Configuring Local and Remote System Administrators

The Device > Administrators page lists the appliance administrators. Here you can:

  • Create new local administrators.

  • Configure the session timeout.

  • Limit login failure attempts.

  • Regenerate keys.

Administrators can also be defined in a remote RADIUS server and you can configure the appliance to allow them access. Authentication of those remotely defined administrators is done by the same RADIUS server.

Note - This page is available from the Device and Users & Objects tabs.

Administrator Roles:

  • Super Administrator - All permissions. Super Administrators can create new locally defined administrators and change permissions for others.

  • Read Only Administrator - Limited permissions. Read Only Administrators cannot update appliance configuration but can change their own passwords or run a traffic monitoring report from the Tools page.

  • Networking Administrator - Limited permissions. Networking Administrators can update or modify operating system settings. They can select a service or network object but cannot create or modify it.

  • Mobile Administrator - Mobile administrators are allowed all networking operations on all interfaces. They can change their own passwords, generate reports, reboot, change events and mobile policy, active hosts operations and pairing. They cannot login from or access the WebUI.

  • Remote Access Administrator - Limited permissions. Remote access administrators can manage the VPN remote access configuration. They can add, edit and delete VPN remote access users and servers.

  • Access Policy Administrator - Limited permissions. Access policy administrators can manage the Firewall settings; Applications and URL filtering settings; and the Firewall access policy. They can also create, edit, and delete network objects, services and custom applications.

Two administrators with write permissions cannot log in at the same time. If an administrator is already logged in, a message shows. You can choose to log in with Read-Only permission or to continue. If you continue the login process, the first administrator session ends automatically.

The correct Administrator Role must be configured to perform the operations listed below. If not, a Permission Error message shows.

Local Administrators

  1. Click New.

    The Add Administrator page opens.

  2. Enter the administrator details:

    Note - To enable Two-Factor Authentication (available starting from the R81.10.10 release), all administrators must have both an email address and a phone number configured. Click Test to verify that you can receive messages at both the email address and phone number.

    • Name. The hyphen (-) character is allowed in the administrator name.

    • Password and then Confirm password.

      Note - You cannot use these characters in a password or shared secret: { } [ ] ` ~ | ‘ " \ (maximum number of characters: 255)

    • Email address.

      Note - In the R81.10.X releases, this feature is available starting from the R81.10.05 version.

    • Phone number. - Include the country code and do not include “+” at the beginning of the phone number. For example, "44123456789" where "44" is the country code.

      Note - In the R81.10.X releases, this feature is available starting from the R81.10.05 version.

    • Administrator role Select from the pull-down menu.

    • Enforce password change upon the next login. . The next time the administrator logs in, this message appears: "Your password has expired and must be changed."

      After the password is changed, the checkbox is clear. You can reselect to enforce password change at any time.

  3. Click Save.

    The name and Administrator Role is added to the table. When logged in to the WebUI, the administrator name and role is shown at the top of the page.

Note - If Two-Factor Authentication is not enabled, defining an email address and phone number is optional. However, you must have either an email address or a phone number defined to:

  • To reset your password on the Login page of the WebUI (see below).

  1. Select the administrator from the table and click Edit.

  2. Make the relevant changes.

  3. Click Apply

  1. Select an administrator from the list.

  2. Click Delete.

  3. Click Yes in the confirmation message.

Note - You cannot delete an administrator who is currently logged in.

Note - In the R81.10.X releases, this feature is available starting from the R81.10.08 version.

You can securely reset your password when you log in to your Security GatewayClosed A dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

Note - You must have an email address or phone number configured as part of the administrator details.

  1. In the Login page, enter the User Name and click Forgot my password.

  2. The Find Your Account screen appears. Enter your Username and your Email or Phone number, and click Next.

    You receive a message with a security code (One Time Password).

  3. Enter the security code and click Next.

  4. Create and enter your new password in the applicable field.

    Note - The password must contain a minimum of 6 characters.

  5. In the Confirm password field, Enter the password again.

  6. Click Next

  7. A message on the screen confirms your password was successfully changed.

  8. Click Next to proceed to the Login page.

Remote Administrators

Note - In R81.10.10, Two-Factor Authentication is not supported when RADIUS or TACACS is configured for administrator access.

  1. Make sure administrators are defined in the remote RADIUS server.

  2. Make sure a RADIUS server is defined on the appliance. If there is no server, click the RADIUS configuration link at the top of this page. You must configure the IP address and shared secret used by the RADIUS server.

  3. When you have a configured RADIUS server, click Edit permissions.

    The RADIUS Authentication window opens.

  4. Select Enable RADIUS authentication for administrators.

    Use roles defined on RADIUS server is selected by default.

  5. Configure the role for each user on the RADIUS server. See additional details below.

    Note - A user without role definition will get a login error.

  6. If you select Use default role for RADIUS users, select the Administrators Role:

    • Super Admin

    • Read only

    • Networking Admin

    • Mobile Admin

  7. To define groups, click Use specific RADIUS groups only and enter the RADIUS groups separated by a comma.

  8. Click Apply

  1. Click Security Settings.

    The Administrators Security Settings window opens.

