CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 arifkm786, 2007-03-27
How to Restrict Non-Compliant Clients

All,
My current Env:
Integrity SecureClient 6.5;
Integrity Advanced Server 6.5;
CheckPoint NGX R62.

When a VPN client becomes non-compliant, which setting actually decides that the end user would be "Restricted" from accessing the internal resources?

The possible settings which would do this, I think, are:

Setting on the Integrity Server:
a) In the Enforcement Rule Action "Restrict clients that don't comply"

or

Setting in local.scv:
b) block_connections_on_unverified(true) in the SCVGlobalParams section in local.scv file

or

c) Global Properties--->RemoteAccess-->SecureConfigurationVerification(SCV)--->Block Client Connection on Verification failure.

or which of these override each other, or in what order...

When I turn on setting (a) and turn off setting (c), the Integrity client says Integrity Policy is Restricted but I am still able to access the internal resources.

I would really appreciate it if someone can shed light on this, please.

Thanks

#2 aussie_in, 2007-03-27
Re: How to Restrict Non-Compliant Clients

Hi,

I am running Integrity server 6.0.0.657 and in that (a) option works fine.

Aussie

#3 arifkm786, 2007-03-28
Re: How to Restrict Non-Compliant Clients

Hello Aussie, thanks for your reply.

For me, enabling option (a) on the Integrity Server Enforcement Rule doesn't block any connections unless I enable option (c) on my Firewall Gateway.

Enabling option (a), my Integrity client says "Active Policy is Restricted" and Secure Client says "configuration unverified", but I am still able to access the internal resources.

Can you please confirm if that's the case in your case?

To me this is still not clear, and any help from the community experts would be well appreciated.

Thanks

#4 arifkm786, 2007-04-26
Re: How to Restrict Non-Compliant Clients

Hi, this works now.
After setting option a), I was not setting the "Restriction Firewall Rules" that block the connection on SCV failure.

Thanks

#5 amjadali88, 2008-04-22
Re: How to Restrict Non-Compliant Clients

Hi Everyone:

I am using Check Point Endpoint Security version 7.2.

The issue we have currently is that the user (VPN / local LAN) will get the warning alert and after 1~2 minutes he will be blocked. We want to enforce the policy in such a way that as soon as the user is non-compliant, he will be blocked immediately without any warning.

Summary:

User is non-compliant, and when he connects to our network he will be blocked within 1 second. (We don't want the Policy Server to wait for Heart beat and Client Settings.)

Is it a doable option with this product?

Thanks

#6 chillyjim, 2008-04-22
Re: How to Restrict Non-Compliant Clients

No, it's not; you must wait at least one HB.

Please recheck your version; there is no 7.2 of CPES-SA.