Setting Global Parameters

This section describes how to set global parameters.

Procedure

  • Configure a password policy.
    1. Access the password policy view.

      password-policy

    2. Configure a password policy.

      Function: Configure a password level.

      The default user password level is high.

      The configured password level takes effect in the following cases:

      • The administrator sets a password for a local user.
      • Local users change their passwords on authentication web pages.
      • The administrator sets passwords for users when importing user information from a CSV file.

      Command: level { high | middle | low }

      Function: Prompt users to change their passwords upon the first login.

      By default, changing the password is not required upon the first login.

      This configuration applies only to local authentication.

      Command: firstmodify enable

      Function: Configure the validity period and expiration notification time of the password.

      When a user logs in within the expiration notification time, the system redirects the user to the password expiration notification page to change the password.

      By default, user passwords are always valid, and the system does not notify users of password expiration in advance.

      Command: lefttime life-time alarmtime alarm-time

  • Optional: Enable the Apple CNA Bypass function.

    user-manage captive-bypass enable

    By default, the Apple CNA Bypass function is disabled.

    The iOS and OS X systems provide the Captive Network Assistant (CNA) function. After Wi-Fi is enabled, an Apple device (such as an iPhone, iPad, iPod, or iMac) automatically connects to a specified Apple website to check whether the Internet connection is working. If the check fails (the Apple device does not receive the expected response), the Apple device automatically tears down the Wi-Fi connection.

    In the portal authentication scenario, to prevent Apple devices from tearing down Wi-Fi connections before passing the portal authentication, you must run the user-manage captive-bypass enable command to enable the Apple CNA Bypass function. After the function is enabled, the FW automatically responds to the packets sent from the iOS or OS X system for checking network connectivity, preventing Wi-Fi disconnections.

    The Apple CNA Bypass function applies only to the portal authentication scenario.

  • Optional: Enable the function of parsing the X-Forwarded-For fields in HTTP packets.

    user-manage xff-parse proxy-ip ip-address

    When a user sends a packet to access the Internet through an HTTP proxy server, the source IP address of the packet becomes the IP address of the HTTP proxy server. As a result, the FW cannot implement user-based security control. To solve the problem, enable the function of parsing the X-Forwarded-For field. Then the FW can parse the X-Forwarded-For field in the HTTP packet header to obtain the IP address of the user and implement user-based security control.

    To implement user-based security control through the X-Forwarded-For parsing function, ensure that the user is already online on the FW, so that the FW can find the user name corresponding to the real IP address of the user and then search for the matching policy of that user. If the user is not online, the FW blocks the packet. The X-Forwarded-For parsing function is therefore used together with SSO: by the time the HTTP traffic of a user reaches the FW, the FW has already obtained the identity of the user.

    The FW parses the HTTP packets (port 80) sent from a proxy server with the specified IP address. For other packets or packets without the X-Forwarded-For field, the FW cannot obtain the real IP addresses of users. In this case, the FW considers the source IP address of a received packet to be the IP address of the proxy server and matches the packet with policies.

    When the FW identifies the user identity after receiving a packet, the FW only adds the user name as the user identity. The source IP address of the packet is still the IP address of the proxy server. Therefore, configure the security policy that references users and then the security policy that references the proxy server IP address. Otherwise, traffic matches the security policy that references the proxy server IP address but not the security policy that references users.

    The FW can parse the X-Forwarded-For field only when a single (level-1) proxy server is deployed. If proxy servers of multiple levels are deployed, the FW cannot obtain the real IP addresses of users.
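    A model of the decision logic described above, added here as an example (not Huawei code): it applies the port-80, single-proxy and online-user rules to a parsed X-Forwarded-For header and shows why a policy referencing the proxy IP address must be placed after the user-based policy. The proxy address, online-user table and policy names are constructed values.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed sample state (not from the page): the proxy configured with
# "user-manage xff-parse proxy-ip ..." and the online-user table learned via SSO.
PROXY_IP = "10.0.0.5"
ONLINE_USERS = {"192.168.1.20": "alice"}   # real client IP -> user name


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    xff: Optional[str]   # raw X-Forwarded-For header value, None if absent


def resolve_user(pkt: Packet, proxy_ip=PROXY_IP, online=ONLINE_USERS):
    """Return (user_name, action) as the text describes.

    Only HTTP (port 80) packets from the configured proxy are parsed. A header
    with several addresses comes from multi-level proxies and cannot be
    resolved, so such packets fall back to matching by the proxy's source IP.
    """
    if pkt.src_ip != proxy_ip or pkt.dst_port != 80 or not pkt.xff:
        return None, "match-by-ip"
    hops = [h.strip() for h in pkt.xff.split(",") if h.strip()]
    if len(hops) != 1:
        return None, "match-by-ip"          # only a level-1 proxy is supported
    try:
        real_ip = str(ipaddress.ip_address(hops[0]))
    except ValueError:
        return None, "match-by-ip"          # malformed header: treat as absent
    user = online.get(real_ip)
    if user is None:
        return None, "block"                # user not online on the FW
    return user, "match-by-user"


def first_matching_policy(policies, pkt: Packet, user: Optional[str]):
    """Top-down policy lookup. The packet keeps the proxy's source IP even when a
    user name was attached, so an IP-based rule listed first shadows a user rule."""
    for name, cond in policies:
        if "user" in cond and cond["user"] != user:
            continue
        if "src_ip" in cond and cond["src_ip"] != pkt.src_ip:
            continue
        return name
    return None
```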

  • In the system view, configure the online timeout period.

    user-manage online-user aging-time aging-time

    The default timeout period of online users is 30 minutes.

    You are advised to set the timeout period for SSO users to be long enough to prevent the FW from logging out users unexpectedly.

  • In the system view, configure the maximum number of failed login attempts and lockout duration.

    user-manage local-authentication { authentication-failed-times authentication-failed-times | locked-time locked-time } *

    By default, the threshold for consecutive authentication failures is 3, and the lockout duration is 5 minutes.

    The configuration takes effect only for the users on whom local authentication is implemented.

  • Optional: In the system view, configure the function of checking the MAC addresses of online users.

    user-manage online-user mac-address check enable

    By default, the function is disabled.

    After the function is enabled, the FW records the MAC addresses of users when they go online. When an online user initiates another network access request, the FW checks whether the MAC address in the request has changed. If it has, the user is logged out and can access the desired network resources only after being reauthenticated.

    The function takes effect only when the network between user devices and the FW is a Layer-2 network.

  • Enable the privacy policy statement function and load the privacy policy statement file.

    privacy-statement enable

    privacy-statement-file

    By default, the privacy policy statement function is disabled.

    After the privacy policy statement function is enabled, the built-in portal authentication page and SSL VPN virtual gateway login page require users to read and agree to the privacy policy before they log in.

Copyright © Huawei Technologies Co., Ltd.