tmorgan
Contributor

VPN Client Enforcing Settings Not Configured in Gateway

 

The first experience I am getting is this....

The gateway is configured to perform "Single Authentication" / "Compatibility with Older clients". The authentication method is RADIUS and is not configured to ask for password as first challenge. There is no "MultiAuthentication client settings" configured. All fairly standard stuff.

If you take a clean installer it will connect to the gateway and then ask for the username, but the password field will be greyed out (as I would expect). You click next, enter the RADIUS prompt, and the client throws a wobbly that the password is wrong. Slightly less standard stuff!

If I install the customer's customised installer then the client will ask me for the username and the password, move on to the RADIUS token, then let me log in.

So obviously the client has been configured at some point in this environment's long and distant past to require the user to provide the password regardless... but what gives with the gateway? Where is the setting requiring the password... but not requiring the password is some strange setting in the gateway I just can't find? Is this a 'feature'? What am I missing?

The second strange experience I am getting is...

You try and connect to the Gateway using a domain machine and you are let in without issue. You try and connect using a non-domain machine and you can connect, but get a message in the client that it isn't a member of the domain and you can access internal resources. However, if you add a registry entry with the domain name under System\CurrentControlSet\Services\Tcpip\Parameters\Domain then you can get in without issue.

So you think maybe Mobile Access is configured to perform compliance checking. You look at the Gateway Properties -> Mobile Access -> Endpoint compliance but it's disabled. So you open up the local.scv file on the gateway, but this is a completely standard unedited file.

Facts and Figures

  • OS/version of the client PC = Windows 10 / Windows 11
  • Version of Remote Access client = It looks like this experience has been the same for years, current version 87.30.
  • Exact version/JHF take level of gateway = It's been configured like this since R77 days. Current version is R81.10.
  • For Endpoint/Remote Access, please include the client versions = eh?
  • A simplified network diagram is always appreciated = Fairly standard Internet -> Gateway -> Internal network, not sure it's required for this post.
  • References to precise documentation you followed, the results you were expecting, and the results = None
  • Relevant screenshots are helpful = Not sure these are too helpful at this point this is all fairly standard messages.
0 Kudos
1 Solution

Accepted Solutions
tmorgan
Contributor

So a quick update on this one. After a lot of back and forwards with TAC I am starting to suspect that whoever did the last major upgrade on this firewall copied the state files on the gateways instead of the config files on the SMS, e.g. $FWDIR/state/ instead of $FWDIR/conf/.

I have been given the below advice from TAC. However, due to a number of issues in this environment I suspect I am going to recommend a clean install to R81.20 in the hope to move us to a known, and soon to be documented, condition.


SCV configuration is incomplete without enabling "policy server" blade on the FW.


After making the changes on the $FWDIR/conf/local.scv file in the MGMT server.
During policy installation, $FWDIR/conf/local.scv file in the MGMT is copied to following locations:
$FWDIR/state/<Name_of_GW_Object>/PS ------- of the MGMT server
$FWDIR/state/local/PS/ -------- of the Security Gateway

In our case, 
$FWDIR/state/ - files are not default 
$FWDIR/conf/ - files are default

We believe that those have become corrupt.

I'm attaching $FWDIR/conf/local.scv file from my Lab MGMT server (R81.10 take 130) in the outgoing folder of SFTP server.

>Backup the files:
$FWDIR/state/<Name_of_GW_Object>/PS ------- of the MGMT server
$FWDIR/state/local/PS/ -------- of the Security Gateway

>Download the local.scv file from the SFTP server
>Load it in $FWDIR/conf/ of the MGMT server.
>Install the database
>Install the policy

This should resolve your issue.

 


0 Kudos
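
The backup step from the TAC advice above, together with a check for the conf/state mismatch the post describes, as an added example that is not part of the original post or of TAC's instructions. It assumes the copy inside each PS directory is also named local.scv; the function names are hypothetical and only standard tools (tar, cmp) are used.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: each PS directory under
# $FWDIR/state/ holds its copy of the SCV policy as a file named local.scv.

# scv_backup FWDIR DEST: archive every state/<name>/PS directory into DEST.
scv_backup() {
    fwdir=$1; dest=$2
    mkdir -p "$dest" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    for ps in "$fwdir"/state/*/PS; do
        [ -d "$ps" ] || continue
        name=$(basename "$(dirname "$ps")")
        tar -cf "$dest/PS_${name}_${stamp}.tar" -C "$fwdir/state/$name" PS || return 1
    done
    return 0
}

# scv_drift FWDIR: print one status line per PS copy.
# Returns 0 if all copies match conf/local.scv, 1 on any difference,
# 2 if the reference file itself is missing.
scv_drift() {
    fwdir=$1; ref="$fwdir/conf/local.scv"; rc=0
    [ -f "$ref" ] || { echo "MISSING $ref"; return 2; }
    for ps in "$fwdir"/state/*/PS; do
        [ -d "$ps" ] || continue
        copy="$ps/local.scv"
        if [ ! -f "$copy" ]; then
            echo "ABSENT  $copy"; rc=1
        elif cmp -s "$ref" "$copy"; then
            echo "MATCH   $copy"
        else
            echo "DIFFERS $copy"; rc=1
        fi
    done
    return $rc
}

# Runs only when invoked as: sh scv_check.sh --run <backup_dir>
# (FWDIR must already be set in the environment.)
if [ "${1:-}" = "--run" ]; then
    scv_backup "$FWDIR" "$2" && scv_drift "$FWDIR"
fi
```

Run on both the management server and the gateway, a DIFFERS line after a policy install indicates that the state copy was not refreshed from $FWDIR/conf/.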
4 Replies
the_rock
Legend
Legend

I would definitely see if you can do remote with TAC for this...sounds like it may need some more investigation.

Best,

Andy

0 Kudos
tmorgan
Contributor

Yeah, I had a feeling that was the case. I just wanted to see if there were any obvious points I had missed. I tend to try and avoid CP TAC as it tends to be a bit... abrasive... in the UK.

(1)
the_rock
Legend
Legend

I hear ya. Let's see if others will have some ideas.

Best,

Andy

0 Kudos
