Endpoint Security functionality is based on secure communication between all Endpoint Security servers and clients.
Endpoint Security operations are implemented by different services on the Endpoint Security Management Server, Endpoint Policy Servers, SmartEndpoint console, and Endpoint Security clients.
Important - Make sure that
Communication between these elements uses the Check Point Secure Internal Communication (SIC) service. The elements authenticate each other using certificates. HTTPS (TCP/443) is used for sending events for SmartEvent Views and Reports from the Endpoint Policy Server to the Primary Management.
Service (Protocol/Port) | Communication | Notes
---|---|---
SIC (TCP/18190 - 18193) | SmartEndpoint console to Endpoint Security Management Servers | 
 | Endpoint Policy Server to Endpoint Security Management Servers | Endpoint Policy Servers distribute client-server communication and reduce the load on the Endpoint Security Management Server.
SIC (TCP/18221) | Endpoint Secondary to Primary Management | 
HTTPS (TCP/443) | Endpoint Policy Server to Primary Management | Used for sending monitoring events.
These services are used by the client to communicate with the Endpoint Policy Server or the Endpoint Security Management Server.
The client is always the initiator of the connections.
Service (Protocol/Port) | Communication | Notes
---|---|---
HTTPS (TCP/443) | Most communication is over HTTPS with TLSv1.2 encryption. These are two examples: | 
 | | The policy files themselves are encrypted with AES.
 | | A periodic client connection to the server. The client uses this connection to inform the server about changes in the policy status and compliance. You can configure the Heartbeat Interval.
 | | These are queries for the reputation of unknown applications.
 | | These connections send logs to the server.
 | For more sensitive services, the payload is encrypted using a proprietary Check Point protocol. These are the encrypted sensitive services: | 
HTTP (TCP/80) | | Verification is done by the engine before loading the signatures, and during the update process.
 | | The packages are signed and verified on the client before being installed.
 | | These connections send client policy updates, status, and module updates to the server. These HTTP messages are encrypted using a proprietary Check Point encryption protocol.
Endpoint clients send "heartbeat" messages to the Endpoint Security Management Server to check the connectivity status and report updates. The time between heartbeat messages is known as the heartbeat interval.
Note - The default heartbeat interval is 60 seconds.
The endpoint computer Compliance state is updated at each heartbeat. The heartbeat interval also controls the time that an endpoint client is in the About to be restricted state before it is restricted.
It is possible to create restricted policies that are automatically enforced once the endpoint client enters the restricted state.
To configure the heartbeat interval and out-of-compliance settings:
The Connection Settings Properties window opens.
For R80 and higher clean installations, the management certificate is signed with SHA-256 by default. In R77.x and lower environments, or in upgrades from those versions, SHA-256 is not supported for the Root CA. You can use SHA-256 for renewed certificates after the previous certificate expires. See sk103840 for more information.
To configure a renewed certificate to use SHA-256:
On the Endpoint Security Management Server, run: cpca_client set_sign_hash sha256
After the management certificate expires, the renewed certificate is signed with SHA-256.
By default, the Endpoint Security servers in this release support TLSv1.2 and TLSv1 for communication between clients and servers.
To configure servers to support TLSv1.2 only:
1. On the server, run: cpstop
2. In $UEPMDIR/apache/conf/ssl.conf, change the line
   SSLProtocol +TLSv1 +TLSv1.2
   to:
   SSLProtocol TLSv1.2
3. Run: cpstart
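A defender-side check for the procedure above, added here as an example and not Check Point tooling: a shell audit that reads an Apache ssl.conf, evaluates the SSLProtocol directive with Apache's all/+/- token semantics, and fails when anything older than TLSv1.2 is still enabled. It assumes stock Apache directive syntax; the file path is passed as an argument (for example $UEPMDIR/apache/conf/ssl.conf from the page), and the directive strings used to exercise it are constructed.

```shell
#!/bin/bash
# Audit an Apache ssl.conf for the SSLProtocol directive and report whether any
# protocol older than TLSv1.2 is enabled. Added example, not Check Point tooling.

# Print the protocols an SSLProtocol token list enables, one per line:
# "all" enables every protocol, "+X" or "X" adds X, "-X" removes X, "-all" clears.
enabled_protocols() {
    protos=" "
    for tok in "$@"; do
        case "$tok" in
            all|+all) protos=" SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 " ;;
            -all)     protos=" " ;;
            -*)       protos=$(printf '%s' "$protos" | sed "s/ ${tok#-} / /g") ;;
            +*)       protos="$protos${tok#+} " ;;
            *)        protos="$protos$tok " ;;
        esac
    done
    printf '%s\n' $protos | sort -u
}

# Check one ssl.conf. Returns 0 when only TLSv1.2 or newer is allowed,
# 1 when a weak protocol is enabled, 2 when no SSLProtocol directive exists
# (Apache's built-in default then still allows TLSv1 and TLSv1.1).
check_ssl_protocol() {
    # the last uncommented SSLProtocol directive wins within a context
    line=$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    if [ -z "$line" ]; then
        echo "$1: no SSLProtocol directive found"
        return 2
    fi
    set -- $line          # split into words; $1 is now the directive name
    shift                 # keep only the protocol tokens
    weak=""
    for proto in $(enabled_protocols "$@"); do
        case "$proto" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) weak="$weak $proto" ;;
        esac
    done
    if [ -n "$weak" ]; then
        echo "$1: WEAK - still enabled:$weak"
        return 1
    fi
    echo "$1: OK - only TLSv1.2 or newer is enabled"
    return 0
}

# Driver: audit every file given on the command line (e.g. $UEPMDIR/apache/conf/ssl.conf).
audit_status=0
for conf in "$@"; do
    check_ssl_protocol "$conf" || audit_status=1
done
```

Run it before and after the ssl.conf change; the weak result on the original `+TLSv1 +TLSv1.2` line and the OK result on `TLSv1.2` confirm the edit took effect, and a re-run after upgrades catches a reverted directive.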