topic Re: 2FA Configuration For Remote VPN Users in Endpoint

2FA Configuration For Remote VPN Users

scher — Wed, 24 Sep 2025 08:18:27 GMT

Hi,

Here we are using CP R81.20 GW Cluster and R81.20 CP Management (Open Server). There is a request to configure VPN users from Checkpoint with the 2FA (Email Notifications). Following tasks need to be achieved from our side.

User Base Policies (Group wise or User Wise)
User Idle timeout
Preventing Geo Locations For VPN Users (Country Wise)
2FA should be enabled (Email Notification - Already has on-prem Email Relay)

Currently we have enabled below blades.

Thanks

Re: 2FA Configuration For Remote VPN Users

PhoneBoy — Wed, 24 Sep 2025 22:10:14 GMT

For email MFA, the features is called DynamicID
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Content/Topics-MABG/DynamicID.htm

User based policies require Access Roles to be defined.
Access Roles are required to have user-specific policies, which generally requires enabling/configuring Identity Awareness, though I believe this can be done with local users as well.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Access-Roles.htm
You can then create rules that permit access to the various roles.

There isn't an "idle" timer, but there is a reauthentication timer set in Global Properties > Remote Access > Endpoint Connect

To restrict (or allow) only specific countries for Remote Access: https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695#M31396

Re: 2FA Configuration For Remote VPN Users

the_rock — Fri, 03 Oct 2025 15:21:39 GMT

Hey @scher ...hopefully what Phoneboy provided worked for you.

Best,

Andy