ShemHunter
Participant

Edited local.scv

I wrote a regular script to check the folder for updates (after launching, it checks and outputs to me the file at the endpoint, the date and time of the last update of the folder).

 

I entered the name of this script in the Script Run line, as well as in SCVGlobalParams.

 

However, the end client does not pass the verification, an error appears that it does not comply with the policy.

How do I add a parameter to local.scv so that it runs and checks with this script for the latest update in the folder?

 

That is, when the client connects, a script must be run, which, after execution, outputs information to a file (date + time).

I need to configure local.scv so that it runs the script first, and then accesses the folder and checks its latest update.

 

Or option 2, I need to configure local.scv to check the folder (also, for the date and time of the last update), how do I add a parameter to the file so that it checks the folder, and if everything is fine, it would allow the client to connect, if not, it would disable it, and output an error with the parameter "Update this folder, it has not been updated in the last 2 weeks."

 

I will add my entire local.scv file to the application to show what I did.

 

I would like to know if everything is written correctly or not.

 

An example of my file in attachments.

 

Thanks!

 

9 Replies
the_rock
Legend

I reviewed what you posted and looks right to me. I will download the file and double check later, but glancing at it quickly, looks good.

Andy

0 Kudos
ShemHunter
Participant

Hi @the_rock 
I'm glad that you answered me :)

I can download the script itself, and in it I just specified a random folder where I dropped the information so that this folder was updated. What is the essence of my mission: I can't check my antivirus for database updates, so I want to specify the folder or folders where information about updated databases is uploaded.

Therefore, I need to do this either through a script (which will check the folder with updated information and will upload it to a separate folder and check it using local.scv)

Or just specify a folder that will be updated as information becomes available and I need local.scv to check this folder for updates, if it corresponds, then the client connection would take place, if not, then I would give him a signature, something like "your databases are not updated."

0 Kudos
the_rock
Legend

No problem 🙂

Btw, if you wish to run it as a script, you can simply move it to the fw, run chmod on it, then dos2unix to convert it and then ./filename as a script.

Andy

0 Kudos
ShemHunter
Participant

I didn't quite understand what you were talking about)

I have this script in my local machine where checkpoint mobile is installed and I check it using compliance rules (that is, I edit the local.scv file), in case we misunderstood each other 🙂

Here is my script, it is written for Powershell, I can rewrite it for bat

0 Kudos
the_rock
Legend

Sorry, I was more referring if you had txt file on the fw and wanted to run it as a script.

Andy

0 Kudos
ShemHunter
Participant

Still, I need help.

 

Maybe I need to write some other script so that it checks?

Or is there some setting in the local.scv file that will allow me to check the folder for updates?

0 Kudos
PhoneBoy
Admin

The available SCV checks are here: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...
To do what you're asking for likely requires a script.

You can also debug to see what is happening on the gateway side by following the kernel debug procedure: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityGateway_Guide/Conten...
For Step 8, the command to use is: fw ctl debug -m fw + scv

0 Kudos
ShemHunter
Participant

@PhoneBoy @the_rock 

Hello everyone

I managed to get rid of some errors thanks to the configuration in global parameters.

One mistake remains: Verification script has determined that your configuration does not meet policy requirements.

I added the output to the script: 0 - the folder has been updated, 1 - not updated.

If I run the script without scv, then it gives me 0 and in fact it should be checked and connect me, but it (local.scv) does not do this.

Where to look?

Even if the output was words like "folder updated", my compliance policy still did not let the user through.

Thank you in advance.

0 Kudos
PhoneBoy
Admin

We're looking for the exit code of the script, not the output.
In conditions where the script "fails" (i.e. it's not a user you want to let in), then the script should execute exit 1 (at least in bash, but I assume it's the same/similar in other shells).

0 Kudos
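
The exit-code behaviour described in the last reply, as an added example that is not part of the thread and not Check Point's or the poster's own script: a PowerShell freshness check that reports its verdict only through the exit code (0 = updated within the 2 weeks mentioned in the question, 1 = anything else, including errors). The folder path and function name are hypothetical, and it assumes the script is launched so that its `exit` becomes the process exit code (for example `powershell.exe -File`); how local.scv invokes it is not shown here.

```powershell
# Added example: the verdict is the exit code, the printed text is informational only.
# Folder path and function name are hypothetical; 14 days is the thread's "2 weeks".
param(
    [string]$Folder = 'C:\ProgramData\ExampleAV\Updates',  # hypothetical path
    [int]$MaxAgeDays = 14
)

function Get-NewestWriteTime {
    param([string]$Path)
    # A directory's own LastWriteTime changes only when entries are added,
    # removed or renamed, so inspect the files inside it instead.
    $newest = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction Stop |
        Sort-Object LastWriteTimeUtc -Descending |
        Select-Object -First 1
    if ($null -eq $newest) { return $null }
    return $newest.LastWriteTimeUtc
}

try {
    $stamp = Get-NewestWriteTime -Path $Folder
    if ($null -eq $stamp) {
        Write-Output "No files found in $Folder"
        exit 1   # fail closed: nothing proves an update happened
    }
    $ageDays = ([DateTime]::UtcNow - $stamp).TotalDays
    if ($ageDays -gt $MaxAgeDays) {
        Write-Output ("Stale: last update {0:u}" -f $stamp)
        exit 1   # non-compliant
    }
    Write-Output ("Fresh: last update {0:u}" -f $stamp)
    exit 0       # compliant
}
catch {
    Write-Output "Check failed: $($_.Exception.Message)"
    exit 1       # fail closed on a missing folder or access error
}
```

Running it by hand and then printing `$LASTEXITCODE` shows the value a caller would see, which is a different thing from the text the script writes.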
