topic Block "IP Changed" Remote Access VPN in Firewall and Security Management

Block "IP Changed" Remote Access VPN

fabionfsc — Wed, 04 Jun 2025 14:17:37 GMT

Hello everyone, how are you?

We are trying to restrict access to the VPN to only a few countries. We have done a procedure to remove the Accept from the Implied Rule for port 80/443 (sk105740), allowing access only to a specific country, as follows:

After that, a kernel parameter is required (fw ctl set int fw_ignore_before_drop_rules 1). The change is working, port 443 is used to create the connection on the Endpoint, if it is blocked in a country, the connection is not successful, great.

However, we came across an employee who uses a commercial VPN (ProtonVPN; UrbanVPN etc.) to go out with an IP from an allowed country, and so she connects to the Check Point VPN, and then she disconnects from the commercial VPN and Check Point maintains the connection via NAT-T (IPSec) and shows information in the logs of "IP Changed". We did this test in the lab:

My question is, do you know of any way to block reconnection when an IP is changed? For example, make Check Point FW not maintain the connection as soon as the client's IP is changed.

Re: Block "IP Changed" Remote Access VPN

fabionfsc — Wed, 04 Jun 2025 14:24:40 GMT

I really think there should be an option within SmartConsole (for example in Global Properties) to control this behavior, if there is no way to control it. I opened a ticket with TAC about it.

Re: Block "IP Changed" Remote Access VPN

the_rock — Wed, 04 Jun 2025 14:32:26 GMT

Hey bro,

Long time no talk, how are you?

I thought about this and to me, logically, sounds like the only reasonable way to do it would be to block whatever app that perosn is using, because once they connect and get an IP that belongs to country thats allowed, not sure how would fw be able to block it, if that country is allowed by the rule.

Andy

Re: Block "IP Changed" Remote Access VPN

fabionfsc — Wed, 04 Jun 2025 14:41:26 GMT

Hey bro, how long, are you okay?

The Firewall even identifies this IP exchange, the issue is that it allows it, by some parameter that I don't know (maybe something in trac_client_1.ttm or in Control Connections Remote Access).

We also thought about this alternative that you suggested, a SCV (Secure Configuration Validation), which identifies VPN programs, the problem is that there are several VPNs of this kind, there are many software available to verify...)

Re: Block "IP Changed" Remote Access VPN

the_rock — Wed, 04 Jun 2025 14:44:59 GMT

See if the post I made about it last year helps?

Andy

https://community.checkpoint.com/t5/Remote-Access-VPN/Geo-VPN-blocking/m-p/214040#M10593

Re: Block "IP Changed" Remote Access VPN

PhoneBoy — Wed, 04 Jun 2025 20:43:37 GMT

I'm trying to understand the flow here, so please confirm:

End user connects with commercial VPN to get an IP in allowed country
End user connects with Check Point VPN and connection is allowed (because it appears they are in an allowed country)
End user disconnects from commercial VPN and connection is still permitted (from a different country IP)

I can see how that would be problematic.
I would engage with TAC on this.

Meanwhile, as a workaround, you might try using: https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695#M31396

Re: Block "IP Changed" Remote Access VPN

fabionfsc — Wed, 04 Jun 2025 21:28:42 GMT

Exactly! The VPN user connects to a commercial VPN to exit with an allowed IP in the 80/443 rules, then she connects to Check Point VPN; a tunnel in Visitor Mode (443) is created. The VPN user then disconnects from the commercial VPN, as there is a blocking rule on port 443, Check Point passes the connection to NAT-T and maintains the connection, with a "Reconnect" and an "IP Changed" information in the Logs & Monitor.

Thank you very much for sharing this information, indeed with fwaccel dos rate it can be a viable solution, I will test it right now, I hope it blocks the NAT-T port also for the countries I specify.

Re: Block "IP Changed" Remote Access VPN

fabionfsc — Wed, 04 Jun 2025 21:41:12 GMT

Rules with country code are no longer supported... I tried to create a rule with Bypass for US and BR (Brazil), traffic is still blocked, the rule is no longer effective when it is made by country code. I can't see any other alternatives...

Re: Block "IP Changed" Remote Access VPN

the_rock — Wed, 04 Jun 2025 21:45:32 GMT

I believe buddy that using updatable objects is the way to go...

Andy