  2. Configure the session timeout (maximum time period of inactivity in minutes). The maximum value is 999 minutes.

  3. To limit login failure attempts, click the Limit administrators login failure attempts checkbox.

  4. Enter the number of Maximum consecutive login attempts allowed before an administrator is locked out.

  5. In Lock period, enter the time (in seconds) that must pass before a locked out administrator can attempt to log in again.

  6. To enforce password complexity on administrators, click the checkbox and enter the number of days for the password to expire.

    Note - We strongly recommend the use of complex passwords. Password must contain at least 12 characters - uppercase, lowercase, numeric, and non-alphanumeric characters. Allowed alphanumeric characters: ! @ # % ^ & * ( ) - _ + : ;

  7. Click Apply

Configuring a RADIUS Server for non-local Quantum Spark Appliance users

Non-local users can be defined on a RADIUS server and not in the Quantum Spark Appliance. When a non-local user logs in to the appliance, the RADIUS server authenticates the user and assigns the applicable permissions. You must configure the RADIUS server to correctly authenticate and authorize non-local users.

Notes:

  • The configuration of the RADIUS Servers may change according to the type of operating system on which the RADIUS Server is installed.

  • If you define a RADIUS user with a null password (on the RADIUS server), the appliance cannot authenticate that user.

  1. Create the dictionary file checkpoint.dct on the RADIUS server, in the default dictionary directory (that contains radius.dct). Add these lines in the checkpoint.dct file:

    @radius.dct

    MACRO CheckPoint-VSA(t,s) 26 [vid=2620 type1=%t% len1=+2 data=%s%]

    ATTRIBUTE CP-Gaia-User-Role CheckPoint-VSA(229, string)  r

    ATTRIBUTE CP-Gaia-SuperUser-Access CheckPoint-VSA(230, integer)  r

  2. Add these lines in the vendor.ini file on the RADIUS server (keep in alphabetical order with the other vendor products in this file):

    vendor-product = Quantum Spark Appliance

    dictionary = nokiaipso

    ignore-ports = no

    port-number-usage = per-port-type

    help-id = 2000

  3. Add this line in the dictiona.dcm file:

    "@checkpoint.dct"

  4. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

    CP-Gaia-User-Role = <role>

    Where <role> allowed values are:

    Administrator Role

    Value

    Super Admin

    adminRole

    Read only

    monitorrole

    Networking Admin

    networkingrole

    Mobile Admin

    mobilerole

  1. Create the dictionary file dictionary.checkpoint in the /etc/freeradius/ on the RADIUS server.

    Add these lines in the dictionary.checkpoint file:

    # Check Point dictionary file for FreeRADIUS AAA server

    VENDOR CheckPoint 2620

    ATTRIBUTE   CP-Gaia-User-Role          229   string  CheckPoint

    ATTRIBUTE   CP-Gaia-SuperUser-Access   230   integer CheckPoint

  2. Add this line in the /etc/freeradius/dictionary file

    "$INCLUDE dictionary.checkpoint"

  3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

    CP-Gaia-User-Role = <role>

    Where <role> is the name of the administrator role that is defined in the WebUI.

    Administrator Role

    Value

    Super Admin

    adminRole

    Read only

    monitorrole

    Networking Admin

    networkingrole

    Mobile Admin

    mobilerole

  1. Create the dictionary file dict.checkpoint in the /etc/openradius/subdicts/ directory on the RADIUS server:

    # Check Point Gaia vendor specific attributes

    # (Formatted for the OpenRADIUS RADIUS server.)

    # Add this file to etc/openradius/subdicts/ and add the line

    # "$include subdicts/dict.checkpoint" to /etc/openradius/dictionaries

    # right after dict.ascend.

    $add vendor 2620 CheckPoint

    $set default vendor=CheckPoint

         space=RAD-VSA-STD

         len_ofs=1 len_size=1 len_adj=0

         val_ofs=2 val_size=-2 val_type=String

         nodec=0 noenc=0

    $add attribute 229 CP-Gaia-User-Role

    $add attribute 230 CP-Gaia-SuperUser-Access val_type=Integer val_size=4

  2. Add this line in the /etc/openradius/dictionaries file immediately after dict.ascend:

    $include subdicts/dict.checkpoint

  3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

    CP-Gaia-User-Role = <role>

    Where <role> is the name of the administrator role that is defined in the WebUI.

    Administrator Role

    Value

    Super Admin

    adminRole

    Read only

    monitorrole

    Networking Admin

    networkingrole

    Mobile Admin

    mobilerole

To log in as a Super User:

A user with super user permissions can use the Quantum Spark Appliance shell to do system-level operations, including working with the file system.

  1. Connect to the Quantum Spark Appliance platform over SSH or serial console.

  2. Log in to the Gaia ClishClosed The default shell of the Gaia CLI shell with your user name and password.

  3. Run: expert

  4. Enter the Expert mode password.

Important:

  • To configure the Expert mode (Bash) as the default shell, run this command (not recommended):

    bashUser on

  • To configure the Gaia Clish as the default shell, run this command (recommended):

    bashUser off