To enable your users to authenticate, you create user accounts and groups. When a user connects to the Authentication Portal with a web browser on a computer or mobile device and authenticates to the Firebox, the user credentials and computer IP address are used to find whether the configuration includes a policy that applies to the traffic that the computer sends and receives.
To create a Firebox user account:
- Define a New User for Firebox Authentication.
- Define a New Group for Firebox Authentication and add the new user to that group.
- Create a policy that allows traffic only to or from a list of Firebox user names or groups.
This policy is applied only if a packet comes from or goes to the IP address of the authenticated user.
After you have added a user to a group and created policies to manage the traffic for the user, the user can open a web browser on a computer or mobile device to authenticate to the Firebox.
To require multi-factor authentication (MFA) when a user authenticates, specify AuthPoint as the authentication server for the user or group. To enable and use AuthPoint as an authentication server your Firebox must runFireware v12.7 or higher and you must configure a Firebox resource in AuthPoint. For detailed steps to configure AuthPoint MFA for the Firebox Authentication Portal, go to Firebox Authentication with AuthPoint.
In Fireware v12.5.5 or higher, connections to pages served by the Firebox Web Server must use TLS 1.2 or higher.
If you have configured the Firebox with an IPv4 or an IPv6 address, you can use either the IPv4 or the IPv6 address to authenticate to the device over port 4100.
To authenticate with an HTTPS connection to the Firebox over port 4100:
- In a web browser, go to https://<IP address of the device>:4100.
The login page appears.
- Type the Username and Password.
- From the Domain drop-down list, select the domain to use for authentication.
This option only appears if you can choose from more than one domain. - Click Login.
If the credentials are valid, the user is authenticated.
Firewall authentication takes precedence over Single Sign-On (SSO) and replaces the user credentials and IP address from your SSO session with the user credentials and IP address you select for Firewall authentication. For more information about how to configure SSO, go to How Active Directory SSO Works.