What is a Super-Node?
A Super Node is a machine running a specially configured Endpoint Security Client that also has server-like and proxy-like capabilities. Currently, Super Node serves as an Anti-Malware signature proxy.
- Reduces site bandwidth usage.
- Reduces server workload.
- Reduces customer expense on server equipment.
Super-Node is available in both Domain and Workgroup environments.
Super Node flows
Super Node runs a lightweight web server named Nginx that listens on port 4434 and responds to requests. When the Anti-Malware blade is installed on a Super Node, it:
- Downloads signatures from sources defined in an Anti-Malware policy.
- Creates a local mirror of signatures that is used as a signature source for other Endpoint clients.
If the Endpoint Security Firewall blade is installed on a Super Node machine, the currently enforced firewall policy is overridden to allow inbound traffic on port 4434.
- Starting in version E85.30, Harmony Endpoint Client also attempts to download EPS.msi files using Super Node. Super Node attempts to cache the requested files in the local folder, depending on available free space and cache size configuration.
- Starting in E85.40, Harmony Endpoint Client also attempts to download dynamic package zip files, Behavioral Guard signatures and Static Analysis models using Super Node locations.
- Starting in E86.10, Harmony Endpoint Client supports downloading policy files using a Super Node location.
If a client that is configured to use Super Node is older than the versions listed above, it downloads the files directly from the "fallback" location, as if Super Node were not configured. If the client is a version that supports downloading the new file types but the Super Node endpoint is older, the Super Node returns a 404 response to the client trying to download the file, and the client uses the "fallback" location as if Super Node were not configured.
Non-Super Node flows
When an Endpoint Security client launches an update, it first checks the "Common Client Settings" policy for a "Super Node" list. If such a list is found, a random Super Node is selected for update. If update of the selected node fails, the next entry is taken from the list. Sources defined in the Anti-Malware policy are only used if all the Super Node options have failed.
Starting with E85.30, the client uses the "Super Node List" global policy, when it is available on the server, in combination with the "Common Client Settings" policy to determine whether the current computer is a Super Node or whether it should use one of the configured Super Nodes as a download location for a supported file type.
Note:
An update is considered to be successful if the local signatures are newer than the remote signatures. Make sure all Super Nodes are continuously updated. Policy and Software Deployment features in E85.30 and newer Endpoint Security clients require a connection to the Endpoint Manager to process sync requests regarding policy and software deployment changes.
How to Configure a Super Node
For Management Servers supporting "Manage Super Nodes" capability:
1. Navigate to Policy page -> Client Settings -> Manage Super Nodes.
2. Click “+” and search for a device or devices that you want to define as Super Nodes in your environment.
3. When required devices are added, click “Save”.
To revert all changes, click “Discard”.
4. Navigate to Client Settings -> Select the required rule -> General tab -> Super Nodes.
Super Node settings are rule dependent. This means that Super Nodes defined in the General tab are applied only to devices that are related to a specific rule.
Click “+” and add Super Nodes with all their specific devices to the relevant Client Settings rule. Save and install the rule.
For older and on-premises servers, use the following approach:
Super Nodes are defined by adding a Base64-encoded Unicode (Little Endian) string into the "Comment" field of the "Common Client Settings" policy.
A single "Super Node" Endpoint client is defined using two properties:
- fqdn - mandatory property that should normally contain a full computer name. The name must be resolvable on an Endpoint client performing an update. Usage of IPv4 or IPv6 addresses in fqdn requires an additional epguid property. IPv6 addresses must be enclosed in square brackets.
- epguid - optional property that is used to uniquely identify an Endpoint client that serves as a Super Node. The value of epguid can be taken from the "Endpoint Connectivity" report in SmartEndpoint (navigate to the "Reporting" tab, expand "Activity Reports", select "Endpoint Connectivity", right-click on a column name in the "Endpoint Connectivity" table and select "Show/Hide Columns", and make the "NID" column visible).
Example of a string that defines four Super Nodes
(Note that the first computer is a member of a Windows Domain. Consequently, its name includes a domain suffix):
<AdditionalFeatures>
In the above example:
The "AdditionalFeatures" xml tag encloses a
string, where each row that contains an
property corresponds to one Super Node.
In order to convert an XML string into a Base64 representation, use a tool that allows you to specify a destination character set. The destination character set must be UCS2-LE or UTF-16LE.
Follow this link
to download a simple tool that helps create a "Super Node" policy by adding
), one by one. The tool performs Base64 encoding as well.
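The conversion described above can also be done and checked in PowerShell. This is an added example, not Check Point's tool or code: the function names are hypothetical, and the body inside the AdditionalFeatures tag is a constructed placeholder rather than the product's row syntax. The decoder also shows that anyone who can read the policy "Comment" field can recover the Super Node list, because Base64 is an encoding and provides no confidentiality.

```powershell
# Added example (hypothetical helper names), not vendor code.

function ConvertTo-SuperNodeComment {
    param([Parameter(Mandatory)][string]$Xml)
    # [Text.Encoding]::Unicode is UTF-16LE; GetBytes() does not emit a byte order mark.
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Xml))
}

function ConvertFrom-SuperNodeComment {
    param([Parameter(Mandatory)][string]$Comment)
    try {
        $bytes = [Convert]::FromBase64String($Comment.Trim())
    } catch {
        throw "Comment field is not valid Base64: $($_.Exception.Message)"
    }
    # UTF-16 code units are two bytes each, so an odd length cannot be UTF-16LE.
    if ($bytes.Length % 2 -ne 0) {
        throw 'Odd byte count: the source string was not encoded as UTF-16LE.'
    }
    # Little endian, no BOM, throw on invalid byte sequences instead of substituting.
    $strict = New-Object System.Text.UnicodeEncoding($false, $false, $true)
    $text = $strict.GetString($bytes)
    # A string encoded with the wrong character set decodes to unrelated characters.
    if (-not $text.TrimStart().StartsWith('<AdditionalFeatures>', [StringComparison]::Ordinal)) {
        throw 'Decoded text does not start with <AdditionalFeatures>: check the source character set.'
    }
    $text
}

# Constructed sample: the inner line is a placeholder for the Super Node rows.
$xml = "<AdditionalFeatures>`n<!-- constructed placeholder: Super Node rows go here -->`n</AdditionalFeatures>"

$comment = ConvertTo-SuperNodeComment -Xml $xml
"Value for the Comment field: $comment"
"Round trip matches: $((ConvertFrom-SuperNodeComment -Comment $comment) -eq $xml)"

# Common mistake: encoding the same text as UTF-8 before Base64.
$wrong = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($xml))
try {
    ConvertFrom-SuperNodeComment -Comment $wrong | Out-Null
} catch {
    "Rejected UTF-8 input: $($_.Exception.Message)"
}
```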
Determining whether a Client is a Super Node
To check whether an Endpoint Security Client has been configured as a Super Node, open the Windows Task Manager. There should be two instances of the
process, running as a
Starting with version E85.30, you can also use the following registry entries:
HKLM\SOFTWARE\WOW6432Node\CheckPoint\Endpoint Security\Device Agent\SuperNode - if this REG_DWORD value exists and is set to 1, the current Endpoint is successfully configured as a Super Node.
HKLM\SOFTWARE\WOW6432Node\CheckPoint\Endpoint Security\Device Agent\SuperNodeLocations - this REG_SZ entry contains the list of available Super Node download locations. When this list is empty, the Client does not use the download from Super Node feature.
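The two registry values can be read together with the state of the Super Node port, which is useful when inventorying which endpoints accept inbound connections on 4434. This is an added example, not Check Point code; the function name and output fields are hypothetical, and the registry key and port are the ones given in this article.

```powershell
# Added example (hypothetical function name), not vendor code. Run locally on the endpoint.
function Get-SuperNodeStatus {
    [CmdletBinding()]
    param(
        # Registry key and port as given in this article.
        [string]$KeyPath = 'HKLM:\SOFTWARE\WOW6432Node\CheckPoint\Endpoint Security\Device Agent',
        [int]$Port = 4434
    )

    # The values are documented for E85.30 and newer; a missing key or value reads as $null.
    $agent = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $isSuperNode = [bool]($agent -and ($agent.SuperNode -eq 1))
    $locations = if ($agent) { [string]$agent.SuperNodeLocations } else { '' }

    # Anything listening on the Super Node port, with the owning process names.
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    $portOpen = $listeners.Count -gt 0
    $owners = @($listeners | ForEach-Object {
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    } | Sort-Object -Unique)

    # Compare the registry flag with what is actually listening.
    $finding = if ($isSuperNode -and -not $portOpen) {
        "SuperNode value is 1 but nothing listens on TCP $Port"
    } elseif (-not $isSuperNode -and $portOpen) {
        "TCP $Port is listening but the SuperNode value is not 1: confirm the listener is expected"
    } else {
        'Registry flag and listener state agree'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsSuperNode        = $isSuperNode
        UsesSuperNodes     = -not [string]::IsNullOrWhiteSpace($locations)
        SuperNodeLocations = $locations
        PortListening      = $portOpen
        ListenerProcesses  = $owners -join ', '
        Finding            = $finding
    }
}

Get-SuperNodeStatus | Format-List
```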