Table of Contents:

• Introduction
• Firewall and Application Control Blade Overview
  • Client-Server Architecture
  • Client Architecture
  • Firewall and Application Control Client UI
  • Viewing Logs
• Managing Firewall and Application Control Blade
  • Defining Firewall Policy
  • Defining Access Zones Policy
  • Defining Application Control Policy
  • Defining Other Firewall and Application Control Settings
• Troubleshooting and Debugging
  • Known problems and solutions for them
  • General troubleshooting Approaches
  • Collecting Debug Information

Note: Relevant for R81.

New in R81

• Application Control - Support of multiple versions per product / application to be added to the list of applications being imported using the AppScan tool. Refer to the R81 Endpoint Security Administration Guide.
•  Application Control - Developer Protection. Helps prevent leakage of sensitive information (such as API keys), protects against the usage of vulnerable packages and updates the known vulnerabilities database regularly. Refer to the R81 Endpoint Security Administration Guide.
•  Application Control - Disabling or enabling Windows Subsystem for Linux (WSL). Refer to the R81 Endpoint Security Administration Guide.
• Firewall Blade - Endpoint Host Isolation via Push Operations. Refer to sk169758 - Endpoint Host Isolation.

 

Introduction

This article describes the main aspects of the Endpoint Security Firewall and Application Control Blade.

Both Firewall and Application Control are protecting computers from Internet threats. Firewall is focused on Connections, while Application Control is focused on Applications.

Understanding Firewall Protection

The firewall guards the "doors" to computers, that is, the ports through which Internet traffic comes in and goes out. It examines all the network traffic and application traffic arriving at your computer, and asks these questions:

• Where did the traffic come from and what port is it addressed to?
• Do the firewall rules allow traffic through that port?
• Does the traffic violate any global rules?

The answers to these questions determine whether the traffic is allowed or blocked.

Understanding Application Control

Application Control restricts network access for specified applications. These applications are defined in the Policy that is set by the administrator.

The Administrator defines policies and rules that allow, block, or terminate applications and processes.

Firewall and Application Control Blade Overview

This section gives the architectural and functional overview of the Firewall and Application Control Blade and describes its common flows.

Client-Server Architecture

From the Firewall and Application Control perspective, the Endpoint Security Client gets the following information from the Endpoint Security Server:

• Policy definitions
• Applications Reputation Updates (on demand, when an unknown application is first discovered) 

The Endpoint Security Client sends the following Firewall-related information to the Endpoint Security Server:

• Logs (from the other blades as well). Log upload process can be customized in the Client Settings policy
• Information about new discovered applications  

To reduce the load to the Endpoint Security Server, additional servers can be deployed. These servers are called Policy Servers. Policy Servers provide the same functionality to Clients. However, they cannot be used to manage policies with SmartConsole.

Client Architecture

On the client-side, there are several important components that communicate one with another, as described in the figure above.

These components are:

• Check Point Endpoint Agent service: performs all communications with the Endpoint Security Server, including Policies download, log upload, etc.
• Check Point Device Auxiliary Framework service: performs all communications with the installed Endpoint Security Blades and UI.
• Check Point Client UI service and Client UI process: perform user actions handling, and show blades status and messages.
• Check Point Network Protection service: performs Firewall, Access Zones and Application Control policy maintenance and execution.
• Service DLLs: subcomponents of Network Protection service needed for it to run properly
• Firewall driver: low-level kernel driver that performs actual packet processing.
• Other infrastructure components: other modules, for example, appscan utility and Log Viewer utility.

Firewall and Application Control Client UI

Firewall and Application Control Client UI allows viewing Policies and their information and seeing the current status of the blade.

It shows a summary of the Firewall and Application Control activity and the list of blocked programs with details. 

Viewing Logs

An Endpoint Security activity, including Firewall and Application Control events, is recorded in logs. This information is uploaded to the Server and can be viewed by administrators. Upload is configured in Client Policy.

This information can be useful in the following cases:

• To identify the cause of technical problems.
• To monitor traffic more closely. 
• To make sure that all features function as they should  

Log Viewer is installed together with the client. It can be opened by navigating to 'Endpoint Security Client UI Main Page > Advanced > View Logs'.

