zsszlama
Contributor

Secure Configuration Verification

Hello Guys,

One of our customers wants to have a demo about host compliance checks when they are connecting via RA VPN. They are using only hard clients, so I thought to create a demo environment with Secure Configuration Verification (SCV). As I read, it's a legacy solution, but I'm not aware of a different solution as they don't have Check Point Endpoint Security.

During my tests I ran into two issues. I hope you can help me with where I should search for a solution.

Issue 1:

I cannot create an easy check where the SCV check says the client is compliant. I tried the following checks:

(SCVObject
	:SCVNames (
		: (BrowserMonitor
			:type (plugin)
			:parameters (
				:browser_major_version (5)
				:browser_minor_version (0)
				:browser_version_operand (">=")
				:browser_version_mismatchmassage ("Please upgrade your Internet browser.")
			)
		)
		: (OsMonitor
			:type (plugin)
			:parameters (
			:begin_or (or1)
			:begin_and (and1)
				os_build_number_10 (0)
				:os_build_operand_10 ("==")
			:end (and1)
			:begin_and (and2)
				:os_build_number_11 (0)
				:os_build_operand_11 ("==")
			:end (and2)
			:end (or1)
			:begin_admin (admin)
				:send_log (alert)
				:mismatchmessage ("update os")
			:end (admin)
			)
		)
		: (ProcessMonitor
			:type (plugin)
			:parameters (
				:explorer.exe (true)
				:begin_admin (admin)
					:send_log (alert)
					:mismatchmessage ("explorer.exe is not running")
				:end (admin)
			)
		)
		: (AntiVirusMonitor
			:type (plugin)
			:parameters (
				:type ("Windows Defender")
				:begin_admin (admin)
					:send_log (alert)
					:mismatchmessage ("Please update your AntiVirus (use the LiveUpdate option).")
				:end (admin)
			)
		)
	)
	:SCVPolicy (
		:(I tried all above individually)
	)
	:SCVGlobalParams (
		:enable_status_notifications (true)
		:status_notifications_timeout (10)
		:disconnect_when_not_verified (false)
		:block_connections_on_unverified (false)
		:scv_policy_timeout_hours (168)
		:enforce_ip_forwarding (false)
		:not_verified_script ("")
		:not_verified_script_run_show (false)
		:not_verified_script_run_admin (false)
		:not_verified_script_run_always (false)
		:allow_non_scv_clients (false)
		:skip_firewall_enforcement_check (false)
	)
)

Issue 2:

I rolled back the changes by copying back the original $FWDIR/conf/local.scv file. At this point the policy change worked. When I made a change by modifying $FWDIR/conf/local.scv, the policy install failed with the following:

Policy: ##Standard
Status: Failed
- Failed to merge SCV policies. Local SCV file may be corrupt
- Desktop policies will not be installed on Policy Servers
- Failed to merge SCV policies. Local SCV file may be corrupt
- Desktop policies will not be installed on Policy Servers

I restored $FWDIR/conf/local.scv again and the policy install worked, and after another config modification the install failed again.

Can you guys give me a helping hand with these issues?

Please let me know if you need more details.

Thanks in advance!

Zsolt

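A structural pre-check that can be run on an edited local.scv before policy install, as an added example that is not part of the original post and is not Check Point code. The function name `lint_scv` and its two rules (every entry starts with `:`, and each `:begin_*` label is closed by a matching `:end`) are assumptions inferred from the file shown above, not a documented grammar; the sample is constructed from the posted OsMonitor block.

```python
import re
# A token is a quoted string, one parenthesis, or a bare word. A quoted string is
# a single token, so parentheses inside a mismatch message are not counted.
TOKEN = re.compile(r'"[^"\n]*"|[()]|[^\s()"]+')

def lint_scv(text):
    """Return sorted (line_number, message) findings for a local.scv-style file."""
    findings, parens, blocks = [], [], []
    for no, line in enumerate(text.splitlines(), 1):
        tokens = TOKEN.findall(line)
        first = tokens[0] if tokens else ""
        # Assumed rule: every entry is written ':name (value)' or ': (Name'.
        if first not in ("", "(", ")") and not first.startswith((":", '"')):
            findings.append((no, f"entry '{first}' has no leading ':'"))
        # Assumed rule: ':begin_x (label)' is closed by ':end (label)', innermost first.
        if len(tokens) >= 3 and tokens[1] == "(":
            if first.startswith(":begin_"):
                blocks.append((tokens[2], no))
            elif first == ":end":
                label = blocks.pop()[0] if blocks else None
                if label != tokens[2]:
                    findings.append((no, f"':end ({tokens[2]})' does not close '{label}'"))
        for tok in tokens:
            if tok == "(":
                parens.append(no)
            elif tok == ")" and not parens:
                findings.append((no, "')' closes nothing"))
            elif tok == ")":
                parens.pop()
    findings += [(no, "'(' is never closed") for no in parens]
    findings += [(no, f"':begin' block '{label}' is never ended") for label, no in blocks]
    return sorted(findings)

# Constructed sample modelled on the OsMonitor block in the post; the final ')' is left off.
SAMPLE = '''(SCVObject
  :SCVNames (
    : (OsMonitor
      :parameters (
        :begin_and (and1)
          os_build_number_10 (0)
          :os_build_operand_10 ("==")
        :end (and1)
        :begin_admin (admin)
          :mismatchmessage ("update os (ask IT)")
        :end (admin)
      )
    )
  )
'''
```

`lint_scv(SAMPLE)` reports the unclosed `(` on line 1 and the entry without a leading `:` on line 6; an empty list means the file passed these two structural rules only, not that the gateway will accept it.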