| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Not sure if anyone has experienced this issue, but I thought that I would ask.

I have configured a firewall for SecureClient and I have set up my local.scv file to check for the Integrity client. I have also modified my Global Properties to not allow connectivity to the VPN if the SCV check fails. In order that the SecureClient can communicate with the Integrity Server, there has to be a rule on the FW that allows unverified communication between the Client and the Server in order to receive policy etc.

I created 3 new services for unverified http, https and Zoneprotocol as described in the guide. The new services look like this:

- Service of type other
- protocol 6
- match dport=80, r_scvres=SCV_DONT_VERIFY

The same was done for https - dport=443 and the service for zoneprotocol has protocol 17 and dport=6054.

When I try to install the policy, however, I get the following errors:

"/opt/CPfw1-R55p/conf/Standard_11_18_2005_1.pf", line 3136: ERROR: cannot find <http_wo_scv> anywhere

"/opt/CPfw1-R55p/conf/Standard_11_18_2005_1.pf", line 2623: ERROR: syntax error

Has anyone seen this before?
| |||
Hi James,

we ran into the same problem using NGX R60, wasting quite some time following the instructions in the documentation.

Finally we discovered that there's a button under Policy/Global Properties/Remote Access/Secure Configuration Verification (SCV) right behind the "Apply SCV on Simplified mode ..." checkbox called "Exceptions...". Pressing this button and entering your Integrity Server as a host with the services http, https and ZSP should do the trick. The rules mentioned in the documentation are not required.

My guess is that for this feature the documentation isn't up-to-date.

Hope that helps,
Christian

Last edited by cettinger; 2006-05-11 at 06:14. Reason: Typos