Working with Log Viewer

Log Viewer can show details for each log entry (log entry should be double-clicked). It also supports filtering logs, exporting them to some file, sorting them and other operations.

Using the Event Filter

The Event Filter lets you filter the logs to see the information that is relevant to you.

You can filter by:

• Event types: Select or clear the checkboxes that relate to the different Endpoint Security features.
• Time period: Select a Start date and time and End date and time.
• Number of events: Select the maximum number of events that will show in results.
  • Show Newest or Oldest first: Select which logs should be at the top of the list.

To use the Event Filter:

1. Open the Event Filter pane: Click the "View Event Filter" window icon and select 'View > Event Filter'.
2. Click the black arrows to open and close the sections of the Events Filter pane.
3. Make selections to filter the log results.
4. Click "Filter". The results of the filter are displayed in the Log Viewer.

To export the logs:

1. From the Log Viewer window: Click the "Export" icon and select 'Edit > Export to File'.
2. In the "Save As" window, select the location where you want the file to be saved, enter a File name, and click "Save". The logs are saved in a text file.

Managing Firewall and Application Control Blade

This section describes the SmartEndpoint Policy Rules that are related to the Firewall and Application Control Blade and gives recommendations about configuring them.

There are three main Rules related to the Firewall and Application Control Blade, together with some additional settings controlled in the Common Client Settings Rule:

• Access Zones: Defines the topology of the organizational network, separating it into Trusted and Internet domains. This rule affects Windows and MacOS machines with the Firewall Blade installed.
• Firewall: Blocks or allows network traffic, based on attributes of network connections. This rule also affects Windows and MacOS machines.
• Application Control: Controls network access on a per-application basis, letting you restrict application network access. This blade is supported only on Windows workstation (It is not supported on MacOS and on Windows Servers).
• Client Settings: Controls common client behavior. There are settings related to the Firewall Blade - log upload and the possibility to disable network protection on demand.

Defining Firewall Policy

Firewall rules allow or block network traffic to endpoint computers, based on connection information, such as IP addresses, ports, and protocols. There are two types of firewall rules:

• Inbound rules: Rules that allow or block incoming network traffic to the endpoint computer.
• Outbound rules: Rules that allow or block outgoing network traffic from the endpoint computer.

Planning Firewall Policy

When you plan a Firewall Policy, think about the security of your network and convenience for your users. A policy should permit users to work as freely as possible, but also reduce the threat of attack from malicious third parties.

The defined Actions in the Firewall rules make it easy to create the Firewall policy that you choose. Select an Action for Inbound traffic and an Action for Outbound traffic. The required rules are automatically added to the Firewall Inbound and Outbound Rule Bases.

You can add more rules to each Rule Base, and edit rules, as necessary.

On the client, the Firewall rules are evaluated in the same order as they are defined in the Firewall Policy. If two rules match the same traffic, the first one will be applied. 

Therefore, typically, the last rule is the "Cleanup" rule that matches to all traffic, and applies a default action (blocks or allows) all traffic that was not matched to the previous rules. 

Changes are enforced after the Policy is installed.

Inbound Traffic Rules

Inbound traffic rules define which network traffic can reach endpoint computers (known as localhost).

There are two default actions:

• Allow inbound traffic: Allows all incoming traffic to the endpoint computer.
• Allow inbound traffic from trusted zones and connectivity services: Allows all incoming traffic from trusted zones and IP address obtaining traffic from the internet. All other traffic is blocked.

The rules required for the selected Action are automatically added to the "Inbound Firewall Rules" Rule Base.

Right-click an Action to see the "Inbound Firewall Rules" Rule Base. You can add, delete, and change rules, as necessary.

Note that there is no Destination column in the Inbound Rule Base because the destination of all traffic is the endpoint computer.

Outbound Traffic Rules

Outbound traffic rules define which outgoing network traffic is allowed from endpoint computers.

There are two default actions:

• Allow any outbound traffic: Allows all outgoing traffic from the endpoint computer.
• Allow outbound traffic to trusted zones and common internet protocols: Allow all traffic to trusted zones and traffic of common Internet protocols to the Internet.

