2FA for administrator connections
Hello, everyone.
A question: is there any "free" option to work with 2FA for administrator access to the SMS (SmartConsole) and the Gaia Portal for GWs?
The idea is that the current administrators, both for access to the SMS and to the Gaia of all the GWs we have, go through a 2FA filter (for the moment, we are looking for a free option).
Also, we want to be able to send an alert by email for each connection event of an administrator.
Are these options possible?
We have version R81.10
Greetings.
Maybe something like: https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy
Hey bro,
I doubt CP would offer anything free for something like that, unless maybe if you connect with your Sales person, they might be able to get you something for 30 days as a try out.
Andy
Yes, administrators can use a free certificate issued by the ICA to authenticate into the SmartConsole. The first factor is possession of the certificate, and the second factor is knowing the pass phrase to decrypt the certificate for use, which is encrypted at rest. Another alternative is via RADIUS: you can set up some kind of OTP/code to be texted to the administrator's known cell phone number, as detailed in another post.
Edit: As far as alerts, you could set up a SmartTask with a "Before Login" trigger to send an email to an alias whenever someone logs in. You can also have a SmartTask fire an email whenever a policy is reinstalled to a gateway if you like.
You can use the following guide to set up a free RADIUS + Google Authenticator OTP.
https://community.checkpoint.com/t5/General-Topics/MFA-with-Google-Authenticator/m-p/39456
I never used it for the SC, only for a small-scale VPN deployment, but since the SC console supports RADIUS it should work.
Check Point recently proposed PlayBlocks, which allows automated reactions to events. For this, you need to create an Infinity account and link your SMS to that account. You then have access to a catalog of automations and can link them to various methods of notification like E-mail, SMS, Teams and so on.
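
For readers evaluating the RADIUS + Google Authenticator route suggested above, this added example (not from the thread or the linked guide) shows the check an OTP backend performs: RFC 6238 TOTP with a one-step drift window, constant-time comparison, and rejection of a replayed code. The `OtpVerifier` class, its window and replay policy are assumptions for illustration, and the secret is the RFC 4226/6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: base32 of the RFC 4226/6238 test key "12345678901234567890".
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the default used by Google Authenticator."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class OtpVerifier:
    """Hypothetical per-administrator verifier with drift window and replay guard."""

    def __init__(self, secret_b32, window=1, step=30):
        self.secret = secret_b32
        self.window = window      # accepted clock drift, in time steps either side
        self.step = step
        self.last_step = -1       # highest time step already consumed

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // self.step
        for s in range(current - self.window, current + self.window + 1):
            if s <= self.last_step:
                continue          # this step (or a later one) was already used
            expected = totp(self.secret, s * self.step, self.step)
            # Constant-time comparison avoids leaking matching digits via timing.
            if hmac.compare_digest(expected.encode(), str(code).encode()):
                self.last_step = s
                return True
        return False

if __name__ == "__main__":
    v = OtpVerifier(TEST_SECRET)
    print(v.verify("287082", now=59))   # valid code for the time step at t=59
    print(v.verify("287082", now=59))   # same code replayed inside its window
```

A wider `window` tolerates more clock skew on the administrator's phone but lengthens the time a captured code stays usable, so keep it as small as the deployment allows.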
To add to what @Timothy_Hall mentioned, below is what it would look like.
Andy
Also, great suggestion by @Alex-
Hello,
My customer now tells us that he wants the integration through TACACS, for the 2FA (both SmartConsole and access to the Gaia OS WebUI).
The access to both "consoles" is independent, correct?
Cheers. 🙂
That's right.
