Check Point Per User IP Assignment Using ipassignment.conf

Published 3 December 2009 (last updated 6 January 2023)
Source: https://www.fir3net.com/Firewalls/Checkpoint/configuring-per-ip-assignment-using-ipassignmentconf-in-checkpoint.html
In order to assign individual IPs and ranges to certain remote access users, Check Point provides a configuration file that lets you configure your gateway as required. This configuration file is:
$FWDIR/conf/ipassignment.conf

This article outlines some of the possible gotchas and runs through the required steps.

Steps
Within this example we will provide a single user (certificate based) with a specific IP address and allow the rest of the subnet to be assigned to the remaining users within this group.
<pre>
#
# file: ipassignment.conf
#
# This file is used to implement the IP-per-user feature. It allows the
# administrator to assign specific addresses to specific users or specific
# ranges to specific groups when they connect using Office Mode or L2TP.
#
# The format of this file is simple: Each line specifies the target
# gateway, the IP address (or addresses) we wish to assign and the user
# (or group) name as in the following examples:
#
# Gateway        Type   IP Address                                          User Name
# =============  =====  ==================================================  =========================================
# Paris-GW,             10.5.5.8,                                           Jean
# Brasilia,      addr   10.6.5.8,  wins=(192.168.3.2,192.168.3.3)          Joao # comments are allowed
# Miami,         addr   10.7.5.8,  dns=(192.168.3.7,192.168.3.8)           CN=John,OU=users,O=cpmgmt.acme.com.gibeuu
# Miami          range  100.107.105.110-100.107.105.119/24                 Finance
# Miami          net    10.7.5.32/28  suffix=(acct.acme.com)               Accounting
#
# Note that real records do not begin with a pound-sign (#), and the commas
# are optional. Invalid lines are treated as comments. Also, the
# user name may be followed by a pound-sign and a comment.
#
# The first item is the gateway name. This could be a name, an IP
# address or an asterisk (*) to signify all gateways. A gateway will
# only honor lines that refer to it.
#
# The second item is a descriptor. It can be 'addr', 'range' or 'net'.
# 'addr' specifies one IP for one user. This prefix is optional.
# 'range' and 'net' specify a range of addresses. These prefixes are
# required.
#
# The third item is the IP address or addresses. In the case of a single
# address, it is specified in standard dotted decimal format.
# Ranges can be specified either by the first and last IP address, or using
# a net specification. In either case you need to also specify the subnet
# mask length ('/24' means 255.255.255.0). With a range, this is the subnet
# mask. With a net it is both the subnet mask and it also determines the
# addresses in the range.
#
# After the third item come any of three keyword parameters. These are
# specifications for WINS (or NBNS) servers, for DNS servers and a DNS
# suffix. The parameters themselves are in the format 'keyword=(params)'
# where the params can be one address (such as "192.168.3.2"), several
# IP addresses (such as "192.168.3.2,192.168.3.3") or a string (only
# for the DNS suffix). The relevant keywords are "dns", "wins" and
# "suffix" and they are not case-sensitive.
# Inside the keyword parameters there must be no spaces or any other
# extra characters. These will cause the entire line to be ignored.
#
# The last item is the user name. This can be a common name if the
# user authenticates with some username/password method (like hybrid
# or MD5-Challenge) or a DN if the user authenticates with a
# certificate.
#
firewall-object, addr 192.168.1.254, dns=(192.168.2.2,192.168.2.3) wins=(192.168.2.2,192.168.2.3) CN=user1,OU=users,O=firewall-manager..5e2qan
firewall-object, range 192.168.1.1-192.168.1.253/24, dns=(192.168.2.2,192.168.2.3) wins=(192.168.2.2,192.168.2.3) Some-Usergroup
</pre>
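Because the gateway silently treats any malformed record as a comment, it is worth checking the file before pushing it. The following checker is an added example, not code from the article or from Check Point: it parses records using the rules stated in the file header above and reports lines the gateway would ignore. The function names (`parse_record`, `lint`) and the sample records in `SAMPLE` are constructed for this illustration.

```python
import ipaddress
import re

def parse_record(line):
    """One record as a dict; None for a comment line; ValueError if the gateway would silently ignore it."""
    body = line.split("#", 1)[0].strip()          # '#' starts a comment, even after the user name
    if not body:
        return None
    toks = [t.rstrip(",") for t in body.split()]  # commas between fields are optional
    if len(toks) < 3:
        raise ValueError("need gateway, address and user name")
    rec = {"gateway": toks.pop(0), "kind": "addr", "dns": [], "wins": [], "suffix": None}
    if toks[0].lower() in ("addr", "range", "net"):   # 'addr' is optional, 'range'/'net' are required
        rec["kind"] = toks.pop(0).lower()
    spec = toks.pop(0)
    if rec["kind"] == "addr":                      # IPv4Address rejects '10.0.0.0/24' written without 'net'
        rec["ip"] = str(ipaddress.IPv4Address(spec))
    elif "/" not in spec:
        raise ValueError("'range' and 'net' need a mask length such as /24")
    elif rec["kind"] == "net":
        rec["net"] = str(ipaddress.IPv4Network(spec, strict=False))
    else:                                          # range: first-last/masklen
        ips, mask = spec.split("/", 1)
        rec["first"], rec["last"], rec["mask"] = (*(str(ipaddress.IPv4Address(x)) for x in ips.split("-")), int(mask))
    while toks and toks[0].split("=", 1)[0].lower() in ("dns", "wins", "suffix"):  # a DN has '=' but no keyword name
        m = re.fullmatch(r"(dns|wins|suffix)=\(([^()\s]*)\)", toks.pop(0), re.IGNORECASE)
        if not m:                                  # e.g. 'dns=(1.1.1.1, 2.2.2.2)' was split into two tokens
            raise ValueError("space or stray character inside keyword parameters")
        key = m.group(1).lower()
        rec[key] = m.group(2) if key == "suffix" else [str(ipaddress.IPv4Address(v)) for v in m.group(2).split(",")]
    if not toks:
        raise ValueError("missing user name or certificate DN")
    rec["user"] = " ".join(toks)                  # a common name may contain spaces
    return rec

def lint(text):  # (line number, problem) for every record the gateway would drop without any warning
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            parse_record(line)
        except ValueError as err:
            problems.append((n, str(err)))
    return problems

# Constructed sample: the article's certificate-user record plus two lines carrying classic mistakes
SAMPLE = """\
firewall-object, addr 192.168.1.254, dns=(192.168.2.2,192.168.2.3) wins=(192.168.2.2,192.168.2.3) CN=user1,OU=users,O=firewall-manager..5e2qan
firewall-object, addr 192.168.1.250, dns=(192.168.2.2, 192.168.2.3) user2   # space after the comma
firewall-object, 192.168.1.0/24 Everyone   # subnet written without the required 'net' prefix
"""
```

Running `lint(SAMPLE)` flags lines 2 and 3 only; the first record parses with the DN intact as the user name.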