
Endpoint Security
January 9, 2008
Implementation Guide
Version NGX 7.0 GA
© 2008 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their
use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by
any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book,
Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check
Point Endpoint Security, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing,
ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa,
DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX,
FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity
Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC,
OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Provider-1, PureAdvantage,
PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge,
SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security
Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter
UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal,
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand,
SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1,
UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1
Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1
SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm
Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs,
and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm
is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered
trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668,
5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign
patents, or pending applications.

Endpoint Security Implementation Guide 5
Contents
Preface
About this Guide ...................................................................... 9
Available Formats ........................................................................9
Obtaining the Correct Version .......................................................9
Obtaining New Issues of this Guide ...............................................9
About the Endpoint Security Documentation Set ....................... 10
Documentation for Administrators ...............................................10
Documentation for Endpoint Users ..............................................10
Feedback ............................................................................... 12
Chapter 1 Introduction
Using this Guide .................................................................... 13
Assumptions .......................................................................... 14
Basic Setup ..............................................................................14
Sample Configuration ................................................................14
Chapter 2 Endpoint Security Overview
Endpoint Security System Overview .......................................... 15
System Architecture ..................................................................15
Endpoint Security Server ............................................................16
Endpoint Security Clients ...........................................................17
Client Packages .........................................................................17
Gateways ..................................................................................17
Endpoint Security Communications .......................................... 18
Endpoint Security Ports .............................................................18
Endpoint Security Modes ........................................................ 18
Endpoint Security Views .......................................................... 18

Endpoint Security Feature Overview ......................................... 19
Policies ....................................................................................19
Firewall Rules, Zone Rules, and Program Control ..........................22
Firewall Rules ...........................................................................23
Zones .......................................................................................23
Program Control ........................................................................25
Enforcement .............................................................................26
Chapter 3 Planning
Using a Pilot Installation ......................................................... 27
Prerequisites .......................................................................... 27
Choosing Your Client Type ....................................................... 28
Choosing Your Enterprise Policy Types ...................................... 28
Choosing Your Security Model .................................................. 29
Gathering Topology Information ............................................... 29
Planning User Support ............................................................ 30
Chapter 4 Installation
Running the Installer .............................................................. 32
Logging In ............................................................................. 35
Chapter 5 Configuring Policies
Policy Stages ......................................................................... 36
Distributing Your First Policy ................................................... 37
Default Policy ...........................................................................37
Distributing the Endpoint Security Client .....................................37
Chapter 6 Creating a Basic Policy
Configuring Zones ......................................................................40
Setting Program Observation .......................................................42
Configuring Program Advisor .......................................................43
Deploying the Policy ..................................................................44
Testing the Policy ......................................................................44

Chapter 7 Creating a More Advanced Policy
Setting Firewall Rules ............................................................. 47
Program Control ..................................................................... 48
Setting Program Permissions ......................................................48
Configuring Enforcement Settings ............................................ 51
Setting Enforcement Rules .........................................................51
Deploying the Policy ............................................................... 54
Testing the Policy ................................................................... 55
Checking the Program Rule ........................................................55
Checking the Enforcement rule ...................................................55
Chapter 8 Assigning Policies
Workflow ............................................................................... 56
Switching Views ..................................................................... 58
Creating Catalogs ................................................................... 59
Choosing a Catalog Type ............................................................59
Creating an LDAP Catalog ..........................................................59
Creating an IP Catalog ...............................................................59
Creating a Custom Policy ............................................................60
Deploying the Custom Policy ................................................... 61
Assigning the Custom Policy .................................................... 62
Testing the Custom Policy ....................................................... 63
Checking the Custom Policy .......................................................63
Checking the Default Policy ........................................................63
Chapter 9 Understanding Policy Lifecycles
Understanding Policy Lifecycles ............................................... 65
Suggested Policy Settings ....................................................... 66
Sample Policy Lifecycles ......................................................... 67
Low Threat Lifecycle ..................................................................67
High Threat Lifecycle .................................................................69

Policy Lifecycles for VPN ............................................................71
Chapter 10 Supporting the User
Educating the Endpoint User ................................................... 73
Inform Endpoint Users in Advance ..............................................74
Provide Information About Your Security Policy ............................74
Describe the Distribution Process ................................................75
Providing Remediation Resources ............................................ 75
Using Alerts for User Self-help ....................................................75
Using the Sandbox for User Self-Help ..........................................75
Preparing your Helpdesk Staff ................................................. 77
Documentation ..........................................................................77
Training ....................................................................................77
Preface
In This Preface
About this Guide page 9
About the Endpoint Security Documentation Set page 10
Feedback page 12
About this Guide
The Endpoint Security Implementation Guide provides an overview of Endpoint
Security features and concepts. Follow the steps in this guide to install and configure a
basic Endpoint Security system as part of a pilot program. This pilot installation will
help you understand the basic features and functionality of the Endpoint Security
system.
This guide also explains how to plan your security policies, and provide support to
endpoint users. Please use the version appropriate to your installation.
Once you have mastered these features, you will be able to use the Endpoint Security
Administrator guide to use other features and to set up an installation that is more
specific to your actual network needs.

Available Formats
This guide is available as a PDF. This document is available from the Check Point CD.
Updated editions of the document may be available on the Check Point Website after
the release of Endpoint Security. The version of this document on the Check Point
Website may be more up-to-date than the version on the CD.
Obtaining the Correct Version
Make sure that this document has the Version Number that corresponds to the version
of your Endpoint Security. The Version Number is printed on the cover page of this
document.
Obtaining New Issues of this Guide
New issues of this guide are occasionally available in PDF format from the Check Point
Website. When using the PDF version of this document, make sure you have the most
up-to-date issue available. The issue date is on the cover page of this document.
When obtaining updated PDF editions from the Check Point Website, make sure
they are for the same server version as your Endpoint Security. Do not attempt to
administer Endpoint Security using documentation that is for another version.
When obtaining the most up-to-date issue of the documentation, make sure that you
are obtaining the issue that is for the appropriate server.
About the Endpoint Security Documentation Set
A comprehensive set of documentation is available for Endpoint Security, including the
documentation for the Endpoint Security clients. This includes:
• “Documentation for Administrators,” on page 10
• “Documentation for Endpoint Users,” on page 10
Documentation for Administrators
The following documentation is intended for use by Endpoint Security administrators.
Table 4-1: Server Documentation for Administrators
Endpoint Security Installation Guide: Contains detailed instructions for installing, configuring, and maintaining Endpoint Security. This document is intended for global administrators.
Endpoint Security Administrator Guide: Provides background and task-oriented information about using Endpoint Security. It is available in both a Multi and Single Domain version.
Endpoint Security Administrator Online Help: Contains descriptions of user interface elements for each Endpoint Security Administrator Console page, with cross-references to the associated tasks in the Endpoint Security Administrator Guide.
Endpoint Security System Requirements: Contains information on client and server requirements and supported third party devices and applications.
Endpoint Security Gateway Integration Guide: Contains information on integrating your gateway device with Endpoint Security.
Endpoint Security Client Management Guide: Contains detailed information on the use of third party distribution methods and command line parameters.
Endpoint Security Agent for Linux Installation and Configuration Guide: Contains information on how to install and configure Endpoint Security Agent for Linux.
Documentation for Endpoint Users
Although this documentation is written for endpoint users, Administrators should be familiar with it to help them to understand the Endpoint Security clients and how the policies they create impact the user experience.
Table 4-2: Client documentation for endpoint users
User Guide for Endpoint Security Client Software: Provides task-oriented information about the Endpoint Security clients (Agent and Flex) as well as information about the user interface.
Introduction to Endpoint Security Flex: Provides basic information to familiarize new users with Endpoint Security Flex. This document is intended to be customized by an Administrator before distribution. See the Endpoint Security Implementation Guide for more information.
Introduction to Endpoint Security Agent: Provides basic information to familiarize new users with Endpoint Security Agent. This document is intended to be customized by an Administrator before distribution. See the Endpoint Security Implementation Guide for more information.
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please
help us by sending your comments to:

Chapter 1
Introduction
In This Chapter
Using this Guide page 13
Assumptions page 14
The Endpoint Security Implementation Guide is intended to help you understand basic Endpoint Security functionality and plan your implementation.
It includes:
• A description of basic Endpoint Security architecture
• Information to help you plan your installation
• Introductions to the most important Endpoint Security features
• Instructions on how to perform a basic installation in a pilot environment
• Instructions on how to create and deploy basic policies in a pilot environment
• Information about planning policy lifecycles to enhance your security
• Information about supporting endpoint users
Follow the steps in this guide to install and configure a basic Endpoint Security system as part of a pilot program. This pilot installation will help you understand the basic features and functionality of the Endpoint Security system. Once you have mastered these features, you will be able to use the Endpoint Security Administrator Guide to use other features and to set up an installation that is more specific to your actual network needs.
Using this Guide
The instructions in this guide generally assume that you have performed all the previous tasks. It is recommended that you perform all of the tasks in this guide in the exact order and manner specified, unless a task is explicitly marked as only applying to certain circumstances.
Assumptions
This guide does not cover all possible Endpoint Security setups and configuration
options. This guide will focus on a basic setup and a sample pilot configuration
described below. Even if you do not plan to use these specific setup and configuration
parameters in your production environment, you will find this pilot setup provides
useful information that is common to all setups. For specific installation and
configuration information, see the Endpoint Security Installation Guide.
Basic Setup
This guide assumes that you are creating a pilot Endpoint Security system with the
following parameters:
• Windows environment
• Non-clustered environment
• Single Domain setup
• LDAP with Microsoft Active Directory
• No gateway device
Sample Configuration
Endpoint Security is extremely flexible, and will allow you to create many different
types of security policies. This guide will focus on setting up some sample policies for
your pilot system that contain common, recommended settings. These settings are only
meant to be representative samples of the types of options you may want to implement
in your system. The exact settings you will create for your production environment will
differ according to your security needs. Where appropriate, this guide will mention
some of the other configuration options that are available, but you should perform the
basic configuration steps described in this guide before attempting them.
For more information about additional configuration options and features, see the
following documents:
• Endpoint Security System Requirements
• Endpoint Security Installation Guide
• Endpoint Security Administrator Guide
• Endpoint Security Gateway Integration Guide
• Endpoint Security Client Management Guide
Chapter 2
Endpoint Security Overview
In This Chapter
Endpoint Security System Overview page 15
Endpoint Security Communications page 18
Endpoint Security Modes page 18
Endpoint Security Views page 18
Endpoint Security Feature Overview page 19
Use this chapter to familiarize yourself with the Endpoint Security system and its basic features. Later in this guide you will be performing a pilot installation and configuration using many of these features.
Endpoint Security System Overview
The Endpoint Security system allows you to centrally manage all of your endpoint security functions.
System Architecture
The Endpoint Security system consists of two basic components: Endpoint Security Server, and the Endpoint Security clients installed on your endpoint computers. You can also optionally include other items in your system, such as gateways, RADIUS servers and LDAP servers.
All Endpoint Security Installations include SmartPortal, which provides some of Endpoint Security’s reporting functionality. Endpoint Security installations also include some other Check Point components that function in the background. For more detailed information about Endpoint Security system architecture, including integration with other Check Point products, see the Endpoint Security Administrator Guide.
Endpoint Security Server
The Endpoint Security server allows you to centrally configure your Endpoint Security
enterprise policies. Endpoint Security uses its own embedded datastore to store
administrator, configuration, and security policy information.
This guide will show you how to perform a typical Endpoint Security installation without clustering and using the embedded datastore. For more information about the Endpoint Security server and how to install it, see the Endpoint Security Installation Guide.
Administrator Console
The Endpoint Security Administrator Console is the graphical user interface you will
use to create your security policies and deploy them to your users. You can also use the
Administrator Console to pre-package Endpoint Security client executables with
configuration settings and policies before you deliver them to your users.
This document will show you how to use the Administrator Console to create, assign,
and deploy clients to users. It will also show you how to use the Administrator Console
to create policy packages.
Figure 2-1: Basic Endpoint Security Architecture
Endpoint Security Clients
As part of the Endpoint Security system you will be installing Endpoint Security clients
on your endpoint computers. These clients monitor your endpoints and enforce your
security policies. The Endpoint Security system includes Endpoint Security Agent and
Endpoint Security Flex. It also includes versions of Endpoint Security Agent and
Endpoint Security Flex that contain VPN capabilities.
Endpoint Security Agent
Use Endpoint Security Agent when you want to centrally manage security at all times.
It has a limited interface and does not allow the user to control security settings. If you
use the version of Agent that also has VPN capability, the users are provided with an
interface to configure their VPN. It also provides an interface to manage some antivirus
and anti-spyware functions. Generally, use Agent for your less advanced users and for
computers that belong to your organization. Since Agent provides a simpler user
interface and fewer messages to the user, it is less confusing for endpoint users.
There is a Windows version of Agent and a Linux version of Agent. This pilot will
assume you are using the Windows version.

Endpoint Security Flex
Use Flex when you want the endpoint user to control his or her security settings some
of the time. Flex has a full user interface that allows the user to control security
settings under certain conditions. Generally, use Flex for expert users who are familiar
with security issues. Flex is also useful when you want to provide endpoint security for
computers you do not own, but are restricted by law from exercising too much control
over.
Client Packages
You can use client packages to pre-configure your Endpoint Security clients (Agent or
Flex) and pre-populate them with security policies. Client packages not only let your
endpoint users get policies and connect to Endpoint Security as soon as possible, but
also let you configure the client installation. Create client packages in the
Administrator Console, then use a distribution method to deliver client packages to
your endpoint computers.
Gateways
You can integrate Endpoint Security with supported gateways to enhance your security.
Gateway integration will not be covered in this guide. The Endpoint Security Systems
Requirements Document lists all the supported gateways. See the Endpoint Security
Gateway Integration Guide for information about configuring your gateway to work with
Endpoint Security.
Endpoint Security Communications
Endpoint Security operations are implemented by separate Endpoint Security services. An Apache httpd server proxies requests to these services from entities external to Endpoint Security, such as Endpoint Security clients or administrators logging on to Endpoint Security from remote computers. The Apache httpd server acts as a single point of entry, managing requests using SSL, file caching, UDP, and/or TCP socket off-loading functionality (see page 18).
For more information about Endpoint Security communications, see the Endpoint Security Administrator Guide.
Endpoint Security Ports
By default, Endpoint Security uses the ports listed below to communicate with
Endpoint Security Clients. Make sure these ports are all available on the Endpoint
Security Server:
• TCP/80 HTTP
• TCP/443 HTTPS (for clients with versions less than 7.0)
• TCP/2100 HTTPS (for 7.0 and later clients)
• UDP/6054 (If used)
Endpoint Security Modes
There are two modes for Endpoint Security:
• Single Domain
• Multi Domain
You choose the domain mode when you install Endpoint Security. Having multiple
domains is useful for Internet Service Providers and large companies that want local
administration for locations and business units. This book assumes you are using the
Single domain mode.
Endpoint Security Views
Single Domain has two views:
• Simple view
• Advanced view
When you first log into a single domain Endpoint Security server, the system is in simple view. Simple view offers a simplified User Interface and feature set. This allows you to become familiar with the core features of Endpoint Security more easily. When following the processes in this book, you will begin administering Endpoint Security in simple view. Later, when you have created your first policies and become familiar with the basic features, you will switch Endpoint Security to advanced view and use some of the more advanced features.
Endpoint Security Feature Overview
Endpoint Security is a flexible system with many powerful features to help secure your
network. This document will explain the basic functionality of some of the most
important features. You can find out more about these features and about other
features in the Endpoint Security Administrator Guide.
This section describes the following features:
• “Policies,” on page 19
• “Firewall Rules,” on page 23
• “Zones,” on page 23
• “Program Control,” on page 25
• “Enforcement,” on page 26
Policies
Policies are how you deliver security rules to your endpoint users. Administrators create
enterprise policies using the Endpoint Security Administrator Console and assign them
to endpoint users or groups of endpoint users. Endpoint Security deploys these
enterprise policies to endpoint computers, where the Endpoint Security clients receive
and enforce them. You can create connected and disconnected enterprise policies for
your users. If your users have Flex, they may also configure a personal policy for themselves.
Connected Policies
The connected enterprise policy is the policy that is enforced when the endpoint
computer is connected to your network. Generally, this is a fairly restrictive policy. This
policy is used not only to protect the endpoint computer from threats, but also to
protect other computers on your network and to enforce your corporate policies. For
example, a connected policy might have very restrictive firewall rules, require a
particular antivirus program, or block programs that violate your company’s ethics
policies, such as Kazaa.
Disconnected Policies
The disconnected enterprise policy is enforced when the endpoint computer is not
connected to your network. Usually this policy is less restrictive, but provides a
minimum level of security that you can then depend upon at all times. The goal of this policy is usually to protect the endpoint computer from the worst threats while allowing
the user more freedom. For example, a disconnected policy might require that the
endpoint have antivirus protection, but not be as strict about which brand or version. It
might also allow users to run entertainment programs that they are not allowed to run
while connected to your network.
If you do not want to control an endpoint computer’s security when it is disconnected,
you can omit the disconnected policy. In the absence of a disconnected policy, Flex
enforces the personal policy and Agent enforces the connected policy.
If you use disconnected policies, it is highly recommended that you use the Office
Awareness feature. If you do not configure Office Awareness, your Endpoint Security
clients will use the disconnected policy whenever they lose contact with the Endpoint
Security server. For more information about Office Awareness, see the Endpoint
Security Administrator Guide.
Personal Policies
Flex users can create their own security policies. How these policies are arbitrated with conflicting enterprise policies depends on what settings you choose in the enterprise policy. Generally, the more restrictive policy rule is the one that is enforced.
VPN Policies
If you use gateways, you can specify a VPN policy for your users. This policy is
enforced when users connect via a gateway, no matter what other policies the user may
be assigned.
Policy Packages
Policy packages are bundles of policies that can be assigned together. Using packages,
you can specify which policy to enforce as the connected policy and which to enforce
as the disconnected policy.
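The selection rules in the preceding subsections (VPN policy first, then connected versus disconnected, the Flex/Agent fallback when no disconnected policy exists, the Office Awareness caveat, and "more restrictive rule wins" for personal policies) can be written down as a small decision procedure. The following is an added illustration, not Check Point's code: the policy names, the `EndpointState` fields, and the allow/ask/block ordering used for arbitration are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ClientType(Enum):
    AGENT = "Agent"   # limited interface, always centrally managed
    FLEX = "Flex"     # full interface, user may keep a personal policy


@dataclass
class PolicyPackage:
    """Names of the enterprise policies bundled for assignment (names are constructed)."""
    connected: str
    disconnected: Optional[str] = None   # may be omitted, as the guide allows
    vpn: Optional[str] = None            # only meaningful when a gateway is used


@dataclass
class EndpointState:
    client: ClientType
    on_corporate_network: bool          # what Office Awareness would determine
    server_reachable: bool              # what a client without Office Awareness falls back on
    via_vpn_gateway: bool = False
    personal_policy: str = "Personal"   # the Flex user's own policy (assumed name)


def is_connected(state: EndpointState, office_awareness: bool) -> bool:
    """Without Office Awareness, losing contact with the server counts as
    'disconnected' even while the endpoint sits on the corporate network."""
    if office_awareness:
        return state.on_corporate_network
    return state.server_reachable


def select_enforced_policy(pkg: PolicyPackage, state: EndpointState,
                           office_awareness: bool = True) -> str:
    """Return the name of the policy the client would enforce in this state."""
    # A VPN policy applies whenever the user comes in through a gateway,
    # regardless of the other assignments.
    if state.via_vpn_gateway and pkg.vpn is not None:
        return pkg.vpn
    if is_connected(state, office_awareness):
        return pkg.connected
    if pkg.disconnected is not None:
        return pkg.disconnected
    # No disconnected policy: Flex falls back to the personal policy,
    # Agent keeps enforcing the connected policy.
    if state.client is ClientType.FLEX:
        return state.personal_policy
    return pkg.connected


# Arbitration of one personal rule against the enterprise rule for the same
# item: the more restrictive setting wins. This ordering is an assumption.
RESTRICTIVENESS = {"allow": 0, "ask": 1, "block": 2}


def arbitrate_rule(enterprise_setting: str, personal_setting: str) -> str:
    return max((enterprise_setting, personal_setting), key=RESTRICTIVENESS.__getitem__)


if __name__ == "__main__":
    pkg = PolicyPackage(connected="Strict-Connected",
                        disconnected="Basic-Disconnected", vpn="VPN-Only")
    # Constructed state: Agent on the LAN, but the server is down and
    # Office Awareness is off, so the disconnected policy kicks in.
    lan_server_down = EndpointState(ClientType.AGENT, on_corporate_network=True,
                                    server_reachable=False)
    print(select_enforced_policy(pkg, lan_server_down, office_awareness=False))
```

The `office_awareness=False` branch is the case the guide warns about: a disconnected policy that is stricter than the connected one will be applied to every endpoint on the LAN the moment the server becomes unreachable, which is why Office Awareness is called essential in that configuration.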
Policy Assignment
For Endpoint Security to apply your security policy to an endpoint computer, you must
indicate which users it applies to. This is called ‘policy assignment.’ Policy assignment
determines which policy is enforced for a given user under what circumstances. Use
policy assignment to give different policies to your users according to your
organization’s needs. Generally, it is recommended that you assign policies according
to a user’s domain or entity, rather than individual users. If a user is not a member of a
domain or catalog and is also not assigned a policy as an individual, he or she receives
the default policy.
In some cases, you may want to have the disconnected policies be more
restrictive than the connected policies. This is useful if you want to prohibit
recreational use of computers outside of work. If you have restrictive
disconnected policies, it is essential that you configure Office Awareness.
Domains
One way of assigning policies is to assign them to domains. If you have the Multiple
Domain version of Endpoint Security, you can divide your organization into functional
units known as domains. This is particularly useful for companies such as Internet
Service Providers, who want to have a domain for each customer. Domains can have
their own administrators and can be assigned a policy or policy package. That policy
then applies to all the members of the domain unless it is overridden by a more specific policy, such as one assigned to a catalog, gateway, or user.
In Single Domain mode, which is what you will use in this pilot, there is only one
domain.
Catalogs
Domains (and organizations using the Single Domain version of Endpoint Security) can
be divided into catalogs. A catalog is either a user catalog (such as the RADIUS
catalog referred to below) or an IP range. Users can be grouped according to their
function in the company, their department, their rank, their location, etc. Catalogs
can be assigned a security policy. This policy applies to all the members of the
catalog, unless overridden by a user-specific policy.
Gateways
Users can be grouped according to the VPN gateway they use. This lets you assign those
users a different policy, which applies only while they are connected to your network
through that VPN gateway.
Users
You can also assign policies directly to specific users. As this is not scalable, it is
recommended that you use this only to make a temporary exception to your usual
policy assignment practices.
Assignment Priority
You can assign policies directly to a particular user or to an entire entity or domain.
The assignment priority you select determines which policy assignment takes priority
when a user belongs to more than one entity.
For example, a user may be assigned one policy because he connected via a particular
VPN gateway, but he may also be assigned another policy because he belongs to a
RADIUS catalog. The assignment priority tells Endpoint Security which of these policies
to enforce in such situations.
Note that Endpoint Security Domains are not equivalent to NT Domains or network
domains.
Policy Inheritance
Users inherit policies through the hierarchy of domains and entities and according to
the security model you choose. The diagram, “Policy Inheritance,” on page 22, shows
an example of policy assignment and inheritance. Policies are assigned as follows:
• User 1 receives Policy A, which it inherits from Domain 1.
• User 2 receives either Policy A from Domain 1 or Policy B from the Custom
catalog, depending on the assignment priority.
• User 3 is assigned Policy C directly, which overrides any other policy assignment.
• User 4 receives Policy D, which it inherits from the Radius catalog it belongs to.
• User 5 receives the Default Policy from the System Domain because policies
assigned to or inherited by a gateway always have priority.
• User 6 receives the Default Policy, which it inherits from the System domain.
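The resolution order described above, written out as a small model so the six cases in the figure can be checked mechanically. This is an added example, not Check Point code: the entity names, the `priority` list (any ordering of "gateway", "catalog" and "domain") and the rule that a directly assigned policy always wins are assumptions made to illustrate the text, not product configuration keys.

```python
"""Hypothetical model of Endpoint Security policy assignment and inheritance.

Added example, not Check Point code: entity names, the `priority` list and the
resolution order are assumptions chosen to illustrate the guide's text."""
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_POLICY = "Default Policy"     # what the System domain hands down


@dataclass
class User:
    name: str
    domain: Optional[str] = None                      # Endpoint Security domain, not an NT domain
    catalogs: List[str] = field(default_factory=list) # e.g. a RADIUS or custom catalog
    gateway: Optional[str] = None                     # set only while connected through that VPN gateway
    direct_policy: Optional[str] = None               # policy assigned to this user individually


def resolve_policy(user, domain_policies, catalog_policies, gateway_policies, priority):
    """Return (policy, source) for `user`.

    Assumed precedence: a policy assigned directly to the user overrides everything.
    Otherwise the entities are tried in the order given by `priority`. A gateway the
    user is connected through counts even when it has no policy of its own, because
    it inherits the System domain's Default Policy. If nothing applies, the Default
    Policy is used."""
    if user.direct_policy is not None:
        return user.direct_policy, "user"
    for source in priority:
        if source == "gateway" and user.gateway is not None:
            return gateway_policies.get(user.gateway, DEFAULT_POLICY), f"gateway:{user.gateway}"
        if source == "catalog":
            for catalog in user.catalogs:
                if catalog in catalog_policies:
                    return catalog_policies[catalog], f"catalog:{catalog}"
        if source == "domain" and user.domain in domain_policies:
            return domain_policies[user.domain], f"domain:{user.domain}"
    return DEFAULT_POLICY, "system-domain"


# Constructed assignments mirroring the six users of the "Policy Inheritance" figure.
DOMAIN_POLICIES = {"Domain 1": "Policy A"}
CATALOG_POLICIES = {"Custom": "Policy B", "Radius": "Policy D"}
GATEWAY_POLICIES = {}                 # the gateway has no policy of its own
FIGURE_USERS = [
    User("User 1", domain="Domain 1"),
    User("User 2", domain="Domain 1", catalogs=["Custom"]),
    User("User 3", domain="Domain 1", direct_policy="Policy C"),
    User("User 4", domain="Domain 2", catalogs=["Radius"]),
    User("User 5", domain="Domain 1", gateway="VPN-GW"),
    User("User 6", domain="Domain 2"),
]


def figure_example(priority=("gateway", "catalog", "domain")):
    """Resolve every figure user under one assignment priority."""
    return {u.name: resolve_policy(u, DOMAIN_POLICIES, CATALOG_POLICIES,
                                   GATEWAY_POLICIES, priority)
            for u in FIGURE_USERS}


if __name__ == "__main__":
    for name, (policy, source) in figure_example().items():
        print(f"{name}: {policy} (from {source})")
```

Running it with the default priority reproduces the figure; swapping the priority to ("domain", "catalog", "gateway") shows why User 2's and User 5's outcomes depend on that setting while User 3's does not.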
Firewall Rules, Zone Rules, and Program Control
Endpoint Security uses three major features to provide security: Firewall Rules, Zone
Rules, and Program Control. This section provides an overview of these features. It is
important to note that while some aspects of these features may seem similar, they
provide security in three different ways.
Firewall Rules control traffic using packet data. Zone Rules allow or deny traffic based
on security locations you define. Program Control protects your network by controlling
program access.
Figure 2-2: Policy Inheritance
Firewall Rules
Firewall Rules work like the rules of a standard perimeter firewall: they restrict or
allow network activity based on connection information, such as IP addresses, ports,
and protocols, regardless of which program sends or receives the packet.
You can also specify Firewall Rules within Program Rules to restrict access to and from
programs or, within Enforcement Rules, to restrict a non-compliant user to a particular
area of your network.
Firewall Rules block or allow network traffic based on the attributes of communication
packets. You can use Firewall Rules to block or allow traffic based on the following
three attributes:
• Source and/or destination locations
• Protocol and/or port
• Time
Zones
In addition to Firewall Rules, you can also control network traffic through the use of
Access Zones and Zone Rules. Access Zones are groups of locations to which you
assign the same network permissions.
Figure 2-3: Features and how they control network traffic
Locations
Zones are made up of locations. Locations refer to network locations that you define.
Locations can be defined by specifying any of the following:
• Host
• Site
• IP address
• IP range
• IP subnet and mask
You should create locations in Endpoint Security for areas you want to:
• Allow access to or from
• Restrict access to or from
You can use locations as sources and destinations for creating Access Zones and
Firewall Rules. You can either define locations as you need to use them in your
policies, or you can define them before you create your policies. Once you have defined
a location you can use it in any policy.
Access Zones
Access Zones are groups of locations. Access Zones make it easy to apply the same
rule to a group of locations. There are three types of Access Zones: Trusted, Blocked,
and Internet.
Trusted
Your Trusted Zone should only include those locations you believe are safe and to
which you want to provide more permissive network access. Usually the Trusted Zone
contains your DNS server, mail server, domain controller, file sharing servers, print
servers, your VPN gateway range, etc. Keep it as small as you can: everything in it is
reachable under the permissive rules you set for the Trusted Zone.
Figure 2-4: Locations, Zones, and Zone Rules
Blocked
Your Blocked Zone should include those locations that you want to restrict access to or
from. For example, you may wish to block access from certain external sites or even
sites within your organization, such as sensitive human resources servers for
employees outside human resources.
Internet
The Internet Zone consists of all the areas on both your internal network and on the
Internet that you have not explicitly added to the Trusted or Blocked Zones. You do not
need to define the contents of this Zone.
Security Rules
Security Rules (the Zone Rules referred to elsewhere in this guide) control network
activity to and from your Zones. Generally, you will want to set permissive rules for
your Trusted Zone and moderate rules for your Internet Zone. Security Rules allow you
to set rules for an entire Zone of locations, instead of having to set rules for each
location individually.
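The Locations, Access Zones, Zone Rules and Firewall Rules sections above describe the same policy model from four angles; the following added example (not Check Point code) puts them together so the interplay can be exercised on constructed packets. The class names, the rule fields, the choice that a location placed in both Trusted and Blocked counts as Blocked, and the evaluation order (Firewall Rules first-match, then the Zone Rule for the destination's zone) are assumptions; the addresses are documentation ranges, not a real site.

```python
"""Hypothetical model of Locations, Access Zones, Zone Rules and Firewall Rules.
Added example, not Check Point code; class names, rule fields and evaluation
order are assumptions chosen to illustrate the guide's text."""
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Location:
    """A named network location held as an inclusive address range. Host and Site
    locations (names resolved by the client) are modelled by the addresses the
    caller resolves them to."""
    name: str
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    @classmethod
    def ip(cls, name, addr):
        a = ipaddress.IPv4Address(addr)
        return cls(name, a, a)

    @classmethod
    def ip_range(cls, name, first, last):
        return cls(name, ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))

    @classmethod
    def subnet(cls, name, cidr):
        net = ipaddress.IPv4Network(cidr, strict=False)
        return cls(name, net.network_address, net.broadcast_address)

    def contains(self, addr):
        return self.first <= ipaddress.IPv4Address(addr) <= self.last


class AccessZones:
    """Trusted and Blocked are lists of Locations; Internet is everything else."""
    def __init__(self, trusted, blocked):
        self.trusted, self.blocked = trusted, blocked

    def zone_of(self, addr):
        # Assumption: a location placed in both zones counts as Blocked (fail closed).
        if any(loc.contains(addr) for loc in self.blocked):
            return "Blocked"
        if any(loc.contains(addr) for loc in self.trusted):
            return "Trusted"
        return "Internet"        # never has to be defined explicitly


@dataclass(frozen=True)
class FirewallRule:
    """Matches on packet attributes only, whatever program sent the packet."""
    action: str                      # "allow" or "block"
    src: Optional[Location] = None   # None means any
    dst: Optional[Location] = None
    proto: Optional[str] = None      # "tcp", "udp", "icmp"; None means any
    port: Optional[int] = None       # destination port; None means any
    start: Optional[time] = None     # inclusive same-day time window
    end: Optional[time] = None

    def matches(self, pkt):
        if self.src is not None and not self.src.contains(pkt["src"]):
            return False
        if self.dst is not None and not self.dst.contains(pkt["dst"]):
            return False
        if self.proto is not None and self.proto != pkt["proto"]:
            return False
        if self.port is not None and self.port != pkt["port"]:
            return False
        if self.start is not None and self.end is not None:
            if not (self.start <= pkt["time"] <= self.end):
                return False
        return True


def decide(pkt, firewall_rules, zones, zone_rules):
    """Firewall Rules first (first match wins); otherwise the Zone Rule of the
    destination's zone: either "allow"/"block" or a set of allowed (proto, port)."""
    for rule in firewall_rules:
        if rule.matches(pkt):
            return rule.action, f"firewall:{rule.action}"
    zone = zones.zone_of(pkt["dst"])
    zone_rule = zone_rules[zone]
    if isinstance(zone_rule, str):
        return zone_rule, f"zone:{zone}"
    allowed = (pkt["proto"], pkt["port"]) in zone_rule
    return ("allow" if allowed else "block"), f"zone:{zone}"


# Constructed policy: the HR server sits inside the corporate LAN but is Blocked.
CORP_LAN = Location.subnet("corporate LAN", "10.0.0.0/16")
VPN_POOL = Location.ip_range("VPN gateway range", "10.8.0.1", "10.8.0.254")
HR_SERVER = Location.ip("HR server", "10.0.9.9")
VENDOR = Location.ip("vendor jump host", "198.51.100.10")
ZONES = AccessZones(trusted=[CORP_LAN, VPN_POOL], blocked=[HR_SERVER])
ZONE_RULES = {"Trusted": "allow", "Blocked": "block",
              "Internet": {("tcp", 80), ("tcp", 443), ("udp", 53)}}   # moderate
FIREWALL_RULES = [
    FirewallRule("allow", dst=VENDOR, proto="tcp", port=22, start=time(9), end=time(17)),
    FirewallRule("block", proto="tcp", port=22),   # SSH anywhere else, at any time
]


def check(src, dst, proto, port, at):
    pkt = {"src": src, "dst": dst, "proto": proto, "port": port, "time": at}
    return decide(pkt, FIREWALL_RULES, ZONES, ZONE_RULES)
```

Note that the Firewall Rule blocking SSH fires even for a destination in the Trusted Zone, which is the behaviour the text describes: Firewall Rules look only at packet attributes, Zone Rules only at where the destination sits.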
Program Control
Program rules restrict network access on a per-program basis. Whereas classic Firewall
Rules restrict access according to packet attributes, and Zone Rules according to
location, Program Control allows you to restrict network access between a particular
program and either your Trusted or Internet Zone. You can also further refine program
access by adding firewall rules to your program rules.
When planning your program control, consider both your security goals and your
endpoint users’ needs. By configuring program control to block all programs except
those you explicitly allow, you achieve a high level of security, at the expense of
endpoint user productivity. By configuring program control to allow all programs except
those you explicitly forbid, you achieve a lower level of security, but cause less
disruption to your endpoint users.
Program Observation
Program Observation allows you to record which programs are used by your endpoint
computers. Once programs are observed, you can choose how to control them. It is
highly recommended that you use Program Observation in your initial policies to gather
program information.
Program Permissions
Use program permissions to control whether a program can act as a server or a client to
your Trusted and Internet Zones.
Program Advisor
Program Advisor is a service provided by Check Point that gives program permission
recommendations for programs. Use Program Advisor to get professional
recommendations from Check Point security professionals about which permissions to
assign to common programs. This reduces your workload while improving security and
usability.
Enforcement
Enforcement controls which computers may access your network. You may wish to
restrict the access of endpoint computers that do not meet your anti-virus
requirements or that are running prohibited software.
Enforcement Rules
Use Enforcement Rules to require or prohibit software. If a user does not comply with
your Enforcement Rules, you can warn them that they are not compliant before
allowing them into your network or restrict them to a particular area on your network.
Restriction Firewall Rules
Restriction Firewall Rules control what parts of your network a user can access when
they are out of compliance with Enforcement Rules that are set to restrict. You may
wish to allow your users limited access when they are not compliant.
Cooperative Enforcement
If you are using a supported gateway device, you can use the Cooperative Enforcement
feature to restrict or disconnect noncompliant users at the gateway level.
Remediation Resources
To help your users become compliant with your enforcement rules, you should provide
them with remediation resources. These include instructions and links to download
sites that will help them to comply. Remediation resources are particularly important
when you create enforcement rules that restrict a user.
Note that Program Control determines what a program on an endpoint computer can
do. Enforcement Rules determine what software an endpoint computer must and
must not have when connecting to your network.
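The note above draws the line between Program Control and Enforcement; the following added example (not Check Point code) models both side by side so the difference is concrete: the first half answers "may this program talk to this zone as a client or server?", the second answers "is this endpoint allowed onto the network at all, and if not, what can it still reach?". Every class, field and rule name is an assumption, and the inventories and remediation host are constructed.

```python
"""Hypothetical model contrasting Program Control (what a program on the endpoint
may do on the network) with Enforcement Rules (what software the endpoint must
or must not have). Added example, not Check Point code; all names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


# ---- Program Control: permissions of programs already on the endpoint ----------

@dataclass(frozen=True)
class ProgramPermission:
    """client = may open connections into the zone; server = may accept from it."""
    trusted_client: bool = False
    trusted_server: bool = False
    internet_client: bool = False
    internet_server: bool = False


@dataclass
class ProgramControl:
    default_allow: bool            # False: block everything not explicitly allowed
    permissions: Dict[str, ProgramPermission] = field(default_factory=dict)
    observed: Set[str] = field(default_factory=set)   # Program Observation record

    def decide(self, program, zone, role):
        """zone is "Trusted" or "Internet"; role is "client" or "server".
        Identify programs by file hash in a real deployment; a name is trivially spoofed."""
        self.observed.add(program)             # observation sees every program, allowed or not
        perm = self.permissions.get(program)
        if perm is None:
            return "allow" if self.default_allow else "block"
        return "allow" if getattr(perm, f"{zone.lower()}_{role}") else "block"


# ---- Enforcement: software that must or must not be present ---------------------

@dataclass(frozen=True)
class EnforcementRule:
    name: str
    software: str
    required: bool        # True: must be installed; False: prohibited
    action: str           # "warn" or "restrict" when the rule is not met


REMEDIATION_HOSTS = {"av-update.example.net"}   # constructed remediation resource


def check_enforcement(installed, rules):
    """Return (outcome, failed rule names, destinations the endpoint may reach).
    Assumption: one failing "restrict" rule confines the endpoint to the remediation
    resources (the Restriction Firewall Rules); otherwise failures only warn."""
    failed = [r for r in rules if (r.software in installed) != r.required]
    if not failed:
        return "compliant", [], "all"
    names = [r.name for r in failed]
    if any(r.action == "restrict" for r in failed):
        return "restrict", names, REMEDIATION_HOSTS
    return "warn", names, "all"


# Constructed policy (block-by-default program control) and enforcement rules.
PROGRAM_CONTROL = ProgramControl(default_allow=False, permissions={
    "outlook.exe": ProgramPermission(trusted_client=True, internet_client=True),
    "printsvc.exe": ProgramPermission(trusted_server=True),
})
ENFORCEMENT_RULES = [
    EnforcementRule("antivirus-present", "AntiVirusX", required=True, action="restrict"),
    EnforcementRule("no-p2p", "P2PShare", required=False, action="warn"),
]


if __name__ == "__main__":
    print(PROGRAM_CONTROL.decide("outlook.exe", "Internet", "client"))
    print(check_enforcement({"P2PShare"}, ENFORCEMENT_RULES))
```

Running the two checks on the same endpoint makes the distinction visible: an endpoint missing AntiVirusX is restricted to the remediation host no matter how its programs are permitted, while a compliant endpoint still has every unknown program blocked under block-by-default Program Control.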