Services

Select the authentication servers for the firewall and other services such as VPN. You can configure global authentication settings, as well as settings for Kerberos and NTLM, web client, and RADIUS single sign-on. Web policy actions let you specify where to direct unauthenticated users.

Firewall authentication methods

Authentication server to use for firewall connections.

Authentication server list
Configured authentication servers.
Selected authentication server
Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you have configured on the firewall. When more than one server is selected, the authentication request is forwarded to the servers in the order shown.
Default group
Group to use for authenticating users who are not defined on the firewall. Users who are not included in a local group are assigned to the default group.

VPN authentication methods

Authentication server to use for VPN connections.

Set authentication methods same as firewall
Make all the authentication servers configured for firewall traffic available for VPN traffic authentication.
Authentication server list
Configured authentication servers.
Selected authentication server
Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you have configured on the firewall. When more than one server is selected, the authentication request is forwarded to the servers in the order shown. If you select a RADIUS server, PPTP and L2TP connections established using MSCHAPv2 or CHAP can be authenticated through RADIUS.

Administrator authentication methods

Server to use for authenticating administrator users.

Note Administrator authentication settings do not apply to the super administrator.
Set authentication methods same as firewall
Make all the authentication servers configured for firewall traffic available for administrator authentication.
Authentication server list
Configured authentication servers.
Selected authentication server
Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you have configured on the firewall. When more than one server is selected, the authentication request is forwarded to the servers in the order shown.

SSL VPN authentication methods

Authentication server to use for SSL VPN connections.

Same as VPN
Use the same authentication method as configured for VPN traffic.
Same as firewall
Use the same authentication method as configured for firewall traffic.
Authentication server list
Configured authentication servers.
Selected authentication server
Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you have configured on the firewall. When more than one server is selected, the authentication request is forwarded to the servers in the order shown.

Global settings

Maximum session timeout
Maximum session length for users who have successfully logged in to any service. Once the time has been exceeded, the user will be logged out.

The firewall checks authorization every three minutes. A session can be ended before the user logs out by access policies, the surfing quota, the data transfer limit, or the maximum session length.

This setting applies to administrative sessions only.

Simultaneous logins
Maximum number of concurrent sessions allowed for each user.
Note This restriction applies only to users who are added after you set this value.

NTLM settings

Settings for Windows Challenge/Response to be used for Active Directory authentication.

Inactivity time
Inactive or idle time after which the user will be logged out.
Data transfer threshold
Minimum amount of data to be transferred within the inactivity time. If the minimum data is not transferred within the specified time, the user will be marked as inactive.
HTTP challenge redirect on intranet zone
When a site hosted on the internet initiates the NTLM web proxy challenge for authentication, redirect the NTLM authentication challenge to the Intranet zone. The client is transparently authenticated through the device’s local interface IP and credentials are exchanged only in the Intranet zone. User credentials remain protected. If this setting is turned off, the client is transparently authenticated by the browser through the device by sending user credentials over the internet.

Web client settings

Settings for the iOS and Android clients and for the API.

Inactivity time
Inactive or idle time after which the user will be logged out.
Data transfer threshold
Minimum amount of data to be transferred within the inactivity time. If the minimum data is not transferred within the specified time, the user will be marked as inactive.

SSO using RADIUS accounting request

Settings for RADIUS single sign-on. The firewall can transparently authenticate users who have already authenticated on a RADIUS server, based on the accounting requests the RADIUS client sends.

RADIUS client IPv4
IPv4 address of the RADIUS client. Only requests from the specified IP address will be considered for SSO.
Shared secret
Text string that serves as the password between the client and the server.
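The two settings above are what a receiver of RADIUS accounting traffic needs to decide whether a packet may trigger single sign-on. The following added example (not the firewall's own code) shows that decision for an RFC 2866 Accounting-Request: the source address must be the configured client, and the Request Authenticator must verify under the shared secret before the User-Name, Framed-IP-Address and Acct-Status-Type attributes are trusted. The client address, secret, user names and IP addresses are constructed values.

```python
import hashlib, hmac, ipaddress, struct

# Constructed stand-ins for the two settings on this page (not real deployment values).
TRUSTED_CLIENT_IPV4 = "192.0.2.10"
SHARED_SECRET = b"example-shared-secret"

ACCOUNTING_REQUEST = 4                          # RADIUS Code for Accounting-Request (RFC 2866)
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_ACCT_STATUS = 1, 8, 40
STATUS_NAMES = {1: "start", 2: "stop"}          # Acct-Status-Type values that change login state

def build_accounting_request(identifier, user, framed_ip, status_type, secret=SHARED_SECRET):
    """Build an Accounting-Request as the RADIUS client (NAS) sends it. The Request
    Authenticator is MD5(header + 16 zero octets + attributes + shared secret)."""
    attrs = [(ATTR_USER_NAME, user.encode()),
             (ATTR_FRAMED_IP, ipaddress.ip_address(framed_ip).packed),
             (ATTR_ACCT_STATUS, struct.pack("!I", status_type))]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body

def parse_attributes(body):
    # Walk the TLV attribute list; None on truncated or zero-length entries.
    fields, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            return None
        fields[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return fields

def sso_event(packet, source_ip, secret=SHARED_SECRET, trusted_ip=TRUSTED_CLIENT_IPV4):
    """("start"|"stop", user, ip) for an authentic request from the configured client, else None."""
    if ipaddress.ip_address(source_ip) != ipaddress.ip_address(trusted_ip) or len(packet) < 20:
        return None                             # not the configured client: never considered for SSO
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None                             # wrong shared secret or modified packet
    fields = parse_attributes(body)
    if fields is None or not all(a in fields for a in (ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_ACCT_STATUS)):
        return None
    status = int.from_bytes(fields[ATTR_ACCT_STATUS], "big")
    if status not in STATUS_NAMES:
        return None                             # e.g. Interim-Update: no login state change
    return (STATUS_NAMES[status], fields[ATTR_USER_NAME].decode("utf-8", "replace"),
            str(ipaddress.ip_address(fields[ATTR_FRAMED_IP])))
```

A packet from any other source address, or one whose authenticator fails under the configured secret, is dropped before its attributes are read, which is what keeps a spoofed Accounting-Request from logging in an arbitrary user.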

Chromebook SSO

Settings for Chromebook single sign-on. The firewall can transparently authenticate users who have already authenticated on a Chromebook. To set up Chromebook SSO authentication, follow the instructions in Configure Chromebook single sign-on.

Domain
The domain name as registered with G Suite.
Port
The port number Chromebooks connect to from the LAN or Wi-Fi.
Certificate
The certificate used for communication with the Chromebooks. It must meet the following requirements:
  • It must have a private key.
  • It must have an associated CA installed.
  • The certificate's common name (CN) must match the Chromebook users' zone or network, for example gateway.example.com.
Logging level
Select the amount of logging.