The rules required for the selected Action are automatically added to the "Outbound Firewall Rules" Rule Base.

Right-click an Action to see the "Outbound Firewall Rules" Rule Base. You can add, delete, and change rules, as necessary.

Note that there is no Source column in an Outbound Rule Base because the source of all traffic is the endpoint computer.

Creating Firewall Rules

Create Firewall rules that relate to inbound traffic in the "Inbound Firewall Rules" Rule Base and rules that relate to outbound traffic in the "Outbound Firewall Rules" Rule Base.

To create a Firewall rule:

1. In the Firewall rule in the Policy tab, right-click the inbound or outbound traffic Action and select "Edit Properties".
2. Click one of the "Add Rule" icons from above the Rule Base.
3. Fill in the columns of the rule. Right-click the column to select an option. 

Column	Description
NO	Rule priority number. Rule priority is important because a client checks firewall rules based on its sequence in the Rule Base. Rules are enforced from the top to the bottom. The last rule is usually a Cleanup Rule that says to drop traffic that does not match any of the previous rules.
Name	Name of the Firewall Rule.
Source/ Destination	Source: Source location of the network traffic. For an outbound rule, the source is always the local computer. Destination: Destination location of network traffic. For an inbound rule, the destination is always the local computer. Source and Destination can be any of the Network Objects defined in the Access Zones policy, or the Trusted/Internet Zone.
Service	Network protocol or service used by traffic.
Action	What is done to traffic that matches the rule: Accept or Drop.
Track	Tracking when the rule is enforced: Log: Record rule enforcement in the Endpoint Security Client Log Viewer. Alert: Show a message on the endpoint computer and record rule enforcement in the Endpoint Security Client Log Viewer. None: Log and alert messages are not created.

Notes on configuring Tracking:

• If you have a rule that drops or accepts all traffic, do not enable logging.
• To use logs and alerts, you must configure options in the "Client Settings" rules:
  • In the Log Upload action, "Enable log upload" must be selected.
  • In the "Users Disabling Network Protection" action, under "Network Protection Alerts", in the "Firewall" row, select "Allow Alert". 

Firewall Rules and Domain Controllers

When creating Firewall Rules for endpoint clients, create explicit rules that allow all endpoints to connect to all of the domain controllers on the network.

Services and Network Objects

The same Network Objects and Services are used throughout SmartEndpoint and in SmartDashboard. When you create a new object, it is also available in SmartDashboard. If you change an object in SmartEndpoint or SmartDashboard, it is changed everywhere that the object is used.

To create a Network Object:

1. In the Inbound or Outbound Firewall Rule Base, open the 'Network Objects" tab.
2. Click "New".
3. Select the type of object from the "New Object Type" list.
4. Click "OK".
5. In the Properties window, enter the required information.
6. Click "OK".

To create a Service:

1. In the Inbound or Outbound Firewall Rule Base, open the "Services" tab.
2. Click "New".
3. Select the type of service from the "New Object Type" list.
4. Click "OK".
5. In the Properties window, enter the required information.
6. Optional: If you create a Group, In the Group Properties window, add "Available Services" to a group.
7. Click "OK". 

Disabling and Deleting Rules

When you delete a rule, it is removed from the Rule Base and not enforced in the policy.

When you disable a rule, the rule is not enforced in the policy. The rule stays in the Rule Base with an X showing that it is disabled. Select "Disable rule" again to make the rule active.

To delete or disable a rule:

1. Right-click in the NO column of a rule.
2. Select "Delete Rule" or "Disable Rule".
3. Install policy.

The rule is not physically deleted or disabled until you install the policy.

Advanced Firewall Settings

There are other actions besides Firewall Rules that control the network on machines.

Wireless Connection Settings

These actions define if users can connect to wireless networks while on your organization's LAN.

This protects your network from threats that can come from wireless networks.

• Allow connecting wireless to LAN: Users can connect to wireless networks, while connected to the LAN
• Do not allow connecting wireless to LAN: Users cannot connect to wireless networks, while connected to the LAN.

