Configuring Local and Remote System Administrators

The Device > Administrators page lists the Check Point Appliance administrators and lets you:

  • Create new local administrators.

  • Configure the session timeout.

  • Limit login failure attempts.

  • Generate a QR code to connect the mobile application with the appliance for the first time.

Administrators can also be defined in a remote RADIUS server and you can configure the appliance to allow them access. Authentication of those remotely defined administrators is done by the same RADIUS server.

Administrator Roles:

  • Super Administrator - All permissions. Super Administrators can create new locally defined administrators and change permissions for others.

  • Read Only Administrator - Limited permissions. Read Only Administrators cannot update appliance configuration but can change their own passwords or run a traffic monitoring report from the Tools page.

  • Networking Administrator - Limited permissions. Networking Administrators can update or modify operating system settings. They can select a service or network object but cannot create or modify it.

  • Mobile Administrator - Mobile Administrators are allowed all networking operations on all interfaces. They can change their own passwords, generate reports, reboot, change events and mobile policy, and perform active hosts operations and pairing. They cannot log in from or access the WebUI.

Two administrators with write permissions cannot log in at the same time. If an administrator is already logged in, a message shows. You can choose to log in with Read-Only permission or to continue. If you continue the login process, the first administrator session ends automatically.

The correct Administrator Role must be configured to perform the operations listed below. If not, a Permission Error message shows.

To create a local administrator:

  1. Click New.

    The Add Administrator page opens.

  2. Configure the parameters (name, password, and password confirmation). The hyphen (-) character is allowed in the administrator name. These characters cannot be used in a password or shared secret: { } [ ] ` ~ | ' " # + \

  3. Select the Administrator Role.

  4. Click Apply.

    The name and Administrator Role are added to the table. When logged in to the WebUI, the administrator name and role are shown at the top of the page.

To edit the details of locally defined administrators:

  1. Select the administrator from the table and click Edit.

  2. Make the relevant changes.

  3. Click Apply.

To delete a locally defined administrator:

  1. Select an administrator from the list.

  2. Click Delete.

  3. Click Yes in the confirmation message.

Note - You cannot delete an administrator who is currently logged in.

To allow access for administrators defined in a remote RADIUS server:

  1. Make sure administrators are defined in the remote RADIUS server.

  2. Make sure a RADIUS server is defined on the appliance. If there is no server, click the RADIUS configuration link at the top of this page. You must configure the IP address and shared secret used by the RADIUS server.

  3. When you have a configured RADIUS server, click edit permissions.

    The RADIUS Authentication window opens.

  4. Click the Enable RADIUS authentication for administrators checkbox.

    Use roles defined on RADIUS server is selected by default.

  5. Configure the role for each user on the RADIUS server. See additional details below.

    Note - A user without role definition will get a login error.

  6. If you select Use default role for RADIUS users, select the Administrators Role:

    • Super Admin

    • Read only

    • Networking Admin

    • Mobile Admin

  7. To define groups, click Use specific RADIUS groups only and enter the RADIUS groups separated by a comma.

  8. Click Apply.

To set the Session Timeout value for both local and remotely defined administrators:

  1. Click Security Settings.

    The Administrators Security Settings window opens.

  2. Configure the session timeout (maximum time period of inactivity in minutes). The maximum value is 999 minutes.

  3. To limit login failure attempts, click the Limit administrators login failure attempts checkbox.

  4. Enter the number of Maximum consecutive login attempts allowed before an administrator is locked out.

  5. In Lock period, enter the time (in seconds) that must pass before a locked out administrator can attempt to log in again.

  6. To enforce password complexity on administrators, click the checkbox and enter the number of days for the password to expire.

  7. Click Apply.

Note - This page is available from the Device and Users & Objects tabs.

To connect the mobile application with the appliance for the first time:

  1. Click Mobile Pairing Code.

    The Connect Mobile Device window opens.

  2. Select an administrator from the pull down menu.

  3. Click Generate.

    This generates a QR code to connect the Check Point WatchTower mobile application with the appliance for the first time.

For more information about the mobile application, see the Check Point SMB WatchTower App User Guide.

Configuring a RADIUS Server for non-local Check Point Appliance users:

Non-local users can be defined on a RADIUS server and not in the Check Point Appliance. When a non-local user logs in to the appliance, the RADIUS server authenticates the user and assigns the applicable permissions. You must configure the RADIUS server to correctly authenticate and authorize non-local users.

Note - The configuration of the RADIUS Servers may change according to the type of operating system on which the RADIUS Server is installed.

Note - If you define a RADIUS user with a null password (on the RADIUS server), the appliance cannot authenticate that user.

To configure a Steel-Belted RADIUS server for non-local appliance users:

  1. Create the dictionary file checkpoint.dct on the RADIUS server, in the default dictionary directory (that contains radius.dct). Add these lines to the file:

    @radius.dct

    MACRO CheckPoint-VSA(t,s) 26 [vid=2620 type1=%t% len1=+2 data=%s%]

    ATTRIBUTE CP-Gaia-User-Role           CheckPoint-VSA(229, string)   r
    ATTRIBUTE CP-Gaia-SuperUser-Access    CheckPoint-VSA(230, integer)  r

  2. Add the following lines to the vendor.ini file on RADIUS server (keep in alphabetical order with the other vendor products in this file):

    vendor-product = Check Point Appliance
    dictionary = nokiaipso
    ignore-ports = no
    port-number-usage = per-port-type
    help-id = 2000

  3. Add to the dictiona.dcm file the line:

    @checkpoint.dct

  4. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

    CP-Gaia-User-Role = <role>

    Where <role> is one of these values:

    Administrator Role    Value
    Super Admin           adminRole
    Read only             monitorrole
    Networking Admin      networkingrole
    Mobile Admin          mobilerole


To configure a FreeRADIUS server for non-local appliance users:

  1. Create the dictionary file dictionary.checkpoint in /etc/freeradius/ on the RADIUS server:

    # Check Point dictionary file for freeradius AAA server

    VENDOR          CheckPoint                   2620
    ATTRIBUTE       CP-Gaia-User-Role            229     string  CheckPoint
    ATTRIBUTE       CP-Gaia-SuperUser-Access     230     integer CheckPoint

  2. Add to /etc/freeradius/dictionary the line:

    $INCLUDE dictionary.checkpoint

  3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

    CP-Gaia-User-Role = <role>

    Where <role> is the value for the administrator role that is defined in the WebUI:

    Administrator Role    Value
    Super Admin           adminRole
    Read only             monitorrole
    Networking Admin      networkingrole
    Mobile Admin          mobilerole

To configure an OpenRADIUS server for non-local appliance users:

  1. Create the dictionary file dict.checkpoint in /etc/openradius/subdicts/ on the RADIUS server:

    # Check Point Gaia vendor specific attributes
    # (Formatted for the OpenRADIUS RADIUS server.)
    # Add this file to etc/openradius/subdicts/ and add the line
    # "$include subdicts/dict.checkpoint" to etc/openradius/dictionaries
    # right after dict.ascend.

    $add vendor 2620 CheckPoint

    $set default vendor=CheckPoint
                 space=RAD-VSA-STD
                 len_ofs=1 len_size=1 len_adj=0
                 val_ofs=2 val_size=-2 val_type=String
                 nodec=0 noenc=0

    $add attribute 229 CP-Gaia-User-Role
    $add attribute 230 CP-Gaia-SuperUser-Access val_type=Integer val_size=4

  2. Add the line $include subdicts/dict.checkpoint to /etc/openradius/dictionaries immediately after dict.ascend.

  3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

    CP-Gaia-User-Role = <role>

    Where <role> is the value for the administrator role that is defined in the WebUI:

    Administrator Role    Value
    Super Admin           adminRole
    Read only             monitorrole
    Networking Admin      networkingrole
    Mobile Admin          mobilerole
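The three dictionaries above all describe the same wire format: a RADIUS Vendor-Specific attribute (type 26) carrying vendor id 2620, vendor type 229 for CP-Gaia-User-Role as a string and 230 for CP-Gaia-SuperUser-Access as an integer, with the len1=+2 framing spelled out in the Steel-Belted macro. The following Python is an added example (not code from this guide or from Check Point) that encodes and decodes that attribute and applies the role rule the procedure describes: the role from the RADIUS reply is used, the configured default role is used if there is one, and a user with no valid role gets a login error. The attribute blobs are constructed inline and resolve_role is a hypothetical helper that mirrors the documented rule, not the appliance's own code.

```python
import struct

CHECKPOINT_VENDOR_ID = 2620      # vendor id from the dictionary entries above
CP_GAIA_USER_ROLE = 229          # string VSA
CP_GAIA_SUPERUSER_ACCESS = 230   # integer VSA
VENDOR_SPECIFIC = 26             # RFC 2865 attribute type that carries VSAs

# WebUI administrator role -> value the RADIUS server must return in CP-Gaia-User-Role
ROLE_VALUES = {
    "Super Admin": "adminRole",
    "Read only": "monitorrole",
    "Networking Admin": "networkingrole",
    "Mobile Admin": "mobilerole",
}

def encode_vsa(vendor_type: int, data: bytes) -> bytes:
    """Build one VSA as the Steel-Belted macro says: vid=2620, type1=%t%, len1=len(data)+2, data=%s%."""
    vendor_part = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", CHECKPOINT_VENDOR_ID) + vendor_part
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def encode_user_role(role: str) -> bytes:
    return encode_vsa(CP_GAIA_USER_ROLE, ROLE_VALUES[role].encode())

def decode_checkpoint_vsas(attrs: bytes) -> dict:
    """Walk an Access-Accept attribute list; return {vendor_type: value} for Check Point VSAs only."""
    out, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vid = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            vtype, vlen = attrs[i + 6], attrs[i + 7]
            if vid == CHECKPOINT_VENDOR_ID:
                if vlen < 2 or 6 + vlen > alen:
                    raise ValueError("malformed vendor length")
                data = attrs[i + 8:i + 6 + vlen]
                out[vtype] = struct.unpack("!I", data)[0] if vtype == CP_GAIA_SUPERUSER_ACCESS else data.decode()
        i += alen            # skip non-Check Point attributes (User-Name, Reply-Message, ...)
    return out

def resolve_role(attrs: bytes, default_role=None) -> str:
    """Hypothetical mirror of the page's rule: RADIUS role, else configured default role, else login error."""
    value = decode_checkpoint_vsas(attrs).get(CP_GAIA_USER_ROLE)
    if value is None and default_role is not None:
        value = ROLE_VALUES[default_role]
    if value not in ROLE_VALUES.values():
        raise PermissionError("login error: user has no valid role definition")
    return value
```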

To log in as a Super User:

A user with super user permissions can use the Check Point Appliance shell to do system-level operations, including working with the file system.

  1. Connect to the Check Point Appliance platform using an SSH client or serial console client.

  2. Log in to the Clish shell using your user name and password.

  3. Run expert.

  4. Enter the expert password.