https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Configuration-Verification/m-p/227191#M3164 <P>Hello<BR />Tell me how to correctly add the item about checking whether the device is in the domain or not to the Secure Configuration Verification file?<BR />I have it now and when I start the VPN it skips any device (below are two screenshots),&nbsp;the first is the parameters for checking whether the device is in the domain, the second is the parameters for checking and global parameters.<BR />I do all the settings through the terminal on the gateway, in the vi editor, so that nothing goes.<BR />And tell me, can there be only one policy file?<BR />If so, is it possible that several criteria for verification are set in one file?<BR />What's the point, in my organization there are several options for connecting to a VPN, from corporate devices and from personal devices to a VPN, so the result should be the following:<BR />1. The vpn-users, vtn-term, vpn-route, vpn-constructors group should be checked.<BR />2. If the user has a vpn-users group, then the domain computer is checked or not, if the domain computer is allowed, if the computer is not a domain computer, we do not let it.<BR />3.If the user has a vpn-term group, vpn-routes, vpn-constractors, then the domain comp is checked or not, if the domain comp is not allowed, if the computer is not domainy, we check the Windows, antivirus and the relevance of the antivirus database. If there is at least one discrepancy, we do not let him in.<BR />All groups and users are domain-specific.</P> Thu, 19 Sep 2024 11:20:59 GMT RAlexander 2024-09-19T11:20:59Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Configuration-Verification/m-p/227191#M3164 <P>Hello<BR />Tell me how to correctly add the item about checking whether the device is in the domain or not to the Secure Configuration Verification file?<BR />I have it now and when I start the VPN it skips any device (below are two screenshots),&nbsp;the first is the parameters for checking whether the device is in the domain, the second is the parameters for checking and global parameters.<BR />I do all the settings through the terminal on the gateway, in the vi editor, so that nothing goes.<BR />And tell me, can there be only one policy file?<BR />If so, is it possible that several criteria for verification are set in one file?<BR />What's the point, in my organization there are several options for connecting to a VPN, from corporate devices and from personal devices to a VPN, so the result should be the following:<BR />1. The vpn-users, vtn-term, vpn-route, vpn-constructors group should be checked.<BR />2. If the user has a vpn-users group, then the domain computer is checked or not, if the domain computer is allowed, if the computer is not a domain computer, we do not let it.<BR />3.If the user has a vpn-term group, vpn-routes, vpn-constractors, then the domain comp is checked or not, if the domain comp is not allowed, if the computer is not domainy, we check the Windows, antivirus and the relevance of the antivirus database. If there is at least one discrepancy, we do not let him in.<BR />All groups and users are domain-specific.</P> Thu, 19 Sep 2024 11:20:59 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Configuration-Verification/m-p/227191#M3164 RAlexander 2024-09-19T11:20:59Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Configuration-Verification/m-p/227263#M3165 <P>Did you install policy after making changes as described here?&nbsp;<A href="https://support.checkpoint.com/results/sk/sk38702" target="_blank">https://support.checkpoint.com/results/sk/sk38702</A><BR />SCV policy applies to all users equally, I believe.<BR />Don't believe you can make specific policies for specific groups of users.<BR />For more granular options, I suspect you'll have to use Endpoint Compliance features.</P> Thu, 19 Sep 2024 16:14:34 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Configuration-Verification/m-p/227263#M3165 PhoneBoy 2024-09-19T16:14:34Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Configuration-Verification/m-p/227381#M3166 <P>Thanks for the answer.<BR />Everything worked out,<BR />he was inattentive and ruled the policy on the gateway, not on SMS.<BR />But there is still a question with the implementation of my scenario. Are you saying to use Endpoint Compliance, is this when choosing Endpoint instead of Mobile when installing the agent?<BR /><BR /></P> Fri, 20 Sep 2024 13:48:42 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Configuration-Verification/m-p/227381#M3166 RAlexander 2024-09-20T13:48:42Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Configuration-Verification/m-p/227418#M3167 <P>For the client piece, yes.<BR />To use/manage such features, you need Harmony Endpoint and the appropriate licenses.</P> Fri, 20 Sep 2024 19:32:06 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Configuration-Verification/m-p/227418#M3167 PhoneBoy 2024-09-20T19:32:06Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Configuration-Verification/m-p/227432#M3168 <P>Definitely harmony endpoint, as Phoneboy said. Its way more robust and has bunch of more features.</P> Fri, 20 Sep 2024 22:39:53 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Secure-Configuration-Verification/m-p/227432#M3168 the_rock 2024-09-20T22:39:53Z