This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gorbiabimanyu
Employee Alumnus
Employee Alumnus
‎2021-11-08 05:40 PM
Jump to solution

Block client's connection Upon verification failure not working

Hi,

 

I've set to block client's connection Upon verification failure in Global properties. then test to connect a non-compliant to gateway, but the vpn still able to connect.

Screenshot_5.png

here are my SCV global parameters :

:SCVGlobalParams (
:enable_status_notifications (false)
:status_notifications_timeout (10)
:disconnect_when_not_verified (false)
:block_connections_on_unverified (false)
:scv_policy_timeout_hours (168)
:enforce_ip_forwarding (false)
:not_verified_script ("")
:not_verified_script_run_show (false)
:not_verified_script_run_admin (false)
:not_verified_script_run_always (false)
:allow_non_scv_clients (false)
:skip_firewall_enforcement_check (false)
)

 

is value in SCV's global parameters overrides setting on SMS Global properties > Remote Access > Upon Verification failure?

 

 

0 Kudos
1 Solution

Accepted Solutions
Alex_Sazonov
Employee Alumnus
Employee Alumnus
‎2021-11-08 11:03 PM
Jump to solution

Hello @Gorbiabimanyu 

Do you have access rule which accept traffic to encryption domain with VPN column = "RemoteAccess"?

Screenshot 2021-11-09 at 09.42.33.png

As you can see this settings are relevant for Simplified mode FW policy:

Screenshot 2021-11-09 at 09.46.02.png

 

View solution in original post

0 Kudos
4 Replies
Alex_Sazonov
Employee Alumnus
Employee Alumnus
‎2021-11-08 11:03 PM
Jump to solution

Hello @Gorbiabimanyu 

Do you have access rule which accept traffic to encryption domain with VPN column = "RemoteAccess"?

Screenshot 2021-11-09 at 09.42.33.png

As you can see this settings are relevant for Simplified mode FW policy:

Screenshot 2021-11-09 at 09.46.02.png

 

0 Kudos
Gorbiabimanyu
Employee Alumnus
Employee Alumnus
‎2021-11-09 06:52 PM
In response to Alex_Sazonov
Jump to solution

thanks, now it worked just fine.

just to be clear, when a client is non-compliant.the VPN will still be connected, but the traffic will be blocked from the rule base?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-11-09 09:46 PM
In response to Gorbiabimanyu
Jump to solution

Not from the rulebase.
You can configure in Global Properties (don't have a screenshot handy) what servers you can connect to when SCV fails.

0 Kudos
Alex_Sazonov
Employee Alumnus
Employee Alumnus
‎2021-11-09 10:31 PM
In response to Gorbiabimanyu
Jump to solution

@Gorbiabimanyu 

Traffic from such machines will be dropped by FW with the message "Client's configuration is not verified":

2021-11-10 09_23_46-SmartView.png

If you need to disconnect VPN you will need to set this to "true":

 

:disconnect_when_not_verified (true)

 

In this case users will not have access to ANY resources inside of encryption domain.

 

Exceptions mentioned by @PhoneBoy  should be configured in here and will not work if you drop VPN tunnel:

2021-11-10 09_17_34-SCV Enforcement Per Gateway (Not Global) - Check Point CheckMates.png

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events