In order to assign individual IPs and ranges to certain remote access users, Check Point provides a configuration file that lets you configure your gateway as required. This configuration file is:
$FWDIR/conf/ipassignment.conf
This article will outline some of the possible gotchas and also run through the required steps.
In this example we will provide a single user (certificate based) with a specific IP address and allow the rest of the subnet to be assigned to the remaining users within this group.
Steps
- Edit the file $FWDIR/conf/ipassignment.conf with the required changes.
#
# file: ipassignment.conf
#
# This file is used to implement the IP-per-user feature. It allows the
# administrator to assign specific addresses to specific users or specific
# ranges to specific groups when they connect using Office Mode or L2TP.
#
# The format of this file is simple: Each line specifies the target
# gateway, the IP address (or addresses) we wish to assign and the user
# (or group) name as in the following examples:
#
# Gateway        Type   IP Address                                  User Name
# =============  =====  ========================================    =========================================
# Paris-GW,             10.5.5.8,                                   Jean
# Brasilia,      addr   10.6.5.8, wins=(192.168.3.2,192.168.3.3)    Joao # comments are allowed
# Miami,         addr   10.7.5.8, dns=(192.168.3.7,192.168.3.8)     CN=John,OU=users,O=cpmgmt.acme.com.gibeuu
# Miami          range  100.107.105.110-100.107.105.119/24          Finance
# Miami          net    10.7.5.32/28 suffix=(acct.acme.com)         Accounting
#
# Note that real records do not begin with a pound-sign (#), and the commas
# are optional. Invalid lines are treated as comments. Also, the
# user name may be followed by a pound-sign and a comment.
#
# The first item is the gateway name. This could be a name, an IP
# address or an asterisk (*) to signify all gateways. A gateway will
# only honor lines that refer to it.
#
# The second item is a descriptor. It can be 'addr', 'range' or 'net'.
# 'addr' specifies one IP for one user. This prefix is optional.
# 'range' and 'net' specify a range of addresses. These prefixes are
# required.
#
# The third item is the IP address or addresses. In the case of a single
# address, it is specified in standard dotted decimal format.
# ranges can be specified either by the first and last IP address, or using
# a net specification. In either case you need to also specify the subnet
# mask length ('/24' means 255.255.255.0). With a range, this is the subnet
# mask. With a net it is both the subnet mask and it also determines the
# addresses in the range.
#
# After the third item come any of three keyword parameters. These are
# specifications for WINS (or NBNS) servers, for DNS servers and a DNS
# suffix. The parameters themselves are on the format 'keyword=(params)'
# where the params can be one address (such as "192.168.3.2"), several
# IP addresses (such as "192.168.3.2,192.168.3.3") or a string (only
# for the DNS suffix. The relevant keywords are "dns", "wins" and
# "suffix" and they are not case-sensitive.
# Inside the keyword parameters there must be no spaces or any other
# extra characters. These will cause the entire line to be ignored.
#
# The last item is the user name. This can be a common name if the
# user authenticates with some username/password method (like hybrid
# or MD5-Challenge) or a DN if the user authenticates with a
# certificate.
#
firewall-object, addr 192.168.1.254, dns=(192.168.2.2,192.168.2.3) wins=(192.168.2.2,192.168.2.3) CN=user1,OU=users,O=firewall-manager..5e2qan
firewall-object, range 192.168.1.1-192.168.1.253/24, dns=(192.168.2.2,192.168.2.3) wins=(192.168.2.2,192.168.2.3) Some-Usergroup
- Ensure you have selected the required option within the Check Point gateway object telling it to use the ipassignment.conf file.
- Check the file using the command: vpn ipafile_check ipassignment.conf detail
- Push the Policy to the Gateway and test that your changes have been successful.
Gotchas
- You cannot use the hostname of the gateway, but you can use the gateway object name within the conf file.
- You must push the policy after making changes to the ipassignment.conf file.
- For users using certificate-based authentication you will need to add the user's DN.
- The vpn ipafile_check ipassignment.conf detail command does not check the spelling of entries within the conf file, nor does it check whether the gateway/object/user names exist or are within the policy of the firewall gateway.
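Because vpn ipafile_check only validates syntax, the following is an added example (not a Check Point tool, and not part of the original article) of a small checker that parses ipassignment.conf according to the rules in the file header above (optional commas, pound-sign comments, the addr/range/net descriptors, dns/wins/suffix keywords with no inner spaces, trailing user name or DN) and then cross-checks each record against an inventory of gateway object names and user/group names. The inventory, the sample file contents and the overlap check between entries on the same gateway are constructed for the demonstration and are assumptions; the sample deliberately includes a hostname instead of an object name, a keyword parameter with a space in it, and an address that collides with a group range.

```python
"""Parser and sanity checker for the ipassignment.conf format (added example, not a Check Point tool)."""
import ipaddress
import re
from dataclasses import dataclass

DESCRIPTORS = ("addr", "range", "net")
# keyword=(params): no whitespace or other stray characters may appear inside the parentheses
KEYWORD_RE = re.compile(r"(dns|wins|suffix)=\(([^()\s]*)\)", re.IGNORECASE)
RANGE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})")


@dataclass
class Assignment:
    line_no: int
    gateway: str
    kind: str                      # 'addr', 'range' or 'net'
    first: ipaddress.IPv4Address   # first (or only) address handed out
    last: ipaddress.IPv4Address    # last address handed out
    mask_len: int
    params: dict                   # lower-cased keyword -> list of values
    user: str                      # user name, group name or certificate DN


def parse_line(line, line_no):
    """Return (Assignment, None) for a record, (None, reason) for a line the gateway would
    silently ignore, and (None, None) for a blank line or a comment."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None, None
    text = re.sub(r"\s#.*$", "", text)                              # comment after the user name
    tokens = [t for t in (t.rstrip(",") for t in text.split()) if t]  # commas are optional
    if len(tokens) < 3:
        return None, "fewer than three fields"
    gateway, idx, kind = tokens[0], 1, "addr"                       # 'addr' prefix is optional
    if tokens[1].lower() in DESCRIPTORS:
        kind, idx = tokens[1].lower(), 2
    if idx >= len(tokens) - 1:
        return None, "missing address or user name"
    addr, idx = tokens[idx], idx + 1
    try:
        if kind == "addr":
            first = last = ipaddress.IPv4Address(addr)
            mask_len = 32
        elif kind == "range":
            m = RANGE_RE.fullmatch(addr)
            if not m:
                return None, "range must be written first-last/masklen"
            first, last = ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2])
            mask_len = int(m[3])
            if first > last or mask_len > 32:
                return None, "range bounds or mask length out of order"
        else:
            net = ipaddress.IPv4Network(addr)                       # strict: host bits must be zero
            first, last, mask_len = net[0], net[-1], net.prefixlen
    except ValueError as exc:
        return None, f"bad address: {exc}"
    params = {}
    while idx < len(tokens) - 1:                                    # everything before the last token
        m = KEYWORD_RE.fullmatch(tokens[idx])
        if not m:
            return None, f"unexpected token {tokens[idx]!r} (space inside keyword params?)"
        params[m[1].lower()] = m[2].split(",")
        idx += 1
    return Assignment(line_no, gateway, kind, first, last, mask_len, params, tokens[idx]), None


def check_file(text, gateway_names=(), principal_names=()):
    """Parse a whole file and cross-check it against an inventory of gateway object names and
    user/group names (which vpn ipafile_check does not do). The overlap check between entries
    that apply to the same gateway is a sanity check added here, not a documented Check Point rule."""
    assignments, warnings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        a, reason = parse_line(line, n)
        if a is None:
            if reason:
                warnings.append(f"line {n}: ignored ({reason})")
            continue
        assignments.append(a)
        if a.gateway != "*" and a.gateway not in gateway_names:
            warnings.append(f"line {n}: gateway {a.gateway!r} is not a known object name (hostnames are not accepted)")
        if a.user not in principal_names:
            warnings.append(f"line {n}: user/group {a.user!r} not found in the inventory")
    for i, a in enumerate(assignments):
        for b in assignments[i + 1:]:
            shared_gw = a.gateway == b.gateway or "*" in (a.gateway, b.gateway)
            if shared_gw and a.first <= b.last and b.first <= a.last:
                warnings.append(f"lines {a.line_no} and {b.line_no}: overlapping addresses")
    return assignments, warnings


# Constructed sample resembling the article's file, plus three deliberate mistakes (lines 4, 6 and 7).
SAMPLE_CONF = """\
# file: ipassignment.conf
firewall-object, addr 192.168.1.254, dns=(192.168.2.2,192.168.2.3) wins=(192.168.2.2,192.168.2.3) CN=user1,OU=users,O=firewall-manager..5e2qan
firewall-object, range 192.168.1.1-192.168.1.253/24, dns=(192.168.2.2,192.168.2.3) Some-Usergroup # trailing comment
fw-gw01.example.net addr 192.168.1.250 Alice
firewall-object net 192.168.3.0/28 suffix=(corp.example) Accounting
firewall-object addr 192.168.1.200 dns=(192.168.2.2, 192.168.2.3) Bob
* addr 192.168.1.10 Carol
"""
# Constructed inventory standing in for the object names the management server actually knows.
KNOWN_GATEWAYS = {"firewall-object"}
KNOWN_PRINCIPALS = {"CN=user1,OU=users,O=firewall-manager..5e2qan", "Some-Usergroup",
                    "Alice", "Accounting", "Bob", "Carol"}

if __name__ == "__main__":
    found, problems = check_file(SAMPLE_CONF, KNOWN_GATEWAYS, KNOWN_PRINCIPALS)
    for a in found:
        print(f"line {a.line_no}: {a.gateway} {a.kind} {a.first}-{a.last}/{a.mask_len} -> {a.user} {a.params}")
    for w in problems:
        print("WARNING", w)
```

Running it against the sample reports the hostname on line 4 as an unknown gateway object, shows that line 6 would be dropped entirely because of the space inside dns=(...), and flags line 7 because an asterisk gateway entry hands out an address that also sits inside the group range on line 3. Replace SAMPLE_CONF and the two inventory sets with the real file and the object names exported from your management server.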