No on Demand Probe
Enable the manual on-demand probing of a domain PC as an alternate method for the SRX Series Firewall to retrieve address-to-user mapping information.
Authentication Entry Timeout
Set the timeout to 0 to avoid having the user's entrybeing removed from the authentication table after the timeout.
Note:
When a user is no longer active, a timer is started forthat user’s entry in the Active Directory authentication table.When the time is up, the user’s entry is removed from the table.Entries in the table remain active as long as there are sessions associatedwith the entry.
The default authentication entry timeout is 30 minutes. Starting in Junos OS Release 19.2R1, the defaultvalue is 60 minutes.
To disable timeout, set the interval to zero. The range is 10through 1440 minutes.
WMI Timeout
Enter the number of seconds that the domain PC has to respond to the SRX Series Firewall’s query through Windows Management Instrumentation (WMI) or Distributed Component Object Module (DCOM).
If no response is received from the domain PC within the wmi-timeoutinterval,the probe fails and the system either creates an invalid authenticationentry or updates the existing authentication entry as invalid. Ifan authentication table entry already exists for the probed IP address,and no response is received from the domain PC within the wmi-timeoutinterval, the probe fails and that entry is deleted from the table.
The range is 3 through 120 seconds.
Invalid Authentication Entry Timeout
Enter a value. The range is 10 through 1440 minutes.When a user is no longer active, a timer is started for that user’sentry in the Active Directory authentication table. When the timeis up, the user’s entry is removed from the table.
If this value is not configured, all the invalid auth entryfrom Active Directory will use the default value as 30 minutes.
The range is 10 through 1440 minutes.
Firewall Authentication Forced Timeout
Enter a value. The range is 10 through 1440 minutes.This is the firewall authentication fallback time. Set the timeoutto 0 to avoid having the user's entry being removed from the authenticationtable after the timeout.
Include
Enable to include IP addresses from the Available column.
Click + to create a new IP address and add it as either include or exclude from monitoring.
Click the Delete icon to delete a new IP address and add itas either include or exclude from monitoring.
Exclude
Enable to exclude IP addresses from the Available column.
Click + to create a new IP address and add it as either include or exclude from monitoring.
Click the Delete icon to delete a new IP address and add itas either include or exclude from monitoring.
Test
Click Test to check the Domain Connectionstatus.
test:Status page appears and displays the status.
+
Click + to add a domain.
The Add Domain page appears.
Note:
-
Starting in Junos OS Release 19.2R1, for SRX4200, SRX1500, SRX550M, and vSRX Virtual Firewall devices, and for the SRX5000 and SRX3000 lines of devices, you can configure the integrated user firewall in a maximum of two domains. For the other SRX Series Firewalls, you can create only one domain.
-
Starting in Junos OS Release 23.4R1, for SRX1600 and SRX2300 Firewalls, you can configure the integrated user firewall in a maximum of two domains.
You can select the pencil icon to edit the domain or select delete icon to delete the domain.
Domain Name
Enter the name of the domain.
The range for the domain name is 1 through 64 characters.
Username
Enter the password for the Active Directory account password.
The range for the username is 1 through 64 characters. Example:admin
Password
Enter the username for the Active Directory account name.
The range for the password is 1 through 128 characters. Example:A$BC123
Domain Controller(s)
Click + to add domain controller settings.
Domain Controller Name—Enter the domain controllername. Name can range from 1 through 64 characters.
You can configure up to maximum of 10 domain controllers.
IP Address—Enter the IP address of the domain controller.
User Group Mapping (LDAP)
Click +:
IP Address—Enter the IP address of the LDAP server.If no address is specified, the system uses one of the configuredActive Directory domain controllers.
Port—Enter the port number of the LDAP server. Ifno port number is specified, the system uses port 389 for plaintextor port 636 for encrypted text.
Default value is port 443.
Base Distinguish Name
Enter the LDAP base distinguished name (DN).
Example: DC=example,DC=net
Username
Enter the username of the LDAP account. If no usernameis specified, the system will use the configured domain controller’susername.
Password
Enter the password for the account. If no password isspecified, the system uses the configured domain controller’spassword.
Use SSL
Enable Secure Sockets Layer (SSL) to ensure secure transmissionwith the LDAP server. Disabled by default, then the password is sentin plaintext.
Authentication Algorithm
Enable this option to specify the algorithm used while the SRX Series Firewall communicates with the LDAP server. By default, simple is selected to configure simple(plaintext) authentication mode.
Discovery Method (WMI)
Enable the method of discovering IP address-to-user mappings.
WMI—Windows Management Instrumentation (WMI) is the discoverymethod used to access the domain controller. This option should beenabled only for internal hosts or trusted hosts.
Event Log Scanning Interval
Enter the scanning interval at which the SRX Series Firewall scans the event log on the domain controller. The range is 5 through 60 seconds.
Default value is 60 seconds.
Initial Event Log TimeSpan
Enter the time of the earliest event log on the domain controller that the SRX Series Firewall will initially scan. This scan applies to the initial deployment only. After WMIC and the user identification start working, the SRX Series Firewall scans only the latest event log.
The range is 1 through 168 hours. Default value is 1 hour.