Defining user accounts

User Group and User elements define the user account information for end users.

You can use User Group and User elements in Firewall IPv4 and IPv6 Access rules to add a requirement for authentication. If you have enabled the Forcepoint User ID Service, the McAfee Logon Collector, or the Integrated User ID Service on the NGFW Engine, you can also use User Group and User elements as the source and destination of Access, Inspection, and NAT rules without user authentication. The Integrated User ID Service is primarily meant for demonstration purposes and proof-of-concept testing of user identification services.

Note: McAfee Logon Collector is only supported in Forcepoint NGFW version 5.8 or higher. For Forcepoint NGFW version 6.4 or higher, we recommend that you use the Forcepoint User ID Service.

Options for adding user accounts

If you are using the Management Server’s internal user database:

If you have existing user accounts stored in an internal user database on another Management Server, you can export or import the information between the databases.
Otherwise, you must create the User Groups and Users individually.

If you are using an external directory server:

If the LDAP database is integrated with the Management Server, you can view the user information in the Management Client. However, for the accounts to be valid in Access rules, you must configure at least one Authentication Method for the users. You can configure Authentication Methods as default settings for the LDAP Domain and for the User Groups and Users.
If the LDAP database is not integrated with the Management Server, the user accounts are not shown in the Management Client and are not available for configuration.