# Checkpoint SSL VPN Integration

General Overview

This guide explains the configuration of multi-factor authentication (MFA) for Check Point appliance with Mirket. It also includes instructions to configure your Check Point appliance for integration with Mirket.

Prior configuration and deployment of Check Point appliance are required before setting up MFA with Mirket. Check Point appliance offers various MFA configuration modes. In this integration, we've configured RADIUS authentication with Mirket.

**Create a new RADIUS server entity:**\
Open the Check Point SmartConsole (available only on Windows OS).\
Go to the top-left menu and choose **New Object > New Host**.

![](https://help.okta.com/en-us/content/resources/images/checkpoint1.png)

**Input the following details:**

* **Name:** Provide a distinct name for the machine hosting the RADIUS server. For example: *MyHost*.
* **IPv4 Address:** Enter a unique IP address assigned to the host running the RADIUS server. For example: *192.168.1.101*.
* Click **OK** to proceed.

![](https://help.okta.com/en-us/content/resources/images/checkpoint2.png)

From the menu in the upper-left corner, go to **New Object > More Object Types > Server > More > New RADIUS**. Then, provide the following information:

* **Name:** Assign a distinctive name for the RADIUS server. Example: *MyRADIUS*.
* **Host:** Choose the Host object you created earlier.
* **Service:** Set this to **NEW-RADIUS** to align with UDP port **1812**, which was configured previously in the RADIUS application.
* **Shared Secret:** Enter the RADIUS secret that you configured in the Mirket RADIUS setup.
* **Version:** Choose **RADIUS Ver 2.0**.
* **Protocol:** Select **PAP**.
* **Priority:** Default is set to **1**. You can adjust this if you're configuring multiple RADIUS servers.

Click **OK** to save.

**Note:** Ensure that the Check Point Management Server can reach the RADIUS server over **UDP port 1812** (authentication) and **UDP port 1813** (accounting). You may need to allow these ports through intermediate firewalls or network access control lists.

![](https://help.okta.com/en-us/content/resources/images/checkpoint3.png)

From the top-left menu, go to **Global Properties > Advanced > SecuRemote/SecuClient**.\
Enable the **add\_radius\_groups** option by checking the box, then click **OK** to apply the changes.

![](https://help.okta.com/en-us/content/resources/images/checkpoint4.png)

Go to **VPN Clients > Authentication > Settings**.\
In the **Single Authentication Clients Settings** window, choose **RADIUS** as the authentication method.\
For the **Server** option, select the RADIUS server you configured earlier.\
Once everything is set, click **OK** to save the changes.

![](https://help.okta.com/en-us/content/resources/images/checkpoint9.png)

Make sure Remote access is enabled in Identity Awareness settings.

<figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2FXYJh8St9B3ew7dX97ljU%2Fimage.png?alt=media&#x26;token=0733b386-c629-4716-b319-5eebf9be36c9" alt=""><figcaption></figcaption></figure>

\
To apply the changes, click **Install Policy**—this will publish your updates and deploy the policy to the **R80 gateway**.

## Configure Mirket

To enable Mirket to receive authentication requests from Check Point, follow these steps:

* Define Check Point appliance as a RADIUS client resource within Mirket.
* Create an authentication policy for the Check Point RADIUS client resource or include it in an existing authentication policy.
* Attach the Check Point resource to the Mirket Radius.

### Add Check Point as a Resource in Mirket with Radius Gateway

Before starting, ensure that you have installed Mirket Radius Gateway from the **Configuration** > **Gateway.** To add a Radius Gateway to the Mirket, follow these steps:

* Go to **Configuration** > **Gateway** and click on the **Add Radius Gateway** button.
* On the displayed screen, enter a name for your Radius Gateway in the **Name** field.
* Enter the SAM value of the gateway in the **Sam Value** field. In Mirket, user identification is done using the SAM (Security Account Manager) name. This is preferred over the standard username. This username is used for authentication and access controls.
* Enter the IP address of the server where the gateway is installed in the **Host IP Address** field.
* Enter the authentication port value you set for the gateway in the **Auth Port** field. The default value is 1812.
* Enter the accounting port value you specified for the gateway in the **Acc Port** field. The default value is 1813. **Note**: After completing these fields, you must create a **RADIUS client** for the newly created RADIUS Gateway.
* Click on the **Add Radius Client** option at the bottom of the displayed screen.
* Enter a name for your Radius Client in the **Radius Client** field.
* Enter the IP address of the client(firewall) that will communicate with the gateway in the **IP Address** field.
* Enter the secret key that the client will communicate with the gateway in the **Secret Key** field.

<figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2FFQRip3MoLETV17kYpOAm%2FRGAdd.png?alt=media&#x26;token=f19b1024-3846-4b6e-ab92-4508875d3991" alt="" width="563"><figcaption></figcaption></figure>

* Click on the **Save** button to confirm the settings.

<figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2FAUfc9froWmf2e1ObOigm%2FRG.png?alt=media&#x26;token=0ef86424-cebc-4ae3-b30d-d9acb7c09c5f" alt=""><figcaption></figcaption></figure>

### Configuring Radius Gateway

* After creating the Radius Gateway, click on the **Download > Config** from the menu on the right side of the gateway.

<figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2FA3EDj7G4xT6t09uoSyTw%2FRGDownload.png?alt=media&#x26;token=1990d477-394f-437d-ae35-b1c2828af55a" alt=""><figcaption></figcaption></figure>

* This option will generate a script related to the gateway, which will be displayed from the RADIUS Setup config file. The config file will automatically begin downloading once this option is selected.

<figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2F0Jlzbxukpodt1NxoUWct%2FRGConfig.png?alt=media&#x26;token=7c21d1c2-3ef9-4099-884e-0bb4e430d6da" alt="" width="563"><figcaption></figcaption></figure>

* Replace the existing config file in the `"C:\MirketRadius"` directory with the downloaded file. Alternatively, copy the displayed script and paste it into the config file in `"C:\MirketRadius"`.

<figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2FYsMVAEqt0dUnQ7aWNsQQ%2FRGDirectory.png?alt=media&#x26;token=01858387-1169-42c2-ba60-cd9ce5036926" alt="" width="479"><figcaption></figcaption></figure>

* Then, restart the **Mirket Radius Service**.

<figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2FfLX2FpfkbKYnUkWqHbBH%2FRGService.png?alt=media&#x26;token=aab3abe8-bdf7-44a4-9b28-065af8fb372d" alt=""><figcaption></figcaption></figure>

You can check whether the Radius Gateway you created is active by navigating to **Configuration** > **Gateway**.

### User and Group configuration on Mirket

To set up multifactor authentication, make sure you have at least one **user** or **group** in Mirket.

If it is preferred to use a local user, you can first create a local group and then create a local user and make the user a member of the group. Alternatively, you can create a local user without creating a local group.

* [Create a Local Group to add users manually.](https://docs.mirketsecurity.com/mirket-help-center/mirket-help-center/mirket-saas-platform/mirket-portal/groups)
* [Add local Mirket users manually.](https://docs.mirketsecurity.com/mirket-help-center/mirket-help-center/mirket-saas-platform/mirket-portal/users/local-users)

If it is preferred to use LDAP users, the priority External Source is created by pulling users from Active Directory or OpenLDAP in Mirket. **Note**: Before proceeding, ensure that you have installed Mirket LDAP Gateway. ([Refer to create LDAP Gateway.](https://docs.mirketsecurity.com/mirket-help-center/mirket-help-center/mirket-saas-platform/mirket-portal/connector/ldap-gateways))

* [Create an External Source to include LDAP users.](https://docs.mirketsecurity.com/mirket-help-center/mirket-help-center/mirket-saas-platform/mirket-portal/external-sources/active-directory)
* [Sync users from an external user database.](https://docs.mirketsecurity.com/mirket-help-center/mirket-help-center/mirket-saas-platform/mirket-portal/users/ldap-users)

### Add a Radius Rule to Mirket

Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP, etc.).

First, you should follow these steps:

* Go to **Configuration > Radius Rules**.
* Click on the **Add Radius Rule** button.
* On the displayed screen, enter a name for the rule in the **Name** field.
* Enter the rule description in the **Description** field.
* Select the Radius Client to which the rule will apply from the **Radius Client** dropdown list.
* Enter the source IP addresses to which the rule will apply in the **Source Adress** field.
* Select the source countries where the rule will be applied from the Source Country dropdown list.
* Click on the **Next** button.

<figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2FKREEfwZtOz3W4AhRQE0Q%2FRadiusRuleAdd.png?alt=media&#x26;token=13331afd-8e1a-4db9-85c5-8829276fead2" alt="" width="563"><figcaption></figcaption></figure>

* Specify whether the rule will be applied to a user or a group.
* After specifying, click on the **Next** button.

<figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2FI6N93Xsg2eEV1QtZnSJ2%2FRadiusRuleAdd2.png?alt=media&#x26;token=3aaaa4f2-99d7-4b99-ab64-52b8a4c4dabb" alt="" width="563"><figcaption></figcaption></figure>

* Select the users or groups to which the rule will apply. Transfer your selections to the **Selected Users/Groups** table by clicking the arrow icon next to the **Available Users/Groups** table.
* Click on the **Next** button.

<div><figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2FzOFMfP7a3N72BCjWgS6F%2FRadiusRuleAdd31.png?alt=media&#x26;token=9313a78a-8ab0-4fdf-bffc-ce93a1beab23" alt=""><figcaption></figcaption></figure> <figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2FgysyYXybxcmP3dkoTWl4%2FRadiusRuleAdd32.png?alt=media&#x26;token=7e9109d0-40fb-4015-be52-b1fbe0a4590a" alt=""><figcaption></figcaption></figure></div>

* Select the time period when the rule will run.
  * **All**: The rule will run every day.
  * **Recurring**: The rule will run on the specified days and times.
  * **One Time**: The rule will run within the date range you specify.
* After selecting, click on the **Next** button.

<figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2FmbddhmoSf4psJigpwGtl%2FRadiusRuleAdd4.png?alt=media&#x26;token=124dd812-02c4-48fa-90d6-34ddd6fc631e" alt="" width="563"><figcaption></figcaption></figure>

* Specify whether the user or group will be granted access based on the rule in the **Action** field.
* Select the authentication provider to which the rule will apply from the **Auth Method** dropdown list.

<figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2FUNeonzmNV154IB3y0Gta%2FRadiusRuleAdd5.png?alt=media&#x26;token=6db67697-954a-4f28-9d6a-63adef3af303" alt="" width="563"><figcaption></figcaption></figure>

* Click on **Save** to confirm the settings.

<figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2FcxOxiA8O6sGEk9EfpLEF%2FRadiusRule.png?alt=media&#x26;token=ee7c674b-f8a8-4422-a8e2-fb1f6da6ff97" alt=""><figcaption></figcaption></figure>

### Test the Integration

To validate the integration between Mirket MFA and your Check Point appliance, perform authentication using a mobile token on your mobile device. For RADIUS resources, available authentication methods include Approve/Deny authentication.

In this example, we illustrate the use of the Approve/Deny authentication method.

* Launch the Check Point Endpoint Security client application. Then click on the VPN client icon in the taskbar and select **Connect to**.
* Choose the public IP address of the Check Point appliance from the **Site** dropdown list.
* Enter your Mirket username in the **Username** field.
* Input your password in the **Password** field.

<figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2FqdgV04G1Nd8OEEUx1svM%2Fcheckpointtest.png?alt=media&#x26;token=493e959c-9037-4e5b-a71d-150414c804d7" alt=""><figcaption></figcaption></figure>

* Click on **Connect**. Then, select the '**Approve**' option(found in the Mirket mobile app) immediately and make sure it doesn't time out.

<figure><img src="https://2335748515-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXMCDrulGJr20rbbYKJ91%2Fuploads%2F6No7mRZjthlAdoSR9DRu%2Fcheckpointtest2.png?alt=media&#x26;token=6b19cd5f-672c-4351-a488-98c61bdb1de0" alt=""><figcaption></figcaption></figure>

#### Related Topics

[Radius Clients](https://docs.mirketsecurity.com/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/rules/radius-rules/radius-clients)

[Radius Rules](https://docs.mirketsecurity.com/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/rules/radius-rules)

[Local Group Configuration](https://docs.mirketsecurity.com/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/local-group-configuration)

[Local Users Configuration](https://docs.mirketsecurity.com/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/local-users-configuration)

[LDAP Group Configuration](https://docs.mirketsecurity.com/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/ldap-group-configuration)

[LDAP Users](https://docs.mirketsecurity.com/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/ldap-users)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.mirketsecurity.com/mirket-help-center/mirket-help-center/mirket-saas-platform/integrations/checkpoint-ssl-vpn-integration.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.