Hotspot Settings

These actions define if users can connect to your network from hotspots in public places, such as hotels or airports.

• Allow hotspot registration: Bypass the firewall to let users connect to your network from a hotspot.
• Do not allow hotspot registration: Do not let users connect to your network from a hotspot.

IPv6 Traffic

You can select one of these actions to allow or block IPv6 traffic to endpoint computers.

• Allow IPv6 network traffic: Allows all traffic going through IPv6 protocols.
• Block IPv6 network traffic: Blocks all traffic going through IPv6 protocols.

Note: If IPv6 traffic is going through IPv4-based tunnels, service packets encapsulating this tunnel will be evaluated with IPv4 rules.

Choose a Firewall Policy to Enforce

By default, the Firewall policy enforced is the Endpoint Security Firewall Policy.

If your environment used Endpoint Security VPN, and then moved to the complete Endpoint Security solution, you might want to continue to use the Desktop Policy from SmartDashboard.

Select which Firewall policy to enforce:

• Enforce the above Firewall policy: Use the Endpoint Security Firewall Policy
• Enforce Desktop Policy from SmartDashboard: Use the Desktop Policy from SmartDashboard

To activate the Desktop Policy from SmartDashboard:

1. Select Enforce Desktop Policy from SmartDashboard.
2. Install Policy.
3. Restart all computers included in the rule.

Defining Access Zones Policy

Access Zones lets you create security zones for use in Firewall. Configure Access Zones before configuring Firewall.

There are two predefined Access Zones:

• The Internet Zone
• The Trusted Zone

Network locations not placed in the Trusted Zone automatically belong to the Internet Zone.

Note that Access Zones rules are computer-centric (and not user-centric).

Trusted Zone

The Trusted Zone contains network objects that are trusted. Configure the Trusted Zone to include only those network objects with which your programs must interact.

Note: Objects not placed in the Trusted Zone are placed automatically in the Internet Zone.

SmartEndpoint contains an initial Access Zones policy. In the initial policy, these network elements are included in the Trusted Zone:

• All_Internet
  

  This object represents all legal IP addresses. In the initial policy, all IP addresses on the Internet are trusted. However, the Access Zones policy is not a policy that is enforced by itself, but only as a component of the Firewall policy.

• LocalMachine_Loopback
  

  Endpoint computer's loopback address: 127.0.0.1.
  The Endpoint must always have access to its own loopback address.
  Note: Endpoint users must not run software that changes, or hides the local loopback address, for example personal proxies that enable anonymous Internet surfing.

Objects in the Trusted Zone

Think about adding these objects to your Trusted Zone:

• Remote host computers accessed by your programs (if not included in the subnet definitions for the corporate network)
• Corporate WANs accessed by your programs
• Endpoint Security Management Server
• Domain Name Servers
• Mail servers
• Domain controllers
• File servers and Print servers
• VPN gateway address range
• Internet gateways
• Local subnets
• Security servers (for example, RADIUS, ACE, or TACACS servers)
• Other IP addresses, or IP ranges, to which access is allowed or denied.

Changing the Access Zones Policy

The main component of the Access Zones policy rule is the definition of the Trusted Zone.

All objects that are not in the Trusted Zone are automatically in the Internet Zone. If necessary, you can create new Trusted Zone objects to use in different policy rules.

You can add and remove network objects from a Trusted Zone.

Note: A computer can have only one Trusted Zone. This means that if the Access Zones policy has more than one rule, and more than one Trusted Zone applies to a computer, only the last Trusted Zone is enforced.

To define the Trusted Zone:

1. In the 'Policy tab > Access Zones rule', double-click "Corporate Trusted Zones", or right-click it and select "Edit Shared Action". The Edit Properties - Access Zones window opens.
2. To add an existing object to the Trusted Zone Locations list:
   1. Select a network object from "Available Network Objects".
   2. Click "Add".
3. To remove an existing object:
   1. Select the network object from the list.
   2. Click the "Remove" arrow.
4. To delete an existing object, select the object and click "Delete".
5. To create a new Network Object, click "New". The "Select New Object Type" window opens.
   1. Select an object type from the list.
   2. Click "OK". The Properties window for the selected object opens.
   3. Enter the required data.
6. Click "OK".

