User/Group

See the User/Group section for related information on these screens.

User Account Overview

A user account defines the privileges of a user logged into the ZyWALL. User accounts are used in firewall rules and application patrol, in addition to controlling access to configuration and services in the ZyWALL.

User Types

These are the types of user accounts the ZyWALL uses.

Types of User Accounts

Type             Abilities                                   Login Method(s)

Admin Users
  Admin          Change ZyWALL configuration (web, CLI)      WWW, TELNET, SSH, FTP
  Limited-Admin  Look at ZyWALL configuration (web, CLI);    WWW, TELNET, SSH
                 perform basic diagnostics (CLI)

Access Users
  User           Access network services;                    WWW, TELNET, SSH
                 browse user-mode commands (CLI)
  Guest          Access network services                     WWW
  Ext-User       External user account                       WWW

Note: The default admin account is always authenticated locally, regardless of the authentication method setting.

Ext-User Accounts

Set up an Ext-User account if the user is authenticated by an external server and you want to set up specific policies for this user in the ZyWALL. If you do not want to set up policies for this user, you do not have to set up an Ext-User account.

Ext-User users should be authenticated by an external server, such as LDAP or RADIUS. If the ZyWALL tries to use the local database to authenticate an Ext-User, the authentication attempt always fails.

Once an Ext-User user has been authenticated, the ZyWALL tries to get the user type from the external server. If the external server does not have the information, the ZyWALL sets the user type for this session to User.

For the rest of the user attributes, such as reauthentication time, the ZyWALL checks the following places, in order.

Setting up User Attributes in an External Server

To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use the following keywords in the user configuration file.

LDAP/RADIUS: Keywords for User Attributes

Keyword      Corresponding Attribute in Web Configurator
type         User Type. Possible values: admin, limited-admin, user, guest.
leaseTime    Lease Time. Possible values: 1-1440 (minutes).
reauthTime   Reauthentication Time. Possible values: 1-1440 (minutes).

Creating a Large Number of Ext-User Accounts

If you plan to create a large number of Ext-User accounts, you can use CLI commands instead of the web configurator to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts.

User Groups

Use user groups when you want to create the same rule for several user accounts, instead of creating separate rules for each one. User groups may consist of user accounts or other user groups, but you cannot put access users and admin users in the same user group.

In addition, you cannot put the default admin account into any user group.

The sequence of members in a user group is not important.

Access Users and the ZyWALL

By default, access users do not have to log in to the ZyWALL to use the network services it provides. The ZyWALL automatically routes packets for everyone. In this case, the ZyWALL does not enforce any user-aware policies, but you can still set up policies based on IP address or other criteria.

If you want to enforce user-aware policies, access users must log in to the ZyWALL first. In this case, they should go to the appropriate IP address (or domain name, if you set up DNS) to log in to the ZyWALL. You can provide an incentive to do this by preventing access users from using network services until they log in.

Force User Authentication Policy

Instead of making users go to the Login screen manually, you can configure the ZyWALL to display the Login screen automatically whenever it routes HTTP traffic for anyone who has not logged in yet. Then, the ZyWALL can enforce user-aware policies.

Note: This works with HTTP traffic only. The ZyWALL does not force users to log in before it routes other kinds of traffic.

The ZyWALL does not automatically route the request that prompted the login, however, so users have to make this request again.

User Summary

The User screen provides a summary of all user accounts.

User/Group

#
    This field is a sequential value, and it is not associated with a specific user.
User Name
    This field displays the user name of each user.
Description
    This field displays the description for each user.
Add icon
    This column provides icons to add, edit, and remove users.
    To add a user, click the Add icon at the top of the column. The User Add/Edit screen appears.
    To edit a user, click the Edit icon next to the user. The User Add/Edit screen appears.
    To delete a user, click the Remove icon next to the user. The web configurator confirms that you want to delete the user before doing so.

User Add/Edit

The User Add/Edit screen allows you to create a new user account or edit an existing one.

User/Group > User > Edit

User Name
    Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User names have to be different from user group names, and some words are reserved.
User Type
    Select what type of user this is. Choices are:
      • Admin - this user can look at and change the configuration of the ZyWALL
      • Limited-Admin - this user can look at the configuration of the ZyWALL but cannot change it
      • User - this user has access to the ZyWALL's services but cannot look at the configuration
      • Guest - this user has access to the ZyWALL's services but cannot look at the configuration
      • Ext-User - this user account is maintained in a remote server, such as RADIUS or LDAP.
Password
    Enter the password of this user account. It can consist of 4-30 alphanumeric characters.
Retype
    This field is only available if Password is checked. Enter the password again.
Description
    Enter the description of each user, if any. You can use up to 60 printable ASCII characters. Default descriptions are provided.
Lease Time
    Enter the number of minutes this user has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Admin users renew the session every time the main screen refreshes in the web configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically, the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.
Reauthentication Time
    Type the number of minutes this user can be logged into the ZyWALL in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike lease time, the user has no opportunity to renew the session without logging out.

Rules for User Names

Enter a user name from 1 to 31 characters.

The user name can only contain the following characters:

The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are:
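The following script is an added example, not part of the manual or Zyxel's tooling. It applies the user-name rules stated in the User Add/Edit table (1-31 characters, alphanumerics, underscores or dashes, no leading digit, no collision with group names) to a name list exported from a directory, the way the bulk Ext-User procedure above suggests, and emits one line per accepted name. The ZyWALL CLI command for creating an account is not given on this page, so it is left as a labelled placeholder, and the reserved-word list, which the page does not enumerate, is a caller-supplied assumption.

```python
import re

# Rules from the User Add/Edit table: 1-31 characters, alphanumerics,
# underscores or dashes, first character not a digit. Names are case-sensitive
# and must differ from user group names. The reserved-word list is not given on
# the page, so it is a caller-supplied assumption here (default: none).
USER_NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")

def check_user_name(name, group_names=(), reserved=()):
    """Return None if the name is acceptable, otherwise the reason it is not."""
    if not USER_NAME_RE.fullmatch(name):
        return "must be 1-31 alphanumeric/_/- characters and not start with a digit"
    if name in group_names:
        return "collides with an existing user group name"
    if name in reserved:
        return "is a reserved word"
    return None

def build_account_script(names, group_names=(), reserved=()):
    """Split an exported name list into CLI lines (valid names) and rejections."""
    lines, rejected, seen = [], {}, set()
    for raw in names:
        name = raw.strip()
        if not name or name in seen:
            continue                    # skip blank lines and duplicates in the export
        seen.add(name)
        problem = check_user_name(name, group_names, reserved)
        if problem:
            rejected[name] = problem
            continue
        # Hypothetical placeholder: the page does not give the ZyWALL CLI syntax
        # for creating an Ext-User account; substitute the real command here.
        lines.append(f"<CLI-COMMAND-TO-CREATE-EXT-USER> {name}")
    return lines, rejected

# Constructed sample of what an LDAP/RADIUS user-name export might contain.
SAMPLE_EXPORT = ["alice", "bob-smith", "  alice", "9lives", "r&d_user",
                 "", "sales", "_svc_backup", "x" * 32]
SAMPLE_GROUPS = ["sales"]   # constructed: an existing user group name

if __name__ == "__main__":
    script, bad = build_account_script(SAMPLE_EXPORT, SAMPLE_GROUPS)
    print("#!/bin/sh")
    print("\n".join(script))
    for name, why in bad.items():
        print(f"# skipped {name!r}: {why}")
```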

Group Summary

User groups consist of access users and other user groups. You cannot put admin users in user groups. The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups.

User/Group > Group

#
    This field is a sequential value, and it is not associated with a specific user group.
Group Name
    This field displays the name of each user group.
Description
    This field displays the description for each user group.
Member
    This field lists the members in the user group. Each member is separated by a comma.
Add icon
    This column provides icons to add, edit, and remove user groups.
    To add a user group, click the Add icon at the top of the column. The Group Add/Edit screen appears.
    To edit a user group, click the Edit icon next to the user group. The Group Add/Edit screen appears.
    To delete a user group, click the Remove icon next to the user group. The web configurator confirms that you want to delete the user group before doing so. If you delete the group, you do not delete the users in the group.

Group Add/Edit

The Group Add/Edit screen allows you to create a new user group or edit an existing one.

User/Group > Group > Add

Name
    Type the name for this user group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User group names have to be different from user names.
Description
    Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces.
#
    The sequence of members in the user group is not important.
Available
    This field displays the names of the users and user groups that can be added to the user group.
    Select users and groups that you want to be members of this group and click the right arrow to add them to the member list.
Member
    This field displays the names of the users and user groups that have been added to the user group. The order of members is not important. To remove members, select them and click the left arrow.

Setting Screen

The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them.

User/Group > Setting

User Default Setting

User Type
    Select the default user type when you create a new user account. You can still change the user type for each user account.
Lease Time
    Select the default lease time when you create a new user account. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. You can still change the lease time for each user account.
Reauthentication Time
    Select the default reauthentication time when you create a new user account. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. You can still change the reauthentication time for each user account.

User Logon Setting

Limit ... for administration account
    Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can log in as many times as they want at the same time using the same or different IP addresses.
Maximum number per administration account
    This field is effective when Limit ... for administration account is checked. Type the maximum number of simultaneous logins by each admin user. The number must be between 1 and 1024.
Limit ... for access account
    Select this check box if you want to set a limit on the number of simultaneous logins by non-admin users. If you do not select this, access users can log in as many times as they want as long as they use different IP addresses.
Maximum number per access account
    This field is effective when Limit ... for access account is checked. Type the maximum number of simultaneous logins by each access user. The number must be between 1 and 1024.

User Lockout Setting

Enable logon retry limit
    Select this check box to set a limit on the number of times each user can log in unsuccessfully (for example, with a wrong password) before the IP address is locked out for a specified amount of time.
Maximum retry count
    This field is effective when Enable logon retry limit is checked. Type the maximum number of times each user can log in unsuccessfully before the IP address is locked out for the specified lockout period. The number must be between 1 and 99.
Lockout period
    This field is effective when Enable logon retry limit is checked. Type the number of minutes the user must wait before trying to log in again, once the logon retry limit is enabled and the maximum retry count is reached. This number must be between 1 and 65,535 (about 45.5 days).

User Miscellaneous Setting

Allow renewing lease time ...
    Select this check box if access users can renew lease time automatically, as well as manually, simply by checking the Update lease time automatically check box on their screen.
Enable user idle detection
    This is applicable for access users.
    Select this check box if you want the ZyWALL to monitor how long each access user is logged in and idle (in other words, there is no traffic for this access user). The ZyWALL automatically logs out the access user once the User idle timeout has been reached.
User idle timeout
    This is applicable for access users.
    This field is effective when Enable user idle detection is checked. Type the number of minutes each access user can be logged in and idle before the ZyWALL automatically logs out the access user.

Force User Authentication Policy
    Use this section to specify when users must log in to the ZyWALL before the ZyWALL routes HTTP traffic for them. Once users have logged in, the ZyWALL can enforce user-aware policies.
    This section displays the conditions that are applied, in sequence, to decide what the appropriate action is. By default, users do not have to log in to the ZyWALL.
#
    This field is a sequential value, and it is not associated with a specific condition.
Schedule
    This field displays the schedule object that specifies when this condition applies. It displays none if this condition always applies.
Source
    This field displays the source address object of traffic to which this condition applies. It displays any if this condition applies to traffic from all source addresses.
Destination
    This field displays the destination address object of traffic to which this condition applies. It displays any if this condition applies to traffic to all destination addresses.
Authenticate
    This field displays whether users must log in (force) or do not have to log in (skip) when this condition is checked and satisfied.
Add icon
    This column provides icons to add, edit, move, and remove conditions. It also provides icons to activate and deactivate conditions.
    To add a condition, click the Add icon at the top of the column or next to a condition. If you click the one at the top of the column, the new condition is first in the list. If you click the one next to a condition, the new condition appears right below that condition.
    To edit a condition, click the Edit icon at the top of the column or next to a condition. The Force User Authentication Policy Add/Edit screen appears.
    To remove a condition, click the Remove icon next to the condition. The web configurator confirms that you want to delete the condition before doing so.
    To move a condition up or down in the list, click the Move to N icon next to the condition, and type the line number (# field) where you want to move this condition. The # field is updated accordingly.
    To activate or deactivate

Force User Authentication Policy Add/Edit

Use this screen to specify a condition when users must log in or do not have to log in to the ZyWALL before their HTTP traffic can pass through the ZyWALL.

User/Group > Setting > Force User Authentication Policy > Add/Edit

Enable
    Select this if you want this condition to be active.
Description
    Enter a description for this condition. It can be up to 60 printable ASCII characters long.
Authentication
    Select whether users must log in (force) or do not have to log in (skip) when this condition is checked and satisfied.
Source Address
    Select a source IP address object or select Create Object to configure a new one.
    Select any if this condition applies to traffic from all source addresses.
Destination Address
    Select the destination address of traffic to which this condition applies or select Create Object to configure a new one. Select any if this condition applies to traffic to all destination addresses.
Schedule
    Select the schedule object that specifies when this condition applies or select Create Object to configure a new one (see Schedules for details). Select none if this condition always applies.
OK
    Select this to save your changes and return to the previous screen.
Cancel
    Select this to return to the previous screen without saving any changes.
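The evaluation order described for the Force User Authentication Policy (conditions checked in sequence, the first satisfied one decides, disabled rows ignored, HTTP only, default skip) as an added example that is not part of the manual. Address objects are modelled here as IP networks and schedule objects as a weekday set with start and end hours; both representations are assumptions, since the page does not define the object formats.

```python
import ipaddress
from datetime import datetime

def make_condition(enabled, authenticate, source="any", destination="any", schedule=None):
    """One row of the policy table. 'any' = no address restriction; None schedule = 'none'
    on the page, i.e. the condition always applies (representation is an assumption)."""
    return {"enabled": enabled, "authenticate": authenticate,
            "source": None if source == "any" else ipaddress.ip_network(source),
            "destination": None if destination == "any" else ipaddress.ip_network(destination),
            "schedule": schedule}   # e.g. {"days": {0, 1, 2, 3, 4}, "start": 9, "end": 18}

def schedule_active(schedule, when):
    if schedule is None:                 # 'none': the condition always applies
        return True
    return when.weekday() in schedule["days"] and schedule["start"] <= when.hour < schedule["end"]

def must_authenticate(policy, src_ip, dst_ip, when, protocol="http"):
    """Walk the conditions in sequence; the first one that is enabled and satisfied decides.
    Returns True when the Login screen must be shown before the traffic is routed."""
    if protocol != "http":               # the page: the policy applies to HTTP traffic only
        return False
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for cond in policy:
        if not cond["enabled"]:
            continue                     # deactivated rows are skipped entirely
        if cond["source"] is not None and src not in cond["source"]:
            continue
        if cond["destination"] is not None and dst not in cond["destination"]:
            continue
        if not schedule_active(cond["schedule"], when):
            continue
        return cond["authenticate"] == "force"
    return False                         # page default: users do not have to log in

# Constructed sample policy: a server subnet is exempted first, a disabled
# catch-all row must be ignored, then the LAN is forced to log in during office hours.
OFFICE_HOURS = {"days": {0, 1, 2, 3, 4}, "start": 9, "end": 18}
SAMPLE_POLICY = [
    make_condition(True,  "skip",  source="192.0.2.0/28"),
    make_condition(False, "force", source="any"),
    make_condition(True,  "force", source="192.0.2.0/24", schedule=OFFICE_HOURS),
]

if __name__ == "__main__":
    wednesday_10am = datetime(2024, 1, 10, 10, 0)
    for ip in ("192.0.2.5", "192.0.2.50", "203.0.113.9"):
        print(ip, "force" if must_authenticate(SAMPLE_POLICY, ip, "198.51.100.1", wednesday_10am) else "skip")
```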

Web Configurator for Non-Admin Users

Access users cannot use the Web configurator to browse the configuration of the ZyWALL. Instead, when access users log in to the ZyWALL.

Web Configurator for Non-Admin Users

User-defined lease time (max ... minutes)
    Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease time that you specified.
Renew
    Access users can click this button to reset the lease time, the amount of time remaining before the ZyWALL automatically logs them out. The ZyWALL sets this amount of time according to the
      • User-defined lease time field in this screen
      • Lease time field in the User Add/Edit screen (see User Add/Edit)
      • Lease time field in the Setting screen (see Setting Screen)
Updating lease time automatically
    This box appears if you checked the Allow renewing lease time automatically box in the Setting screen. (See Setting Screen.) Access users can select this check box to reset the lease time automatically 30 seconds before it expires. Otherwise, access users have to click the Renew button to reset the lease time.
Remaining time before lease timeout
    This field displays the amount of lease time that remains, though the user might be able to reset it.
Remaining time before auth. timeout
    This field displays the amount of time that remains before the ZyWALL automatically logs the access user out, regardless of the lease time.
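An added model (not from the manual) of how the three timers described on this page interact for one access-user session: the lease clock, which Renew or the 30-second auto-renew restarts; the reauthentication clock from User Add/Edit, which nothing short of logging in again restarts; and the idle timeout from the Setting screen. It also caps the user-defined lease time at the configured one, as the non-admin screen requires. The class and the `state` method are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

AUTO_RENEW_MARGIN = 30   # seconds before lease expiry at which auto-renew fires (page: 30 seconds)

@dataclass
class AccessSession:
    """Timers of one access-user session. `now` values are seconds since login.
    Minute settings follow the page: 0 means unlimited."""
    lease_time: int                      # Lease Time (User Add/Edit), minutes
    reauth_time: int                     # Reauthentication Time (User Add/Edit), minutes
    idle_timeout: int = 0                # User idle timeout (Setting screen), minutes; 0 = detection off
    auto_renew_allowed: bool = False     # "Allow renewing lease time ..." (Setting screen)
    auto_renew: bool = False             # "Updating lease time automatically" box on the user's screen
    user_lease: Optional[int] = None     # user-defined lease time, at most the configured lease time
    lease_expiry: Optional[int] = field(init=False, default=None)

    def __post_init__(self):
        # Default to the configured lease time and cap the user's own value at it.
        if (self.user_lease is None or self.user_lease <= 0
                or (self.lease_time and self.user_lease > self.lease_time)):
            self.user_lease = self.lease_time
        self.renew(0)

    def renew(self, now):
        """Renew button: restart the lease clock; the reauthentication clock is untouched."""
        self.lease_expiry = now + self.user_lease * 60 if self.user_lease else None

    def remaining_lease(self, now):
        return None if self.lease_expiry is None else max(0, self.lease_expiry - now)

    def remaining_auth(self, now):
        return None if not self.reauth_time else max(0, self.reauth_time * 60 - now)

    def state(self, now, last_traffic):
        """Return 'active' or the reason the ZyWALL logs the user out at `now`."""
        if self.reauth_time and now >= self.reauth_time * 60:
            return "reauthentication timeout"   # no renewal possible without logging in again
        if self.idle_timeout and now - last_traffic >= self.idle_timeout * 60:
            return "idle timeout"
        if self.lease_expiry is not None:
            if now >= self.lease_expiry:
                return "lease timeout"
            if (self.auto_renew_allowed and self.auto_renew
                    and self.lease_expiry - now <= AUTO_RENEW_MARGIN):
                self.renew(now)                 # auto-renew 30 seconds before the lease runs out
        return "active"
```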