Enable the Authentication Portal on the Firebox

Applies To: Cloud-managed Fireboxes

To enable user authentication, you configure users in the Firebox database or in an authentication domain. If you want users to connect to the cloud-managed Firebox to authenticate, you can enable the Authentication Portal. The Authentication Portal is a web page on the Firebox.

For the Firebox to allow connections to the Authentication Portal, you must add a WG-Auth firewall policy to the Firebox configuration. A WG-Auth policy allows TCP traffic on port 4100.

To add the WG-Auth policy, in WatchGuard Cloud:

  1. Select Configure > Devices.
  2. Select the cloud-managed Firebox.
  3. Click Device Configuration.
  4. Click the Firewall Policies tile.
    The Firewall Policies page opens.
  5. Click Add Firewall Policy.
    The Add Firewall Policy page opens.
  6. For the policy type, select First Run.
  7. Click Next.
  8. In the Name text box, type a name for this policy. For example, Authentication Portal.
  9. Click Add Traffic Types.
  10. Select the WG-Auth traffic type.

Screen shot of the Add Traffic Types page with WG-Auth selected

  11. Click Add.
  12. To allow users to connect to the Authentication Portal from internal networks:
    1. Select Add Source.
      The Add Source Address dialog box opens.
    2. From the Type drop-down list, select Built-in Aliases.
    3. From the Built-in Aliases list, select Any-Internal.
    4. Click Add.
  13. To specify the Firebox as the destination for authentication portal traffic:
    1. Click Add Destination.
      The Add Destination Address dialog box opens.
    2. From the Type drop-down list, select Built-in Aliases.
    3. From the Built-in Aliases list, select Firebox.
    4. Click Add.
      The Firebox is added as the policy destination.

Screen shot of the Source and Destination with Built-in Aliases configured

  14. To save configuration changes to the cloud, click Save.

To enable the Firebox Authentication Portal, in WatchGuard Cloud:

  1. Select Configure > Devices.
  2. Select the cloud-managed Firebox.
  3. Click Device Configuration.
  4. In the Authentication section, click the Settings tile.
    The Settings page opens.

Screen shot of the Firebox Authentication Settings page

  5. Enable the Authentication Portal.
  6. To set the authentication domain that is selected by default in the Authentication Portal, from the Default authentication domain drop-down list, select an authentication domain.
  7. To save configuration changes to the cloud, click Save.

After you enable the Authentication Portal, the WatchGuard Authentication Portal system policy is added to the Firebox. This first-run system policy allows WG-Auth traffic from internal networks to the Firebox on port 4100.

After you deploy the configuration to the Firebox, users on internal networks can use a web browser to connect to the Authentication Portal.

Screen shot of the Authentication Portal page with a default authentication domain

On the Authentication Portal, the default Domain is the Default authentication domain that you configure in the Firebox Authentication settings.
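
To confirm that the deployed policy behaves as described, the following added example (not part of the WatchGuard documentation) probes TCP port 4100 from the host it runs on and compares the result with the Any-Internal source scope configured above. The function names, the internal/external vantage labels, and the assumption that no other policy allows port 4100 from external networks belong to this example.

```python
import socket
import sys

WG_AUTH_PORT = 4100  # TCP port the WG-Auth policy allows, per this page


def probe_tcp(host, port=WG_AUTH_PORT, timeout=3.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        raise  # bad host name: a caller error, not a firewall result
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and unreachable-network errors
        return "filtered"


def evaluate(state, vantage):
    """Check a probe result against the policy scope described on this page.

    vantage: 'internal' (host in an Any-Internal network) or 'external'.
    Assumption: no other policy allows port 4100 from external networks.
    Returns (ok, message).
    """
    if vantage not in ("internal", "external"):
        raise ValueError("vantage must be 'internal' or 'external'")
    if vantage == "internal":
        if state == "open":
            return True, "portal port reachable from internal network"
        return False, f"port is {state}: check that the policy is deployed"
    if state == "open":
        return False, "port reachable from outside Any-Internal: review sources"
    return True, f"port is {state} from external network, as expected"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_portal.py <firebox-address> internal|external")
    ok, message = evaluate(probe_tcp(sys.argv[1]), sys.argv[2])
    print(("PASS: " if ok else "FAIL: ") + message)
    sys.exit(0 if ok else 1)
```

Run it once from a host on an internal network and once from a host outside Any-Internal; a FAIL from either vantage point means the policy sources or the deployment state should be reviewed.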

For more information, see Connect to the Firebox Authentication Portal.

Related Topics

Connect to the Firebox Authentication Portal

About Firebox Authentication Settings

WatchGuard Cloud Authentication Domains