This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Fredrik_Johanss
Employee Alumnus
Employee Alumnus
‎2020-03-17 01:41 AM

Lease time in ipassgment.conf?

Hi,

anyone aware if we can configure the lease time for ip assignments given out via ipassignment.conf on the gateway?

/Fredrik

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2020-03-17 07:57 PM

As the main use case for this file is assigning specific users a specific IP address, I don't believe this is possible.
0 Kudos
MartinTzvetanov
Advisor
‎2020-03-18 12:25 AM

Not sure if I get what you need. Do you mean that you want every single user and IP assigned to him via ipassignment.conf to have specific lease time?

I have few customers using mainly ipassignment.conf for their vpn clients and as far as we tested the functionality, the lease time for these addresses is the same configured in SmartConsole for all VPN users.

One main disadvantage I faced using ipassignment.conf is when the remote user got disconnected via poor Internet connection, CP doesn't know that (the client may also not notice that he was disconnected for few seconds because of lost connectivity to Internet), the new client connection (few seconds after the poor connectivity caused the disconnection) is given a new IP address which is not in the ipassignment.conf and of course if you have granular rules in the policy they are not met and the client has no access and start complain.

The workaround that me and the customer met is setting the lease time close to 10-15 minutes in the SmartConsole so if the client face such issue he has to wait no more than 10-15 minutes to have access to the resource. You have to know that the short lease time cause more vpn-test-tunnel packets crossing around and may have impact on the GW performance if you have hundreds of vpn clients connected. 10-15 minutes of lease time was a win-win situation in my case, yours may be different.

0 Kudos
Fredrik_Johanss
Employee Alumnus
Employee Alumnus
‎2020-03-18 12:31 AM
In response to MartinTzvetanov

Hi
the reason for asking is that we have a strange behavior with a client that gets a lease time of 136 years... Don't know what's causing it so wanted to try different options 🙂
0 Kudos
MartinTzvetanov
Advisor
‎2020-03-18 12:53 AM
In response to Fredrik_Johanss

Make a connection and the generation after us will check if the lease time was correct :-). Just a joke.

This is only for one user or random? Where do you see this lease - on the VPN client GUI or somewhere in the SmartConsole? You can set the lease time in SmartConsole to be something short and then make connection from the client and do nothing, when the time leases it should be disconnected or reconnected.
0 Kudos
Fredrik_Johanss
Employee Alumnus
Employee Alumnus
‎2020-03-18 02:24 AM
In response to MartinTzvetanov

Hi,

the configuration in the dashboard is not applied to ipassignments.conf or dhcp according to the text on the top of additional configuration.

ipassignment.png

MartinTzvetanov
Advisor
‎2020-03-18 04:06 AM
In response to Fredrik_Johanss

Good point! I just did few tests and this is the summary: In CP I have configured Primary DNS server, in ipassignment.conf there is only my username and an IP. When I connect I got the right IP address and the DNS which is configured in the SmartConsole, so I believe this exception is a bit confusing and maybe it should means If you have configured DNS, WINS, DNS suffix in ipassignment.conf, the following configuration is not applied. As far as I know in SmartConsole is the only place where you can set lease time, in ipassignment.conf there is no such option explained, so I believe this option applies to every configuration.
During my tests with the customer last year with R80.10, we have set the lease duration to 10 minutes and a reserved IP address for a user in ipassignment.conf, connect to VPN with a client, receive the right IP and then cut the connectivity to Internet; After 2-3 minutes connecting again to the VPN and receive the next free IP address from the pool of Office mode addresses (not the one configured in ipassignment.conf because the lease time is not expired and the old one is not free); Disconnect and after another approx 10 minutes (the total minutes are more than the lease time configured) connect again and receive the right IP from ipassignment.conf.

These are my observation and it works more than an year and I did not receive any complains about this.

It will be good if any other did something similar to share his experience with ipassignment.conf

Do some tests in a test environment and see how it works without touching a live infrastructure.

HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2020-03-18 07:39 AM
In response to MartinTzvetanov

As far as I know, the ipassignment.conf is only for assigning local users or LDAP users to a fixed office mode IP.

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Eldf
Explorer
‎2020-03-19 08:46 AM
In response to HeikoAnkenbrand

Lease Expires date displayed for Endpoint Virtual Network Adapter does not reflect configured Office Mode lease duration

sk112069

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events