To create a new Trusted Zone object:

1. In the 'Policy tab > Access Zones rule', double-click "Corporate Trusted Zones", or right-click it and select "Edit Properties". The Properties window opens.
2. In the "Select action" field, select "New".
3. Edit the Name and Description of the Zone.
4. Click "OK".
5. Edit the network locations in the zone, as described in the procedure above.

Network Objects

Access Zones are made up of network objects.

You define network objects by specifying one or more:

• Host
• IP address range
• Network
• Site

Create network objects for areas that programs must have access to, or areas that programs must be prevented from accessing.

Define objects for each policy, or define objects before you create a policy. After defining an object, the object can be reused in other policies.

The same Network Objects and Services are used throughout SmartEndpoint and in SmartDashboard. When you create a new object, it is also available in SmartDashboard. If you change an object in SmartEndpoint or SmartDashboard, it is changed everywhere that the object is used.

Note: The Trusted Zone and the Internet Zone can also be used as objects in a firewall policy. These objects are resolved dynamically by the client, based on Access Zones policy assignment to the client.

Configuring a Host as a Network Object

Enter data that defines the network object:

• Name: A name for the network object. The name must start with a letter and can include capital and small letters, numbers and '_'. All other characters are prohibited.
• IP Address: The IP address of the host you want to use as a network object.
• Color: Select a color to be used for the icon for this network object.
• Comment: A description of the network object.

Configuring an Address Range as a Network Object

Enter data that defines the network object:

• Name: A name for the network object. The name must start with a letter and can include capital and small letters, numbers and '_'. All other characters are prohibited.
• First IP Address / Last IP Address: The first and last IP addresses for the network object.
• Color: Select a color to be used for the icon for this network object.
• Comment: A description of the network object.

Configuring a Network as a Network Object

Enter data that defines the network object:

• Name: A name for the network object. The name must start with a letter and can include capital and small letters, numbers and '_'. All other characters are prohibited.
• Network Address: The network address you want to use as a network object.
• Net Mask: The net mask.
• Color: Select a color to be used for the icon for this network object.
• Comment: A description of the network object.

Configuring a Site as a Network Object

Enter data that defines the network object:

• Name: A name for the network object. The name must start with a letter and can include capital and small letters, numbers and '_'. All other characters are prohibited.
• Host Name: The full LDAP name of the host of the site you want to use as a network object.
  For example, www.example.com.
  Note: Sub-sites must be added separately, if you want to apply the rule to them, as well. Wildcard symbols like * are not allowed.
  Note: www.example.com and example.com may have different IP addresses. In such cases, both domain names should be added.
• Color: Select a color to be used for the icon for this network object.
• Comment: A description of the network object.

Configuring a Group as a Network Object

Enter data that defines the network object:

• Name: A name for the network object. The name must start with a letter and can include capital and small letters, numbers and '_'. All other characters are prohibited.
• Color: Select a color to be used for the icon for this network object.
• Comment: A description of the network object.

After this, select from the "Available Objects" column, or create new objects.

Configuring a Site Group as a Network Object

Enter data that defines the network object:

• Name: A name for the network object. The name must start with a letter and can include capital and small letters, numbers and '_'. All other characters are prohibited.
• Color: Select a color to be used for the icon for this network object.
• Comment: A description of the network object.

After this, select an object from the Available Objects column, or create a new object of the following types:

• Site
• Site Group

Defining Application Control Policy

The Application Control blade restricts network access for specified applications.

The Endpoint Security administrator defines policies and rules that allow, block, or terminate applications and processes.

Applications are blocked once they first try to get network access. Applications that should be terminated are terminated once they are open.

If specified in an Application Control rule, an alert shows which application was blocked or terminated.

You can also enable the Reputation Service (previously called the Program Advisor) to recommend applications to allow or block.

Firewall Blade can be installed on Windows Server machines in the same way as on workstation. Application Control is not supported on Windows Server.

