To assign specific IP addresses or ranges to certain Remote Access (Office Mode) users and groups, Check Point provides a configuration file on the Security Management Server that is pushed to the gateway with the policy. This configuration file is:
$FWDIR/conf/ipassignment.conf
In this article we run through the required steps and outline some of the possible gotchas.
In this example we give a single user (certificate based) a specific IP address and make the rest of the subnet available to the other users in that user's group.
Steps
- Edit $FWDIR/conf/ipassignment.conf on the Security Management Server with the required entries. Each non-comment line has four columns: the gateway object name (or * for all gateways), the type (addr, range or net), the IP address, range or network, and the user, group or certificate DN.
- In the gateway object, under the Office Mode settings, select the option that tells the gateway to use the ipassignment.conf file.
- Check the file syntax with the command vpn ipafile_check ipassignment.conf detail
- Install the policy on the gateway and test that the users receive the expected addresses.
Gotchas
- The first column must be the gateway object name as defined in SmartDashboard (or *); the gateway's hostname will not match.
- You must install policy after every change to ipassignment.conf; the gateway only receives the updated file on policy install.
- For users that authenticate with certificates, enter the user's DN (as it appears in the certificate) rather than the username; quote the DN if it contains spaces.
- The vpn ipafile_check ipassignment.conf detail command only checks syntax. It does not catch misspelled entries, nor does it verify that the gateway, objects or usernames exist or are within the policy of the gateway.
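Because vpn ipafile_check stops at syntax, the script below is an added example (not Check Point code and not part of the original article) of the extra offline checks worth running before installing policy. It parses a constructed ipassignment.conf laid out as in the steps above (a certificate user pinned to one address by DN, the rest of the subnet as a range for the group) and cross-checks the gateway and user columns against name lists you would fill from your own management database. The gateway names, user names, group names and the sample file are all assumptions; the hostname hint is a heuristic based on the gotcha above.

```python
"""Offline sanity checks for a Check Point $FWDIR/conf/ipassignment.conf.

Added example, not Check Point code.  It parses the four-column format
(Gateway, Type, IP Address, User) and flags what `vpn ipafile_check` does
not: gateway names that are not object names, users/groups that do not
exist, and certificate users listed by username instead of DN.
"""
import ipaddress
import shlex

# Constructed sample file.  Column 4 is a user, a group or, for a
# certificate user, the DN in quotes.  Lines 4-6 contain deliberate mistakes.
SAMPLE_CONF = """\
# Gateway             Type   IP Address                   User
Corp-GW               addr   10.10.10.5                   "CN=Jane Doe,OU=VPN,O=example.com"
Corp-GW               range  10.10.10.6-10.10.10.254/24   VPN_Users
corp-gw.example.com   addr   10.10.10.200                 bob
*                     net    10.20.0.0/24                 Finanse
Branch-GW             addr   10.30.0.5                    jane
"""

# Assumed object names; in practice export these from your management server.
KNOWN_GATEWAYS = {"Corp-GW", "Branch-GW"}
KNOWN_USERS_AND_GROUPS = {"VPN_Users", "Finance", "bob", "jane"}
CERT_USERS = {"jane"}   # users that authenticate with certificates (assumed)

VALID_TYPES = {"addr", "range", "net"}


def parse_ipassignment(text):
    """Return [(lineno, gateway, type, address, user), ...] for data lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)   # keeps a quoted DN as one column
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 columns, got {len(fields)}")
        entries.append((lineno, *fields))
    return entries


def check_address(kind, value):
    """Return an error string if the address column is malformed, else None."""
    try:
        if kind == "addr":
            ipaddress.IPv4Address(value)
        elif kind == "net":
            ipaddress.IPv4Network(value, strict=True)   # rejects host bits set
        elif kind == "range":
            span, mask = value.split("/")               # e.g. 10.0.0.1-10.0.0.50/24
            lo, hi = (ipaddress.IPv4Address(p) for p in span.split("-"))
            net = ipaddress.IPv4Network(f"{lo}/{mask}", strict=False)
            if lo > hi:
                return f"range start {lo} is after range end {hi}"
            if hi not in net:
                return f"range end {hi} is outside {net}"
        else:
            return f"unknown type {kind!r} (expected one of {sorted(VALID_TYPES)})"
    except ValueError as exc:
        return f"bad address {value!r}: {exc}"
    return None


def lint(text, gateways=KNOWN_GATEWAYS, principals=KNOWN_USERS_AND_GROUPS,
         cert_users=CERT_USERS):
    """Return a list of (lineno, message) problems found in the file text."""
    problems = []
    for lineno, gw, kind, address, user in parse_ipassignment(text):
        if gw != "*" and gw not in gateways:
            hint = " (looks like a hostname; use the gateway object name)" if "." in gw else ""
            problems.append((lineno, f"unknown gateway {gw!r}{hint}"))
        err = check_address(kind, address)
        if err:
            problems.append((lineno, err))
        if user.startswith("CN="):
            continue   # a DN cannot be verified offline; check it against the certificate
        if user in cert_users:
            problems.append((lineno, f"{user!r} authenticates by certificate; list the DN instead"))
        elif user not in principals:
            problems.append((lineno, f"unknown user or group {user!r}"))
    return problems


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
```

Run it against the real file with lint(open("/path/to/ipassignment.conf").read()) after replacing the three assumed name sets with exports from your management database; a DN is passed through unchecked, so confirm it against the user's certificate by hand.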