Permit Chekpoint Endpoint Security VPN clients to establish a connection only if those clients are connecting from a known a selection of IPv4 addresses.
Clients are secured using Certificates issued by the Checkpoint Appliance but we do not want them to be able to connect unless they are being used from specific locations (and therefore are using known public IP addresses).
-Disabled the Implied Rule "Accept Remote Access Control Connections"
-Other Implied Rules for "Control Connections" remain Enabled
-Configured appliance for Remote Access using Office Mode
-Configured an Explicit rule for RA Connections:
SOURCE = (Known group of IP addresses)
DEST = External interface of Appliance
Service = ESP, TCP18231,500,264,443, UDP500,4500,259,2746
Action = ACCEPT
-Endpoint clients with a Certificate AND inside private networks NAT'd out from one of the Known IPs can establish the VPN connection
-Otherwise no connection possible
-Any client with a Certificate can establish the VPN connection from any source IP address
For verification, we have disabled the Explicit Rule for RA Connections (described above) (and left the Implied Rule "Accept Remote Access Control Connections" disabled) and even then, any client with a Certificate can still establish a connection successfully.
The Implied Rule "Accept Web and SSH connections" is Enabled
This is using GAIA R77.3
Any advice gratefully received.