dsethi
Participant

MFA for admin access for Check Point firewall on Gaia and SmartConsole

Could anyone guide me with steps for implementing the best approach to MFA for Check Point firewalls (only for admin access on Gaia and SmartConsole R81.10) on an Azure platform?

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin

We've added support for MFA for Gaia OS (WebUI, clish and API) in R82 as well as R81.20 JHF 96 and above.
The MFA is TOTP clients like Google/Microsoft Authenticator.
More details: https://support.checkpoint.com/results/sk/sk181854 


0 Kudos
PhoneBoy
Admin

I realize that you also asked about SmartConsole and MFA, which is very different.
From R81.20, you can use a SAML provider (Entra ID): https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...

In earlier releases, or without this, it is supported provided your MFA source is reachable via RADIUS or TACACS.
Note that you will only get a single password prompt, which means you enter your password plus MFA code in the same box.


0 Kudos
10 Replies
PhoneBoy
Admin

What is your identity source here?
If it's Azure AD, then you cannot authenticate to the Gaia OS using this method, only RADIUS or TACACS are supported.
SmartConsole supports integration with Azure AD from R81.20: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid... 

dsethi
Participant

It is Azure AD for authentication. Would this SAML authentication with Azure suffice for my MFA requirement for admin logins on SmartConsole and the Gaia portal?

0 Kudos
PhoneBoy
Admin

Yes, because the entire authentication flow happens in Azure AD (which supports MFA).

Like I said, the Gaia OS does not support integration with SAML, only RADIUS or TACACS.
Which means you need a Windows NPS server set up with the appropriate plugin: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-radius 

You can actually use RADIUS for both SmartConsole and Gaia OS in R81.10.
The "MFA" would be entered in after your fixed password in both cases.
The user experience of the SAML-based approach is much better.

dsethi
Participant

Thank you so much for your response! Is there any documentation for the steps that can be followed to implement MFA for both SmartConsole and Gaia using RADIUS and Azure AD?

0 Kudos
PhoneBoy
Admin

Integration with RADIUS is explained in the various guides:

Refer to the appropriate Microsoft documentation to configure the NPS Server.

0 Kudos
Neal_Welsh
Participant

Hi, we have tried to get this working for Gaia R81.20 (using NPS and the NPS plugin); it works fine for our other clients (Cisco routers etc.), but Check Point Gaia (Web/SSH/console) does not. I raised an SR and TAC informed me it wasn't supported.

Interested in what you mean in your comment "The "MFA" would be entered in after your fixed password in both cases". As neither the Web GUI nor the SSH session displays a separate input page, do you mean you put it all in one go, i.e. password and MFA code on the same line when entering the password? Do you have to use any separators, or do you mean something else entirely?

Thanks, Neal

0 Kudos
PhoneBoy
Admin

Yes, you have to enter both the password and your MFA code in the same field.
The MFA code should be entered directly after the password, as I recall.

0 Kudos
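Added example for the "password plus OTP in the same box" behaviour discussed above. This is not Check Point, Microsoft NPS or thread-posted code; it models what a RADIUS/TACACS backend has to do when Gaia or SmartConsole can only send one password value: split off the trailing OTP, check the static password, check the TOTP (RFC 6238, the same scheme Google/Microsoft Authenticator use) inside a small clock-skew window, and refuse replays of a captured field. The "OTP is the last six digits, no separator" layout, the salt, the sample admin password and the `SingleFieldMfaVerifier` class are assumptions of this example; the TOTP secret and time values are the RFC 6238 test vectors so the codes can be checked against the RFC.

```python
"""Server-side check for 'password + OTP in one field' (hypothetical example).

Not Check Point or Microsoft NPS code. Models the work a RADIUS/TACACS backend
does when the client (Gaia WebUI/SSH, SmartConsole) sends a single password
attribute containing the static password with the TOTP appended.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

OTP_DIGITS = 6          # Google/Microsoft Authenticator default
STEP_SECONDS = 30       # RFC 6238 default time step
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = OTP_DIGITS,
         step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, unix_time // step, digits)


def split_combined_field(field: str, digits: int = OTP_DIGITS) -> Optional[Tuple[str, str]]:
    """Split '<password><otp>' as typed into the single password box.

    Assumption of this example (not a documented format): the OTP is the last
    `digits` characters, appended directly with no separator.
    """
    if len(field) <= digits or not field[-digits:].isdigit():
        return None
    return field[:-digits], field[-digits:]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class SingleFieldMfaVerifier:
    """Verifies a combined password+OTP field for one admin account (hypothetical)."""

    def __init__(self, password: str, totp_secret: bytes, window: int = 1):
        self._salt = b"example-salt-not-for-production"  # fixed salt only for the demo
        self._password_hash = hash_password(password, self._salt)
        self._totp_secret = totp_secret
        self._window = window            # accept +/- this many 30 s steps of clock skew
        self._last_counter = -1          # highest counter already accepted: blocks replay

    def verify(self, field: str, now: Optional[int] = None) -> bool:
        parts = split_combined_field(field)
        if parts is None:
            return False
        password, otp = parts
        now = int(time.time()) if now is None else now
        counter = now // STEP_SECONDS

        # Evaluate both factors fully (no early return) so response time does not
        # reveal which factor failed; compare_digest keeps each compare constant-time.
        pw_ok = hmac.compare_digest(hash_password(password, self._salt), self._password_hash)
        matched = None
        for c in range(counter - self._window, counter + self._window + 1):
            if hmac.compare_digest(hotp(self._totp_secret, c), otp):
                matched = c
        otp_ok = matched is not None and matched > self._last_counter

        if pw_ok and otp_ok:
            self._last_counter = matched  # burn this code: a captured field cannot be replayed
            return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"       # RFC 6238 reference secret
    v = SingleFieldMfaVerifier("Hunter2!", secret)   # constructed sample password
    code = totp(secret, 59)                # "287082" per the RFC 6238 test vector
    print("first login :", v.verify("Hunter2!" + code, now=59))
    print("replay      :", v.verify("Hunter2!" + code, now=70))
    print("bad password:", v.verify("hunter2!" + totp(secret, 120), now=120))
```

The replay check matters precisely because the OTP travels inside the RADIUS User-Password (or TACACS+ password) attribute: anyone who can recover that field during the 30 s step (plus the skew window) has a complete credential, so the backend must burn each accepted counter. The window of one step on each side is the usual trade-off between clock drift on the authenticator and the size of the replay/guessing surface.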
Daniel_Kavan
MVP Gold

Hi, are there any new options with R82? Also, since MFA is 90% effective, to get to 99.9% we're now being asked for phishing-resistant MFA. Maybe a user certificate on a YubiKey would work? RE: admin access to Gaia, command line, LOM, and/or SmartConsole.

0 Kudos
