Services

Select the authentication servers for the firewall and other services such as VPN. You can also configure global authentication settings, NTLM settings, web client settings, and RADIUS single sign-on settings. Web policy actions let you specify where to direct unauthenticated users.

Firewall authentication methods

Authentication server to use for firewall connections.

Authentication server list
Configured authentication servers.
Selected authentication server
Server to use for authentication. In order to authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you have configured on the firewall. When more than one server is selected, the authentication request is forwarded to the servers in the order indicated.
Default group
Group to use for authenticating users who are not defined in the firewall. Users who are not included in a local group will be assigned to the default group.

VPN authentication methods

Authentication server to use for VPN connections.

Set authentication methods same as firewall
Make all the authentication servers configured for firewall traffic available for VPN traffic authentication.
Authentication server list
Configured authentication servers.
Selected authentication server
Server to use for authentication. In order to authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you have configured on the firewall. When more than one server is selected, the authentication request is forwarded to the servers in the order indicated. If you select a RADIUS server, PPTP and L2TP connections established using MSCHAPv2 or CHAP can be authenticated through RADIUS.

Administrator authentication methods

Server to use for authenticating administrator users.

Note Administrator authentication settings do not apply to the super administrator.
Set authentication methods same as firewall
Make all the authentication servers configured for firewall traffic available for administrator authentication.
Authentication server list
Configured authentication servers.
Selected authentication server
Server to use for authentication. In order to authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you have configured on the firewall. When more than one server is selected, the authentication request is forwarded to the servers in the order indicated.

SSL VPN authentication methods

Authentication server to use for SSL VPN connections.

Same as VPN
Use the same authentication method as configured for VPN traffic.
Same as firewall
Use the same authentication method as configured for firewall traffic.
Authentication server list
Configured authentication servers.
Selected authentication server
Server to use for authentication. In order to authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you have configured on the firewall. When more than one server is selected, the authentication request is forwarded to the servers in the order indicated.

Global settings

Maximum session timeout
Maximum session length for users who have successfully logged in to any service. Once the time has been exceeded, the user will be logged out.

The firewall checks authorization every three minutes. Possible causes for limiting the session length are access policies, surfing quota, data transfer limit, and the maximum session length.

This setting applies to administrative sessions only.

Simultaneous logins
Maximum number of concurrent sessions allowed to users.
Note This restriction applies only to users who are added after you set this value.

NTLM settings

Settings for Windows Challenge/Response to be used for Active Directory authentication.

Inactivity time
Inactive or idle time after which the user will be logged out.
Data transfer threshold
Minimum amount of data to be transferred within the inactivity time. If the minimum data is not transferred within the specified time, the user will be marked as inactive.
HTTP challenge redirect on intranet zone
When a site hosted on the internet initiates the NTLM web proxy challenge for authentication, redirect the NTLM authentication challenge to the Intranet zone. The client is transparently authenticated through the device’s local interface IP and credentials are exchanged only in the Intranet zone. User credentials remain protected. If this setting is turned off, the client is transparently authenticated by the browser through the device by sending user credentials over the internet.

Web client settings

Settings for the iOS, Android, and API web clients.

Inactivity time
Inactive or idle time after which the user will be logged out.
Data transfer threshold
Minimum amount of data to be transferred within the inactivity time. If the minimum data is not transferred within the specified time, the user will be marked as inactive.

SSO using RADIUS accounting request

Settings for RADIUS single sign-on. The firewall can transparently authenticate users who have already authenticated on a RADIUS server.

RADIUS client IPv4
IPv4 address of the RADIUS client. Only requests from the specified IP address will be considered for SSO.
Shared secret
Text string that serves as the password between the client and the server.
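As an added illustration (not part of the product documentation) of what the two settings above protect: a receiver for RADIUS Accounting-Request packets that accepts a login or logout event only when the packet arrives from the configured RADIUS client IPv4 address and its Request Authenticator verifies under the shared secret (RFC 2866). The client address, secret and packets below are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed values standing in for the two settings on this page.
RADIUS_CLIENT_IPV4 = "192.0.2.10"          # assumed "RADIUS client IPv4"
SHARED_SECRET = b"example-shared-secret"   # assumed "Shared secret"

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_ACCT_STATUS_TYPE = 1, 8, 40
STATUS_NAMES = {1: "login", 2: "logout"}   # Acct-Status-Type Start / Stop


def parse_attributes(body):
    """Split the TLV attribute list that follows the 20-byte RADIUS header."""
    attrs, i = {}, 0
    while i + 2 <= len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs


def verify_accounting_request(packet, secret):
    """RFC 2866: Request Authenticator = MD5(code|id|len|16 zero bytes|attrs|secret)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def sso_event(src_ip, packet):
    """Return a login/logout event, or None if the packet must not drive SSO."""
    if src_ip != RADIUS_CLIENT_IPV4:            # only the configured client is trusted
        return None
    if not verify_accounting_request(packet, SHARED_SECRET):
        return None                              # wrong secret or tampered packet
    attrs = parse_attributes(packet[20:])
    status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
    return {"user": attrs[ATTR_USER_NAME].decode(),
            "ip": ".".join(str(b) for b in attrs[ATTR_FRAMED_IP_ADDRESS]),
            "action": STATUS_NAMES.get(status, "other")}


def build_accounting_request(ident, user, ip, status, secret):
    """Build a constructed Accounting-Request the way a RADIUS client would."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user.encode()
    attrs += bytes([ATTR_ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
    attrs += bytes([ATTR_FRAMED_IP_ADDRESS, 6]) + bytes(int(o) for o in ip.split("."))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs
```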

Chromebook SSO

Settings for Chromebook single sign-on. The firewall can transparently authenticate users who have already authenticated on a Chromebook. To set up Chromebook SSO authentication, follow the instructions in Configuring Chromebook single sign-on.

Domain
The domain name as registered with G Suite.
Port
The port number Chromebooks connect to from the LAN or Wi-Fi.
Certificate
The certificate used for communication with the Chromebooks. It must meet the following requirements:
  • It must have a private key.
  • It must have an associated CA installed.
  • The certificate CN must match the zone/network where the Chromebook users are, for example gateway.example.com.
Logging level
Select the amount of logging.

Web policy actions for unauthenticated users

Specify settings for unauthenticated users in the captive portal.

Prompt unauthenticated users to sign in
Redirect the access request of unauthenticated users either to the captive portal or the custom message page. When this setting is turned off, unauthenticated user traffic will be dropped.
Login prompt method
Method by which unauthenticated users should be redirected.
Captive portal uses HTTPS
Provide secure access to the captive portal using HTTPS.
Provide link to full user portal
Provide a link to the full user portal on the captive portal page.
Redirect to a URL after login
Redirect the user to the originally requested page or to a custom page after logging on.
Preserve captive portal after login
Minimize the captive portal after the user has been authenticated.
Use keep alive to maintain user session
Use keep alive messaging to maintain the user’s connection to the captive portal. If the firewall does not receive a response from the user, the user is logged out automatically.
Tip Turn off this setting in the case of multiple concurrent users.
User inactivity timeout
Inactive or idle time after which the user will be logged out.
Data transfer threshold
Minimum amount of data to be transferred within the inactivity time. If the minimum data is not transferred within the specified time, the user will be marked as inactive.

Custom message options

Page header image
Image to display in the custom message page header. Supported formats: JPG, PNG, and GIF.
Page footer image
Image to display in the custom message page footer. Supported formats: JPG, PNG, and GIF.
Custom message
Message to display.