Skip to content

Add a user locally

Add a user to Sophos Firewall locally and assign a group, policies, and restrictions.

Add a user

  1. Go to Authentication > Users and click Add.
  2. Enter a username to use for authentication.

    Note

    You can't change the username later.

  3. Enter a name for the user record.

  4. Enter a password.

    If the firewall finds a match with the commonly used passwords and dictionary words in its database, it prompts you to enter a stronger password.

    To change the password in an existing user record, click Change password.

  5. Select the type of user from the following:

    • User: End users of your network.
    • Administrator: They can sign in to the firewall's consoles with rights based on the profile you select. See Profiles > Device access.

      • Profile: Select an administrator profile.
  6. Enter an email address.

    Note

    For user records imported from Active Directory, the firewall replaces the locally configured email addresses with those from Active Directory at the time of authentication.

  7. Specify the following policies:

    1. Group: Group to which the user belongs.

      Active Directory (AD) users can belong to more than one group. If an AD user belongs to more than one group, Group shows the user's main group in the firewall. See FAQs for Active Directory users and groups.

      To add the user to a clientless group other than the predefined group, you must first create the clientless group. You can then select it here.

      Note

      Users' policies take precedence over group policies. Don't change the policies and settings if you want the group policies to apply.

    2. Other group memberships: AD groups other than the main group the user belongs to. Some rules and policies support multiple group membership. See Support for Active Directory group memberships.

    3. Surfing quota: Duration of surfing time assigned to the user.
    4. Access time: Allows or denies internet access based on a schedule.
    5. Network traffic: Quota for data usage.
    6. Traffic shaping: Bandwidth assigned to the user.
  8. Specify the following remote access VPN settings:

    Note

    Users' policies take precedence over group policies for remote access VPNs other than SSL VPNs. For remote access SSL VPNs, the user is allowed access to all the resources in the full and split tunnel policies they or their groups are part of. See Support for Active Directory group memberships.

    1. SSL VPN policy: Remote access SSL VPN policy of the user's group or the policy you select for the user.
    2. Other SSL VPN policies: Remote access SSL VPN policies of the user's other groups.

      It only appears if more than one group of the AD user is part of remote access SSL VPN policies.

    3. SSL VPN IP address: Enter the static IPv4 and IPv6 addresses for the user.

      It only appears if you select Use static IP addresses on Remote access VPN > SSL VPN > SSL VPN global settings. Make sure the static address you assign to the user is from the static range automatically created on SSL VPN global settings.

      Note

      If a RADIUS server is configured to lease IP addresses, it leases the static IP addresses to remote access SSL VPN users.

    4. Clientless SSL VPN policy: Allows remote access through a browser using bookmarks.

    5. Other clientless SSL VPN policies: Clientless SSL VPN policies of the user's other groups.

      It only appears if more than one group of the AD user is part of clientless SSL VPN policies.

    6. IPsec remote access: Allows remote access IPsec using the Sophos Connect client. Enter an IP address to lease to the remote user.

    7. L2TP: Allows remote access using L2TP. Enter an IP address to lease to the remote user.
    8. PPTP: Allows remote access using PPTP. Enter an IP address to lease to the remote user.

      Note

      When you turn on L2TP or PPTP, the policy members must first sign in to the user portal and create a password before they can connect.

  9. Specify the following settings:

    1. Quarantine digest: Emails the list of quarantined emails to the user.
    2. MAC binding: Requires users to sign in through endpoints that have the MAC addresses you specify.

      Note

      MAC binding only supports client-based authentication methods. It doesn't support remote access VPN and captive portal users.

    3. MAC address list: Enter the MAC addresses if you turn on MAC binding.

      Note

      If you turn on MAC binding and don't enter a MAC address, the firewall automatically binds the user's MAC address on their first sign-in.

    4. Simultaneous sign-ins: Number of concurrent sessions the user can have. Select from the following:

      • Global setting: Go to Authentication > Services to see these settings.
      • Unlimited: Allows unlimited concurrent sessions.
      • Clear Unlimited and enter a value.
    5. Sign-in restriction: Allows access only from the specified IP addresses:

      • Any node: The user can sign in from any IP address.
      • User group nodes: Sign-in restriction of the user's group applies.
      • Selected nodes: Enter IPv4 addresses and click the plus () button for each.
      • Node range: Enter the start and end IPv4 addresses.
  10. If you set User type to Administrator, click Administrator advanced settings and specify the following settings:

    1. Schedule for device access: Allows sign-ins to the web admin console during the schedule you select.
    2. Login restriction for device access: Allows sign-ins only from the specified IP addresses:

      • Any node: The administrator can sign in to the web admin console from any IP address.
      • Selected nodes: Enter IPv4 addresses and click the plus () button for each.
      • Node range: Enter the start and end IPv4 addresses.
  11. Click Save.

Usage and accounting

  • To see a user's internet use, scroll down and click View usage.
  • To reset the user’s surfing time and network traffic usage, click Reset user accounting.

More resources