This section describes how to set global parameters.
| Parameter | Description |
|---|---|
| Password Strength | The configured password level takes effect in the following cases: |
| Force Password Change upon First Login | If you select this check box, users are prompted to change their passwords upon first login; if you do not select it, they are not prompted. This configuration applies only to local authentication. |
| Password Expiration | |
| Online User Timeout Period | Enter a timeout period for online users. After a user is authenticated, an entry for the user is created in the online user monitoring table. If the user generates no service traffic within the timeout period, the entry is removed and the user must authenticate again before accessing services. Because the storage space of the online user monitoring table is limited, set the timeout period appropriately: if it is too long, the table may fill up and new users cannot log in; if it is too short, users have to log in frequently. A changed timeout period does not apply to users who are already online. You are advised to set a long enough timeout period for SSO users to prevent the FW from logging them out unexpectedly. |
| Lockout After Failed Login | If you select this parameter, you can set Maximum Failed Login Attempts and Lockout Duration. If you do not select it, the lockout after failed login function is disabled. |
| Maximum Failed Login Attempts | Set the threshold for consecutive failed authentication attempts. When the number of consecutive failures reaches the threshold, the user is locked out. Failures are counted per user, not per source IP address: if the threshold is three and the same user fails authentication once from each of three hosts with different IP addresses, the user is locked out. Note that this also means failed attempts from any address count against the account, so anyone who knows a local user name can trigger its lockout; choose the threshold and Lockout Duration with this in mind. This parameter applies only to local authentication. |
| Lockout Duration | Enter the duration for which users remain locked out. The duration is measured as elapsed time and is not affected by changes to the system time or by Daylight Saving Time (DST). Locked-out users cannot be authenticated until the lockout duration expires. This parameter applies only to local authentication. |
| Apple CNA Bypass | This function applies only to the portal authentication scenario. iOS and OS X provide the Captive Network Assistant (CNA): after Wi-Fi is enabled, an Apple device (iPhone, iPad, iPod or iMac) automatically connects to a specified Apple website to check whether Internet access works. If the check fails (the device does not receive the expected response), the device automatically tears down the Wi-Fi connection. In the portal authentication scenario, enable Apple CNA Bypass so that Apple devices do not drop the Wi-Fi connection before passing portal authentication. Once the function is enabled, the FW itself answers the connectivity check packets sent by iOS and OS X, preventing the disconnection. |
| XFF Proxy User Management and Control | Enables parsing of the X-Forwarded-For field in HTTP packets. When a user accesses the Internet through an HTTP proxy server, the source IP address of the packets that reach the FW is the proxy server's address, so the FW cannot apply user-based security control. With this function enabled, the FW reads the X-Forwarded-For field in the HTTP header to obtain the user's real IP address and applies user-based control. For this to work, the user must already be online on the FW, so that the FW can map the real IP address to a user name and look up that user's policy; if the user is not online, the FW blocks the packet. The function is therefore used together with SSO, which lets the FW learn the user's identity before the user's HTTP traffic arrives. |
| Proxy Server IP Address | Enter the IP address of the HTTP proxy server. The FW parses only HTTP packets (port 80) whose source IP address is the specified proxy server address; an X-Forwarded-For field in traffic from any other source is ignored rather than trusted. For other packets, and for packets without an X-Forwarded-For field, the FW cannot obtain the user's real IP address; it then treats the packet's source IP address (that of the proxy server) as the client address and matches policies on that basis. NOTE: When the FW identifies the user from a packet, it attaches only the user name as the identity; the packet's source IP address remains the proxy server's. Therefore, place the security policies that reference users before the security policy that references the proxy server IP address. Otherwise, the traffic matches the proxy-IP policy first and the user policies are never evaluated. The FW can parse only a single level of proxy. If multiple levels of proxy servers are deployed, the FW cannot obtain users' real IP addresses. |
| Online User MAC Address Detection | After you set this parameter, the FW records the MAC address of each user who goes online. When the user initiates another network access request, the FW checks whether the MAC address in the request has changed; if it has, the user is logged off and must be reauthenticated before accessing network resources again. The function takes effect only when the network between user devices and the FW is a Layer 2 network, since across a router the FW sees the router's MAC address rather than the user device's. |
| Privacy Policy Statement | After the privacy policy statement function is enabled and the privacy policy statement file is loaded, the built-in portal authentication login page and the SSL VPN virtual gateway login page require users to read and agree to the privacy policy before they can log in. |
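The per-user counting rule in Maximum Failed Login Attempts and the clock-independent Lockout Duration are easy to misread, so here is a small reference model of that behaviour. This is an added example, not Huawei code: the class and function names, the choice of seconds as the duration unit, and the sample user names and addresses are all assumptions made here to illustrate the table entries.

```python
"""Model of the per-user lockout behaviour described in the table above.

Added example, not Huawei's code. The class and function names are
assumptions; the lockout duration is taken in seconds. Failures are counted
per user name, never per source IP, and the lockout deadline is compared
against a monotonic clock supplied by the caller, which is what makes it
independent of wall-clock changes such as DST.
"""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failed_attempts: int = 3   # "Maximum Failed Login Attempts"
    lockout_duration_s: int = 300  # "Lockout Duration" (seconds, assumed unit)


@dataclass
class LocalAuthLockout:
    policy: LockoutPolicy
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> monotonic deadline

    def attempt(self, user, src_ip, credentials_ok, now):
        """Record one local-authentication attempt.

        `now` is a monotonic timestamp (e.g. time.monotonic()), not wall time.
        `src_ip` is accepted only to show that it plays no role in counting.
        Returns "locked", "ok" or "failed".
        """
        deadline = self.locked_until.get(user)
        if deadline is not None:
            if now < deadline:
                return "locked"          # still inside the lockout window
            del self.locked_until[user]  # window expired: start counting afresh
            self.failures[user] = 0
        if credentials_ok:
            self.failures[user] = 0      # success resets the consecutive counter
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.policy.max_failed_attempts:
            self.locked_until[user] = now + self.policy.lockout_duration_s
            self.failures[user] = 0
            return "locked"
        return "failed"


def demo():
    """Three failures for "alice" from three different hosts lock the account;
    a correct password during the window is still refused; another user is
    unaffected; "alice" works again once the window has elapsed."""
    auth = LocalAuthLockout(LockoutPolicy(max_failed_attempts=3, lockout_duration_s=300))
    results = []
    # Constructed attempts: (monotonic time, source IP)
    for t, ip in ((0, "10.0.0.1"), (1, "10.0.0.2"), (2, "10.0.0.3")):
        results.append(auth.attempt("alice", ip, credentials_ok=False, now=t))
    results.append(auth.attempt("alice", "10.0.0.9", credentials_ok=True, now=3))
    results.append(auth.attempt("bob", "10.0.0.1", credentials_ok=True, now=4))
    results.append(auth.attempt("alice", "10.0.0.9", credentials_ok=True, now=303))
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from the run is that the third failure locks "alice" even though each failure came from a different host, which is also why an unauthenticated party who knows a local user name can keep that account locked out by repeating failed attempts.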
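The XFF Proxy User Management and Control and Proxy Server IP Address entries describe several conditions at once: only port-80 traffic from the configured proxy is parsed, the client must already be online, only one proxy level is supported, and user policies must precede the proxy-IP policy. The following model, added here as an example and not taken from Huawei's implementation, walks through each of those cases. The packet and policy structures, the treatment of a multi-hop header as unresolvable, the implicit default deny, and the sample addresses are assumptions made for illustration.

```python
"""Model of X-Forwarded-For (XFF) based user identification and policy
ordering as described in the table above. Added example, not Huawei code;
the Packet/Policy/Firewall types and the sample data are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    xff: Optional[str] = None    # raw X-Forwarded-For header value, if present


@dataclass
class Policy:
    name: str
    action: str                   # "permit" or "deny"
    user: Optional[str] = None    # match on the identified user name
    src_ip: Optional[str] = None  # match on the packet's source IP address


@dataclass
class Firewall:
    proxy_ip: str         # "Proxy Server IP Address"
    online_users: dict    # real client IP -> user name, learned via SSO
    policies: list        # evaluated in order, first match wins

    def real_client_ip(self, pkt):
        """Return the client IP the FW is willing to trust, or None."""
        # Only port-80 traffic from the configured proxy is parsed; an XFF
        # header arriving from any other source is ignored, not trusted.
        if pkt.src_ip != self.proxy_ip or pkt.dst_port != 80 or not pkt.xff:
            return None
        hops = [h.strip() for h in pkt.xff.split(",") if h.strip()]
        # Only one proxy level is supported. A chained-proxy header is treated
        # as unresolvable here (assumption about how that limitation manifests).
        if len(hops) != 1:
            return None
        return hops[0]

    def process(self, pkt):
        """Return (identified_user, matched_policy_name, action)."""
        user = None
        client_ip = self.real_client_ip(pkt)
        if client_ip is not None:
            user = self.online_users.get(client_ip)
            if user is None:
                # XFF parsed but no online user for that IP: packet is blocked.
                return (None, None, "deny")
        # Identity is attached as a user name only; pkt.src_ip is still the
        # proxy's address, so a src_ip policy on the proxy can still match.
        for pol in self.policies:
            if pol.user is not None and pol.user == user:
                return (user, pol.name, pol.action)
            if pol.src_ip is not None and pol.src_ip == pkt.src_ip:
                return (user, pol.name, pol.action)
        return (user, None, "deny")   # implicit default deny (assumption)


def demo():
    """Constructed scenarios covering each rule in the table entries."""
    proxy = "198.51.100.5"
    online = {"192.0.2.10": "alice"}   # constructed SSO-learned entry
    user_first = [Policy("allow-alice", "permit", user="alice"),
                  Policy("deny-proxy", "deny", src_ip=proxy)]
    proxy_first = list(reversed(user_first))
    fw_good = Firewall(proxy, online, user_first)
    fw_bad = Firewall(proxy, online, proxy_first)
    via_proxy = Packet(proxy, 80, xff="192.0.2.10")
    return {
        "user_policy_first": fw_good.process(via_proxy),
        "proxy_policy_first": fw_bad.process(via_proxy),
        "offline_client": fw_good.process(Packet(proxy, 80, xff="192.0.2.99")),
        "forged_xff": fw_good.process(Packet("203.0.113.7", 80, xff="192.0.2.10")),
        "chained_proxies": fw_good.process(Packet(proxy, 80, xff="192.0.2.10, 10.1.1.1")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result}")
```

Two results deserve attention. In `proxy_policy_first` the user is correctly identified as "alice", yet the packet is denied, because the proxy-IP policy sits first and still matches on the unchanged source address; this is the ordering problem the NOTE warns about. In `forged_xff` a client outside the proxy sends its own X-Forwarded-For header naming alice's address, and it gains nothing, because only packets from the configured proxy address are parsed.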