Application Control can be disabled in the policy, or uninstalled from a machine together with the Firewall Blade.

To disable Application Control:

1. In an Application Control Rule, select an action that disables Application Control.
2. Install the policy on all clients that run Windows Server.

Working with the Application Control Policy

Configure which applications are allowed, blocked, or terminated and what happens when applications are not identified.

To configure the allowed applications:

1. In the 'Policy tab > Application Control rule', right-click the "Allowed Apps" Action, and select "Manage Allowed Apps List".
2. To add more applications, click "Add", and select applications from the "Search Applications" window.
3. Click "OK".

To configure the blocked applications:

1. In the 'Policy tab > Application Control rule', right-click the "Block Apps" Action, and select "Manage Blocked Apps List".
2. To add more applications, click "Add", and select applications from the "Search Applications" window.
3. Click "OK".

To configure terminated applications:

1. In the 'Policy tab > Application Control rule', right-click the "Terminated Apps" Action, and select "Manage Terminated Apps List".
2. To add more applications, click "Add", and select applications from the "Search Applications" window.
3. Click "OK".

If you "block unidentified applications", users can only access applications that are included in the "Allowed Apps List".

If you "allow unidentified applications", users can access all applications that are not on the "Blocked" or "Terminated" Lists.

If you "allow unidentified applications", make sure your "Blocked" and "Terminated" Lists are complete.

To configure what happens to unidentified applications:

In the 'Policy tab > Application Control rule', select "Block Unidentified Applications", or right-click and select "Allow Unidentified Applications".
 

Note: Terminated applications are not allowed to pass through the firewall. 

Reputation Service

The Check Point Reputation Service is an online service that automatically creates recommended rules that block or allow common applications.

These rules are based on the recommendations of Check Point security experts.

Note: Your Endpoint Security Management Server must have Internet access (on ports 80 and 443) to connect to the Check Point Reputation Service Server.

Note: Make sure that your firewall allows this traffic. It is recommended to add the Reputation Service Server to your Trusted Zone.

To see the recommendations of the Reputation Service for safe applications:

1. In the "Application Control" rule, right-click the "Allow Whitelisted Apps" action and select "Manage Allowed Apps List".
2. In the "Allow Applications List", select "Good Reputation" from the options menu. A list of applications with a good reputation, generated by the "Reputation Service", opens. You can move applications to the "Block" or "Terminate" lists.

To see the recommendations of the Reputation Service for malicious applications:

1. In the "Application Control" rule, right-click the "Terminated Apps" action and select "Manage Terminated Apps List".
2. In the "Terminate Application List", select "Known Malware Apps" from the options menu. A list of malicious applications, generated by the "Reputation Service", opens. You can move applications to the "Block" or "Allow" lists.

Using the Reputation Service with a Proxy

If your environment includes a proxy server for Internet access, perform the configuration steps below to let the Endpoint Security Management Server connect to the Check Point Reputation Service Server via the proxy server. Note that all configuration entries are case-sensitive.

If your organization uses a proxy server for HTTP and HTTPS traffic, you must configure the Endpoint Security Management Server to work with the proxy server.

To configure use of a proxy server:

1. From the Endpoint Security Management Server command line, run: cpstop.
2. Go to $UEPMDIR/engine/conf and open the local.properties file in a text editor.
3. Add a line for these properties:
   • The proxy server IP address: http.proxy.host=<ipaddress>
   • The proxy server listening port (typically 8080): http.proxy.port=<port>
   • If authentication is enabled on the proxy server, add these lines:
     • (Do not add these lines, if authentication is not required.)
     • http.proxy.user=<username>
     • http.proxy.password=<password>
     • Make sure that you delete (or do not insert) the '#' character at the beginning of these lines.
4. Save $UEPMDIR/engine/conf/local.properties and then close the text editor.
5. Run: cpstart.

Importing Program References

The Appscan command lets you automatically create Application Control rules for common applications and operating system files on an endpoint computers network.

Note: This is especially useful when you have a clean standard image.

You can import a list of programs identified by their checksums, instead of by filename. Checksums are unique identifiers for programs that cannot be forged. This prevents malicious programs from masquerading as other, innocuous programs.

