Fabz
Contributor

Limiting concurrent user authentication

Hello Checkpoint Checkmates Forum,

 

I'm new to this solution, but have similar experience with another firewall product.

According to my topic, I recently had a question from a customer about the Checkpoint Firewall's ability to restrict concurrent user authentication, whether local users or AD integration are used. Does Checkpoint Firewall support this?

 

The use case is similar to this one for another product: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Limiting-concurrent-user-authentication/ta...

For example: we have user "CheckPoint", so this user is only permitted to use a maximum of 5 devices for a captive portal or VPN.

 

Thank you 🙂

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin

In what precise context are we discussing authentication?
For example, in Remote Access, there's a Global Property that specifically disallows a user from connecting to the gateway more than once.

In other contexts...not sure.
@Royi_Priov do we have some way to prevent a single user from showing up on multiple IPs?


8 Replies
the_rock
MVP Gold

Excellent question! Honestly, I never thought about it in all these years, but now that you mentioned it, I'm also curious to see if there is a way. I looked everywhere in global properties, gateway settings and can't find a setting related to number or re-authentications.

I also checked GuiDBedit as well, but not sure if there is something there, but will keep looking.

Best,
Andy
Fabz
Contributor

Hi @the_rock 

Yes, I also looked at the SK documents, but found nothing. Maybe this feature will be available in the next new OS?

0 Kudos
the_rock
MVP Gold

Hopefully @_Val_ or @PhoneBoy may know...they are CP encyclopedias.

Best,
Andy
0 Kudos
Fabz
Contributor

Hi @the_rock

Yes, I also looked at the SK documents, but found nothing. Maybe this feature will be available in the next new OS? Thanks!

the_rock
MVP Gold

Hm, totally missed that option today in my lab, will verify again tomorrow.

Best,
Andy
0 Kudos
Fabz
Contributor

Hi @PhoneBoy, is it also applicable for Captive Portal?

0 Kudos
PhoneBoy
Admin

Captive Portal is part of Identity Awareness, and the above only applies to Remote Access VPN.
While we have mechanisms to filter out users that appear on multiple computers, that requires R81.20.
This doesn't "restrict" a user to, say, 5 logins, but it invalidates ALL sessions for any user that exceeds whatever you've configured the thresholds for.
This is also not the specific use case for this feature (it's designed for Service accounts specifically), so it may not work for that purpose.

Assuming you're using an external identity source like Active Directory, it should be possible to configure such login limits there.
For locally defined users where the password is defined in the Check Point management, there is no way to prevent them from logging in multiple times; this would be an RFE.

0 Kudos
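Added example, not part of the thread and not Check Point code: a small model of the two behaviours contrasted in the last reply, a hard cap of 5 sessions per user versus invalidating all of a user's sessions once the threshold is exceeded. The event list, the `simulate` function and the mode names `cap` and `revoke_all` are assumptions made up for illustration.

```python
from collections import defaultdict

LIMIT = 5  # the per-user device limit from the original question

# Constructed sample events (not real gateway logs): (user, source IP, action)
EVENTS = (
    [("CheckPoint", f"10.0.0.{n}", "login") for n in range(1, 6)]
    + [
        ("alice", "10.0.1.1", "login"),
        ("CheckPoint", "10.0.0.2", "logout"),  # frees one slot
        ("CheckPoint", "10.0.0.6", "login"),   # back at 5 sessions
        ("CheckPoint", "10.0.0.6", "login"),   # re-auth from same IP, not a new session
        ("CheckPoint", "10.0.0.7", "login"),   # would be the 6th session
    ]
)


def simulate(events, limit, mode):
    """Replay login/logout events under one of two policies.

    mode="cap":        a login beyond `limit` is refused, existing sessions stay.
    mode="revoke_all": a login beyond `limit` drops every session of that user
                       (hypothetical model of the behaviour described above).
    Returns (active sessions per user, list of refused logins).
    """
    if mode not in ("cap", "revoke_all"):
        raise ValueError(f"unknown mode: {mode}")
    active = defaultdict(set)
    refused = []
    for user, ip, action in events:
        if action == "logout":
            active[user].discard(ip)
        elif ip in active[user]:
            continue  # same user, same IP: already counted
        elif len(active[user]) < limit:
            active[user].add(ip)
        else:
            refused.append((user, ip))
            if mode == "revoke_all":
                active[user].clear()
    return {u: sorted(ips) for u, ips in active.items()}, refused


if __name__ == "__main__":
    for mode in ("cap", "revoke_all"):
        sessions, refused = simulate(EVENTS, LIMIT, mode)
        print(mode, sessions, "refused:", refused)
```

Under `cap` the user keeps five working sessions and only the extra device is turned away; under `revoke_all` the same extra login leaves the user with none, which is why the reply notes it is not a true login limit.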
