velo
Collaborator

SMB Admin login

I have a large amount of SMB appliances that are using local auth, which isn't ideal. I tried to set up RADIUS but I couldn't get it working because connections to RADIUS were going out the internet interface instead of across the IPsec VPN to the Data Centre. I tried a few things which were shown in some Check Point articles, but I couldn't get it working.

I am now looking at using Azure SAML/SSO. Has anybody successfully got this working? The only downside is that I will need to create an enterprise app for every firewall. 

Has anybody had success with other methods of auth? 

The firewalls are centrally managed.


Thanks

8 Replies
PhoneBoy
Admin

Which specific things did you try?
Doc/SK links would be helpful.
Even if you can make this work, relying on the VPN for authentication to the local device would cause issues if the VPN is down.

As far as I know, we don't support SAML for authentication to the local device (e.g. for Administrators), only for Remote Access VPN.

velo
Collaborator

I tried this with no luck (because it's centrally managed)

https://support.checkpoint.com/results/sk/sk119415

Also this, but I don't really want to be making these changes:

https://support.checkpoint.com/results/sk/sk92281

In the GUI I recall it seems to imply SAML is possible. I can't get a screenshot right now. 

If the VPN was down, I would hope it would fall back to local auth. That's usually how these types of setup work.

Cheers

PhoneBoy
Admin

Did you set the kernel variable as instructed specifically for centrally managed gateways?
There are also some route statements that might need to be added.
If you've done that and it's not working as expected, engage TAC.

As for SAML support for Admins, here's a screenshot of my 1590 running R81.10.17, with no mention of SAML.

[screenshot: image.png]

Also no mention in the R82.xx firmware for SMBs about SAML support for Administrators either.

I presume fallback to local accounts would occur if RADIUS is offline.
However, that means you still have to manage local credentials on the device (at least for some users).

velo
Collaborator

Cheers, I did open a case with TAC previously. They referred me to sk31692. I just wasn't really keen on making those changes because it would affect every gateway. Also, as per the SK, even if I made those changes, they will get overwritten again when there is an upgrade on the SMS server, which isn't ideal at all.

If I use external auth, then you would typically have one break-glass account that only a few people have access to. Then every team member would get an external account.

These are the settings I was looking at, but I guess it's probably only for Remote Access VPN.

[screenshot: saml.png]


I'm surprised that this is not more straightforward, because I would think that most enterprise environments should be set up like this.

On other firewall platforms, you just choose the source interface for Radius requests.

Thanks


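A way to see the symptom described in this thread (RADIUS requests originating from the external address rather than from an address inside the site-to-site encryption domain), as an added example that is not from the thread or from Check Point: a small Python check, with constructed server and VPN-domain values, that asks the host's routing table which source address it would choose for the RADIUS server and tests whether that source/destination pair would be matched by the encryption domains. It assumes the simplified rule that both ends must lie inside the listed domains for the tunnel to carry the packet.

```python
import ipaddress
import socket

# Constructed example values (not from the thread): the RADIUS server in the
# Data Centre and the networks the site-to-site VPN encrypts (VPN domains).
RADIUS_SERVER = "10.20.0.10"
VPN_DOMAINS = ["10.0.0.0/8", "172.16.0.0/12"]


def source_address_for(dest_ip: str, port: int = 1812) -> str:
    """Ask the local routing table which source address it would pick for a
    RADIUS datagram to dest_ip. UDP connect() sends nothing on the wire; it
    only binds the socket to the interface the route selects."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest_ip, port))
        return s.getsockname()[0]


def traverses_vpn(src_ip: str, dest_ip: str, domains) -> bool:
    """Assumed simplification: a packet is only encrypted into the tunnel when
    both its source and destination fall inside the VPN encryption domains.
    A source taken from the external (internet) interface fails this test,
    which is the behaviour the original post describes."""
    nets = [ipaddress.ip_network(d) for d in domains]
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dest_ip)
    return any(src in n for n in nets) and any(dst in n for n in nets)


def check(src_ip: str, dest_ip: str = RADIUS_SERVER, domains=VPN_DOMAINS) -> str:
    """Classify a chosen source address for the RADIUS flow."""
    if traverses_vpn(src_ip, dest_ip, domains):
        return "ok"
    return "leaves via internet interface"


if __name__ == "__main__":
    # Live check against this host's routing; the pure functions above can
    # also be called with any candidate source address offline.
    src = source_address_for(RADIUS_SERVER)
    print(f"RADIUS to {RADIUS_SERVER} would originate from {src}: {check(src)}")
```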
PhoneBoy
Admin

That is for Remote Access VPN only, correct.

velo
Collaborator

OK thank you for clarifying.

Chris_Atkinson
MVP Platinum CHKP

The last time I looked at this the relevant advanced settings were:

VPN Site to Site global settings - Do not encrypt connections originating from the local gateway
VPN Site to Site global settings - Use internal IP address for encrypted connections from local gateway
Administrators RADIUS authentication - Local authentication (RADIUS inaccessible)
Administrators RADIUS authentication - Restrict Super User access by RADIUS

As PhoneBoy indicated, some will have differing activation methods for centrally vs locally managed gateways, however.

CCSM R77/R80/ELITE
the_rock
MVP Platinum

I would definitely do what PhoneBoy suggested, certainly seems logical.

Best,
Andy