
Add a user locally

Add a user to Sophos Firewall locally and assign a group, policies, and restrictions.

Add a user

  1. Go to Authentication > Users and click Add.
  2. Enter a username to use for authentication.

    Note

    You can't change the username later.

  3. Enter a name for the user record.

  4. Enter a password.

    If the firewall finds a match with the commonly used passwords and dictionary words in its database, it prompts you to enter a stronger password.

    To change the password in an existing user record, click Change password.

  5. Select the type of user from the following:

    • User: End users of your network.
    • Administrator: They can sign in to the firewall's consoles with rights based on the profile you select. See Profiles > Device access.
      • Profile: Select an administrator profile.
  6. Enter an email address.

    Note

    For user records imported from Active Directory, the firewall replaces the locally configured email addresses with those from Active Directory at the time of authentication.

  7. Specify the following policies:

    1. Group: Group to which the user belongs.

      Users can belong to more than one group.

      To add a clientless group, go to Authentication > Groups and create a group with the Group type set to Clientless. You can then select it here.

      Note

      Users' policies take precedence over group policies. Don't change the other policies and restrictions if you want the group policies to apply.

    2. Surfing quota: Duration of surfing time assigned to the user.

    3. Access time: Allows or denies internet access based on a schedule.
    4. Network traffic: Quota for data usage.
    5. Traffic shaping: Bandwidth assigned to the user.
  8. Specify the following remote access VPN settings:

    Note

    Users' policies take precedence over group policies.

    1. SSL VPN policy: Allows remote access SSL VPN using the Sophos Connect client.

      Note

      If a RADIUS server is configured to lease IP addresses, it leases the static IP addresses to remote access SSL VPN users.

    2. Clientless SSL VPN policy: Allows remote access through a browser using bookmarks.

    3. IPsec remote access: Allows remote access IPsec using the Sophos Connect client. Enter an IP address to lease to the remote user.
    4. L2TP: Allows remote access using L2TP. Enter an IP address to lease to the remote user.
    5. PPTP: Allows remote access using PPTP. Enter an IP address to lease to the remote user.

      Note

      For SFOS 18.5 MR2 and later, when you turn on L2TP or PPTP, the policy members must first sign in to the user portal and create a password before they can connect.

  9. Specify the following settings:

    1. Quarantine digest: Emails the list of quarantined emails to the user.
    2. MAC binding: Requires users to sign in through endpoints that have the MAC addresses you specify.
    3. MAC address list: Enter the MAC addresses if you turn on MAC binding.

      Note

      The firewall doesn't bind remote access VPN users with MAC addresses.

    4. Simultaneous sign-ins: Number of concurrent sessions the user can have. Select from the following:

      • Global setting: Go to Authentication > Services to see these settings.
      • Unlimited: Allows unlimited concurrent sessions.
      • Clear Unlimited and enter a value.
    5. Sign-in restriction: Allows access only from the specified IP addresses:
      • Any node: The user can sign in from any IP address.
      • User group nodes: Sign-in restriction of the user's group applies.
      • Selected nodes: Enter IPv4 addresses and click the plus (+) button for each.
      • Node range: Enter the start and end IPv4 addresses.
  10. If you set User type to Administrator, click Administrator advanced settings and specify the following settings:

    1. Schedule for device access: Allows sign-ins to the web admin console during the schedule you select.
    2. Login restriction for device access: Allows sign-ins only from the specified IP addresses:
      • Any node: The administrator can sign in to the web admin console from any IP address.
      • Selected nodes: Enter IPv4 addresses and click the plus (+) button for each.
      • Node range: Enter the start and end IPv4 addresses.
  11. Click Save.
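
A pre-save check for the sign-in restriction settings in steps 9 and 10, added here as an example that is not part of the Sophos documentation or product. It models the Any node, User group nodes, Selected nodes and Node range options as a hypothetical dict (the field names and sample records are assumptions, not a firewall export format) and reports which expected source addresses would be refused.

```python
import ipaddress

def node_allowed(restriction, source_ip, group_restriction=None):
    """Return True if source_ip may sign in under the given restriction.

    Hypothetical modes: "any" (Any node), "group" (User group nodes),
    "selected" (Selected nodes), "range" (Node range).
    """
    ip = ipaddress.IPv4Address(source_ip)  # the page lists IPv4 addresses only
    mode = restriction["mode"]
    if mode == "any":
        return True
    if mode == "group":
        # The group's own restriction applies; it must be a concrete one.
        if group_restriction is None or group_restriction["mode"] == "group":
            raise ValueError("group restriction missing or not resolvable")
        return node_allowed(group_restriction, source_ip)
    if mode == "selected":
        return ip in {ipaddress.IPv4Address(n) for n in restriction["nodes"]}
    if mode == "range":
        start = ipaddress.IPv4Address(restriction["start"])
        end = ipaddress.IPv4Address(restriction["end"])
        if start > end:
            raise ValueError("range start is after range end")
        return start <= ip <= end
    raise ValueError(f"unknown mode: {mode}")

def review(user, expected_sources, group_restriction=None):
    """List findings for one planned user record before it is saved."""
    findings = []
    restriction = user["restriction"]
    if user["type"] == "Administrator" and restriction["mode"] == "any":
        findings.append("administrator can sign in from any IP address")
    for src in expected_sources:
        if not node_allowed(restriction, src, group_restriction):
            findings.append(f"{src} would be refused sign-in")
    return findings

# Constructed sample records using documentation address ranges.
ADMIN = {"name": "fwadmin", "type": "Administrator",
         "restriction": {"mode": "range", "start": "192.0.2.10", "end": "192.0.2.20"}}
OPEN_ADMIN = {"name": "fwadmin2", "type": "Administrator",
              "restriction": {"mode": "any"}}

if __name__ == "__main__":
    print(review(ADMIN, ["192.0.2.15", "192.0.2.21"]))
    print(review(OPEN_ADMIN, ["198.51.100.7"]))
```

Running it against the addresses administrators actually use shows, before you click Save, whether a Node range or Selected nodes entry would refuse one of them.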

Usage and accounting

  • To see a user's internet use, scroll down and click View usage.
  • To reset the user’s surfing time and network traffic usage, click Reset user accounting.
