Customizing Checkpoint to accept VPN connection from domain joined computers and users only

Filtering domain-joined users was straightforward to configure.
To accept only a specific user group for VPN, I did the following:
  • Create a security group for VPN users in AD
  • Create LDAP Group from Checkpoint SmartConsole
[Screenshot: Checkpoint - Creating LDAP group]

  • Fill in the desired information. I selected the "Only Group in branch (DN prefix)" option in the Group's Scope section and added the AD group created above.
[Screenshot: Checkpoint - LDAP group creation]

  • Add the LDAP group created above to the RemoteAccess group under VPN Communities.
[Screenshot: Checkpoint - VPN community]

Now you have user-level control over who can connect to the VPN: add the required users to the AD group you created. The problem is that users can install the Checkpoint VPN client on their personal computers, which may carry viruses or malware, and valid user credentials are accepted from any computer. Therefore we also need computer-level control over VPN connections.

Googling gave me some ideas but not exactly what I wanted. Relying on the computer name in particular was the worst option, as a user can rename their computer to match one of the domain-joined computers. I tested this and the connection was accepted.

My method is not 100% secure either, as users can change this registry value on their personal computers, but I hope no one in the organization is that wicked, and I believe it is somewhat more secure than relying on the computer name. I found a couple of registry values that hold the joined domain:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain
  • HKEY_CURRENT_USER\Volatile Environment\USERDNSDOMAIN
I chose the registry value under Volatile Environment; this value is used for the compliance check.
[Screenshot: Checkpoint VPN client]

Now we need to edit SCV (Secure Configuration Verification) to set a policy that is applied before the connection is established.
Here are the steps:
  • Open an SSH connection to the server that has the Network Policy Management blade.
  • Go to expert mode.
  • Open the local.scv file with vi:
    • vi $FWDIR/conf/local.scv
  • Scroll down and find the section starting with : (RegMonitor
  • Press the Insert key to enter edit mode and edit the section as required:
: (RegMonitor
    :type (plugin)
    :parameters (
        :string ("HKEY_CURRENT_USER\Volatile Environment\USERDNSDOMAIN=your domain name here")
        :begin_admin (admin)
            :send_log (alert)
            :mismatchmessage ("Access Denied: Please contact your system administrator.")
        :end (admin)
    )
)

  • Then enable the RegMonitor policy by adding its name under SCVPolicy, which is near the bottom of the file:
:SCVPolicy (
    : (RegMonitor)
)
  • Now press the ESC key to exit edit mode and type :x to save.
  • Open SmartConsole, then Publish and Install Policy. Make sure Desktop Security is selected.

[Screenshot: Checkpoint Install policy]

The registry value is checked every time a user attempts to connect to the VPN. You can add your own error code to mismatchmessage for easier debugging if you want.
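Before running Install Policy it is worth confirming that the local.scv edit still parses and that RegMonitor is actually listed under SCVPolicy, since a check that is defined but not enabled never runs. The following Python script is an added example, not part of the original post or of Check Point's tooling: it parses the ':key (value)' syntax shown above from a constructed sample file (with the made-up domain corp.example), and reports the registry check, the enabled checks, and the two mistakes that quietly defeat the edit (placeholder left in place, RegMonitor not enabled).

```python
import re
# Tokens of the set syntax: quoted string, parenthesis, ':key' (a bare ':' is the empty key), bare word.
TOKEN_RE = re.compile(r'"[^"]*"|[()]|:\w*|[^\s()":]+')

# Constructed sample in the layout of $FWDIR/conf/local.scv (not the page's own file).
SAMPLE_SCV = r"""(SCVObject
  :SCVNames (
    : (RegMonitor
      :type (plugin)
      :parameters (
        :string ("HKEY_CURRENT_USER\Volatile Environment\USERDNSDOMAIN=corp.example")
        :mismatchmessage ("Access Denied: Please contact your system administrator.")))
  )
  :SCVPolicy ( : (RegMonitor) )
)"""

def _group(tokens, i):
    # Parse the '(' ... ')' at tokens[i] into [bare value | (key, value)]; return (items, next index).
    items, i = [], i + 1
    while tokens[i] != ")":
        tok, i = tokens[i], i + 1
        if tok.startswith(":"):           # ':key value' where value is a word, a string or a nested group
            value, i = _group(tokens, i) if tokens[i] == "(" else (tokens[i].strip('"'), i + 1)
            items.append((tok[1:], value))
        else:
            items.append(tok.strip('"'))  # bare word or quoted string, e.g. the check name
    return items, i + 1

def _get(items, key):
    """Values of every ':key' entry in a group (the empty key introduces a named check)."""
    return [it[1] for it in items if isinstance(it, tuple) and it[0] == key]

def validate_scv(text):
    """Report RegMonitor's registry checks, the enabled checks, and anything that defeats the edit."""
    tree = _group(TOKEN_RE.findall(text), 0)[0]  # IndexError here means unbalanced parentheses
    checks = {c[0]: c for names in _get(tree, "SCVNames") for c in _get(names, "")}
    enabled = [c[0] for pol in _get(tree, "SCVPolicy") for c in _get(pol, "")]
    strings = [s for p in _get(checks.get("RegMonitor", []), "parameters")
               for grp in _get(p, "string") for s in grp]
    problems, warnings = [], []
    if not strings:
        problems.append("no RegMonitor :string check defined under SCVNames")
    elif "RegMonitor" not in enabled:
        problems.append("RegMonitor is defined but not listed under SCVPolicy, so it never runs")
    for s in strings:
        if "=" not in s or "your domain name here" in s:
            problems.append("registry check still holds the placeholder: " + s)
        elif s.upper().startswith("HKEY_CURRENT_USER"):
            warnings.append("HKCU value can be changed by the logged-on user: " + s)
    return {"checks": strings, "enabled": enabled, "problems": problems, "warnings": warnings}
```

Run it as `validate_scv(open("local.scv").read())` on a copy of the real file; an empty "problems" list and the expected domain in "checks" is what you want to see before installing policy.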

Now both the user name (against the AD group) and the domain-joined computer are checked, for a more secure VPN connection.

Source: wideBIOS, https://widebios.blogspot.com/2020/06/customizing-checkpoint-to-accept-vpn.html