Services
Select the authentication servers for the firewall and other services such as VPN. You can configure global authentication settings, as well as settings for Kerberos and NTLM, web client, and RADIUS single sign-on. Web policy actions let you specify where to direct unauthenticated users.
Note
You can only select a maximum of 20 authentication servers for each authentication method.
Firewall authentication methods
Authentication server to use for firewall connections.
Authentication server list: Configured authentication servers.
Selected authentication server: Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you have configured on the firewall. If you select more than one server, the authentication request is forwarded to them in the order indicated.
Default group: Group to use for authenticating users who are not defined in the firewall. Users who are not included in a local group will be assigned to the default group.
User portal authentication methods
Authentication server to use for the user portal.
Set authentication methods same as firewall: Use the firewall traffic's authentication servers for the user portal.
Authentication server list: Configured authentication servers.
Selected authentication server: Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local server, that is, the users and groups you have configured on the firewall.
VPN portal authentication methods
Authentication server to use for the VPN portal.
Set authentication methods same as firewall: Use the firewall traffic's authentication servers for the VPN portal.
Authentication server list: Configured authentication servers.
Selected authentication server: Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local server, that is, the users and groups you have configured on the firewall.
VPN (IPsec/dial-in/L2TP/PPTP) authentication methods
Authentication server to use for VPN connections.
Set authentication methods same as firewall: Make all the authentication servers configured for firewall traffic available for VPN traffic authentication.
Authentication server list: Configured authentication servers.
Selected authentication server: Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local server, that is, the users and groups you have configured on the firewall. If you select more than one server, the authentication request is forwarded in the order indicated.
Use a supported authentication protocol for L2TP and PPTP connections, according to the following list:
- Local: PAP, CHAP, or MSCHAPv2
- Active Directory: PAP
- RADIUS: PAP, CHAP, or MSCHAPv2
- LDAP: PAP
- TACACS+: PAP or CHAP
Administrator authentication methods
Server to use for authenticating administrator users.
Note
Administrator authentication settings do not apply to the super administrator.
Set authentication methods same as firewall: Make all the authentication servers configured for firewall traffic available for administrator authentication.
Authentication server list: Configured authentication servers.
Selected authentication server: Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local server, that is, the users and groups you have configured on the firewall. If you select more than one server, the authentication request is forwarded in the order indicated.
SSL VPN authentication methods
Authentication server to use for SSL VPN connections.
Same as VPN: Use the same authentication method as configured for VPN traffic.
Same as firewall: Use the same authentication method as configured for firewall traffic.
Authentication server list: Configured authentication servers.
Selected authentication server: Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local server, that is, the users and groups you have configured on the firewall. If you select more than one server, the authentication request is forwarded in the order indicated.
Global settings
Maximum session timeout: Maximum session length for users who have successfully logged in to any service. When this time is exceeded, the user is logged out.
The firewall checks authorization every three minutes. A session can be limited by access policies, the surfing quota, the data transfer limit, and the maximum session length.
Simultaneous logins: Maximum number of concurrent sessions allowed to users.
Note
This restriction applies only to users who are added after you set this value.
AD SSO settings (NTLM and Kerberos)
Settings for Windows Challenge/Response to be used for Active Directory authentication.
Inactivity time: Inactive or idle time after which the user will be logged out.
Data transfer threshold: Minimum amount of data to be transferred within the inactivity time. If the minimum data is not transferred within the specified time, the user will be marked as inactive.
HTTP challenge redirect on intranet zone: When a site hosted on the internet initiates the NTLM web proxy challenge for authentication, redirect the NTLM authentication challenge to the Intranet zone. The client is transparently authenticated through the device’s local interface IP and credentials are exchanged only in the Intranet zone. User credentials remain protected. If this setting is turned off, the client is transparently authenticated by the browser through the device by sending user credentials over the internet.
Web client settings (iOS, Android and API)
Settings for iOS, Android, and API.
Inactivity time: Inactive or idle time after which the user will be logged out.
Data transfer threshold: Minimum amount of data to be transferred within the inactivity time. If the minimum data is not transferred within the specified time, the user will be marked as inactive.
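As an added illustration (not Sophos Firewall code), the following Python model shows how the inactivity time and data transfer threshold settings interact with the global maximum session timeout at each periodic authorization check. The check interval follows the three-minute figure on this page; the policy values and traffic samples are constructed.

```python
# Added example, not Sophos Firewall code: how the Inactivity time, Data transfer
# threshold and Maximum session timeout settings combine at the firewall's
# periodic authorization check. Traffic samples and policy values are constructed.
from dataclasses import dataclass

@dataclass
class SessionPolicy:
    inactivity_seconds: int     # "Inactivity time"
    data_threshold_bytes: int   # "Data transfer threshold" within that window
    max_session_seconds: int    # "Maximum session timeout"

def bytes_in_window(traffic, now, window):
    """Bytes from (timestamp, byte_count) samples seen in the last `window` seconds."""
    return sum(n for ts, n in traffic if now - window < ts <= now)

def session_state(login_time, traffic, now, policy):
    """'expired' once the maximum session length is reached, 'inactive' when less
    than the threshold moved during the inactivity window, otherwise 'active'."""
    if now - login_time >= policy.max_session_seconds:
        return "expired"
    if bytes_in_window(traffic, now, policy.inactivity_seconds) < policy.data_threshold_bytes:
        return "inactive"
    return "active"

def logout_time(login_time, traffic, policy, check_interval=180):
    """Walk the periodic authorization checks (every three minutes, per the page)
    and return (check_time, reason) for the first check that ends the session."""
    t = login_time + check_interval
    while True:
        state = session_state(login_time, traffic, t, policy)
        if state != "active":
            return t, state
        t += check_interval
```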
SSO using RADIUS accounting request
Settings for RADIUS single sign-on. The firewall can transparently authenticate users who have already authenticated on a RADIUS server.
RADIUS client IPv4: IPv4 address of the RADIUS client. Only requests from the specified IP address will be considered for SSO.
Shared secret: Text string that serves as the password between the client and the server.
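As an added illustration (not Sophos Firewall code), this Python snippet shows the two checks the RADIUS client IPv4 and shared secret settings imply before an incoming Accounting-Request is trusted to map a user to an IP address: the source address must be the configured client, and the Request Authenticator must verify under the shared secret. The client address, secret, and packet contents are constructed values.

```python
# Added example, not Sophos Firewall code: the two checks the RADIUS SSO settings
# imply before an Accounting-Request may map a user to an IP. Values are constructed.
import hashlib
import hmac
import struct

RADIUS_CLIENT_IPV4 = "192.0.2.10"      # assumed "RADIUS client IPv4" setting
SHARED_SECRET = b"demo-shared-secret"  # assumed "Shared secret" setting
ACCOUNTING_REQUEST = 4                 # RADIUS code, RFC 2866
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_ACCT_STATUS_TYPE = 1, 8, 40
ACCT_STATUS_START = bytes([0, 0, 0, 1])

def build_accounting_request(ident, secret, attrs):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_attributes(body):
    """Decode the TLV attribute list into {type: value}; reject bad lengths."""
    attrs = {}
    while body:
        if len(body) < 2 or not 2 <= body[1] <= len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs[body[0]] = body[2:body[1]]
        body = body[body[1]:]
    return attrs

def sso_user_from_accounting(packet, src_ip, secret=SHARED_SECRET,
                             client_ip=RADIUS_CLIENT_IPV4):
    """(user, ip) for an authentic Acct-Start from the configured client, else None."""
    if src_ip != client_ip or len(packet) < 20:   # only the configured client counts
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(received, expected):   # wrong secret or tampered
        return None
    try:
        attrs = parse_attributes(body)
    except ValueError:
        return None
    ip = attrs.get(ATTR_FRAMED_IP_ADDRESS, b"")
    if attrs.get(ATTR_ACCT_STATUS_TYPE) != ACCT_STATUS_START or len(ip) != 4:
        return None
    if ATTR_USER_NAME not in attrs:
        return None
    return attrs[ATTR_USER_NAME].decode("utf-8", "replace"), ".".join(map(str, ip))
```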
Chromebook SSO
Settings for Chromebook single sign-on. The firewall can transparently authenticate users who have already authenticated on a Chromebook. To set up Chromebook SSO authentication, follow the instructions in Configure Chromebook single sign-on.
Domain: The domain name as registered with Google Workspace.
Port: The port number Chromebooks connect to from the LAN or Wi-Fi.
Certificate: The certificate used for communication with the Chromebooks. It must meet the following requirements:
- It must have a private key.
- It must have an associated CA installed.
- The certificate's common name (CN) must match the Chromebook users' zone or network, for example gateway.example.com.
Logging level: Select the amount of logging.