
Restricting Remote Access by IPv4 Address

Question asked by Robert Ellis on Mar 16, 2018
Latest reply on Mar 19, 2018 by Dameon Welch Abernathy

Objective: 

Permit Check Point Endpoint Security VPN clients to establish a connection only if those clients are connecting from a known selection of IPv4 addresses.

Clients are secured using Certificates issued by the Check Point Appliance, but we do not want them to be able to connect unless they are being used from specific locations (and are therefore using known public IP addresses).


Our methodology:

- Disabled the Implied Rule "Accept Remote Access Control Connections"
- Other Implied Rules for "Control Connections" remain Enabled
- Configured appliance for Remote Access using Office Mode
- Configured an Explicit rule for RA Connections:
    SOURCE = (Known group of IP addresses)
    DEST = External interface of Appliance
    Service = ESP; TCP 18231, 500, 264, 443; UDP 500, 4500, 259, 2746
    Action = ACCEPT


Expected Result: 

- Endpoint clients with a Certificate AND inside private networks NAT'd out from one of the Known IPs can establish the VPN connection
- Otherwise no connection possible


Actual Result:

- Any client with a Certificate can establish the VPN connection from any source IP address


For verification, we disabled the Explicit Rule for RA Connections (described above, leaving the Implied Rule "Accept Remote Access Control Connections" disabled as well), and even then any client with a Certificate can still establish a connection successfully.


The Implied Rule "Accept Web and SSH connections" is Enabled.

This is using GAIA R77.3.


Any advice gratefully received.
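The script below is an added illustration, not code from the post or from Check Point. It models the first-match evaluation a rule base like the one above goes through (implied rules are consulted before explicit rules) and checks whether an earlier rule shadows the explicit, source-restricted RA rule. The "implied: accept control connections" rule that admits the VPN services from any source is a hypothesis to test, assumed here for illustration and not confirmed by the post; all addresses are constructed placeholders from the documentation ranges.

```python
"""Model first-match rule evaluation and detect an earlier rule shadowing the
explicit, source-restricted Remote Access rule. Added example; values are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Service = Tuple[str, Optional[int]]  # (protocol, port); ESP carries no port

# Constructed placeholders standing in for the poster's "known" public IPs and gateway.
KNOWN_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/29")]
GATEWAY_EXTERNAL = ipaddress.ip_address("192.0.2.1")
GATEWAY_NET = [ipaddress.ip_network("192.0.2.1/32")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Services listed in the post's explicit RA rule.
RA_SERVICES: Set[Service] = {
    ("esp", None),
    ("tcp", 18231), ("tcp", 500), ("tcp", 264), ("tcp", 443),
    ("udp", 500), ("udp", 4500), ("udp", 259), ("udp", 2746),
}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    port: Optional[int]


@dataclass
class Rule:
    name: str
    sources: List[ipaddress.IPv4Network]
    dests: List[ipaddress.IPv4Network]
    services: Set[Service]
    action: str  # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (any(pkt.src in n for n in self.sources)
                and any(pkt.dst in n for n in self.dests)
                and (pkt.proto, pkt.port) in self.services)


def evaluate(rulebase: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First match wins; anything unmatched falls to the implicit cleanup drop."""
    for rule in rulebase:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", "cleanup (implicit)"


def decide(rulebase: List[Rule], src: str, proto: str, port: Optional[int]) -> Tuple[str, str]:
    """Convenience wrapper: decision for a packet from src to the gateway's external IP."""
    return evaluate(rulebase, Packet(ipaddress.ip_address(src), GATEWAY_EXTERNAL, proto, port))


def build_rulebase(control_connections_enabled: bool) -> List[Rule]:
    """Hypothetical rule base (assumption, not from the post): an implied
    'accept control connections' rule admitting the VPN services from any
    source sits before the explicit rule that restricts the source."""
    rules = []
    if control_connections_enabled:
        rules.append(Rule("implied: accept control connections", ANY, GATEWAY_NET,
                          set(RA_SERVICES), "accept"))
    rules.append(Rule("explicit: RA from known IPs", KNOWN_SOURCES, GATEWAY_NET,
                      set(RA_SERVICES), "accept"))
    return rules


def covers(outer: List[ipaddress.IPv4Network], inner: List[ipaddress.IPv4Network]) -> bool:
    """True when every network in `inner` lies within some network in `outer`."""
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def shadowed_by(rulebase: List[Rule], rule_name: str) -> List[str]:
    """Earlier rules whose source, destination and service sets fully contain the
    named rule's, so the named rule can never be the first match for any packet."""
    idx = next(i for i, r in enumerate(rulebase) if r.name == rule_name)
    target = rulebase[idx]
    return [r.name for r in rulebase[:idx]
            if covers(r.sources, target.sources)
            and covers(r.dests, target.dests)
            and target.services <= r.services]


def probe(rulebase: List[Rule], src: str) -> Dict[Service, Tuple[str, str]]:
    """Which rule decides each RA service for a packet from src to the gateway."""
    return {svc: decide(rulebase, src, svc[0], svc[1]) for svc in sorted(RA_SERVICES, key=str)}


if __name__ == "__main__":
    for enabled in (True, False):
        rb = build_rulebase(enabled)
        print(f"implied control-connections rule enabled={enabled}")
        print("  shadowing the explicit rule:", shadowed_by(rb, "explicit: RA from known IPs"))
        for svc, decision in probe(rb, "203.0.113.99").items():  # source outside the known group
            print(f"  unknown source, {svc}: {decision}")
```

With the assumed implied rule in place, every RA service from an address outside the known group is accepted before the explicit rule is ever reached, which is the same symptom the post reports; with it removed, the unknown source falls through to the cleanup drop while the known addresses still match the explicit rule. The same shadowing check can be pointed at any real rule base export to find earlier accept rules that make a later source restriction moot.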