Create an Appscan for each disk image used in your environment. You can then create rules that will apply to those applications. You can create Appscan files by running the appscan.exe utility on a computer with a tightly-controlled disk image, then importing the file into Endpoint Security.

Creating an Appscan XML File

Before you can use Appscan, set up a Windows computer with the typical applications used on protected computers in your organization.

If you have several different configurations, perform these steps for each one.

Important: The computer you scan to create an Appscan must be free of all malware.

To run Appscan from the command line:

1. Download the appscan tool from sk108536 to the root directory (typically c:\) of the baseline reference source computer.
2. From the target computer command prompt, go to the root directory, or to a specific directory to scan (for example, c:\program files).
3. Run appscan with the applicable parameters. When the scan is complete, an output file (Default = scanfile.xml) is created in the specified directory.

Appscan Command Syntax

The Appscan utility scans the host computer and creates an XML file that contains a list of executable programs and their checksums. This XML file is used by the Check Point Reputation Service to create recommended rules to block or allow common applications.

Syntax

appscan [/o <filename>] [/s <target directory>] [/x <extension string>]
[/e] [/a] [/p] [/verbose] [/warnings] [/?] [/help]

Parameters

<filename>: Output file name and path.
/o: Sends output to the specified file name. If no file name is specified, Appscan uses the default file name (scanfile.xml) in the current folder.
/s: Specifies the directory, including all subdirectories, to scan.

• You must enclose the directory/path string in double quotes.
• If no directory is specified, the scan runs in the current directory only.

/x: Specifies the file extension(s) to include in the scan.

• The extension string can include many extensions, each separated by a semi-colon.
• You must put a period before each file extension.
• You must enclose full extension string in double quotes.
• You must specify a target directory using the /s switch.
• If you do not use the /x parameter, only .exe executable files are included in the scan

/e: Include all executable files in the specified directory regardless of the extension.
      Do not use /e together with /x.
/a: Includes additional file properties for each executable.
/p: Shows progress messages during the scan.
/verbose: Shows progress and error messages during the scan.
/warnings: Shows warning messages during the scan.
/? or /help: Shows the command syntax and help text.

Examples

• appscan /o scan1.xml
  

  This scan, by default, includes .exe files in the current directory and is saved as scan1.xml.

• appscan /o scan2.xml /x ".exe;.dll" /s "C:\"
  

  This scan includes all .exe and .dll files on drive C and is saved as scan2.xml.

• appscan /o scan3.xml /x ".dll" /s c:\program files
  

  This scan included all .dll files in c:\program files and all its subdirectories. It is saved as scan3.xml.

• appscan /s "C:\program files" /e
  

  This scan includes all executable files in c:\program files and all its subdirectories. It is saved as the default file name scanfile.xml.

Importing Appscan XML Files

After you generate the Appscan XML file, you can import it to the Endpoint Security Management Server.

Note: You must remove all special characters, such as trademarks or copyright symbols, from the XML file before importing it.

To import an Appscan XML file:

1. In the 'Policy tab > Application Control rule', right-click the "Allowed Apps List".
2. Select "Import Programs".
3. In the "Import Programs" window, go to and select the applicable Appscan XML file.
4. Click "Import".

Note: When applications, included in the imported file, are found on endpoint computers, they are automatically added to the Allowed or Block applications group.

Defining Other Firewall and Application Control Settings

Disable Network Protection

Network Protection is a term meaning Firewall and Application Control Blade.
You can let users disable network protection on their computers.

Warning: If users disable network protection, their computers will be less secure and vulnerable to threats.

Note: If the policy does not allow users to disable network protection, administrators can assign permissive policies to temporarily disable network protection for specified users.

These are the actions in the Client Settings Policy:

• Allow users to disable network protection on their computers: New option (Disable Network Protection) shown in the right-click menu of the client icon from the notification area.
• Do not allow users to disable network protection on their computers: Only administrators can disable user's network protection. 

Allow Network Protection Alerts

Alerts are notifications shown to users after some events happen on machines.
Firewall Blade can show alerts, when it identifies some packets according to the Firewall Policy.

