cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

SCV Enforcement Per Gateway (Not Global)

Is there any chance for SCV enforcement per gateway and not global?

It's very problematic to have same rules for different gateways.

For example, I've a customer who has multiple security gateways managed by the same management server.

Now he wants to validate the PCs domain membership for one of the gateways but don't want this requirement to exist on another. I cannot find anyway to workaround this with support.

14 Replies
Admin
Admin

Re: SCV Enforcement Per Gateway (Not Global)

In R80.20? Not that I'm aware of.

0 Kudos

Re: SCV Enforcement Per Gateway (Not Global)

Even in R80.70, or any other possible workaround would be appreciated.

0 Kudos
Admin
Admin

Re: SCV Enforcement Per Gateway (Not Global)

I've branched this into a new thread in the Remote Access‌ section.

The workarounds I see are:

  • Use a client that explicitly doesn't require SCV to connect to the relevant gateway and enable that option (see below)
  • Exclude the hosts/services that are accessible from that gateway (see below)
  • Put the gateways in different management domains

Can you describe the use case you're trying to support with this request?

Re: SCV Enforcement Per Gateway (Not Global)

>> Can you describe the use case you're trying to support with this request?

The use case is pretty simple as described before:

I've a customer who has multiple security gateways managed by the same management server.

Now he needs to validate the PCs domain membership for one of the gateways (some kind of regulation demand), but don't want this requirement to exist on another. (On other gateway even local VPN authentication would be satisfactory.)

The SCV exceptions are not good enough for this, since they are only host and service based - even cannot add networks (adding hundreds of hosts doesn't seem to be a good option).

0 Kudos
Admin
Admin

Re: SCV Enforcement Per Gateway (Not Global)

If the hosts accessed from each gateway are different, then implement the exclusion workaround above.

It will do the SCV check on the other gateway but still permit access.

Otherwise, you'll have to manage the other gateway with a separate management domain to have different SCV settings at the moment.

0 Kudos

Re: SCV Enforcement Per Gateway (Not Global)

The host are different, but I need to allow whole networks (the other gateway has also S2S VPN to additional gateways and the VPN clients should be able to access those networks too, via this site).

Re: SCV Enforcement Per Gateway (Not Global)

SVC can be configured in the SMS local.scv file (see sk41336 and sk38702 for details) that is transmitted to the GW during policy install. As a workaround, it would be possible to edit the file, install policy on the special GW and then undo the edits.

0 Kudos

Re: SCV Enforcement Per Gateway (Not Global)

I've thought of doing the same action described by https://community.checkpoint.com/people/g.alba066e051-da82-3e7a-84e6-2bcbff226984 

0 Kudos

Re: SCV Enforcement Per Gateway (Not Global)

I don't think that this workaround is really usable.
Since it would require doing it again and again (with every change in policy, it would require full attention for this issue).

I'm wondering if there is someone out there who is really uses this SCV feature in a real work scenario.

Or if there is any other way to accomplish the task (of letting only domain joined computer to be able to connect via VPN)

0 Kudos
Admin
Admin

Re: SCV Enforcement Per Gateway (Not Global)

The part that seems to be unique to your customer is having different gateways managed by the same domain with different SCV policies.

Most organizations that implement SCV do so for all their gateways, not just for specific ones. 

Re: SCV Enforcement Per Gateway (Not Global)

Ok, let's say that what you say that's the mainstream.

What about different policies for different users? Is that also something extraordinary?

0 Kudos
Admin
Admin

Re: SCV Enforcement Per Gateway (Not Global)

There are usually minimum standards to apply to all users who connect, regardless of who they are.

There might be some different standards based on who the user is and what they access.

Mobile Access Blade with Endpoint Security on Demand offers the kind of granularity you're looking for, but that's a different mechanism from SCV.

0 Kudos

Re: SCV Enforcement Per Gateway (Not Global)

Well I'm aware of the Mobile Access Blade and the Endpoint Security on Demand.

But my feeling is that the MOB is a product that is not being developed for years. It's even abandoned (not yet included) from the R80.10 GUI.

0 Kudos
Admin
Admin

Re: SCV Enforcement Per Gateway (Not Global)

While there are some features/functions of Mobile Access that require the old SmartDashboard in R80.x, we actually support unified policies that include Mobile Access in R80.10.

In terms of major features, we've developed Reverse Proxy functionality and there has been some work done to replace the need for Java for SNX (because browsers stopped supporting it).

So to say that Mobile Access Blade hasn't had development in years is not true.

0 Kudos