Filter
Top Products
User Management
1108
SonicOS 5.8.1 Administrator Guide
White Listing IP Addresses to Bypass SSO and Authentication
If you have IP addresses that should always be allowed access without requiring user
authentication, they can be white-listed.
To white-list IP addresses so that they do not require authentication and can bypass SSO:
Step 1 On the Network > Address Objects page, create an Address Group containing the IP
addresses to be white-listed.
Step 2 If you have access rules requiring user authentication for certain services, then add an
additional rule for the same services on the Firewall > Access Rules page. Set the Source to
the Address Group you just created, and set Users Allowed to All.
Step 3 If you also want those IP addresses to bypass SSO for services such as CFS, IPS, App Rules,
DPI-SSL, or Anti-Spyware, then navigate to Users > Settings, select SSO Agent for the Single-
sign-on method and click Configure. On the Enforcement tab, select the Address Group you
created in the Bypass the Single Sign On process for traffic from field.
The default CFS policy will be applied to users at these
IP addresses, and no IPS policies or
App Control policies that include particular users will be applied to them.
This method is appropriate for small numbers of IP addresses or to white-list subnets or IP
address ranges. It will work for large numbers of separate IP addresses, but could be rather
inefficient.
Forcing Users to Log In When SSO Fails with CFS, IPS, App Control
You can use Access Rules to force users to log in via the Web UI when they cannot be
identified via Single Sign-On (SSO). Users need to be identfied for CFS, IPS, App Rules, or
other policies to be correctly applied. An Access Rule can make the SonicWALL prompt the
user for username and password.
If there are multiple CFS policies, or if IPS, App Rules, App Control, Anti-Spyware or DPI-SSL
have policies that are set to include/exclude certain users/user groups, then SSO is initiated to
identify users. By default, if SSO fails to identify a user, the user is given access through the
firewall while constrained by the default CFS policy or without the IPS policy, App Rule, or other
policy being applied.
You can use Access Rules in conjunction with the above services to force all users to log in via
the Web UI with username/password when SSO fails, before they are allowed access through
the firewall. Set an access rule that requires users to be authenticated, and that rule will initiate
SSO. In this case, if SSO fails to identify the user they are blocked and, in the case of HTTP,
redirected to the login page.