This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Geomix7
Collaborator
‎2020-05-07 05:49 AM
Jump to solution

IP POOL - STATIC IP

Do we have the possibility to assign some static IP address from VPN pool (office mode) R80.20 ?

0 Kudos
2 Solutions

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion
‎2020-05-07 08:10 AM
Jump to solution

Remote Access VPN clients are assigned their static IP addresses configured in $FWDIR/conf/ipassignment.conf file.

More read here:

sk33422: Office Mode IP and ipassignment.conf file

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

G_W_Albrecht
Legend Legend
Legend
‎2020-05-08 03:17 AM
In response to Geomix7
Jump to solution

The user has to be present in Dashboard, either as local or LDAP user. The SK gives reference to the following detailed explanations and examples: https://sc1.checkpoint.com/documents/R80.10_andhigher/WebAdminGuides/EN/CP_RemoteAccessVPN_AdminGuid...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

8 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2020-05-07 08:10 AM
Jump to solution

Remote Access VPN clients are assigned their static IP addresses configured in $FWDIR/conf/ipassignment.conf file.

More read here:

sk33422: Office Mode IP and ipassignment.conf file

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Geomix7
Collaborator
‎2020-05-08 12:35 AM
In response to HeikoAnkenbrand
Jump to solution

Thanks a lot , Do you know that for every user that i will have static IP do i have to create an obkject on FW ?
0 Kudos
Geomix7
Collaborator
‎2020-05-08 12:57 AM
Jump to solution

We have some more questions because it is not clear on the SK . Do we have to create a specific LDAP group fro the login users? Do we have to create an object for each assigned static IP? This questions have been raised from the notes where it mentions "Objects referenced within the ipassignment.conf MUST exist within SmartConsole."
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-05-08 03:17 AM
In response to Geomix7
Jump to solution

The user has to be present in Dashboard, either as local or LDAP user. The SK gives reference to the following detailed explanations and examples: https://sc1.checkpoint.com/documents/R80.10_andhigher/WebAdminGuides/EN/CP_RemoteAccessVPN_AdminGuid...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Albert_Wilkes
Collaborator
‎2020-07-08 03:35 AM
Jump to solution

Fun fact, it seems you can't "reserve" an IP from the OfficeMode pool - at least not in R80.30 JHF 196 and I couldn't find this documented neither in the SK nor in the VPN guide but I asked for the SK to be amended. We found out the hard way, see these vpnd.elg logs:
[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: registering non-protected IP c0a8f80b to user user2 for 900 seconds in kernel instance 0
[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: IP c0a8f80b already belongs to user user1. User user2 registration must fail.

CP support confirmed that the assigned IP should be outside the pool.

 

Kaloyan_Kirchev
Contributor
‎2020-08-21 04:05 AM
In response to Albert_Wilkes
Jump to solution

Can we assign IP based on source and based on user?

Or just one.

$Fwdir\conf\user.def keep getting me syntax errors.

Any help? I want to specify just a single source public IP and assign exactly one Office mode IP.

0 Kudos
_Val_
Admin
Admin
‎2020-08-25 12:39 AM
In response to Kaloyan_Kirchev
Jump to solution

According to sk30919, you can do that per range. 

0 Kudos
Albert_Wilkes
Collaborator
‎2020-08-25 08:26 AM
In response to Albert_Wilkes
Jump to solution

Correction: I mentioned the above based on first hand information from the logs and a chat with support. Fortunately the guys from the SK team are very thorough when working on SK documentation and they imply that this is actually a bug and that using IPs from the pool SHOULD be possible.

Thank you for providing your feedback to SecureKnowledge on sk33422, titled "Office Mode IP and ipassignment.conf file". 


Your feedback was:

------------------
Neither of the documentation mentions the fact that the IP used in ipassignment.conf MUST NOT be part of the pool. We found out the hard way, see these logs:
[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: registering non-protected IP c0a8f80b to user user2 for 900 seconds in kernel instance 0
[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: IP c0a8f80b already belongs to user user1. User user2 registration must fail.
------------------

After checking with RnD, they verified in the code that upon Policy install, the ipassignment.conf file is parsed and save the specified OMs in a local hash table, and during the negotiations, there is a check if the OM is already in the on_assigned_ips kernel table.

There might be a limitation in the code, however to investigate this we will need the vpnd logs from the time of the issue.

 In case the issue will happen again please  open a new service request with the logs.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events