Enable browser-based user authentication on the Firewall

Browser-based user authentication is configured in the properties of the Firewall.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click a Firewall or Virtual Firewall, then select Edit <element type>.
  2. In the navigation pane on the left, browse to Add-Ons > User Authentication.
  3. Select HTTPS to allow authentication using encrypted HTTPS connections and HTTP to allow authentication using plain HTTP connections.
    CAUTION:
    Plain HTTP connections are unsecured and transfer the user name and password in cleartext. Use encrypted HTTPS connections to avoid loss of sensitive information.
  4. (Optional) Change the port settings if you want to use a different port for the authentication interface.
    You must use the same port settings when you define the IPv4 Access rules that allow the authentication connections.
  5. (Optional) Select Always Use HTTPS if the engine also listens on other ports and you want to redirect the connections to the HTTPS port and enforce the use of HTTPS.
    Example: The engine listens on port 80, but you want to redirect connections to port 443.
  6. (Recommended) To prevent unauthorized access to resources, select the interfaces through which users can authenticate to the Firewall or Virtual Firewall in the Listen on Interfaces section. Only interfaces that have IPv4 addresses are supported.
  7. From the User Authentication Page drop-down list, select a User Authentication Page element.
    The User Authentication Page element defines the look of the logon page, challenge page, and status page shown to end users when they authenticate.

    If the User Authentication Page element you want to select is not listed, select Select, or select New to create a User Authentication Page.

  8. (Optional) Select Enable Session Handling to enable cookie-based strict session handling.
    If the option is selected, the end user must keep the status page open. If the status page is closed or cannot be refreshed, the connection is terminated.
  9. (Optional) Select Refresh Status Page Every and define how often the status page is automatically refreshed.
    • The option is automatically selected when you select Enable Session Handling.
    • If the option is selected, the end user must keep the status page open. If the status page is closed or cannot be refreshed, the connection is terminated.
  10. (Optional) In the navigation pane on the left, browse to Advanced Settings > Authentication, then configure advanced settings for browser-based user authentication.

Engine Editor – Add-Ons – User Authentication

Use this branch to enable user authentication on the engine. You can configure authentication using HTTP connections or encrypted HTTPS connections.

Option Definition
HTTP When selected, allows authentication using plain HTTP connections.

Change the Port settings if you want to use a different port for the authentication interface. The default port is 80.
HTTPS

(Required for client certificate authentication)

 When selected, allows authentication using encrypted HTTPS connections.

Change the Port settings if you want to use a different port for the authentication interface. The default port is 443.
HTTPS Settings Opens the Browser-Based User Authentication HTTPS Configuration dialog box.
TLS Profile

(Required for client certificate authentication)

 The TLS Profile element that defines TLS settings for HTTPS connections for authentication, and the trusted certificate authority for client certificate authentication.

Click Select to select a TLS Profile element.
Use Client Certificates for Authentication When selected, the NGFW Engine allows users to authenticate using X.509 certificates. Client certificate authentication is supported for browser-based user authentication.
Always Use HTTPS When selected, redirects connections to the HTTPS port and enforces the use of HTTPS if the engine also listens on other ports.
Authentication Time-Out Defines the length of time after which authentication expires and users must reauthenticate.
Listen on Interfaces Restricts the interfaces that users can authenticate through.
  • All — Users can authenticate through all interfaces.
  • Selected — Users can only authenticate through the selected interfaces.
User Authentication Page Select the User Authentication Page element that defines the look of the logon page, challenge page, and status page shown to end users when they authenticate.
Enable Session Handling

(Optional)

 When selected, enables cookie-based strict session handling.
Note: When Enable Session Handling is selected, the Authentication Idle Time-Out option is not available. The Refresh Status Page Every option defines the authentication timeout.
Authentication Idle Time-Out Defines an idle timeout for user authentication.

If there have been no new connections within the specified time limit after the closing of a user's previous connection, the user is removed from the list of authenticated users.
Refresh Status Page Every

(Optional)

 Defines how often the status page is automatically refreshed.

When Enable Session Handling is selected, defines the authentication timeout.

Engine Editor – Advanced Settings – Authentication

Use this branch to configure advanced settings for user authentication.

Option Definition
Default User Domain The default LDAP domain from which the NGFW Engine looks up users.
Note: This setting applies to all user authentication, including browser-based user authentication, VPN clients, and the SSL VPN Portal.
Allow user lookup from known User Domain matching to client certificate email domain or UPN suffix When selected, the NGFW Engine looks up the user from the domain specified in the email address or user principal name before looking up the user in the default domain.
Note: This option is ignored when the value of the Client Certificate Identity Field for TLS option is Distinguished Name.
Client Certificate Identity Field for TLS The attribute that is used to look up the user entry from the user domain when using TLS. The NGFW Engine only uses values from the Active Directory or LDAP server that is associated with the global default LDAP domain or the engine-specific default user domain.
  • User Principal Name — The User Principal Name attribute on the Attributes tab of the Active Directory Server or LDAP Server element is used.
  • Email — The E-mail attribute on the Attributes tab of the Active Directory Server or LDAP Server element is used.
  • Distinguished Name — The specified value in the distinguished name is used.
    Note: If you select Distinguished Name, you must specify the identity search value on the Client Certificate tab of the Active Directory Server or the LDAP Server Properties dialog box.