topic Re: Restricting vpn user login, Static IP wise in SASE and Remote Access

Restricting vpn user login, Static IP wise

bcmario — Wed, 18 Jun 2025 06:44:49 GMT

Is it possible to restrict checkpoint vpn users login, static IP wise?

I have an environment where 5 vpn users are allowed to log into the office environment via checkpoint vpn. If I provide each of them with a broadband connection with static IPs, could I restrict them from connecting from any other connection?

If the answer is yes, what guide could I follow to configure this?

Re: Restricting vpn user login, Static IP wise

PhoneBoy — Wed, 18 Jun 2025 22:04:53 GMT

So you only want user X to connect via Remote Access from IP Y, correct?
As far as I know, this isn't possible.

You might be able to prevent Remote Access from working AT ALL from all but a few IPs by using dos rules similar to: https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695#M31396
You'll need to read the SK there to get the exact syntax.

Re: Restricting vpn user login, Static IP wise

the_rock — Thu, 19 Jun 2025 01:44:10 GMT

The only possible way I can think of might be something like below:

src -> static IP address

dst -> as needed

service -> any

vpn -> remote access community

action -> drop

Andy

Re: Restricting vpn user login, Static IP wise

bcmario — Thu, 19 Jun 2025 03:30:52 GMT

"So you only want user X to connect via Remote Access from IP Y, correct?" yes correct

Regarding the geolocation block method (Block VPN Traffic by Country), I guess it makes no sense in my scenario, as all my users will be logging in from the same country. Unfortunately as mentioned I guess this is not possible to implement.

Re: Restricting vpn user login, Static IP wise

bcmario — Thu, 19 Jun 2025 03:34:17 GMT

In this method, I will have to block all public IPs barring the 5 static IPs I will provide my users, correct? Basically, at least all public IPs of my country barring the 5 given ones.

Re: Restricting vpn user login, Static IP wise

the_rock — Thu, 19 Jun 2025 11:01:33 GMT

You just block IPs needed to be blocked.

Andy

Re: Restricting vpn user login, Static IP wise

PhoneBoy — Mon, 23 Jun 2025 15:41:27 GMT

I said similar to not exactly the same as.
You wouldn't be allowing access to/from a country, but specific IPs.
The SK I was referring to was linked in the original: https://support.checkpoint.com/results/sk/sk112454
This refers to fwaccel dos commands, which I believe can be used to achieve what you're after.
More specifically, you'd have to do something like the following: (replace X.X.X.X with external gateway IP and Y.Y.Y.Y with source IPs, repeat for each source IP):

[Expert@R8120:0]# fwaccel dos rate add -a d -l a service 17/500 source Y.Y.Y.Y destination cidr:X.X.X.X/32 pkt-rate 100000

This command sets a rate limit on IKE traffic (UDP 500, needed to start a VPN negotiation) to 100000 IKE packets per second.
IKE Negotiations happen infrequently and don't require anywhere near this amount of packets.
However, you can now rate limit everything else IKE related to zero, effectively blocking the traffic:

[Expert@R8120-GA:0]# fwaccel dos rate add -a d -l a service 17/500 source any destination cidr:X.X.X.X/32 pkt-rate 0

Note the above merely blocks the IKE negotiation, which is needed to establish a VPN connection (Site to Site or Remote Access).
I believe that is sufficient to achieve your objective.

The above commands need to be entered in expert mode on each gateway in the cluster.
Read the SK linked above for more information.