Configuring Administrator Access

On the Device > System > Administrator Access page you can:

  • Configure the IP addresses and interface sources that administrators can use to access the Quantum Spark Appliance.

  • Enable Two-Factor Authentication (2FA) to add an extra layer of security on the gateway.

  • Configure the Web and SSH ports.

Select one or more of these options:

  • LAN - All internal physical ports

  • Trusted wireless - Wireless networks that are allowed access to the LAN by default (only in Wireless Network models.)

  • VPN - Uses encrypted traffic through VPN tunnels from a remote site or uses a remote access client

  • Internet - Clear traffic from the Internet (not recommended to allow access from all IP addresses)

  1. Select the Any IP address option. This option is less secure and not recommended. We recommend you allow access from the Internet to specific IP addresses only.

  2. Change the WEB Port (HTTPS) and/or SSH port if necessary.

  3. Click Save.

    An administrator can access the Quantum Spark Appliance using any IP address through the allowed interface sources.

  1. Select the Specified IP addresses only option.

  2. Click New.

    The IP Address Configuration page appears.

  3. Select Type:

    • IPv4 address

    • IPv4 network

    • IPv6 address

    • IPv6 network

  4. Enter the IP address or click Get IP from My Computer.

  5. Click Save.

    The IP address is added to the table.

  6. Change the WEB Port (HTTPS) and/or SSH port if necessary.

  7. Click Save.

    An administrator can use the configured IP addresses to access the appliance through the allowed interface sources.

Select this option when it is necessary to allow administrator access from the Internet (you must define the specified IP addresses). Access from other sources is allowed from any IP address.

  1. Select the Internet source checkbox.

  2. Select the Specified IP addresses from the internet and any IP address from other sources option.

  3. Click New.

    The IP Address Configuration page shows.

  4. Select Type:

    • IPv4 address

    • IPv4 network

    • IPv6 address

    • IPv6 network

  5. Enter the IP address or click Get IP from My Computer.

  6. Click Save.

    The IP address is added to the table.

  7. Change the WEB Port (HTTPS) and/or SSH port if necessary.

  8. Click Save.

    An administrator can use the configured IP addresses to access the appliance through the allowed interface sources.

  1. Select the IP Address you want to delete from the IP Address table.

  2. Click Delete.

Important:

  • Configuring different access permissions for LAN and Internet is not supported when your Internet Connection is configured in bridge mode (the option Allow administration access from does not show Internet or LAN).

  • An automatic implied rule is defined to allow the access specified here. There is no need to add an explicit rule in the Access Policy page to allow this access.

  • When you block the IP address or the interface group through which you are currently connected, you are not disconnected immediately. The access policy is applied immediately, but your current session remains active until you log out.

Two-Factor Authentication (2FA)

Two-Factor Authentication is an extra layer of security on the gateway. When Two-Factor Authentication is enabled on the Administrator Access page, its use is mandatory for all administrators configured on the appliance and is required for login. All administrators must have both an email address and phone number configured.

When Two-Factor Authentication is enabled, if any administrators are missing information, a warning message appears on the DeviceSystem > Administrator Access page that all administrators must first configure an email address and phone number. A list of administrators who are missing information also appears.

Another message that may appear on this page is a recommendation to use a Network Time Protocol (NTP) server to set the date and time on your appliance to avoid sync issues with the Authenticator app.

Note - This feature is available starting from R81.10.10.

Note - In R81.10.10, Two-Factor Authentication is not supported when RADIUS or TACACS is configured for administrator access.

Important - When Two-Factor Authentication is enabled, it is always required for login.

Prerequisites for Two-Factor Authentication

  1. In each administrator object, configure an email address and a phone number. See Configuring Local and Remote System Administrators.

  2. To avoid sync issues with the Authenticator app, use a Network Time Protocol (NTP) sever to set the date and time on your appliance. See Managing Date and Time.

  1. Go to the Device > System > Administrator Access page.

  2. In the Two-Factor Authentication (2FA) section, select Enable Two-Factor Authentication enforcement.

  3. Click Save.

  4. The gateway sends an email (from do-not-reply@portal.checkpoint.com) to all configured administrators that explains how to use the Authenticator app.

    The email also contains a QR code and emergency keys.

    Important - Save the emails with the emergency keys. Use these keys to log in if you lose your smartphone, lose your mobile number pairing configuration, or if the gateway is not connected to the Internet. Note that each emergency key can be used only one time.

  5. In the Web UI popup window, select I received email if you received the email or click Resend email.

  6. Install the Authenticator app.

    You can use either the Microsoft Authenticator or the Google Authenticator.

    Both are available from the Apple App store or Google Play.

  7. In the Authenticator app, add a new account in one of these ways:

    • Scan the QR code you received in the email.

    • Enter the one-time verification code you received in the email.

  1. On the appliance Login page, enter your administrator name and password.

    The Two-Factor Authentication screen appears.

  2. Use one of these options to receive your verification code:

    • Select the two checkboxes SMS and Email

      Note - To log in with this authentication option, the gateway must be connected to the Internet.

    • Select only the SMS checkbox

      Note - To log in with this authentication option, the gateway must be connected to the Internet.

    • Select only the Email checkbox

      Note - To log in with this authentication option, the gateway must be connected to the Internet.

    • Click Authenticator app

      Note - After the initial authentication, you can use the time-based code generated in the Authenticator app to log in even when the gateway is not connected to the Internet.

      Enter the verification code that you receive based on the selected login option:

      • From the SMS.

      • From the email.

      • From the Authenticator app.

  3. Click Next.

  4. Enter the verification code you received and click Next.

  5. If you did not receive a code, click Resend code or Try another way to receive the code by another method.

  1. Connect to the command line on the appliance.

  2. Enter your username and password.

  3. Enter the number of your choice of how to receive the verification code.

  4. Enter the verification code.

  1. Go to the DeviceSystemAdministrators page.

  2. Select the administrator.

  3. Click the Regenerate Keys button.

Note - This invalidates the current secret key and emergency keys.

The new keys are sent to the email address of the selected administrator. Verify that you received the email and set the Authenticator app with the new secret key to allow login via the Authenticator app.