Skip to content

Firewall rules configured to attach user identity



Configure appropriate settings to map IP addresses to usernames. Mapping users to IP addresses permits the firewall to create rules based on users and groups rather than IP addresses and subnets and log events by usernames rather than IP addresses or DNS names. The specifics of achieving IP-to-username mapping are highly dependent on the environment. It can be enabled by integrating the firewall with a domain controller, captive portal, Terminal Server, Kerberos, NTLM, and synchronized security heartbeat from various devices.


  1. Go to PROTECT > Rules and policies > Firewall rules.
  2. Open or create a firewall rule and ensure that Log firewall traffic is selected.
  3. Set the primary authentication server at the top in CONFIGURE > Authentication > Services > Firewall authentication methods.
  4. Add printers or IoT devices in CONFIGURE > Authentication > Clientless users that are unable to authenticate with standard authentication options.
  5. Select Kerberos & NTLM and Show captive portal link in CONFIGURE > Authentication > Web Authentication > Authorize unauthenticated users for web access.
  6. Do the following in CONFIGURE > Authentication > STAS:

    1. Turn on Enable Sophos Transparent Authentication Suite.
    2. Select Yes for Restrict client traffic during identity probe.
    3. Click Add new collector.


In Windows only environment, clientless SSO can be configured to authenticate with Sophos Firewall based on security logon events at the Domain Controllers.