Gorbiabimanyu
Employee Alumnus

Block client's connection Upon verification failure not working

Hi,

I've set "Block client's connection upon verification failure" in Global Properties, then tested connecting a non-compliant client to the gateway, but the VPN is still able to connect.

Screenshot_5.png

here are my SCV global parameters :

:SCVGlobalParams (
:enable_status_notifications (false)
:status_notifications_timeout (10)
:disconnect_when_not_verified (false)
:block_connections_on_unverified (false)
:scv_policy_timeout_hours (168)
:enforce_ip_forwarding (false)
:not_verified_script ("")
:not_verified_script_run_show (false)
:not_verified_script_run_admin (false)
:not_verified_script_run_always (false)
:allow_non_scv_clients (false)
:skip_firewall_enforcement_check (false)
)

 

Does the value in the SCV global parameters override the setting in SMS Global Properties > Remote Access > Upon Verification Failure?

Accepted Solutions
Alex_Sazonov
Employee

Hello @Gorbiabimanyu 

Do you have an access rule which accepts traffic to the encryption domain with VPN column = "RemoteAccess"?

Screenshot 2021-11-09 at 09.42.33.png

As you can see, these settings are relevant for the Simplified mode FW policy:

Screenshot 2021-11-09 at 09.46.02.png

 

Gorbiabimanyu
Employee Alumnus

Thanks, now it works just fine.

Just to be clear: when a client is non-compliant, the VPN will still be connected, but the traffic will be blocked by the rule base?

PhoneBoy
Admin

Not from the rulebase.
You can configure in Global Properties (don't have a screenshot handy) what servers you can connect to when SCV fails.

Alex_Sazonov
Employee

@Gorbiabimanyu 

Traffic from such machines will be dropped by the FW with the message "Client's configuration is not verified":

2021-11-10 09_23_46-SmartView.png

If you need to disconnect the VPN, you will need to set this to "true":

:disconnect_when_not_verified (true)

 

In this case, users will not have access to ANY resources inside the encryption domain.

 

The exceptions mentioned by @PhoneBoy should be configured here and will not work if you drop the VPN tunnel:

2021-11-10 09_17_34-SCV Enforcement Per Gateway (Not Global) - Check Point CheckMates.png

 

 

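Added example (not part of this thread and not Check Point code): a small Python checker that parses an SCVGlobalParams block in the ":name (value)" layout quoted in the question, lists the settings that leave a non-verified client connected, and writes back a hardened copy with disconnect_when_not_verified set to true as described in the reply above. The sample block is the one posted in the question; the parser, the function names, and the reading of block_connections_on_unverified (and the two flags below it) as matching the Global Properties options by name are assumptions made here, not statements from the thread.

```python
import re

# Constructed sample: the SCVGlobalParams block quoted earlier in this thread,
# with both enforcement flags still at "false".
SAMPLE_SCV_PARAMS = """\
:SCVGlobalParams (
:enable_status_notifications (false)
:status_notifications_timeout (10)
:disconnect_when_not_verified (false)
:block_connections_on_unverified (false)
:scv_policy_timeout_hours (168)
:enforce_ip_forwarding (false)
:not_verified_script ("")
:not_verified_script_run_show (false)
:not_verified_script_run_admin (false)
:not_verified_script_run_always (false)
:allow_non_scv_clients (false)
:skip_firewall_enforcement_check (false)
)
"""

# One ":name (value)" line; the value is whatever sits between the parentheses.
PARAM_RE = re.compile(r'^:(\w+)\s*\((.*)\)$')


def _coerce(raw):
    """Turn the textual value into bool, int or str (surrounding quotes stripped)."""
    if raw in ('true', 'false'):
        return raw == 'true'
    if raw.isdigit():
        return int(raw)
    return raw.strip('"')


def parse_scv_global_params(text):
    """Parse the :SCVGlobalParams ( ... ) section into a dict, in file order.

    Only the lines between the section header and its closing ')' are read;
    anything else in the file is ignored.
    """
    params = {}
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(':SCVGlobalParams'):
            in_section = True
            continue
        if not in_section:
            continue
        if stripped == ')':
            break
        m = PARAM_RE.match(stripped)
        if m:
            params[m.group(1)] = _coerce(m.group(2).strip())
    return params


def assess_enforcement(params):
    """Return findings for settings that leave a non-verified client connected.

    disconnect_when_not_verified (true) tears down the VPN tunnel, as the thread
    states. The other three flags are interpreted by their names only (an
    assumption of this example): block_connections_on_unverified is read as the
    file-side counterpart of "Block client's connection upon verification failure".
    """
    findings = []
    if not params.get('disconnect_when_not_verified', False):
        findings.append('disconnect_when_not_verified is false: a non-verified '
                        'client keeps its VPN tunnel')
    if not params.get('block_connections_on_unverified', False):
        findings.append('block_connections_on_unverified is false: connections '
                        'from non-verified clients are not blocked by SCV')
    if params.get('allow_non_scv_clients', False):
        findings.append('allow_non_scv_clients is true: clients without an SCV '
                        'check are admitted')
    if params.get('skip_firewall_enforcement_check', False):
        findings.append('skip_firewall_enforcement_check is true: the client '
                        'firewall check is not enforced')
    return findings


def harden(params):
    """Copy of params with the two enforcement flags switched on."""
    hardened = dict(params)
    hardened['disconnect_when_not_verified'] = True
    hardened['block_connections_on_unverified'] = True
    return hardened


def render(params):
    """Write the dict back out in the same :name (value) layout."""
    lines = [':SCVGlobalParams (']
    for name, value in params.items():
        if isinstance(value, bool):      # must come before int: bool is an int
            text = 'true' if value else 'false'
        elif isinstance(value, int):
            text = str(value)
        else:
            text = '"%s"' % value
        lines.append(':%s (%s)' % (name, text))
    lines.append(')')
    return '\n'.join(lines)


if __name__ == '__main__':
    current = parse_scv_global_params(SAMPLE_SCV_PARAMS)
    for finding in assess_enforcement(current):
        print('FINDING:', finding)
    print(render(harden(current)))
```

Running it on the sample prints two findings (both enforcement flags false) followed by the hardened block; render(parse(text)) round-trips the original block unchanged, so the same code can be used to diff a gateway's current parameters against the intended ones.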