Configuring per user IP assignment using ipassignment.conf in Check Point for remote access users

In order to assign individual IPs and ranges to certains remote access users, Check Point provides a configuration file allowing you to configure your gateway as required. This configuration file is :

$FWDIR/conf/ipassignment.conf

This article we will outline some of the possible gotcha`s and also run through the required steps.
Within this example we will provide a single user (certificate based) with a specific IP address and allow the rest of the subnet to be assigned to the rest of the users within this group.

Steps

  1. Edit the file $FWDIR/conf/ipassignment.conf with the required changes.
#
# file: ipassignment.conf
#
# This file is used to implement the IP-per-user feature.  It allows the
# administrator to assign specific addresses to specific users or specific
# ranges to specific groups when they connect using Office Mode or L2TP.
#
# The format of this file is simple:  Each line specifies the target
# gateway, the IP address (or addresses) we wish to assign and the user
# (or group) name as in the following examples:
#
# Gateway        Type   IP Address                                User Name
# =============  =====  ========================================  =========================================
# Paris-GW,             10.5.5.8,                                 Jean
# Brasilia,      addr   10.6.5.8, wins=(192.168.3.2,192.168.3.3)  Joao  # comments are allowed
# Miami,         addr   10.7.5.8, dns=(192.168.3.7,192.168.3.8)   CN=John,OU=users,O=cpmgmt.acme.com.gibeuu
# Miami          range  100.107.105.110-100.107.105.119/24        Finance
# Miami          net    10.7.5.32/28  suffix=(acct.acme.com)      Accounting
#
# Note that real records do not begin with a pound-sign (#), and the commas
# are optional.  Invalid lines are treated as comments.  Also, the
# user name may be followed by a pound-sign and a comment.
#
# The first item is the gateway name.  This could be a name, an IP
# address or an asterisk (*) to signify all gateways.  A gateway will
# only honor lines that refer to it.
#
# The second item is a descriptor.  It can be 'addr', 'range' or 'net'.
# 'addr' specifies one IP for one user.  This prefix is optional.
# 'range' and 'net' specify a range of addresses.  These prefixes are
# required.
#
# The third item is the IP address or addresses.  In the case of a single
# address, it is specified in standard dotted decimal format.
# ranges can be specified either by the first and last IP address, or using
# a net specification.  In either case you need to also specify the subnet
# mask length ('/24' means 255.255.255.0).  With a range, this is the subnet
# mask.  With a net it is both the subnet mask and it also determines the
# addresses in the range.
#
# After the third item come any of three keyword parameters.  These are
# specifications for WINS (or NBNS) servers, for DNS servers and a DNS
# suffix.  The parameters themselves are on the format 'keyword=(params)'
# where the params can be one address (such as "192.168.3.2"), several
# IP addresses (such as "192.168.3.2,192.168.3.3") or a string (only
# for the DNS suffix.  The relevant keywords are "dns", "wins" and
# "suffix" and they are not case-sensitive.
# Inside the keyword parameters there must be no spaces or any other
# extra characters.  These will cause the entire line to be ignored.
#
# The last item is the user name.  This can be a common name if the
# user authenticates with some username/password method (like hybrid
# or MD5-Challenge) or a DN if the user authenticates with a
# certificate.
#
firewall-object,       addr    192.168.1.254, dns=(192.168.2.2,192.168.2.3) wins=(192.168.2.2,192.168.2.3) CN=user1,OU=users,O=firewall-manager..5e2qan
firewall-object,       range   192.168.1.1-192.168.1.253/24, dns=(192.168.2.2,192.168.2.3) wins=(192.168.2.2,192.168.2.3)       Some-Usergroup
  1. Ensure you have selected the required option within the Check Point Object telling it to use the  ipassignment.conf file.
  2. Check the file using the command vpn ipafile_check ipassignment.conf detail‏
  3. Push the Policy to the Gateway and test that your changes have been successful.

Gotcha`s

  1. You cannot use the hostname of the gateway but can use the Gateway object name within the conf file.
  2. You must push the policy after making changes to the ipassignment.conf file.
  3. For users using certificate based authentication you will need to add the users DN.
  4. The vpn ipafile_check ipassignment.conf detail‏ command does not check the spelling of entries within the conf file nor does it check to see if the gateway/object/usernames exsist or are within the policy of the firewall gateway.
Rick Donato

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial