This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RAlexander
Explorer
a week ago
Jump to solution

Secure Configuration Verification

Hello
Tell me how to correctly add the item about checking whether the device is in the domain or not to the Secure Configuration Verification file?
I have it now and when I start the VPN it skips any device (below are two screenshots), the first is the parameters for checking whether the device is in the domain, the second is the parameters for checking and global parameters.
I do all the settings through the terminal on the gateway, in the vi editor, so that nothing goes.
And tell me, can there be only one policy file?
If so, is it possible that several criteria for verification are set in one file?
What's the point, in my organization there are several options for connecting to a VPN, from corporate devices and from personal devices to a VPN, so the result should be the following:
1. The vpn-users, vtn-term, vpn-route, vpn-constructors group should be checked.
2. If the user has a vpn-users group, then the domain computer is checked or not, if the domain computer is allowed, if the computer is not a domain computer, we do not let it.
3.If the user has a vpn-term group, vpn-routes, vpn-constractors, then the domain comp is checked or not, if the domain comp is not allowed, if the computer is not domainy, we check the Windows, antivirus and the relevance of the antivirus database. If there is at least one discrepancy, we do not let him in.
All groups and users are domain-specific.

Preview file
29 KB
Preview file
42 KB
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
a week ago
Jump to solution

Did you install policy after making changes as described here? https://support.checkpoint.com/results/sk/sk38702
SCV policy applies to all users equally, I believe.
Don't believe you can make specific policies for specific groups of users.
For more granular options, I suspect you'll have to use Endpoint Compliance features.

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
a week ago
Jump to solution

Did you install policy after making changes as described here? https://support.checkpoint.com/results/sk/sk38702
SCV policy applies to all users equally, I believe.
Don't believe you can make specific policies for specific groups of users.
For more granular options, I suspect you'll have to use Endpoint Compliance features.

0 Kudos
RAlexander
Explorer
Friday
In response to PhoneBoy
Jump to solution

Thanks for the answer.
Everything worked out,
he was inattentive and ruled the policy on the gateway, not on SMS.
But there is still a question with the implementation of my scenario. Are you saying to use Endpoint Compliance, is this when choosing Endpoint instead of Mobile when installing the agent?

0 Kudos
PhoneBoy
Admin
Admin
Friday
In response to RAlexander
Jump to solution

For the client piece, yes.
To use/manage such features, you need Harmony Endpoint and the appropriate licenses.

the_rock
Legend
Legend
Friday
In response to RAlexander
Jump to solution

Definitely harmony endpoint, as Phoneboy said. Its way more robust and has bunch of more features.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events