Thanks Joe. I am, however, just a tad confused; I simply cannot get the thing
to work. I create a local.scv file with the bare minimum (just a check for
browser version), I install the policy with no problems, connect my secure
client machine and I get a SmartTracker entry on the firewall that says
"Message_info: Clients configuration is not verified" REJECT. And every
subsequent packet is rejected. These are the actions that I have followed:

1) Enabled SCV checking on Smart_Dashboard in global properties

2) I have been using the default local.scv file from $FWDIR/conf
(C:\winnt\fw1\NG\conf\local.scv). When I run SecureClient on the laptop I get
the above log entry (and subsequently can't get anywhere on the network)

3) I then tried to remove most of the default checks, i.e. processmonitor and
OSMonitor (using the SCVEditor, backing up the original of course), so as
to get the local.scv file down to 1 or 2 checks only, but I get the same
result

It seems that the error message "Clients configuration is not verified" is
suggesting that rather than passing or failing the checks, the checks aren't
even taking place in the first place! Why would that be?

PS: I have tried downloading all the different versions of SecureClient and
all have the same issue

Here is my currently installed local.scv file:

(SCVObject
        :SCVNames (
                : (user_policy_scv
                        :type (plugin)
                        :parameters ()
                )
                : (BrowserMonitor
                        :type (plugin)
                        :parameters (
                                :browser_major_version (5)
                                :browser_minor_version (0)
                                :browser_version_operand (">=")
                                :browser_version_mismatchmassage ("A newer Internet Explorer version is required. Upgrade your Internet Explorer.")
                                :send_log (alert)
                        )
                )
        )
        :SCVPolicy (
                : (user_policy_scv)
        )
        :SCVGlobalParams (
                :block_connections_on_unverified (false)
                :scv_policy_timeout_hours (24)
                :enforce_ip_forwarding (true)
        )
)

Any help on this would be greatly appreciated

Cheers
Gary

-----Original Message-----
From: Joe Pope [mailto:[EMAIL PROTECTED]
Sent: 22 July 2004 16:05
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] SCV questions

I would suggest backing up your present C:\winnt\fw1\NG\conf\local.scv (in
case the local.scv gets corrupted!) and then inserting your new local.scv file.
Then you have to install the policy. If you get an error that the local.scv is
corrupt, you can fall back on the original file.

I am not using a Nokia, but two SecurePlatforms (clustered) and two Win 2000
management stations. I only update my local.scv file on my primary management
station and install the policy. The new local.scv is pushed automatically to
my secondary management station. I have never had any problems "syncing" the
local.scv on other servers.

I would try a test with an SCV you know a SecureClient will fail and see if
it works. The only problem I have had (R55 HFA03) is erratic logging for
SCV failures (sometimes it logs an alert, other times nothing is logged).

I have found that you must be very careful with the format of local.scv; it
is easy to corrupt the file. I always make a backup of the running local.scv
file before editing, just in case.


Joe
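
The format problems Joe describes can be caught mechanically before the policy is installed. The following is an added example, not part of the original thread and not Check Point tooling: the grammar is inferred from the local.scv quoted above, and `parse`, `section`, `check_scv` and `SAMPLE` are hypothetical names. It checks parenthesis balance, strings broken across lines, and that every entry in SCVPolicy is defined in SCVNames.

```python
import re

# Grammar inferred from the local.scv quoted in this thread (an assumption, not
# a Check Point specification): parentheses, ":" keys, double-quoted strings.
TOKEN = re.compile(r'"[^"\n]*"|[()]|[^\s()"]+|"')

def parse(text):
    """Return (tree, errors); the tree is nested lists of atom strings."""
    errors, stack = [], [[]]
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")" and len(stack) > 1:
            stack[-2].append(stack.pop())
        elif tok == ")":
            errors.append("unmatched ')'")
        elif tok == '"':  # a lone quote: no closing quote on the same line
            errors.append("string unterminated or wrapped across lines")
        else:
            stack[-1].append(tok)
    if len(stack) > 1:
        errors.append("%d unclosed '('" % (len(stack) - 1))
    return stack[0], errors

def section(obj, key):
    """Return the names of the '(name ...)' entries in the list after key, or None."""
    for item, nxt in zip(obj, obj[1:]):
        if item == key and isinstance(nxt, list):
            return [e[0] for e in nxt if isinstance(e, list) and e and isinstance(e[0], str)]
    return None

def check_scv(text):
    """Return (errors, notes) for a candidate local.scv before policy install."""
    tree, errors = parse(text)
    if errors or len(tree) != 1 or tree[0][:1] != ["SCVObject"]:
        return errors or ["top level must be one (SCVObject ...) list"], []
    defined, listed = section(tree[0], ":SCVNames"), section(tree[0], ":SCVPolicy")
    if defined is None or listed is None:
        return ["missing :SCVNames or :SCVPolicy section"], []
    errors = ["SCVPolicy lists undefined check " + n for n in listed if n not in defined]
    notes = ["defined but not listed in SCVPolicy: " + n for n in defined if n not in listed]
    return errors, notes

# Constructed sample, modelled on the file layout quoted in the thread.
SAMPLE = """(SCVObject
 :SCVNames ( : (user_policy_scv :type (plugin) :parameters ())
             : (BrowserMonitor :type (plugin) :parameters (:send_log (alert))) )
 :SCVPolicy ( : (user_policy_scv) )
 :SCVGlobalParams ( :block_connections_on_unverified (false) ) )"""
```

Pass the text of the edited file to `check_scv` and install the policy only when the error list is empty; the notes are a consistency cross-check, not a statement about enforcement.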

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Brett, Gary
Sent: Thursday, July 22, 2004 8:13 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] SCV questions


Thanks for that, but may I ask: $FWDIR/conf on my management station
(c:\winnt\fw1\NG\conf) already has a local.scv file that is 6kb. I presume
this is the default file that is created upon installation. Do I replace
this file completely with the McAfee one (which incidentally is a lot
smaller), or do I have to integrate the code from McAfee into the already
present file?

Secondly, I searched my primary Nokia IP350 for local.scv and it produced
the 4 locations below. Which one of these does it push out to? Or will it
push to all 4?

# find / -name local.scv

/var/opt/CPfw1-50-03/conf/local.scv
/var/opt/CPfw1-50-03/state/local/PS/local.scv
/var/opt/CPfw1-50-03/state/wallington/PS/local.scv
/opt/CPfw1-50-03/policy/local.scv

Thanks
Gary


-----Original Message-----
From: Hendriks, D. [mailto:[EMAIL PROTECTED]
Sent: 21 July 2004 19:41
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] SCV questions

Some answers:

>2) Due to my Nokia HA solution (2 IP350's and a management box), where
>exactly do I put the configured local.scv file? Does it go on both Nokias?
>If so, in which location? Or does it reside only on the management box?

Put it in the $FWDIR/conf on the management module.
Upon the installation of the Desktop Policy it gets pushed to the FW
modules.

>3) What do I need to do in Smart Dashboard? The only thing I can find
>is to enable SCV in global properties > remote access > secure
>configuration verification. I have ticked all 5 checkboxes. Is there
>anything I need to do in the rulebases or anywhere else?

You need the policy server.

>4) One more question: if I enable SCV in the dashboard and install the
>policy, will it just ignore the setting if no local.scv files are present?
>I was just concerned that I've enabled SCV checking in the GUI and as yet
>I've not configured a local.scv file, but all of my SecureClient connections
>are getting in fine. Is this normal? Will it only kick in when I create
>the local.scv file?

What isn't there can't be checked....;-)

Hope this helps,

Dion

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
This electronic message contains information from Cetelem UK Credit Ltd
which may be privileged or confidential. The information is intended to be
for the use of the individual(s) or entity named above. If you are not the
intended recipient be aware that any disclosure, copying, distribution or
use of the contents of this information is prohibited. If you have received
this electronic message in error, please notify us by telephone or email (to
the numbers or address above) immediately.
