Click the User Management > Users link to create and manage the different users who are allowed to access the Firewall Analyzer server.
The different types of users and their respective privileges are described in the table below:
User | Description |
---|---|
Administrator | This user can do all operations including configuring Syslog servers, setting up file archiving, adding additional users, and more |
Operator | This user can do all operations except configuring the Intranet settings, and user management |
By default, an Administrator user with username as admin and password as admin.
Note: We highly recommend that you change the password upon logging in for the first time.
If you have logged in as an Administrator user, the User Management page lists all the users created so far.
If you have logged in as an Administrator user, click the User Audit View link against a user to view the corresponding user audits. The User Audit page shows the remote host IP address from which the user logged on, the timestamp of the login, and the duration of the session.
The description the user details available in the user list table are explained below:
Select all users check box if you want to delete all the users and individual user(s) check boxes to delete the selected users. There is a check box against each user below the all user check box. Click Delete button to delete all the or selected user(s) from the list of users accessing Firewall Analyzer.
Note to reset password:
If you have logged in as an Administrator user, the User Management page lists all the users created so far.
OR
If you have logged in as an Operator or Guest user, click on the Account Settings link to change your password and default e-mail address.
Once you are done, click OK to save the new changes. Click Cancel to cancel editing the user operation.
How to reset Firewall Analyzer user password?
Types of User Privileges in Firewall Analyzer
Comparison of Feature Access to the Users
Sl No
|
Feature Name
|
||
1 |
User Management Create/Modify/Delete users |
Yes | No |
2 |
Predefined Reports and ReportProfiles | The user can view all predefined reports of all the firewalls. The user can perform Add/Edit/Delete operation of Report profiles created by all users. |
The user can view all predefined reports of Firewalls assigned to him. The user can perform Add/Edit/Delete operation of Report profiles created by himself. |
3 |
Alert Profiles and Alert Administration | The user can perform Add/Edit/Delete operation of Alert profiles created by all users. Administration of Alerts created by All Alert Profiles |
The user can perform Add/Edit/Delete operation of Alert profiles created by himself. Administration of Alerts created by his own Alert Profiles |
4 |
Edit/Delete Device | All Firewalls | Only for Firewalls assigned to him. |
5 |
Dashboard View Customization | For all Firewalls | Only for Firewalls assigned to him. |
6 |
Advanced Search | Yes | Yes |
7 |
Intranet Settings Configuring Firewall based LAN settings |
Yes | No |
8 |
Bookmark | The user can view only his bookmarks. | The user can view only his bookmarks. |
9 |
Configuration Settings listed in the Settings tab.
|
Yes |
Yes |
10 |
Configuration views present in the Settings Tab.
|
Yes |
Yes |
11 |
User Assistance
|
Yes |
No |
There are three types of User Roles in Firewall Analyzer:
Administrator Users have unrestricted access to perform read/ write operations in Firewall Analyzer. They add/remove devices, troubleshoot issues, change configurations and more without any limitations i.e they have complete access.
Operator Users have read-only/ restricted access in Firewall Analyzer. They can be granted further access by the Administrator User.
The level of access for users across different modules in Firewall Analyzer can be customized individually through Custom User Roles. The different levels of access that can be provided in Firewall Analyzer for users through custom roles include: Read/Write, Read and No Access.
Firewall Analyzer provides one more external authentication apart from the local authentication. It is Remote Authentication Dial-in User Service (RADIUS) authentication. If you add a RADIUS server details, you will find the Log on to field below the Password field in the Firewall Analyzer Client UI Login screen. The Log on to field will list the following options:
Enter the User Name and Password. Select one of the two options in Log on to (Local Authentication or Radius Authentication). Click Login button to log in to Firewall Analyzer Client UI.
You can also leverage the RADIUS authentication for user access bypassing the local authentication provided by Firewall Analyzer. In the RADIUS server authentication the users credentials are sent to the RADIUS server. The server checks for the user credentials and sends the authentication successful message to Firewall Analyzer server.
Note: |
If the user has only RADIUS server authentication, create the user in Firewall Analyzer with dummy password. On user logging in with RADIUS server authentication, the dummy password in the local server is ignored and the user credentials are sent to RADIUS server for authentication. Refer the procedure given in the Adding Users document to add a new user with dummy password. |
You can make Firewall Analyzer work with RADIUS server in your environment. This section explains the configurations involved in integrating RADIUS server with Firewall Analyzer.
Procedure to configure RADIUS server settings
To configure RADIUS server in Firewall Analyzer, provide the following basic details about RADIUS server and credentials to establish connection:
Click the RADIUS Server Settings link under the Settings > User Management tab to configure the RADIUS server configuration. On clicking the RADIUS Server Settings tab, the configuration fields are displayed. In that page, you will find the following fields:
RADIUS Server Settings |
Description |
Server IP |
The IP Address of the machine in which the RADIUS server is running. Enter the IP address of the host where RADIUS server is running |
Authentication Port | The port used by the RADIUS server for authenticating users. Enter the port used for RADIUS server authentication. By default, RADIUS has been assigned the UDP port 1812 for RADIUS Authentication. |
Server Secret | The secret string used for connecting RADIUS client (Firewall Analyzer) with the server. Enter the RADIUS secret used by the server for authentication |
Protocol |
The protocol used by the RADIUS server for authenticating users. Select the protocol that is used to authenticate users. Choose from four protocols:
|
Authentication Retries | The number of retries the RADIUS server to permit for authenticating users. Select the number of times you wish to retry authentication in the event of an authentication failure |
Procedure to configure AD settings
To add a domain:
A new domain has been successfully added.
