User Licensing When Authentication Is Not Required; About User Authentication - Watchguard Firebox X15 User Manual

Firebox x edge e-series version 10 all firebox x edge e-series standard and wireless models

User and Group Management

User licensing when authentication is not required

A user license is not used when:
- Traffic is passed between the trusted and optional networks.
- Traffic is passed from a computer on the trusted or optional network to a computer on the other end of a Branch Office VPN.
- Incoming traffic of any kind is passed to the Edge protected network.
- Traffic is passed from a computer to the Edge itself when no user authentication is required for access to the external network.

About user authentication

User authentication is the process of verifying that a user is who he or she claims to be. On the Firebox,
the use of passwords allows a user name to be associated with an IP address. This helps the Firebox
administrator to monitor connections through the Firebox. With authentication, users can log in to the
network from any computer, but get access to only the network ports and protocols for which they are
authorized. All the connections that start from that IP address also transmit the session name while the user is
authenticated.

You can configure the Edge as a local authentication server, or use your existing Active Directory or LDAP
authentication server, or an existing RADIUS authentication server. When you use third-party authentication,
account privileges for users who authenticate to the third-party authentication servers are based on group
membership.

WatchGuard's user authentication feature allows a user name to be associated with a specific IP address to
help you authenticate and track a user's connections through the Firebox. With the Firebox, the fundamental
question that is asked and answered with each connection is "Should I allow traffic from source X to go to
destination Y?" The WatchGuard authentication feature depends on the relationship between the person
using a computer and the IP address of that computer not changing during the period of time that the person
is authenticated to the Firebox.

In most environments, the relationship between an IP address and the person that uses it is stable enough to
be used to authenticate that person's traffic. Environments in which the association between the person and
an IP address is not consistent, such as a kiosk or terminal server-centric networks, are usually not good
candidates for the successful use of our user authentication feature. WatchGuard currently provides support
for Authentication, Accounting, and Access control (AAA) in our firewall products, based on a stable
association between IP address and person.

We also support authentication to an Active Directory domain through Single Sign-On, as well as other
frequently used authentication servers. In addition, we support inactivity settings and session time limits.
These controls restrict the amount of time an IP address is allowed to pass traffic through the Firebox before
the users must supply their passwords again.

If you control SSO access with a white list, manage inactivity timeouts, session timeouts, and who is allowed
to authenticate, you can significantly improve your control of authentication, accounting, and access control.
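
The following Python sketch is an added illustration, not WatchGuard code or part of the original manual. It models a user name bound to an IP address with an inactivity timeout and a session time limit, and shows why a shared address such as a terminal server breaks attribution. The class names, addresses, user names, and timeout values are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    started: float    # time of login
    last_seen: float  # time of the most recent packet

class IpAuthTable:
    """Toy model: maps a source IP to the user who authenticated from it."""

    def __init__(self, idle_timeout, session_timeout):
        self.idle_timeout = idle_timeout        # max seconds without traffic
        self.session_timeout = session_timeout  # max seconds since login
        self.sessions = {}

    def login(self, ip, user, now):
        self.sessions[ip] = Session(user, now, now)

    def attribute(self, ip, now):
        """Return the user that traffic from `ip` is attributed to, or None."""
        s = self.sessions.get(ip)
        if s is None:
            return None
        idle = now - s.last_seen > self.idle_timeout
        too_old = now - s.started > self.session_timeout
        if idle or too_old:
            del self.sessions[ip]  # the user must supply the password again
            return None
        s.last_seen = now
        return s.user

def demo():
    # Timeout values are assumptions for the example, not Firebox defaults.
    table = IpAuthTable(idle_timeout=600, session_timeout=3600)
    out = {}
    # Constructed sample: 10.0.0.50 is a terminal server shared by two people.
    table.login("10.0.0.50", "alice", now=0)
    # Bob never logged in, but his traffic leaves from the same address.
    out["shared_ip"] = table.attribute("10.0.0.50", now=300)
    out["other_ip"] = table.attribute("10.0.0.51", now=300)
    out["after_idle"] = table.attribute("10.0.0.50", now=901)
    table.login("10.0.0.50", "alice", now=1000)
    for t in range(1000, 4600, 500):  # steady traffic keeps the idle timer fresh
        out["still_active"] = table.attribute("10.0.0.50", now=t)
    out["after_session_limit"] = table.attribute("10.0.0.50", now=4601)
    return out

if __name__ == "__main__":
    print(demo())
```

Any traffic leaving the shared address is attributed to the user who logged in from it, and the session time limit ends the binding even while traffic keeps the inactivity timer fresh.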