Checking client/server synchronisation
To check that a client is correctly synchronized with the Check Point Endpoint Management servers, compare the PAT (Policy Assignment Table) versions on the client PC and on the Management Server.
- The PAT version on the server should always be higher than on the clients.
To check the PAT version on the management server run the following command:
uepm patver get
On the client, check the following registry key:
32bit OS
HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Device Agent\PATVersion
64bit OS
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\Endpoint Security\Device Agent\PATVersion
Using the command line you can use reg query to show this value:
32bit OS:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Device Agent" /v PATVersion
64bit OS
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\Endpoint Security\Device Agent" /v PATVersion
If the PAT version on the server is lower than the PAT version on the client, the client will not download policy updates and will enter a disconnected state.
In that case, the PAT version on the Management Server should be increased.
The following formula should be used to calculate the new PAT version:
"new_PAT_version" = "client_PAT_version" + 100
Change the PAT version on the Endpoint Server:
- Log on to the CLI as either Administrator or Expert.
- Change the PAT version via the following command:
  uepm patver set <Value_of_new_PAT_version>
  e.g. uepm patver set 150000
- Check the PAT version via the uepm patver get command and make sure the new PAT version was set.
- Restart the Check Point services via the following command:
  cpstop;cpstart
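The client-side check and the formula above can be scripted on a Windows client. The PowerShell below is an added example, not Check Point tooling: the parameter ServerPatVersion and the function Get-ClientPatVersion are names chosen here, the server value is typed in by hand from the output of uepm patver get, and the script assumes PATVersion holds a plain number.

```powershell
# Added example: compare this client's PATVersion with the server's value and
# print the value to set on the server when the server is behind the client.
param(
    # Value reported by "uepm patver get" on the management server (entered by hand).
    [Parameter(Mandatory = $true)]
    [long]$ServerPatVersion
)

# Registry locations given above: native key (32-bit OS) and Wow6432Node (64-bit OS).
$candidatePaths = @(
    'HKLM:\SOFTWARE\CheckPoint\Endpoint Security\Device Agent',
    'HKLM:\SOFTWARE\Wow6432Node\CheckPoint\Endpoint Security\Device Agent'
)

function Get-ClientPatVersion {
    foreach ($path in $candidatePaths) {
        # Returns $null when the key or the value does not exist at this path.
        $item = Get-ItemProperty -Path $path -Name 'PATVersion' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            # Assumption: the value is numeric; the cast accepts a DWORD or a numeric string.
            return [long]$item.PATVersion
        }
    }
    throw 'PATVersion was not found under either Device Agent key.'
}

$clientPat = Get-ClientPatVersion
"Client PAT version: $clientPat"
"Server PAT version: $ServerPatVersion"

if ($ServerPatVersion -lt $clientPat) {
    # new_PAT_version = client_PAT_version + 100
    $newPat = $clientPat + 100
    "Server is behind this client. On the server run: uepm patver set $newPat"
    exit 1
}

"Server PAT version is not lower than this client's; no change needed."
exit 0
```

When several clients are ahead of the server, run it on each one and use the highest suggested value, so the server ends up above all of them.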