scher
Participant

2FA Configuration For Remote VPN Users

Hi,

Here we are using a CP R81.20 GW Cluster and R81.20 CP Management (Open Server). There is a request to configure VPN users from Check Point with 2FA (Email Notifications). The following tasks need to be achieved from our side.

  • User Base Policies (Group wise or User Wise)
  • User Idle timeout
  • Preventing Geo Locations For VPN Users (Country Wise)
  • 2FA should be enabled (Email Notification - Already has on-prem Email Relay)

Currently we have enabled the blades below.

[Screenshots attached: VPN Client Configuration (01, Authentication, Clientless VPN, Office Mode, Remote Access, SAML Portal Settings) and Enabled Blades]

Thanks

Tags: Remote Access VPN

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin

For email MFA, the feature is called DynamicID:
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Cont... 

User based policies require Access Roles to be defined.
Access Roles are required to have user-specific policies, which generally requires enabling/configuring Identity Awareness, though I believe this can be done with local users as well.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid... 
You can then create rules that permit access to the various roles.

There isn't an "idle" timer, but there is a reauthentication timer set in Global Properties > Remote Access > Endpoint Connect.

To restrict (or allow) only specific countries for Remote Access: https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695#M31396 


0 Kudos
2 Replies
the_rock
MVP Gold

Hey @scher... hopefully what PhoneBoy provided worked for you.

Best,

Andy

0 Kudos
