Managing Administrator Accounts
A Check Point administrator is an IT professional who manages and maintains a Check Point security environment with SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., CLI, or the API. Check Point administrators configure and manage Check Point's security products to protect their organizations' networks from cyber attacks, malware, and other security threats. A Check Point administrator typically installs, configures, and maintains the Check Point software, manages network traffic and security policies Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., monitors system performance, and troubleshoots security issues. Administrators also ensure that the Check Point security environment is up to date with the latest Hotfixes and updates to maintain optimal security.
You can store administrator accounts in the Check Point management database or on an external LDAP server. The Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. authenticates administrators. Check Point supports different authentication methods for administrators.
Creating an Administrator Account
To successfully manage security for a large network, we recommend that you first set up your administrative team, and delegate tasks.
We recommend that you create administrator accounts in SmartConsole, with the procedure below or with the First Time Configuration Wizard.
When you create an administrator account through SmartConsole, you can select one of these authentication methods:
Authentication Method |
Description |
---|---|
Check Point Password |
Check Point password is a static password that is configured in SmartConsole. The local database on the Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. stores the password. No additional software is required. SeeCreating an Administrator Account with Check Point Password Authentication. |
OS Password |
OS password is kept on the operating system of the computer on which the Security Management Server is installed. You can also use passwords that are stored in Windows domain. No additional software is required. See Creating an Administrator Account with OS Password Authentication |
RADIUS |
Remote Authentication Dial-In User Service (RADIUS) is an external authentication method that provides security and scalability by separating the authentication function from the access server. With RADIUS, the Security Management Server forwards the authentication requests to the RADIUS server. The RADIUS server, which stores administrator account information, does the authentication. The RADIUS protocol uses UDP to communicate with the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. or the Security Management Server. See Creating an Administrator Account with RADIUS Server Authentication |
TACACS |
Terminal Access Controller Access Control System (TACACS) provides access control for routers, network access servers and other networked devices through one or more centralized servers. TACACS is an external authentication method that provides verification services. With TACACS, the Security Management Server forwards authentication requests by remote administrators to the TACACS server. The TACACS server, which stores administrator account information, authenticates administrators. The system supports physical card key devices or token cards and Kerberos An authentication server for Microsoft Windows Active Directory Federation Services (ADFS). secret key authentication. TACACS encrypts the administrator name, password, authentication services and accounting information of all authentication requests to secure communication. See Creating an Administrator Account with TACACS Server Authentication |
SecurID |
SecurID requires administrators to possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA Authentication Manager (AM) and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices. Software tokens reside on the PC or device from which the administrator wants to authenticate. All tokens generate a random, one-time use access code that changes approximately every minute. When an administrator attempts to authenticate to a protected resource, the AM must validate the one-time use code. The Security Management Server forwards SecurID authentication requests by remote administrators to the AM. The AM manages the database of the RSA users and their assigned hard or soft tokens. The Security Management Server act as an AM Agent and directs all access requests to the RSA AM for authentication. For additional information on agent configuration, refer to the RSA Authentication Manager documentation. There are no specific parameters required for the SecurID authentication method. Authentication requests can be sent over SDK-supported API or through REST API. See Creating an Administrator Account with SecurID Authentication. |
API Key |
You can use SmartConsole to configure an API key for administrators to use the management API. You can only use the API to execute API commands and not for SmartConsole authentication. For more information, see Creating an Administrator Account with API Key Authentication |
SAML |
An administrators can log in to SmartConsole through a central 3rd party Identity Provider with the SAML protocol. The Identity Provider holds the information about the administrators, including the ability to authenticate the administrators. Check Point supports these Identity Providers: Okta, Ping Identity, Azure. For more information, see Creating an Administrator Account with SAML Authentication Login. |
After you configure authentication with one of the Check Point authentication methods, you can, in addition, configure certificate file authentication. The administrator can then authenticate to SmartConsole with one of the Check Point authentication methods or with a certificate file.
You create the certificate file in SmartConsole. The administrator can use the certificate to log in to SmartConsole in two ways:
-
Log in to SmartConsole with the Certificate File option. The administrator must provide the password to use the certificate file.
-
You can import the certificate file to the Windows Certificate Store on the Microsoft Windows SmartConsole computer. The administrator can use this stored certificate to log in to SmartConsole with the CAPI Certificate option. The administrator does not need to provide a password to log in.
