Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
RemoteUser
Advisor

PAM

Hi Mates,

Is there any documentation available regarding PAM (Privileged Access Management) on Check Point?

Thanks in advance!

4 Replies
simonemantovani
MVP Platinum
MVP Platinum

What is your needs about PAM?

0 Kudos
RemoteUser
Advisor

The customer authenticates to the firewall using both HTTPS and SSH.

However, the challenge is that when the customer initiates a connection through the PAM to access the firewall, a different set of credentials is used.

0 Kudos
simonemantovani
MVP Platinum
MVP Platinum

But I suppose you can store admin credential in your PAM solution, and when the user logs into PAM, when it connects to the firewall the admin credentials are used. 

0 Kudos
jorgeluiznim
Contributor

 

Hello, @RemoteUser 

Regarding your question about integrating a Privileged Access Management (PAM) solution with Check Point, we reviewed the current product documentation (R82) to verify how administrator authentication is handled and how user identities are recorded during administrative sessions.

Based on the official documentation, Check Point does not provide a native PAM integration that preserves or records the identity of the original user authenticated by a third-party PAM solution (such as CyberArk, BeyondTrust, Delinea, Wallix, etc.) when establishing administrative connections over SSH, HTTPS (WebUI), or the Management API.

How Authentication Works

Check Point always authenticates the credentials that are presented during the connection.

In a typical PAM deployment, the administrator first authenticates against the PAM platform using their corporate identity (for example, Active Directory credentials with MFA). After successful authentication, the PAM solution retrieves a privileged account from its secure vault and uses that account to establish the administrative session with the Check Point device.

Administrator
      │
      ▼
PAM Solution
(CyberArk / BeyondTrust / Delinea / etc.)
      │
      │ User authenticates with corporate credentials
      ▼
PAM retrieves privileged credentials
      │
      ▼
SSH / HTTPS / API
      │
      ▼
Check Point Gateway or Security Management Server

From the Check Point perspective, the authenticated identity is the privileged account that actually connects to the system (for example admin, cpadmin, or another administrative account).

Since the original corporate identity is authenticated only by the PAM platform and is not transmitted as part of the standard SSH or HTTPS authentication process, Check Point has no native mechanism to associate that identity with the administrative session.

Audit and Logging

This behavior is expected and aligns with the responsibilities of each component.

  • Check Point authenticates and authorizes the privileged account used to establish the connection.
  • The PAM solution authenticates the end user, retrieves the privileged credentials, records session information, and maintains the correlation between the end user and the privileged account.

As a result:

  • Check Point audit logs will show the privileged account that authenticated to the firewall or management server.
  • The mapping between the original user and the privileged account is maintained within the PAM solution's audit logs.
  • If the customer needs to determine which user accessed the firewall through a shared privileged account, this information should be obtained from the PAM platform rather than from Check Point logs.
Example

User: john.smith
Privileged account stored in PAM: admin

The PAM authenticates john.smith, retrieves the admin credentials from its vault, and connects to the Check Point gateway.

Consequently, Check Point records the login as admin, while the PAM solution records that john.smith used the admin account.

Supported Administrator Authentication Methods

According to the official R82 Security Management Administration Guide, administrator authentication can be configured using supported authentication mechanisms such as:

  • Check Point Password
  • Operating System Password
  • RADIUS
  • SAML Identity Providers
  • Certificate-based Authentication
  • API Keys

The documentation does not describe a native authentication mechanism capable of receiving, preserving, or displaying the original identity authenticated by an external Privileged Access Management solution during SSH, HTTPS, or API administrative sessions.

Conclusion

Based on the official Check Point documentation, the behavior observed in your environment is the expected behavior.

When an administrative session is initiated through a third-party PAM solution, Check Point authenticates only the privileged account presented during the connection. The original user identity remains managed by the PAM platform, which is responsible for maintaining the complete audit trail and correlating the end user with the privileged account used during the session.

If preserving end-user identity inside Check Point audit logs is a business requirement, this functionality is currently not documented as a native capability of Check Point Security Management. The recommended approach is to rely on the auditing and session recording features provided by the PAM solution itself.

Official References

1. Managing Administrator Accounts (R82)
Describes administrator accounts, authentication methods, permission profiles, and administrator login behavior.

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SecurityManagement_AdminGuide/Cont...
2. R82 Security Management Administration Guide (Complete Guide)
Complete administration guide covering administrator management, authentication methods, authorization, SmartConsole administration, and Security Management configuration.

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SecurityManagement_AdminGuide/CP_R...
3. R82 Security Management Administration Guide - Documentation Portal
Official entry point for the complete R82 Security Management documentation.

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SecurityManagement_AdminGuide/Defa...

We hope this clarifies the expected behavior. If you have additional questions regarding your specific PAM implementation or would like to discuss possible deployment alternatives, please let us know and we'll be happy to assist.

Best regards,
Jorge Dias Junior.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events