Checking client/server synchronisation



To check that a client is correctly synchronized with the Check Point Endpoint Management servers, compare the PAT (Policy Assignment Table) versions on the client PC and on the Management Server.

  • The PAT version on the server should always be higher than on the clients.

To check the PAT version on the management server run the following command:

uepm patver get

On the client, check the following registry key:

32bit OS

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Device Agent\PATVersion

64bit OS

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\Endpoint Security\Device Agent\PATVersion

Using the command line you can use reg query to show this value:

32bit OS:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Device Agent" /v PATVersion

64bit OS

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\Endpoint Security\Device Agent" /v PATVersion

If the PAT version on the server is lower than the PAT version on the client, the client will not download policy updates and will enter a disconnected state.

In that case, the PAT version on the Management Server should be increased.




The following formula should be used to calculate the new PAT version:

"new_PAT_version" = "client_PAT_version" + 100


Change the PAT version on the Endpoint Server:

  1. Log on to the CLI as either Administrator or Expert.
  2. Change the PAT version via the following command:

    uepm patver set <Value_of_new_PAT_version>

    e.g. uepm patver set 150000

  3. Check the PAT version via the uepm patver get command and make sure the new PAT version was set.
  4. Restart the Check Point services via the following command:

    cpstop;cpstart
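
The client-side check and the formula above, combined into one PowerShell function. This is an added example, not part of the original page and not Check Point tooling. The function name Get-PatSyncStatus and the parameter ServerPatVersion are assumptions; the server value must be taken from the output of uepm patver get.

```powershell
# Added example: Get-PatSyncStatus and -ServerPatVersion are hypothetical names.
function Get-PatSyncStatus {
    param(
        # Value reported by "uepm patver get" on the management server
        [Parameter(Mandatory)][long]$ServerPatVersion
    )

    # Registry locations listed on this page: 32-bit OS, then 64-bit OS (Wow6432Node)
    $keys = @(
        'HKLM:\SOFTWARE\CheckPoint\Endpoint Security\Device Agent',
        'HKLM:\SOFTWARE\Wow6432Node\CheckPoint\Endpoint Security\Device Agent'
    )

    # Read PATVersion from the first key that carries it
    $clientPat = $null
    foreach ($key in $keys) {
        $prop = Get-ItemProperty -Path $key -Name PATVersion -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $clientPat = [long]$prop.PATVersion
            break
        }
    }
    if ($null -eq $clientPat) {
        throw 'PATVersion not found under either Device Agent registry key.'
    }

    # A server PAT lower than the client PAT is the disconnected-state condition
    $serverLower = $ServerPatVersion -lt $clientPat

    # new_PAT_version = client_PAT_version + 100, only needed when the server is lower
    $suggested = $null
    if ($serverLower) { $suggested = $clientPat + 100 }

    [pscustomobject]@{
        ClientPatVersion          = $clientPat
        ServerPatVersion          = $ServerPatVersion
        ServerLowerThanClient     = $serverLower
        SuggestedServerPatVersion = $suggested
    }
}

# Run on the client, passing the server value (150000 is the page's sample value):
# Get-PatSyncStatus -ServerPatVersion 150000
```

When SuggestedServerPatVersion is populated, that is the value to pass to uepm patver set on the Endpoint Server.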