Pass-through authentication (Single Sign-on) provides the ability to authenticate yourself automatically in Firewall Analyzer using your currently logged in windows system username and password. You would not need to manually enter your windows credential to log-in to Firewall Analyzer web client.
Active directory authentication must have been configured in Firewall Analyzer for the domain you want enable Pass-through Authentication. Click here to know how to add a domain under Active Directory authentication in Firewall Analyzer.
User accounts to whom you want to enable pass-through must have been already available in Firewall Analyzer. Click here to know how you can add new users.
Note: Pass-through authentication will work only for the active directory users already been added to Firewall Analyzer. If you do not want to manually create user account for all the users in your domain, enable auto-login for the domain (Admin → User Manager → Windows Domains). Once auto-login is enabled, you have to manually enter username and password of your account only during the first login and an user account in Firewall Analyzer will be created automatically. From there on, you can simply work without manually entering.
A computer account must be created in the Domain Controller for accessing the NETLOGON service in a domain by Firewall Analyzer. Click here to know how you can create a new computer account.
Note: After version 124085, new computer accounts can be created from the Passthrough configuration window itself, if the Firewall Analyzer service is running under a user who has administrative privileges. Also, if the Firewall Analyzer server has been started from Command Prompt, make sure it is being run as a administrator.
Firewall Analyzer webserver must be added as a trusted site in all browsers you are going to use to access the Firewall Analyzer webclient, to prevent the browsers from opening unnecessary popups for providing your credentials.
After all the prerequisites have been ensured, follow the steps below to auto-configure Passthrough Authentication in Firewall Analyzer:
Note: If there are any issues in fetching the necessary details, or if you're in a version of Firewall Analyzer earlier than 124085, you will have to configure these settings manually.
To manually configure Passthrough authentication, you'll need the following details:
In the Domain Controller device, open Start → Administrative Tools → Active Directory Users and Computers.
Open Command Prompt in Firewall Analyzer server. Run the command "ipconfig /all". The first IP Address mentioned in the DNS Servers field is the primary DNS Server IP Address.
In Domain Controller device, open Start → Administrative Tools → Active Directory Sites and Services. The Site under which your Domain Controller device name listed is your site name. You can leave the DNS Site field empty in Pass-through configuration form in Firewall Analyzer, if there is only one site present in your Domain Controller.
To create a new computer account, follow the steps below:
cscript NewComputerAccount.vbs account_name /p password /d domain_name
cscript SetComputerPass.vbs account_name /p password /d domain_name
Note: The length of the computer account name must be less than or equal to 15 characters.
Design Limitation:
Pass-through authentication can be enabled for only one domain, preferably the domain in which Firewall Analyzer server resides. If pass-through has been configured for a domain other than the one in which Firewall Analyzer server resides, ensure the other domain will provide logged in user information to a website from different domain.
Disable Pass-through Authentication:
In Firewall Analyzer web client, click on Settings → Basic Settings → User Management → Pass-through. Use the radio buttons to Enable/ Disable Passthrough Authentication.
Log File:
If you face any issue with Pass-through Authentication, contact support with a ZIP file of the logs present under Firewall Analyzer_Home\logs folder.
A password policy is a set of rules designed to enhance security by encouraging users to employ strong passwords. Another possible defense against password-guessing attacks is enabling an account-lockout, which means the account will be locked after a specified number of invalid or failed login attempts.
To configure a password policy in Firewall Analyzer, go to Settings > Basic Settings > User Management > Password Policy.
Minimum password length: Specify the minimum number of characters required in a password. It should be within 5-25 characters.
Enforce password history: Number of unique passwords that must be associated with a user account before re-using an old password.
Password complexity: Level of complexity to be associated with a password.
Simple
1. Minimum characters as specified above
2. Maximum 25 characters
Complex
1. Minimum characters as specified above
2. Maximum 25 characters
3. Minimum 1 uppercase, 1 lowercase and 1 special character (! ~ @ # $ % ^ & + = _ *).
Password should not be same as username: Enable this to option to prevent duplication of a username in the password.
User Account Lockout Policy: The User Account Lockout setting allows the administrator to lockout accounts after a specified number of invalid login attempts. A locked out account cannot be used until reset by an administrator or until the account lockout duration has expired. For instance, if invalid credentials have been provided for over 5 times, the account will be locked out for 2 mins. This lockout interval and the number of bad login attempts can be configured.
Maximum invalid login attempts: Specify the maximum invalid login attempts before an account gets locked out.
Lockout period: Specify the lockout duration in minutes.