How to Setup Authentication for admins in Check Point GAiA?

How to Setup Authentication for admins in Check Point GAiA?

What steps would you take? Let us know!

Hi there - one of our community members created this post to answer this question. I've included the high level steps below to get you started. Thanks!


GAIA WebUI and SSH introduction.

When you login to a Check Point firewall or device over either web or SSH, you are authenticated in the same way. The different authentication methods are

  1. Local user account
  2. External authentication server for a local account
  3. External authentication for a non-local account

Adding a local user in GAI

This is the simplest way and often the easiest method of adding a user and authenticating. Begin by logging into the WebUI. The standard is HTTPS over port 443

  • Go to User Management > Users and click “Add” to set up a new user
  • In the next window you can select options for the user

Login Name: This is the username used when logging in
Password: Password
Real name: To identify users easier
Home directory: Home directory, this will be /home/<USERNAME> as default
Shell: This is the standard shell when you login. Default shell is clish. If you change it to /bin/bash remember that the user will be able to run commands with root privileges if he has UID = 0
UID: The default is 0, which means that you will have the same permissions as root if you get into the /bin/bash shell. However in order to get into that shell you must either have that set as your standard shell, or know the expert password.

You can also select if the user can login to either Web or SSH or both, as well as assign one or more Roles. The Roles determine what permissions you have to run commands and modify configuration.

Adding a local user in GAiA - Using clish

clish is the default shell when connecting to the Check Point device over SSH. clish works in a very similar way as when modifying configurations in a switch or router.

Adding user

# add user <USERNAME> uid <UID> homedir <HOME_DIRECTORY> # set user <USERNAME> password # add rba user <USERNAME> roles <ROLE> # save config

Deleting user

# delete user <USERNAME>

So using local users is easy, but let’s see what the pros and cons are :

Advantage: Easy to setup
Disadvantages: Static passwords on each device means a lot of work to change them all if you have many devices
There is no password expiration set as default
If a user quits it’s a lot of work to find everywhere where the user has accounts and delete them
If a new user joins the team it’s a hassle to create accounts for him on all devices

These disadvantages often lead to teams managing the devices to use the admin account for everything, and share the password, since it is easier. This is of course bad for several reasons.
Sharing the account means that you cannot determine who did what from the logs. A shared password is more work to change, as everyone needs to be informed, and often means that it will be changed less frequently, if at all.
According to PCI-DSS 8.5.8 it is stated:
8.5.8 Do not use group, shared, or generic accounts and passwords, or other authentication methods.

Password policy for local accounts

Here you can setup the password policy for local users


Roles are permissions sets that you can assign to a user.

Each Role has two types of permissions.
Commands = Commands that can be executed in CLI
Features = Part of the configuration. If a user does not have the NTP feature then the user will not see the NTP part in WebUI and cannot change it in CLI either.

There are three pre-defined Roles, adminRole, cloningAdminRole and monitorRole with different permission sets.

Authentication Servers

Configure if you want to use an external authentication server, either for non-local users, or local users who authenticate remotely


RADIUS Servers: Here you can define your RADIUS servers, which IP, port and timeout as well as shared secret.
Network Access Server (NAS): The IP that should be recorded in the RADIUS Access Request as the IP of the gateway. If nothing is selected here it will use the source IP address of the packet.
Sometimes when packets go via NAT the source IP of the packet can change. Then it can be good to have the true source IP recorded inside the RADIUS Access Request.
RADIUS Users Default Shell: This is the default shell for non-local users.
Super User UID: This is the UID for non-local users when entering expert mode. This should be 0 in most cases. The only other option is 96, which is the UID of the “_nonlocl” built in user. If 96 is selected the user will not be able to run any commands from expert.
If you are unable to select 0, then check sk98958 or sk97206.

View full post here: