Temporary Pre-boot Bypass"
on the next page. Temporary Pre-boot Bypass reduces security.
If you choose Do not authenticate user before OS loads (Not recommended), the user
experience is simpler, but it is less secure. Users log in to Windows only, and the options in
the Integrate with OS login part of the action properties become available. To reduce security
issues, configure settings in Require Pre-boot if one or more of these conditions are met:
n Single Sign-On (SSO) together with Pre-boot Authentication.
n Pre-boot with Bypass Pre-boot when connected to LAN.
n Display Last Logged on User in Pre-boot - The username of the last logged on user
shows in the Pre-boot logon window. That user only needs to enter a password or Smart
Card pin to log in.
n Use TPM for Pre-boot integrity - This uses the TPM security chip to measure Pre-boot
components. If they are not tampered with, the TPM allows the system to boot. See
sk102009 for more details.
Note: The software based hardware hash is disabled when TPM is configured.
You can also use TPM in addition to Pre-boot authentication for two-factor
authentication.
Temporary Pre-boot Bypass reduces security. Therefore use it only when necessary and for
the amount of time that is necessary. The settings in the Full Disk Encryption policy set when
the Temporary Pre-boot Bypass turns off automatically and Pre-boot protection is enabled
again.
There are different types of policy configuration for Temporary Pre-boot Bypass:
n Temporary Pre-boot Bypass
n Temporary Pre-boot Bypass from a script
n Temporary Pre-boot Bypass when connected to LAN
Note - If the mouse is moved or a key pushed on the keyboard in the Pre-boot
environment, the Temporary Pre-boot Bypass functionality is disabled.
If you run scripts to do unattended maintenance or installations (for example, SCCM) you
might want the script to reboot the system and let the script continue after reboot. This requires
the script to turn off Pre-boot when the computer is rebooted. Enable this feature in the
Temporary Pre-boot Bypass Settings window. The Temporary Pre-boot Bypass script can
only run during the timeframe configured in Temporary Pre-boot Bypass Settings.
1. In a Full Disk Encryption rule in the Policy, right-click the Do not authenticate before
OS loads Pre-boot Action and select Edit Properties.
2. Configure these options to Require Pre-boot authentication if one or more of these
conditions are met:
n More than X failed logon attempts were made - If a user's failed logon attempts
exceed the number of tries specified, Pre-boot is required. The computer
automatically reboots and the user must authenticate in Pre-boot.
n The hard disk is not used by the original computer (hardware Hash) - If selected,
the client generates a hardware hash from identification data found in the BIOS
and on the CPU. If the hard drive is stolen and put in a different computer, the hash
will be incorrect and Pre-boot is required. The computer reboots automatically, and
the user must authenticate in Pre-boot.
Warning - Clear this option before you upgrade BIOS firmware or replace
hardware. After the upgrade, the hardware hash is automatically updated to match
the new configuration.
n The computer cannot reach any of the configured locations - Requires Pre-boot
when the Location Awareness requirements are not met. If you select this, configure
the locations that the computer tries to reach in the list below.
3. Before Pre-boot authentication is required, show this message - Enter a message to
display to the user if a configured condition is met and Pre-boot is required. For example,
to call the Help Desk if the Pre-boot window opens.
4. Click Use TPM for Pre-boot integrity to use the TPM security chip available on many
PCs during pre-boot in conjunction with password authentication or Dynamic Token
authentication. The TPM measures Pre-boot components and combines this with the
configured authentication method to decrypt the disks. If Pre-boot components are not
tampered with, the TPM lets the system boot. See sk102009 for more details.
Note - These permissions are also in the Pre-boot Customization Menu on client
computers. To open the Pre-boot Customization Menu:
n On BIOS systems - Press both shift keys on a client computer while Full Disk
Encryption loads during the start up.
n On UEFI systems - Press the Ctrl and Space key on the computer keyboard.
Permission | Notes
Enable USB device in Pre-boot environment (BIOS only) | Select to use a device that connects
to a USB port. If you use a USB Smart Card you must have this enabled. If you do not use USB
Smart Cards, you might need this enabled to use a mouse and keyboard during Pre-boot.
Enable PCMCIA (BIOS only) | Enables the PCMCIA Smart Card reader. If you use Smart Cards
that require this, make sure it is enabled.
Verification text for a successful logon will be displayed for | Select to notify the user that the
logon has been successful, halting the boot-up process of the computer for the number of
seconds that you specify in the Seconds field.
Allow hibernation and crash dumps | Select to allow the client to be put into hibernation and to
write memory dumps. This enables Full Disk Encryption protection when the computer is in
hibernation mode.
Note: hibernation must be enabled in Windows for this option to apply. All volumes marked for
encryption must be encrypted before Full Disk Encryption permits the computer to hibernate.
Enable TPM two factor authentication (Password & Dynamic Tokens) | Select to use the TPM
security chip available on many PCs during pre-boot in conjunction with password
authentication or Dynamic Token authentication. The TPM measures Pre-boot components
and combines this with the configured authentication method to decrypt the disks. If Pre-boot
components are not tampered with, the TPM lets the system boot. See sk102009 for more
details.
Enable Remote Help | Select to let users use Remote Help to get access to their Full Disk
Encryption protected computers if they are locked out.
Remote Help response length | Configure how many characters are in the Remote Help
response that users must enter.
Action | Description
Automatically learn and authorize logged in users | Before hard disk encryption, automatically register users that access their local computers and authorize them to access their computers after encryption. Note - It is always possible to manually authorize users to access encrypted computers.
Before you enable Automatically learn and authorize logged in users, make sure clients can
get device and user policies from the server.
  - At least one user has been acquired after x day(s) - Select how long to wait before Pre-boot is enforced on acquired users.
    This setting limits the number of days when user acquisition is active for the client. If the limit expires and at least one user has been acquired, Pre-boot is enforced and encryption can start. If no users are acquired, user acquisition continues.
Pre-boot becomes enforced on acquired users after one of the criteria is met.
- Continue to acquire users after Pre-boot has been enforced - Pre-boot is active for users who were acquired, and user acquisition continues for those who were not acquired.
  - User acquisition will stop after having acquired additional (x) user(s) - User acquisition continues until the selected number of additional users are acquired.
Note - If you need to terminate the acquisition process, for example the client fails to
acquire users even though an unlimited time period is set, define a new policy where
automatic acquisition is disabled.
Action | Description
Enable lock screen authentication (OneCheck) | Users log on one time to authenticate to the operating system, Full Disk Encryption, and other Endpoint Security components.
Enable OneCheck Identity Single Sign On for OS |
Use native sign on for OS | Use the native OS logon mechanism. You can enable Single-Sign On (not OneCheck) in OneCheck User Settings to have one log on that applies to the OS and Full Disk Encryption.
- After selecting the Check Point Endpoint Security screensaver option, enter the:
  - Text that shows when the screensaver is active.
  - Number of minutes the client remains idle before the screensaver activates.
3. Optional: Select Require that only an authorized Pre-boot user is allowed to log into
Windows. If selected, only users that have permission to authenticate to the Pre-boot on
that computer can log on to the operating system.
4. Optional: Select Use Pre-boot account credentials in OS lock screen. If selected,
users authenticate in the regular Operating System login screen but with the credentials
configured for Pre-boot.
Best practice is to only use this feature when there is no Active Directory available. For
customers that use Active Directory, we recommend a combination of User Acquisition,
OneCheck Logon, and Password Synchronization that will let users use the same
credentials for Pre-boot and Windows login.
If system failure prevents the operating system from starting on a client computer, you can
use Full Disk Encryption Recovery Media to decrypt the computer and recover the data.
Client computers send recovery files to the Endpoint Security Management Server one time
during the initial deployment so that you can create recovery media if necessary. After the
recovery, the files are restored as decrypted, like they were before the Full Disk Encryption
installation, and the operating system can run without the Pre-boot.
After the recovery, you must install Full Disk Encryption on the computer.
Recovery Media:
- Is a snapshot of a subset of the Full Disk Encryption database on the client.
- Contains only the data required to do the recovery.
- Updates if more volumes are encrypted or decrypted.
- Removes only encryption from the disk and boot protection.
- Does not remove Windows components.
- Restores the original boot record.
Users must authenticate to the recovery media with a username and password. These are
the options for which credentials to use:
- Users that are assigned to the computer and have the Allow use of recovery media permission (in OneCheck User Settings rule > Advanced > Default logon settings) can authenticate with their regular username and password.
- When you create the recovery media, you can create a temporary user who can authenticate to it. A user who has the credentials can authenticate to that recovery media. Users do not require the Allow use of recovery media permission to use the recovery media. Smart Card users must use this option for recovery.
You can create Full Disk Encryption recovery media that can run on a failed computer to
decrypt it. Create the recovery media on the server or with an external tool.
The media can be on a CD/DVD, USB device, or REC file.
Note - Creating a recovery media on a USB flash disk formats the device and
removes all previous content.
7. Give the Recovery Media file or device to the user who will do the recovery.
8. Make sure the user knows:
- Which username and password to use.
- How to boot the computer: with a CD or USB device.
Use the newly created Full Disk Encryption recovery media to decrypt the failed computer.
Note - During the decryption process, the client cannot run other programs.
Full Disk Encryption Drive Slaving Utility - Use this to access specified files and folders on the
failed, encrypted disk that is connected from a different "host" system.
Full Disk Encryption Drive Slaving Utility lets you access Full Disk Encryption protected disk
drives that become corrupted as a result of an Operating System failure. The Drive Slaving
Utility is hardware independent.
Full Disk Encryption Drive Slaving Utility replaces older versions of Full Disk Encryption drive
slaving functionality, and supports R73 and all E80.x versions. You can use the Full Disk
Encryption Drive Slaving Utility instead of disk recovery.
Notes -
- On an E80.x client computer with 2 hard disk drives, the Full Disk Encryption database can be on a second drive. In this case, you must have a recovery file to unlock the drive without the database.
- Remote Help is available only for hard disk authentication. It is not available for recovery file authentication.
Before you run the Full Disk Encryption Drive Slaving Utility, make sure to do these:
- Authenticate the Full Disk Encryption encrypted disk.
- On systems with active Pre-boot Bypass, you must authenticate with Full Disk Encryption account credentials.
We recommend that you use a recovery file when you are not sure if the hard disk drive or
the Full Disk Encryption internal database on your system are corrupted.
Note - To unlock a protected USB connected hard disk drive, you must first start the
Drive Slaving Utility, and then connect the disk drive.
The Full Disk Encryption - Drive Slaving window opens.
2. Select a Full Disk Encryption protected disk to unlock.
Note - To prevent data corruption, shut down the system or use a safe removal
utility before you disconnect the USB connected drive.
Dynamic Mount Utility - Use this to access specified files and folders on the failed, encrypted
disk. You create a WinPE CD/DVD media that contains the Dynamic Mount Utility application.
Boot the WinPE CD/DVD media on the failed, encrypted computer. When users authenticate
through the Dynamic Mount Utility they can extract files and folders from the encrypted system.
To access data on the hard disk of a Full Disk Encryption-protected computer without doing
a Recovery, use the Dynamic Mount Utility of Full Disk Encryption. See sk108858.
You must enable the Self-Help Portal on the Endpoint Security Management Server to activate
it.
Note - In Gaia Portal > Hosts and DNS page, make sure to configure:
- The DNS Server
- Domain Name
- DNS suffix
The Self-Help Portal only works with Active Directory users. Before you can use the Portal,
make sure that the Endpoint Security Active Directory Scanner is configured and that the
Active Directory is scanned.
Users must be authorized for Pre-boot on one or more computers before they register in the
Portal.
You can force users to re-register to the Self-Help Portal or block users from recovering
passwords in the portal.
Select Lock Password Self-Help to prevent users from recovering passwords in the
portal.
3. A confirmation message shows. Click Yes.
To see the status of user enrollment and recovery for the Self-Help Portal:
In SmartEndpoint, in the Reporting tab, select User Authentication Policy > Self Help Status.
Best Practices -
1. When you change the encryption policy for clients from Check Point Full Disk
Encryption to BitLocker Management, the disk on the client is decrypted and
then encrypted. This causes the disk to be in an unencrypted state for some
time during the process. We recommend that you do not change the encryption
policy for entire organization in one operation. Make the change for one group
of users at a time.
2. Define the BitLocker policy before installing the Endpoint Security package on
the client computers. This ensures that encryption will happen just one time,
with BitLocker. It avoids Check Point FDE encryption followed by FDE
decryption and BitLocker encryption.
5. In the Select Entities page, select the computers for which you want to configure
BitLocker encryption.
6. Click Next.
7. In the Change rule action settings page, click Encryption Engine, and select Use
BitLocker Management.
A warning message shows. Read it carefully.
8. Click Yes.
Two actions remain: Encryption Engine and Access Management.
9. Edit the BitLocker Management policy: Click Use BitLocker Management and select
Edit Shared Action.
10. Configure these settings:
Setting Options
15. In the main toolbar, click Save rule, and Install the Policy.
1. On the Windows client computer, in the system tray, right-click the lock icon of
Endpoint Security client.
2. Select Display Overview and open the Full Disk Encryption page.
3. Make sure the Policy Details show the BitLocker Management Policy.
Best Practice - When you change the encryption engine of a client from Check Point
Full Disk Encryption to BitLocker Management, or from BitLocker Management to
Check Point Full Disk Encryption, the disk on the client is decrypted and then
encrypted. This causes the disk to be in an unencrypted state for some time during
the process. We recommend that you do not change the entire organization to
BitLocker in one operation. Make the change for one group of users at a time.
Switching the encryption engine from Check Point Full Disk Encryption to BitLocker
Management
3. In the main toolbar, click Save rule, and Install the Policy.
4. On the client computers of the clients in the rule, this message shows:
Switching the encryption engine from BitLocker Management to Check Point Full Disk
Encryption
3. In the main toolbar, click Save rule, and Install the Policy.
Decryption of the BitLocker managed disks starts on the Endpoint Security client
computers in the rule.
Encryption with Check Point Full Disk Encryption starts.
4. On the client computers this message shows:
5. To allow Full Disk Encryption to collect the credentials of the user, the user must click
Lock.
Check Point Full Disk Encryption is now active on the Endpoint Security client computer in
the rule.
Define and install a Full Disk Encryption policy with BitLocker Management. Follow the
procedure in "Configuring a BitLocker Encryption Policy" on page 227, with these
guidelines:
- Define a Full Disk Encryption rule whose Applies To is either the Entire Organization or only the entities that need BitLocker Management.
- In the properties of the Use BitLocker Management action, select Windows Default as the Encryption algorithm.
  This is important because it leaves the existing BitLocker encryption in place. Selecting another algorithm explicitly may result in a re-encryption if the existing algorithm does not match the algorithm in the policy. It is a good idea to avoid re-encryption because it can take a long time. The time it takes depends on the disk size, disk speed and PC hardware.
Taking control of unmanaged BitLocker computers using Check Point Full Disk Encryption
Follow the procedure for taking control of unmanaged BitLocker computers using BitLocker
Management.
After the computers are under Check Point BitLocker Management, define a rule with
Check Point Full Disk Encryption whose Applies To is either the Entire Organization or only
the entities that need Check Point Full Disk Encryption. Follow the procedure in
"Configuring a Check Point Full Disk Encryption Policy" on page 204.
Best Practice - When you change the encryption policy for clients from BitLocker
Management to Check Point Full Disk Encryption, the disk on the client is
decrypted and then encrypted. This causes the disk to be in an unencrypted state
for some time during the process. We recommend that you do not change the
encryption policy for entire organization in one operation. Make the change for one
group of users at a time.
BitLocker Recovery
BitLocker recovery is the process by which you can restore access to a BitLocker-protected
drive in the event that you cannot unlock the drive normally.
In SmartEndpoint you can use the Recovery Key ID for a computer to find the Recovery Key
for an encrypted client computer. With the Recovery Key, the user can unlock encrypted drives
and perform recoveries.
Important - Treat the Recovery Key like a password. Only share it using trusted and
confirmed channels.
1. Open SmartEndpoint and go to Menu > Tools > BitLocker Management Recovery.
The BitLocker Management Recovery window opens.
2. Start typing the Recovery Key ID of the client. The Recovery Key ID is a string of
numbers and letters that looks like this:
C9F38106-9E7C-46AE-8E88-E53948F11776
After you type a few characters, the Recovery Key ID fills automatically.
3. Optional: If you don't have the Recovery Key ID for the client, you can search for it. For
this and other recovery options:
a. Click Advanced.
The BitLocker Management Advanced Recovery window opens.
b. To search for the Recovery Key ID, type the Common Name of the computer, or
browse for it.
c. If the disk sectors containing the encrypted keys are damaged or unreadable, you
can export to external media a BitLocker Key Package to use for recovery. In
Select File name and location, browse to a location. To learn how to use the
Microsoft recovery tools to decrypt the disk, see the Microsoft BitLocker Recovery
Guide.
d. Click Close.
4. In the BitLocker Management Recovery window, click Get Recovery Key.
The Recovery Key shows. It is a string of numbers that looks like this:
409673-073722-568381-219307-302434-260909-651475-146696
5. On the client computer, type the Recovery Key.
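Both identifiers above have a fixed shape that a help desk can check before a key is read out to a user over the phone. The following Python is an added example, not Check Point's code: it validates the Recovery Key ID as a GUID and checks the 48-digit Recovery Key against the standard BitLocker recovery-password encoding (each six-digit group is a 16-bit value multiplied by 11), which the guide itself does not describe; the sample values are the ones shown above.

```python
import re

# Recovery Key ID: a GUID, e.g. C9F38106-9E7C-46AE-8E88-E53948F11776 (sample from the guide).
RECOVERY_KEY_ID_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

# BitLocker recovery password encoding: 8 groups of 6 decimal digits. Each group is a
# 16-bit value multiplied by 11, so every group is divisible by 11 and at most 65535 * 11.
GROUP_COUNT = 8
GROUP_DIGITS = 6
GROUP_MAX = 0xFFFF * 11  # 720885


def is_recovery_key_id(text: str) -> bool:
    """True if text has the GUID shape SmartEndpoint expects in the Recovery Key ID field."""
    return bool(RECOVERY_KEY_ID_RE.match(text.strip()))


def normalize_recovery_key(text: str):
    """Accept a key typed with or without dashes/spaces and return it in the canonical
    dashed form of 6-digit groups, or None if it does not contain exactly 48 digits."""
    digits = re.sub(r"[\s-]", "", text)
    if len(digits) != GROUP_COUNT * GROUP_DIGITS or not digits.isdigit():
        return None
    return "-".join(digits[i:i + GROUP_DIGITS] for i in range(0, len(digits), GROUP_DIGITS))


def recovery_key_problems(text: str) -> list:
    """Return the problems found in a Recovery Key (an empty list means it passes).
    A single mistyped digit, or two adjacent digits swapped within a group, always breaks
    the divisibility-by-11 property, so the common read-back mistakes are caught here."""
    key = normalize_recovery_key(text)
    if key is None:
        return ["the key must consist of 48 digits (8 groups of 6)"]
    problems = []
    for index, group in enumerate(key.split("-"), start=1):
        value = int(group)
        if value % 11 != 0:
            problems.append(f"group {index} ({group}) is not divisible by 11: mistyped digit")
        elif value > GROUP_MAX:
            problems.append(f"group {index} ({group}) is above the maximum group value {GROUP_MAX}")
    return problems


if __name__ == "__main__":
    # Values from the guide, then the same key with the last two digits swapped
    print(is_recovery_key_id("C9F38106-9E7C-46AE-8E88-E53948F11776"))
    print(recovery_key_problems("409673-073722-568381-219307-302434-260909-651475-146696"))
    print(recovery_key_problems("409673-073722-568381-219307-302434-260909-651475-146669"))
```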
Note - During deployment of the Full Disk Encryption component on the client,
the Full Disk Encryption service automatically defragments the volume to create
the 32MB of continuous free space, and suspends the Windows hibernation
feature while the disk is encrypted.
- Deliver Recovery File - The client sends a recovery file to the server. It includes users on the computer that have permission to use the recovery media.
- Waiting for Restart - The user must reboot the client. After it is rebooted, users will see the Pre-boot. Users get a message to log in with their Windows credentials. Then Full Disk Encryption starts to encrypt the volumes according to the policy.
- Encryption in Progress - Full Disk Encryption is encrypting the volumes.
CPinfo is used to collect data about components in the Full Disk Encryption environment on
the client. We recommend that you send the collected data to Check Point for analysis.
If you do not enter an output folder, CPinfo collects data about components in the Full Disk
Encryption Pre-boot environment on the client.
Run CPinfo if:
- Encrypting or decrypting fails on Windows.
- The selected disk or volume does not encrypt or decrypt.
- Full Disk Encryption related issues occur.
- You experience system issues or crashes.
CPinfo gathers:
- All files in the data directory.
- Installation log.
- File version data for executables.
- Registry values for Full Disk Encryption.
- GinaDll, UpperFilters and ProviderOrder.
- SMBios structure.
- Installed application lists.
- Microsoft Windows Partition list.
To run CPinfo:
1. In the notification area, right-click the client icon.
2. Select Display Overview.
3. In the right pane, click Advanced.
4. Click Collect information for technical support.
CPinfo opens in the command prompt.
5. Press ENTER to start.
The information is collected. A window opens that shows the location of the cab file.
6. Press a key to exit CPinfo.
Using CPinfoPreboot
Use an external USB device to collect the Pre-boot data. The device must have at least 128
MB of free space, and sufficient storage for the output cab file. CPinfoPreboot cannot run
on boot media prepared with the Full Disk Encryption filter driver.
Note - Microsoft Windows does not automatically detect USB devices after
boot up. The USB device must be connected while booting the computer.
You can use the debug logs to examine the deployment phase or problems that occur. The
information there is included in CPinfopreboot. Send the full results of CPinfopreboot
to Check Point Technical Support for analysis.
The client debug log file is on the user's Endpoint Security client computer (for Windows 7
and higher) at:
C:\ProgramData\CheckPoint\Endpoint Security\Full Disk Encryption
The log file name is dlog1.txt. For BitLocker it is called Win_Nem.log. For an
explanation of the error messages that can show in Win_Nem.log, see sk157995.
Pre-boot Issues
If users have trouble with their mice or keyboards during Pre-boot, you might need to
change the setting of Enable USB device in Pre-boot environment. This setting is in the
Full Disk Encryption Policy > Pre-boot Settings. You can also change this setting from the
Pre-boot Customization Menu by pressing both shift keys while Full Disk Encryption is
loading when the computer starts up.
Trouble with Password on First Pre-boot
When the Pre-boot window opens for the first time on a computer, users get a message to
log in with their Windows password. If the Windows password does not meet the
requirements configured for the Pre-boot, the authentication does not work.
To resolve this, change the password requirements in the OneCheck User Settings to
match the Windows requirements. Then install the new OneCheck User Settings policy on
the client.
Full Disk Encryption utilizes the client logger module for audit logging. Logs are created in
the Pre-boot and Windows environments. Logs created in Pre-boot are cached in the Full
Disk Encryption system area before they are transferred to the client logger module. Full
Disk Encryption logs these operations:
- User acquisition
- Installation and upgrade
- Policy changes
- Dynamic encryption
- User authentication/user locked events
Upgrade Issues
Here are some issues that can occur in the Deployment Phase and possible causes and
solutions.
Problem: The deployment is stuck at the user acquisition stage
Configure the global settings for the Pre-boot authentication method from the OneCheck User
Settings policy rule. The settings configured here apply to all users. You can override the
global settings for specified users.
Select an Action to define the default Pre-boot authentication method:
Action | Description
Authenticate users with Password | Users can only authenticate with a username and password.
Authenticate users using Smart Card or Password | Users can authenticate with either username and password or Smart Card.
The password settings are taken from the OneCheck User Settings rules that are assigned to
the user.
Right-click an Action and select Edit to configure more settings if you select to use Smart Card
authentication.
Important - Before you configure Smart Card authentication only as the default, make
sure that you understand the requirements. See "Before You Configure Smart Card
Authentication" on page 259. All requirements must be set up correctly for users to
successfully authenticate with Smart Cards.
To configure Smart Card only, or Smart Card or Password, as the default:
1. Select one of the Smart Card options as the Default Pre-boot authentication method.
4. In the Select Smart Card driver to be deployed area, select the drivers for your Smart
Card and Reader. All selected drivers will be installed on endpoint computers when they
receive policy updates.
If you do not see a driver required for your Smart Card, you can:
- Enter a text string in the Search field.
- Click Import to import a driver from your computer. If necessary, you can download drivers to import from the Check Point Support Center.
5. In the Directory Scanner area, select Scan user certificates from Active Directory if you
want the Directory Scanner to scan user certificates.
6. If you selected to scan user certificates, select which certificates the Directory Scanner
will scan:
By default, users get the Pre-boot authentication method from the global Pre-boot
Authentication Settings. You can assign custom authentication settings to users on the User
Details page. You can also assign a user password and manually add user certificates on this
page.
7. If you select Dynamic Token, click Select token. The user can only authenticate with the
selected token. See "Managing Dynamic Tokens" on page 263.
- Select a token from the list or click Add or Import to add a new token.
- Click OK.
8. Click OK.
9. On the OneCheck User Settings page:
- For Password authentication - You can enter a User Password or Change Password.
- For Smart Card authentication - In the User Certificates area, make sure the user has a valid certificate to use with the Smart Card. If a certificate is not shown, you can click Add to import a certificate.
Action | Description
Use custom password complexity | If you select this, select the requirements for which type of characters the password must contain or not contain.
Option | Description
Use custom requirements | If you select this, select the requirements for which type of characters the password must contain or not contain:
  - Consecutive identical characters, for example, aa or 33
  - Require special characters. These can be: ~ = + - _ ( ) ' $ @ , .
  - Require digits, for example 8 or 4.
  - Require lower case characters, for example g or t.
  - Require upper case characters, for example F or G.
  - Password must not contain user name or full name.
Minimum length of password | Enter the minimum number of characters for a valid password.
Password can be changed only after | Enter the minimum number of days that a password must be valid before the user can change it.
Password expires after | Enter the maximum number of days that a password can be valid before the user must change it.
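The custom requirements above are simple to express as a checker, which is useful when you want to confirm that a proposed OneCheck password policy is no stricter than the Windows policy (see "Trouble with Password on First Pre-boot"). The following Python is an added example and not Check Point's code; the policy defaults, the name-matching rule (case-insensitive, against the user name, the full name and each word of the full name) and the age-check semantics are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date

# The special characters listed under "Require special characters" in the Option table.
SPECIAL_CHARACTERS = set("~=+-_()'$@,.")


@dataclass
class PasswordPolicy:
    """One custom-complexity configuration. The defaults are assumed values, not the product's."""
    minimum_length: int = 8                 # "Minimum length of password"
    no_consecutive_identical: bool = True   # "Consecutive identical characters" are rejected
    require_special: bool = True            # "Require special characters"
    require_digits: bool = True             # "Require digits"
    require_lower: bool = True              # "Require lower case characters"
    require_upper: bool = True              # "Require upper case characters"
    forbid_names: bool = True               # "Password must not contain user name or full name"
    change_only_after_days: int = 1         # "Password can be changed only after"
    expires_after_days: int = 90            # "Password expires after"


def complexity_problems(policy, password, user_name="", full_name=""):
    """Return the requirements the password violates (an empty list means it is acceptable)."""
    problems = []
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than the minimum length of {policy.minimum_length}")
    if policy.no_consecutive_identical and re.search(r"(.)\1", password):
        problems.append("contains consecutive identical characters (for example aa or 33)")
    if policy.require_special and not any(c in SPECIAL_CHARACTERS for c in password):
        problems.append("does not contain a special character")
    if policy.require_digits and not any(c.isdigit() for c in password):
        problems.append("does not contain a digit")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("does not contain a lower case character")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("does not contain an upper case character")
    if policy.forbid_names:
        # Assumed interpretation of "must not contain user name or full name":
        # case-insensitive match against the user name, the full name and each of its words.
        lowered = password.lower()
        for name in [user_name, full_name] + full_name.split():
            name = name.strip().lower()
            if len(name) >= 3 and name in lowered:
                problems.append(f"contains the name '{name}'")
                break
    return problems


def change_allowed(policy, last_changed, today):
    """Minimum age: the user may change the password only after this many days."""
    return (today - last_changed).days >= policy.change_only_after_days


def password_expired(policy, last_changed, today):
    """Maximum age: after this many days the user must change the password."""
    return (today - last_changed).days > policy.expires_after_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(complexity_problems(policy, "Tr0ub-ador", "jsmith", "Jane Smith"))  # []
    print(complexity_problems(policy, "jsmith99@", "jsmith", "Jane Smith"))   # three problems
    print(password_expired(policy, date(2024, 1, 1), date(2024, 4, 1)))       # True (91 days)
```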
Password Synchronization
Pre-boot is a program that prevents the operating system from booting until the user
authenticates. You can synchronize the Pre-boot and operating system passwords.
Action Description
Account Lock
You can configure Full Disk Encryption to lock user accounts after a specified number of
unsuccessful Pre-boot login attempts:
n Temporarily - If an account is locked temporarily, users can try to log on again after a
specified time.
n Permanently - If the account is locked permanently, it stays locked until an administrator
unlocks it.
Select one of these Actions to define if and when user accounts are locked:
Action | Description
Do not lock out users upon failed authentication | Users are not locked out of their accounts if they try to log on unsuccessfully. This setting is not recommended.
Temporarily lock user account upon failed authentication attempts | After a configured number of failed log on attempts (the default is 5), the user's account is temporarily locked.
Permanently lock user account upon failed authentication attempts | After a configured number of failed log on attempts (the default is 10), the user's account is permanently locked.
Right-click an Action to edit the properties. You can also create custom Account Lock actions.
Option | Description
Number of failed logons before the account is locked | Maximum number of failed logon attempts allowed before an account is permanently locked. The account is locked until an administrator unlocks it.
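The following Python models the three Account Lock actions with the defaults quoted above, so you can see how each behaves over a run of failed Pre-boot logons. It is an added example, not Check Point's code; the name of the temporary lock duration setting and the reset of the failure counter when a temporary lock expires are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class LockAction(Enum):
    """The three Actions in the Account Lock table."""
    NO_LOCK = "Do not lock out users upon failed authentication"
    TEMPORARY = "Temporarily lock user account upon failed authentication attempts"
    PERMANENT = "Permanently lock user account upon failed authentication attempts"


@dataclass
class LockPolicy:
    action: LockAction
    failures_before_lock: int    # "Number of failed logons before the account is locked"
    lock_seconds: int = 0        # length of a temporary lock (assumed setting name)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None   # temporary lock expiry, in seconds
    permanently_locked: bool = False


# Defaults quoted in the table: 5 failures for a temporary lock, 10 for a permanent lock.
DEFAULT_TEMPORARY = LockPolicy(LockAction.TEMPORARY, 5, lock_seconds=300)
DEFAULT_PERMANENT = LockPolicy(LockAction.PERMANENT, 10)


class PrebootLockout:
    """Tracks failed Pre-boot logons per user and applies the configured lock action."""

    def __init__(self, policy: LockPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        state = self._state(user)
        if state.permanently_locked:
            return True
        if state.locked_until is not None:
            if now < state.locked_until:
                return True
            # The temporary lock has expired: the user may try again with a clean counter
            # (assumed behaviour; the guide only says users can try to log on again).
            state.locked_until = None
            state.failures = 0
        return False

    def record_attempt(self, user: str, success: bool, now: float) -> str:
        """Apply one logon attempt and return what happened: 'ok', 'failed',
        'locked_temporarily', 'locked_permanently' or 'denied' (already locked)."""
        if self.is_locked(user, now):
            return "denied"
        state = self._state(user)
        if success:
            state.failures = 0
            return "ok"
        state.failures += 1
        if self.policy.action is LockAction.NO_LOCK or state.failures < self.policy.failures_before_lock:
            return "failed"
        if self.policy.action is LockAction.PERMANENT:
            state.permanently_locked = True   # stays locked until an administrator unlocks it
            return "locked_permanently"
        state.locked_until = now + self.policy.lock_seconds
        return "locked_temporarily"

    def admin_unlock(self, user: str) -> None:
        """The administrator action that clears a permanent (or temporary) lock."""
        self.accounts[user] = AccountState()


def simulate(policy: LockPolicy, attempts):
    """Run a list of (user, success, time) attempts and return the outcome of each one."""
    lockout = PrebootLockout(policy)
    return [lockout.record_attempt(user, success, now) for user, success, now in attempts]


if __name__ == "__main__":
    # Constructed sequence: six wrong passwords one second apart, then a correct one after the lock expires.
    attempts = [("jsmith", False, t) for t in range(6)] + [("jsmith", True, 400)]
    print(simulate(DEFAULT_TEMPORARY, attempts))
```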
Option Description
Logon Settings
OneCheck User Settings Logon Settings define additional settings for how users can access
computers. Expand the Advanced section in the OneCheck User Settings rule to configure
this.
Option | Description
Allow logon to system hibernated by another user | Lets a different user than the logged on user authenticate in Pre-boot to a system in hibernate mode.
Allow use of recovery media | Lets users authenticate to recovery media to recover and decrypt data from an encrypted system. Note: In E80.20 and higher, if this is not selected, users can still access recovery media that is created with a temporary user and password.
Allow user to change his credentials from the endpoint client | Lets users change the password on an endpoint client during the Pre-boot.
Allow Single Sign-On use | Lets users use Single Sign On to log on to Pre-boot and Windows when OneCheck Logon is disabled. Single Sign On applies only to Pre-boot and Windows and not to different components, such as VPN or Media Encryption. Users are always allowed to use Single Sign On when OneCheck Logon is running.
Option | Description
Allow account to receive remote password change help | Lets users get help from an administrator to reset the account password (for example, if the user forgets the password).
Allow account to receive One-Time Logon help | Lets the user get help from an administrator to log on, one time. One-time logon is for users who have lost their dynamic tokens, USB tokens, or Check Point Smart Card. It is also useful if the user made too many failed attempts but does not want to change the password.
4. Click Unlink.
A new link is created with a different Windows account at the next Windows log in.
You can add Active Directory users and groups to devices, OUs, or groups for Pre-boot
authentication. In SmartEndpoint, groups have an option of Authorize Pre-boot nodes in
addition to Authorize Pre-boot users.
After you add a group to a device, group or OU, users in the group are directly assigned to the
entity and do not need to go through user acquisition. If you add more users to the group after it
was assigned to an entity, the new users are automatically directly assigned also.
The maximum amount of users in a group that can be assigned to a device, group, or OU for
Pre-boot is 1000.
To use Smart Card authentication, you must have these components and requirements:
- Smart Card authentication is only supported on Endpoint Security clients of version E80.30 or higher. Make sure all users have a supported version.
  You can see which versions users have in the Endpoint Security Management Console > Monitoring tab > Versions in Use.
- Users must have the physical Smart Card in their possession.
- Users' computers must have a Smart Card reader driver and token driver installed for their specific Smart Card. Install these drivers as part of the global Pre-boot Authentication Settings.
- Each user must have a certificate that is active for the Smart Card.
  - The Directory Scanner can scan user certificates from the Active Directory. Configure this in the global Pre-boot Authentication Settings.
  - You can manually import a certificate for a user in User Details > Security Blades > OneCheck User Settings.
- In a Full Disk Encryption Policy rule, open the Authenticate user before OS loads action. Click on Advanced Pre-boot Settings and make sure that Enable USB devices in pre-boot environment is selected.
Scenario
Your organization uses Check Point Endpoint Security with username and password
authentication for Full Disk Encryption Pre-boot. You want to move all users to Smart Card
authentication for even greater security. Your organization uses Active Directory.
What to do:
1. Plan your Smart Card environment:
- Give all users a Smart Card.
- Get a Smart Card certificate for each user and put them in Active Directory.
- Learn which Smart Card driver and Reader driver is necessary for your Smart Card.
2. Upgrade all endpoints to this version. Use Reporting reports to make sure all users are
successfully upgraded.
3. Open the Policy tab.
4. In a OneCheck User Settings rule, right-click the Authenticate users action and select
Edit:
- Select Smart Card (requires certificates).
- Select Change authentication method only after user successfully authenticates with a Smart Card.
- Select the drivers required for your Smart Card.
5. In the Directory Scanner area, click Configure.
The Certificate Scanning Configuration window opens.
6. Select Scan user certificates from Active Directory.
Scenario
Your organization is preparing to install Check Point Endpoint Security for the first time. Most
users will use username and password Pre-boot authentication. Administrators with high
administrative privileges will use Smart Card authentication. Your organization does not use
Active Directory.
What to do:
1. Plan your Smart Card environment.
- Give a physical Smart Card to all users who will use a Smart Card.
- Get a Smart Card certificate for each user who will use a Smart Card.
- Learn which Smart Card driver and Reader driver is necessary for your Smart Card.
2. Deploy the Endpoint Security client, including Full Disk Encryption on all endpoints. See
"Deploying Endpoint Security Clients" on page 119. Use Reporting reports to make sure
that Full Disk Encryption completes the deployment phase and the Full Disk Encryption
Status of each computer is Encrypted.
Note - You can put all Smart Card users in a virtual group so that it is easy to monitor
them and change their policies, if necessary.
4. Click OK.
5. Select File > Save.
Adding a Token
Dynamic Token Key | Token key used for this account. DES: 14 characters long. 3DES: 42 characters long. Contains digits 0-9 and letters A-F.
4. Click OK.
Removing a Token
Importing Tokens
To import tokens:
1. In SmartEndpoint, go to Manage > Dynamic Token Management.
2. Click Import.
The Token Import Wizard window opens.
3. Select an .imp file.
You can navigate to the location of the file through Windows Explorer, type in a full
path name, or drag and drop the file into the field in the wizard.
4. Click Next.
Tokens in the selected file show on the list.
Media Encryption & Port Protection rules also contain these Advanced action types:
- "Offline Access Actions" on page 281 - Controls access to devices that are connected to a non-protected computer.
- "Device Scanning and Authorization Actions" on page 286 - Configures scanning of storage devices for malware and unauthorized file types.
- "Log Actions" on page 289 - Controls when Media Encryption & Port Protection creates log entries when a storage device is attached to an endpoint computer.
- "UserCheck Actions" on page 291 - Controls when and how to tell users about policy violations and optionally lets them override a policy.
- "Media Encryption Site Actions" on page 292 - Controls when to allow or prevent access to drives encrypted by different Endpoint Security Management Servers.
- "Global Automatic Access Action" on page 295 - Defines the default automatic action that applies to all rules, unless overridden by a different rule or action.
Action | Description
Allow reading any data from storage devices | Allow users to read encrypted and non-encrypted data from storage devices.
Allow reading only encrypted data from devices | Allow users to read only encrypted data from storage devices. Users cannot read unencrypted (Non-Business related) data.
You can also create your own custom actions. Your new custom actions are always available
in addition to the default actions.
Action Description
Allow writing any data to storage devices: Users can write all file types to storage devices.
Encrypt business related data written to storage devices: All files that are defined as Business Related data must be written to the encrypted storage. Non-business related data can be saved to the device without encryption. See "Configuring Business Related File Types" on page 272.
Encrypt all data written to storage devices: All files written to a storage device must be encrypted. This includes both Business and Non-Business Related data.
Do not allow writing any data to storage devices: Users cannot write any file types to storage devices.
Do not allow writing any data to storage devices, allow user override: By default, users cannot write any file types to storage devices. But UserCheck lets users override the policy and write to a storage device, after entering a justification for the action.
You can define custom write actions as necessary. Your new custom actions are always
available in addition to the default actions.
6. If necessary, click Configure file types to define custom business related file types (see
"Configuring Business Related File Types" on the next page).
If you enable the Encrypt business-related data written to storage devices option, users
must encrypt all file types that are defined as business-related. Users can save non-business-
related file types without encryption.
If you enable the Force encryption of all outgoing data option, all data, including Non-
Business related data, must be encrypted.
n Business Related data - Confidential data file types that must be encrypted on
removable media. Examples include: word processor files, spreadsheet files,
presentations and drawings.
n Business Related drive - The encrypted portion of a drive (up to 100% of the device). All
data that is stored on the Business Related portion is encrypted.
n Non-Business Related data or Plain - File types that are not confidential and do not
require encryption on storage devices.
n Non-Business Related drive - The unencrypted portion of a drive (if less than 100% is
encrypted). Data stored on the Non-Business Related portion is not encrypted.
There are predefined categories of similar file types. You cannot change the file types included
in these groups, but you can create your own custom groups. This list includes some of the
predefined file type groups:
These groups are defined as Business Related by default:
n Word - Word processor files, such as Microsoft Word.
n Spreadsheet - Spreadsheet files, such as Microsoft Excel.
n Presentation - Presentation files, such as Microsoft Power Point.
n Database - Database files, such as Microsoft Access or SQL files.
n Drawing - Drawing or illustration software files, such as AutoCAD or Visio.
n Graphic - Graphic software files such as Photoshop or Adobe Illustrator.
n Viewer - Platform independent readable files, such as PDF or Postscript.
n Archive - Compressed archive files, such as ZIP or SIT.
n Markup - Markup language source files, such as HTML or XML.
n Email - Email files and databases, such as Microsoft Outlook and MSG files.
n Text - Plain text files.
Groups defined as Non-Business Related by default
You can customize the text that shows in all sections of the user message window, including
the banner and the option buttons. You cannot change the Check Point logos. This feature is
useful for translating user messages into different languages.
Action Description
Allow connecting all peripheral devices: Access to all devices that cannot be encrypted or do not contain storage is allowed.
You can also create and change your own custom actions.
2. In the Peripheral Device Access window, click Edit Name & Description and change
settings as necessary.
3. For each device in the list, change the Access Type as necessary (Allow or Block).
4. For each device in the list, change the Log settings as necessary:
n Log - Create log entries when a peripheral device is connected to an endpoint
computer (Action IDs 11 and 20)
n None - Do not create log entries
5. Optional: Add new devices as necessary.
n Allow encryption - Select this option if the device can be encrypted (storage devices
only).
n Can generate device arrival audit event - Select this option to create a log entry when
this device connects to an endpoint computer (Event ID 11 or 20 only).
2. In the Device Overrides section of the Edit Properties window, click Add device.
3. In the Device Override Settings window, select Create a new device.
4. Click Next.
5. Select Add discovered device from user logs.
6. Click Next.
7. Select a device from the list. If necessary, search or filter to find the device.
8. Click Next.
9. Optional: Edit the device details. See "Editing Device Details" on the previous page.
6. Click Next.
7. Enter the device details. See "Editing Device Details" on page 276.
8. Click Next.
9. Optional: Add this device to one or more device groups (storage devices only).
10. Define the behavior of the device. The options shown are based on which action you are
editing:
n For Storage Devices Write Access see "Configuring a Write Action" on page 270
n For Storage Device Read Access see "Configuring the Read Action" on page 269.
n For Peripheral device access:
l Access type: Block or Allow
l Log type: Log or None
11. Click Finish.
To change the access settings for existing devices from the Policy Rule Base:
1. Open the Storage Devices Read Access, Storage Devices Write Action, or Peripheral
Devices Access action.
2. In the Device Overrides area of the Edit Properties window, select a device or group
and click Edit device.
3. If you selected a group, Add or Remove objects until the Selected Objects list contains
all applicable devices.
4. Select or clear these options as applicable. The options that show are based on the
action you are working with.
n For Storage Devices Write Access see "Configuring a Write Action" on page 270.
n For Storage Device Read Access see "Configuring the Read Action" on page 269.
n For Peripheral device access:
l Access type: Block or Allow
l Log type: Log or None
5. Click OK.
6. Click OK.
To change the access settings for devices from the Reporting tab:
1. In the Reporting tab > Media Encryption & Port Protection, right-click a device and
select Add device as exception.
The Device Override Settings open.
2. Edit the device details as necessary. See "Editing Device Access Setting" on the
previous page.
For example: If there are three physical devices with the serial numbers 1234ABC, 1234BCD,
and 1234EFG, enter 1234* as the serial number. The device definition applies to all three
physical devices. If you later attach a new physical device with the serial number 1234XYZ,
this device definition automatically applies to the new device.
The valid wildcard characters are:
The '*' character represents a string that contains one or more characters.
The '?' character represents one character.
Examples:
Because definitions that use wildcard characters apply to more endpoints than those without
wildcards, rules are enforced in this order of precedence:
1. Rules with serial numbers containing * are enforced first.
2. Rules with serial numbers containing ? are enforced next.
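The following is an added example, not code from the guide or from Check Point, that models how a serial-number pattern with '*' (one or more characters) and '?' (exactly one character) is matched and in what order definitions are enforced; it also shows the consequence an administrator should check for: a broad '*' definition is enforced before a narrower exact one and can shadow it. Case-sensitive comparison and the "exact serials last" tier are assumptions, as are the constructed DeviceDefinition type and sample values.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class DeviceDefinition:
    """Constructed model of one entry in a Device Overrides list."""
    serial_pattern: str   # may contain '*' (one or more characters) and '?' (one character)
    access: str           # "Allow" or "Block"


def serial_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a serial-number pattern into an anchored regular expression.

    '*' matches one or more characters and '?' matches exactly one character,
    as the guide describes. Every other character matches literally.
    """
    parts: List[str] = []
    for ch in pattern:
        if ch == "*":
            parts.append(".+")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def matches_serial(pattern: str, serial: str) -> bool:
    """True if the physical device serial number falls under the pattern.

    Assumption: serial numbers are compared case-sensitively.
    """
    return serial_pattern_to_regex(pattern).match(serial) is not None


def precedence(definition: DeviceDefinition) -> int:
    """Enforcement order from the guide: '*' definitions first, then '?' definitions.

    Definitions without wildcards are evaluated last. That third tier is an
    assumption; the guide only lists the two wildcard tiers.
    """
    if "*" in definition.serial_pattern:
        return 0
    if "?" in definition.serial_pattern:
        return 1
    return 2


def resolve_device_definition(definitions: Iterable[DeviceDefinition],
                              serial: str) -> Optional[DeviceDefinition]:
    """Return the first definition, in precedence order, that matches the serial number."""
    # sorted() is stable, so definitions in the same tier keep their list order.
    for definition in sorted(definitions, key=precedence):
        if matches_serial(definition.serial_pattern, serial):
            return definition
    return None


# Constructed sample list: the wildcard from the guide's example, a '?' definition,
# and an exact Block definition that the broader '*' Allow definition shadows.
SAMPLE_DEFINITIONS = [
    DeviceDefinition("1234XYZ", "Block"),   # exact serial, evaluated last
    DeviceDefinition("1234*", "Allow"),     # '*' definition, enforced first
    DeviceDefinition("9876?A", "Block"),    # '?' definition, enforced second
]


def demo() -> dict:
    """Resolve a few constructed serial numbers against SAMPLE_DEFINITIONS."""
    results = {}
    for serial in ("1234ABC", "1234XYZ", "9876ZA", "1234"):
        hit = resolve_device_definition(SAMPLE_DEFINITIONS, serial)
        results[serial] = hit.access if hit else None
    return results


if __name__ == "__main__":
    for serial, access in demo().items():
        print(f"{serial}: {access}")
```

Note that "1234XYZ" resolves to Allow although an exact Block definition exists, and "1234" matches nothing because '*' requires at least one character.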
You can define custom offline access actions that include these settings:
Encryption Settings
Setting Description
Allow user to choose owner during encryption: Lets users manually define the device owner before encryption. This lets users create storage devices for other users. By default, the device owner is the user who is logged into the endpoint computer. The device owner must be an Active Directory user.
Allow user to change size of encrypted media: Lets users change the percentage of a storage device that is encrypted, not to be lower than Minimum percentage of media capacity used for encrypted storage or Default percentage of media capacity used for encrypted storage. Also see "Configuring Encryption Container Settings" on page 283.
Allow user to upgrade legacy drives: Lets users upgrade storage devices that were encrypted by File Encryption version R73.
When encrypting, Non-Business Related Data will be: Select one of these actions for existing data on a storage device upon encryption:
n Copied to encrypted section - Non-Business Related data is encrypted and moved to the Business Related (encrypted) storage device.
Secure format media before encryption: Run a secure format before encrypting the storage device. Select the number of format passes to do before the encryption starts.
Change device name and icon after encryption: When selected, after the device is encrypted, the name of the non-encrypted drive changes to Non Business Data and the icon changes to an open lock. When cleared, the name of the non-encrypted drive and the icon do not change after the device is encrypted.
Password protect media for access in offline mode: Lets users assign a password to access a storage device from a computer that is not connected to an Endpoint Security Management Server. Users can also access the storage device with this password from a non-protected computer.
Copy utility to media to enable media access in non-protected environments: Copies the Explorer utility to the storage device. This utility lets users access the device from computers that are not connected to an Endpoint Security Management Server.
Protect media with password for read-only access in offline mode: Lets users assign a different password that gives read-only access to a storage device.
Or set the Minimum percentage and Default percentage of media capacity - how much
of the device's total capacity can be used.
In the Properties of the Offline Access action, click Configure password constraints to set the
requirements for password used to access encrypted devices.
These Actions define the requirements for user passwords for Media Encryption & Port
Protection:
Action Description
Use custom password complexity: If you select this, select the requirements for which type of characters the password must contain or not contain.
Option Description
Use custom requirements: If you select this, select the requirements for which type of characters the password must contain or not contain:
n Consecutive identical characters, for example, aa or 33
n Require special characters. These can be: ~ = + - _ ( ) ' $ @ , .
n Require digits, for example 8 or 4.
n Require lower case characters, for example g or t.
n Require upper case characters, for example F or G.
n Password must not contain user name or full name.
Minimum length of password: Enter the minimum number of characters for a valid password.
Password can be changed only after: Enter the minimum number of days that a password must be valid before the user can change it.
Password expires after: Enter the maximum number of days that a password can be valid before the user must change it.
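As an added example that is not part of the guide and not Check Point's code, the following models the custom password constraints above as a policy object and checks a candidate password against each of them, including the minimum and maximum password age. The PasswordPolicy type, its sample values, the ISO date inputs, and the reading of the "Consecutive identical characters" option as a prohibition are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# The special characters the guide lists for "Require special characters".
SPECIAL_CHARACTERS = set("~=+-_()'$@,.")


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed model of the custom password constraints.

    Boolean fields map to the checkboxes; the integer fields map to
    "Minimum length of password", "Password can be changed only after"
    and "Password expires after". Defaults are sample values, not the product's.
    """
    min_length: int = 8
    forbid_consecutive_identical: bool = True   # assumption: the option forbids "aa" or "33"
    require_special: bool = True
    require_digit: bool = True
    require_lower: bool = True
    require_upper: bool = True
    forbid_user_name: bool = True
    min_age_days: int = 1
    max_age_days: int = 90


def password_violations(policy: PasswordPolicy, password: str,
                        user_name: str = "", full_name: str = "") -> List[str]:
    """Return every constraint the candidate password violates (empty list = accepted)."""
    violations: List[str] = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    # (.)\1 finds any character immediately followed by the same character.
    if policy.forbid_consecutive_identical and re.search(r"(.)\1", password):
        violations.append("contains consecutive identical characters")
    if policy.require_special and not any(c in SPECIAL_CHARACTERS for c in password):
        violations.append("missing a special character")
    if policy.require_digit and not any(c.isdigit() for c in password):
        violations.append("missing a digit")
    if policy.require_lower and not any(c.islower() for c in password):
        violations.append("missing a lower-case character")
    if policy.require_upper and not any(c.isupper() for c in password):
        violations.append("missing an upper-case character")
    if policy.forbid_user_name:
        # Compare case-insensitively against the user name, the full name and each word of it.
        names = {n.lower() for n in [user_name, full_name, *full_name.split()] if n}
        if any(n in password.lower() for n in names):
            violations.append("contains the user name or full name")
    return violations


def can_change_password(policy: PasswordPolicy, last_changed: str, today: str) -> bool:
    """Minimum age: a change is allowed once min_age_days have elapsed (ISO dates, YYYY-MM-DD).

    Treating exactly min_age_days as "elapsed" is an assumption about the boundary.
    """
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age >= timedelta(days=policy.min_age_days)


def password_expired(policy: PasswordPolicy, last_changed: str, today: str) -> bool:
    """Maximum age: the password is expired once it is older than max_age_days."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample inputs.
    for candidate in ("Xk7$pq2w", "jdoe1122"):
        print(candidate, password_violations(policy, candidate, "jdoe", "John Doe"))
```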
You can configure Media Encryption & Port Protection to lock a device after a specified
number of unsuccessful login attempts:
n Temporarily - If a device is locked temporarily, users can try to authenticate again after a
specified time.
n Permanently - If the device is locked permanently, it stays locked until an administrator
unlocks it.
Select one of these Actions to define if and when user accounts are locked:
Action Description
Do not lock out storage device upon failed authentication: Users are not locked out of a device if they try to log on unsuccessfully. This setting is not recommended.
Temporarily lock storage device upon failed authentication attempts: After a configured number of failed logon attempts (the default is 5), the device is temporarily locked.
Permanently lock storage device upon failed authentication attempts: After a configured number of failed logon attempts (the default is 10), the device is permanently locked.
Right-click an Action to edit the properties. You can also create custom device Lock actions.
Action Description
Require storage devices to be scanned and authorized. Allow self-authorization: Scan the device when inserted. If this option is selected, users can scan the storage device manually or automatically. If this setting is cleared, users can only insert an authorized device.
Require storage devices to be scanned and authorized. Do not allow self-authorization: Scan the device when inserted. Specified administrators must authorize the device after a successful scan.
Do not scan storage devices: Storage devices are not scanned when inserted and no authorization is necessary.
You can configure which file types can or cannot be on storage devices.
n Unauthorized - Configure the file types that are blocked. All other file types are
allowed.
n Authorized - Configure the file types that are allowed. All other file types are
blocked.
The default is unauthorized with all file types allowed.
4. Click Add to add file types to the list.
5. Select file types from the Available Objects list and click Add to move them to the
Selected Objects list.
If you selected Unauthorized mode, select the file types that are not blocked from
storage devices.
If you selected Authorized mode, select the file types that are allowed on storage
devices.
6. Optional:
n Click New to create a new file type.
n Click Remove to remove a group from the list.
7. Click OK.
8. Click OK.
1. In a Media Encryption & Port Protection rule, click a device scanning and authorization
action and select Edit Properties.
2. In the Device Overrides area:
n To disable scans, select Exclude optical media from scan.
n To enable scans, clear Exclude optical media from scan.
3. Click OK.
You can create custom actions that have different requirements for authorization and the
media scan. You can let users connect storage devices without a scan or delete unauthorized
file types from the storage device.
Parameter Description
Scan storage devices and authorize them for access: Select to scan the device when inserted. Clear to skip the scan.
Enable self-authorization: If this option is selected, users can scan the storage device manually or automatically. If this setting is cleared, users can only insert an authorized device.
Allow user to delete unauthorized files: The user can delete unauthorized files detected by the scan. This lets the user or administrator authorize the device after the unauthorized files are deleted.
Allow user to skip media scan: The user can optionally skip the scan when a device is connected to a client.
Log Actions
This setting defines when Media Encryption & Port Protection creates log entries when a
storage device is attached to an endpoint computer. You can select one of these predefined
log actions:
Action Description
Log only critical events: Create log entries only for events that are classified as critical.
Log critical and security events: Create log entries only for events that are classified as critical or security events.
Event ID Description Classification
22: A user does not follow the Ask User procedure to override a rule - Critical
You can define different log settings for "Defining Exceptions for Devices " on page 276.
Log entries are initially stored on client computers and then uploaded to the server at
predefined intervals.
UserCheck Actions
UserCheck for Media Encryption & Port Protection tells users about policy violations and
shows them how to prevent unintentional data leakage. When a user tries to do an action that
is not allowed by the policy, a message shows that explains the policy.
You can optionally let users write to a storage device even though the policy does not allow
them to do so. In this case, users are prompted to give justification for the policy exception.
This justification is sent to the security administrator, who can monitor the activity.
You can use the default UserCheck messages or define your own custom messages.
You can optionally add text comments and select a display color.
3. Do steps 2 through 5 in the above procedure as necessary.
This table shows what occurs when you insert an encrypted device into a client that is
connected to an Endpoint Security Management Server and the policy allows read access. The
Endpoint Security Management Server that the device was encrypted with is referred to as
"the encrypting Endpoint Security Management Server".
A different trusted Endpoint Security Management Server: User can enter a password for access.
Media Encryption Site actions are part of the Media Encryption & Port Protection Policy. This
predefined action is enabled by default. You can change this action or create your own custom
actions.
Action Description
To allow access to devices encrypted on this Endpoint Security Management Server from
other Endpoint Security Management Servers:
1. Right-click a Media Encryption Site action and select Edit.
2. The Edit Properties window opens.
3. Select Endpoint client will allow access to encrypted media that was encrypted by an
endpoint client connected to any management server.
4. Click Copy to Clipboard and then save the current Endpoint Security Management
Server UUID to a text file.
5. Add the current Endpoint Security Management Server, using the saved UUID, to the
Media Encryption Action to each trusted Endpoint Security Management Server.
6. Select Endpoint Client will allow access to encrypted media which was encrypted by
an endpoint client connected to any management server.
7. Click OK.
When Media Encryption Sites is disabled, Endpoint Security clients can access storage
devices that were encrypted by all Endpoint Security Management Servers.
Media Encryption & Port Protection comes with these predefined actions:
Action Description
Encrypted storage devices are fully accessible by all users: All users can read and change all encrypted content.
All users in the organization can read encrypted data, only owners can modify: All users can read encrypted files on storage devices. Only the media owner can change encrypted content.
Only owners can access encrypted data: Only media owners can read and/or change encrypted content.
Access to encrypted data requires password authentication: Users must enter a password to access the device. Automatic access is not allowed.
2. Click Add.
3. In the Encrypted Media Owner field, click the arrow and select one of these options:
n Any - This action applies to any media owner
n Choose User/Group/OU from your organization - Select the applicable user,
group or OU that this action applies to
4. In the Encrypted Media User field, click the arrow and select one of these options:
n Any - This action applies to any user
n Media owner - The media owner is also defined as the user
n Choose User/Group/OU from your organization - Select the applicable user,
group or OU that this action applies to
Capsule Docs
The Capsule Docs component, managed by an on-premises Security Management Server,
lets organizations protect and share documents safely within the organization and with
business partners, and manage the organizational Capsule Docs policy, monitoring, and
deployment through SmartEndpoint.
Protect data stored on untrusted servers and shared via untrusted channels
n Each protected document remains protected even on untrusted servers.
n Prevent forwarding to unauthorized parties.
n Secure all created documents automatically.
n Set a document expiration date
l Protected documents are accessed from mobile devices that do not have
To share protected documents externally, you must have an SMTP server and configure a
Reverse Proxy.
To configure the Active Directory server as the primary DNS server in Gaia:
a. In the Portal, Network Management navigation tree menu, select Hosts and
DNS.
b. Enter the IP address of the Active Directory server as the Primary DNS Server.
c. Click Apply.
To configure the Active Directory server as the primary DNS server in Windows:
a. In the Control Panel window, go to Network and Internet > Network and
Sharing Center > Change adapter settings.
b. Right-click the server network interface and select Properties.
See "Active Directory Scanner" on page 110 for instructions on how to configure the
Directory Scanner.
The Reverse Proxy makes sure that requests from mobile devices and Capsule Docs
clients that do not have internal network access reach the Endpoint Security Server.
If you use a Security Gateway as the Capsule Docs Reverse Proxy, do the procedures
in this section. Alternatively, you can configure a third-party server, for example an
Apache Server, as a Reverse Proxy Server. See sk102973 to use a third-party server
as a Reverse Proxy Server.
To prepare the Security Gateway for the Capsule Docs Reverse Proxy you must:
c. Click Cancel, if you want to use the Security Gateway as a reverse proxy only.
The Mobile Access Policy is created, but has no rules in it.
d. Click OK.
e. In the main menu, go to Policy > Install.
f. Select the Security Gateway to install policy only on the Security Gateway.
During policy installation, a warning shows: The Mobile Access Policy does not
contain any rules. You can ignore this.
g. Click OK.
Where:
n <public_server_name> is the Capsule Docs Server public name,
configured in SmartEndpoint. This hostname should be resolved to the
Reverse Proxy Gateway (for example:
capsuledocs.externalsite.com).
n <capsule_docs_server> is the Capsule Docs Server internal
hostname OR IP address (for example:
capsuledocs.internalsite.com OR 1.1.1.1).
b. Follow the on-screen instructions.
Make sure that the output of Please wait.. Calculating your internal Host (host)
IP addresses is the IP address of the internal server and that no warnings are
shown.
c. Run:
You can also enable Single Sign-On for Capsule Workspace with Capsule Docs
users.
e. Click New.
The Web Application window opens.
f. In the General Properties screen, enter the Name of the new Capsule Docs
Web Application.
g. In the Authorized Locations screen, select the Host name or the DNS name of
the Endpoint Security Management Server.
If it does not show in the drop-down menu, click Manage > New, select Host or
DNS Name, and configure the new Endpoint Security Management Server.
h. In the Directories section of the Authorized Locations screen, select Allow
access to specific directories, and add new directories:
i. Click New.
ii. In the window that opens, type in the directory path.
The new directories are:
n /eps/client/services/DirectoryService
n /eps/client/services/EpsCommonService
n /eps/mobile/getDocumentcKey
n /eps/mobile/login
n /policy
iv. In the Tooltip field, enter the external name of the Endpoint Security
Management Server exactly as it is configured on the Endpoint Security
Management Server.
k. In the Additional Settings > Single Sign-On screen, configure these settings:
vii. In the window that opens, select The users of this application belong to
the following Windows domain, and enter the users' domain name.
To send protected documents to external users, you must configure your email server.
Two types of email servers are supported:
n SMTP (default)
n FileSystem
d. If the email server requires an SSL connection, select Enable SSL Encryption.
e. If email server authentication is necessary, select User authentication is
required and enter the credentials.
f. Click Send Test Email to make sure that you can successfully access the email
server.
g. In the window that opens, enter an email address that the test will be sent to and
click Send.
n If the verification succeeds, an email is sent to the email address entered
and a Success message shows in the Email Server Settings window.
n If the verification fails, an Error message shows in the Email Server
Settings window. Correct the parameter errors or resolve network
connectivity issues. Point to the Error message to see a description of
the issue.
h. Click OK to save the email server settings and close the window.
c. Save.
d. In SmartEndpoint, Policy tab, in the Capsule Docs policy rules, select Allow
Single Sign-On with Active Directory.
e. Install policy in SmartEndpoint.
Note - The Favorites lists can be used across the supported applications, to
share the documents with different sets of users.
To learn more, see the Capsule Docs User Guide for your client release in sk117536.
Organization Settings
The Organization Settings define the name of the organization and the name of the Public or
External Server. This is the domain name that leads to the reverse proxy server or Security
Gateway.
Note - The Public Server Name should be configured one time and not changed.
Active Classifications
Define the Capsule Docs classifications in use and the permissions associated with them.
Also define the permissions of document Authors. By default the permissions are set to be
based on the classifications assigned to individual documents or higher. However, you can
change them as necessary. A document can have multiple authors. Classification based
means that the setting for the Author is the same as what is defined for the Classification.
To delete a classification:
n Click Revoke Classification.
To change the order of the classifications that end-users see in the Capsule Docs menu:
n Select a classification from the table and click the up and down arrows.
For each Classification, define its properties and permissions in the table. For more details
about the options see sk105076.
Column Description
Applied On:
n All Users - The same definitions of the classification apply to All Users.
n Separate Internal and External Users - There are different permissions for each classification, one for Internal and one for External users. When you select this, a second row opens for the classification.
Encrypted:
n Yes - Documents with this classification are encrypted and marked with a pink lock.
n No - Documents are classified but not encrypted. There is no user list and all users can access the document. All permissions except Unprotect and Change Classification are changed to Yes automatically.
Modify Users: Can users add or remove users and groups: Yes or No.
Unprotect: Can users make a document unprotected: Ask, Yes, or No. If Ask is selected, users must give a reason if they choose to unprotect a document.
Mobile Access: Can the document be accessed through Capsule Docs on mobile devices: Yes or No.
Screen Capture: Can users take screenshots of the document: Ask, Yes, or No. If Ask is selected, users must give a reason that they require screenshots.
Copy Paste: Can users copy from the document and paste in their device: Yes or No.
Automatic Protection
Define the default encryption behavior for new documents:
n Enforce automatic protection for new documents
n Do not enforce automatic protection
n Suggest document protection when saving document
You can also manually select or clear these options in the Properties of the Action:
n Protect new documents created by internal users
n Suggest to protect when user saves document
n Suggest to protect when user performs Save As
To add and remove user groups that show in newly protected documents:
1. Click the arrow and select Manage Groups to open the organizational tree and select
one or more groups to add to the list.
2. Select one or more groups from the list. These groups are added to the initial protection
list that is automatically assigned to a document.
All groups that show in the Protection Setting window are assigned to the document.
3. To remove a group or user, select it from the list and click the X.
Inviting Users
Set permissions for the ability to add new users to a document if they are not yet invited or
registered. By default, all users in the internal domains have permission to the documents and
do not require invitations.
The options are:
n Invited - A user added the external user to a document but the new user did not register
yet.
n Registered - The user downloaded the Capsule Docs client and registered with an email
address.
n Revoked - The administrator revoked the user and the user cannot log in to Capsule
Docs or see documents. Revoked users are in the Revoked Users folder. Administrators
can Restore or Delete users from there.
An administrator can give an external user or domain internal permissions.
Anti-Malware
Check Point Anti-Malware protects your network from all kinds of malware threats, ranging
from worms and Trojans to adware and keystroke loggers. Use Anti-Malware to centrally
manage the detection and treatment of malware on your endpoint computers.
The Endpoint Security Management Server regularly updates Anti-Malware definitions from a
Check Point update server.
Note - Delete the # character from the beginning of each row that you edit.
Property Example
2. Configure the Firewall Gateway to accept traffic from Anti-Malware signature update
servers and Cloud Reputation services
After configuring the proxy server, configure the Firewall Gateway to accept the traffic
to the Anti-Malware update servers.
a. In your Firewall Gateway, allow outbound internet connectivity.
b. In your Firewall Gateway, allow outbound connectivity to the Anti-Malware
update server.
3. Configure the Firewall Gateway to allow the Endpoint Security server to access ports 80
and 443
The Endpoint Security server must have access to ports 80 and 443 on the Anti-
Malware Signature Update Server to retrieve the latest malware definitions. Make
sure that your Firewall Gateway allows this traffic.
The Endpoint Security Management Server gets the Malware signatures from the
central Malware definition server. Endpoint Security clients with the Anti-Malware
component get Malware signature updates either from the Endpoint Security
Management Server or from their Endpoint Policy Server.
By default, the Endpoint Security Management Server and the Endpoint Policy
Servers do not have the Malware update engine installed. You must install the
Malware update engine on:
n The Endpoint Security Management Server - From SmartEndpoint.
n Endpoint Policy Servers - By installing a hotfix using CPUSE .
You can configure Trusted Processes as exceptions. When a trusted process accesses a file,
the file is not scanned. Exclude a process only if you fully trust it and are sure it is not malware.
You can also select or clear these options:
n Detect Unusual Activity - Use behavior detection methods to protect computers from
new threats whose information has not been added to the databases yet. It does not
monitor trusted processes.
n Enable Cloud Reputation Services For Files, Web Resources, and Processes - Use
cloud technologies to improve precision of scanning and monitoring functions. If you
enable or disable this setting, it takes effect after the client computer restarts.
l Connection Timeout - Change the maximum time to get a response from
Reputation Services (in milliseconds).
Note - If you decrease this value, it can improve the performance of the Anti-
Malware component but reduces security, as clients might not get a reputation
status that shows an item to be zero-day malware.
n Enable Web Protection - Prevents access to suspicious sites and execution of
malicious scripts. Scans files, and packed executables transferred over HTTP, and alerts
users if malicious content is found.
n Mail Protection - Enable or disable scans of email messages when they are passed as
files across the file system.
n C:\Program Files\MyTrustedDirectory\MyTrustedProgram.exe
n %programdata%\MyTrustedProgram.exe
3. Click OK.
The trusted program shows in the Trusted Processes list.
Action Description
Check for malware signature updates every 4 hours: Signature updates occur every 4 hours from the Endpoint Policy Server and Check Point server.
Check for malware signature updates every 2 hours: Signature updates occur every 2 hours from the Endpoint Policy Server and Check Point server.
l If second update fails - Set a second fallback update source to use if the other
sources fail.
Note - If only Update from Local Endpoint Servers is selected, clients that are
disconnected from an Endpoint Security server cannot get updates.
Anti-Ransomware Files
Anti-Ransomware creates honeypot files on client computers. It stops the attack immediately
after it detects that the ransomware modified the files.
The Anti-Ransomware creates the honeypot files in these folders:
n C:\Users\Public\Music
n C:\Users\<User>\Music (MyMusic)
n C:\Users\Public\Documents
n C:\Users\<User>\Documents (MyDocuments)
n C:\Users\Public\Videos
n C:\Users\<User>\Videos (MyVideos)
n C:\Users\Public\Pictures
n C:\Users\<User>\Pictures (MyPictures)
n C:\Program Files (x86)
n C:\ProgramData
n C:\Users\<User>\AppData\Roaming
n C:\Users\<User>\AppData\Local
n C:\Users\<User>\Downloads
You can identify these folders by the lock icon that is associated with the name of the folder.
For example:
n Sandblast Zero-Day
n Endpoint
You can open and look at the files. They are real documents, images, videos, and music.
If a file is deleted, it is automatically recreated after the next system boot.
The Shared Signature Server (3) gets the latest signatures from one of these sources:
n An Endpoint Security Management Server or Endpoint Policy Server (5).
n Over the Internet from the Check Point Signature server (6). The domain name of that
server is kav8.checkpoint.com.
The Shared Signature Server must run on a persistent virtual machine, preferably on the same
VDI host storage (4) as the clients.
In SmartEndpoint you need to configure two Anti-Malware policy rules. One rule for the Shared
Signature Server and one rule for the non-persistent virtual desktops.
Note - Here you can learn how to use SmartEndpoint to configure the Shared
Signature Server for Anti-Malware. To learn how to set up all the other requirements
for Endpoint Security in VDI environments, see the Endpoint Security VDI
Administration Guide.
Configure one Computer Group for the Shared Signature Server, and one Computer Group for
the clients. Then, define one Anti-Malware policy rule for the Shared Signature Server, and
one rule for the clients.
1. Define a Computer Group that contains the Endpoint Security computer that is the Shared
Signature Server
1. In the Users and Computers tree, click Global Actions > New Virtual Group.
2. Define a Computer Group that contains all the Endpoint Security clients on non-persistent
desktops
2. In the Select Entities window, select all the non-persistent virtual desktops with
Endpoint Security that are created with the Golden Image.
1. In the Anti-Malware policy, right-click the rule Default Anti-Malware settings for the
entire organization and select Clone Rule.
2. The Create Rule Wizard opens.
3. Click Next.
4. In the Select Entities page, select the Computer Group of the Shared Signature
Server.
5. Click Next.
6. In the Change Rule Action page, click Signature Update and select Edit Shared
Action.
7. In Signature Source, select one of the following:
n Local Endpoint Servers - Get updates from the Endpoint Security Management
Server or an Endpoint Policy Server.
n Other External source - Get updates over the Internet. For example, to get
updates from the Check Point Signature server, enter kav8.checkpoint.com
8. In Set as Shared Signature Server, enter the path of the shared folder, for example
C:\temp\Signatures
9. Click Next.
10. In the Name and comment page, enter a descriptive Name for the rule.
11. Click Finish.
1. Right-click the rule Default Anti-Malware settings for the entire organization and
select Clone Rule.
2. The Create Rule Wizard opens.
3. Click Next.
4. In the Select Entities page, select the Computer Group of the clients on non-
persistent desktops.
5. Click Next.
6. In the Change Rule Action page, click Signature Update and select Edit Shared
Action.
7. In Signature Source, select Shared Signature Server.
8. Enter the shared location of the signatures on the server, in the format
\\<client name or IP address>\folder
For example \\192.168.18.5\Signatures
9. Click Next.
10. In the Name and comment page, enter a descriptive Name for the rule.
11. Click Finish.
2. Click Install.
Action - Description
Perform periodic anti-malware scan every day - A scheduled scan occurs every day at the time shown in the Properties.
Perform periodic anti-malware scan every week - A scheduled scan occurs every week at the day and time shown in the Properties.
Perform periodic anti-malware scan every month - A scheduled scan occurs every month at the date and time shown in the Properties.
Action - Description
Periodically scan system critical areas only - The scheduled scan scans system critical areas, for example: the operating system, processes, and memory. These are the targets of most malicious programs.
Periodically scan local hard-drives - The scheduled scan scans system critical areas and local drives.
Periodically scan local and removable drives - The scheduled scan scans system critical areas and local and removable drives.
Note - Files that a user scans with Contextual scan are always scanned, even if
they are excluded by type, or size, or are in this list of excluded files and folders.
A contextual scan is a scan that the user runs from the right-click menu of the
file that the user wants to scan: The user does a right-click on a file and selects
Scan with Check Point Anti-Malware.
l Skip archives and non executables - When selected, these types of files are not
scanned.
l Do not scan files larger than - Select the maximum size of files to be scanned.
This option applies to On Demand scans and Scheduled scans. It does not apply to
On Access scans.
l Configure files and folders exclusions - Click to configure specified file or
extensions to exclude.
You can exclude the contents of trusted directories or files and specified trusted program
executables from the Anti-Malware scheduled scan. You can also exclude all files of a
specified file extension.
For example, you might exclude these types of directories or programs from the scan:
Notes -
n All directory paths must end with a backslash, for example:
driveletter:\folder\.
Filenames do not end with a backslash.
n You cannot use environment variables to exclude folders and file paths.
4. In the Path Exclusions window, click Browse and go to the trusted directory.
Alternatively, you can:
n Enter a directory path.
Example: C:\Program Files\MyTrustedDirectory\
n Enter a specific file
Example: C:\Program Files\excludeMe.txt
n Enter a file type
Example: *.txt
5. Click OK.
The trusted directory shows in the Scan exclusions list.
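An added validator for exclusion entries, written for this guide and not part of Check Point's software, that applies the notes above (a directory path ends with a backslash, a file name does not, a file type is written *.ext, and environment variables are not allowed); the drive-letter check and the sample entries are my own assumptions.

```python
"""Validate Anti-Malware scan exclusion entries against the rules in the
notes above: a directory path ends with a backslash, a file name does not,
a file type is written *.ext, and environment variables are not allowed.
Added example, not Check Point code. The drive-letter check is an assumption."""
import re

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")          # C:\ ...
ENV_VAR = re.compile(r"%[^%\\]+%")                # %programdata%, %userprofile%
FILE_TYPE = re.compile(r"^\*\.[A-Za-z0-9]+$")     # *.txt


def classify_exclusion(entry: str):
    """Return (kind, reason); kind is 'directory', 'file', 'type' or 'invalid'."""
    entry = entry.strip()
    if not entry:
        return "invalid", "empty entry"
    if FILE_TYPE.match(entry):
        return "type", "all files with this extension are excluded"
    if ENV_VAR.search(entry):
        return "invalid", "environment variables cannot be used in exclusions"
    if not DRIVE_PATH.match(entry):
        return "invalid", "path must start with a drive letter and colon, e.g. C:\\"
    if entry.endswith("\\"):
        return "directory", "directory path ends with a backslash"
    if "." in entry.rsplit("\\", 1)[-1]:
        return "file", "file name with extension, no trailing backslash"
    return "invalid", "a directory exclusion must end with a backslash"


def check_exclusion_list(entries):
    """Split a proposed exclusion list into accepted entries and rejects."""
    accepted, rejected = [], []
    for entry in entries:
        kind, reason = classify_exclusion(entry)
        (rejected if kind == "invalid" else accepted).append((entry, kind, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample list, including the two mistakes the notes warn about
    sample = [
        "C:\\Program Files\\MyTrustedDirectory\\",
        "C:\\Program Files\\excludeMe.txt",
        "*.txt",
        "C\\Program Files\\MyTrustedDirectory\\",      # missing colon after the drive letter
        "%programdata%\\MyTrustedProgram.exe",        # environment variable
        "C:\\Temp",                                   # directory without trailing backslash
    ]
    ok, bad = check_exclusion_list(sample)
    for entry, kind, reason in ok + bad:
        print(f"{kind:9} {entry!r}: {reason}")
```

Run the list through this before pasting it into the Path Exclusions window; an entry that lands in the rejected set is one the scanner would not apply the way you expect.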
Scan Optimization
The scan optimization options let you run malware scans quickly and with less impact on
performance and system resources.
Scan priority is lower than other running processes by default.
The options are:
Do not optimize malware scan - Scan optimization is disabled.
Optimize malware scan:
n Perform scan optimizations - Optimize the scan by storing file checksums and NTFS file
system data during the first scan. NTFS cluster size, file name, and folder structure are
cached. During subsequent scans, only new files or files whose checksum, file size,
name, or structure has changed are scanned.
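A skeleton of the checksum cache the optimization describes, as an added example that is not Check Point code: the first scan records each file's size and checksum, and later scans hand only new or changed files to the scanner. The cache layout, the use of SHA-256 and the constructed sample files are assumptions.

```python
"""Scan optimization as a checksum cache: remember (size, checksum) for each
file after a scan and skip files that still match on the next scan.
Added example, not Check Point code; cache format and hash choice assumed."""
import hashlib
import os
import tempfile


def file_checksum(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ScanCache:
    """Maps a path to the (size, checksum) observed at the last completed scan."""

    def __init__(self):
        self.entries = {}

    def needs_scan(self, path: str) -> bool:
        size = os.path.getsize(path)
        cached = self.entries.get(path)
        if cached is None:
            return True                      # new file, never scanned
        if cached[0] != size:
            return True                      # size changed, no need to hash
        return cached[1] != file_checksum(path)   # same size: compare content

    def record(self, path: str) -> None:
        self.entries[path] = (os.path.getsize(path), file_checksum(path))


def optimized_scan(root: str, cache: ScanCache, scanner) -> int:
    """Walk root, call scanner(path) only for files the cache cannot vouch for,
    and return how many files were actually scanned."""
    scanned = 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if cache.needs_scan(path):
                scanner(path)
                cache.record(path)
                scanned += 1
    return scanned


def demo():
    """Constructed run: two files, a second pass, then an in-place edit that
    keeps the size identical. Returns the number scanned in each pass."""
    with tempfile.TemporaryDirectory() as root:
        doc = os.path.join(root, "report.docx")
        exe = os.path.join(root, "setup.exe")
        with open(doc, "wb") as handle:
            handle.write(b"document body v1")
        with open(exe, "wb") as handle:
            handle.write(b"MZ installer bytes")
        cache = ScanCache()
        first = optimized_scan(root, cache, lambda p: None)    # both files
        second = optimized_scan(root, cache, lambda p: None)   # nothing changed
        with open(doc, "wb") as handle:
            handle.write(b"document body v2")   # same length, different content
        third = optimized_scan(root, cache, lambda p: None)    # only the edited file
        return first, second, third


if __name__ == "__main__":
    print(demo())
```

Note the trade-off this simple cache makes: a file unchanged since the last scan is skipped even after a signature update, so a production cache would also be keyed to the signature version.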
Malware Treatment
The malware treatment options let you choose what happens to malware that is detected on a
client computer.
Double-click an Action to edit the Properties.
You can change the settings for malware and riskware. The options are:
n Malware Treatment - Malware is software that is definitely dangerous.
l Quarantine file if cure failed - If Endpoint Security cannot repair the file, it is
deleted and put in a secure location from where it can be restored if necessary.
l Delete file if cure failed - If Endpoint Security cannot repair the file, it is deleted.
n Riskware Treatment - Riskware is legal software that might be dangerous.
l Treat as malware - Use the option selected for Malware.
l Skip file - Do not treat riskware files.
You can get the virus names of threats detected in your organization from one of these
sources:
n In SmartEndpoint > Users and Computers, select a computer and click Anti-Malware.
The list of infections for that computer shows.
n The Top Infections report.
n Anti-Malware infection logs in SmartLog.
4. Click OK.
5. Click OK.
If Endpoint Security servers do not have internet connectivity, Forensics information is stored
and sent for evaluation immediately when a server connects to the internet.
The confidence level is how sure Endpoint Security is that a file is malicious. High confidence
means that it is almost certain that a file is malicious. Medium confidence means that it is very
likely that a file is malicious.
n Forensics Analysis - When Forensics analysis occurs.
n File Quarantine - When files are quarantined for Threat Emulation and Anti-Bot.
n Machine Quarantine - When machines are quarantined. If a computer is quarantined,
the Firewall restricts network access.
n Attack Remediation - When Remediation occurs for components that are part of an
attack.
Backup Settings
Anti-Ransomware automatically backs up files before they are affected by a Ransomware
attack. You can add files, processes, and certificates to the exclusion list to exclude them from
backups.
n Anti-Ransomware Maximum backup size on disk - Set the maximum amount of
storage for Anti-Ransomware backups. Best practice is to allow 1 GB.
n Backup Time Interval - Within this time interval, each file is only backed up one time,
even if it is changed multiple times.
n Change default file types to be backed up - Click this to see a list of file types that are
included in the Anti-Ransomware backup files. You can add or remove file types from the
list and change the Maximum Size of files that are backed up.
n Folder - To exclude all files in a folder, enter the Folder Name or browse to it.
l Optional: Select Include all sub folders to exclude all files contained in all
sub folders.
n Process - To exclude an executable. You can also include Certificate information.
l In Process name, enter the name of the executable.
l Optional: Enter more information in the fields shown. Signer is the company
that signs the certificate. The more information you enter, the more specific
the exclusion will be.
n Certificate - To exclude processes based on the company that signs the certificate,
for example, Google.
l In Certificate Data, enter a name of company that signs certificates, or
browse to add a certificate file.
4. Click OK.
5. The exclusion is added to the Exclusions list.
If you select Automatic restore and remediate in the Anti-Ransomware Backup Settings
Action, Anti-Ransomware automatically starts Remediation after a Ransomware attack.
If you do NOT select Automatic restore and remediate, end-users must start restoration
manually on the client computer after a Ransomware attack.
Best practice is to guide users through the process and instruct them what to select when there
is more than one option.
Anti-Ransomware Restoration
In the Harmony Endpoint Forensics Analysis Report (see "Forensics" on page 350), you can
see details of which files were restored and deleted during the restoration.
n See which files were restored in the Business Impact section.
n See which files were deleted in the Remediation section.
Note - Some third party vendors do not automatically send information to the
Windows Event Log. To use third party vendor integration, make sure that your
vendor is configured to send information to the Windows Event Log.
Events are detected when the client is online or offline.
Parameter - Description
-q, -quarantine - Put the machine into restricted mode based on the policy configuration. [Optional]
Examples:
1. C:\Program Files (x86)\CheckPoint\Endpoint
Security\EFR\cpefrcli.exe file:c:\test\test.doc url:www.test.com
-r
2. C:\Program Files (x86)\CheckPoint\Endpoint
Security\EFR\cpefrcli.exe file:test.doc -r -q
3. C:\Program Files (x86)\CheckPoint\Endpoint
Security\EFR\cpefrcli.exe ip:170.12.1.180 file:test.doc
Notes:
1. All combinations of optional parameters are allowed; the order is not important.
2. The Backup option does not require the Mandatory parameters (example 5).
To use Forensics Push Operations from the Endpoint Security Management Server CLI:
For complete information about a dedicated tool and integration with third party Anti-Malware
solutions, see sk105122.
Parameters:
Parameter - Description
-a <activity_event> - 'f' if detailed activity logs should not be generated; default is 't'.
-c <case_analysis_event> - 'f' if the case analysis report should not be generated; default is 't'.
Forensics
Harmony Endpoint Forensics analyzes attacks detected by other detection features like Anti-
Ransomware or Behavioral Guard, the Check Point Security Gateway and some third party
security products. On detection of a malicious event or file, Forensics is informed and a
Forensics analysis is automatically initiated. After the analysis is completed, the entire attack
sequence is then presented as a Forensics Analysis Report.
The Forensics Analysis Report provides full information on attacks and suspicious behavior
with an easy interface. The report includes:
n Entry Point - How did the suspicious file enter your system?
n Business Impact - Which files were affected and what was done to them?
n Remediation - Which files were treated and what is their status?
n Suspicious Activity - What unusual behavior occurred that is a result of the attack?
n Incident Details - A complete visual picture of the paths of the attack in your system.
Use the Forensics Analysis Report to prevent future attacks and to make sure that all affected
files and processes work correctly.
2. Connect with Database Tool (GuiDBEdit Tool) (see sk13009) to Endpoint Security
Management Server.
3. Search for: enable_efr_updatability
4. Right-click and select Edit.
5. To change the value:
n true - enabled (default)
n false - disabled
6. Save the changes.
7. Close Database Tool (GuiDBEdit Tool).
Recommendations:
1. From the Forensics, Threat Emulation, or Anti-Bot log, open the Forensics Analysis
Report.
2. Open the Remediation tab to see the components of the attack and how they were
treated.
3. Delete all files that were created by the attack.
4. Open the Business Impact tab to see files that might be affected.
5. Open the Entry Point tab to see the path of the attack. Update your security policy to
prevent similar attacks in the future.
Recommendations:
1. From the Forensics log, open the Forensics Analysis Report.
2. Open the Remediation tab to see the components of the attack and how they were
treated.
3. If Automatic restore and remediate is selected in the Anti-Ransomware Backup
Settings, restoration and Remediation was triggered and occurs automatically.
Quarantine Management
When Harmony Endpoint components (Forensics and Anti-Ransomware, Anti-Bot, and Threat
Extraction and Threat Emulation), detect malicious files, they can quarantine those files
automatically based on policy. All components use the same Remediation service, that:
n Receives the request to quarantine a file.
n Terminates the file's process, if running.
n Encrypts the file and stores it compressed along with metadata in a protected folder.
Two utilities let administrators and end-users manage quarantined files.
Best practice is to configure Copy quarantine files to a central location in the "File
Quarantine Settings" on page 341. Then you can use the Quarantine Manager for
Administrators to import all files related to an incident from one location that you can access.
From the Quarantine Manager for Administrators you can:
n Restore files in a protected location to test them.
n Collect all malicious files related to an attack for research.
3. Click Delete.
2. Click Import.
3. In the window that opens, browse to select the quarantined file to import.
The file, with its metadata, is imported to the quarantine database from where the utility
is run.
Select actions for High Confidence, Medium Confidence, and Low Confidence bots:
n Prevent - Blocks bots.
n Detect - Logs information about bots, but does not block them.
n Inactive - Ignores bots (does not prevent or detect them).
2. Click OK.
3. Select Allow detection exclusions for following trusted entities.
4. Click Add exclusion.
5. In the window that opens, select the Object Type.
Click OK.
Enter the name of the new exclusion:
n Process - Name of an executable
n URL - Website URL
n Domain - Full domain name
n Protection Name - Predefined malware signature
n IP Range - Internal or External IP addresses
6. Click OK.
7. Click OK.
Configure the settings in the Harmony Endpoint Threat Extraction and Threat Emulation rule
in the SmartEndpoint Policy tab.
2. Expand the list for the type of file that you choose:
n Files that can be extracted and emulated (such as documents and pictures).
n Files that can only be emulated (such as executables and scripts).
n When neither Extraction nor Emulation is supported (such as videos).
3. Select an option for emulation and access to the original file from the options shown.
Different options show for different file types.
n Extract and suspend original file until emulation completes - Send files for
emulation. While a file is tested, the user receives a copy of it with all suspicious
parts removed.
n Emulate and suspend original file until emulation completes - Send files for
emulation. Users only receive the files after the emulation finishes and the file was
found to be safe.
n Emulate original file without suspending access - Send files for emulation. Users
can download and access the file while it is tested. The administrator is notified if
files are found to be malicious.
n Allow Download - No emulation or extraction. The download is allowed.
n Block Download - No emulation or extraction. The download is blocked.
4. If files are extracted, select the Extract Mode, which is the format of the extracted
document that users can see during the emulation.
n Extract potentially malicious elements -The file is sent in its original file type but
without malicious elements.
n Convert to PDF - When relevant, files are converted to PDF.
5. Click OK.
To change the setting for a specified file type, such as .zip or .pdf:
1. In a Harmony Endpoint Threat Extraction and Threat Emulation rule, right-click the Web
Download Protection Action and select Edit Shared Action.
2. Click Override default file action per file type.
3. Select a file type.
4. Click in the File Action column to select a different action for that file type.
5. Click in the Extraction Mode column to select a different extraction mode for the file type.
6. Click OK.
To define the maximum size of files that are sent for emulation:
1. In a Harmony Endpoint Threat Extraction and Threat Emulation rule, right-click the
Harmony Environment Settings Action and select Edit Shared Action.
2. Change the value for Upload to emulation files less than X Megabytes. The default is
that files smaller than 10 MB are sent for emulation.
domain.com - Matches all of these:
n https://www.domain.com
n http://www.domain.com
n https://domain.com
n http://domain.com
n https://sub.domain.com
n http://sub.domain.com
SHA1 exclusions -
n File Reputation exclusions are set by SHA1.
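An added example, not Check Point code, of the matching rules just listed: a domain exclusion covers the bare domain, www, any subdomain and both schemes, while a File Reputation exclusion is a SHA1 match on the file's contents. The helper names, sample URLs and sample bytes are assumptions.

```python
"""Matching logic for the two exclusion kinds described above: domain-style
URL exclusions and SHA1 File Reputation exclusions.
Added example, not Check Point code; samples are constructed."""
import hashlib
from urllib.parse import urlsplit


def normalize_host(url: str) -> str:
    """Lowercase hostname of a URL; bare hosts such as 'domain.com' also accepted."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def url_excluded(url: str, excluded_domains) -> bool:
    """True when the URL's host is an excluded domain or any subdomain of one.
    'notdomain.com' and 'domain.com.evil.test' must not match 'domain.com'."""
    host = normalize_host(url)
    for domain in excluded_domains:
        wanted = domain.lower().strip(".")
        if host == wanted or host.endswith("." + wanted):
            return True
    return False


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def file_excluded(data: bytes, excluded_sha1) -> bool:
    """True when the file's SHA1 is on the exclusion list (case-insensitive hex)."""
    return sha1_hex(data) in {h.strip().lower() for h in excluded_sha1}


if __name__ == "__main__":
    exclusions = ["domain.com"]
    for sample in ["https://www.domain.com/download/a.zip", "http://sub.domain.com",
                   "https://notdomain.com", "https://domain.com.evil.test"]:
        print(f"{sample:40} excluded={url_excluded(sample, exclusions)}")
    blob = b"constructed installer bytes"          # constructed file content
    print("file excluded:", file_excluded(blob, [sha1_hex(blob).upper()]))
```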
Phishing Prevention
n Phishing Protection - Select an option:
l Prevent Access and Log (default) - If Harmony Endpoint determines that the site
is phishing, users cannot access the site. A log is created for each malicious site.
l Off - Phishing prevention is disabled.
l Log Only - When a user uses a malicious site, a log is created.
l Prevent Access Only - Users cannot access malicious sites. No logs are created.
n Send log on each scanned site - Send logs for each site that users visit, if it is malicious
or not. By default, it is not selected.
n Allow user to dismiss the phishing alert and continue to access the site - Users can
choose to use a site that was found to be malicious.
n Allow user to abort phishing scans - Users can stop the phishing scan before it is
completed.
Password Reuse
n Password Reuse Protection - Select an option:
l Alert User and Log (default) - If a user enters a corporate password in a non-
corporate site, the user gets an alert and a log is created.
l Off - Password Reuse Prevention is disabled.
l Log Only - If a user enters a corporate password in a non-corporate site, a log is
created.
l Alert User Only - If a user enters a corporate password in a non-corporate site,
the user gets an alert.
n Protected Domains - Add domains for which Password Reuse Protection is enforced.
Harmony Endpoint keeps a cryptographically secure hash of the passwords used in these
domains and compares them to passwords entered outside of the protected domains.
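A model of that mechanism, added here and not Check Point's implementation: a password typed into a Protected Domain is kept only as a salted, slow hash, a password typed anywhere else is compared against those hashes in constant time, and the four Password Reuse Protection options decide whether an alert, a log, both or nothing results. The PBKDF2 parameters, sample domains and sample passwords are assumptions.

```python
"""Password Reuse Protection as described above: hashes of passwords used in
Protected Domains, compared against passwords entered on other sites.
Added example, not Check Point code; PBKDF2 settings and samples assumed."""
import hashlib
import hmac
import secrets

# (alert the user, write a log) for each Password Reuse Protection option
MODES = {
    "Alert User and Log": (True, True),
    "Log Only": (False, True),
    "Alert User Only": (True, False),
    "Off": (False, False),
}


class PasswordReuseMonitor:
    def __init__(self, protected_domains, mode="Alert User and Log", iterations=100_000):
        self.protected = {d.lower().strip(".") for d in protected_domains}
        self.alert_user, self.write_log = MODES[mode]
        self.enabled = mode != "Off"
        self.iterations = iterations
        self.records = []   # (origin domain, salt, digest); the password itself is never kept
        self.alerts, self.logs = [], []

    def is_protected(self, host: str) -> bool:
        host = host.lower().strip(".")
        return any(host == d or host.endswith("." + d) for d in self.protected)

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def observe_login(self, host: str, password: str) -> str:
        """Handle one credential submission.
        Returns 'recorded' (protected domain), 'reuse' (corporate password
        seen on another site) or 'ok'. With the Off option nothing is done."""
        if not self.enabled:
            return "ok"
        if self.is_protected(host):
            salt = secrets.token_bytes(16)          # fresh salt for every record
            self.records.append((host, salt, self._digest(password, salt)))
            return "recorded"
        for origin, salt, digest in self.records:
            # recompute with the record's salt and compare in constant time
            if hmac.compare_digest(digest, self._digest(password, salt)):
                event = {"site": host, "protected_domain": origin}
                if self.alert_user:
                    self.alerts.append(event)
                if self.write_log:
                    self.logs.append(event)
                return "reuse"
        return "ok"


if __name__ == "__main__":
    monitor = PasswordReuseMonitor(["corp.example"])        # constructed domain
    print(monitor.observe_login("sso.corp.example", "Winter2024!"))   # recorded
    print(monitor.observe_login("webmail.test", "Winter2024!"))       # reuse
    print(monitor.observe_login("webmail.test", "Different1!"))       # ok
    print(monitor.alerts, monitor.logs)
```

Each comparison costs one PBKDF2 run per stored record, which is the price of not keeping the corporate password in a reversible form on the endpoint.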
Firewall
Firewall rules allow or block network traffic to endpoint computers based on connection
information, such as IP addresses, ports, and protocols. There are two types of Firewall rules:
n Inbound rules - Rules that allow or block incoming network traffic to the endpoint
computer.
n Outbound rules - Rules that allow or block outgoing network traffic from the endpoint
computer.
Action - Description
Allow inbound traffic - Allows all incoming traffic to the endpoint computer.
Allow inbound traffic from trusted zones and connectivity services - Allows all incoming traffic from trusted zones and IP-obtaining traffic from the internet. All other traffic is blocked.
The rules required for the selected Action are automatically added to the Inbound firewall
rules Rule Base.
Right-click an Action to see the Inbound firewall rules Rule Base. You can add, delete, and
change rules as necessary.
Note - There is no Destination column in the Inbound Rule Base because the
destination of all traffic is the endpoint computer.
Action - Description
Allow any outbound traffic - Allows all outgoing traffic from the endpoint computer.
Allow outbound traffic to trusted zones and common internet protocols - Allows all traffic to trusted zones and traffic of common internet protocols to the internet.
The rules required for the selected Action are automatically added to the Outbound firewall
rules Rule Base.
Right-click an Action to see the Outbound firewall rules Rule Base. You can add, delete, and
change rules as necessary.
Note - There is no Source column in an Outbound Rule Base because the source of
all traffic is the endpoint computer.
Column - Description
Action - What is done to traffic that matches the rule: Accept or Drop.
Viewer.
n Alert - Show a message on the endpoint computer and record
n If you have a rule that drops or accepts all traffic, do not enable logging.
n To use logs and alerts, you must configure options in the Client Settings rules:
l In the Log Upload action, Enable log upload must be selected.
l In the Users Disabling Network Protection action, under Network Protection
Alerts, in the Firewall row, select Allow Alert.
Firewall Rules and Domain Controllers
Important - When creating Firewall Rules for endpoint clients, create explicit rules
that allow all endpoints to connect to all of the domain controllers on the network.
To create a Service:
1. In the Inbound or Outbound Firewall Rule Base, open the Services tab.
2. Click New.
3. Select the type of service from the New Object Type list.
4. Click OK.
5. In the Properties window, enter the required information.
6. Optional: If you create a Group, in the Group Properties window, add Available
Services to the group.
7. Click OK.
Hotspot Settings
These actions define if users can connect to your network from hotspots in public places, such
as hotels or airports.
Action - Description
Allow hotspot registration - Bypass the Firewall to let users connect to your network from a hotspot.
Do not allow hotspot registration - Do not let users connect to your network from a hotspot.
IPv6 Traffic
You can select one of these actions to allow or block IPv6 traffic to endpoint computers.
n Allow IPv6 network traffic
n Block IPv6 network traffic
Action - Description
Enforce Endpoint Firewall policy Rules - Use the Endpoint Security Firewall Policy.
Enforce Desktop Policy from SmartConsole - Use the Desktop Policy from SmartConsole.
Compliance
The Compliance component of Endpoint Security makes sure that endpoint computers comply
with security rules that you define for your organization. Computers that do not comply show
as non-compliant and you can apply restrictive policies to them.
The Compliance component makes sure that:
n All assigned components are installed and running on the endpoint computer.
n Anti-Malware is running and that the engine and signature databases are up to date.
n Required operating system service packs and Windows Server updates are installed on
the endpoint computer.
n Only authorized programs are installed and running on the endpoint computer.
n Required registry keys and values are present.
Note - Registry and File Version checks are not relevant for macOS.
If an object (for example an OU or user) in the organizational tree violates its assigned policy,
its compliance state changes, and this affects the behavior of the endpoint computer:
n The compliant state is changed to non-compliant.
n The event is logged, and you can monitor the status of the computer and its users.
n Users receive warnings or messages that explain the problem and give a solution.
n Policy rules for restricted computers apply. See "Connected, Disconnected and
Restricted Rules" on page 156.
4. Define rule alerts and login policies to enforce the rules after deployment.
Action - Description
Restrict if assigned Software Blades are not running - Restrict network access if one or more Endpoint Security components are not running.
Monitor if assigned Software Blades are not running - Create log entries if one or more Endpoint Security components are not running. No messages are sent.
Note - Endpoint Security clients on Mac always get their compliance status from
Endpoint Security Compliance, even if VPN Client verification process will use
VPN SCV Compliance is selected.
Action - Definition
Observe - Log endpoint activity without further action. Users do not know that they are non-compliant. Non-compliant endpoints show in the Observe state in the Reporting tab.
Warn - Alerts the user about non-compliance and automatically does the specified Remediation steps. Sends a log entry to the administrator.
Restrict - Alerts the user about non-compliance and automatically does the specified Remediation steps. Sends a log entry to the administrator. Changes applicable policies to the restricted state after a pre-defined number of heartbeats (default = 5). Before this happens, the user is in the about to be restricted state. On the monitoring tab, the user is shown as pre-restricted.
The Compliance component runs the rules. If it finds violations, it runs the steps for
Remediation and does the Action in the rule.
Some Action Rules are included by default. You can add more rules for your environment.
1. In the Edit Properties window of a Compliance Action, click View Objects List.
2. Click New to create a new Check object, or Edit to change an existing one.
3. For Required applications and files only: When you create a new Check object, select
an Object Type:
n Required Entity Check - Add one specified file Check object.
n Required Entity Group - Add a group of Check objects that must all be on the
computer.
4. In the Compliance Check Properties window, fill in these fields.
Option - Description
Operating System - Select the operating system that this Check object is enforced on.
Check Registry - Select one of these options to enable the registry check, or clear it to disable the check:
l Registry key and value exist - Find the registry key and value. If the registry key exists, the endpoint computer is compliant for the required file.
l Registry key and value do not exist - Make sure the registry key and value do not exist. If the key does not exist, the endpoint computer is compliant for an application that is prohibited.
Option - Description
File Name - Enter the name of the file or executable to look for. To see if this file is running or not, you must enter the full name of the executable, including the extension (either .exe or .bat).
Match File Version - Make sure that a specific version or range of versions of the file or application complies with the file check.
Match MD5 Checksum - Find the file by the MD5 Checksum. Click Calculate to compare the checksum on the endpoint with the checksum on the server.
File is not older than - Select this option and enter the maximum age, in days, of the target file. If the age is greater than the maximum age, the computer is considered to be compliant. This parameter can help detect recently installed, malicious files that are disguised as legitimate files.
5. Optional: You can select or define a Remediation action for this Check object.
The Remediation action applies only to this Check object and overrides the Remediation
action specified in the rule. To define a Check object Remediation action, select a
Remediation action from the list or click Remediation tab > New to define a new one.
Option - Description
Operations
Run Custom File - Run the specified program or script when an endpoint computer is not compliant.
URL -
n Enter the URL of an HTTP or file share server where the file is located.
n Enter the full path that includes the actual file with one of the supported extensions (*.bat or *.exe).
n This field can be left empty.
n Make sure the file share is not protected by a username or password.
Option - Description
Run as System - Apply system rights for running the executable file. Not all processes can run with user rights. System rights may be required to repair registry problems and uninstall certain programs.
Run as User - Apply user rights and local environment variables for running the executable file.
Messages
Execute operation only after user notification - Run the executable file only after a user message opens and the user approves the Remediation action. This occurs when Warn or Restrict is the selected action on a compliance check.
Use same message for both Non-Compliant and Restricted messages - Select that the same text be used for both messages. A Non-Compliant message tells the user that the computer is not compliant and shows details of how to become compliant. A Restricted message tells the user that the computer is not compliant, shows details of how to achieve compliance, and restricts computer use until compliance is achieved.
2. Select one of the following preset actions. An action happens if Windows updates have
not been installed on the Endpoint Security client computer for a specified number of
days (90 days by default):
Restrict if Windows Server Updates are not installed - Restrict the network access of the user.
Monitor Windows Server Update Services - Create a log. The user is not notified.
Do not check Windows Server Update Services - No compliance check. This is the default.
3. Optional: The compliance check makes sure that the Windows updates have been
installed within a specified number of days (90 by default). To change the number of
days:
a. Right-click the Windows Server Update Services action.
b. Select Edit Shared Action.
c. Change the number of days in Windows updates must be installed within.
Note - The default heartbeat interval is 60 seconds. A shorter heartbeat interval can cause additional load on the management. A longer heartbeat interval may lead to less up-to-date logs and reports.
The endpoint computer Compliance state is updated at each heartbeat. The heartbeat interval also controls the time that an endpoint client is in the About to be restricted state before it is restricted.
It is possible to create restricted policies that will automatically be enforced once the endpoint client enters a restricted state.
To configure the time period that users have before an endpoint computer is restricted:
1. Click Manage > Endpoint Connection Settings.
The Connection Settings Properties window opens.
2. In the Out of Compliance section, enter the number of heartbeats.
3. Click OK.
When you configure this time period, we recommend that you give users sufficient opportunity
to:
n Save their data.
n Correct the compliance issues.
n Make sure that the endpoint computer is compliant.
The formula for converting the specified time period to minutes is:
<number of heartbeats> * <heartbeat interval (in seconds)> * 60
Application Control
The Application Control component of Endpoint Security restricts network access for specified applications. The Endpoint Security administrator defines policies and rules that allow, block or terminate applications and processes. The administrator can also configure that an application will be terminated when it tries to access the network, or as soon as the application starts.
You can also enable the Reputation Service (previously called the Program Advisor). The Reputation Service recommends whether to approve or not approve an application, and the Endpoint Security client uses that recommendation, together with the permission setting for that application in the Application Control policy, to decide whether to Allow or Block the application.
5. Optional: In the Application Control Policy, review the permission that was automatically
configured for each application and application version. You can configure which
applications are allowed, blocked, or terminated.
6. Optional: Enable the Reputation Service. This is an online service that recommends
whether to approve or not approve an application. The Endpoint Security client uses the
recommendation of the Reputation Service, together with the permission setting for that
application in the Application Control policy to decide whether to Allow or Block the
application.
7. Install the Application Control policy.
To generate the list of applications, run the Appscan command on the reference computer. This generates an XML file that contains the details of all the applications and operating system files on the computer. In the XML file, each application, and each application version, is uniquely identified by a checksum. A checksum is a unique identifier for programs that cannot be forged. This prevents malicious programs from masquerading as other, innocuous programs.
Description
Scans the host computer and creates an XML file that contains a list of executable programs and their checksums. This XML file is used by the Check Point Reputation Service to create recommended rules to block or allow common applications. The administrator imports the XML file to the Endpoint Security Management Server using SmartEndpoint.
Syntax
Parameters
Parameter Description
Examples
n appscan /o scan1.xml
This scan, by default, includes .exe files in the current directory and is saved as scan1.xml.
This scan includes all .exe and .dll files on drive C and is saved as scan2.xml.
n appscan /o scan3.xml /x ".dll" /s "c:\program files"
This scan includes all .dll files in c:\program files and all its subdirectories. It is saved as scan3.xml.
n appscan /s "C:\program files" /e
This scan includes all executable files in c:\program files and all its subdirectories. It is saved as the default file name scanfile.xml.
Permission - Explanation
Unidentified (Allow) - The application is allowed because the setting for applications that are imported from the Appscan XML is Allow unidentified applications, and the application has not been configured by the administrator as Allow or Block.
Unidentified (Block) - The application is blocked because the setting for applications that are imported from the Appscan XML is Block unidentified applications, and the application has not been configured by the administrator as Allow or Block.
The Versions for Application section shows the details for each version of the application, including a unique hash value that identifies the signer of the application version. You can block or allow specific versions of the same program. Each version has a unique Version number, Hash, and Created On date.
Users can only use applications that are included in the Allowed Applications List. Those are applications with the status Unidentified (Allow) and Allow.
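As an added example (not Check Point's code, and not the real appscan utility or its XML schema), the following Python builds a checksum-keyed inventory of executables in the spirit of the /s and /x scan options above and then resolves each entry's permission the way the Permission table describes; the XML element names, the SHA-256 choice and the policy lookup are assumptions.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Extensions covered by the broadest scan described above; ".exe" alone
# mirrors the default scan of the current directory.
EXECUTABLE_EXTENSIONS = (".exe", ".dll")


def checksum_of(path: Path) -> str:
    """SHA-256 of the file contents (assumed algorithm). The digest, not the
    file name, identifies the program: a modified binary gets a new checksum."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root, extensions=(".exe",), recursive=False):
    """Return [(relative_path, checksum)] for files matching the extensions,
    modelled on 'appscan /s <dir> /x <ext>' (hypothetical reimplementation)."""
    root = Path(root)
    paths = root.rglob("*") if recursive else root.glob("*")
    return [
        (p.relative_to(root).as_posix(), checksum_of(p))
        for p in sorted(paths)
        if p.is_file() and p.suffix.lower() in extensions
    ]


def to_xml(entries) -> str:
    """Serialise the inventory. Element and attribute names are assumed; the
    real Appscan XML layout is not shown on this page."""
    root = ET.Element("appscan")
    for path, checksum in entries:
        ET.SubElement(root, "application", path=path, checksum=checksum)
    return ET.tostring(root, encoding="unicode")


def resolve_permission(checksum, policy, unidentified="Allow"):
    """Apply the Permission table: an explicit Allow/Block/Terminate set by the
    administrator wins; anything else falls back to the setting for
    applications imported from the Appscan XML ('Allow' or 'Block')."""
    if checksum in policy:
        return policy[checksum]
    return f"Unidentified ({unidentified})"


def is_in_allowed_list(permission) -> bool:
    """Users can only run applications with status Allow or Unidentified (Allow)."""
    return permission in ("Allow", "Unidentified (Allow)")


def demo():
    """Constructed reference computer: temporary files, not real binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "notepad.exe").write_bytes(b"constructed sample binary 1")
        (base / "tool.exe").write_bytes(b"constructed sample binary 2")
        (base / "helper.dll").write_bytes(b"constructed sample binary 3")
        (base / "sub").mkdir()
        (base / "sub" / "nested.exe").write_bytes(b"constructed sample binary 4")

        inventory = scan(base, EXECUTABLE_EXTENSIONS, recursive=True)
        xml_doc = to_xml(inventory)

        # Administrator decisions keyed by checksum (constructed policy).
        by_path = dict(inventory)
        policy = {by_path["notepad.exe"]: "Allow", by_path["tool.exe"]: "Block"}
        permissions = {path: resolve_permission(chk, policy) for path, chk in inventory}

        # Replace notepad.exe with different content: same name, new checksum,
        # so the explicit Allow no longer applies and the default decides.
        (base / "notepad.exe").write_bytes(b"constructed replacement content")
        tampered = checksum_of(base / "notepad.exe")
        return {
            "permissions": permissions,
            "allowed": sorted(p for p, perm in permissions.items() if is_in_allowed_list(perm)),
            "entries_in_xml": len(ET.fromstring(xml_doc).findall("application")),
            "tampered_default_allow": resolve_permission(tampered, policy),
            "tampered_default_block": resolve_permission(tampered, policy, unidentified="Block"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the unidentified-applications setting at Block, the replaced binary is refused even though its file name is unchanged, which is the masquerading case the text refers to.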
1. Configure the Endpoint Security clients and the Compliance policy to make it possible to
terminate applications on the clients. See sk141692.
2. In the Policy tab > Application Control rule, right-click the Blocked Applications Action
and select Manage All Applications .
3. To terminate an application when the application tries to access the network, right click
the application and select Move product to Terminate. Applications that you select but
do not communicate with the network (for example, Windows Notepad and Calculator)
are not terminated.
4. Click Close.
5. Optional: To make sure that all terminated applications terminate immediately when they
run:
http.proxy.password=<password>
Make sure that you delete (or do not insert) the '#' character at the beginning of these
lines. If you do not do this, all applications are blocked when trying to access the Internet.
To enable or disable Windows Subsystem for Linux (WSL) on Endpoint Security client
computers:
1. In the SmartEndpoint Policy tab, open the Application Control rule.
Option Explanation
3. Install the Application Control Policy. See "Installing the Application Control Policy " on
page 411.
2. Click Install
Client Settings
In a large organization, creating a common policy for multiple clients eases deployment and
reduces maintenance tasks.
Item - Description - Size of Image
Pre-boot Background Image Legacy Resolution - Legacy resolution image for the Pre-boot screen behind the smaller logon (800 x 600) window - 800 x 600 pixels
Pre-boot Banner Image - The banner image on the smaller logon window - 447 x 98 pixels
Log Upload
The components upload logs to the Endpoint Policy Server.
The default log upload Action is Allow log upload to Endpoint Policy Servers.
You can change these settings:
Item - Description
Enable Log Upload - Select to enable log upload. Clear to disable log upload. (Default = Selected)
Log upload interval - Frequency in minutes between logged event uploads. The clients upload logs only if the number of logs is more than the Minimum number of events before attempting an upload. (Default = 20 minutes)
Minimum number of events before attempting an upload - Upload logged events to the server only after the specified number of events. (Default = 10)
Maximum number of events to upload - Maximum number of logged events to upload to the server. (Default = 100)
Maximum age of event before upload - Optional: Upload only logged events that are older than the specified number of days. (Default = 5 days)
Discard event if older than - Optional: Do not upload logged events if they are older than the specified number of days. (Default = 90 days)
Maximum interval between status updates of Push Operations - Push Operations are operations that the Endpoint Security Management Server pushes directly to client computers with no policy installation required. (Default = 5 minutes)
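The following Python is an added example, not Check Point's client code: it simulates one upload tick under the Log Upload settings above so that the interaction of the thresholds is visible. The field names, the fixed clock, the sample queue and the rule that the "more than the minimum" test counts only currently eligible events are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class LogUploadSettings:
    """The Log Upload items from the table, with their stated defaults."""
    enabled: bool = True                          # Enable Log Upload
    interval_minutes: int = 20                    # Log upload interval
    min_events: int = 10                          # Minimum number of events before attempting an upload
    max_events: int = 100                         # Maximum number of events to upload
    max_age_days: Optional[int] = 5               # Maximum age of event before upload (None = off)
    discard_older_than_days: Optional[int] = 90   # Discard event if older than (None = off)


@dataclass(frozen=True)
class Event:
    timestamp: datetime
    message: str


def plan_upload(queue: List[Event], now: datetime, cfg: LogUploadSettings
                ) -> Tuple[List[Event], List[Event], List[Event]]:
    """Decide one upload tick. Returns (uploaded, discarded, still_queued).
    Assumption: eligible events are sent oldest first."""
    if not cfg.enabled:
        return [], [], list(queue)
    eligible, deferred, discarded = [], [], []
    for ev in queue:
        age = now - ev.timestamp
        if cfg.discard_older_than_days is not None and age > timedelta(days=cfg.discard_older_than_days):
            discarded.append(ev)        # "Discard event if older than"
        elif cfg.max_age_days is not None and age < timedelta(days=cfg.max_age_days):
            deferred.append(ev)         # not yet old enough: "Maximum age of event before upload"
        else:
            eligible.append(ev)
    if len(eligible) <= cfg.min_events:  # not more than the minimum: nothing is sent this tick
        return [], discarded, deferred + eligible
    eligible.sort(key=lambda e: e.timestamp)
    return eligible[:cfg.max_events], discarded, deferred + eligible[cfg.max_events:]


def next_upload_time(now: datetime, cfg: LogUploadSettings) -> datetime:
    """The next attempt happens one Log upload interval later."""
    return now + timedelta(minutes=cfg.interval_minutes)


def build_queue(now: datetime) -> List[Event]:
    """Constructed sample queue: 3 stale, 12 eligible and 5 fresh events."""
    q = [Event(now - timedelta(days=100 + i), f"stale-{i}") for i in range(3)]
    q += [Event(now - timedelta(days=10, minutes=i), f"eligible-{i}") for i in range(12)]
    q += [Event(now - timedelta(days=1, minutes=i), f"fresh-{i}") for i in range(5)]
    return q


def demo(cfg: Optional[LogUploadSettings] = None) -> dict:
    """Run one tick with the defaults (or the supplied settings) and report counts."""
    cfg = cfg or LogUploadSettings()
    now = datetime(2024, 1, 15, 12, 0, 0)   # fixed clock so the results are reproducible
    uploaded, discarded, queued = plan_upload(build_queue(now), now, cfg)
    return {
        "uploaded": len(uploaded),
        "discarded": len(discarded),
        "queued": len(queued),
        "oldest_uploaded": uploaded[0].message if uploaded else None,
        "next_tick": next_upload_time(now, cfg).isoformat(),
    }


if __name__ == "__main__":
    print("defaults:", demo())
    print("max 5 per upload:", demo(LogUploadSettings(max_events=5)))
    print("minimum raised to 12:", demo(LogUploadSettings(min_events=12)))
```

Raising the minimum above the number of eligible events shows the failure mode to watch for: a quiet endpoint never reaches the threshold, and its events sit in the queue until they age out and are discarded.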
Item - Description
Default reminder interval - Set the time, in minutes, after which users are reminded to install the client.
Force Installation and automatically restart after - Set the time, in hours, after which the installation starts automatically.
Client Uninstall Password - Set a password that the end user must enter before uninstalling the client. It can contain only English letters (upper or lower case), digits and these special characters: ~ = + - _ ( ) ' $ @ , .
The Endpoint Security client has an uninstall password to ensure that only authorized personnel can uninstall the client. The default uninstall password is "secret".
Best Practice - For security reasons, we strongly recommend that you change the default uninstall password.
Legacy Client Uninstall Password - Set a password that the end user must enter before uninstalling a legacy client.
The Endpoint Security client has an uninstall password to ensure that only authorized personnel can uninstall the client. The default uninstall password is "secret".
Best Practice - For security reasons, we strongly recommend that you change the default uninstall password.
Important - If users disable network protection, their computers will be less secure and vulnerable to threats.
If the policy does not allow users to disable network protection, administrators can assign permissive policies to temporarily disable network protection for specified users.
Item - Description
Allow users to disable network protection on their computers - A Disable Network Protection option shows in the right-click menu of the client icon from the notification area.
Do not allow users to disable network protection on their computers - Only an administrator can disable a user's network protection.
3. In the Network Protection section, select or clear these options for each component:
n Allow Log - To generate logs for events.
n Allow Alert - To generate alerts for events. You must also select this to use Alert in
the Track column of Firewall rules.
Note - Check Point does not share any private information with third parties.
b. On the endpoint, open the Reconnect folder, and run the ReRegister.exe file.
Access Zones
Access Zones lets you create security zones for use in Firewall. Configure Access Zones
before configuring Firewall.
There are two predefined Access Zones:
n The Internet Zone
n The Trusted Zone
Network locations not placed in the Trusted Zone automatically belong to the Internet Zone.
Note - Access Zones rules are computer-centric (and not user-centric).
Trusted Zone
The Trusted Zone contains network objects that are trusted. Configure the Trusted Zone to
include only those network objects with which your programs must interact.
Note - Objects not placed in the Trusted Zone are placed automatically in the Internet Zone.
SmartEndpoint contains an initial Access Zones policy. In the initial policy, these network
elements are included in the Trusted Zone:
n All_Internet
This object represents all legal IP addresses. In the initial policy, all IP addresses on the
Internet are trusted. However, the Access Zones policy is not a policy that is enforced by
itself but only as a component of the Firewall policy.
n LocalMachine_Loopback
Endpoint computer's loopback address: 127.0.0.1. The Endpoint must always have
access to its own loopback address.
Note - Endpoint users must not run software that changes or hides the local loopback
address, for example personal proxies that enable anonymous internet surfing.
Note - A computer can have only one Trusted Zone. This means that if the Access
Zones policy has more than one rule, and more than one Trusted Zone applies to a
computer, only the last Trusted Zone is enforced.
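As an added example (not Check Point's client code), this Python models the zone rules stated above: name validation from the Network Objects tables, Host, IP address range and Network objects, "anything not in the Trusted Zone is in the Internet Zone", and "only the last Trusted Zone is enforced". Representing All_Internet as 0.0.0.0/0, the loopback check and the sample objects are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Union

# Name rule from the Network Objects tables: starts with a letter; letters,
# digits and '_' only.
OBJECT_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")

IPObj = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class NetworkObject:
    """One Host, IP address range or Network object (Site objects, which are
    resolved by name, are left out of this example)."""
    name: str
    kind: str       # "host", "range" or "network"
    spec: tuple

    def __post_init__(self):
        if not OBJECT_NAME.match(self.name):
            raise ValueError(f"invalid network object name: {self.name!r}")

    def contains(self, ip: IPObj) -> bool:
        if self.kind == "host":
            return ip == self.spec[0]
        if self.kind == "range":
            first, last = self.spec
            return first <= ip <= last
        if self.kind == "network":
            return ip in self.spec[0]
        raise ValueError(f"unknown object kind {self.kind!r}")


def host(name: str, ip: str) -> NetworkObject:
    return NetworkObject(name, "host", (ipaddress.ip_address(ip),))


def ip_range(name: str, first: str, last: str) -> NetworkObject:
    return NetworkObject(name, "range", (ipaddress.ip_address(first), ipaddress.ip_address(last)))


def network(name: str, cidr: str) -> NetworkObject:
    return NetworkObject(name, "network", (ipaddress.ip_network(cidr, strict=False),))


# The two objects of the initial policy. Modelling All_Internet as 0.0.0.0/0
# is an assumption made for this example.
LOCALMACHINE_LOOPBACK = host("LocalMachine_Loopback", "127.0.0.1")
ALL_INTERNET = network("All_Internet", "0.0.0.0/0")


def effective_trusted_zone(applicable_zones: List[List[NetworkObject]]) -> List[NetworkObject]:
    """A computer has only one Trusted Zone: when several rules apply, only the
    last one is enforced. The loopback check is an assumed safeguard for the
    requirement that the endpoint must always reach 127.0.0.1."""
    zone = applicable_zones[-1]
    if not any(obj.contains(LOCALMACHINE_LOOPBACK.spec[0]) for obj in zone):
        raise ValueError("Trusted Zone must include the loopback address 127.0.0.1")
    return zone


def zone_of(address: str, trusted_zone: List[NetworkObject]) -> str:
    """Anything not in the Trusted Zone belongs to the Internet Zone."""
    ip = ipaddress.ip_address(address)
    return "Trusted" if any(obj.contains(ip) for obj in trusted_zone) else "Internet"


def demo() -> dict:
    """Constructed policy: the initial (all-trusting) rule followed by a
    corporate rule; the corporate rule wins because it is last."""
    initial_zone = [ALL_INTERNET, LOCALMACHINE_LOOPBACK]
    corporate_zone = [
        network("Corp_LAN", "10.0.0.0/8"),
        ip_range("Print_Servers", "192.168.1.10", "192.168.1.20"),
        host("Update_Server", "203.0.113.5"),
        LOCALMACHINE_LOOPBACK,
    ]
    zone = effective_trusted_zone([initial_zone, corporate_zone])
    return {addr: zone_of(addr, zone) for addr in
            ("10.1.2.3", "192.168.1.15", "192.168.1.30", "203.0.113.5", "198.51.100.7", "127.0.0.1")}


if __name__ == "__main__":
    for addr, zone in demo().items():
        print(f"{addr:>14} -> {zone} Zone")
```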
1. In the Policy tab > Access Zones rule, double click Corporate Trusted Zones or right-
click it and select Edit Shared Action.
The Edit Properties - Access Zones window opens.
2. To add an existing object to the Trusted Zone Locations list:
n Select a network object from Available Network Objects.
n Click Add.
3. To remove an existing object:
n Select the network object from the list
n Click the Remove arrow
4. To delete an existing object, select the object and click Delete.
5. To create a new Network Object, click New.
Network Objects
Access Zones are made up of network objects. You define network objects by specifying one
or more:
n Host
n IP address range
n Network
n Site
Create network objects for areas that programs must have access to, or areas that programs
must be prevented from accessing.
Define objects for each policy or define objects before you create a policy. After defining an
object, the object can be reused in other policies.
The same Network Objects and Services are used throughout the SmartEndpoint and in
SmartConsole. When you create a new object, it is also available in SmartConsole. If you
change an object in the SmartEndpoint or SmartConsole, it is changed everywhere that the
object is used.
Note - The Trusted Zone and the Internet Zone can also be used as objects in a
Firewall policy. These objects are resolved dynamically by the client based on Access
Zones policy assignment to the client.
Object Information - Description
Name - A name for the network object. The name must start with a letter and can include capital and small letters, numbers and '_'. All other characters are prohibited.
IP Address - The IP address of the host you want to use as a network object.
Color - Select a color to be used for the icon for this network object.

Object Information - Description
Name - A name for the network object. The name must start with a letter and can include capital and small letters, numbers and '_'. All other characters are prohibited.
First IP Address / Last IP Address - The first and last IP addresses for the network object.
Color - Select a color to be used for the icon for this network object.

Object Information - Description
Name - A name for the network object. The name must start with a letter and can include capital and small letters, numbers and '_'. All other characters are prohibited.
Color - Select a color to be used for the icon for this network object.

Rule Condition - Description
Name - A name for the network object. The name must start with a letter and can include capital and small letters, numbers and '_'. All other characters are prohibited.

Rule Condition - Description
Host Name - The full LDAP name of the host of the site you want to use as a network object. For example, hostname.acme.com.
Color - Select a color to be used for the icon for this network object.

Fields:
Rule Condition - Description
Name - A name for the network object. The name must start with a letter and can include capital and small letters, numbers and '_'. All other characters are prohibited.
Color - Select a color to be used for the icon for this network object.

Rule Condition - Description
Name - A name for the network object. The name must start with a letter and can include capital and small letters, numbers and '_'. All other characters are prohibited.
Color - Select a color to be used for the icon for this network object.
2. Select an object from the Available Objects column, or create a new object of the type:
n Site
n Site Group
Remote Help
Users can be denied access to their Full Disk Encryption-protected computers or Media Encryption & Port Protection-protected devices for many different reasons. They might have forgotten their password or entered the incorrect password too many times. In the worst case scenario, a hacker might have tried to access the computer or device.
Remote Help can help users in these types of situations. The user contacts the Help Desk or administrator and follows the recovery procedure.
Note - An Endpoint Security administrator can give Remote Help only if you enable
Remote Help in the OneCheck User Settings policy.
Administrators can supply Remote Help through SmartEndpoint or through an online web
portal.
n To use the SmartEndpoint - Select Tools > Remote Help
n To use the web portal - Go to https://<Endpoint Security Management Server IP>/webrh
5. Install Database.
When you turn on or turn off the Web Remote Help, the Endpoint Security Management Server
restarts and all connections with client computers and SmartEndpoint sessions get
disconnected.
3. In the Advanced Pre-boot Settings window, Remote Help area, select a Remote Help
response length.
4. Click OK.
5. Click OK.
6. Install policy.
Password Login is the default method and shows when you first connect to the portal. The link
in the right bottom corner of the Endpoint Security Web Remote Help window lets you toggle
between the two login methods.
Notes -
n You can set the user name in UPN format, for example:
UserName@ExampleCompany.com
n Domain name for the internal users is internal-users
2. Click Next.
3. Enter the Challenge string into your token.
4. Enter the Response generated by the X.99 Token.
5. Click Login.
d. If you have to reset the SIC, click Reset, reset the SIC on the Remote Help server,
then click Initialize.
e. Click Next.
10. Install Database on all servers.
Endpoint Security Management Server listens for RADIUS traffic on UDP port 1812. This is the standard port for RADIUS authentication, as defined by the IETF in RFCs 2865 and 2866. However, by default, many access servers use port 1645 for authentication requests.
n TACACS+: By default, the Endpoint Security Management Server listens for TACACS traffic on TCP port 49. TACACS is defined in RFC 1492, and uses either TCP or UDP port 49 by default.
i. In the Secret Key field, enter the secret key.
j. Click OK.
6. Click Next.
7. Set the expiration date (optional):
a. Select Expiration.
b. Select a Start Date.
c. Select an Expiration Date.
8. Set the location, if necessary:
a. In the Account Details section, click Add.
b. Enter a location or select one from the list.
9. Click Finish.
Select Disable remote help account. When you create a new account, it is enabled by
default.
Note - Web Remote Help works with LDAPS or LDAP authentication only. Mixed
mode is not supported.
To give Full Disk Encryption Remote Help assistance from the SmartEndpoint:
1. Select Tools > Remote Help > User Logon Preboot Remote Help.
The User Logon Preboot Remote Help window opens.
2. Select the type of assistance the end-user needs:
a. One Time Login - Gives access as an assumed identity for one session without
resetting the password.
b. Remote password change - This option is for users who have forgotten their fixed
passwords.
3. In the User Name field, click Browse and select the user in the Select a Node window.
4. Select the locked computer in the Device Name list.
5. Click Generate Response.
6. Tell the user to enter the Response One (to user) text string in the Remote Help window
on the locked computer.
To give Full Disk Encryption Remote Help assistance from the web portal:
1. Go to https://<IP Address of Endpoint Security Management Server>/webrh.
2. Enter your User Name and Password to log in to the portal. Administrators must have
permission to provide Remote Help.
3. Select FDE.
To recover a Media Encryption & Port Protection password with Remote Help assistance
from the SmartEndpoint:
1. Select Tools > Remote Help > Media Encryption Remote Help.
The Media Encryption & Port Protection Remote Help window opens.
2. In the User Logon Name field, select the user.
3. In the Challenge field, enter the challenge code that the user gives you. Users get the
Challenge from the Endpoint Security client.
4. Click Generate Response.
Media Encryption & Port Protection authenticates the challenge code and generates a
response code.
5. Give the response code to the user.
6. Make sure that the user can access the storage device successfully.
To recover a Media Encryption & Port Protection password with Remote Help assistance
from the web portal:
Note - User-bound Remote Help is less secure than regular Remote Help because
the same key for Remote Help is distributed to all machines assigned to the specified
user account.
2. In the Client Settings policy rule, in the Actions column, double-click Default installation
and upgrade settings.
3. Select Uninstall client using challenge-response to allow users to uninstall their
Endpoint Security clients using a challenge-response procedure.
4. Set the number of digits of the Response length. The default setting is 30 digits (High
Security).
To allow a user to uninstall their Endpoint Security client using Challenge-Response:
1. The user starts the process to uninstall the Endpoint Security client:
a. On the Windows computer, go to the Add or remove programs system setting,
select the Endpoint Security, and click Uninstall.
b. Give the Challenge number to the administrator. This can be by phone, text
message, email, or in some other way.
2. The administrator generates a Response and gives it to the user:
a. In the SmartEndpoint main Menu, select Tools > Remote Help > Client Uninstall
Remote Help.
The Client Uninstall Remote Help window opens.
b. In User Logon Name, select the name of the user who wants to uninstall the
Endpoint Security client.
c. In User Device, select the computer of the user.
d. In Challenge from user, type the challenge number that the user gave you.
Offline Mode
Offline Mode lets users get policies and updates from a shared folder, without a connection to
an Endpoint Security server. Policies for the following Endpoint Security client components are
supported in Offline Mode:
n Full Disk Encryption
n OneCheck User Settings
n Client Settings
Each Offline Group defines the location for its files and the included policies.
Computers that install the package do not show in the tree on the Users and
Computers tab.
For each group you configure a root path of the shared location where files for the
group are stored, and sub-paths for each type of file. You must manually create each
sub-path. Folders for these files are required. The default location is under the root
path:
n Updates - Policy updates.
n Client Logs - The location where logs from clients in this group are stored.
n Recovery Files - Full Disk Encryption recovery files.
n Upgrades - Upgrades to new client versions.
n Installation - Complete installation packages.
a. In the Users and Computers tab navigation tree, right-click on Offline Groups
and select New Offline Group.
The New Offline Group wizard opens.
d. Select a Category. Each category has a default path under the defined root
path. Keep the default or click Add, Edit, or Remove to change the path or add a
new one.
e. Click OK.
f. Select a value for each of the Synchronization Settings:
n Clients sync with shared location every X minutes
n After a failed connection, clients retry to sync with shared locations
every X minutes
n Clients stop trying to sync with shared location after X failed attempts -
This is only active when selected.
Note - Removing a user from the Authorized Pre-boot user list will not remove
the user from an already installed client. Use the Blocked Users feature to
remove users on clients.
n Click Show all users to show the complete list
n Enter text in the Search field to search the list of users
n Click Blocked Users to create a list of users who are blocked from all computers
in the offline group
Note - Smart Card authentication is not supported for Offline Pre-boot users. Select
password or dynamic token as the authentication method.
Export the required packages and put them in the configured shared locations.
To export packages:
In the Users and Computers tab, right-click on the Offline Group and select an option.
Get Update Policy File - Exports a file with policy updates. This file has CPPOL extension. You must put the CPPOL file in the Updates folder.
Get Offline Management File (cpomf) - Exports a CPOMF file that contains definitions that you can use to log in to the Endpoint Offline Management Tool. This is for a help desk or contractor environment that needs access to the Tool for Remote Help and creation of recovery media without access to an Endpoint Security server.
Full Disk Encryption > Get Bypass Pre-boot File - When installed, the computer bypasses Pre-boot based on the policy configured in the Pre-boot Protection > Temporary Pre-boot Bypass settings of the Offline group. You must put the CPPOL file in the Updates folder.
Full Disk Encryption > Get Revert Pre-boot to Policy Configuration File - Returns the computer to the regular Pre-boot policy. You must put the CPPOL file in the Updates folder.
Deployment > Get Offline to Online File - Exports a file that converts an offline client to an online client. After installation, the client will connect to the server that the file was exported from. You must put the CPPOL file in the Updates folder. For best practices, see "Moving from Offline to Online Mode" on page 457.
b. Replace the installation policy located in the local Work folder on the client.
The Work folder with the policy is located in:
n On x64 client: %PROGRAMFILES(X86)%\CheckPoint\Endpoint Security\Endpoint Common\Work\
n On x86 client: %PROGRAMFILES%\CheckPoint\Endpoint Security\Endpoint Common\Work\
Instruct users to install the packages from the sub-paths. Make sure they have the
required access.
To deploy packages:
Automatically deploy the offline client on computers or give users instructions to get
the packages they require.
If the client finds an update policy in the Work folder, the client makes sure that the
update is new, imports it, and deletes the update from the Work folder.
The client then continues to use the normal update interval as configured.
Update Directory
Recovery Files Directory
Client Log Directory
An X icon indicates offline administrators that cannot be imported. See the error
message next to it.
n Remove User - Removes an offline administrator. Select the administrator in the
table.
4. Click Import to import the administrators.
5. Click OK.
5. Click OK.
Note - The move from offline to online Mode is permanent. It is not possible for an
online client to move to offline Mode.
Password Assistance
To help a user log in to a locked computer click Password Assistance.
n Select Recovery Mode - Select the type of Full Disk Encryption Remote Help that is
necessary:
l One Time Logon - Lets users access using an assumed identity for one session,
without resetting the password. Users who lose their Smart Cards must use this
option.
l Password Change - This option is applicable for users with fixed passwords who
are locked out.
n Select Recovery File - The recovery file is a CPREC file that is uploaded from each
client computer. The files are located in the Recovery Files shared folder.
Click Browse to locate the file for the computer in the offline group that requires recovery.
n Click Next.
Note - Each offline group is cryptographically independent. The CPOMF file for one
group does not work for a different group.
Selecting a User
n Select a user that has Pre-boot permissions on the computer. You can enter the
username manually in the format domain\username.
n Click Next.
Response to User
n Response Two - Tell the user to enter the Response Two text string in the Remote Help
window on the locked computer.
Make sure that the user changes the password or has one-time access to the computer
before ending the Remote Help session.
n Try Again - Click this to start the password recovery process again for a different user.
Disk Recovery
To help a user un-encrypt a disk click Disk Recovery.
n Select Recovery File - The recovery file is a CPREC file that is uploaded from each
client computer. The files are located in the Recovery Files shared folder.
Click Browse to locate the file for the computer in the offline group that requires recovery.
n Click Next.
Note - Each offline group is cryptographically independent. The recovery file for one
group does not work for a different group.
n Click Next.
Select Media
n Select the type of recovery media to generate:
l ISO file
l REC file
l USB media
If you select ISO or REC, select the storage location.
If you select USB, choose the drive to use.
n Click Create Media.
Note - To create USB media, the tool must run with administrator privileges and the
Media Encryption & Port Protection must be disabled.
Configure the Client Setting policy one-time only, for all users:
1. In the SmartEndpoint Users and Computers tab, go to the Offline Group.
2. Click Edit rule.
3. In the Client Settings, edit the Installation rule, and select Uninstall client using
challenge-response.
4. Optional: Set the number of digits of the Response length. The default setting is 30
digits (High Security).
5. In the main toolbar, click Save rule, and install the policy.
6. In the offline group, click Get Update Policy File and save it to the Updates folder in the
Offline location (the shared location where files for the Offline Group are stored).
7. After saving the policy file to Updates folder, the policy on the client is automatically
updated. To update the policy immediately, tell the user to click Update now in the
Endpoint Security client UI.
3. In Select Status File, select the .cpsts file of the client in the Client Logs folder in the
Offline location.
4. Click Next.
a. Start the process of uninstalling the Endpoint Security client. On the Windows
computer, go to the Add or remove programs system setting, select the Endpoint
Security client, and click Uninstall.
A Check Point Endpoint Security challenge-response window opens. The window
has a Challenge field that contains a number with many digits, and a Response
field that is blank.
b. Give the Challenge number to the administrator. This can be by phone, text message, email, or in some other way.
6. In the CHALLENGE FROM USER page of the Endpoint Offline Management Tool, in the Challenge field, type the number that the user gave you.
7. Click Next.
A Response number shows in RESPONSE TO USER page.
8. Give the Response number to the user. This can be by phone, text message, email, or in some other way.
9. Give these instructions to the user:
a. Uninstall the Endpoint Security client. Type the Response number into the Check
Point Endpoint Security Challenge-Response window.
b. Click OK.
The Endpoint Security client is uninstalled.
Glossary