This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kevin_Orrison
Collaborator
‎2020-04-08 03:10 PM

Real World local.scv Example

As I am looking through the Remote Access Client admin guide and sk38702, I'm wondering if anyone is willing to share their local.scv files in production. The syntax isn't crazy easy to understand, but I'm most interested in the following if it's supported. 

Checking if Windows 10 is >= 1903
Check if AV process is running - This looks supported
Check if client computer is joined to company domain

0 Kudos
22 Replies
PhoneBoy
Admin
Admin
‎2020-04-10 04:20 PM

Under OsMonitor, you'd need something like:

:major_os_version_number_10 (10)
:minor_os_version_number_10 (0)
:os_version_operand_10 ("==")

And yes, this should be in the documentation somewhere, but it's not.

AV is definitely supported, see example here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

As for checking if domain-registered, this registry key seems to be the one to check for: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\MachineDomain
However, you can also check for a specific registry entry that you add via GPO or similar.
Kevin_Orrison
Collaborator
‎2020-04-13 07:26 AM
In response to PhoneBoy

What does the minor version correspond to? Is there a way to reference the Windows 10 build? Like 1903 being 18362.753. Ultimately, it would be nice to do build >= 18362.753 is compliant and allowed to connect.
0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-13 07:40 AM
In response to Kevin_Orrison

Minor version in this case is most likely zero (as in Windows version 10.0).
Hotfix Monitor is probably what you want to use here, but not sure of the exact syntax.
0 Kudos
MrSaintz
Contributor
‎2021-02-09 11:37 AM
In response to PhoneBoy

This GPO check sounds cleverly neat to use, specially the tip on more specific registry entries we can makeup, thanks! TCPIP Parameter, sounds sneaky, as it's a dns suffix record that, non-domain devices can add it easily to cope with at not cost of the device regular functionality, no?

Carlos Santos
0 Kudos
AndreiMe
Employee
Employee
‎2020-04-14 05:52 AM

Windows version information can be found in the registry on
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Open this key in regedit and you'll see a lot of information.
Therefore, the check for version, build and whatever else can be done with RegMonitor.
0 Kudos
Kevin_Orrison
Collaborator
‎2020-04-14 10:39 AM
In response to AndreiMe

Thanks for all the input.
0 Kudos
Jean-Francois_G
Explorer
‎2020-04-16 10:50 AM

Were you able to make this work im trying to do it and nothing seem to work 

Im on Gaia R80.30 on both MGMT and Firewall

Thanks !

0 Kudos
Kevin_Orrison
Collaborator
‎2020-04-16 11:44 AM
In response to Jean-Francois_G

No, I haven't got around to trying this yet.
0 Kudos
Jean-Francois_G
Explorer
‎2020-04-16 12:23 PM
In response to Kevin_Orrison

ok thanks 

0 Kudos
AndreiMe
Employee
Employee
‎2020-04-17 05:01 AM
In response to Jean-Francois_G

And here is an example of the Windows build check. Here we require Windows 10 version 1903 or newer:

		: (RegMonitor
			:type (plugin)
			:parameters (
				:begin_and (1)
					:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion=6.3")
					:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ReleaseId>=1903")
				:end (and1)
				:begin_admin (admin)
					:send_log (alert)
					:mismatchmessage ("Windows 10 version 1903 or newer is required.")
				:end (admin)
			)
		)

As an alternative, you can compare CurrentMajorVersionNumber with 10. In this case, replace

:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion=6.3")

with

:value ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentMajorVersionNumber=10")

Do not forget to include RegMonitor in SCVPolicy section:

	:SCVPolicy (
		: (RegMonitor)
	)

Save the local.scv file and install policy. If a separate gateway/management configuration is used, the local.scv file has to be configured on the management. I assume, you have SCV check turned on.

Jean-Francois_G
Explorer
‎2020-04-17 01:35 PM
In response to AndreiMe

That's this part that was missing 

 

Do not forget to include RegMonitor in SCVPolicy section:

	:SCVPolicy (
		: (RegMonitor)
	)

Thanks for your help ! 

