This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Joe_Kanaszka
Advisor
‎2024-01-04 02:29 PM
Jump to solution

ipassignment.conf and LDAP grop

Hello again.

 

Continuation of a previous post but the old post is marked as resolved (because it was) to allow contributor to receive credit.  😊

In a nutshell - we need to limit access to a network host to a small group of 5 individuals.  The solution has to work with NAT (Identity Awareness is out as it doesn't work with NAT).  This solution will be used for WFH users - the current OM IP pool is Nat'd to the internal interface of the Check Point.  

My solution:

I'd like to configure the ipassignment.conf file to assign a range of IPs to my already existing AD group - then limit access to the resource based on the static IPs. (This will be used for WFH users).

 

What I've done:

  • Created a draft of my ipassignment.conf file

 

Here is how my ipassignment.conf file will look referencing SK:  sk33422 

#Gateway             Type             IP Address                User Name

==================================================

IP of gateway        range          10.0.0.0-10.0.0.5       Test Group  (AD group)

 

  • Created an LDAP Account Unit that points directly to my AD group - so the UID is my group. 
  • Trying to create an LDAP Group Object that the ipassignment.conf file can reference.  The Group's scope is the first option - "All Account-Unit's Users"

 

Questions:

  1. Unfortunately, my AD security group contains a space in the name.  When I try and create the LDAP group, I'm receiving the error "Object name contains space..."  How can I get around this?  
  2. Will this plan work?  🙄

 

Thank you, and as always - any help is always much appreciated!

 

Best Regards,

 

Joe

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2024-01-04 02:42 PM
Jump to solution

Even if you could get past the UI validation in SmartConsole, I suspect that space will be problematic in ipassignment.conf as well.
Change the name to something without a space.
Otherwise, this should work.

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
‎2024-01-04 02:42 PM
Jump to solution

Even if you could get past the UI validation in SmartConsole, I suspect that space will be problematic in ipassignment.conf as well.
Change the name to something without a space.
Otherwise, this should work.

Joe_Kanaszka
Advisor
‎2024-01-04 03:09 PM
In response to PhoneBoy
Jump to solution

Ok cool. Thank you!  

0 Kudos
DAKad
Explorer
‎2024-09-24 01:11 AM
In response to PhoneBoy
Jump to solution

Hello,

we have configured the file for an LDAP user but the user is not receiving the ip.

as you can see on both screenshots, we pushed the file on both gateways of the cluster

 

 

 

 

fw1.PNG
Preview file
21 KB
fw2.PNG
Preview file
21 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2024-09-25 10:08 AM
In response to DAKad
Jump to solution

Please refer to https://support.checkpoint.com/results/sk/sk33422 for what exactly to use based on how the user authenticates.

0 Kudos
DAKad
Explorer
‎2024-09-25 10:22 AM
In response to PhoneBoy
Jump to solution

Hello PhoneBoy,

see the screenshot of the line added at the end of the file.

user log to the vpn through LDAP with the AD account , his name is on capital letter from active directory but when he wants to connecte on the VPN client, he use small letter like i wrote on the file and it works but still taking the ip from the pool instead of the ipassignment file

Also after checking with vpn ipafile_check $FWDIR/conf/ipassignment.con detail , i get the  output on the second screenshot

fw3.PNG
Preview file
20 KB
fw_ch.PNG
Preview file
98 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2024-09-25 10:34 AM
In response to DAKad
Jump to solution

It's user/password authentication, right?
What if you put it in as it is in AD (i.e. with a Capital)?
If this doesn't work, suggest involving TAC.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top