This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2023-08-25 05:23 PM

2FA for administrator connections

Hello, everyone.

A question, is there any "free" option to work with 2FA, for administrator access to SMS (SmartConsole) and Gaia Portal for GWs?

The idea is that, the current administrators, both in the access to the SMS and the Gaia of all the GW we have, go through a 2FA filter (For the moment, we are looking for a free option).

Also, we want that for each connection event of an administrator, we can send an alert by email.

Are these options possible?

We have version R81.10

Greetings.

0 Kudos
7 Replies
the_rock
Legend
Legend
‎2023-08-26 06:35 AM

Hey bro,

I doubt CP would offer anything free for something like that, unless maybe if you connect with your Sales person, they might be able to get you something for 30 days as a try out.

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-08-26 08:43 AM

Yes, administrators can use a free certificate issued by the ICA to authenticate into the SmartConsole.  The first factor is possession of the certificate, and the second factor is knowing the pass phrase to decrypt the certificate for use which is encrypted at rest.  Another alternative is via RADIUS you can set up some kind of OTP/code to be texted to administrator's known cell phone number as detailed in another post.

Edit: As far as alerts you could set up a SmartTask with a "Before Login" trigger to send an email to an alias whenever someone logs in.  You can also have a SmartTask fire an email whenever a policy is reinstalled to a gateway if you like.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
Alex-
Leader Leader
Leader
‎2023-08-26 09:25 AM

You can use the following guide to set up a free RADIUS + Google Authenticator OTP. 

https://community.checkpoint.com/t5/General-Topics/MFA-with-Google-Authenticator/m-p/39456

I never used it for the SC but for a small-scale VPN deployment but since SC console support RADIUS it should work.

Check Point recently proposed PlayBlocks which allows automated reactions to events. For this, you need to create an Infinity account and link your SMS to that account. You have then access to a catalog of automations and can link them to various methods of notifications like E-mail, SMS, Teams and so on.

 

 

Screenshot 2023-08-26 at 18.24.35.png

0 Kudos
the_rock
Legend
Legend
‎2023-08-26 09:28 AM

To add to what @Timothy_Hall mentioned, below is what it would look like.

Andy

Screenshot_1.png

Also, great suggestion by @Alex- 

0 Kudos
Matlu
Advisor
‎2023-08-27 02:04 PM
In response to the_rock

Hello,

 

My customer now tells us that he wants the integration through TACACS, for the 2FA (both SmartConsole and access to the Gaia OS WebUI).

 

The access to both "consoles" is independent, correct?

Cheers. 🙂

0 Kudos
the_rock
Legend
Legend
‎2023-08-27 02:18 PM
In response to Matlu

Thats right.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top