Yes, but not native support.
Per CP marketing: I do see support for PATs in the CP marketing. This page (https://www.checkpoint.com/cyber-hub/network-security/what-is-multi-factor-authentication-mfa/) says Yubikeys are supported:
"Physical Authentication Tokens: Physical authentication tokens like a smartcard, Yubikey, etc. provide possession-based authentication. These devices may generate an OTP or connect to a device via USB, Bluetooth, or NFC to provide a second authentication factor."
Per TAC:
- Check Point does not offer native support for Yubikey integration.
- Yubikeys are generally used for OTP (One-Time Password) or FIDO2/U2F authentication.
- Our products support external authentication methods such as RADIUS, TACACS, and SecurID (RSA).
- Integration with Yubikey is possible by using an external authentication manager (e.g., RADIUS, TACACS, or SecurID) that supports Yubikey.
My breakdown is:
RE: RADIUS, set up a RADIUS server or use
https://rublon.com/doc/checkpoint/
RADIUS - Update username in accept? - Check Point CheckMates
RE: TACACS, set up an internal TACACS server from open source
TACACS open sources RHEL
While there isn't a single "TACACS open source RHEL" package, you can use open-source TACACS+ daemons like tac_plus from GitHub, or tacquito, also from GitHub, on Red Hat Enterprise Linux (RHEL) distributions. You'll need to compile and configure them, potentially using tools like yum and rpmbuild.
Here's a more detailed breakdown:
RE: SecurID - per phoneboy, most of the recent SecurID implementations use RADIUS
https://community.checkpoint.com/t5/Management/RSA-secure-ID-authentication-for-checkpoint-gateways-...
Maybe another option with SAML:
https://community.checkpoint.com/t5/Remote-Access-VPN/SAML-with-Yubikey-on-Remote-Access-VPN/td-p/22...