fabionfsc
Contributor

Block "IP Changed" Remote Access VPN

Hello everyone, how are you?

We are trying to restrict access to the VPN to only a few countries. We have done a procedure to remove the Accept from the Implied Rule for port 80/443 (sk105740), allowing access only to a specific country, as follows:

[image: 1.png]

After that, a kernel parameter is required (fw ctl set int fw_ignore_before_drop_rules 1). The change is working: port 443 is used to create the connection on the Endpoint, and if it is blocked in a country, the connection is not successful. Great.

However, we came across an employee who uses a commercial VPN (ProtonVPN; UrbanVPN etc.) to go out with an IP from an allowed country, and so she connects to the Check Point VPN, and then she disconnects from the commercial VPN and Check Point maintains the connection via NAT-T (IPSec) and shows information in the logs of "IP Changed". We did this test in the lab:

[image: 2.png]

My question is, do you know of any way to block reconnection when an IP is changed? For example, make Check Point FW not maintain the connection as soon as the client's IP is changed.


0 Kudos
8 Replies
fabionfsc
Contributor

I really think there should be an option within SmartConsole (for example in Global Properties) to control this behavior, if there is no way to control it. I opened a ticket with TAC about it.

0 Kudos
the_rock
MVP Gold

Hey bro,

Long time no talk, how are you?

I thought about this and to me, logically, it sounds like the only reasonable way to do it would be to block whatever app that person is using, because once they connect and get an IP that belongs to a country that's allowed, I'm not sure how the fw would be able to block it, if that country is allowed by the rule.

Andy

fabionfsc
Contributor

Hey bro, how long, are you okay?

The Firewall even identifies this IP exchange, the issue is that it allows it, by some parameter that I don't know (maybe something in trac_client_1.ttm or in Control Connections Remote Access).

We also thought about this alternative that you suggested, an SCV (Secure Configuration Verification) check that identifies VPN programs; the problem is that there are several VPNs of this kind, and there is a lot of software available to verify.

0 Kudos
PhoneBoy
Admin (Accepted Solution)

I'm trying to understand the flow here, so please confirm:

  1. End user connects with commercial VPN to get an IP in allowed country
  2. End user connects with Check Point VPN and connection is allowed (because it appears they are in an allowed country)
  3. End user disconnects from commercial VPN and connection is still permitted (from a different country IP)

I can see how that would be problematic.
I would engage with TAC on this.

Meanwhile, as a workaround, you might try using: https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695#M31396 

0 Kudos
fabionfsc
Contributor

Exactly! The VPN user connects to a commercial VPN to exit with an IP allowed by the 80/443 rules, then she connects to the Check Point VPN; a tunnel in Visitor Mode (443) is created. The VPN user then disconnects from the commercial VPN; as there is a blocking rule on port 443, Check Point passes the connection to NAT-T and maintains the connection, with "Reconnect" and "IP Changed" entries in Logs & Monitor.

Thank you very much for sharing this information, indeed with fwaccel dos rate it can be a viable solution, I will test it right now, I hope it blocks the NAT-T port also for the countries I specify.

0 Kudos
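Until the gateway itself can drop a tunnel whose peer address moves to a blocked country, the "Reconnect" / "IP Changed" events described above are at least detectable after the fact. The following is an added example (not code from the thread, Check Point, or any of the posters) that scans exported VPN log lines and flags reconnects whose new source IP geolocates outside the allowed countries, or to a different country than the session started in. The log format, field names (user, src, event, info), the GeoIP table and the sample lines are all constructed assumptions; a real deployment would map them onto the actual exported log schema and a real GeoIP source.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed, simplified log lines in a key=value style. This is NOT the real
# Check Point log schema; it only stands in for the "Reconnect" / "IP Changed"
# events the thread describes. Field names are assumptions.
SAMPLE_LOGS = [
    'time=2024-05-01T10:00:01 user=alice src=203.0.113.10 event=Login info="Visitor Mode"',
    'time=2024-05-01T10:05:42 user=alice src=198.51.100.7 event=Reconnect info="IP Changed"',
    'time=2024-05-01T10:06:00 user=bob src=203.0.113.55 event=Login info="Visitor Mode"',
    'time=2024-05-01T10:30:12 user=bob src=203.0.113.90 event=Reconnect info="IP Changed"',
    'time=2024-05-01T11:00:00 user=carol src=192.0.2.20 event=Login info="NAT-T"',
]

# Constructed prefix -> ISO country table standing in for real GeoIP data
# (documentation ranges only; the country assignments are made up).
GEO_TABLE = {
    "203.0.113.0/24": "BR",
    "198.51.100.0/24": "RU",
    "192.0.2.0/24": "US",
}

# Countries the policy allows VPN clients to connect from (assumed).
ALLOWED_COUNTRIES = {"BR", "US"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def country_for(ip: str) -> str:
    """Longest-prefix-free lookup against the constructed GeoIP table."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"


Alert = Tuple[str, str, str, str, str, str]


def find_suspicious_reconnects(lines: List[str]) -> List[Alert]:
    """Return (user, old_ip, new_ip, old_cc, new_cc, reason) for every
    'IP Changed' reconnect whose new address is outside the allowed
    countries, or in a different country than the previous address."""
    last_ip: Dict[str, str] = {}
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        user, src = rec.get("user"), rec.get("src")
        if not user or not src:
            continue
        if rec.get("event") == "Reconnect" and rec.get("info") == "IP Changed":
            old = last_ip.get(user, "")
            old_cc = country_for(old) if old else "??"
            new_cc = country_for(src)
            if new_cc not in ALLOWED_COUNTRIES:
                alerts.append((user, old, src, old_cc, new_cc, "country not allowed"))
            elif old_cc != new_cc:
                alerts.append((user, old, src, old_cc, new_cc, "country changed"))
        # Remember the latest address seen for this user, whatever the event.
        last_ip[user] = src
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_reconnects(SAMPLE_LOGS):
        print("ALERT user=%s %s (%s) -> %s (%s): %s" % (
            alert[0], alert[1], alert[3], alert[2], alert[4], alert[5]))
```

Run against the constructed sample, only alice is reported: her session starts in an allowed country and the "IP Changed" reconnect arrives from a prefix mapped to a blocked one, which is exactly the commercial-VPN-then-disconnect pattern the thread describes. bob's reconnect stays inside the same allowed prefix and is ignored. Feeding this a live export of the gateway's VPN logs would let the SOC terminate such sessions manually while TAC works on a gateway-side control.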
fabionfsc
Contributor

Rules with country code are no longer supported... I tried to create a rule with Bypass for US and BR (Brazil), traffic is still blocked, the rule is no longer effective when it is made by country code. I can't see any other alternatives...

[image: 1.png]

0 Kudos
the_rock
MVP Gold

I believe buddy that using updatable objects is the way to go...

Andy

0 Kudos
