Endpoint Firewall - Deployment for Remote Attack Containment
Recommendation
Deploy the Endpoint Firewall capability using Software Deployment rules.
Description
Endpoint Firewall supports endpoint self-isolation and network-level containment as part of automated and on-demand response actions. This capability is used by on-demand Push Operations, XDR response actions, and Playblocks automations.
Endpoint Firewall is also required to automatically stop remotely executed ransomware attacks over the SMB protocol.
In scenarios where the encryption is performed remotely, from another compromised computer on the same network that writes to the target's file shares over SMB, no malicious process runs on the target endpoint itself. Behavioral Guard detects the ransomware activity from the file-system behavior, and Endpoint Firewall blocks inbound SMB connections (TCP port 445) to stop the attack and prevent further data loss.
Because there is no local process to terminate, process termination is not applicable in these cases. Automatic self-isolation using Endpoint Firewall is the recommended response.
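The following script is an added illustration of the network-level containment step described above, carried out manually with Windows' built-in SMB and firewall cmdlets. It is not Check Point code and does not use the Endpoint Firewall API; it only shows what "block inbound SMB" means on the affected host: list the remote SMB clients (the encrypting host appears as a client with many open files while no local process is doing the work), close that client's sessions, then block further inbound SMB from it. The suspect address 192.0.2.10, the rule name and the parameter names are assumptions. Run it elevated on the endpoint being encrypted.

```powershell
# Added example (not Check Point's Endpoint Firewall): manual SMB containment on a
# Windows host whose shares are being encrypted by a remote machine.
# Assumption: $SuspectHost is the attacking client's IP (192.0.2.10 is a placeholder).
param(
    [string]$SuspectHost = "192.0.2.10",
    [switch]$Rollback
)

$RuleName = "IR-Contain-Inbound-SMB"   # assumed rule name

if ($Rollback) {
    # Undo the containment once the attacking host has been dealt with.
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    Write-Host "Containment rule '$RuleName' removed."
    return
}

# 1. Inbound SMB sessions: the remote encrypting host shows up here as a client with
#    a large NumOpens, while no local process owns the encryption (nothing to kill).
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, NumOpens, SessionId |
    Sort-Object NumOpens -Descending |
    Format-Table -AutoSize

# 2. Tear down the suspect host's existing sessions and their open file handles.
Get-SmbSession |
    Where-Object ClientComputerName -eq $SuspectHost |
    ForEach-Object { Close-SmbSession -SessionId $_.SessionId -Force }

# 3. Block new inbound SMB (TCP 445, plus legacy NetBIOS 139) from that host.
#    Remove -RemoteAddress to block inbound SMB from every host (full SMB isolation).
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort 139,445 -RemoteAddress $SuspectHost -Action Block -Profile Any `
    -Enabled True | Out-Null

# 4. Verify the rule and its port filter are in place.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter
```

Closing the sessions first matters: a firewall rule only affects new connections, and the attacker's established SMB session would otherwise keep writing until it idles out. Use `-Rollback` to remove the rule after the attacking host has been contained.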
Operational Guidance
- Endpoint Firewall is included in all Check Point Endpoint Security subscriptions.
- Deploy the Endpoint Firewall capability to endpoints using Software Deployment rules.