Endpoint Security Server and Client Communication

Endpoint Security functionality is based on secure communication between all Endpoint Security servers and clients.

Endpoint Security operations are implemented by different services on the Endpoint Security Management Server A Security Management Server that manages your Endpoint Security environment. Includes the Endpoint Security policy management and databases. It communicates with endpoint clients to update their components, policies, and protection data., Endpoint Policy Servers, SmartEndpoint A Check Point GUI application which connects to the Endpoint Security Management Server, to manage your Endpoint Security environment - to deploy, monitor and configure Endpoint Security clients and policies. console, and Endpoint Security clients.

Important - Make sure that HTTP (TCP/80) and HTTPS (TCP/443) services and ports are allowed by Firewall or Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI. rules. There is routing between the Endpoint Security elements.

SmartEndpoint Console and Server to Server Communication

Communication between these elements uses the Check Point Secure Internal Communication (SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.) service. The elements authenticate each other using certificates. HTTPS (TCP/443) is used for sending events, for SmartEvent Views and Reports, from the Endpoint Policy Server Endpoint Policy Server improves performance in large environments by managing most communication with the Endpoint Security clients. Managing the Endpoint Security client communication decreases the load on the Endpoint Security Management Server, and reduces the bandwidth required between sites. The Endpoint Policy Server handles heartbeat and synchronization requests, Policy downloads, Anti-Malware updates, and Endpoint Security client logs. to Primary Management.

Service (Protocol/Port)	Communication	Notes
SIC (TCP/18190 - 18193)	SmartEndpoint console to Endpoint Security Management Servers
	Endpoint Policy Server to Endpoint Security Management Servers	Endpoint Policy Server distribute and reduce the load of client-server communication between the clients and the Endpoint Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..
SIC (TCP/18221)	Endpoint Secondary to Primary Management
HTTPS (TCP/443)	Endpoint Policy Server to Primary Management	Used for sending monitoring events.

Client to Server Communication

These services are used by the client to communicate with the Endpoint Policy Server or the Endpoint Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

The client is always the initiator of the connections.

Service (Protocol/Port)	Communication	Notes
HTTPS (TCP/443)	Most communication is over HTTPS TLSv1.2 encryption.	These are two examples: Endpoint registration New file encryption key retrieval
	Policy downloads	The policy files themselves are encrypted with AES.
	Heartbeat Endpoint clients send "heartbeat" messages to the Endpoint Security Management Server to check the connectivity status and report updates.	A periodic client connection to the server. The client uses this connection to inform the server about changes in the policy status and compliance. You can configure the Heartbeat interval. See The Heartbeat Interval
	Application Control queries	These are queries for the reputation of unknown applications.
	Log uploads	These connections send logs to the server.
	For more sensitive services, the payload is encrypted using a proprietary Check Point protocol.	These are the encrypted sensitive services: Full Disk Encryption A component on Endpoint Security Windows clients. This component combines Pre-boot protection, boot authentication, and strong encryption to make sure that only authorized users are given access to information stored on desktops and laptops. Acronym: FDE. Recovery Data Upload Media Encryption & Port Protection A component on Endpoint Security Windows clients. This component protects data stored on the computers by encrypting removable media devices and allowing tight control over computers' ports (USB, Bluetooth, and so on). Acronym. MEPP. Key Exchange Full Disk Encryption User Acquisition & User credentials.
HTTP (TCP/80)	Anti-Malware A component on Endpoint Security Windows clients. This component protects clients from known and unknown viruses, worms, Trojan horses, adware, and keystroke loggers. signature updates	Verification is done by the engine before loading the signatures, and during the update process.
	Client package downloads	The packages are signed and verified on the client before being installed.
	Synchronization	These connections send client policy updates and send status, and module updates to the server. These HTTP messages are encrypted using a proprietary Check Point encryption protocol.

The Heartbeat Interval

Endpoint clients send "heartbeat" messages to the Endpoint Security Management Server to check the connectivity status and report updates. The time between heartbeat messages is known as the heartbeat interval.

Note - The default heartbeat interval is 60 seconds. A shorter heartbeat interval can cause additional load on the management. A longer heartbeat interval may lead to less up-to-date logs and reports.

The endpoint computer Compliance Check Point Software Blade on a Management Server to view and apply the Security Best Practices to the managed Security Gateways. This Software Blade includes a library of Check Point-defined Security Best Practices to use as a baseline for good Security Gateway and Policy configuration. state is updated at each heartbeat. The heartbeat interval also controls the time that an endpoint client is in the About to be restricted state before it is restricted.

It is possible to create restricted policies that will automatically be enforced once the endpoint client enters a restricted state

To configure the heartbeat interval and out-of-compliance settings:

1. Click Manage > Endpoint Connection Settings.

   The Connection Settings Properties window opens.

2. In the Connection Settings section, set the Interval between client heartbeats.

3. In the Out-Of-Compliance section, configure when a client is restricted. Configure the number of heartbeats in Client will restrict non compliant endpoint after. The default is 5 heartbeats.

4. Click OK.

SHA-256 Certificate Support

For R80 and higher clean installations, the management certificate is encrypted with SHA-256 encryption by default. In R77.X and lower environments, or upgrades from those versions, SHA-256 is not supported for the Root CA. You can use SHA-256 for renewed certificates after the previous certificate expires. See sk103840 for more information.

To configure a renewed certificate to use SHA-256:

On the Endpoint Security Management Server, run: cpca_client set_sign_hash sha256

After the management certificate expires, the renewed certificate will be signed with SHA-256 encryption.

TLSv1.2 Support

By default, the Endpoint Security servers in this release support TLSv1.2 and TLSv1 for communication between clients and servers.

To configure servers to support TLSv1.2 only:

On each Endpoint Security server:

1. Run:

   cpstop

2. Edit:

   $UEPMDIR/apache/conf/ssl.conf

3. Change the value of the SSLProtocol attribute

   from:

   SSLProtocol +TLSv1 +TLSv1.2

   to:

   SSLProtocol TLSv1.2

4. Save the changes.

5. Run:

   cpstart