Introduction

Harmony Endpoint requires access to the Internet (either directly, or via configured proxy).

The table below lists the relevant connectivity requirements for each blade,
as well as how to test it in order to verify the connectivity.

* Notes:

• Authenticated proxies which require username and password are not supported.
• The new tool CheckConnectivity.exe is supplied with client versions E85.10 and higher. It helps to determine that all the online services which are required by the Endpoint client are accessible. This tool is located under the Endpoint folder: C:\Program Files (x86)CheckPoint\Endpoint Security\Endpoint Common\bin.
• Kaspersky is also referred as E1 Anti-Malware engine.
• Sophos is also referred as E2 DHS Compliant Ant-Malware engine.  
  
   

Cloud Services/Infinity Portal URLs

#	Hostname/URL	Protocol	From	Used For (Version)	Verifying Connectivity (Run command listed below. You will get a response if connectivity is OK)
Harmony Endpoint Management - Infinity Portal
1	storage.googleapis.com/datatube-data-eu	https	Threat Hunting	Threat Hunting data upload	curl -v -k -X GET https://datatube-prod.azurewebsites.net/health
2	storage.googleapis.com/datatube-data-us
3	storage.googleapis.com/datatube-data-uk
4	europe-west1-datatube-240519.cloudfunctions.net
5	proddatatubedataeu.blob.core.windows.net
6	proddatatubedataeastus2.blob.core.windows.net
7	proddatatubedataaustraliaea.blob.core.windows.net
8	datatube-prod.azurewebsites.net
9	datatubeprodwesteurope.blob.core.windows.net
10	us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net/prod-gcp-contractprovider	https	Threat Hunting	Threat Hunting cloud function domain	curl -v -k -X GET https://us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net/prod-gcp-contractprovider/health
11	<Connection Token>.epmgmt.checkpoint.com For example: HEPDemo-d9e265f1-hap2.epmgmt.checkpoint.com	https	Harmony Endpoint Management Platform	Client-Server communication
12	s3-fips-r-w.us-east-1.amazonaws.com	https	Harmony Endpoint Management Platform	Client-Server communication
Threat Cloud
13	rep.checkpoint.com/file-rep/service	https	Threat Cloud Reputation Service	ThreatCloud File Reputation service	POST https://rep-cws.checkpoint.com/file-rep/SystemStatus/type/short
General Threat Prevention Services
14	a88-221-154-122.deploy.static.akamaitechnologies.com	https	General Threat Prevention Services	Client-Server communication
15	a2-22-93-83.deploy.static.akamaitechnologies.com	https	General Threat Prevention Services	Client-Server communication
16	a95-100-209-19.deploy.static.akamaitechnologies.com	https	General Threat Prevention Services	Client-Server communication
For Services In Europe Region
17	EU-vSEC-ASG-ALB-2115742625.eu-west-1.elb.amazonaws.com	https	Harmony Endpoint Management Platform	Client-Server communication
18	epm-gw-eu.epmgmt.checkpoint.com, mapped to IPs: 1. 34.249.245.65 2. 52.49.2.249 3. 52.18.12.155 4. 46.137.141.201 5. 54.220.66.248	Varies	Harmony Endpoint Management Platform	Client-Server communication
19	cloudinfra-gw.portal.checkpoint.com	https	Harmony Endpoint Management Platform	Client-Server communication	curl -v -k -X POST https://cloudinfra-gw.portal.checkpoint.com/auth/external (401 UNAUTHORIZED)
For Services In US Region
20	US-vSEC-ASG-ALB-448998794.us-east-1.elb.amazonaws.com	https	Harmony Endpoint Management Platform	Client-Server communication
21	epm-gw-us.epmgnt.checkpoint.com, mapped to IPs: 1.  34.206.248.183 2.  34.231.106.109	https	Harmony Endpoint Management Platform	Client-Server communication
22	cloudinfra-gw-us.portal.checkpoint.com	https	Harmony Endpoint Management Platform	Client-Server communication	curl -v -k -X POST https://cloudinfra-gw.portal.checkpoint.com/auth/external (401 UNAUTHORIZED)
For Services In APAC Region
23	cloudinfra-gw.ap.portal.checkpoint.com	https	Harmony Endpoint Management Platform	Client-Server communication	curl -v -k -X POST https://cloudinfra-gw.portal.checkpoint.com/auth/external (401 UNAUTHORIZED)
24	endpoint-management-prd-alb-1052683977.ap-southeast-2.elb.amazonaws.com	https	Harmony Endpoint Management Platform	Client-Server communication

