User objects restrict access rules to specific users and user groups. You can apply user objects to Forwarding Firewall access rules and specify user conditions such as login names, groups, and policy role patterns. You also have the option to include VPN groups in the object configuration.
User objects are populated by querying the external authentication servers or the local authentication service on the firewall. For VPN, user objects can also query X.509 certificate patterns.
When you create a new user object, you can configure multiple User Conditions. The user conditions are evaluated from the top to the bottom. Each user condition is made up of the following settings:
- Authentication Pattern – Users matching both login name and group pattern according to the configured external authentication scheme (MSAD, LDAP, or RADIUS).
  - Login Name – Enter a pattern for the user name. * and ? wildcard characters are allowed.
  - Group Patterns – Enter patterns matching user groups. At least one group pattern must match for the authentication pattern to match.
- Policy Roles Patterns – The policy role patterns for VPN users when using the
. You can select:
- X509 Certificate Pattern – The certificate conditions for VPN users and groups:
  - Subject/Issuer – The subject/issuer of the affected X.509 certificate. If multiple subject parts (key value pairs) are required, separate them with a forward slash (/). For example, if OU=test1 and OU=test2 are required, select OU and enter
  - Policy/AltName – The ISO number and the SubjectAltName according to the certificate.
- VPN User Pattern – The VPN login and VPN group policy that the object has to apply to in the VPN Group field.
- Authentication Method – In this section, you can specify the following settings:
  - Origin – Defines the type of originator. The following originators are available when configured:
    - VPNP (PersonalVPN)
    - VPNG (GroupVPN)
    - VPNT (Tunnel)
    - HTTP (Browser login)
    - Proxy (Login via proxy)
  - Server/Service/Box – Allows enforcing authentication on a certain server/service/box.
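The matching rules described above (conditions evaluated top to bottom, * and ? wildcards in the login name, at least one group pattern matching, every required subject part separated by /) as an added example; this is not part of the original documentation or the firewall's own code. The data model, the assumption that evaluation stops at the first matching condition, and the treatment of an empty group pattern list as "no group restriction" are mine.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Hypothetical model of one User Condition: a login-name pattern,
# group patterns (at least one must match) and optional required
# X.509 subject parts written the way the docs describe, "OU=test1/OU=test2".
@dataclass
class UserCondition:
    login_pattern: str = "*"
    group_patterns: list = field(default_factory=list)
    subject_parts: str = ""  # "" means no certificate subject check

def match_subject(required: str, subject: str) -> bool:
    """Every required key=value part (separated by '/') must be present in the subject."""
    if not required:
        return True
    present = {p.strip() for p in subject.split("/") if p.strip()}
    return all(part.strip() in present for part in required.split("/"))

def match_condition(cond: UserCondition, login: str, groups: list, subject: str = "") -> bool:
    # Login Name: '*' and '?' wildcards; fnmatchcase is case-sensitive like a literal compare.
    if not fnmatchcase(login, cond.login_pattern):
        return False
    # Group Patterns: at least one pattern must match at least one of the user's groups.
    # Assumption: an empty pattern list imposes no group restriction.
    if cond.group_patterns and not any(
        fnmatchcase(g, pat) for pat in cond.group_patterns for g in groups
    ):
        return False
    return match_subject(cond.subject_parts, subject)

def first_matching_condition(conditions, login, groups, subject="") -> Optional[int]:
    """Evaluate conditions top to bottom; return the index of the first match (assumed first-match semantics)."""
    for i, cond in enumerate(conditions):
        if match_condition(cond, login, groups, subject):
            return i
    return None

if __name__ == "__main__":
    # Constructed sample object: admins by login prefix, then VPN/staff users with a required cert OU pair.
    conds = [
        UserCondition("admin*", ["Domain Admins"]),
        UserCondition("*", ["VPN-*", "Staff"], "OU=test1/OU=test2"),
    ]
    print(first_matching_condition(conds, "admin.jane", ["Domain Admins"]))                 # 0
    print(first_matching_condition(conds, "bob", ["VPN-Sales"], "CN=bob/OU=test1/OU=test2"))  # 1
    print(first_matching_condition(conds, "bob", ["VPN-Sales"], "CN=bob/OU=test1"))           # None
```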
Create a User Object
Create user objects to include them in access or application rules.
For more information, see How to Create and Apply Custom User Objects and How to Create and Apply User Objects for VPN Users.