Configuring Local and Remote System Administrators
The Device > Administrators page lists the Check Point Appliance administrators and lets you:
- Create new local administrators.
- Configure the session timeout.
- Limit login failure attempts.
Administrators can also be defined in a remote RADIUS server and you can configure the appliance to allow them access. Authentication of those remotely defined administrators is done by the same RADIUS server.
Administrator Roles:
- Super Administrator - All permissions. Super Administrators can create new locally defined administrators and change permissions for others.
- Read Only Administrator - Limited permissions. Read Only Administrators cannot update the appliance configuration, but can change their own passwords or run a traffic monitoring report from the Tools page.
- Networking Administrator - Limited permissions. Networking Administrators can update or modify operating system settings. They can select a service or network object but cannot create or modify it.
- Mobile Administrator - Mobile Administrators are allowed all networking operations on all interfaces. They can change their own passwords, generate reports, reboot, change events and mobile policy, and perform active hosts operations and pairing. They cannot log in to or access the WebUI.
Two administrators with write permissions cannot log in at the same time. If an administrator is already logged in, a message shows. You can choose to log in with Read-Only permission or to continue. If you continue the login process, the first administrator session ends automatically.
The correct Administrator Role must be configured to perform the operations listed below. If not, a Permission Error message shows.
To create a local administrator:
- Click New.
  The Add Administrator page opens.
- Configure the parameters (name, password, and password confirmation). The hyphen (-) character is allowed in the administrator name.
  Note - You cannot use these characters in a password or shared secret:
  { } [ ] ` ~ | ' " \
- Select the Administrator Role.
- Click Apply.
The name and Administrator Role are added to the table. When logged in to the WebUI, the administrator name and role are shown at the top of the page.
To edit the details of locally defined administrators:
- Select the administrator from the table and click Edit.
- Make the relevant changes.
- Click Apply.
To delete a locally defined administrator:
- Select an administrator from the list.
- Click Delete.
- Click Yes in the confirmation message.
Note - You cannot delete an administrator who is currently logged in.
To allow access for administrators defined in a remote RADIUS server:
- Make sure the administrators are defined in the remote RADIUS server.
- Make sure a RADIUS server is defined on the appliance. If there is no server, click the RADIUS configuration link at the top of this page. You must configure the IP address and the shared secret used by the RADIUS server.
- When you have a configured RADIUS server, click Edit permissions.
  The RADIUS Authentication window opens.
- Select the Enable RADIUS authentication for administrators checkbox.
  Use roles defined on RADIUS server is selected by default.
- Configure the role for each user on the RADIUS server. See the additional details below.
  Note - A user without a role definition gets a login error.
- If you select Use default role for RADIUS users, select the Administrators Role:
  - Super Admin
  - Read only
  - Networking Admin
  - Mobile Admin
- To limit access to specific RADIUS groups, click Use specific RADIUS groups only and enter the RADIUS group names separated by commas.
- Click Apply.
To set the Session Timeout value for both local and remotely defined administrators:
- Click Security Settings.
  The Administrators Security Settings window opens.
- Configure the session timeout (the maximum period of inactivity, in minutes). The maximum value is 999 minutes.
- To limit login failure attempts, select the Limit administrators login failure attempts checkbox.
- Enter the number of Maximum consecutive login attempts allowed before an administrator is locked out.
- In Lock period, enter the time (in seconds) that must pass before a locked-out administrator can attempt to log in again.
- To enforce password complexity on administrators, select the checkbox and enter the number of days after which the password expires.
- Click Apply.
Note - This page is available from the Device and Users & Objects tabs.
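The lockout settings above, replayed over a constructed list of login attempts. This is an added example, not the appliance's own code: the policy values, administrator names and timestamps are made up, and the assumption that the failure counter resets after a successful login and after the lock period expires is mine, since the page does not state it.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """The two Security Settings fields: consecutive failed logins allowed
    before lockout, and the lock period in seconds."""
    max_attempts: int = 5
    lock_period: int = 300


@dataclass
class AdminState:
    failures: int = 0          # consecutive failures so far
    locked_until: float = 0.0  # absolute time (seconds) the lock expires


class LoginGuard:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.state = {}        # per-administrator state, keyed by name

    def attempt(self, name: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'rejected' or 'locked' for one login attempt.
        Assumption (not stated on the page): the counter resets on a
        successful login and once the lock period has expired."""
        st = self.state.setdefault(name, AdminState())
        if now < st.locked_until:
            return "locked"                    # even a correct password is refused
        if st.locked_until and now >= st.locked_until:
            st.failures, st.locked_until = 0, 0.0
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lock_period
            return "locked"
        return "rejected"


def replay(events, policy: LockoutPolicy):
    """Feed (time, admin name, password correct?) events through one guard."""
    guard = LoginGuard(policy)
    return [guard.attempt(name, ok, t) for (t, name, ok) in events]


# Constructed sample attempts: (seconds, administrator, password correct?)
SAMPLE = [
    (0, "admin", False), (1, "admin", False), (2, "admin", False),  # third failure locks
    (3, "admin", True),            # correct password during the lock period: still refused
    (10, "readonly", True),        # another administrator is unaffected
    (65, "admin", True),           # lock period (60 s) has passed: allowed
]

if __name__ == "__main__":
    print(replay(SAMPLE, LockoutPolicy(max_attempts=3, lock_period=60)))
```

With three allowed attempts and a 60-second lock period the sample yields rejected, rejected, locked, locked, ok, ok; the fourth attempt shows that a correct password does not end a lock early.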
Configuring a RADIUS Server for non-local Check Point Appliance users:
Non-local users can be defined on a RADIUS server and not in the Check Point Appliance. When a non-local user logs in to the appliance, the RADIUS server authenticates the user and assigns the applicable permissions. You must configure the RADIUS server to correctly authenticate and authorize non-local users.
Note - The RADIUS server configuration differs according to the RADIUS server software and the operating system on which it is installed. The three variants below define the same Check Point vendor ID (2620) and attributes.
Note - If you define a RADIUS user with a null password (on the RADIUS server), the appliance cannot authenticate that user.

For a RADIUS server that uses radius.dct, vendor.ini and dictiona.dcm dictionary files (Steel-Belted RADIUS):
- Create the dictionary file checkpoint.dct on the RADIUS server, in the default dictionary directory (the one that contains radius.dct). Add these lines to the checkpoint.dct file:
  @radius.dct
  MACRO CheckPoint-VSA(t,s) 26 [vid=2620 type1=%t% len1=+2 data=%s%]
  ATTRIBUTE CP-Gaia-User-Role CheckPoint-VSA(229, string) r
  ATTRIBUTE CP-Gaia-SuperUser-Access CheckPoint-VSA(230, integer) r
- Add these lines to the vendor.ini file on the RADIUS server (keep the entry in alphabetical order with the other vendor products in this file):
  vendor-product = Check Point Appliance
  dictionary = nokiaipso
  ignore-ports = no
  port-number-usage = per-port-type
  help-id = 2000
- Add this line to the dictiona.dcm file:
  @checkpoint.dct
- Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:
  CP-Gaia-User-Role = <role>
  Where <role> is one of these values:
  Administrator Role    Value
  Super Admin           adminRole
  Read only             monitorrole
  Networking Admin      networkingrole
  Mobile Admin          mobilerole

For a FreeRADIUS server:
- Create the dictionary file dictionary.checkpoint in /etc/freeradius/ on the RADIUS server (the dictionary directory depends on the FreeRADIUS version and distribution; use the directory that holds the main dictionary file). Add these lines to the dictionary.checkpoint file:
  # Check Point dictionary file for FreeRADIUS AAA server
  VENDOR CheckPoint 2620
  ATTRIBUTE CP-Gaia-User-Role 229 string CheckPoint
  ATTRIBUTE CP-Gaia-SuperUser-Access 230 integer CheckPoint
- Add this line to the /etc/freeradius/dictionary file:
  $INCLUDE dictionary.checkpoint
- Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:
  CP-Gaia-User-Role = <role>
  Where <role> is the name of the administrator role that is defined in the WebUI:
  Administrator Role    Value
  Super Admin           adminRole
  Read only             monitorrole
  Networking Admin      networkingrole
  Mobile Admin          mobilerole

For an OpenRADIUS server:
- Create the dictionary file dict.checkpoint in the /etc/openradius/subdicts/ directory on the RADIUS server:
  # Check Point Gaia vendor specific attributes
  # (Formatted for the OpenRADIUS RADIUS server.)
  # Add this file to etc/openradius/subdicts/ and add the line
  # "$include subdicts/dict.checkpoint" to /etc/openradius/dictionaries
  # right after dict.ascend.
  $add vendor 2620 CheckPoint
  $set default vendor=CheckPoint
      space=RAD-VSA-STD
      len_ofs=1 len_size=1 len_adj=0
      val_ofs=2 val_size=-2 val_type=String
      nodec=0 noenc=0
  $add attribute 229 CP-Gaia-User-Role
  $add attribute 230 CP-Gaia-SuperUser-Access val_type=Integer val_size=4
- Add this line to the /etc/openradius/dictionaries file immediately after dict.ascend:
  $include subdicts/dict.checkpoint
- Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:
  CP-Gaia-User-Role = <role>
  Where <role> is the name of the administrator role that is defined in the WebUI:
  Administrator Role    Value
  Super Admin           adminRole
  Read only             monitorrole
  Networking Admin      networkingrole
  Mobile Admin          mobilerole
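What the three dictionary definitions above describe on the wire, and what the appliance does with it, as an added example (not Check Point's code and not a capture from a real server): an Access-Accept carrying the Check Point Vendor-Specific attribute (type 26, vendor ID 2620, sub-attribute 229 CP-Gaia-User-Role) is built, its Response Authenticator is verified with the shared secret configured under RADIUS configuration, and the role string is mapped to the WebUI role or refused, which is the login error the note on users without a role definition refers to. The shared secret, request authenticator and packet identifiers are placeholders; the role-to-name mapping is the table above.

```python
import hashlib
import hmac
import struct

# From the dictionary files above: Check Point vendor ID and sub-attribute numbers.
VENDOR_ID = 2620
ATTR_USER_ROLE = 229        # CP-Gaia-User-Role (string)
ATTR_SUPERUSER = 230        # CP-Gaia-SuperUser-Access (integer); defined, not used here
VSA_TYPE = 26               # RADIUS Vendor-Specific attribute type (RFC 2865)
ACCESS_ACCEPT = 2

# Role strings from the table above, mapped to the WebUI role names.
ROLE_MAP = {
    "adminRole": "Super Admin",
    "monitorrole": "Read only",
    "networkingrole": "Networking Admin",
    "mobilerole": "Mobile Admin",
}


def encode_vsa(vendor_type: int, data: bytes) -> bytes:
    """One Vendor-Specific attribute exactly as the CheckPoint-VSA macro says:
    type 26, length, 4-byte vendor ID 2620, then type1, len1 (= data + 2), data."""
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return struct.pack("!BBI", VSA_TYPE, len(sub) + 6, VENDOR_ID) + sub


def build_access_accept(identifier: int, request_authenticator: bytes, secret: bytes, attrs) -> bytes:
    """Access-Accept with its Response Authenticator:
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret), per RFC 2865."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The check the client side performs with the shared secret; a wrong
    secret or a modified reply fails here before any role is trusted."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def iter_tlvs(buf: bytes):
    """Walk (type, value) pairs, refusing truncated or zero-length attributes."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("malformed attribute length")
        yield t, buf[i + 2:i + length]
        i += length


def extract_checkpoint_role(packet: bytes):
    """Return the CP-Gaia-User-Role string from an Access-Accept, or None."""
    for t, value in iter_tlvs(packet[20:]):
        if t != VSA_TYPE or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_ID:
            continue                                    # another vendor's VSA
        for sub_type, sub_value in iter_tlvs(value[4:]):
            if sub_type == ATTR_USER_ROLE:
                return sub_value.decode("ascii", errors="replace")
    return None


def login_outcome(packet: bytes, request_authenticator: bytes, secret: bytes):
    """('ok', WebUI role) or ('error', reason)."""
    if not verify_response(packet, request_authenticator, secret):
        return ("error", "Response Authenticator mismatch: wrong shared secret or altered reply")
    role = extract_checkpoint_role(packet)
    if role is None:
        return ("error", "login error: Access-Accept carries no CP-Gaia-User-Role")
    if role not in ROLE_MAP:
        return ("error", f"login error: unknown role value {role!r}")
    return ("ok", ROLE_MAP[role])


# Constructed sample exchange (placeholder secret and request authenticator).
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
ACCEPT_WITH_ROLE = build_access_accept(7, REQ_AUTH, SECRET, [encode_vsa(ATTR_USER_ROLE, b"networkingrole")])
ACCEPT_NO_ROLE = build_access_accept(8, REQ_AUTH, SECRET, [])
ACCEPT_BAD_ROLE = build_access_accept(9, REQ_AUTH, SECRET, [encode_vsa(ATTR_USER_ROLE, b"superuser")])

if __name__ == "__main__":
    for label, pkt in [("with role", ACCEPT_WITH_ROLE), ("no role", ACCEPT_NO_ROLE), ("bad role", ACCEPT_BAD_ROLE)]:
        print(label, login_outcome(pkt, REQ_AUTH, SECRET))
    print("wrong secret", login_outcome(ACCEPT_WITH_ROLE, REQ_AUTH, b"other-secret"))
```

Dumping the bytes that encode_vsa produces for a test user is a quick way to confirm a server's dictionary is in effect: the attribute must start 1A, length, 00 00 0A 3C (vendor 2620), E5 (229), and a server that has not loaded the dictionary typically sends no such attribute at all, which the appliance reports as a login error rather than a role.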
To log in as a Super User:
A user with super user permissions can use the Check Point Appliance shell to do system-level operations, including working with the file system.
- Connect to the Check Point Appliance platform over SSH or the serial console.
- Log in to the Gaia Clish shell with your user name and password.
- Run:
  expert
- Enter the Expert mode password.