Endpoint devices communicate with NGFW via port 4045 using the HTTPS protocol.
An endpoint device is registered after establishing a VPN connection to NGFW. At the first connection, the endpoint device checks the validity of the SSL connection certificate specified in NGFW, remembers this certificate, and uses it for subsequent verification.
After the registration, each new endpoint device is assigned a unique ID that is stored in the NGFW's database. The activity timeout for endpoint devices is 2 minutes, meaning that if NGFW receives no data from a device for 2 minutes, the device is considered inactive. After three inactivity periods have elapsed, the entry for the endpoint device is deleted from the database, and the device is registered again the next time it connects. If the endpoint device reconnects before this time elapses, its existing entry is updated instead.
After connecting to a different VPN server, the endpoint device will be registered on the new NGFW.
HIP Checking by NGFW
Compliance checking is carried out as follows:
The endpoint device sends the following data to the NGFW:
- the user information;
- the system data (version, edition, NetBIOS name);
- the list of running processes;
- the list of running services;
- the list of installed software (name, vendor, version);
- the registry keys used in HIP objects;
- the list of system updates;
- the startup items;
- the information about system security (antimalware, firewall, BitLocker, etc.);
- the information about system restore points.
The data received from the endpoint device is decrypted and forwarded for subsequent comparison with HIP profiles. The result is passed along for use in firewall rules. If the endpoint device matches all conditions of a firewall rule, that rule becomes active for the device.
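The comparison step above, as an added example that is not NGFW code: a constructed endpoint report is evaluated against assumed HIP profiles (each a list of conditions that must all hold), and a firewall rule becomes active only when the device matches every profile the rule references. The condition types, profile names and rule names are illustrative assumptions.

```python
# Constructed endpoint report, modelled on the fields the text lists above.
ENDPOINT_REPORT = {
    "system": {"version": "10.0.19045", "edition": "Pro", "netbios": "WS-ALICE"},
    "processes": ["explorer.exe", "MsMpEng.exe"],
    "services": ["WinDefend", "MpsSvc"],
    "software": [{"name": "Example AV", "vendor": "ExampleCorp", "version": "4.2.1"}],
    "registry": {r"HKLM\SOFTWARE\Policies\Example\Hardened": "1"},
    "security": {"antimalware": True, "firewall": True, "bitlocker": False},
}
# Assumed HIP profile format: a profile matches only if every condition holds.
HIP_PROFILES = {
    "av-and-firewall": [{"type": "service_running", "name": "WinDefend"},
                        {"type": "security_flag", "name": "antimalware"},
                        {"type": "security_flag", "name": "firewall"}],
    "disk-encrypted": [{"type": "security_flag", "name": "bitlocker"}],
    "hardened-policy": [{"type": "registry_value", "value": "1",
                         "key": r"HKLM\SOFTWARE\Policies\Example\Hardened"},
                        {"type": "software_min_version", "name": "Example AV", "version": "4.0"}],
}
# A rule becomes active for the device only if the device matches all listed profiles.
FIREWALL_RULES = [
    {"name": "allow-intranet", "hip_profiles": ["av-and-firewall"]},
    {"name": "allow-finance-share", "hip_profiles": ["av-and-firewall", "disk-encrypted"]},
    {"name": "allow-admin-tools", "hip_profiles": ["hardened-policy"]},
]

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def check_condition(report, cond):
    # Missing report data or an unknown condition type fails closed (False).
    kind = cond["type"]
    if kind == "service_running":
        return cond["name"] in report.get("services", [])
    if kind == "software_min_version":
        return any(sw["name"] == cond["name"] and version_tuple(sw["version"])
                   >= version_tuple(cond["version"]) for sw in report.get("software", []))
    if kind == "registry_value":
        return report.get("registry", {}).get(cond["key"]) == cond["value"]
    if kind == "security_flag":
        return report.get("security", {}).get(cond["name"]) is True
    return False

def profile_matches(report, conditions):
    return all(check_condition(report, c) for c in conditions)

def active_rules(report, profiles=HIP_PROFILES, rules=FIREWALL_RULES):
    matched = {name for name, conds in profiles.items() if profile_matches(report, conds)}
    return [r["name"] for r in rules if set(r["hip_profiles"]) <= matched]
```

With the sample report, BitLocker is off, so `disk-encrypted` fails and `allow-finance-share` stays inactive while the other two rules become active.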