Hello, @RemoteUser
Regarding your question about integrating a Privileged Access Management (PAM) solution with Check Point, we reviewed the current product documentation (R82) to verify how administrator authentication is handled and how user identities are recorded during administrative sessions.
Based on the official documentation, Check Point does not provide a native PAM integration that preserves or records the identity of the original user authenticated by a third-party PAM solution (such as CyberArk, BeyondTrust, Delinea, Wallix, etc.) when establishing administrative connections over SSH, HTTPS (WebUI), or the Management API.
How Authentication Works
Check Point always authenticates the credentials that are presented during the connection.
In a typical PAM deployment, the administrator first authenticates against the PAM platform using their corporate identity (for example, Active Directory credentials with MFA). After successful authentication, the PAM solution retrieves a privileged account from its secure vault and uses that account to establish the administrative session with the Check Point device.
Administrator
│
▼
PAM Solution
(CyberArk / BeyondTrust / Delinea / etc.)
│
│ User authenticates with corporate credentials
▼
PAM retrieves privileged credentials
│
▼
SSH / HTTPS / API
│
▼
Check Point Gateway or Security Management ServerFrom the Check Point perspective, the authenticated identity is the privileged account that actually connects to the system (for example admin, cpadmin, or another administrative account).
Since the original corporate identity is authenticated only by the PAM platform and is not transmitted as part of the standard SSH or HTTPS authentication process, Check Point has no native mechanism to associate that identity with the administrative session.
Audit and Logging
This behavior is expected and aligns with the responsibilities of each component.
- Check Point authenticates and authorizes the privileged account used to establish the connection.
- The PAM solution authenticates the end user, retrieves the privileged credentials, records session information, and maintains the correlation between the end user and the privileged account.
As a result:
- Check Point audit logs will show the privileged account that authenticated to the firewall or management server.
- The mapping between the original user and the privileged account is maintained within the PAM solution's audit logs.
- If the customer needs to determine which user accessed the firewall through a shared privileged account, this information should be obtained from the PAM platform rather than from Check Point logs.
Example
User: john.smith
Privileged account stored in PAM: admin
The PAM authenticates john.smith, retrieves the admin credentials from its vault, and connects to the Check Point gateway.
Consequently, Check Point records the login as admin, while the PAM solution records that john.smith used the admin account.
Supported Administrator Authentication Methods
According to the official R82 Security Management Administration Guide, administrator authentication can be configured using supported authentication mechanisms such as:
- Check Point Password
- Operating System Password
- RADIUS
- SAML Identity Providers
- Certificate-based Authentication
- API Keys
The documentation does not describe a native authentication mechanism capable of receiving, preserving, or displaying the original identity authenticated by an external Privileged Access Management solution during SSH, HTTPS, or API administrative sessions.
Conclusion
Based on the official Check Point documentation, the behavior observed in your environment is the expected behavior.
When an administrative session is initiated through a third-party PAM solution, Check Point authenticates only the privileged account presented during the connection. The original user identity remains managed by the PAM platform, which is responsible for maintaining the complete audit trail and correlating the end user with the privileged account used during the session.
If preserving end-user identity inside Check Point audit logs is a business requirement, this functionality is currently not documented as a native capability of Check Point Security Management. The recommended approach is to rely on the auditing and session recording features provided by the PAM solution itself.
Official References
We hope this clarifies the expected behavior. If you have additional questions regarding your specific PAM implementation or would like to discuss possible deployment alternatives, please let us know and we'll be happy to assist.
Best regards,
Jorge Dias Junior.