Menu path: Configuration > Integration Overview > Firewall SSO.
This integration is used to inform firewalls which client is using a particular IP address. The firewall can use this information to apply per-user or per-role policies, including establishing single sign-on. The firewalls supported by A3 include:
New Firewall SSO entries are added by selecting .
The fields in the dialog for creating new BarracudaNG firewall entries are:
Field | Usage | Example |
---|---|---|
Host Name or IP Address | The hostname or IP address of the server running the firewall. | barracuda.example.com |
User Name | The user name for the login to the firewall. | admin |
Secret or Key | The secret or key used to login. | secret |
Port | The port number on which to connect to the firewall. | 22 |
Roles | A list of Roles indicating which roles the firewall will be applied to. | |
SSO-Enabled Networks | A comma-separated list of networks on which SSO applies, each in CIDR format. | 192.168.0.0/24 |
Cache Updates | If enabled, DHCP updates that are normally sent with each DHCP request are held for a period if the information remains the same. | |
Cache Timeout | This value should be set to half the firewall's expiration delay, which should match the DHCP renewal interval. | |
User Name Format | Defines how to format the username that is sent to the firewall. $username represents the user name and $realm represents the realm of your user, if applicable. $pf_username represents the unstripped user name as it is stored in the A3 database. If empty, $pf_username will be used. | $pf_username |
Default Realm | The default realm to be used while formatting the user name when no realm can be extracted. | |
The fields in the dialog for creating new Checkpoint firewall entries are:
Field | Usage | Example |
---|---|---|
Host Name or IP Address | The hostname or IP address of the server running the firewall. | checkpoint.example.com |
Secret or Key | The secret or key used to login. | secret |
Port | The port number on which to connect to the firewall. | 1813 |
Roles | A list of Roles indicating which roles the firewall will be applied to. | |
SSO-Enabled Networks | A comma-separated list of networks on which SSO applies, each in CIDR format. | 192.168.0.0/24 |
Cache Updates | If enabled, DHCP updates that are normally sent with each DHCP request are held for a period if the information stays the same. | |
Cache Timeout | This value should be set to half the firewall's expiration delay, which should match the DHCP renewal interval. | |
User Name Format | Defines how to format the username that is sent to the firewall. $username represents the user name and $realm represents the realm of your user, if applicable. $pf_username represents the unstripped user name as it is stored in the A3 database. If empty, $pf_username will be used. | |
Default Realm | The default realm to be used while formatting the user name when no realm can be extracted. | |
The fields in the dialog for creating new Family Zone firewall entries are:
Field | Usage | Example |
---|---|---|
Host Name or IP Address | The hostname or IP address of the server running the firewall. The region should be included in the FQDN when using the cloud version. For example, login.myregion.linewize.net. | FZ.example.com |
Username | The user name for login to the Family Zone server. | admin |
Secret or Key | The secret or key used to login. | secret |
DeviceID | | |
Roles | A list of Roles indicating which roles the firewall will be applied to. | |
SSO-Enabled Networks | A comma-separated list of networks on which SSO applies, each in CIDR format. | 192.168.0.0/24 |
Cache Updates | If enabled, DHCP updates that are normally sent with each DHCP request are held for a period if the information stays the same. | |
Cache Timeout | This value should be set to half the firewall's expiration delay, which should match the DHCP renewal interval. | |
User Name Format | Defines how to format the username that is sent to the firewall. $username represents the user name and $realm represents the realm of your user, if applicable. $pf_username represents the unstripped user name as it is stored in the A3 database. If empty, $pf_username will be used. | |
Default Realm | The default realm to be used while formatting the user name when no realm can be extracted. | |
The fields in the FortiGate firewall definition are the same as those in BarracudaNG.
The fields in the dialog for creating new Iboss firewall entries are:
Field | Usage | Example |
---|---|---|
Host Name or IP Address | The hostname or IP address of the server running the firewall. | iboss.example.com |
Secret or Key | The secret or key used to login. | secret |
Port | The port number on which to connect to the firewall. | 8015 |
NAC Name | The network access control (NAC) name from the iboss configuration. | students |
Roles | A list of Roles indicating which roles the firewall will be applied to. | |
SSO-Enabled Networks | A comma-separated list of networks on which SSO applies, each in CIDR format. | 192.168.0.0/24 |
Cache Updates | If enabled, DHCP updates that are normally sent with each DHCP request are held for a period if the information stays the same. | |
Cache Timeout | This value should be set to half the firewall's expiration delay, which should match the DHCP renewal interval. | |
User Name Format | Defines how to format the username that is sent to the firewall. $username represents the user name and $realm represents the realm of your user, if applicable. $pf_username represents the unstripped user name as it is stored in the A3 database. If empty, $pf_username will be used. | |
Default Realm | The default realm to be used while formatting the user name when no realm can be extracted. | |
The fields in the JuniperSRX firewall definition are the same as those in Checkpoint.
The fields in the dialog for creating new Lightspeed Rocket firewall entries are:
Field | Usage | Example |
---|---|---|
Host Name or IP Address | The hostname or IP address of the server running the firewall. | lsr.example.com |
Secret or Key | The secret or key used to login. | secret |
Port | The port number on which to connect to the firewall. | 1813 |
Roles | A list of Roles indicating which roles the firewall will be applied to. | |
SSO-Enabled Networks | A comma-separated list of networks on which SSO applies, each in CIDR format. | 192.168.0.0/24 |
Cache Updates | If enabled, DHCP updates that are normally sent with each DHCP request are held for a period if the information stays the same. | |
Cache Timeout | This value should be set to half the firewall's expiration delay, which should match the DHCP renewal interval. | |
User Name Format | Defines how to format the username that is sent to the firewall. $username represents the user name and $realm represents the realm of your user, if applicable. $pf_username represents the unstripped user name as it is stored in the A3 database. If empty, $pf_username will be used. | |
Default Realm | The default realm to be used while formatting the user name when no realm can be extracted. | |
The fields in the dialog for creating new PaloAlto firewall entries are:
Field | Usage | Example |
---|---|---|
Host Name or IP Address | The hostname or IP address of the server running the firewall. | paloalto.example.com |
Vsys | The virtual system number when used with HTTP transport. | 1 |
Transport | One of HTTP or Syslog. | HTTP |
Port | The port number on which to connect to the firewall. | 443 |
Secret or Key | If HTTP transport is used, then this is the password for the PaloAlto API. | secret |
Roles | A list of Roles indicating which roles the firewall will be applied to. | |
SSO-Enabled Networks | A comma-separated list of networks on which SSO applies, each in CIDR format. | 192.168.0.0/24 |
Cache Updates | If enabled, DHCP updates that are normally sent with each DHCP request are held for a period if the information stays the same. | |
Cache Timeout | This value should be set to half the firewall's expiration delay, which should match the DHCP renewal interval. | |
User Name Format | Defines how to format the username that is sent to the firewall. $username represents the user name and $realm represents the realm of your user, if applicable. $pf_username represents the unstripped user name as it is stored in the A3 database. If empty, $pf_username will be used. | |
Default Realm | The default realm to be used while formatting the user name when no realm can be extracted. | |
The fields in the dialog for creating new Smoothwall firewall entries are:
Field | Usage | Example |
---|---|---|
Host Name or IP Address | The hostname or IP address of the server running the firewall. | smoothwall.example.com |
Secret or Key | The secret or key used to login. | secret |
Port | The port number on which to connect to the firewall. | 1813 |
Roles | A list of Roles indicating which roles the firewall will be applied to. | |
SSO-Enabled Networks | A comma-separated list of networks on which SSO applies, each in CIDR format. | 192.168.0.0/24 |
Cache Updates | If enabled, DHCP updates that are normally sent with each DHCP request are held for a period if the information stays the same. | |
Cache Timeout | This value should be set to half the firewall's expiration delay, which should match the DHCP renewal interval. | |
User Name Format | Defines how to format the username that is sent to the firewall. $username represents the user name and $realm represents the realm of your user, if applicable. $pf_username represents the unstripped user name as it is stored in the A3 database. If empty, $pf_username will be used. | |
Default Realm | The default realm to be used while formatting the user name when no realm can be extracted. | |
The fields in the WatchGuard firewall definition are the same as those in BarracudaNG.
The JSONRPC integration is a generic firewall SSO interface for Linux or BSD firewalls that do not include a vendor-specific interface for SSO.
See BarracudaNG for the fields in the JSONRPC definition form.
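The fields shared by all of the definitions above can be reasoned about with a small model. This is an added example, not A3's code: it expands a User Name Format, checks an address against SSO-Enabled Networks, and shows the effect of the Cache Timeout relative to the firewall's expiration delay. The realm notations (`user@realm`, `REALM\user`), the function names, and the sample timings are assumptions.

```python
import ipaddress
from string import Template

def split_realm(pf_username):
    """Return (username, realm); realm is None when none can be extracted.
    Assumed notations: user@realm and REALM\\user."""
    if "@" in pf_username:
        user, realm = pf_username.rsplit("@", 1)
        return user, realm
    if "\\" in pf_username:
        realm, user = pf_username.split("\\", 1)
        return user, realm
    return pf_username, None

def format_username(fmt, pf_username, default_realm=""):
    """Expand User Name Format; an empty format falls back to $pf_username."""
    user, realm = split_realm(pf_username)
    values = {"username": user, "realm": realm or default_realm,
              "pf_username": pf_username}
    return Template(fmt or "$pf_username").safe_substitute(values)

def sso_applies(client_ip, networks_csv):
    """True if client_ip is in any network of the comma-separated CIDR list."""
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n.strip()) for n in networks_csv.split(",") if n.strip()]
    return any(ip in net for net in nets)

def updates_sent(request_times, cache_timeout):
    """With Cache Updates on, list the DHCP request times (seconds) that
    produce a firewall update for one unchanged IP/user pair."""
    sent = []
    for t in request_times:
        if not sent or t - sent[-1] >= cache_timeout:
            sent.append(t)
    return sent

def mapping_lapses(sent, expiry):
    """True if two consecutive updates are further apart than the firewall's
    expiration delay, i.e. the firewall forgets the user in between."""
    return any(b - a > expiry for a, b in zip(sent, sent[1:]))

if __name__ == "__main__":
    # Constructed sample: expiry 3600 s, client DHCP requests every 1500 s.
    requests = [0, 1500, 3000, 4500, 6000, 7500]
    for timeout in (1800, 3600):
        sent = updates_sent(requests, timeout)
        print(timeout, sent, "lapses" if mapping_lapses(sent, 3600) else "ok")
    print(format_username("$username@$realm", "alice", "example.com"))
    print(sso_applies("192.168.0.57", "192.168.0.0/24, 10.0.0.0/8"))
```

In this model, a hold period equal to the expiration delay lets the next update arrive up to one request interval after the firewall entry has expired, while a hold period of half the delay keeps consecutive updates inside it.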
Copyright © 2023 Extreme Networks. All rights reserved. Published March 28, 2023.