Configuring Password Policy in Gaia Portal

Procedure

Important - On Scalable Platforms (Maestro and Chassis), you must connect to the Gaia PortalClosed Web interface for the Check Point Gaia operating system. of the applicable Security Group.

Step

Instructions

1

In the navigation tree, click User Management > Password Policy.

2

Configure the password policy options:

3

Click Apply.

Password Strength

Parameter

Description

Minimum Password Length

The minimum number of characters in a GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. user, or an SNMP user password.

Does not apply to passwords that were already configured.

  • Range: 6 - 128

  • Default: 6

Disallow Palindromes

A palindrome is a sequence of letters, numbers, or characters that can be read the same in each direction.

  • Default: Selected

Password Complexity

The required number of character types:

  • 1 - Don't check

  • 2 - Require two character types (default)

  • 3 - Require three character types

  • 4 - Require four character types

Character types are:

  • Upper case alphabetic (A-Z)

  • Lower case alphabetic (a-z)

  • Digits (0-9)

  • Other (everything else)

Changes to this setting do not affect existing passwords.

Password History

Parameter

Description

Check for Password Reuse

Check for reuse of passwords for all users.

Enables or disables password history checking and password history recording.

When a user's password is changed, the new password is checked against the recent passwords for the user.

An identical password is not allowed. The number of passwords kept in the record is set by History Length.

Does not apply to SNMP passwords.

  • Default: Selected

History Length

The number of former passwords to keep and check against when a new password is configured for a user.

  • Range: 1 - 1000

  • Default: 10

Mandatory Password Change

Parameter

Description

Password Expiration

The number of days, for which a password is valid. After that time, the password expires.

The count starts when the user changes the password.

Users are required to change an expired password the next time they log in.

Does not apply to SNMP users.

  • Range: 1 - 1827, or Passwords never expires

  • Default: Passwords never expires

Warn users before password expiration

How many days before the user's password expires to start generating warnings to the user that user must change the password.

A user that does not log in, does not see this warning.

  • Range: 1 - 366

  • Default: 7

Lockout users after password expiration

Lockout users after password expiration.

After a user's password has expired, user has this number of days to log in and change it.

If a user does not change the password within that number of days, the user is unable to log in - the user is locked out.

The administrator can unlock a user that is locked out from the User Management > Users page.

  • Range: 1 - 1827, or Never lockout users after password expires

  • Default: Never lockout users after password expires

Force users to change password at first login after password was changed from Users page

Forces a user to change password at first login, after the user's password was changed using the command "set user <UserName> password", or from the Gaia Portal User Management > Users page.

  • Default: Not selected

Denying Access to Unused Accounts

Parameter

Description

Deny access to unused accounts

Denies access to unused accounts.

If there were no successful login attempts within a set time, the user is locked out and cannot log in.

  • Default: Not selected

Days of non-use before lock-out

Configures the number of days of non-use before locking out the unused account.

This only takes effect, if Deny access to unused accounts is enabled.

  • Range: 30 - 1827

  • Default: 365

Denying Access After Failed Login Attempts

Parameter

Description

Deny access after failed login attempts

If the configured limit is reached, the user is locked out (unable to log in) for a configured time.

Warning - Enabling this leaves you open to a "denial of service" - if an attacker makes unsuccessful login attempts often enough, the affected user account is locked out. Consider the advantages and disadvantages of this option, in light of your security policyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., before enabling it.

  • Default: Not selected

Block admin user

This option is available only if Deny access after failed login attempts is enabled.

If the configured limit of failed login attempts for the admin user is reached, the admin user is locked out (unable to log in) for a configured time.

Maximum number of failed attempts allowed

This only takes effect if Deny access after failed attempts is enabled.

The number of failed login attempts that a user is allowed before being locked out.

After making that many successive failed attempts, future attempts fail.

When one login attempt succeeds, counting of failed attempts stops, and the count is reset to zero.

  • Range: 2 - 1000

  • Default: 10

Allow access again after time

This only takes effect, if Deny access after failed login attempts is enabled.

Allow access again after a user was locked out (due to failed login attempts).

The user is allowed access after the configured time, if there were no login attempts during that time.

  • Range: 60 - 604800 seconds

  • Default: 1200 seconds (20 minutes)

Examples:

  • 60 = 1 minute

  • 300 = 5 minutes

  • 3600 = 1 hour

  • 86400 = 1 day

  • 604800 = 1 week

Password Hashing Algorithm

Parameter

Description

Password hashing algorithm

Configures the hashing algorithm to store new passwords in the Gaia database.

  • Range: SHA256, or SHA512

  • Default: SHA512