Gotcha @PhoneBoy. Is there a better way to enforce such king of checks since it's an old feature?

Since SCV only works on Windows, do you know how is possible to prevent any computer that is not Windows (such as Mac) to log-in on my checkpoint vpn?

The SCV check would fail on anything that can't run SCV and you can configure (in Global Properties, I believe) whether that would be allowed or not.
The other way to do it would be Endpoint Compliance, which requires Endpoint licensing (or legacy ACCESS licenses).

@PhoneBoythank you for answer.

Before asking questions I tried to configure SCV to fail on anything that can't run SCV, but I failed miserable. Can you please give me more details?

Below is my scv config to test



and my global properties



my windows fail because it's not compliant

but my mac always work, no matter what i do it connect

The Mac is showing compliant because it's using Endpoint Compliance and not SCV.
Can the Mac actually connect to the relevant resources?
If so, I recommend a TAC case for further troubleshooting.

thanks @PhoneBoy 

Is there  a way to ignore endpoint compliance and force that any client that doesn't support SCV will not log on my vpn?

I tried to create a endpoint compliance to test (the default high) and there is no AV on this  mac but it still connects fine.

Yes, the mac is able to access my internal file share via this vpn

Sorry for ignorance, what is a TAC case? I'm not a customer...I use the lab to learn Checkpoint amazing tools

An alternative could be to allow only computers (Windows) to log on my vpn and have SCV pass, all other clients  (Linux, Mac) I want to deny directly. Is it possible?

Even a non-compliant computer is allowed to connect to the VPN.
However, they would only be permitted access to the specific items allowed in the screenshot (i.e. for remediation purposes).
All make sure local.scv is configured to not allow non-SCV clients to connect.
Basically the opposite of: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

Yes, TAC requires having a support agreement.

Got it @PhoneBoy 

I think that I can't see the screenshot (where to define what resources are allowed to remediation purpose). Do you have it anywhere else? Restrict to  only one server or maybe none could be an solution...

Mine is configured as :allow_non_scv_clients (false)

It's actually in the screenshots you've already provided (Secure Configuration Verification Exceptions)

Thanks @PhoneBoy. I played a  lot with that screen and  no matter what I do, Mac clients are allowed to connect at VPN and reach  any internal server. 😞

Any guess?

What version/JHF of gateway is involved?

Hey, did you already tried to do?

:disconnect_when_not_verified (true)
:block_connections_on_unverified (true)

as well as

:allow_non_scv_clients (false)

In the global Properties i didnt have to anything in mine.

This is will make if you are not compliant it will block the connection, even tho the VPN can Log in, after 20 seconds you will be dropped

Best Regards,
Perdro Filipe

Hi @pfilipe,

I  tried it  and many combinations, just to make sure I tried again now...

:SCVGlobalParams (
:enable_status_notifications (false)
:status_notifications_timeout (10)
:disconnect_when_not_verified (true)
:block_connections_on_unverified (true)
:scv_policy_timeout_hours (168)
:enforce_ip_forwarding (false)
:not_verified_script ("")
:not_verified_script_run_show (false)
:not_verified_script_run_admin (false)
:not_verified_script_run_always (false)
:allow_non_scv_clients (false)
:skip_firewall_enforcement_check (false)

I connect on my Windows and it works as expected. On Mac with last endpoint security client no matter what I do, I keep connected and  can reach any internal server 😞

Have you tried it with the last mac client?

Do you use CheckMate Labs? I'm asking because I'm using it and I'm  not sure if there is anything different there.

In theory I see that people claim that it works, but I'm ashamed that I can't make it work.

https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

Hello @afranklin 

By " it works as expected" you mean if Windows client is not compliant it is not able to access encryption domain and when compliance status is changed access is restored?

Also in the Access Control -> Policy do you have "Remote Access" community configured in VPN  column for the rules allowing  traffic from RA users to encryption domain?