Hey guys,
I read a couple of posts where people asked about this in the past, but it does not appear there was a concrete answer. Is there any possible way to block a user after they fail connecting to VPN after so many attempts? I know SAM rules are used to instantly block specific IP addresses, but that won't do for a user.
So, here is a basic example... say a user fails to authenticate to the VPN site after 3 attempts, can the admin block them for an hour before they can try again?
Thanks as always.
Andy
The only way I could see doing this is with an automatic reaction in SmartEvent.
Whether it's actually possible is a separate question.
Thank you, appreciate the feedback as always!
Andy
What is the authentication method of the user in question? Simple (not secured) username/password?
In this case, yes, but I was more asking generally, regardless of what the auth method is.
Andy
Hi Andy,
Not sure if it relates, but I know we have such a feature for SNX, but for IP addresses (not users).
https://support.checkpoint.com/results/sk/sk180271
Also, I think PhoneBoy mentioned before in a different thread about using Gaia OS passwords as authentication to lock out users after failed login attempts.
Thanks Tom! Yes, I had seen that post before by PhoneBoy, but sadly it's not related to this exact scenario. Now, the sk you mentioned looks super interesting. I wonder if doing fw ctl set -f flag for the below kernel parameter may actually work, definitely worth a try.
vpn_failed_auth_attempt_threshold
Thanks a lot again, I value the advice.
Andy
Hey again Tom,
I will have a call today with my colleague and bring up this kernel parameter setting and see if the client would be okay to test this out. I don't think it should be an issue, as they are a smaller shop, so probably not a big hurdle, if you will, to try.
Will keep you posted. Thanks a lot again for sending this, I feel really positive about it, as the setting certainly does make sense.
Andy
Sadly, did not work. Tested in the lab, but no joy. I believe it's only applicable to SNX, NOT the VPN client.
Andy
[Expert@R82:0]# fw ctl set -f int vpn_failed_auth_attempt_threshold 5
"fwkern.conf" was updated successfully
[Expert@R82:0]# more /opt/CPsuite-R82/fw1/boot/modules/fwkern.conf
udp_is_verify_cksum=0
vpn_failed_auth_attempt_threshold=5
[Expert@R82:0]#
I'd also like some built-in solution (similar to the one for SNX clients) for VPN clients. Bruteforcing of VPN users/passwords has increased in recent years.
Could this be the solution:
sk182087 "How to prevent multiple unsuccessful login attempts from Endpoint Security Client users on a Security Gateway"
EDIT: Seems to be user based only...
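The policy asked about in the opening post (3 failed attempts, then blocked for an hour), sketched as an added example that is not from any poster or from Check Point: it replays constructed login events through a sliding-window counter keyed first by user and then by source IP, which is the distinction the thread keeps returning to. The 10-minute counting window, the event tuples and all names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real gateway logs): time, user, source IP, result.
EVENTS = [
    ("2025-10-01 09:00:00", "alice", "198.51.100.10", "fail"),
    ("2025-10-01 09:00:20", "alice", "198.51.100.11", "fail"),
    ("2025-10-01 09:00:40", "alice", "198.51.100.12", "fail"),
    ("2025-10-01 09:05:00", "alice", "203.0.113.5", "ok"),
    ("2025-10-01 09:10:00", "bob", "203.0.113.7", "fail"),
    ("2025-10-01 10:00:41", "alice", "203.0.113.5", "ok"),
]

class LockoutTracker:
    """Sliding-window failure counter with a timed lockout, keyed by any string."""
    def __init__(self, threshold=3, window=timedelta(minutes=10),  # window is assumed
                 lockout=timedelta(hours=1)):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lockout ends

    def is_locked(self, key, now):
        return self.locked_until.get(key, now) > now

    def record_failure(self, key, now):
        q = self.failures[key]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold:           # threshold reached: start the lockout
            self.locked_until[key] = now + self.lockout
            q.clear()

def replay(events, key_field):
    """Replay events keyed by 'user' or 'ip'; return one decision per event."""
    tracker, decisions = LockoutTracker(), []
    for ts, user, ip, result in events:
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = user if key_field == "user" else ip
        if tracker.is_locked(key, now):
            decisions.append("denied")         # locked: reject even valid credentials
        elif result == "fail":
            tracker.record_failure(key, now)
            decisions.append("failed")
        else:
            tracker.failures.pop(key, None)    # a success resets the counter
            decisions.append("allowed")
    return decisions
```

Keyed by user, the fourth event is denied and the account is usable again once the hour has passed; keyed by IP, the same events never reach the threshold because each failure comes from a different address.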