Blade Specific Services

#	Hostname/URL	Protocol	From	Used For (Version)	Verifying Connectivity (Run command listed below. You will get a response if connectivity is OK)
Threat Emulation
1	te.checkpoint.com	https	Threat Emulation	Interaction with Threat Emulation cloud	curl_cli [--proxy <IP_or_HostName:Port>] -v -k te.checkpoint.com
2	threat-emulation.checkpoint.com	https	Threat Emulation	Interaction with Threat Emulation cloud	curl_cli [--proxy <IP_or_HostName:Port>] -v -k threat-emulation.checkpoint.com
3	gwevents.checkpoint.com	https	Threat Emulation	Statistics collection	curl_cli [--proxy <IP_or_HostName:Port>] -v -k gwevents.checkpoint.com
Anti-Malware
4	teadv.checkpoint.com/Sophos/	https	Anti-Malware	Sophos (E2 DHS Compliant Anti-Malware engine) additionally uses this site.	curl_cli [--proxy <IP_or_HostName:Port>] -v https://teadv.checkpoint.com/Sophos/
5	kav8.zonealarm.com	http	Anti-Malware	Signatures database updates	curl_cli [--proxy <IP_or_HostName:Port>] -v http://kav8.zonealarm.com/v6/index/u1313g.xml
6	dnl-*.geo.kaspersky.com	http	Anti-Malware	Signatures database updates	curl_cli [--proxy <IP_or_HostName:Port>] -v http://dnl-01.geo.kaspersky.com/index/u1313g.xml
7	Domain Templates *.kaspersky.com *.kaspersky-labs.com More specific ... ksn*.kaspersky-labs.com ksn-crypto-file-geo.kaspersky-labs.com ksn-crypto-url-geo.kaspersky-labs.com ds.kaspersky.com ds1.kaspersky.com ksn-a-stat-geo.kaspersky-labs.com dc1-st.ksn.kaspersky-labs.com ksn-file-geo.kaspersky-labs.com dc1-file.ksn.kaspersky-labs.com ksn-url-geo.kaspersky-labs.com ksn-verdict-geo.kaspersky-labs.com dc1.ksn.kaspersky-labs.com ksn-cinfo-geo.kaspersky-labs.com ksn-a-p2p-geo.kaspersky-labs.com ksn-info-geo.kaspersky-labs.com file.ks*.kaspersky-labs.com url.ks*.kaspersky-labs.com verdict.ks*.kaspersky-labs.com pp.ks*.kaspersky-labs.com cinfo.ks*.kaspersky-labs.com info.ks*.kaspersky-labs.com	https Custom Protocol  1443 is fallback port that is used if 443 is unavailable	Anti-Malware	Cloud Reputation Services	telnet ksn-crypto-file-geo.kaspersky-labs.com 443
Anti-Bot
8	cws.checkpoint.com	http	Anti-Bot	Bot Detection	curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/Malware/SystemStatus/type/short
9	malw-cws.checkpoint.com	http	Anti-Bot	Bot Detection	curl_cli [--proxy <IP_or_HostName:Port>] -v http://malw-cws.checkpoint.com/Malware/SystemStatus/type/short
10	secureupdates.checkpoint.com	http	Anti-Bot	Signatures database updates	curl_cli [--proxy <IP_or_HostName:Port>] -v -k http://secureupdates.checkpoint.com/AMW/Version
11	sc1.checkpoint.com	http	Anti-Bot	Retrieve URL for bot detection server	curl_cli [--proxy <IP_or_HostName:Port>] -v -k http://sc1.checkpoint.com/EPcws/TCUrlsFormat.txt
Forensics
12	sba-data-collection.iaas.checkpoint.com	https	Data Collection service	Forensic reports upload	POST https://sba-data-collection.iaas.checkpoint.com/upload
SBA Signature Updates
13	updates.checkpoint.com	https	Updater process	SBA Signature updates	curl_cli [--proxy <IP_or_HostName:Port>] -v -k updates.checkpoint.com
14	dl3.checkpoint .com	https	Updater process	SBA Signature updates	curl_cli [--proxy <IP_or_HostName:Port>] -v -k dl3.checkpoint .com
Browser Extension/Harmony Browse
15	www.google.com/chrome/ clients2.googleusercontent.com clients2.google.com	https	Browser Extension/Harmony Browse	Google services
16	microsoftedge.microsoft.com edge.microsoft.com	https	Browser Extension/Harmony Browse	Microsoft Store
Infrastructure
17	endpoint-cdn.epmgmt.checkpoint.com	https	Infrastructure	During HEP upgrades Source of files
18	teadv.checkpoint.com/epupdates	http	Infrastructure	Updates for endpoint	curl -v -k -X GET http://teadv.checkpoint.com/epupdates/86.50/0190/v1.xml
19	ep-repo.epmgmt.checkpoint.com	https	Infrastructure	Server Profiles Feature

References

• Harmony Endpoint product page
• sk108695 - Check Point SandBlast Agent for Browsers
• sk83520 - How to verify that Security Gateway and/or Security Management Server can access Check Point servers?