Use Users and Groups in Policies

When you create policies in your Firebox configuration file, you can use specified user and group names. For example, you can define policies that only allow connections for authenticated users, or you can limit connections on a policy to particular users.

An authenticated user can send traffic through the Firebox only if the traffic is allowed by a policy on the Firebox.

Define Users and Groups for Firebox Authentication

If you want to use your Firebox as an authentication server, you can specify the users and groups that can authenticate to the Firebox. For instructions to define these users and groups, go to Define a New User for Firebox Authentication and Define a New Group for Firebox Authentication.

Define Users and Groups for Third-Party Authentication

In your Firebox configuration file, you can define the users and groups to use for third-party authentication. When you create a group, if you use more than one Active Directory domain for authentication, you must specify the domain that you want users in the group to use to authenticate.

For both individual users and user groups, you can also enable login limits. When you enable unlimited concurrent logins for a user or group, more than one user or group member can authenticate to one authentication server with the same credentials at the same time. This is useful for guest accounts or in laboratory environments. When a second user logs in with the same credentials, the first user authenticated with those credentials is automatically logged out. The other login limit option is to limit users or group members to a single authenticated session. If you select this option, users cannot log in to one authentication server from different IP addresses with the same credentials. When a user who is already authenticated tries to authenticate again, you can select whether the first session is terminated when the additional session is authenticated, or whether the additional session is rejected.

User and group names on your Active Directory server are case-sensitive. When you add a user or group to your Firebox, the user or group name must have the same capitalization used in the name on the Active Directory server.

If you use Active Directory authentication and the group membership for a user does not match your Mobile VPN policy, you can see an error message that says "Decrypted traffic does not match any policy". If you see this error message, make sure that the user is in a group with the same name as your Mobile VPN group.

If a user is already logged in when you add a new group to the Firebox configuration, the user is not associated with that group by the Firebox until the next time the user logs in to the Firebox.

To limit concurrent user sessions for mobile VPN users, you must use Mobile VPN with IKEv2 and Firebox-DB user accounts. You cannot limit concurrent user sessions for Mobile VPN with IKEv2 users with accounts on third-party authentication servers. You cannot limit concurrent user sessions for Mobile VPN with L2TP, Mobile VPN with SSL, or Mobile VPN with IPSec users with Firebox-DB accounts or accounts on third-party authentication servers.

Allow Unlimited Concurrent Login Sessions

You can allow more than one user to authenticate with the same user credentials at the same time, to one authentication server. This is useful for guest accounts or in laboratory environments. When the second user logs in with the same credentials, the first user authenticated with the credentials is automatically logged out. If you do not allow this feature, a user cannot authenticate to the authentication server more than once at the same time.

To allow unlimited concurrent login sessions for your users:

  1. Select the Enable login limits for each user or group check box.
  2. Select Allow unlimited concurrent firewall authentication logins from the same account.

Limit Login Sessions

You can limit your users to a specific number of authenticated sessions. If you select this option, you can specify the number of times your users can use the same credentials to log in to one authentication server from different IP addresses. When a user is authenticated and tries to authenticate again, you can select whether the first user session is terminated when an additional session is authenticated, or if the additional sessions are rejected.

You can configure login session limits at the global, group, and user level.

  • User settings take precedence over the group and global settings.
  • If a user's login session limits are not configured, group settings take precedence, if configured.
  • If a user belongs to more than one group, the settings for the first group in the user's group list take precedence.
  • If user or group login session limits are not configured, the global settings are used.

To limit login sessions for your users:

  1. Select the Enable login limits for each user or group check box.
  2. Select Limit concurrent user sessions to.
  3. In the text box, type or select the number of allowed concurrent user sessions.
  4. From the drop-down list, select an option:
    • Reject subsequent login attempts
    • Allow subsequent login attempts and logoff the first session
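The precedence rules and the two enforcement options above can be modelled in a few lines; the following is an added illustration, not WatchGuard code, and uses constructed user, group and IP values. It assumes that a group setting applies only when that group actually has login limits configured, and that "log off the first session" evicts the oldest active session.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LoginLimit:
    max_sessions: int   # concurrent sessions allowed for the same credentials
    reject_new: bool    # True: reject subsequent logins; False: log off the first session


class SessionTracker:
    """Hypothetical model of Firebox login session limits (user > group > global)."""

    def __init__(self, global_limit: LoginLimit, group_limits: Dict[str, LoginLimit],
                 user_limits: Dict[str, LoginLimit], user_groups: Dict[str, List[str]]):
        self.global_limit = global_limit
        self.group_limits = group_limits
        self.user_limits = user_limits
        self.user_groups = user_groups
        self.sessions: Dict[str, List[str]] = {}   # user -> source IPs, oldest first

    def effective_limit(self, user: str) -> LoginLimit:
        if user in self.user_limits:                # user settings win outright
            return self.user_limits[user]
        for group in self.user_groups.get(user, []):  # first configured group in the list
            if group in self.group_limits:          # assumption: skip groups with no limits set
                return self.group_limits[group]
        return self.global_limit                    # fall back to global settings

    def login(self, user: str, src_ip: str) -> str:
        limit = self.effective_limit(user)
        active = self.sessions.setdefault(user, [])
        if len(active) < limit.max_sessions:
            active.append(src_ip)
            return "accepted"
        if limit.reject_new:                        # "Reject subsequent login attempts"
            return "rejected"
        evicted = active.pop(0)                     # "... logoff the first session"
        active.append(src_ip)
        return f"accepted; logged off {evicted}"


def build_example() -> SessionTracker:
    """Constructed configuration: global 1 session/reject, staff 2 sessions/log off first."""
    return SessionTracker(
        global_limit=LoginLimit(1, True),
        group_limits={"staff": LoginLimit(2, False)},
        user_limits={"alice": LoginLimit(1, True)},   # user-level override for alice
        user_groups={"alice": ["staff"], "bob": ["staff"], "carol": []},
    )
```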

Add Users and Groups to Policy Definitions

Any user or group that you want to use in your policy definitions must be added as a user. All users and groups you create for Firebox authentication, and all Mobile VPN users, are automatically added to the list of users and groups on the Users and Groups dialog box. You can add any users or groups from third-party authentication servers to the user and group list with the previous procedure. You are then ready to add users and groups to your policy configuration.

After you add a user or group to a policy configuration, the WatchGuard Authentication policy is automatically added to your Firebox configuration file. This policy controls access to the Authentication Portal web page. For instructions to edit this policy, go to Use Authentication to Restrict Incoming Connections.

For one example of how you can configure Firebox policies for different users or groups, go to Configure WebBlocker Actions for Groups with Active Directory Authentication.

Related Topics

About Third-Party Authentication Servers

Set Access Rules for a Policy