
Set Global Firewall Authentication Values

When you configure the global authentication settings for your Firebox, you can configure the global values for firewall authentication, which include timeout values, user login session limits, and authentication page redirect settings. You can also enable Single Sign-On (SSO), and configure settings for Terminal Services. For more information about SSO and Terminal Services, see Enable Active Directory Single Sign-On (SSO) and Configure Terminal Services Settings.

If you configure user login session limits for individual users or groups, the limits set for a group and for a user take precedence over the global setting.

You can also configure global settings that apply to Device Management user accounts.

If your device runs Fireware v11.0–v11.3.x, the Authentication Settings for Terminal Services are not available.

Specify Firewall Authentication Settings

To configure Firewall Authentication settings, from Fireware Web UI:

  1. Connect to Fireware Web UI.
  2. Select Authentication > Settings.
    The Settings page appears.

[Screen shot: the Authentication Settings page]

  3. Configure authentication settings as described in the subsequent sections.
  4. Click Save.

To configure Firewall Authentication settings, from Policy Manager:

  1. Open Policy Manager.
  2. Select Setup > Authentication > Authentication Settings.
    The Authentication Settings dialog box appears with the Firewall Authentication tab selected by default.

[Screen shot: the Authentication Settings dialog box]

  3. Configure authentication settings as described in the subsequent sections.
  4. Click OK.

Set Global Authentication Timeouts

You can set the time period that users remain authenticated after they close their last authenticated connection. For users authenticated by third-party servers, the timeouts set on those servers also override the global authentication timeouts.

Global authentication timeout values for Firewall Authentication do not override the individual user authentication timeout settings for Mobile VPN with PPTP and Mobile VPN with L2TP users.

Session Timeout

The maximum length of time the user can send traffic to the external network. If you set this field to zero (0) seconds, minutes, hours, or days, the session does not expire and the user can stay connected for any length of time.

Idle Timeout

The maximum length of time the user can stay authenticated when idle (not passing any traffic to the external network). If you set this field to zero (0) seconds, minutes, hours, or days, the session does not time out when idle and the user can stay idle for any length of time.

If you set the Session Timeout or Idle Timeout to 0, authenticated users can remain authenticated until the Firebox is rebooted. If your network uses DHCP, the IP address for an authenticated user could be reassigned to a completely different user. If this happens, the new user can connect to your network without authentication.

For more information about user authentication settings, see Define a New User for Firebox Authentication.
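The interaction between the Session Timeout, the Idle Timeout, and the zero-means-never rule is easiest to see in a small model of the session table. The code below is an added example written for this page, not Fireware code; the session table, the `who_is` lookup, the addresses and the timestamps are all constructed. It binds an authenticated identity to a source IP address, exactly the property that makes a 0 timeout risky on a DHCP network, and shows that an idle timeout clears a stale binding while 0/0 keeps it until the table is discarded (a reboot, on the Firebox).

```python
from dataclasses import dataclass

# Constructed model of the Firebox global authentication timeouts (illustrative,
# not Fireware's implementation). A timeout of 0 means "never expire".


@dataclass
class AuthSession:
    user: str
    ip: str
    login_at: int         # seconds since epoch (constructed value)
    last_traffic_at: int  # seconds since epoch, refreshed on every packet


def session_expired(session, now, session_timeout, idle_timeout):
    """True when the absolute Session Timeout or the Idle Timeout has elapsed.
    A timeout of 0 disables that particular check."""
    if session_timeout and now - session.login_at >= session_timeout:
        return True
    if idle_timeout and now - session.last_traffic_at >= idle_timeout:
        return True
    return False


class SessionTable:
    """Authenticated sessions keyed by source IP address, the way firewall
    authentication attributes traffic to a user."""

    def __init__(self, session_timeout, idle_timeout):
        self.session_timeout = session_timeout
        self.idle_timeout = idle_timeout
        self.by_ip = {}

    def login(self, user, ip, now):
        self.by_ip[ip] = AuthSession(user, ip, now, now)

    def traffic(self, ip, now):
        """Refresh the idle timer when the address sends traffic."""
        session = self.by_ip.get(ip)
        if session:
            session.last_traffic_at = now

    def who_is(self, ip, now):
        """Identity attributed to traffic from `ip` at time `now`, or None if the
        address is unauthenticated. Expired sessions are dropped on lookup."""
        session = self.by_ip.get(ip)
        if session is None:
            return None
        if session_expired(session, now, self.session_timeout, self.idle_timeout):
            del self.by_ip[ip]
            return None
        return session.user


HOUR = 3600
DAY = 86400


def demo_idle_timeout_clears_stale_binding():
    """With a 15-minute idle timeout, an address that went quiet and was later
    handed by DHCP to another host is no longer attributed to the first user."""
    table = SessionTable(session_timeout=DAY, idle_timeout=15 * 60)
    table.login("alice", "10.0.0.25", now=0)          # constructed user and address
    table.traffic("10.0.0.25", now=5 * 60)
    # Two hours later a different, unauthenticated laptop holds 10.0.0.25.
    return table.who_is("10.0.0.25", now=2 * HOUR)   # None


def demo_zero_timeouts_keep_stale_binding():
    """With both timeouts at 0 the binding persists indefinitely, so whoever
    receives the address next inherits alice's authentication."""
    table = SessionTable(session_timeout=0, idle_timeout=0)
    table.login("alice", "10.0.0.25", now=0)
    return table.who_is("10.0.0.25", now=30 * DAY)   # "alice"
```

The two demo functions differ only in the timeout values; the second one is the situation the note above warns about, and the fix is simply a non-zero Idle Timeout that is shorter than your DHCP lease time.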

Allow Unlimited Concurrent Login Sessions

By default, the Allow unlimited concurrent firewall authentication logins from the same account option is selected. This option allows users to authenticate to the authentication server more than once at the same time. This is useful for guest accounts or in laboratory environments.

Global authentication settings for concurrent user sessions do not apply to mobile VPN sessions.

Limit Login Sessions

To restrict your users to a specific number of authenticated sessions, select Limit concurrent user sessions to. If you select this option, you can specify the number of times your users can use the same credentials to log in to one authentication server from different IP addresses. When a user is authenticated and tries to authenticate again, you can select whether the first user session is terminated when a subsequent session is authenticated, or if the subsequent sessions are rejected.

  1. Select Authentication > Settings.
    The Authentication Settings page appears.
  2. Select Limit concurrent user sessions to.
  3. In the text box, type or select the number of allowed concurrent user sessions.
  4. From the drop-down list, select an option:
    • Reject subsequent login attempts
    • Allow subsequent login attempts and logoff the first session.

[Screen shot: Firewall Authentication settings with the Login Limit options, in Fireware Web UI]

[Screen shot: Firewall Authentication settings with the Login Limit options, in Policy Manager]
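The two drop-down choices behave differently when an account that is already at its limit logs in again from a new address. The following added example (written for this page; not Fireware code) models the Limit concurrent user sessions to option as a per-server, per-account list of source addresses. The server name `Firebox-DB` is the one the page uses; the `guest` account and the addresses are constructed, and `max_sessions=None` stands for the default Allow unlimited concurrent firewall authentication logins from the same account setting.

```python
from collections import defaultdict

# Constructed model of the "Limit concurrent user sessions to" option.
REJECT = "reject"               # "Reject subsequent login attempts"
LOGOFF_FIRST = "logoff_first"   # "Allow subsequent login attempts and logoff the first session"


class ConcurrentLoginLimiter:
    """Tracks, per (authentication server, account), the source IP addresses
    that are currently logged in with that account's credentials."""

    def __init__(self, max_sessions=None, on_excess=REJECT):
        # max_sessions=None models the default: unlimited concurrent logins.
        self.max_sessions = max_sessions
        self.on_excess = on_excess
        self.sessions = defaultdict(list)  # (server, account) -> [ip, ...], oldest first

    def login(self, server, account, ip):
        active = self.sessions[(server, account)]
        if ip in active:
            return "already_logged_in"
        if self.max_sessions is not None and len(active) >= self.max_sessions:
            if self.on_excess == REJECT:
                return "rejected"
            # Log off the oldest session to make room for the new one.
            evicted = active.pop(0)
            active.append(ip)
            return f"accepted, logged off {evicted}"
        active.append(ip)
        return "accepted"

    def logout(self, server, account, ip):
        active = self.sessions[(server, account)]
        if ip in active:
            active.remove(ip)
            return True
        return False

    def active_ips(self, server, account):
        return list(self.sessions[(server, account)])


def demo(policy, max_sessions=2):
    """Three hosts log in with the same guest credentials against Firebox-DB;
    returns the per-attempt outcome and the sessions that remain."""
    limiter = ConcurrentLoginLimiter(max_sessions=max_sessions, on_excess=policy)
    attempts = ("10.0.0.11", "10.0.0.12", "10.0.0.13")   # constructed addresses
    results = [limiter.login("Firebox-DB", "guest", ip) for ip in attempts]
    return results, limiter.active_ips("Firebox-DB", "guest")
```

`demo(REJECT)` keeps the first two addresses and refuses the third; `demo(LOGOFF_FIRST)` accepts the third and drops the oldest. Note that the limit is per authentication server, so the same credentials on a second server are counted separately, matching the wording above.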

Specify the Default Authentication Server in the Authentication Portal

When your users log in to the Authentication Portal, they must select which authentication server to use for authentication. Users can select from any of the authentication servers you have enabled. By default, the first server in the list is Firebox-DB. You can change this setting so another enabled authentication server is first in the list of authentication servers. This is helpful if you want your users to authenticate with a server other than Firebox-DB.

To select the default authentication server:

From the Default authentication server on the authentication page drop-down list, select an authentication server.

For example, if you want your users to authenticate to your Home AD Active Directory server, from the drop-down list, select Home AD.

The default authentication server you specify here is also used as the default authentication server for connections from the FireClient app, when Mobile Security is enabled. For more information, see About FireClient.

Automatically Redirect Users to the Authentication Portal

If you require your users to authenticate before they can get access to the Internet, you can choose to automatically send users who are not already authenticated to the authentication portal, or have them manually navigate to the portal. This applies only to HTTP and HTTPS connections.

Automatically redirect users to the authentication page

When you select this check box, all users who have not yet authenticated are automatically redirected to the authentication portal when they try to get access to the Internet. If you do not select this check box, unauthenticated users must manually navigate to the authentication portal to log in.

If this option is selected, users are redirected only if the device configuration does not include a policy that allows HTTP or HTTPS traffic from the users' IP addresses. To make sure that your users are automatically redirected to the authentication page, you can remove any policies that allow HTTP or HTTPS traffic, other than those that include your authorized users or groups.

For more information about user authentication, see User Authentication Steps.

Redirect traffic sent to the IP address of the Firebox to this host name

Select this check box to specify a host name for the page where your users are redirected, when you choose to automatically redirect users to the authentication portal. Type the host name in the text box.

Make sure that the host name matches the Common Name (CN) from the web server certificate. This host name must be defined in the DNS settings for your organization, and it must resolve to the IP address of your Firebox.

If you have users who must manually authenticate to the authentication portal, and you use SSO, you can add an SSO exception for those users to reduce the amount of time it takes for them to authenticate. For more information about SSO exceptions, see Enable Active Directory Single Sign-On (SSO).

Users are redirected to the Authentication Portal only if the HTTP or HTTPS request does not match a policy on your Firebox. To make sure users are redirected to the Authentication Portal, verify that your device configuration does not include an HTTP or HTTPS policy that allows user connections without a user name or user group in its From list. Because the default Outgoing policy includes all TCP and UDP ports, you must either disable the Outgoing policy or edit it to include user names or user groups in the From list.

After you have made any necessary configuration changes, to make sure that your users can reach the Authentication Portal, verify that users can connect to a local or external DNS server. Before an HTTP or HTTPS request can be completed for a user, the user must be able to resolve the DNS name of a website external to your network.

Use a Custom Default Start Page

When you select the Automatically redirect users to authentication page check box to require your users to authenticate before they can get access to the Internet, the authentication portal automatically appears when a user opens a web browser. If you want the browser to go to a different page after your users successfully log in, you can define a redirect.

To specify a redirect:

  1. Select the Send a redirect to the browser after successful authentication check box.
  2. In the text box, type the URL of the website where users are redirected.

Set Management Session Timeouts

Use these options to set the time period that a user who is logged in with read/write privileges remains authenticated before the Firebox terminates the session.

Session Timeout

The maximum length of time the user can send traffic to the external network. If you select zero (0) seconds, minutes, hours, or days, the session does not expire and the user can stay connected for any length of time.

Idle Timeout

The maximum length of time the user can stay authenticated when idle (not passing any traffic to the external network). If you select zero (0) seconds, minutes, hours, or days, the session does not expire when the user is idle, and the user can stay idle for any length of time.

Configure Device Management Account Lockout Settings

You can enable Account Lockout to prevent brute force attempts to guess user account passwords. When Account Lockout is enabled, the Firebox temporarily locks a user account after a specified number of consecutive, unsuccessful login attempts, and permanently locks a user account after a specified number of temporary account lockouts. A permanently locked user account can be unlocked only by a user with Device Administrator credentials.

The default admin user account can be temporarily locked but cannot be permanently locked.

For information about how to unlock a locked Device Management user account, see Manage Users and Roles on Your Firebox.
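The lockout rules above (temporary lock after a run of failures, permanent lock after repeated temporary locks, admin never permanently locked, and only a Device Administrator able to clear a permanent lock) are shown below as an added example written for this page, not Fireware code. The thresholds, the temporary lock duration, the account names and the role string are all constructed placeholders, and the interpretation that the lockout following the allowed number of temporary lockouts becomes permanent is an assumption.

```python
# Constructed model of Device Management Account Lockout. Thresholds and the
# temporary lock duration are placeholders, not Fireware defaults.


class AccountLockout:
    def __init__(self, max_failures=5, max_temp_lockouts=3, temp_lock_seconds=300):
        self.max_failures = max_failures          # consecutive failures before a temporary lock
        self.max_temp_lockouts = max_temp_lockouts  # temporary locks allowed before a permanent lock
        self.temp_lock_seconds = temp_lock_seconds
        self.state = {}

    def _get(self, account):
        return self.state.setdefault(account, {
            "failures": 0, "temp_lockouts": 0, "locked_until": 0, "permanent": False,
        })

    def status(self, account, now):
        s = self._get(account)
        if s["permanent"]:
            return "permanently_locked"
        if now < s["locked_until"]:
            return "temporarily_locked"
        return "unlocked"

    def attempt(self, account, password_ok, now):
        """Record a login attempt; a locked account is refused even with the
        right password, so a guess cannot be confirmed while the lock lasts."""
        s = self._get(account)
        current = self.status(account, now)
        if current != "unlocked":
            return current
        if password_ok:
            s["failures"] = 0       # the count is of *consecutive* failures
            return "success"
        s["failures"] += 1
        if s["failures"] < self.max_failures:
            return "failed"
        s["failures"] = 0
        # Assumption: once the allowed number of temporary lockouts has been used
        # up, the next lockout is permanent. The default admin account is exempt
        # and only ever locks temporarily, as the page states.
        if s["temp_lockouts"] >= self.max_temp_lockouts and account != "admin":
            s["permanent"] = True
            return "permanently_locked"
        s["temp_lockouts"] += 1
        s["locked_until"] = now + self.temp_lock_seconds
        return "temporarily_locked"

    def unlock(self, account, by_role):
        """Only a user with Device Administrator credentials can clear a lock."""
        if by_role != "Device Administrator":   # constructed role string
            return False
        self.state[account] = {"failures": 0, "temp_lockouts": 0, "locked_until": 0, "permanent": False}
        return True


def demo_guessing_run(account):
    """Six wrong passwords for `account` in two bursts; with max_failures=3 and one
    temporary lockout allowed, a normal account ends permanently locked and the
    admin account ends only temporarily locked."""
    lockout = AccountLockout(max_failures=3, max_temp_lockouts=1, temp_lock_seconds=60)
    outcomes = [lockout.attempt(account, False, t) for t in (0, 1, 2)]
    outcomes += [lockout.attempt(account, False, t) for t in (100, 101, 102)]
    return outcomes, lockout.status(account, 103), lockout.status(account, 1000)
```

For the constructed `operator` account the run ends in `permanently_locked`, which persists until a Device Administrator clears it; for `admin` the same run produces a second temporary lock that expires on its own, so an attacker cannot turn lockout into a denial of service against the built-in administrator.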

See Also

About User Authentication

Configure Your Firebox as an Authentication Server

About Active Directory Single Sign-On (SSO)

Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor
