Skip to content
Last update: 2022-07-08

Register a user

Add a user to Sophos Firewall and assign policies to them, such as for internet access and VPN.

  1. Go to Authentication > Users and click Add.
  2. Type a username to be used for authentication.
  3. Enter a name.


    This is the user record name, not the username.

  4. Type a password to be used for authentication.

    Your password must not be a commonly used password or a dictionary word. Sophos Firewall compares the password you're trying to set with a database that includes commonly used passwords and dictionary words. If your password matches a password in the database, the firewall prompts you to change it.

  5. Select a type.

    Option Description
    User End users who are connecting to the internet from behind the firewall.
    Administrator Users who have access to firewall objects and settings as defined in a profile.

    Profile: Select an administration profile.

  6. Type an email address.


    If a user has been imported from Active Directory, Sophos Firewall overwrites the email addresses given in user registration with the email addresses given by Active Directory at the time of authentication.

  7. Select the policies.


    Policies specified at the user level take precedence over those specified at the group level.

    Option Description
    Group Group to which you want to add the user. If you don't specify policies for the user, the group's policies apply.To add a clientless group, go to Authentication > Groups and select the Group type.
    Surfing quota Access based on a defined period and type. This policy can include a cycle type, hours, validity, and maximum hours.
    Access time Access or denial based on a defined recurring period.
    Network traffic Access based on bandwidth usage.
    Traffic shaping Access based on QoS traffic shaping policy. This policy can include a policy association, priority, and specific limits for uploading and downloading.
  8. Select the SSL VPN policy settings.

    Option Description
    SSL VPN policy SSL VPN policy for remote access using the Sophos Connect client. If you don't select a policy, the group's policy applies to the user.
    SSL VPN IP address If you want to assign a static IP address to the user for remote access SSL VPN, enter an IP address from the static IP address range the firewall automatically created on Remote access VPN > SSL VPN > SSL VPN global settings.

    If you've updated the assigned IP addresses on SSL VPN global settings, make sure the address you assign to the user is within the updated static range.

    Clientless SSL VPN policy Access to be granted to users using only a browser as a client. This policy can include bookmarks or resources that clientless users are allowed to access.


    If you've configured a RADIUS server to authenticate users and lease IP addresses, the server assigns the static IP address you configure on it for the remote access SSL VPN user. The firewall won’t lease the address.

  9. Specify the other VPN settings.


    User policies take precedence over policies of the group to which the user belongs.

    Option Description
    IPsec remote access Allow remote access VPN using the Sophos Connect client. Optionally, specify an IP address to be leased to the user for Sophos Connect access.
    L2TP Allow access using L2TP. Optionally, specify an IP address to be leased to the user for L2TP access.
    PPTP Allow access using PPTP. Optionally, specify an IP address to be leased to the user for PPTP access.
  10. Specify the other settings.

    Option Description
    Quarantine digest Sends a list of emails held in the quarantine area to the user's inbox as a digest.
    MAC binding Requires users to sign in through the specified devices.
    MAC address list Enter the MAC addresses if you've turned on MAC binding.
    Simultaneous sign-ins Number of concurrent sessions that will be allowed for the user. Use the value specified in the global settings or specify a value.
    Sign-in restriction Allow access from the specified nodes:

    Any node: The user can sign in from any node in the network.

    User group nodes: If a user belongs to a specific group, they inherit the login restrictions applied to that group.

    Selected nodes: The user can only sign in from specified IP addresses.

    Node range: The user can sign in from any IP address within the specified range of IP addresses.


    You can't use MAC binding with VPNs.

  11. For administrator users, click Administrator advanced settings and specify the settings.

    Option Description
    Schedule for device access Allow access the device only during the time selected.
    Login restriction for device access Allow access from the specified nodes. You can specify no restriction (any node), named nodes, or a node range.
  12. Click Save.

More resources

Back to top