This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Fabz
Contributor
‎2023-01-24 07:46 AM
Jump to solution

Limiting concurrent user authentication

Hello Checkpoint Checkmates Forum,

 

Im new in this solution, but have similar experience with another firewall product.

According to my topic, I recently had a question from a customer about the Checkpoint Firewall's ability to restrict concurrent user authentication, whether local users or AD integration are used. Does Checkpoint Firewall support this?

 

The use case is similar with this for other product : https://community.fortinet.com/t5/FortiGate/Technical-Tip-Limiting-concurrent-user-authentication/ta... 

For example : we have user "CheckPoint", so this user only permitted to use a maximum of 5 devices for a captive portal or vpn.

 

Thank you 🙂

 

Labels
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-01-24 09:42 PM
Jump to solution

In what precise context are we discussing authentication?
For example, in Remote Access, there's a Global Property that specifically disallows a user from connecting to the gateway more than once.
image.png

In other contexts...not sure.
@Royi_Priov do we have some way to prevent a single user from showing up on multiple IPs?

View solution in original post

8 Replies
the_rock
Legend
Legend
‎2023-01-24 09:28 AM
Jump to solution

Excellent question! Honestly, I never thought about it in all these years, but now that you mentioned it, Im also cusious to see if there is a way. I looked everywhere in global properties, gateway settings and cant find setting related to number or re-authentications.

I also checked guidbedit as well, but not sure if there is something there, but will keep looking.

Fabz
Contributor
‎2023-01-24 03:42 PM
In response to the_rock
Jump to solution

Hi @the_rock 

Yes i also looked at sk document, but found nothing. May this feature will be available on the next new OS?

0 Kudos
the_rock
Legend
Legend
‎2023-01-24 05:11 PM
In response to Fabz
Jump to solution

Hopefully @_Val_ or @PhoneBoy may know...they are CP encyclopedias.

0 Kudos
Fabz
Contributor
‎2023-01-24 03:43 PM
In response to the_rock
Jump to solution

hi @the_rock 

Yes i also looked at sk document, but found nothing. May this feature will be available on the next new OS? Thanks!

PhoneBoy
Admin
Admin
‎2023-01-24 09:42 PM
Jump to solution

In what precise context are we discussing authentication?
For example, in Remote Access, there's a Global Property that specifically disallows a user from connecting to the gateway more than once.
image.png

In other contexts...not sure.
@Royi_Priov do we have some way to prevent a single user from showing up on multiple IPs?

the_rock
Legend
Legend
‎2023-01-24 09:54 PM
In response to PhoneBoy
Jump to solution

Hm, totally missed that option today in my lab, will verify again tomorrow.

0 Kudos
Fabz
Contributor
‎2023-01-25 05:27 AM
In response to PhoneBoy
Jump to solution

Hi @PhoneBoy  is it alao applicable for Captive Portal?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-25 11:39 AM
In response to Fabz
Jump to solution

Captive Portal is part of Identity Awareness, and the above only applies to Remote Access VPN.
While we have mechanisms to filter out users that appear on multiple computers, that requires R81.20.
This doesn't "restrict" a user to, say, 5 logins, but it invalidates ALL sessions for any user that exceeds whatever you've configured the threshholds for.
This is also not the specific use case for this feature (it's designed for Service accounts specifically), so it may not work for that purpose.

Assuming you're using an external identity source like Active Directly, it should be possible to configure such login limits there. 
For locally defined users where the password is defined in the Check Point management, there is no way to prevent them from logging in multiple times; this would be an RFE.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events