- Products
- Learn
- Local User Groups
- Partners
- More
Check Point Jump-Start Online Training
Now Available on CheckMates for Beginners!
Why do Hackers Love IoT Devices so Much?
Join our TechTalk on Aug 17, at 5PM CET | 11AM EST
Welcome to Maestro Masters!
Talk to Masters, Engage with Masters, Be a Maestro Master!
ZTNA Buyer’s Guide
Zero Trust essentials for your most valuable assets
The SMB Cyber Master
Boost your knowledge on Quantum Spark SMB gateways!
As YOU DESERVE THE BEST SECURITY
Upgrade to our latest GA Jumbo
CheckFlix!
All Videos In One Space
Hi.
I'm looking for an option to restrict VPN access only for laptops which are "domain members".
Is there a way to accomplish that? (All PCs/Part of them?)
Thanks,
Alex
Hi Konstantinos
I finally got this working with SCV by using the below option. Please note when we login to our machines, based on the GPO we are placed under Users Group which has a AD group for domain users called "ABC\Domain Users", where ABC is your company domain. Unfortunately there was not a lot of documentation and examples of groupmonitor in either the admin guides, endpoint guides etc, but is working fine with this option below. This is a pretty strong SCV check and hard to fake compared to reg keys or process monitor checks (my 2 cents...)
: (groupmonitor
:type (plugin)
:parameters (
:"builtin\Administrators" (false)
:"builtin\Users=YOURCOMPANY\Domain Users" (true)
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("Make sure you are logged on as an authorized user.")
:securely_configured_no_active_user (false)
:end (admin)
)
)
Make sure to add this in the end for it to be effective,
:SCVPolicy (
: (groupmonitor)
)
the group monitor syntax above is correct, however I noticed it was not giving consistent results since that setting gets updated/created when user logs in and was taking a while, in the mean time if the Checkpoint VPN is launched the compliance will fail. Instead of spending more time on it, I ended up with creating additional registry settings, one for domain check as below and few other "secret" entries that is unique to your company and custom which can be applied via GPO to all users. The logic will be true for all the entries.
:string ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain=your_company_domain")
:string ("SOFTWARE\ABC_COMPANY\Loadset\Global\Build\Version>=911")
etc etc......
In addition we did the LDAP integration for the gateway, where the VPN matching criteria in the access role is users=your_company_domain only. This way even if registry and process checks are spoofed via scv, the source identity will restrict network access, besides the VPN authentication to the gateway with or without MFA.
To summarize for a good overall secure solution :-),
a. scv checks based on registry and process (works perfectly fine for large number of users)
b. authentication to gateway using MFA
c. access role rule with source identity as domain users only matching remote access VPN criteria > in-line rules to grant specific network access
Yes, there's an option in the Endpoint Security VPN client called "Secure Configuration Verification" (SCV).
One of the checks you can configure is "Verifies that the user logged into the operating system and is a member of specified Domain User Groups."
That should meet your specific requirement.
Note this only applies to Windows PCs as the Mac VPN client does not support these checks.
Refer to: Remote Access VPN R80.10 (Part of Check Point Infinity)
Thanks.
Two additional questions:
1. Does that require specific VPN client license/flavor?
2. How do I enforce that only this type of client can connect?
TIA
It requires the Endpoint Security VPN client, which requires a remote access VPN license for each user that connects.
In terms of our current Endpoint licenses, this includes:
However, other legacy licenses may include this .
If you have questions about this, reach out to your Check Point account team or Partner.
The procedure for enforcing that only that client can connect includes:
This should be covered in the documentation I linked previously.
Apparently SCV policy is a global property, and if the customer has more than one gateway or more different policies for different type of users it's not possible, at least I couldn't find any documentation on this and support guys didn't also.
Anyone who has any field experience with the SCV policy, please comment.
Thanks
Hi Alex,
Did you manage to accomplish this in the end?
Hi Darran.
Unfortunately there was no workaround.
I was forced to implement this for all the gateways.
Regards,
Alex
Hi
can we restrict with windows domain member for example : allow the only machine which is in abc.com & sampla.com
Hi
By group monitor, we can restrict allow only based on domain member.At endpoint side, the secure client is enough or i need to install endpoint security.
HI
Can you please confirm below configuration for domain monitor in local.scv file.
: (groupmonitor
:type (plugin)
:parameters (
:begin_or (or1)
:begin_and (1)
:mydomian.com (true)
:end (1)
:end (or1)
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("You are using SecureClient with a non-authorized user.\nMake sure you are logged on as an authorized user.")
:securely_configured_no_active_user (false)
:end (admin)
)
)
Hi Konstantinos
I finally got this working with SCV by using the below option. Please note when we login to our machines, based on the GPO we are placed under Users Group which has a AD group for domain users called "ABC\Domain Users", where ABC is your company domain. Unfortunately there was not a lot of documentation and examples of groupmonitor in either the admin guides, endpoint guides etc, but is working fine with this option below. This is a pretty strong SCV check and hard to fake compared to reg keys or process monitor checks (my 2 cents...)
: (groupmonitor
:type (plugin)
:parameters (
:"builtin\Administrators" (false)
:"builtin\Users=YOURCOMPANY\Domain Users" (true)
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("Make sure you are logged on as an authorized user.")
:securely_configured_no_active_user (false)
:end (admin)
)
)
Make sure to add this in the end for it to be effective,
:SCVPolicy (
: (groupmonitor)
)
Hello
Thank you for your response 🙂 .We are in the same page.
It is not very hard to fake the domain if you create a domain controller and a same domain name with the corporate you want to "attack".
As concerns processes just a rename does the bypass..
As concerns registry key i don't know if there is a way to find somehow the "required" keys in order to connect and pass compliance "client side"
BR,
Kostas
i'm also struggling with ad scv at the moment. did you find any documentation on this topic, or where do you have your syntax from?
thanks in advance
thank you for your fast reply. i've already seen the domain check via registry. but i thought the check via the groupmonitor was a bit more secure.
the group monitor syntax above is correct, however I noticed it was not giving consistent results since that setting gets updated/created when user logs in and was taking a while, in the mean time if the Checkpoint VPN is launched the compliance will fail. Instead of spending more time on it, I ended up with creating additional registry settings, one for domain check as below and few other "secret" entries that is unique to your company and custom which can be applied via GPO to all users. The logic will be true for all the entries.
:string ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain=your_company_domain")
:string ("SOFTWARE\ABC_COMPANY\Loadset\Global\Build\Version>=911")
etc etc......
In addition we did the LDAP integration for the gateway, where the VPN matching criteria in the access role is users=your_company_domain only. This way even if registry and process checks are spoofed via scv, the source identity will restrict network access, besides the VPN authentication to the gateway with or without MFA.
To summarize for a good overall secure solution :-),
a. scv checks based on registry and process (works perfectly fine for large number of users)
b. authentication to gateway using MFA
c. access role rule with source identity as domain users only matching remote access VPN criteria > in-line rules to grant specific network access
Hi,
Other way of achieving your requirement (Only Domain users can connect remote VPN) is that you can enable Mobile access blade and create Native application for Domain check.
You need to enable Endpoint security scan check in Mobile access blade and create Native application for Domain check.
This is long process but it is very stable. I have enabled this scenario for one customer and it is working fine.
What I need to is to only allow domain users to connect to VPN who are using corporate machines. Mac and Linux machines would be great but I at least need to check the Windows machines which will be joined to our corporate domain.
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY