topic Re: Block client's connection Upon verification failure not working in SASE and Remote Access

Block client's connection Upon verification failure not working

Gorbiabimanyu — Tue, 09 Nov 2021 01:41:35 GMT

Hi,

I've set to block client's connection Upon verification failure in Global properties. then test to connect a non-compliant to gateway, but the vpn still able to connect.

here are my SCV global parameters :

:SCVGlobalParams (
:enable_status_notifications (false)
:status_notifications_timeout (10)
:disconnect_when_not_verified (false)
:block_connections_on_unverified (false)
:scv_policy_timeout_hours (168)
:enforce_ip_forwarding (false)
:not_verified_script ("")
:not_verified_script_run_show (false)
:not_verified_script_run_admin (false)
:not_verified_script_run_always (false)
:allow_non_scv_clients (false)
:skip_firewall_enforcement_check (false)
)

is value in SCV's global parameters overrides setting on SMS Global properties > Remote Access > Upon Verification failure?

Re: Block client's connection Upon verification failure not working

Alex_Sazonov — Tue, 09 Nov 2021 07:03:22 GMT

Hello @Gorbiabimanyu

Do you have access rule which accept traffic to encryption domain with VPN column = "RemoteAccess"?

As you can see this settings are relevant for Simplified mode FW policy:

Re: Block client's connection Upon verification failure not working

Gorbiabimanyu — Wed, 10 Nov 2021 02:52:32 GMT

thanks, now it worked just fine.

just to be clear, when a client is non-compliant.the VPN will still be connected, but the traffic will be blocked from the rule base?

Re: Block client's connection Upon verification failure not working

PhoneBoy — Wed, 10 Nov 2021 05:46:49 GMT

Not from the rulebase.
You can configure in Global Properties (don't have a screenshot handy) what servers you can connect to when SCV fails.

Re: Block client's connection Upon verification failure not working

Alex_Sazonov — Wed, 10 Nov 2021 10:13:55 GMT

@Gorbiabimanyu

Traffic from such machines will be dropped by FW with the message "Client's configuration is not verified":

If you need to disconnect VPN you will need to set this to "true":

:disconnect_when_not_verified (true)

In this case users will not have access to ANY resources inside of encryption domain.

Exceptions mentioned by @PhoneBoy should be configured in here and will not work if you drop VPN tunnel: