- CheckMates
- :
- Products
- :
- Quantum
- :
- Remote Access VPN
- :
- Re: SCV Enforcement Per Gateway (Not Global)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SCV Enforcement Per Gateway (Not Global)
Is there any chance for SCV enforcement per gateway and not global?
It's very problematic to have same rules for different gateways.
For example, I've a customer who has multiple security gateways managed by the same management server.
Now he wants to validate the PCs domain membership for one of the gateways but don't want this requirement to exist on another. I cannot find anyway to workaround this with support.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In R80.20? Not that I'm aware of.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Even in R80.70, or any other possible workaround would be appreciated.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've branched this into a new thread in the Remote Access section.
The workarounds I see are:
- Use a client that explicitly doesn't require SCV to connect to the relevant gateway and enable that option (see below)
- Exclude the hosts/services that are accessible from that gateway (see below)
- Put the gateways in different management domains
Can you describe the use case you're trying to support with this request?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
>> Can you describe the use case you're trying to support with this request?
The use case is pretty simple as described before:
I've a customer who has multiple security gateways managed by the same management server.
Now he needs to validate the PCs domain membership for one of the gateways (some kind of regulation demand), but don't want this requirement to exist on another. (On other gateway even local VPN authentication would be satisfactory.)
The SCV exceptions are not good enough for this, since they are only host and service based - even cannot add networks (adding hundreds of hosts doesn't seem to be a good option).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the hosts accessed from each gateway are different, then implement the exclusion workaround above.
It will do the SCV check on the other gateway but still permit access.
Otherwise, you'll have to manage the other gateway with a separate management domain to have different SCV settings at the moment.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The host are different, but I need to allow whole networks (the other gateway has also S2S VPN to additional gateways and the VPN clients should be able to access those networks too, via this site).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SVC can be configured in the SMS local.scv file (see sk41336 and sk38702 for details) that is transmitted to the GW during policy install. As a workaround, it would be possible to edit the file, install policy on the special GW and then undo the edits.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've thought of doing the same action described by https://community.checkpoint.com/people/g.alba066e051-da82-3e7a-84e6-2bcbff226984
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think that this workaround is really usable.
Since it would require doing it again and again (with every change in policy, it would require full attention for this issue).
I'm wondering if there is someone out there who is really uses this SCV feature in a real work scenario.
Or if there is any other way to accomplish the task (of letting only domain joined computer to be able to connect via VPN)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The part that seems to be unique to your customer is having different gateways managed by the same domain with different SCV policies.
Most organizations that implement SCV do so for all their gateways, not just for specific ones.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, let's say that what you say that's the mainstream.
What about different policies for different users? Is that also something extraordinary?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are usually minimum standards to apply to all users who connect, regardless of who they are.
There might be some different standards based on who the user is and what they access.
Mobile Access Blade with Endpoint Security on Demand offers the kind of granularity you're looking for, but that's a different mechanism from SCV.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well I'm aware of the Mobile Access Blade and the Endpoint Security on Demand.
But my feeling is that the MOB is a product that is not being developed for years. It's even abandoned (not yet included) from the R80.10 GUI.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While there are some features/functions of Mobile Access that require the old SmartDashboard in R80.x, we actually support unified policies that include Mobile Access in R80.10.
In terms of major features, we've developed Reverse Proxy functionality and there has been some work done to replace the need for Java for SNX (because browsers stopped supporting it).
So to say that Mobile Access Blade hasn't had development in years is not true.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @PhoneBoy,
Hope you are doing good.
Need assistance on SCV for R80.30 SMS and Gateway, as we are planning to implement Domain Membership Validation using SCV checks.
We have Checkpoint Gateways in Multiple Regions with Remote Access VPN on each gateway (all managed by the same SMS), the domain for machines in each region are different from each other.
So wanted to confirm if we have an option to deploy Domain Validation specific to each gateway.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is described by this comment: https://community.checkpoint.com/t5/Remote-Access-VPN/SCV-Enforcement-Per-Gateway-Not-Global/m-p/214...
Or you could include a check for all relevant domains on all gateways?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @PhoneBoy for your quick response as usual.
I tried to add all the domains to the Registry Monitor, but it does not work, could you confirm if the below script I am using is correct:
: (RegMonitor
:type (plugin)
:parameters (
:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\MachineDomain=abc.domain")
:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\MachineDomain=def.domain")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("Your computer doesn't meet the domain membership requirements.")
:end (admin)
)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This condition can't possibly work because both conditions can't possibly be true at the same time.
Also, you don't need to include HKEY_LOCAL_MACHINE\ as that's assumed.
Probably something like:
: (RegMonitor
:type (plugin)
:parameters (
:begin_or(or1)
:string ("SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\MachineDomain=abc.domain")
:string ("SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\MachineDomain=def.domain")
:end(or1)
:begin_admin(admin)
:send_log(alert)
:mismatchmessage("Your computer doesn't meet the domain membership requirements.")
