Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Robert_Ellis1
Contributor
Jump to solution

Restricting Remote Access by IPv4 Address

Objective: 

Permit Chekpoint Endpoint Security VPN clients to establish a connection only if those clients are connecting from a known a selection of IPv4 addresses. 

Clients are secured using Certificates issued by the Checkpoint Appliance but we do not want them to be able to connect unless they are being used from specific locations (and therefore are using known public IP addresses).

Our methodology:

-Disabled the Implied Rule "Accept Remote Access Control Connections"

-Other Implied Rules for "Control Connections" remain Enabled

-Configured appliance for Remote Access using Office Mode 

-Configured an Explicit rule for RA Connections:

 SOURCE = (Known group of IP addresses)

 DEST = External interface of Appliance

 Service = ESP, TCP18231,500,264,443, UDP500,4500,259,2746

 Action = ACCEPT 

Expected Result: 

-Endpoint clients with a Certificate AND inside private networks NAT'd out from one of the Known IPs can establish the VPN connection

-Otherwise no connection possible

Actual Result:

-Any client with a Certificate can establish the VPN connection from any source IP address

For verification, we have disabled the Explicit Rule for RA Connections (described above) (and left the Implied Rule "Accept Remote Access Control Connections" disabled) and even then, any client with a Certificate can still establish a connection successfully. 

The Implied Rule "Accept Web and SSH connections" is Enabled

This is using GAIA R77.3

Any advice gratefully received.

0 Kudos
22 Replies
This widget could not be displayed.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events