Thread: SCV policy




SCV policy
user name
2006-11-21 14:45:21
Hi,

I want to start using SCV on our home-office users to make sure that they won't be able to disable policy when they are connected to our VPN.

I still want them to be able to disable policy when they are not connected, so disabling this in the SecureClient package is not a solution.

I understand this should be possible with SCV though.

I have already enabled SCV in Global Properties, but I can still disable the policy on my SecureClient when I'm connected to our VPN.

My configuration in Global Properties is:

Apply SCV on Simplified mode Security Policies is checked

Upon verification failure:
Block client's connection

Basic configuration verification on client's machine:
Policy is installed on all interfaces

Configuration Violation Notification on client's machine:
Generate log
Notify the user


What more do I need to do to accomplish this?


Regards,
Torkel

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
SCV policy
user name
2006-11-22 00:24:50
How long are you waiting? I think SCV checks occur every fifteen seconds.

You won't be able to keep them from disabling the policy, but their connections should eventually block.

Why do you want them to be able to disable the policy? We don't allow it and we've rarely had a complaint in 3+ years, and none of them were for business-related reasons.

Ray


>From: Torkel Mathisen <torkel.mathisenBBS.NO>
>Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM>
>To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
>Subject: [FW-1] SCV policy
>Date: Tue, 21 Nov 2006 15:45:21 +0100
>
>Hi,
>
>I want to start using SCV on our home-office users to make sure that they won't be able to disable policy when they are connected to our VPN.
>
>I still want them to be able to disable policy when they are not connected, so disabling this in the SecureClient package is not a solution.
>
>I understand this should be possible with SCV though.
>
>I have already enabled SCV in Global Properties, but I can still disable the policy on my SecureClient when I'm connected to our VPN.
>
>My configuration in Global Properties is:
>
>Apply SCV on Simplified mode Security Policies is checked
>
>Upon verification failure:
>Block client's connection
>
>Basic configuration verification on client's machine:
>Policy is installed on all interfaces
>
>Configuration Violation Notification on client's machine:
>Generate log
>Notify the user
>
>
>What more do I need to do to accomplish this?
>
>
>Regards,
>Torkel
SCV policy
user name
2006-11-22 06:15:54
Torkel Mathisen wrote:
> Hi,
>
> I want to start using SCV on our home-office users to make sure that they won't be able to disable policy when they are connected to our VPN.
>
> I still want them to be able to disable policy when they are not connected, so disabling this in the SecureClient package is not a solution.
>
> I understand this should be possible with SCV though.
>
> I have already enabled SCV in Global Properties, but I can still disable the policy on my SecureClient when I'm connected to our VPN.
>
> My configuration in Global Properties is:
>
> Apply SCV on Simplified mode Security Policies is checked
>
> Upon verification failure:
> Block client's connection
>
> Basic configuration verification on client's machine:
> Policy is installed on all interfaces
>
> Configuration Violation Notification on client's machine:
> Generate log
> Notify the user
>
>
> What more do I need to do to accomplish this?
>
>
> Regards,
> Torkel
>
Hi,
there are many more parameters to configure, but not with SmartDashboard. As you write, you can modify userc.C, so e.g. users cannot stop SecureClient.
Additionally, at the SmartCenter you have the file $FWDIR/conf/local.scv which deals with SCV. As an example: If the parameter "disconnect_when_not_verified" is set to "true", it will not only be checked if the client is compliant when starting the session. Maybe the SCV Editor (http://www.checkpoint.com/downloads/quicklinks/utilities/downloadsng/utilities/sc_scv_tools.html) helps modifying local.scv.
Hope it helps,
best regards,
Matthias
-- 
AERAsec Network Services and Security GmbH
Wagenberger Strasse 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de
http://www.fw-1.eu
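
An added example, not part of the thread or of Check Point's tooling: a small audit of the local.scv setting mentioned in the last message, run here over a constructed sample. It assumes the nested `:name (value)` layout with an `SCVGlobalParams` section; `block_connections_on_unverified` is a further assumption not named in the thread.

```python
import re

# Constructed sample in the assumed layout of $FWDIR/conf/local.scv
# (not taken from the thread).
SAMPLE_LOCAL_SCV = """
(SCVObject
	:SCVGlobalParams (
		:disconnect_when_not_verified (false)
		:block_connections_on_unverified (false)
	)
)
"""

# Settings this audit expects to be "true". The first is named in the thread;
# the second is an assumption about the same section.
EXPECTED_TRUE = ("disconnect_when_not_verified", "block_connections_on_unverified")


def section_body(text, name):
    """Return the text inside ':name ( ... )', tracking nested parentheses."""
    m = re.search(r":" + re.escape(name) + r"\s*\(", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError(f"unbalanced parentheses in section {name}")


def global_params(text):
    """Parse the ':key (value)' pairs of SCVGlobalParams into a dict."""
    body = section_body(text, "SCVGlobalParams") or ""
    pairs = re.findall(r":(\w+)\s*\(([^()]*)\)", body)
    return {key: value.strip().strip('"') for key, value in pairs}


def audit(text):
    """List enforcement settings that are missing or not set to 'true'."""
    params = global_params(text)
    return [f"{key}: {params.get(key, 'not set')}" for key in EXPECTED_TRUE
            if params.get(key, "").lower() != "true"]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCAL_SCV):
        print("FINDING", finding)
```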