The administrator can also give the certificate to other administrators to log in to SmartConsole with no administrator account of their own.
To create an Administrator Account with the "Check Point Configuration Tool" tool (cpconfig)
We do not recommend to create an administrator with cpconfig
, the Check Point Configuration Tool.
Use it only if there is no access to SmartConsole or the Gaia Portal Web interface for the Check Point Gaia operating system..
If you use cpconfig
to create an administrator:
-
You must restart Check Point Services to activate the administrator with these commands:
cpstop ; cpstart
-
It does not show the other administrators.
-
Check Point Password is automatically configured as the authentication method.
Editing an Administrator Account
-
Click Manage & Settings > Permissions & Administrators.
-
Double-click an administrator account.
The Administrators properties window opens.
Deleting an Administrator Account
To make sure your environment is secure, the best practice is to delete administrator accounts when personnel leave or transfer.
To delete an administrator account
-
Click Manage & Settings > Permissions & Administrators.
The Administrators pane shows by default.
-
Select an administrator account and click Delete.
-
Click Yes in the confirmation window that opens.
Default Expiration for Administrators
If you want to use the same expiration settings for multiple accounts, you can set the default expiration for administrator accounts. You can also select to show notifications about the approaching expiration date when an administrator logs into SmartConsole or one of the SmartConsole clients. The remaining number of days, during which the account is alive, shows in the status bar.
-
Click Manage & Settings > Permissions & Administrators > Advanced.
-
Click Advanced.
-
In the Default Expiration Date section, select a setting:
-
Never expires
-
Expire at - Select the expiration date from the calendar control
-
Expire after - Enter the number of days, months, or years (from the day the account is made) before administrator accounts expire
-
-
In the Expiration notifications section, select Show 'about to expire' indication in administrators view and select the number of days in advance to show the message about the approaching expiration date.
-
Publish the SmartConsole session.
|
Note - If you configure an expiration date for an administrator, then the administrator is not logged out automatically. Only a new login is blocked. To improve security, configure the idle timeout. Go to SmartConsole > Manage & Settings > Permissions & Administrators > Advanced > Idle Timeout. |
Configuring SmartConsole Session Timeout
Use the SmartConsole in a secure manner, and enforce secure usage for all administrators. Configuring a SmartConsole timeout is a basic requirement for secure usage. When an administrator does not use the SmartConsole, it logs out.
-
Click Manage & Settings.
-
Select Permissions & Administrators > Advanced.
-
In the Idle Timeout area, select Perform logout after being idle.
-
Enter a number of minutes.
When a SmartConsole is idle after this number of minutes, the SmartConsole automatically logs out the connected administrator, but all changes are preserved.
Revoking an Administrator Certificate
If an administrator that authenticates through a certificate cannot temporarily fulfill administrator duties, you can revoke the certificate for the account. The administrator account remains, but no one can authenticate to the Security Management Server with the certificate. However, if the account has an additional authentication method (a password, for example), the administrator can use this method to authenticate to the account.
To revoke an administrator certificate
-
Click Manage & Settings > Permissions & Administrators.
-
Select an administrator account and click Edit.
-
In General > Authentication, click Revoke.
Restricting Administrator Login Attempts
You can configure these login restrictions for administrators who log in to the Security Management Server with a Check Point password:
-
The number of login attempts before SmartConsole automatically locks an administrator account.
-
The number of minutes before SmartConsole unlocks the administrator's account after it was locked.
To configure login restrictions
-
Go to the Manage & Settings view or to the Multi-Domain view.
-
Go to Permissions & Administrators > Advanced > Login Restrictions.
|
Note - These restrictions apply only to administrators who authenticate to the Security Management Server with a Check Point password. |
Unlocking Administrator Accounts
An administrator with the Manage Administrators permission can unlock another administrator if the locked administrator authenticates to the Security Management Server with a Check Point password.
To unlock an administrator:
-
Go to the Manage & Settings view or to the Multi-Domain view.
-
Right-click the locked administrator and select Unlock Administrator.
Or:
Use the "unlock-administrator" API command.
|
Note - The Unlock Administrator feature does not apply to administrators who use other authentication methods. |
Multiple Administrators
If two administrators create an administrator account with the same name, after the first administrator publishes a session, the second administrator will not be able to publish their session. If the second administrator tries to change the name in the administrator account, they will not be able to do so. To resolve this issue, the second administrator must discard the session changes and reconnect.