The two types of Integrity Check failures in AppGate SDP are caused by:
Unverified routes being populated in the Client routing table (or verified routes in the Client being replaced).
A firewall rule on the Client being changed without SDP's permission while Ring Fencing is enabled.
IC Failures Due to Routes
Integrity check failures due to route changes occur:
When a route is expected to be added by the SDP Client and the route is no longer there.
or
When it cannot be verified that a route was added by SDP, because the route already existed on the machine before the Client started and therefore was not added by SDP (it was potentially added by another application).
For example, an Entitlement could be attempting to add an IP address that already exists, so when the Client checks the routes later, an Integrity Check error is generated because the route was not added, and the tunnels are then closed.
Alternatively, the Integrity Check may be enabled by the "Tamper Proofing" feature, which is set in the Policy configuration. If you deselect the "Enable Tamper Proofing" checkbox for all Policies from which the affected user gets their Entitlements, the Integrity Check will no longer be performed, which should resolve the issue.
In the audit logs, the "authorization_succeeded" entries will reveal whether Tamper Proofing is assigned to the Client. The following example from the driver logs illustrates an IC failure due to a missing route, caused by a third-party app deleting the route:
"Site 1": {"gw-id": "gateway_example_com", "status": "down", "error": "Integrity check failed - could not find route 10.1.2.6/32", "code": 0},
Integrity Check Failures Due to Ring Fence Rules
Ring Fence rules are firewall rules which are set on the Client when connected. Integrity check failures due to Ring Fence rules being changed on the SDP Client without the Client's permission (i.e., Ring Fence rules that were not changed by SDP) are usually caused by another application on the Client machine changing the firewall rules when SDP is connected.
When connected, the SDP Client should be the only application that has the ability to change the firewall rules. Occasionally, other applications (e.g., built-in firewalls or third-party security apps) may try to change these rules back to a previous value, or block them. These IC failures can be found in the Client driver logs, as illustrated in the following example:
[2021-06-30T10:45:59.785Z] Info : Closing VPNs: Integrity check failed - FW rules have been modified
[2021-06-30T10:45:59.968Z] Info : [site1] [gateway-site1] Closing (Integrity check failed - FW rules have been modified)
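As an added example that is not part of the AppGate documentation, the following Python parses driver-log lines in the two formats quoted above (the per-site status entry and the timestamped driver message), tallies Integrity Check failures by cause, and attaches the troubleshooting hint this article gives for each cause. The sample log text is constructed from the lines quoted on this page, and the regular expressions are assumptions about the log layout, not a documented log schema.

```python
import json
import re
from typing import Optional

# Constructed sample, assembled from the two log formats quoted above.
SAMPLE_DRIVER_LOG = """\
[2021-06-30T10:45:59.785Z] Info : Closing VPNs: Integrity check failed - FW rules have been modified
[2021-06-30T10:45:59.968Z] Info : [site1] [gateway-site1] Closing (Integrity check failed - FW rules have been modified)
"Site 1": {"gw-id": "gateway_example_com", "status": "down", "error": "Integrity check failed - could not find route 10.1.2.6/32", "code": 0},
[2021-06-30T10:46:02.001Z] Info : Tunnel established
"""

# Hints taken from the article: route failures point at another app touching
# the routing table; FW-rule failures point at another app changing Ring Fence rules.
HINTS = {
    "route": "Check for another application adding/removing the same route; "
             "confirm whether Tamper Proofing is set in the assigned Policies.",
    "fw_rules": "Check built-in or third-party firewalls reverting Ring Fence rules.",
    "other": "Unrecognised IC failure text; inspect the driver log manually.",
}

ROUTE_RE = re.compile(r"could not find route (?P<route>\S+)")
STATUS_RE = re.compile(r'^"(?P<site>[^"]+)":\s*(?P<body>\{.*\}),?$')  # assumed layout
DRIVER_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+\w+\s+:\s+(?P<msg>.*)$")  # assumed layout


def classify_ic_failure(line: str) -> Optional[dict]:
    """Return {'kind': ..., 'route': ..., 'hint': ...} for an IC failure line, else None."""
    line = line.strip()
    m = STATUS_RE.match(line)
    if m:  # per-site status entry with a JSON body
        msg = json.loads(m.group("body")).get("error", "")
    else:  # timestamped driver message
        m = DRIVER_RE.match(line)
        msg = m.group("msg") if m else ""
    if "Integrity check failed" not in msg:
        return None
    r = ROUTE_RE.search(msg)
    kind = "route" if r else ("fw_rules" if "FW rules have been modified" in msg else "other")
    return {"kind": kind, "route": r.group("route") if r else None, "hint": HINTS[kind]}


def summarize(log_text: str) -> dict:
    """Count IC failures per cause and collect the routes reported as missing."""
    counts = {"route": 0, "fw_rules": 0, "other": 0}
    routes = []
    for line in log_text.splitlines():
        f = classify_ic_failure(line)
        if f is None:
            continue
        counts[f["kind"]] += 1
        if f["route"]:
            routes.append(f["route"])
    return {"counts": counts, "missing_routes": routes}
```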