Hi,
for special internal reasons we currently use "Calculate per user name"; with this the algorithm is clear:
Take the <username>, make an MD5 hash, and the first 12 chars are the MAC used for DHCP requests.
Example:
This gives us the opportunity to set static DHCP entries for every user.
Now we are thinking about giving static VPN IPs via DHCP to any connecting machine.
But we need to know the calculated MAC address before the user connects.
Tried with 3 different machines and got those MAC addresses
I have no idea how those MACs were calculated.
Any hints from you?
Thanks and best regards,
Sascha
Usually, users connect either using a LAN Ethernet adapter and its MAC or a WLAN adapter and its MAC - so I do not understand your question...
I don't know how it works for machines, or if it works the same, but for users you can use "vpn macutil".
# vpn macutil sascha
A6-24-A3-3F-35-01, "sascha"
This is explained in the Mobile Access Administration Guide R80.30, p. 87ff!
Nope, the Admin Guide only describes how to enable the magic, not how the magic is done.
In the end there is a unique MAC address for each connecting client.
I need to know the recipe and don't want to get surprised by any new client.
I need to configure each of our 800 clients in DHCP, and an IP pool is not allowed.
Works fine with usernames, but in future we want to switch to machines (the same user should be able to log in at the same time from different machines).
/BR
Sascha
Mobile Access Administration Guide R80.30, p. 87f:
Automatically (Using DHCP) - Specify the machine on which the DHCP server is installed. In addition, specify the virtual IP address to which the DHCP server replies. The DHCP server allocates addresses from the appropriate address range and relates to VPN as a DHCP relay agent. The virtual IP address must be routable to enable the DHCP send replies correctly.
DHCP allocates IP addresses per MAC address. When VPN needs an Office Mode address, it creates a MAC address that represents the client and uses it in the address request. The MAC address can be unique per machine or per user. If it is unique per machine, then VPN ignores the user identity. If different users work from the same Remote Access client they are allocated the same IP address.
---> Looks like the machine MAC visible to the GW is used here...
I know vpn macutil, and the algorithm is described above: MD5 the username and take the first 12 chars.
Need to know the algorithm for the "unique per machine" part.
Why not ask TAC how to configure that?
Hi, did you receive a response from TAC? I have a task similar to yours. I need to know the mac address calculation algorithm per machines. Please share the information.
Hello.
I'm trying to configure this "Unique per machine", but it changes UID every time the machine restarts. So, it's more "Unique for boot".
Does yours do the same?
Do you know anything about it?
I'm using "Unique per user" and it's working and keeps same UID.
Best regards.
Nelson
Hello.
I don’t know about the UID, but with the option "Unique per machine" the MAC address generated by the CP did not change after a reboot. It changed, for example, if you reinstall the VPN client or rename the PC from which you are connecting.
The reply for C458715E I got was:
"...Regarding the MAC location, the MAC location is:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\TRAC
The value will be taken from: "fixed_om_mac_address"="0000"
Please let me know if any further clarification is required..."
and
"...Configuring the Registry this is our only option. Regarding IOS, according to sk61866 ;
Note: In OS X, this feature is not supported..."
They won't let us look into their cards 😞
So I still use the good, well reverse-engineered "Calculate per user name" -> take the <username>, make an MD5 hash, and the first 12 chars are the MAC used for DHCP requests.
Once we had the same users with different devices, we chose the following workaround:
Remote-Access-Client (LDAP and RSA-SecurID) users are written in lowercase.
Capsule VPN users are authenticated with a certificate, and we only enroll UPPERCASE usernames in certs.
So I get 2 different MACs for the same user, and DHCP can provide different fixed IPs.
So the only thing we have to monitor: no normal VPN user should ever write an uppercase username; we do this with a simple rule:
No Capsule client connects to the software deployment server on that port, so if some Capsule IP is connecting, this must be a normal client and we get an alarm.
We do the same, vice versa, for the Remote-Access-Client range.
Hope this will help someone as a workaround, as CP is not really willing to help.
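To make the rule from the opening post and the lowercase/UPPERCASE workaround above concrete, here is an added Python example (not Check Point's code and not vpn macutil): it derives the per-user Office Mode MAC as the first 12 hex characters of MD5(username), builds a fixed reservation table with both name variants per person, and checks the table for MAC collisions. The UTF-8 encoding of the username and the 10.99.0.0/24 pool are assumptions of this example, not facts from the thread.

```python
import hashlib
import ipaddress


def office_mode_mac(username: str) -> str:
    """Office Mode MAC for 'Calculate per user name' as described in the thread:
    MD5 of the username, first 12 hex characters, written as a dashed MAC.
    Assumption (not stated in the thread): the name is hashed as UTF-8 bytes."""
    digest = hashlib.md5(username.encode("utf-8")).hexdigest()
    return "-".join(digest[i:i + 2] for i in range(0, 12, 2)).upper()


def reservation_table(users, pool_cidr: str, start_offset: int = 10):
    """Fixed DHCP reservations for the workaround in the thread: each person gets
    a lowercase entry (Remote Access client, LDAP/RSA users) and an UPPERCASE
    entry (Capsule users with certificate), so the two devices of one person
    receive different Office Mode MACs and therefore different fixed IPs.
    Hosts are handed out sequentially from pool_cidr starting at start_offset
    (a constructed layout). Returns a list of (username, mac, ip) tuples."""
    hosts = list(ipaddress.ip_network(pool_cidr).hosts())[start_offset:]
    entries = []
    for user in users:
        for variant in (user.lower(), user.upper()):
            entries.append((variant, office_mode_mac(variant), str(hosts.pop(0))))
    return entries


def mac_collisions(entries):
    """MACs that more than one username maps to. A 48-bit MD5 prefix makes this
    unlikely across 800 users, but a collision would give two users the same
    fixed IP, so the table is checked before it is loaded into DHCP."""
    seen = {}
    for name, mac, _ in entries:
        seen.setdefault(mac, []).append(name)
    return {mac: names for mac, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample users and pool; the real list would come from the directory.
    table = reservation_table(["sascha", "emil"], "10.99.0.0/24")
    for name, mac, ip in table:
        print(f"{mac}  {ip:<14} {name}")
    print("collisions:", mac_collisions(table))
```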
Thanks for the answer. Our task is to separate the domain work laptops that connect to the network via VPN, and other home machines that also connect via VPN. We thought to solve it through a dhcp server, but today I realized that this can be achieved with much less effort through Identity Awareness.
Now I'm curious.
How can you separate company and home PCs with Identity Awareness.
Create an Access Role, in the Machines option set the OU Computers or Domain Computers Security Group, apply the Access Role in the rule and set the extended rights for PCs covered by this Access Role. For all other PCs that are not in the domain, make a rule with truncated rights by default.
Or am I misunderstanding something? I am new to this profession, and I will be glad of advice. So far we have not implemented this scheme, but we are just going to do it.
May I ask you if you managed to separate AD and non-AD connected PCs? I am very interested in whether it is actually possible to achieve separation using the method you propose.
Thanks in advance.
Emil.