Machine Certificate

The R80.40 release adds a new VPN authentication capability to Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.. Authentication with a machine certificate as of Endpoint Security Client E80.71 is now available for gateways.

Machine certificate authentication supports these modes:

  • User and machine authentication - Authenticate with a machine certificate and a user authentication method.

  • Machine-only authentication - Authenticate with a machine certificate only. This mode is available before and after the user logs in to Windows.

Note - Machine certificate authentication works with the Endpoint Client only. For more details on how to configure this feature on the client side, see the "Machine Authentication" section in these Administration Guides:


  • The machine must be defined on a Microsoft AD server.

  • The Subject field of a machine certificate must not be empty.

    The hostname must be the first value.

    For example:

    CN = DESKTOP-12345, OU= Computers, DC = example, DC = com

  • Machine-only authenticated tunnels require the Security Gateway authentication method to be “Defined on user record (Legacy authentication)” or a certificate based realm.

  • Check Point Desktop Policy with Machine Groups is not supported.

  • The Check Point Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. does not provide machine certificate enrollment or distribution functionality.

  • You must use Access Roles for the machine entity. Objects such as machine@location are not supported.

Feature Configuration Steps