Hello Everyone,
I recently came across the limitation described in https://support.checkpoint.com/results/sk/sk183201:
After installing JHF96+ for R81.20, a "." (dot) in a username is a problem for WebUI login, and logging in with a username with a dot no longer works (SSH is unaffected by this).
To be fair, I checked the documentation and only "-" and "_" are mentioned as allowed special characters in usernames (I looked in the GAiA Admin Guide R80.40, R81, R81.10 and R81.20), but I know several environments where dots are used in the admin name concept and have worked without problems so far.
What are your opinions?
Best Regards
Colin
Hi Colin, the agenda here is to enhance the security of the GAiA portal.
The option for this is to enforce your environment and align the users.
Within our environment and our naming convention, we have dots in our admin usernames.
Enforcing and aligning this in an enterprise where 5k+ accounts have this character in the username is easier said than done. So we'll have to figure something out at the moment... as the naming convention will not change because one vendor decided otherwise.
Hi, denying dots in usernames is really a bad idea. The dot is one of the most used separators in usernames. I already know of some customers who are affected by this. Implementing 2FA for the Gaia WebUI is great, but I don't see why this limits the set of allowed characters in the username.
Changing the usernames in a company with thousands of accounts is a major change.
CP RnD, could you please check again if you can remove this limitation? Otherwise there will be issues with a lot of customers in the next months.
BR
joth
I agree with you, for sure. I also believe that limitation should be removed.
Andy
Hi Ambar,
Yes, security is important, but from my point of view, a very widespread username concept (usernames with a dot) was made unusable in favor of a new feature (TOTP 2FA for GAiA) or rather its security.
We know that many of our customers use a dot in their usernames, which is nothing unusual from our point of view.
If I had to guess, this will become a bigger issue in the future, as the install base of R81.20 JHF 96+ is currently not that big.
Best Regards
Colin
I agree that this is a very bad idea. Using dots in usernames is typical and widespread. Even though this is obviously limited to the Gaia web GUI, it's simply a bad idea. This will affect many environments and they are in for a bad surprise.
Hi, I'll start by saying that we are taking internally the option for you to enable ".".
As this affects only GAiA portal non-local users, the effect of the modification shouldn't be so extensive, as access to the GAiA portal should be limited and not for the entire organization.
Just my logical suggestion... I can totally see where @C_H @joth @joerivang are coming from. If you think about it, say a company with even 100 users, let alone 1000s, that is a HUMONGOUS change.
If CP could offer customers, say, a custom fix for the time being and then have this corrected in a later jumbo, that would probably be okay with clients who have lots of users with . in their Gaia usernames.
Anyway, something to consider...
Andy
I just stumbled across this after updating our lab from Take 92 to Take 99. We also use '.' extensively in our username standard; it is not practical for us to change usernames. Also, just suggesting that people use the default admin account ignores a certain basic security principle - we have individual named administrators/accounts for easy attribution and accountability. Using a shared admin account is bad security practice.
Dave
Hi
Has there been any update on the option to enable? This is a stopper in large environments where . has been used for years.
Are you sure that there are so many GAiA WebGUI admins in large environments? This is only a limitation for GAiA portal non-local users...
So I should create local users on 120 different firewalls just to mitigate this?
Most of us use RADIUS or some other authentication method so that we don't have to use local accounts on all different systems.
I did not see mention of this in Take 99, but let's hope it's fixed soon.
I know, just trying to elaborate to @G_W_Albrecht why this is an issue. As we have a lot of Gaia systems and multiple admins that go into there.
It's a huge issue, I totally get it. I would NEVER want to be in that situation myself.
Andy
So what did happen? Is that option available again?
I noticed that too when I installed it in the lab, but figured it must have been something I did. Glad to know it's by design.
Andy
Does someone know in which JHF the fix (PMTR-115412) will be implemented? Didn't see it in JHF 111.
Hi Tobi,
PMTR-115412 will be fixed in the next upcoming JHF.
Gadi
I'm not aware of this ID, will dots in usernames become available again?
According to sk183201 - yes it is planned with PMTR-115412
I installed JHF115, which includes PMTR-115412. Unfortunately I still can't log in with a username that contains ".".
Error message on the WebGUI: "Invalid username: Allowed characters are a-z, A-Z, 0-9, -, _ only". Is there an additional configuration that needs to be set?
I also checked R82 latest jumbo and this did not work.
Andy