Google reCAPTCHA Challenge
|
Note - In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way. |
The reCAPTCHA service uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities. It prevents malicious logins and at the same time allows authenticated users to pass through easily.
Configure your Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. with Google reCAPTCHA v2 to challenge a user upon multiple, incorrect login attempts. reCAPTCHA appears as a challenge when a user reaches the maximum number of failed attempts.
The reCAPTCHA challenge is compatible with ClusterXL and VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts..
The reCAPTCHA challenge is not supported in the Capsule Workspace.
For supported browsers, see the Google documentation.
Registering Mobile Access for reCAPTCHA on Google
To use Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. with reCAPTCHA, you have to register the Mobile Access Portal FQDN with reCAPTCHA.
Go to the Google reCAPTCHA site for instructions.
Adding reCAPTCHA to the Mobile Access Portal
You have to configure the Security Gateway manually to add reCAPTCHA. To enable reCAPTCHA, the Security Gateway needs:
-
Internet connectivity
-
A DNS configured
-
Portal URL configuration with an FQDN and not an IP addres
If you browse to the Portal with an IP address rather than an FQDN, you are redirected to the FQDN link.
To configure the Security Gateway manually, edit the $CVPNDIR/conf/cvpnd.C
file.
|
Important - After every change in the |
This shows:
|
Fields |
Description |
---|---|
|
Enter true to enable. Enter false to disable. |
|
Determines if reCAPTCHA shows on a re-login flow. Enter true to enable. Enter false to disable. |
|
Entrance to the Portal. Enter true to enable. Enter false to disable. This determines when to block users:
False - User is not allowed access to the Portal. See the login log for more information. True - User is allowed access to the Portal. A warning that the reCAPTCHA challenge was not verified shows. See the login log for more information. |
|
The amount of time in seconds that the user in penalty is challenged with reCAPTCHA on each login until the user succeeds to log in. The default is 1800 seconds. |
|
This is the number of times a user tries to log in unsuccessfully before reCAPTCHA shows. The default is two failed login attempts within the pre-determined time frame. Failures within that time frame are counted. If the time frame passes, the failure counter is set to zero again. If the field is set to zero, there is a reCAPTCHA challenge on every login attempt. |
|
The site key from Google. |
|
The secret from Google. |
|
A utility page that checks the reCAPTCHA configuration and the connectivity from the Security Gateway. Enter true to enable the page. Enter false to disable the page. To see this page, go to:
|
|
Best Practice - If you enable and configure reCAPTCHA, make sure the Capsule Workspace uses certificate authentication. reCAPTCHA is not supported in the Capsule Workspace. |
When you are challenged with reCAPTCHA, some Java scripts are downloaded to your browser.