Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
afranklin
Participant

How to enable Secure Client Verification?

I'm using the checkmates to learn, my interest is in the VPN service that I was able to replicate. I used with an workstation running the last Check Point Endpoint security client and it connects fine. I want to test secure client verification to validate for example if my antivirus is running and my machine is on my domain. I saw compliance options inside Mobile Web Access, at the rules dashboard there is a link to open a new dashboard that allows me to create a new rule or edit the 3 defaults (high, medium and low), however it never runs on my client.

I searched and my guess is that it only works with mobile vpn client and not Check Point Endpoint Security (that if I understood properly is stronger -so I prefer use it to test). I found this article (https://namitguy.blogspot.com/2020/04/implementing-secure-client-verification.html) suggesting that I have to enable a special feature at Remote access -> Secure Configuration Verification. However I don't see it on the CheckMate labs. Maybe is it a feature on old version? Doesn't exist anymore?

Also, it says to enable IPSEC and Policy Server  feature, and than a policy named desktop security. All fine, except that the rules at desktop security appears to be related  with inbound and outbound rules and not process checks for example. What am I missing?

Also, once it's enable the  only way to create the rules is editing the file mentioned with vi (command-line)?

The official pdf looks more or less the same https://community.checkpoint.com/t5/Remote-Access-VPN/White-Paper-Check-Point-Compliance-Checking-wi...

I could not find, is there any command (command line) to verify if secure client verification is enabled and my checkpoint is using the current local.csv file?

All help is very welcome!

0 Kudos
14 Replies
PhoneBoy
Admin
Admin

SCV is definitely an older feature, however customers still use it both with Check Point Mobile and Endpoint Security VPN.
SCV is also limited to Windows clients currently.

The Desktop Policy is actually firewall rules for the client, yes.
And yes, it is required to utilize SCV.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

afranklin
Participant

 

Gotcha @PhoneBoy. Is there a better way to enforce such king of checks since it's an old feature?

Since SCV only works on Windows, do you know how is possible to prevent any computer that is not Windows (such as Mac) to log-in on my checkpoint vpn?

PhoneBoy
Admin
Admin

The SCV check would fail on anything that can't run SCV and you can configure (in Global Properties, I believe) whether that would be allowed or not.
The other way to do it would be Endpoint Compliance, which requires Endpoint licensing (or legacy ACCESS licenses).

0 Kudos
afranklin
Participant

@PhoneBoythank you for answer.

Before asking questions I tried to configure SCV to fail on anything that can't run SCV, but I failed miserable. Can you please give me more details?

Below is my scv config to test

Screen Shot 2021-10-27 at 22.46.46.png

and my global properties

Screen Shot 2021-10-27 at 22.49.16.pngScreen Shot 2021-10-27 at 22.49.24.png

my windows fail because it's not compliant

 

Screen Shot 2021-10-27 at 22.52.23.png

but my mac always work, no matter what i do it connect

Screen Shot 2021-10-27 at 22.53.51.png

0 Kudos
PhoneBoy
Admin
Admin

The Mac is showing compliant because it's using Endpoint Compliance and not SCV.
Can the Mac actually connect to the relevant resources?
If so, I recommend a TAC case for further troubleshooting.

0 Kudos
afranklin
Participant

thanks @PhoneBoy 

Is there  a way to ignore endpoint compliance and force that any client that doesn't support SCV will not log on my vpn?

I tried to create a endpoint compliance to test (the default high) and there is no AV on this  mac but it still connects fine.

Yes, the mac is able to access my internal file share via this vpn

Sorry for ignorance, what is a TAC case? I'm not a customer...I use the lab to learn Checkpoint amazing tools

An alternative could be to allow only computers (Windows) to log on my vpn and have SCV pass, all other clients  (Linux, Mac) I want to deny directly. Is it possible?

PhoneBoy
Admin
Admin

Even a non-compliant computer is allowed to connect to the VPN.
However, they would only be permitted access to the specific items allowed in the screenshot (i.e. for remediation purposes).
All make sure local.scv is configured to not allow non-SCV clients to connect.
Basically the opposite of: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

Yes, TAC requires having a support agreement.

0 Kudos
afranklin
Participant


Got it @PhoneBoy 

I think that I can't see the screenshot (where to define what resources are allowed to remediation purpose). Do you have it anywhere else? Restrict to  only one server or maybe none could be an solution...

Mine is configured as :allow_non_scv_clients (false)

0 Kudos
PhoneBoy
Admin
Admin

It's actually in the screenshots you've already provided (Secure Configuration Verification Exceptions)

0 Kudos
afranklin
Participant

 

Thanks @PhoneBoy. I played a  lot with that screen and  no matter what I do, Mac clients are allowed to connect at VPN and reach  any internal server. 😞

Any guess?

0 Kudos
PhoneBoy
Admin
Admin

What version/JHF of gateway is involved?

0 Kudos
pfilipe
Participant

Hey, did you already tried to do?

:disconnect_when_not_verified (true)
:block_connections_on_unverified (true)

as well as

:allow_non_scv_clients (false)

In the global Properties i didnt have to anything in mine.

This is will make if you are not compliant it will block the connection, even tho the VPN can Log in, after 20 seconds you will be dropped

 

Best Regards,
Perdro Filipe

 

 

afranklin
Participant

 

Hi @pfilipe,

I  tried it  and many combinations, just to make sure I tried again now...

:SCVGlobalParams (
:enable_status_notifications (false)
:status_notifications_timeout (10)
:disconnect_when_not_verified (true)
:block_connections_on_unverified (true)
:scv_policy_timeout_hours (168)
:enforce_ip_forwarding (false)
:not_verified_script ("")
:not_verified_script_run_show (false)
:not_verified_script_run_admin (false)
:not_verified_script_run_always (false)
:allow_non_scv_clients (false)
:skip_firewall_enforcement_check (false)

I connect on my Windows and it works as expected. On Mac with last endpoint security client no matter what I do, I keep connected and  can reach any internal server 😞

Have you tried it with the last mac client?

Do you use CheckMate Labs? I'm asking because I'm using it and I'm  not sure if there is anything different there.

In theory I see that people claim that it works, but I'm ashamed that I can't make it work.

https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

0 Kudos
Alex_Sazonov
Employee
Employee

Hello @afranklin 

By " it works as expected" you mean if Windows client is not compliant it is not able to access encryption domain and when compliance status is changed access is restored?

Also in the Access Control -> Policy do you have "Remote Access" community configured in VPN  column for the rules allowing  traffic from RA users to encryption domain? 

0 Kudos