Monday, July 12, 2010

Symantec Endpoint Protection and Checkpoint R70

ISSUE:  There was a Windows 2003 server running Symantec Antivirus (SAV) and the Checkpoint R70 suite, working just fine.  When the customer upgraded from SAV to Symantec Endpoint Protection (SEP), it broke Checkpoint SmartView Tracker.

SOLUTION:  Install Symantec Endpoint Protection (Antivirus only, no Firewall), then create exclusions for the Checkpoint applications.  Steps:
  • Open Symantec Endpoint Protection.
  • Click 'Change Settings', Next to Antivirus and Antispyware Protection click 'Configure Settings'.
  • Click the 'File System Auto-Protect' tab, then click 'Centralized Exceptions' at the bottom of that tab.
  • Click Add, Security Risk Exception -> Folder, navigate to 'C:\WINDOWS\FW1\' and click Add.
  • Click Add, TruScan Proactive Threat Scan Exception, navigate to 'C:\WINDOWS\FW1\R70\fw1\bin' and create an exception for both fwd.exe and fwm.exe.
  • Then Reboot - fwm.exe should trigger fwd.exe and all is well.

NOTES:  We used tcpview (from Sysinternals) to monitor which .exe files were listening on which ports.  After the install and reboot, FWM.EXE would start but FWD.EXE would not.  When we tried to start fwd.exe by hand we saw the following messages in fwd.elg (C:\WINDOWS\FW1\R70\fw1\log\fwd.elg):

cplog_log_server_init: failed to init: Unknown Winsock error (10013)
Cannot establish fwd service on port 256.: Address already in use
  • Winsock error 10013 is WSAEACCES (permission denied); a genuine port clash would report WSAEADDRINUSE (10048).  The 'Address already in use' text is therefore misleading: the bind was refused rather than the port being taken, which is consistent with SEP interfering with fwd.exe.  Before adding the exclusions, confirm with tcpview (or netstat -ano) that nothing else is actually listening on TCP/256 or TCP/257.
  • fwd.exe listens on TCP/256 & TCP/257 for receiving logs from the Gateways.
  • If fwd.exe is active and listening on those ports but SmartView Tracker isn't showing any new logs, push policy and logging will resume.
  • Don't forget to use remote file management to download your logs from the gateways (they log locally while they can't reach the log server).
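The tcpview check from the notes above, as a script.  This is an added example, not code from the original post, from Check Point or from Symantec: it parses `netstat -ano` and `tasklist /fo csv /nh` output, reports which process (if any) holds TCP/256 and TCP/257, whether fwm.exe and fwd.exe are running, and decodes the Winsock code found in fwd.elg.  The fwd.elg path is the one from the post; the sample command output embedded below is constructed, and the command names and CSV layout are assumptions about the Windows host.

```python
"""Script the tcpview check from the notes above (added example, not from
the original post, Check Point or Symantec).  From `netstat -ano`,
`tasklist /fo csv /nh` and fwd.elg it reports who holds the Check Point
ports, whether fwd.exe/fwm.exe are up and what the Winsock code means.
The fwd.elg path is the post's; everything else here is an assumption."""
import csv
import os
import re
import subprocess

FWD_ELG = r"C:\WINDOWS\FW1\R70\fw1\log\fwd.elg"   # path from the post
CHECKPOINT_PORTS = {256: "FW1", 257: "FW1_log"}    # ports fwd.exe should own
WINSOCK_ERRORS = {
    10013: "WSAEACCES: permission denied, bind refused",
    10048: "WSAEADDRINUSE: address already in use",
}

# Constructed sample output for offline use; a live run shells out instead.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:18190          0.0.0.0:0              LISTENING       1700
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
"""
SAMPLE_TASKLIST = """\
"System","4","Console","0","236 K"
"svchost.exe","892","Console","0","5,204 K"
"fwm.exe","1700","Console","0","40,112 K"
"Smc.exe","1800","Console","0","18,640 K"
"""
SAMPLE_ELG = """\
cplog_log_server_init: failed to init: Unknown Winsock error (10013)
Cannot establish fwd service on port 256.: Address already in use
"""
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
ELG_RE = re.compile(r"Winsock error \((\d+)\)")

def parse_netstat(text):
    """Map each listening TCP port to the PID that owns it."""
    listeners = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            listeners[int(m.group(1))] = int(m.group(2))
    return listeners

def parse_tasklist(text):
    """Map PID to image name from header-less CSV tasklist output."""
    procs = {}
    for row in csv.reader(text.splitlines()):
        if len(row) >= 2 and row[1].isdigit():
            procs[int(row[1])] = row[0]
    return procs

def check_ports(listeners, procs):
    """Per Check Point port: owning image name, 'pid N', or None if unbound."""
    owners = {}
    for port in CHECKPOINT_PORTS:
        pid = listeners.get(port)
        owners[port] = None if pid is None else procs.get(pid, "pid %d" % pid)
    return owners

def check_daemons(procs):
    """Whether fwm.exe and fwd.exe appear in the process list."""
    names = {name.lower() for name in procs.values()}
    return {d: d in names for d in ("fwm.exe", "fwd.exe")}

def explain_elg(text):
    """(code, meaning) for every Winsock error line in fwd.elg."""
    return [(int(m.group(1)), WINSOCK_ERRORS.get(int(m.group(1)), "unknown"))
            for m in ELG_RE.finditer(text)]

def diagnose(listeners, procs, elg_text):
    """Combine the checks into human-readable findings."""
    findings, clash = [], False
    for port, owner in sorted(check_ports(listeners, procs).items()):
        if owner is None:
            findings.append("TCP/%d is not bound: fwd.exe is not listening" % port)
        elif owner.lower() != "fwd.exe":
            clash = True
            findings.append("TCP/%d is held by %s, not fwd.exe: real port conflict" % (port, owner))
        else:
            findings.append("TCP/%d is bound by fwd.exe as expected" % port)
    daemons = check_daemons(procs)
    if daemons["fwm.exe"] and not daemons["fwd.exe"]:
        findings.append("fwm.exe is running but fwd.exe is not: matches the post-SEP symptom")
    for code, meaning in explain_elg(elg_text):
        note = "fwd.elg reports Winsock %d (%s)" % (code, meaning)
        if code == 10013 and not clash:
            # Bind refused with nothing else on the port: 'Address already in
            # use' is misleading, so suspect the AV hooks rather than a clash.
            note += "; nothing else holds the port, so suspect SEP and add the exclusions"
        findings.append(note)
    return findings

if __name__ == "__main__":   # live run on the Windows host
    ns = subprocess.check_output(["netstat", "-ano"], universal_newlines=True)
    tl = subprocess.check_output(["tasklist", "/fo", "csv", "/nh"], universal_newlines=True)
    elg = open(FWD_ELG, errors="replace").read() if os.path.exists(FWD_ELG) else ""
    for finding in diagnose(parse_netstat(ns), parse_tasklist(tl), elg):
        print(finding)
```

Run it on the management server after the reboot: if both ports are unbound, fwm.exe is up, fwd.exe is down and fwd.elg shows 10013, the picture matches the post and the SEP exclusions are the fix; if another image name holds TCP/256 or TCP/257, you have a real port conflict to resolve first.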