- CheckMates
- :
- Products
- :
- Quantum
- :
- Remote Access VPN
- :
- VPN - Limit specific vendors to specific IPs on Ch...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN - Limit specific vendors to specific IPs on Checkpoint Vpn
We just implemented Checkpoint VPN. We have several vendors that have access to specific systems. When they use CP VPN, is there a way to limit their access to specific IP addresses based on their user group?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you use site-to-site or client-to-site VPN?
If client-to-site, do you use local users or AD/LDAP?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have client to site via CP Mobile and have LDAP groups setup currently for the main office users who need to connect remotely.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming it's AD as you suggest below, then yes, you can create an Access Role for the relevant user groups and set up the appropriate access policy rules.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response. I'm going to spell this out a bit as I don't see any step by steps for the new folks to checkpoint. If you have a specific vendor that VPNs into your network and has to connect to a specific IP or host on your network, this is what you do...or the way I did it.
1. To keep my AD clean, I created a single OU for vendors in AD. Then later referenced that single OU and the applicable vendor IDs in my CP object creation in the following steps.
2. Create the Vendor account in the OU that you created in step 1
3. Create the objects for the vendor, the network or hosts that the vendor needs to connect to in Checkpoint. **When creating the object for the vendor in CP, you will need the full Distinguished name.**
4. Our VPN subnet for CP is housed in the firewalls, so I added the vendor account to the group authorized to access the VPN subnet.
5. Created a rule that allowed our vendor, which has was added to the VPN subnet, as the source.
6. I added the IP address / host name that the vendor was trying to access as the destination. When adding the Host name of the destination, I had to add the primary/secondary DC (dns) to the destination or it would not allow access by host name.
7. Specify any specific protocols required for the connection,
8. Set CP to accept and log.
9. Install & Publish
10. Test
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am in the same boat. I was just fixing to post this question. I have about 40 different vendors that have access to different proprietary systems. From what I found, you have to setup a rule for each different vendor with the information you provided above. I was hoping their would be an easier way to do it. Is there any issue with have a ton of rules? How much does that affect the processing of data?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This sort of configuration is required to ensure only the relevant vendor(s) can access the relevant systems.
While the number of rules may have been an issue in R77.x and earlier releases, it s less relevant in R8x due to how the rulebase matching works (column-based).
The fact you can put all "vendor" rules in their own inline layer also helps substantially in terms of the processing and manageability of these rules.
