https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251995#M1823 <P>As far as I know the situation with this has not changed.<BR />Recommend engaging your local Check Point office on this requirement.</P> Wed, 25 Jun 2025 20:58:53 GMT PhoneBoy 2025-06-25T20:58:53Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251761#M1815 <P><SPAN>Checkpoint VPN 2 factor authentication has been setup successfully, but now there is a requirement where the&nbsp;</SPAN><STRONG>MFA (multi factor&nbsp;authentication) needs to be enforced on certain users and NOT all users</STRONG><SPAN>.</SPAN></P><P>Ex : - If there are 10 users, 8 of them will be enforced with MFA and the other 2 will not be enforced with MFA.</P><P><SPAN>Is this possible?</SPAN></P> Mon, 23 Jun 2025 10:03:33 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251761#M1815 bcmario 2025-06-23T10:03:33Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251762#M1816 <P>From what Im aware of, its not possible. I asked this exact question while via TAC case and they responded saying escalation team told them it was not feasible. This was back in 2023, but I have not heard otherwise since.</P> <P>The only way I can see this working would be if you create local users in smart console and assign them specific auth method.</P> <P>Maybe someone else can confirm.</P> <P>Andy</P> Mon, 23 Jun 2025 10:13:39 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251762#M1816 the_rock 2025-06-23T10:13:39Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251929#M1817 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;any idea whether this is still not possible or is there a workaround this now?</P> Wed, 25 Jun 2025 03:30:39 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251929#M1817 bcmario 2025-06-25T03:30:39Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251934#M1818 <P>Not sure if this classifies as a workaround but we managed to accomplish this. The catch is we're doing it through MS Authenticator via Entra Conditional Access Policies.</P> Wed, 25 Jun 2025 05:48:18 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251934#M1818 Ruan_Kotze 2025-06-25T05:48:18Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251935#M1819 <P>Hi,</P><P>I believe this depends on how you setup the MFA as what I understand as well, make sure to untick legacy authentication method. Let me know if it works</P><P>&nbsp;</P> Wed, 25 Jun 2025 05:57:01 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251935#M1819 garrod 2025-06-25T05:57:01Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251950#M1820 <P>How did you set up auth methods in smart console gateway object?</P> <P>Andy</P> Wed, 25 Jun 2025 10:13:21 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251950#M1820 the_rock 2025-06-25T10:13:21Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251956#M1821 <P>Hi,</P> <P>It depends on how you configure IDP. For example, Microsoft azure AD is your IDP then you can enforce 2FA setting in Azure AD. Firewall just forward request to azure AD and it will decide whether to enforce 2FA or not.</P> Wed, 25 Jun 2025 11:35:30 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251956#M1821 Gaurav_Pandya 2025-06-25T11:35:30Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251958#M1822 <P>Right, but thats generally how it works, not to exclude few users though.</P> <P>Andy</P> Wed, 25 Jun 2025 11:46:15 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251958#M1822 the_rock 2025-06-25T11:46:15Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251995#M1823 <P>As far as I know the situation with this has not changed.<BR />Recommend engaging your local Check Point office on this requirement.</P> Wed, 25 Jun 2025 20:58:53 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Checkpoint-VPN-MFA/m-p/251995#M1823 PhoneBoy 2025-06-25T20:58:53Z