
Services

Select the authentication servers for the firewall and other services such as VPN. You can configure global authentication settings, and settings for Kerberos and NTLM, web client, and RADIUS single sign-on. Web policy actions let you specify where to direct unauthenticated users.

Firewall authentication methods

Authentication server to use for firewall connections.

Authentication server list: Configured authentication servers.

Selected authentication server: Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you've configured on the firewall. When more than one server is selected, the authentication request is forwarded in the order indicated.

Default group: Group to use for authenticating users not defined in the firewall. Users not included in a local group will be assigned to the default group.

VPN authentication methods

Authentication server to use for VPN connections.

Set authentication methods same as firewall: Make all the authentication servers configured for firewall traffic available for VPN traffic authentication.

Authentication server list: Configured authentication servers.

Selected authentication server: Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you've configured on the firewall. When more than one server is selected, the authentication request is forwarded in the order indicated. If you select a RADIUS server, PPTP and L2TP connections established using MSCHAPv2 or CHAP can be authenticated through RADIUS.

Administrator authentication methods

Server to use for authenticating administrator users.

Note

Administrator authentication settings don't apply to the super administrator.

Set authentication methods same as firewall: Make all the authentication servers configured for firewall traffic available for administrator authentication.

Authentication server list: Configured authentication servers.

Selected authentication server: Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you've configured on the firewall. When more than one server is selected, the authentication request is forwarded in the order indicated.

SSL VPN authentication methods

Authentication server to use for SSL VPN connections.

Same as VPN: Use the same authentication method configured for VPN traffic.

Same as firewall: Use the same authentication method configured for firewall traffic.

Authentication server list: Configured authentication servers.

Selected authentication server: Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you've configured on the firewall. When more than one server is selected, the authentication request is forwarded in the order indicated.

Global settings

Maximum session timeout: Maximum session length for users who have successfully logged in to any service. Once the time has been exceeded, the user will be logged out.

The firewall checks authorization every three minutes. A session can be cut short by access policies, the surfing quota, or the data transfer limit, as well as by the maximum session length.

Simultaneous logins: Maximum number of concurrent sessions allowed to users.

Note

This restriction applies only to users added after you set this value.

NTLM settings

Settings for Windows Challenge/Response to be used for Active Directory authentication.

Inactivity time: Inactive or idle time after which the user will be logged out.

Data transfer threshold: Minimum amount of data to be transferred within the inactivity time. If the minimum data isn't transferred within the specified time, the user will be marked as inactive.

HTTP challenge redirect on intranet zone: When a site hosted on the internet initiates the NTLM web proxy challenge for authentication, redirect the NTLM authentication challenge to the Intranet zone. The client is transparently authenticated through the device’s local interface IP address and credentials are exchanged only in the Intranet zone. User credentials remain protected. If this setting is turned off, the client is transparently authenticated by the browser through the device by sending user credentials through the internet.

Web client settings

Settings for iOS, Android, and API.

Inactivity time: Inactive or idle time after which the user will be logged out.

Data transfer threshold: Minimum amount of data to be transferred within the inactivity time. If the minimum data isn't transferred within the specified time, the user will be marked as inactive.

SSO using RADIUS accounting request

Settings for RADIUS single sign-on. The firewall can transparently authenticate users who have already authenticated on a RADIUS server.

RADIUS client IPv4: IPv4 address of the RADIUS client. Only requests from the specified IP address will be considered for SSO.

Shared secret: Text string that serves as the password between the client and the server.
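As an added example (not from this documentation or the vendor's code), this is the check a RADIUS SSO receiver performs on an incoming Accounting-Request: drop packets that do not come from the configured RADIUS client IPv4, verify the Request Authenticator using the shared secret, then map User-Name and Framed-IP-Address to a login or logout event. The client address, secret and packet contents are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct
# Values as configured on the firewall's RADIUS SSO page (constructed samples, not real)
RADIUS_CLIENT_IPV4 = "192.0.2.10"
SHARED_SECRET = b"example-shared-secret"

ACCT_REQUEST = 4                              # RADIUS code: Accounting-Request (RFC 2866)
USER_NAME, FRAMED_IP, ACCT_STATUS = 1, 8, 40  # attribute types used for the SSO mapping
ACCT_START, ACCT_STOP = 1, 2                  # Acct-Status-Type values

def build_acct_request(ident, attrs, secret):
    """Accounting-Request with Request Authenticator =
    MD5(code + id + length + 16 zero bytes + attributes + secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_attrs(body):
    """Decode TLV attributes; reject truncated or zero-length entries."""
    attrs = {}
    while body:
        t, l = body[0], (body[1] if len(body) > 1 else 0)
        if l < 2 or l > len(body):
            raise ValueError("malformed attribute")
        attrs[t], body = body[2:l], body[l:]
    return attrs

def sso_event(src_ip, packet, secret=SHARED_SECRET, client_ip=RADIUS_CLIENT_IPV4):
    """Return ('login'|'logout', user, ip), or None if the packet must be ignored."""
    # Only requests from the configured RADIUS client IPv4 are considered for SSO.
    if ipaddress.ip_address(src_ip) != ipaddress.ip_address(client_ip):
        return None
    if len(packet) < 20 or packet[0] != ACCT_REQUEST or packet[2:4] != struct.pack("!H", len(packet)):
        return None
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    # The shared secret authenticates the client: a wrong secret or an altered body fails here.
    if not hmac.compare_digest(auth, hashlib.md5(header + bytes(16) + body + secret).digest()):
        return None
    try:
        attrs = parse_attrs(body)
        user = attrs.get(USER_NAME, b"").decode()
        ip = str(ipaddress.IPv4Address(attrs[FRAMED_IP]))
        status = struct.unpack("!I", attrs[ACCT_STATUS])[0]
    except (KeyError, ValueError, struct.error):
        return None
    if not user or status not in (ACCT_START, ACCT_STOP):
        return None
    return ("login" if status == ACCT_START else "logout", user, ip)
```

Accounting-Stop packets produce a logout so that a user's session ends when the RADIUS server reports the disconnect.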

Chromebook SSO

Settings for Chromebook single sign-on. The firewall can transparently authenticate users who have already authenticated on a Chromebook. To set up Chromebook SSO authentication, follow the instructions in Configure Chromebook single sign-on.

Domain: The domain name as registered with G Suite.

Port: The port number Chromebooks connect to from the LAN or Wi-Fi.

Certificate: The certificate used for communication with the Chromebooks. It must meet the following requirements:

  • It must have a private key.
  • It must have an associated CA installed.
  • The certificate's common name (CN) must match the Chromebook users' zone or network, for example gateway.example.com.

Logging level: Select the amount of logging.
