This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
scher
Participant
‎2025-09-24 01:18 AM
Jump to solution

2FA Configuration For Remote VPN Users

Hi,

Here we are using CP R81.20 GW Cluster and R81.20 CP Management (Open Server). There is a request to configure VPN users from Checkpoint with the 2FA (Email Notifications). Following tasks need to be achieved from our side.

  • User Base Policies (Group wise or User Wise)
  • User Idle timeout
  • Preventing Geo Locations For VPN Users (Country Wise)
  • 2FA should be enabled (Email Notification - Already has on-prem Email Relay)

Currently we have enabled below blades.

 

VPN CLIENT CONFIGURATION - 01.png

VPN CLIENT CONFIGURATION - AUTHENTICATION.png

VPN CLIENT CONFIGURATION - CLIENTLESS VPN.png

VPN CLIENT CONFIGURATION - OFFICE MODE.png

VPN CLIENT CONFIGURATION - REMOTE ACCESS.png

VPN CLIENT CONFIGURATION - SAML PORTAL SETTINGS.png

ENABLED BLADES.png

       

Thanks

remote-access Remote Access VPN 

remote-access
remote-access
Remote Access VPN
Remote Access VPN
Quantum
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2025-09-24 03:10 PM
Jump to solution

For email MFA, the features is called DynamicID
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Cont... 

User based policies require Access Roles to be defined.
Access Roles are required to have user-specific policies, which generally requires enabling/configuring Identity Awareness, though I believe this can be done with local users as well.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid... 
You can then create rules that permit access to the various roles.

There isn't an "idle" timer, but there is a reauthentication timer set in Global Properties > Remote Access > Endpoint Connect

To restrict (or allow) only specific countries for Remote Access: https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695#M31396 

View solution in original post

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2025-09-24 03:10 PM
Jump to solution

For email MFA, the features is called DynamicID
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Cont... 

User based policies require Access Roles to be defined.
Access Roles are required to have user-specific policies, which generally requires enabling/configuring Identity Awareness, though I believe this can be done with local users as well.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid... 
You can then create rules that permit access to the various roles.

There isn't an "idle" timer, but there is a reauthentication timer set in Global Properties > Remote Access > Endpoint Connect

To restrict (or allow) only specific countries for Remote Access: https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695#M31396 

0 Kudos
the_rock
MVP Gold
MVP Gold
3 weeks ago
Jump to solution

Hey @scher ...hopefully what Phoneboy provided worked for you.

Best,

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events