Managing Online Users

This section describes how to view online users, forcibly log out a specified user or all users, and lock out or unlock online users.

The online user list is a list of online Internet access users. When the access type in the authentication domain is only VPN access, VPN users are not in the list. When the access type in the authentication domain is VPN access and online behavior management, VPN users are in the list. In such cases, you can control per-VPN user's access permission. The SSL VPN access users include only those using the network extension service.

Configuring Online User Information Synchronization

Select Online User Synchronize Information and configure online user information synchronization.For details about this function, see online user information synchronization in User Organizational Structure.

Parameter	Description
Local ID	Enter the local ID used for the online users information synchronization function. The local ID uniquely identifies a FW from which online user entries are synchronized. You must plan the local ID of each FW in advance and do not change the IDs unless necessary. Otherwise, online user entries may be asynchronous.
Listening Port	Enter the service port used for the online users information synchronization function. The default port number is 8886.
Shared Key	Enter the shared key for encrypted transmission of online users synchronization and query messages. The shared key must be the same on the two communication parties. By default, no shared key is set. online users synchronization and query messages are transmitted in plain text. For security, you are advised to set a shared key for encrypted transmission. The encryption algorithm is AES128 for the configured shared key.
Synchronize Information to	Enter the IP address and port number of the device that receives synchronization messages. The port number must be the same as Listening Port on the peer. When a user with built-in Portal authentication and AD/Agile Controller/RADIUS SSO goes online or offline on the FW, the FW sends the information to the devices in the notification list, so that the user goes online and offline on other FWs at the same time. As online user entries are frequently matched on the query server, the server performance may deteriorate. Therefore, you are not advised to configure the query server to send synchronization messages to other devices. NOTE: If the administrator logs out all online users by setting Disconnect All on the FW, the FW will send all users logout information to the devices included in the list. If the administrator logs out some online users by setting Disconnect on the FW, the FW will not send user logout information to the devices included in the list.
Query User Information from	Enter the IP address and port number of the query server. The port number must be the same as Listening Port on the peer. If traffic passing the FW does not match any online user entries, the FW can initiate a query to the query server. If the query server has a matching entry, it will deliver the entry to the FW. You do not need to set this parameter for the device serving as the query server.

Viewing Online Users

To view information about online users, perform the following operations:

Choose Object > User > Online User.

In Online User List, view information about online users.

Parameter	Description
User Name (Display Name)	User name (also display name, if any) of an online user For example, if the value is t0001 (tom), t0001 indicates the user name, and tom indicates the display name.
Group	User group and security group to which an online user belongs
IP Address	IP address used by an online user for login
Authentication Mode	Mode of authentication for an online user Authentication Exemption (bidirectional IP/MAC+user binding) Local Authentication AD Server Authentication LDAP Server Authentication HWTACACS Server Authentication RADIUS Server Authentication SSO Authentication Anonymous Authentication
Access Mode	Access mode of an online user. Possible values are as follows: LOCAL(Internet user access) PPP SSL VPN IPSec VPN wired-portal wireless-portal wired-802.1x wireless-802.1x
Device	Type of devices that a Agile Controller SSO user accesses, such as Windows_7 or Huawei-Android. If the access device type of a user is unavailable or a user uses other authentication modes, the field value is unknown.
Login Time/Lockout Time	Login time or lockout time of an online user. The lockout time is displayed in red characters.
Time Online/Time Remaining	Online duration or remaining lockout duration of an online user. The remaining lockout duration is displayed in red characters.
Upstream Rate	Uplink rate of an online user.
Downstream Rate	Downlink rate of an online user.
Traffic(KB)	Traffic volume of an online user. You can click the title of this column to view user rankings by traffic volume in ascending or descending order.

Forcibly Logging Out an Online User

To forcibly log out specified users, perform the following operations:

Choose Object > User > Online User.
In Online User List, select the online users to be forcibly logged out and click Disconnect.

Users who are logged out are no longer displayed in Online User List.

After an online user is forcibly logged out, the online user must initiate an authentication request again before being able to access network resources.

If an online user has multiple IP addresses and you have forcibly logged out the online user at an IP address, the online user can still log in to the system using another IP address.

Forcibly Logging Out All Online Users

To forcibly log out all online users, perform the following operations:

Choose Object > User > Online User.
In Online User List, click Disconnect All.

If this operation succeeds, no user is displayed in Online User List.

Locking Out Online Users

You can lock out an online user for a specified period of time to temporarily cancel the network access permission of the online user.

Choose Object > User > Online User.
In Online User List, select the online user to be locked out and click Lock.
Enter a lockout duration and click OK.

For users who are locked out, the times when they logged in and were locked out are displayed in red characters in Login Time/Lockout Time.

After an online user is locked, the user cannot access network resources. Neither can the user log out itself or initiate another authentication request. After the lockout duration expires or the administrator unlocks the user, if the timeout period has not expired, the online user can once again access network resources. If the timeout period has expired, the online user needs to be authenticated again before being able to access network resources.

Unlocking an Online User

To allow an online user that is locked out to access network resources again, unlock the online user.

Choose Object > User > Online User.
In Online User List, select the online user to be unlocked and click Unlock.

For users who are unlocked, the time when they were locked out or unlocked is no longer displayed in red characters in Login Time/Lockout Time.

After the lockout duration expires or the administrator unlocks the online user, if the timeout period has not expired, the online user can once again access network resources. If the timeout period has expired, the online user needs to be authenticated again before being able to access network resources.