Settings

The Settings tab in the User Manager controls how the firewall authenticates users for the GUI and SSH.

Session Timeout:

This field specifies how long a GUI login session will last when idle. This value is specified in minutes, and the default is four hours (240 minutes). A value of 0 may be entered to disable session expiration, making the login sessions valid forever. A shorter timeout is better, though it should be long enough that an active administrator would not be logged out unintentionally while making changes.

Warning

Allowing a session to stay valid when idle for long periods of time is insecure. If an administrator leaves a terminal unattended with a browser window open and logged in, someone or something else could take advantage of the open session.

Authentication Server:

This selector chooses the primary authentication source for users logging into the GUI. This can be a RADIUS or LDAP server, or the default Local Database.

Note

Authentication falls back to Local Database if the RADIUS or LDAP server is unreachable, returns an authentication failure, or otherwise results in an error, even if another method is chosen.

This ensures that an administrator can always access the device, even if the authentication server is broken.

Password Hash Algorithm:

Selects which algorithm the firewall will use when creating hashes for passwords in user manager accounts.

May be one of the following choices:

bcrypt - Blowfish-based crypt:

Secure password hashing with a crypt algorithm based on Blowfish. The most secure option currently available.

Note

This hashing algorithm is restricted to a maximum password length of 72 characters.

SHA-512 - SHA-512-based crypt:

Secure password hashing with a crypt algorithm based on SHA-512. Weaker than bcrypt but still has an acceptable level of security in many environments.

Some users may prefer SHA-512-based crypt hashes for compatibility or compliance purposes.

Shell Authentication:

When set, the selected Authentication Server will also be configured as the authentication source for SSH access to the firewall. By default, only accounts in the User Manager with shell privileges can login over SSH.

This works with both RADIUS and LDAP servers, with some caveats:

RADIUS Servers:

When used with a RADIUS server, accounts must exist on the firewall with the same names and the expected privileges. They will authenticate against RADIUS but use the local accounts settings otherwise.

LDAP Servers:

When used with an LDAP server, the Shell Authentication Group DN must be set on the LDAP Authentication Server entry. Users must be a member of that group and have valid posixAccount attributes in their LDAP account.

Auth Refresh Time:

Time in seconds for which the firewall cache authentication results. The default is 30 seconds, maximum 3600 (one hour). Shorter times result in more frequent queries to authentication servers.

The firewall periodically re-authenticates users against the remote server to ensure the account is still valid and has the expected privileges. Checking frequently is more secure, but puts a larger burden on the authentication server and can increase page load times on the firewall.

Remote Authentication Servers and Privileges

When using a RADIUS or LDAP server to authentication for the GUI, the users and/or group memberships must be defined in the firewall in order to properly allocate permissions, as there is no method to obtain permissions dynamically from an authentication server.

For group membership to work properly, the firewall must be able to recognize the groups as presented by the authentication server. This requires two things:

  • The local groups must exist with identical names (Manage Local Groups).

  • The firewall must be able to locate or receive a list of groups from the authentication server.

See Authentication Servers for details specific to each type of authentication server.