Alex-

GAIA Multi-Factor authentication after upgrade to R81.20 Take 99

I've upgraded an appliance from R81.20 Take 98 to R81.20 Take 99 and connected with an MFA-enabled local administrator.

Since then, it doesn't ask for the code anymore for clish (simple username/password), while it still asks for it in the WebUI.

I've reset the MFA code as I'm testing the feature before a larger deployment, but the behaviour stays the same.

WebUI: MFA

clish, with user-matching Expert password: username/password

Expected behaviour or TAC?

4 Replies
Alex-

Similar behaviour with another appliance. I created a new administrator with MFA on Take 98, WebUI + Clish ask for MFA.

After Take 99, only WebUI asks for the MFA code, Clish is username + password.

Alex-

I met another issue after enabling MFA for an account.

Upon clicking the option to generate the code on the login page after turning on the option, there was a delay and I got the following notification, approximately: "Failed to generate code, you asked for a code but this is not necessary. You will be redirected to the WebUI". The message isn't entirely correct; I didn't screenshot it.

After trying to log in again, that user was presented with MFA code entry, which of course couldn't be completed as we had no codes, temporal or recovery generated. Another admin account had to be used to reset MFA on that account, which enrolled correctly afterwards.

Alex-

Turning it off doesn't work apparently. If I uncheck the value in the WebUI, or set it to "no" in Clish, the WebUI will still ask for the MFA code.

After trying both UI/Clish MFA deactivation, "show user <user> two-factor-authentication-state" still shows it as enabled.

Minor point: most activation keywords in clish are "on/off".

For "set user <user> force-two-factor-authentication" this is "yes/no". So we have to make changes in scripted value matching. 😀

Also, "show configuration" doesn't display the MFA status per user in the global output; the "show user" commands have to be run.

Alex-

Seems to be related to the upgrade process and not Take 99.

I installed R81.20 on a VM, upgraded it directly to Take 99 and both WebUI and Clish work with MFA.
