Use Authorized Users and Groups in Policies

You can use specified user and group names when you create policies in Fireware XTM Web UI. For example, you can define policies that only allow connections for authenticated users, or you can limit connections on a policy to particular users.

The term authorized users and groups refers to users and groups that are allowed to access network resources.

Define Users and Groups for Firebox Authentication 

If you use your XTM device as an authentication server and want to define users and groups that authenticate to the XTM device, see Define a New User for Firebox Authentication and Define a New Group for Firebox Authentication.

Define Users and Groups for Third-Party Authentication

You can use Fireware XTM Web UI to define the users and groups to use for third-party authentication. When you create a group, if you use more than one Active Directory domain for authentication, you must specify the domain that you want users in the group to use to authenticate.

For both individual users and user groups, you can also enable login limits. When you enable unlimited concurrent logins for a user or group, you allow more than one user or member of a group to authenticate with the same user credentials at the same time, to one authentication server. This is useful for guest accounts or in laboratory environments. When the second user logs in with the same credentials, the first user authenticated with the credentials is automatically logged out. The other option you can select for user and group login limits is to limit your users or members of a group to a single authenticated session. If you select this option, your users cannot log in to one authentication server from different IP addresses with the same credentials. When a user is authenticated, and tries to authenticate again, you can select whether the first user session is terminated when the subsequent session is authenticated, or if the subsequent session is rejected.

User and group names on your Active Directory server are case-sensitive. When you add an authorized user or group to your XTM device, the user or group name must have the same capitalization used in the name on the Active Directory server.

  1. Create a group on your third-party authentication server that contains all the user accounts on your system.
  2. Select Authentication > Users and Groups.
    The Authentication Users and Groups page appears.

Screen shot of the Authentication Users and Groups page

  3. Click Add.
    The Add User or Group dialog box appears.

Screen shot of the Users and Groups dialog box

  4. For the Type option, select Group or User.
  5. Type a user or group name that you created on the authentication server.
    The user or group name is case-sensitive and must match the capitalization used on the authentication server.
  6. (Optional) Type a description for the user or group.
  7. From the Authentication Server drop-down list, select your authentication server.
  8. To enable login limits, select the Enable login limits for each user or group check box, and then select an option as described in the two sections that follow.
  9. Click Add.
  10. Click Save.

Allow Unlimited Concurrent Login Sessions

You can allow more than one user to authenticate with the same user credentials at the same time, to one authentication server. This is useful for guest accounts or in laboratory environments. When the second user logs in with the same credentials, the first user authenticated with the credentials is automatically logged out. If you do not allow this feature, a user cannot authenticate to the authentication server more than once at the same time.

From the Define User or Group dialog box:

  1. Select the Enable login limits for each user or group check box.
  2. Select Allow unlimited concurrent firewall authentication logins from the same account.

For Mobile VPN with IPSec and Mobile VPN with SSL users, concurrent logins from the same account are always supported regardless of whether this option is selected. These users must log in from different IP addresses for concurrent logins, which means that they cannot use the same account to log in if they are behind an XTM device that uses NAT. Mobile VPN with PPTP and Mobile VPN with L2TP users do not have this restriction.

Limit Login Sessions

From the Authentication Settings page, you can limit your users to a specific number of authenticated sessions. If you select this option, you can specify the number of times your users can use the same credentials to log in to one authentication server from different IP addresses. When a user is authenticated and tries to authenticate again, you can select whether the first user session is terminated when a subsequent session is authenticated, or if the subsequent sessions are rejected.

From the Define User or Group dialog box:

  1. Select the Enable login limits for each user or group check box.
  2. Select Limit concurrent user sessions to.
  3. In the text box, type or select the number of allowed concurrent user sessions.
  4. From the drop-down list, select an option: terminate the first user session when a subsequent session is authenticated, or reject the subsequent sessions.
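As an added illustration that is not part of the original documentation, the login-limit behaviour described in this section and the previous one, modelled as a small session table: an account on one authentication server may hold unlimited sessions, a fixed number of sessions, or (assumed default when no limit is enabled) a single session, and on excess the first session is either terminated or the new one rejected. Account names, IP addresses and the single-session default are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Behaviour when an account already holds its allowed number of sessions.
TERMINATE_FIRST = "terminate_first"   # oldest session ends when the new one authenticates
REJECT_NEW = "reject_subsequent"      # the new session is rejected


@dataclass
class LoginLimit:
    max_sessions: Optional[int]       # None = unlimited concurrent logins
    on_excess: str = REJECT_NEW


# Assumption: with no login limit enabled an account gets a single session and a
# second login from another IP address is rejected.
DEFAULT_LIMIT = LoginLimit(1, REJECT_NEW)


@dataclass
class SessionTable:
    limits: dict = field(default_factory=dict)   # (auth_server, account) -> LoginLimit
    active: dict = field(default_factory=dict)   # (auth_server, account) -> deque of client IPs

    def login(self, auth_server: str, account: str, client_ip: str):
        """Return (decision, ended); ended lists client IPs whose sessions were terminated."""
        key = (auth_server, account)             # case-sensitive, like names on the AD server
        sessions = self.active.setdefault(key, deque())
        if client_ip in sessions:
            return "accepted", []                # assumption: same IP re-auth keeps its session
        limit = self.limits.get(key, DEFAULT_LIMIT)
        if limit.max_sessions is None or len(sessions) < limit.max_sessions:
            sessions.append(client_ip)
            return "accepted", []
        if limit.on_excess == REJECT_NEW:
            return "rejected", []
        # terminate_first: drop the oldest session(s) to make room for the new one
        ended = []
        while len(sessions) >= limit.max_sessions:
            ended.append(sessions.popleft())
        sessions.append(client_ip)
        return "accepted", ended

    def logout(self, auth_server: str, account: str, client_ip: str) -> bool:
        sessions = self.active.get((auth_server, account), deque())
        if client_ip not in sessions:
            return False
        sessions.remove(client_ip)
        return True
```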

Add Users and Groups to Policy Definitions 

Any user or group that you want to use in your policy definitions must be added as an authorized user. All users and groups you create for Firebox authentication, and all Mobile VPN users, are automatically added to the list of authorized users and groups on the Authorized Users and Groups dialog box. You can add any users or groups from third-party authentication servers to the authorized user and group list with the previous procedure. You are then ready to add users and groups to your policy configuration.

  1. Select Firewall > Firewall Policies.
    The Firewall Policies page appears.
  2. Select a policy from the list and click Action > Edit Policy.
    Or, double-click a policy.
    The Policy Configuration page appears.
  3. Below the From list, click Add.
    The Add Member dialog box appears.
  4. From the Member Type drop-down list, select Firewall User.
    The list of available users appears.

Screen shot of the Add Member dialog box with the Firewall User member type selected

If your user or group does not appear in the Groups list, see Define a New User for Firebox Authentication, Define a New Group for Firebox Authentication, or the previous Define Users and Groups for Third-Party Authentication procedure, and add the user or group.

  5. Select a user and click OK.

After you add a user or group to a policy configuration, Fireware XTM Web UI automatically adds a WatchGuard Authentication policy to your XTM device configuration. Use this policy to control access to the authentication portal web page. For instructions to edit this policy, see Use Authentication to Restrict Incoming Traffic.

See Also

About Third-Party Authentication Servers

Set Access Rules for a Policy