To configure the Network Protection Alerts:

1. In the "Policy" tab, "Client Settings" rule, double-click the "Network Protection" Action.
2. Click "Edit Properties".
3. In the "Network Protection" section, select or clear these options for each Software Blade:

•  
  • Allow Log: Generate logs for events.
  • Allow Alert: Generate alerts for events.

You must also set "Alert" in the "Track" column of Firewall rules.

Enforcing Rules According to States

Endpoint Security can enforce policy rules on computers and users, based on their connection and compliance state.

When you create a policy rule, you can select the state or states, during which this policy is enforced. By default, policies apply when the client is Connected.

States are not applicable for all blades. For example, Full Disk Encryption rules always apply and cannot change based on state. The option to create rules, based on state, is only displayed for applicable blades.

If there is no applicable rule for the "Disconnected" or "Restricted" states, the "Connected" policy applies.

• The "Connected" state policy is enforced, when a compliant endpoint computer connects to the Endpoint Security Management Server.
• The "Disconnected" state policy is enforced, when an endpoint computer is not connected to the Endpoint Security Management Server. For example, you can enforce a more restrictive policy, if users are working from home and are not protected by organizational resources.
• The "Restricted" state policy is enforced, when an endpoint computer is not in compliance with the enterprise security requirements. Its compliance state is moved to "Restricted". In the "Restricted" state, you usually choose to prevent users from accessing some, if not all, network resources.

To configure conditions when "Restricted" policy is applied, check the Compliance Policy section in the Endpoint Security Administration Guide.

Restricted state policies can be configured for the following blades:

• Firewall
• Access Zones
• Application Control
• Media Encryption & Port Protection

Troubleshooting and Debugging

This section describes known problems and general troubleshooting recommendations.

Known problems and solutions for them

Wireshark is not showing outgoing packets

Other tools can be used: npcap instead of winpcap driver, or Microsoft Network Monitor instead of Wireshark.

Communication between VMWare Host and VM fails

This is a known issue and can be resolved with a special utility. See sk104622 for more information.

No network access when some 3rd party network software is installed

This is a known issue in some specific cases. These cases can be resolved with a special package. See sk99065 for more information.

Wireless adapter is disabled when virtual LAN adapter is enabled

This is a known issue and can be resolved with a special utility. See sk123318 for more information.

General troubleshooting Approaches

Traffic is dropped

Typically, this happens because of some misconfigured rule in the Firewall Rules.

The following actions can be performed:

1. Assigning an all-allowing policy can confirm that traffic is blocked by the Firewall Blade.
2. Firewall Rules can be set up to log blocked actions. After this, Firewall logs in SmartViewTracker, or in Local Log Viewer Utility, can be examined to find the blocking rule.

Contact Check Point Support if the above steps do not help.

Application is blocked

A full list of blocked applications can be found in the Firewall and Application Control Blade Client UI and in Logs.

The Administrator can move the application to the "Allowed Application" List, if it is blocked by policy.

Also note that applications can be blocked by other (3rd party) software, or by other Endpoint Security Software Blades (for example, Anti-Malware, Anti-Bot).

Contact Check Point Support if the above steps do not help.

Firewall and Application Control Blade is not running

Usually, this means that one of the corresponding services is not running.

Examine their status via the  Control Panel Services utility.

Try to manually run services, if some of them are not running.

Contact Check Point Support if the above steps do not help.

Collecting Debug Information

CPinfo Utility

On all systems installed with Endpoint Security there is a debug log collector, accessible via the Endpoint Security Client Application. The tool is called CPInfo. Refer tosk90445 for more information.

CPInfo can be executed in Basic, General and Extended modes. For faster investigation, always select Extended mode, as it contains more information.

Other Debugging Tools

In some cases, Check Point Support may use some other debugging tools. It can be common troubleshooting tools like Wireshark or Process Monitor, or can be some Check Point-specific tools.

These Check Point-specific tools either control and check some internal settings, and states of Firewall and Application Control Blade components, or enable additional logging.

Check Point Support will provide explanations about performed tests and used tools, if needed.