Introduction
SMS Configuration
Ensure "Apply Secure Configuration...." is selected
Gateway Configuration
Enabling Desktop Security adds a Desktop Policy to our policy package, and it is the installation of that Desktop Policy that delivers the SCV configuration to the gateway, so this step is what makes the whole thing work. Go to Security Policies -> Manage policies and layers, open your policy package and ensure "Desktop Security" is ticked.
Publish your changes and navigate to the policy package you just edited. You'll see you have a brand new "Desktop Policy" in your Access Control section. Click "Open Desktop Policy in SmartDashboard", making sure to select Read-Write mode.
Navigate to the "Desktop" tab. We will need to create a rule here, otherwise the policy will fail to install (it's the policy installation that transfers the local.scv file to the gateway, but more on that later).
If you are only running the Check Point Mobile client, whatever you add here has no effect, because that client has no firewall component. A rule is still required for the policy to install, so click "Add Rule at the Bottom" and add one; anything will do.
If you are running the full client (the one with the desktop firewall), don't add a rule that weakens your posture; in that case you will probably already have Desktop rules in place, which makes this step unnecessary.
Update the SMS with your changes and exit SmartDashboard.
local.scv file details
The local.scv file lives on the SMS under $FWDIR/conf. You can either edit it in place with vi, or copy it to your workstation, edit it there and upload the edited file back. Three sections matter here: SCVNames, where each check is defined; SCVPolicy, which lists the checks to enforce; and SCVGlobalParams, which controls how the client behaves. Here are the relevant edited sections (RegMonitor registry paths are relative to HKEY_LOCAL_MACHINE):

  : (RegMonitor
    :type (plugin)
    :parameters (
      :string ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain=checkpoint.root")
      :begin_admin (admin)
        :send_log (alert)
        :mismatchmessage ("Your computer doesn't meet the domain membership requirements.")
      :end (admin)
    )
  )

  :SCVPolicy (
    : (RegMonitor)
  )

  :SCVGlobalParams (
    :enable_status_notifications (false)
    :status_notifications_timeout (10)
    :disconnect_when_not_verified (true)
    :block_connections_on_unverified (false)
    :scv_policy_timeout_hours (168)
    :enforce_ip_forwarding (false)
    :not_verified_script ("")
    :not_verified_script_run_show (false)
    :not_verified_script_run_admin (false)
    :not_verified_script_run_always (false)
    :allow_non_scv_clients (false)
    :skip_firewall_enforcement_check (true)
  )

The :string parameter compares the Domain value with "checkpoint.root"; on a mismatch the client logs the failure as an alert and shows the mismatch message to the user. Of the global parameters, disconnect_when_not_verified (true) drops the VPN tunnel when the check fails, block_connections_on_unverified (false) leaves the client's non-VPN traffic alone, allow_non_scv_clients (false) refuses clients that do not support SCV at all, and skip_firewall_enforcement_check (true) is what lets Check Point Mobile, which has no desktop firewall, pass verification. Be clear about what this check proves: the Domain string under Tcpip\Parameters is an ordinary registry value that any local administrator can set, so a user on an unmanaged machine can satisfy it by hand. Treat it as a posture check, not as proof of domain membership.
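As an added example that is not part of the original post or of Check Point's tooling, here is a small Python checker for local.scv fragments. Its grammar is an assumption: it approximates the file's set syntax (":key (value)" pairs, anonymous ": (Name ...)" entries, quoted strings) closely enough for the constructs shown above, and flags the slips that cause trouble when you push the Desktop Policy: an unbalanced parenthesis, an SCVPolicy entry that names a check never defined under SCVNames, and a RegMonitor :string check that lacks the "=expected" part. The SAMPLE inside is constructed for this example and mirrors the fragment above, wrapped in the SCVObject / SCVNames structure the real file uses.

```python
"""Sanity checker for Check Point local.scv fragments (added example, not Check Point code).
Approximates the set-file syntax (":key (value)", anonymous ": (Name ...)", quoted strings)
well enough to flag unbalanced parentheses, SCVPolicy entries with no SCVNames definition
and RegMonitor :string checks missing the "=expected" part. SAMPLE below is constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# quoted string (the format has no escapes), parens, ":key" or bare ":", bare word
TOKEN = re.compile(r'"[^"]*"|\(|\)|:\w*|[^\s()":]+')


@dataclass
class Node:
    key: str                    # "type" for ":type (...)", "" for anonymous ": (...)"
    head: Optional[str] = None  # first scalar inside the parens, quotes stripped
    children: list = field(default_factory=list)


def parse(text):
    """Parse text into a synthetic root Node; raise ValueError on syntax errors."""
    toks = ["("] + TOKEN.findall(text) + [")"]  # wrap so the whole file is one entry
    pos = 0

    def entry(key):
        nonlocal pos
        if toks[pos:pos + 1] != ["("]:
            raise ValueError(f"expected '(' after :{key}")
        pos += 1
        node = Node(key)
        while pos < len(toks):
            t = toks[pos]
            if t == ")":
                pos += 1
                return node
            if t.startswith(":"):        # nested ":key (...)" or anonymous ": (...)"
                pos += 1
                node.children.append(entry(t[1:]))
            elif t == "(":               # bare "(...)" such as the outer (SCVObject ...)
                node.children.append(entry(""))
            elif node.head is None:      # the entry's value, or the name in ": (Name ...)"
                pos += 1
                node.head = t.strip('"')
            else:
                raise ValueError(f"unexpected token {t!r} inside :{key}")
        raise ValueError("unbalanced parentheses: missing ')'")

    root = entry("")
    if pos != len(toks):
        raise ValueError("unbalanced parentheses: unexpected ')'")
    return root


def find(node, key):
    """Depth-first search for the first entry named key, or None."""
    if node.key == key:
        return node
    return next((hit for hit in (find(c, key) for c in node.children) if hit), None)


def check(text):
    """Return a list of problems; an empty list means the fragment passed."""
    try:
        root = parse(text)
    except ValueError as e:
        return [str(e)]
    problems = []
    names = find(root, "SCVNames")
    policy = find(root, "SCVPolicy")
    defined = {c.head for c in names.children} if names else set()
    for ref in (policy.children if policy else []):  # every enforced check must be defined
        if ref.head not in defined:
            problems.append(f"SCVPolicy references {ref.head!r} but SCVNames does not define it")
    for chk in (names.children if names else []):    # :string must be "path\value=expected"
        for params in (c for c in chk.children if c.key == "parameters"):
            for p in params.children:
                if chk.head == "RegMonitor" and p.key == "string" and "=" not in (p.head or ""):
                    problems.append(f"RegMonitor :string {p.head!r} has no '=expected' part")
    return problems


SAMPLE = r'''(SCVObject
  :SCVNames (
    : (RegMonitor
      :type (plugin)
      :parameters (
        :string ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain=checkpoint.root")
        :begin_admin (admin)
          :send_log (alert)
          :mismatchmessage ("Your computer doesn't meet the domain membership requirements.")
        :end (admin)
      )
    )
  )
  :SCVPolicy (
    : (RegMonitor)
  )
  :SCVGlobalParams (
    :disconnect_when_not_verified (true)
    :allow_non_scv_clients (false)
    :skip_firewall_enforcement_check (true)
  )
)'''
```

Run check() over the edited file before uploading it to the SMS: an empty list means it parsed and cross-referenced cleanly, which is exactly the kind of error a text editor will not catch for you. It cannot tell you whether the registry path itself is right for your estate.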
Client Output
Conclusion
1. It is not as fully featured as the compliance checks available with the full Check Point Endpoint Security suite
2. SCV rules are not granular: you cannot apply check Y to UserA and check Z to UserB
3. It is a global setting enforced from your SMS, so you cannot have separate checks for separate gateways
Having said that, it's an awesome feature that for some reason is not very well-known among Check Point admins.
I found the following resources very helpful when first building this out in my lab:
Check Point sk65267
Check Point sk147416
https://community.checkpoint.com/t5/Remote-Access-Solutions/White-Paper-Check-Point-Compliance-Checking-with-Secure/m-p/57123#M1737