Real World local.scv Example
As I am looking through the Remote Access Client admin guide and sk38702, I'm wondering if anyone is willing to share their local.scv files in production. The syntax isn't crazy easy to understand, but I'm most interested in the following if it's supported.
Checking if Windows 10 is >= 1903
Check if AV process is running - This looks supported
Check if client computer is joined to company domain
:major_os_version_number_10 (10)
:minor_os_version_number_10 (0)
:os_version_operand_10 ("==")
And yes, this should be in the documentation somewhere, but it's not.
AV is definitely supported, see example here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
As for checking if domain-registered, this registry key seems to be the one to check for: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\MachineDomain
However, you can also check for a specific registry entry that you add via GPO or similar.
Hotfix Monitor is probably what you want to use here, but not sure of the exact syntax.
This GPO check sounds cleverly neat to use, especially the tip on more specific registry entries we can make up, thanks! TCPIP Parameter sounds sneaky, as it's a DNS suffix record that non-domain devices can add easily to cope with, at no cost to the device's regular functionality, no?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Open this key in regedit and you'll see a lot of information.
Therefore, the check for version, build and whatever else can be done with RegMonitor.
Were you able to make this work? I'm trying to do it and nothing seems to work.
I'm on Gaia R80.30 on both MGMT and Firewall.
Thanks!
ok thanks
And here is an example of the Windows build check. Here we require Windows 10 version 1903 or newer:
: (RegMonitor
    :type (plugin)
    :parameters (
        :begin_and (1)
        :string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion=6.3")
        :string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ReleaseId>=1903")
        :end (and1)
        :begin_admin (admin)
        :send_log (alert)
        :mismatchmessage ("Windows 10 version 1903 or newer is required.")
        :end (admin)
    )
)
As an alternative, you can compare CurrentMajorVersionNumber with 10. In this case, replace
:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion=6.3")
with
:value ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentMajorVersionNumber=10")
Do not forget to include RegMonitor in SCVPolicy section:
:SCVPolicy ( : (RegMonitor) )
Save the local.scv file and install policy. If a separate gateway/management configuration is used, the local.scv file has to be configured on the management. I assume, you have SCV check turned on.
That's this part that was missing
Do not forget to include RegMonitor in SCVPolicy section:
:SCVPolicy ( : (RegMonitor) )
Thanks for your help !
Refer to sk65267 for an example of how to check for the domain. In short, add a check to RegMonitor section, e.g.:
:string ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain=your_company_domain")
Here we check string value "Domain" in the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
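An added example, not code from this thread or from Check Point: a PowerShell pre-check that reads the same registry values the RegMonitor strings in the two replies above reference (the Windows 10 version check with CurrentVersion, CurrentMajorVersionNumber and ReleaseId, and the Tcpip\Parameters\Domain and Group Policy\History\MachineDomain domain indicators) and reports which conditions a test client meets, so a policy can be dry-run on a client before local.scv is installed on the management server. The expected domain name, the build-number threshold and the custom marker key HKLM\SOFTWARE\ExampleCorp\VPN are this script's own assumptions. The comparisons are the script's own; they are not a description of how the SCV engine compares values.

```powershell
# Added example (not from the thread or from Check Point). Dry-runs the registry
# conditions used in the local.scv RegMonitor checks above on a Windows client.
# Assumptions: Windows 10/11, PowerShell 5.1 or later; no elevation is needed
# because all of these keys are readable by standard users.

$ntVer  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$gpHist = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$expectedDomain = 'your_company_domain'   # placeholder from sk65267; use your AD DNS name

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent
    # (older Windows has no CurrentMajorVersionNumber, ReleaseId or DisplayVersion).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$results = [ordered]@{}

# --- OS version checks (the "Windows 10 version 1903 or newer" RegMonitor example) ---
$currentVersion = Get-RegValue $ntVer 'CurrentVersion'             # '6.3' on Windows 10 and 11
$major          = Get-RegValue $ntVer 'CurrentMajorVersionNumber'  # 10 on Windows 10 and 11
$releaseId      = Get-RegValue $ntVer 'ReleaseId'                  # '1903', '1909', '2004', then frozen at '2009'
$displayVersion = Get-RegValue $ntVer 'DisplayVersion'             # '20H2', '21H1', ... (absent before 20H2)
$build          = Get-RegValue $ntVer 'CurrentBuild'               # monotonic; 18362 is 1903

$results['CurrentVersion=6.3']           = ($currentVersion -eq '6.3')
$results['CurrentMajorVersionNumber=10'] = ($major -eq 10)
$results['ReleaseId>=1903']              = ($null -ne $releaseId -and [int]$releaseId -ge 1903)
# ReleaseId stopped changing at 2009 (20H2), so ">=1903" keeps passing on newer
# builds, but no ReleaseId comparison can express "21H1 or newer". Use the build
# number for anything past 2004; the threshold below is an assumed example.
$results['CurrentBuild>=18362 (1903+)']  = ($null -ne $build -and [int]$build -ge 18362)

# --- Domain membership indicators discussed in the thread ---
$tcpipDomain   = Get-RegValue $tcpip  'Domain'         # primary DNS suffix: set on domain join, but editable locally
$machineDomain = Get-RegValue $gpHist 'MachineDomain'  # written by the Group Policy client after machine policy applies
$cs            = Get-CimInstance -ClassName Win32_ComputerSystem

$results["Tcpip\Domain=$expectedDomain"]              = ($tcpipDomain -eq $expectedDomain)
$results['GroupPolicy\History\MachineDomain present'] = (-not [string]::IsNullOrEmpty($machineDomain))
# Ground truth to compare the two registry indicators against:
$results['Win32_ComputerSystem.PartOfDomain']         = [bool]$cs.PartOfDomain

# --- Optional custom marker written by GPO (hypothetical key and value name) ---
$marker = Get-RegValue 'HKLM:\SOFTWARE\ExampleCorp\VPN' 'ManagedAsset'
$results['Custom marker ManagedAsset=1']              = ($marker -eq 1)

"Build $build, ReleaseId $releaseId, DisplayVersion $displayVersion, domain '$($cs.Domain)'"
$results.GetEnumerator() | ForEach-Object {
    '{0,-48} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

Run it on a few representative clients (domain-joined, freshly imaged, and a non-domain machine) and compare the PASS/FAIL lines with what the RegMonitor strings are meant to enforce. Two caveats matter when reading the output: the primary DNS suffix under Tcpip\Parameters and any GPO-written marker key can both be set by a local administrator on a machine that was never domain-joined, which is the concern raised earlier in the thread, so these checks raise the bar for casual misuse rather than prove the asset is trusted; and because ReleaseId froze at 2009, version requirements newer than 2004 have to be expressed against CurrentBuild rather than ReleaseId.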
I was not even aware SCV was a thing in Checkpoint, always thought you needed the full endpoint security client to do stuff like domain checks. There's always something to learn:-)
Anyhow - this thread inspired me to build this up in my lab and test with just the Check Point Mobile client.
I got it working very nicely after a couple of false starts. I will post a full writeup on the forum also when I have a bit of time. In the meantime, here is my local.scv lab file (had to change extension otherwise I cannot upload to the forum) which checks for domain membership (lab domain is checkpoint.root).
These sources were very helpful:
sk65267
sk147416
https://community.checkpoint.com/t5/Remote-Access-Solutions/White-Paper-Check-Point-Compliance-Check...
While the Compliance checks in Endpoint Security are the preferred approach, SCV is still useful in cases where the full Endpoint client isn't needed.
Note that SCV is only applicable for Windows clients, it is not supported on Mac or on other platforms.
Compliance checks are configured in SmartEndpoint and stored on the Endpoint Management server.
With the compliance check, with the local.scv file or the SmartEndpoint server, there is an option to check if a file exists. I've created a dummy file and I would like to insert it in the MSI I'm giving to external users so they can install the VPN without knowing they need this file to connect to our server. How can I add this file to the EPS.MSI or the E82.50_CheckPointVPN.msi?
Thanks for your help!
Which means, you should be able to add a file to one of the folders that gets installed from the MSI.
Now whether that will actually work or not is a separate question.
There are better ways to check if the system is a trusted asset or not (e.g. registry checks).
I know we can do this with the registry too, but it will still be the same thing: I will need to add a registry key in the MSI, because we have external users who are not part of the company but have VPN access to maintain some software. So I would prefer to keep the registry key or file secret from them.
Thanks!
Hi Ruan,
I am using the Mobile VPN client and would like to deploy a basic SCV policy primarily to remove the "No security policy is configured" warning in the VPN client. I wanted to check, do you need to install the Policy server blade, configure and push the "Desktop" policy even when only using the Mobile VPN client (not Endpoint Security client)?
Did you get chance to upload a full write up of your lab setup / configuration?
Thank you.
Hi stuart2020,
Yes, you should install the Policy server on gateways. Desktop policy should be configured for SCV to work.
If you have separate gateways and management, configure local.scv on the management server. "Check Point Mobile" flavor of the VPN client does not include firewall, so you may prefer to set :skip_firewall_enforcement_check (true) in SCVGlobalParams section (see sk73600).
Sure did - the writeup is on my blog - https://namitguy.blogspot.com/2020/04/implementing-secure-client-verification.html
