topic Limiting concurrent user authentication in Firewall and Security Management

Limiting concurrent user authentication

Fabz — Tue, 24 Jan 2023 15:46:48 GMT

Hello Checkpoint Checkmates Forum,

Im new in this solution, but have similar experience with another firewall product.

According to my topic, I recently had a question from a customer about the Checkpoint Firewall's ability to restrict concurrent user authentication, whether local users or AD integration are used. Does Checkpoint Firewall support this?

The use case is similar with this for other product : https://community.fortinet.com/t5/FortiGate/Technical-Tip-Limiting-concurrent-user-authentication/ta-p/199277

For example : we have user "CheckPoint", so this user only permitted to use a maximum of 5 devices for a captive portal or vpn.

Thank you 🙂

Re: Limiting concurrent user authentication

the_rock — Tue, 24 Jan 2023 17:28:21 GMT

Excellent question! Honestly, I never thought about it in all these years, but now that you mentioned it, Im also cusious to see if there is a way. I looked everywhere in global properties, gateway settings and cant find setting related to number or re-authentications.

I also checked guidbedit as well, but not sure if there is something there, but will keep looking.

Re: Limiting concurrent user authentication

Fabz — Tue, 24 Jan 2023 23:42:12 GMT

Hi @the_rock

Yes i also looked at sk document, but found nothing. May this feature will be available on the next new OS?

Re: Limiting concurrent user authentication

Fabz — Tue, 24 Jan 2023 23:43:59 GMT

hi @the_rock

Yes i also looked at sk document, but found nothing. May this feature will be available on the next new OS? Thanks!

Re: Limiting concurrent user authentication

the_rock — Wed, 25 Jan 2023 01:11:29 GMT

Hopefully @_Val_ or @PhoneBoy may know...they are CP encyclopedias.

Re: Limiting concurrent user authentication

PhoneBoy — Wed, 25 Jan 2023 05:42:13 GMT

In what precise context are we discussing authentication?
For example, in Remote Access, there's a Global Property that specifically disallows a user from connecting to the gateway more than once.

In other contexts...not sure.
@Royi_Priov do we have some way to prevent a single user from showing up on multiple IPs?

Re: Limiting concurrent user authentication

the_rock — Wed, 25 Jan 2023 05:54:23 GMT

Hm, totally missed that option today in my lab, will verify again tomorrow.

Re: Limiting concurrent user authentication

Fabz — Wed, 25 Jan 2023 13:27:16 GMT

Hi @PhoneBoy is it alao applicable for Captive Portal?

Re: Limiting concurrent user authentication

PhoneBoy — Wed, 25 Jan 2023 19:39:36 GMT

Captive Portal is part of Identity Awareness, and the above only applies to Remote Access VPN.
While we have mechanisms to filter out users that appear on multiple computers, that requires R81.20.
This doesn't "restrict" a user to, say, 5 logins, but it invalidates ALL sessions for any user that exceeds whatever you've configured the threshholds for.
This is also not the specific use case for this feature (it's designed for Service accounts specifically), so it may not work for that purpose.

Assuming you're using an external identity source like Active Directly, it should be possible to configure such login limits there.
For locally defined users where the password is defined in the Check Point management, there is no way to prevent them from logging in multiple times; this would be an RFE.