fir3net
  • Home
  • Articles
  • Firewalls
  • Check Point
  • Configuring per user IP assignment using ipassignment.conf in Check Point for remote access users

Configuring per user IP assignment using ipassignment.conf in Check Point for remote access users

In order to assign individual IPs and ranges to certains remote access users, Check Point provides a configuration file allowing you to configure your gateway as required. This configuration file is :

        $FWDIR/conf/ipassignment.conf

This article we will outline some of the possible gotcha`s and also run through the required steps.
Within this example we will provide a single user (certificate based) with a specific IP address and allow the rest of the subnet to be assigned to the rest of the users within this group.

Steps

  1. Edit the file $FWDIR/conf/ipassignment.conf with the required changes. Please click here to view the configuration file with the required changes for this example.
  2. Ensure you have selected the required option within the Check Point Object telling it to use the  ipassignment.conf file.
  3. Check the file using the command vpn ipafile_check ipassignment.conf detail‏
  4. Push the Policy to the Gateway and test that your changes have been successful.

Gotcha`s

  • You cannot use the hostname of the gateway but can use the Gateway object name within the conf file.
  • You must push the policy after making changes to the ipassignment.conf file.
  • For users using certificate based authentication you will need to add the users DN.
  • The vpn ipafile_check ipassignment.conf detail‏ command does not check the spelling of entries within the conf file nor does it check to see if the gateway/object/usernames exsist or are within the policy of the firewall gateway.
    • About the Author

      RDonato

      R Donato

      Ricky Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

      You can find Ricky on Twitter @f3lix001