Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Matlu
Advisor

2FA for administrator connections

Hello, everyone.

A question, is there any "free" option to work with 2FA, for administrator access to SMS (SmartConsole) and Gaia Portal for GWs?

The idea is that, the current administrators, both in the access to the SMS and the Gaia of all the GW we have, go through a 2FA filter (For the moment, we are looking for a free option).

Also, we want that for each connection event of an administrator, we can send an alert by email.

Are these options possible?

We have version R81.10

Greetings.

0 Kudos
7 Replies
PhoneBoy
Admin
Admin

0 Kudos
the_rock
Legend
Legend

Hey bro,

I doubt CP would offer anything free for something like that, unless maybe if you connect with your Sales person, they might be able to get you something for 30 days as a try out.

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend

Yes, administrators can use a free certificate issued by the ICA to authenticate into the SmartConsole.  The first factor is possession of the certificate, and the second factor is knowing the pass phrase to decrypt the certificate for use which is encrypted at rest.  Another alternative is via RADIUS you can set up some kind of OTP/code to be texted to administrator's known cell phone number as detailed in another post.

Edit: As far as alerts you could set up a SmartTask with a "Before Login" trigger to send an email to an alias whenever someone logs in.  You can also have a SmartTask fire an email whenever a policy is reinstalled to a gateway if you like.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Alex-
Leader Leader
Leader

You can use the following guide to set up a free RADIUS + Google Authenticator OTP. 

https://community.checkpoint.com/t5/General-Topics/MFA-with-Google-Authenticator/m-p/39456

I never used it for the SC but for a small-scale VPN deployment but since SC console support RADIUS it should work.

Check Point recently proposed PlayBlocks which allows automated reactions to events. For this, you need to create an Infinity account and link your SMS to that account. You have then access to a catalog of automations and can link them to various methods of notifications like E-mail, SMS, Teams and so on.

 

 

Screenshot 2023-08-26 at 18.24.35.png

0 Kudos
the_rock
Legend
Legend

To add to what @Timothy_Hall mentioned, below is what it would look like.

Andy

Screenshot_1.png

Also, great suggestion by @Alex- 

0 Kudos
Matlu
Advisor

Hello,

 

My customer now tells us that he wants the integration through TACACS, for the 2FA (both SmartConsole and access to the Gaia OS WebUI).

 

The access to both "consoles" is independent, correct?

Cheers. 🙂

0 Kudos
the_rock
Legend
Legend

Thats right.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events