Saturday, April 18, 2020

Implementing Secure Client Verification (SCV) on Check Point gateways


Introduction


This post was written whilst organisations were coping with the fallout from the Corona / COVID-19 pandemic.  Organisations were faced with the task of enabling the workforce to work remotely, and to do so securely.  Apart from implementing MFA, device posture (compliance) checking of your endpoints is arguably one of the more effective ways to address the risks of granting your users access into your network.

Check Point allows us to do this in multiple ways by utilizing a feature called Secure Client Verification (SCV).  In very simple terms, this lets us perform numerous checks (is AV running, is the OS supported, is it patched, is the machine a member of the corporate domain, etc.) on an endpoint before we allow it to access our network via a VPN.

SMS Configuration


Go to Global Properties - Secure Configuration Verification
Ensure "Apply Secure Configuration...." is selected

Gateway Configuration


On your Cluster / gateway object, ensure that IPSec Policy Server is selected.



This allows us to add the desktop policy to our policy package, which in turn allows the magic to happen.  Go to Security Policies -> Manage policies and layers.  Ensure "Desktop Security" is ticked.



Publish your changes and navigate to the policy package you just edited.  You'll see you have a brand new "Desktop Policy" in your Access Control section.  Click "Open Desktop Policy in SmartDashboard", making sure to select Read-Write mode.



Navigate to the "Desktop" tab.  We will need to create a rule here, otherwise the policy will fail to install (it's the policy installation that transfers the local.scv file to the gateway, but more on that later).

If you are just running the Check Point Mobile client then whatever you do here will have no impact, as this client does not have a firewall component.  That said, click "Add Rule at the Bottom" and add a rule, anything will do.



If you're running the full client then obviously don't add a rule that puts you at risk; but then you would probably already have rules in place, which makes this step unnecessary.

Update the SMS with your changes and exit SmartDashboard.



local.scv file details


Now comes the slightly archaic bit.  Your actual compliance rules in this instance are controlled by a text file called "local.scv" that resides on your SMS inside the $FWDIR/conf folder.  I'll include links to more extensive documentation at the end of the post; for this example I'll show how to check for domain membership (checkpoint.root here).  The desired outcome is that if the VPN client is not a member of the checkpoint.root domain, it will be denied access.

You can either edit the local.scv file in place using the vi editor, or transfer it to your workstation, edit it there and upload the edited file.  Here are the relevant edited sections:



: (RegMonitor
    :type (plugin)
    :parameters (
        :string ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain=checkpoint.root")
        :begin_admin (admin)
            :send_log (alert)
            :mismatchmessage ("Your computer doesn't meet the domain membership requirements.")
        :end (admin)
    )
)



:SCVPolicy (
    : (RegMonitor)
)



:SCVGlobalParams (
    :enable_status_notifications (false)
    :status_notifications_timeout (10)
    :disconnect_when_not_verified (true)
    :block_connections_on_unverified (false)
    :scv_policy_timeout_hours (168)
    :enforce_ip_forwarding (false)
    :not_verified_script ("")
    :not_verified_script_run_show (false)
    :not_verified_script_run_admin (false)
    :not_verified_script_run_always (false)
    :allow_non_scv_clients (false)
    :skip_firewall_enforcement_check (true)
)
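To see mechanically what these sections do, here is a small Python model I added for this post (it is not Check Point code): it parses the local.scv set-file syntax, reads which checks :SCVPolicy enables, and evaluates the RegMonitor string against a registry snapshot the way the gateway decides compliance. The SCVObject/SCVNames skeleton around the fragment, the case-insensitive comparison and the dictionary standing in for the Windows registry are my assumptions.

```python
import re

# Constructed local.scv: the post's RegMonitor check in the SCVObject skeleton (assumed).
SAMPLE_SCV = r'''(SCVObject
  :SCVNames (
    : (RegMonitor
      :type (plugin)
      :parameters (
        :string ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain=checkpoint.root")
        :mismatchmessage ("Your computer doesn't meet the domain membership requirements.")
      )
    )
  )
  :SCVPolicy ( : (RegMonitor) )
)'''
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')   # tokens: ( ) "quoted" bare-atom

def parse(tokens, i=0):
    # One '( [head] :key (...) ... )' node -> ((head, members), index after its ')').
    if tokens[i] != '(':
        raise ValueError(f'expected "(" at token {i}, got {tokens[i]!r}')
    i, head, members = i + 1, None, []
    if tokens[i] not in ('(', ')') and not tokens[i].startswith(':'):
        head, i = tokens[i].strip('"'), i + 1       # object name or leaf value
    while tokens[i] != ')':                          # IndexError here = unbalanced parens
        if not tokens[i].startswith(':'):
            raise ValueError(f'expected :key at token {i}, got {tokens[i]!r}')
        node, j = parse(tokens, i + 1)
        members.append((tokens[i][1:], node))
        i = j
    return (head, members), i + 1

def verify(scv_text, registry):
    # Simulate the RegMonitor checks enabled in :SCVPolicy against a registry snapshot
    # ({'HKLM-relative key\\ValueName': data}); case-insensitive compare is my assumption.
    root, _ = parse(TOKEN.findall(scv_text))
    sections = dict(root[1])                         # SCVNames / SCVPolicy / SCVGlobalParams
    enabled = {node[0] for _, node in sections['SCVPolicy'][1]}
    reg = {k.lower(): str(v).lower() for k, v in registry.items()}
    problems = []
    for _, check in sections['SCVNames'][1]:
        if check[0] != 'RegMonitor' or check[0] not in enabled:
            continue
        params = dict(check[1])['parameters'][1]
        for key, node in params:
            if key == 'string':
                path, expected = node[0].split('=', 1)
                if reg.get(path.lower()) != expected.lower():
                    problems.append(dict(params)['mismatchmessage'][0])
    return not problems, problems
```

A machine whose Tcpip\Parameters\Domain value is not checkpoint.root (or is absent) comes back non-compliant with the mismatchmessage text, which is the message the user sees; a file with unbalanced parentheses fails to parse, which is worth catching before you push policy.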


Client Output


Once the updated file is saved on your SMS, you can push policy to your gateways, making sure "Desktop Security" is ticked.  When policy installation is done you can attempt to establish a VPN connection to your gateway.  If you are not compliant you will get an error message similar to the one below (the text is what you set as mismatchmessage in the local.scv file).

Conclusion


The advantage of building and configuring Secure Compliance Verification is that you do not need to purchase any additional licenses or install any software beyond the Mobile Client.  The drawbacks, in my opinion, are:
1.  Not as fully featured as the checks that can be done with the full Check Point endpoint solution
2.  You cannot have granular SCV rules (i.e. check Y for UserA, check Z for UserB)
3.  It's a global setting enforced from your SMS, so you cannot have separate checks for separate gateways

Having said that, it's an awesome feature that for some reason is not very well-known among Check Point admins.

I found the following resources very helpful when first building this out in my lab:

Check Point sk65267
Check Point sk147416

https://community.checkpoint.com/t5/Remote-Access-Solutions/White-Paper-Check-Point-Compliance-Checking-with-Secure/m-p/57123#M1737