0 Kudos
AndreiMe
Employee
Employee
‎2020-04-17 05:56 AM

Refer to sk65267 for an example of how to check for the domain.  In short, add a check to RegMonitor section, e.g.:

:string ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain=your_company_domain")

Here we check string value "Domain" in the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

Ruan_Kotze
Advisor
‎2020-04-18 06:27 AM
In response to AndreiMe

I was not even aware SCV was a thing in Checkpoint, always thought you needed the full endpoint security client to do stuff like domain checks.  There's always something to learn:-)

Anyhow - this thread inspired me to build this up in my lab and test with just the Check Point Mobile client.

I got it working very nicely after a couple of false starts.  I will post a full writeup on the forum also when I have a bit of time.  In the meantime, here is my local.scv lab file (had to change extension otherwise I cannot upload to the forum) which checks for domain membership (lab domain is checkpoint.root).

These sources were very helpful:

sk65267
sk147416
https://community.checkpoint.com/t5/Remote-Access-Solutions/White-Paper-Check-Point-Compliance-Check...

Preview file
8 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-18 07:53 PM
In response to Ruan_Kotze

SCV has been around since before Check Point offered a full Endpoint Security client.
While the Compliance checks in Endpoint Security are the preferred approach, SCV is still useful in cases where the full Endpoint client isn't needed.
Note that SCV is only applicable for Windows clients, it is not supported on Mac or on other platforms.
0 Kudos
Kevin_Orrison
Collaborator
‎2020-04-22 06:35 AM
In response to PhoneBoy

It was my understanding that the full endpoint client still uses the local.scv file for its posture checks. Is this not the case? If so, how does the full endpoint client accomplish its posture checks?
0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-22 09:54 AM
In response to Kevin_Orrison

The full Endpoint client can use SCV, the configuration file for which is stored on the relevant gateway.
Compliance checks are configured in SmartEndpoint and stored on the Endpoint Management server.
0 Kudos
Jean-Francois_G
Explorer
‎2020-04-22 12:59 PM
In response to PhoneBoy

With the compliance check with the local.scv file or the SmartEndpoint server there is an option to check if a file exist.  Ive create a dummy file and i would like to insert it in the MSI im giving to external user so they can install the VPN without knowing they need this file to connect to our server.  How can i add this file to the EPS.MSI or the E82.50_CheckPointVPN.msi

 

Thanks for your help !

0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-23 10:39 AM
In response to Jean-Francois_G

An MSI is basically an archive.
Which means, you should be able to add a file to one of the folders that gets installed from the MSI.
Now whether that will actually work or not is a separate question.

There are better ways to check if the system is a trusted asset or not (e.g. registry checks).
0 Kudos
Jean-Francois_G
Explorer
‎2020-04-23 10:42 AM
In response to PhoneBoy

I know we can do this with registry too but it will still be the same thing i will need to add a registry key in the MSI because we have external user that are not part of the company that have VPN access to maintain some software.  So i would prefer to keep the registry or file secret from them 

 

Thanks !

0 Kudos
stuart2020
Participant
‎2021-06-30 01:10 AM
In response to Ruan_Kotze

Hi Ruan,

I am using the Mobile VPN client and would like to deploy a basic SCV policy primarily to remove the "No security policy is configured" warning in the VPN client. I wanted to check, do you need to install the Policy server blade, configure and push the "Desktop" policy even when only using the Mobile VPN client (not Endpoint Security client)? 

Did you get chance to upload a full write up of your lab setup / configuration?

Thank you.

 

0 Kudos
AndreiMe
Employee
Employee
‎2021-06-30 01:44 AM
In response to stuart2020

Hi stuart2020,

Yes, you should install the Policy server on gateways.  Desktop policy should be configured for SCV to work.

If you have separate gateways and management, configure local.scv on the management server. "Check Point Mobile" flavor of the VPN client does not include firewall,  so you may prefer to set :skip_firewall_enforcement_check (true) in SCVGlobalParams section (see sk73600).

Ruan_Kotze
Advisor
‎2021-06-30 01:48 AM
In response to stuart2020

Sure did - the writeup is on my blog - https://namitguy.blogspot.com/2020/04/implementing-secure-client-verification.html