:end(admin)
)
Refer to the E80.60 / E80.61 / E80.62 / E80.64 Remote Access Clients for Windows OS Administration Guide for additional syntax on SCV.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @PhoneBoy,
I tried using the above lines in the local.scv file but the the policy install failed, error message "Failed to merge SCV policies. Local SCV file may be corrupt".
Attached the screenshot for your reference.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correct line endings are present ? Compare it with the original files copy to be sure...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @G_W_Albrecht ,
Yes I have verified the config with the original file and it looks fine, attached the local.scv file.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would double check this with the TAC as it's entirely possible I got the syntax wrong on that.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
Could you help me, please?
I am using the syntax below
however, in the mismatchmessage line, only the second one is being validated.
I need all quoted strings to be monitored.
)
:(RegMonitor
:type (plugin)
:parameters (
:begin_or (or1)
:keynexist("SOFTWARE\Microsoft\Windows NT\CurrentVersion")
:string ("SOFTWARE\Microsoft\Windows NT\CurrentVersion\DisplayVersion=20H2")
:begin_or (and1)
:string ("SOFTWARE\Microsoft\Windows NT\CurrentVersion\DisplayVersion=19H2")
:string ("SOFTWARE\Microsoft\Windows NT\CurrentVersion\DisplayVersion=22H2")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("The operating system version does not comply with Sascar standards.")
:end (admin)
:end_and (and1)
:end_or (or1)
:begin_and (and2)
:keynexist("SOFTWARE\Microsoft\Windows NT\CurrentVersion\Update\TargetingInfo\Installed\Client.OS.rs2.amd64")
:string ("SOFTWARE\Microsoft\Windows NT\CurrentVersion\Update\TargetingInfo\Installed\Client.OS.rs2.amd64\Version=10.0.19044.3086")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("The operating system compilation does not comply with Sascar standards.")
:end (admin)
:end_and (and2)
)
)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
Could you help me, please?
I am using the syntax below
however, in the mismatchmessage line, only the second one is being validated.
I need all quoted strings to be monitored.
)
:(RegMonitor
:type (plugin)
:parameters (
:begin_or (or1)
:keynexist("SOFTWARE\Microsoft\Windows NT\CurrentVersion")
:string ("SOFTWARE\Microsoft\Windows NT\CurrentVersion\DisplayVersion=20H2")
:begin_or (and1)
:string ("SOFTWARE\Microsoft\Windows NT\CurrentVersion\DisplayVersion=19H2")
:string ("SOFTWARE\Microsoft\Windows NT\CurrentVersion\DisplayVersion=22H2")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("The operating system version does not comply with Sascar standards.")
:end (admin)
:end_and (and1)
:end_or (or1)
:begin_and (and2)
:keynexist("SOFTWARE\Microsoft\Windows NT\CurrentVersion\Update\TargetingInfo\Installed\Client.OS.rs2.amd64")
:string ("SOFTWARE\Microsoft\Windows NT\CurrentVersion\Update\TargetingInfo\Installed\Client.OS.rs2.amd64\Version=10.0.19044.3086")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("The operating system compilation does not comply with Sascar standards.")
:end (admin)
:end_and (and2)
)
)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I want to enable SCV for allowed only computers domain. However, we have partnert that have their computers or their laptops and they arent in the domain. Is possible do that the exclusions?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SCV applies to everyone that connects.
How would you determine the computer is that of a partner versus an employee using a computer not in the domain?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK. I understand that SCV apply for all computers that connect to the VPN. However, I have two client that have providers that using their computers personal of their organization. When I see exceptions is it not possible?
Or I need give a ip address of office mode static for allowed? I think SCV is a good options, however if it not allowed exclusiones is not enough
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What this screen shows you is what systems can be connected to with the VPN can be connected to if the SCV check fails.
The original use case for this was to allow access to remediation servers so your future SCV checks would succeed.
I suppose you could also use it for third party access.
It's possible to exempt the SCV check for certain client types that don't support (also in this screen), but it's not possible to exclude specific users.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
found no doc for my workaround.
Seems remote access with more than 1 gateway needs an extra manager due to the design contraints, right ?
Contraints I am aware of: scv and VPN communities and maybe more due to no docs found on these contraints.
Our workaround:
- edit the scv file on the gateway and do not configure the SmartConsole>Global properties Secure Configuration Verification (checkpoint.com)
- edit the local.scv on the gatway $FWDIR/policy/local.scv (example for regmonitor) it is not located in conf directory!
: (RegMonitor
:type (plugin)
:parameters (
:string ("HKEY_LOCAL_MACHINE...)
<other config>
)
)
:SCVPolicy (
: (RegMonitor)
)
:SCVGlobalParams (
:disconnect_when_not_verified (true)
:skip_firewall_enforcement_check (true)
)