Thread: SV: SCV policy
|
|
| SV: SCV policy |

|
2006-11-23 08:43:17 |
Why would you be sure of that? ;)

I modified the local.scv file on the Policy Server and not on the SmartCenter.

It looked more logical to modify it directly on the Policy Server because that file was much bigger with much more parameters already included than the one on the SmartCenter.

But you say that it's the local.scv on the SmartCenter that should be edited and then it will push to the Policy Server when I push policy or something?

-Torkel
-----Original message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM] On behalf of Ray
Sent: 22 November 2006 16:26
To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] SV: [FW-1] SCV policy
You are modifying the copy on the SmartCenter and pushing the policy afterwards, right? I'm sure you are, but I thought I'd ask.

How often are your topology updates set for? I have mine set for one hour to assure changes like these are downloaded quickly. Check the copy on the laptop after you connect and make sure the changes you made are present.

As an alternative to allowing it to be disabled, you could set up an "all users any" inbound and outbound rule with any-any-accept. That would give the same effect, but you could add rules remotely when needed and not have to worry about the firewall being disabled.

Ray
>From: Torkel Mathisen <torkel.mathisen BBS.NO>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
>To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
>Subject: [FW-1] SV: [FW-1] SCV policy
>Date: Wed, 22 Nov 2006 12:15:12 +0100
>
> > Hi,
> > there are much more parameters to configure, but not with
> > SmartDashboard. As you write, you can modify userc.C, so e.g. users
> > cannot stop SecureClient.
> > Additionally, at the SmartCenter you have the file $FWDIR/conf/local.scv
> > which deals with SCV. As an example: If the parameter
> > "disconnect_when_not_verified" is set to "true", it will not only be
> > checked if the client is compliant when starting the session. Maybe the
> > SCV Editor
> > (http://www.checkpoint.com/downloads/quicklinks/utilities/downloadsng/utilities/sc_scv_tools.html)
> > helps modifying local.scv.
> > Hope it helps,
> > best regards,
> > Matthias
>
>I tried to modify local.scv also. I modified:
>
> :SCVGlobalParams (
> :disconnect_when_not_verified (true)
> :block_connections_on_unverified (true)
> )
>
>Modified from false to true.
>
>It looks right to me, but he still didn't get blocked.
>
>Anything else?
>
>
>Regards,
>Torkel
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to LISTSERV amadeus.us.checkpoint.com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-owner ts.checkpoint.com
>=================================================
|
|
| SV: SCV policy |

|
2006-11-23 22:13:23 |
Yes. Or rather, that's the way I do it and my changes work.
The ipassignment.conf file is one of the very few I know of that must be modified on the gateway and not the SmartCenter.
Ray
>From: Torkel Mathisen <torkel.mathisen BBS.NO>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
>To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
>Subject: [FW-1] SV: [FW-1] SV: [FW-1] SCV policy
>Date: Thu, 23 Nov 2006 09:43:17 +0100
>
>Why would you be sure of that? ;)
>
>I modified the local.scv file on the Policy Server and not on the SmartCenter.
>
>It looked more logical to modify it directly on the Policy Server because
>that file was much bigger with much more parameters already included than
>the one on the SmartCenter.
>
>But you say that it's the local.scv on the SmartCenter that should be
>edited and then it will push to the Policy Server when I push policy or
>something?
>
>-Torkel
>
>-----Original message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM] On behalf of Ray
>Sent: 22 November 2006 16:26
>To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
>Subject: Re: [FW-1] SV: [FW-1] SCV policy
>
>You are modifying the copy on the SmartCenter and pushing the policy
>afterwards, right? I'm sure you are, but I thought I'd ask.
>
>How often are your topology updates set for? I have mine set for one hour
>to assure changes like these are downloaded quickly. Check the copy on the
>laptop after you connect and make sure the changes you made are present.
>
>As an alternative to allowing it to be disabled, you could set up an "all
>users any" inbound and outbound rule with any-any-accept. That would give
>the same effect, but you could add rules remotely when needed and not have
>to worry about the firewall being disabled.
>
>Ray
>
>
> >From: Torkel Mathisen <torkel.mathisen BBS.NO>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
> >To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
> >Subject: [FW-1] SV: [FW-1] SCV policy
> >Date: Wed, 22 Nov 2006 12:15:12 +0100
> >
> > > Hi,
> > > there are much more parameters to configure, but not with
> > > SmartDashboard. As you write, you can modify userc.C, so e.g. users
> > > cannot stop SecureClient.
> > > Additionally, at the SmartCenter you have the file $FWDIR/conf/local.scv
> > > which deals with SCV. As an example: If the parameter
> > > "disconnect_when_not_verified" is set to "true", it will not only be
> > > checked if the client is compliant when starting the session. Maybe the
> > > SCV Editor
> > > (http://www.checkpoint.com/downloads/quicklinks/utilities/downloadsng/utilities/sc_scv_tools.html)
> > > helps modifying local.scv.
> > > Hope it helps,
> > > best regards,
> > > Matthias
> >
> >I tried to modify local.scv also. I modified:
> >
> > :SCVGlobalParams (
> > :disconnect_when_not_verified (true)
> > :block_connections_on_unverified (true)
> > )
> >
> >Modified from false to true.
> >
> >It looks right to me, but he still didn't get blocked.
> >
> >Anything else?
> >
> >
> >Regards,
> >Torkel
> >
|
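The check Ray suggests (confirming that the edited parameters are present in the copy the client actually received), as an added example that is not part of the original thread. It reads the `:SCVGlobalParams` set from two copies of local.scv and reports where the two parameters from the thread are not `true`; the function names and both sample texts are constructed for illustration, and only the parameter names come from the thread.

```python
import re

# Constructed samples: the block quoted in the thread, in its edited state
# (true) and in its pre-edit state (false).
SMARTCENTER_COPY = """:SCVGlobalParams (
    :disconnect_when_not_verified (true)
    :block_connections_on_unverified (true)
)"""
CLIENT_COPY = """:SCVGlobalParams (
    :disconnect_when_not_verified (false)
    :block_connections_on_unverified (false)
)"""

# The two parameters the thread changed from false to true.
REQUIRED = {
    "disconnect_when_not_verified": "true",
    "block_connections_on_unverified": "true",
}

def global_params(scv_text):
    """Return {name: value} for the pairs inside :SCVGlobalParams ( ... )."""
    start = re.search(r":SCVGlobalParams\s*\(", scv_text)
    if not start:
        raise ValueError("no :SCVGlobalParams set found")
    depth, i = 1, start.end()
    while i < len(scv_text) and depth:      # walk to the matching ')'
        depth += {"(": 1, ")": -1}.get(scv_text[i], 0)
        i += 1
    if depth:
        raise ValueError("unbalanced parentheses in :SCVGlobalParams")
    body = scv_text[start.end():i - 1]
    pairs = re.findall(r":(\w+)\s*\(\s*([^()\s]*)\s*\)", body)
    return {name: value.strip('"') for name, value in pairs}

def audit(smartcenter_text, client_text, required=REQUIRED):
    """Return (name, expected, smartcenter_value, client_value) per mismatch."""
    mgmt, client = global_params(smartcenter_text), global_params(client_text)
    return [
        (name, want, mgmt.get(name), client.get(name))
        for name, want in required.items()
        if mgmt.get(name) != want or client.get(name) != want
    ]

if __name__ == "__main__":
    for name, want, on_mgmt, on_client in audit(SMARTCENTER_COPY, CLIENT_COPY):
        print(f"{name}: want {want}, smartcenter={on_mgmt}, client={on_client}")
```

A mismatch where the SmartCenter value is correct but the client value is not points at distribution (policy push or client update) rather than at the edit itself.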