The Global Settings button manages the certificate for the GUI, the authentication method (management of the credentials needed when the GUI is launched), geolocation, the logo, and the SNMP users. Almost all of the following settings require an apply of the configuration before the changes take effect.
Define a specific certificate to the WAF by importing a key and certificate file in PEM format and optionally a chain file if the certificate is signed with your own PKI.
chain file and keystore
If you decide to use a chain file from your own PKI, it becomes mandatory to load a Java keystore in the GUI of the WAF to validate the custom certificate uploaded in the product. In the authentication pop-up, you must check the "Use Custom Keystore" option in the "Preferences > SSL Check" menu and upload a Java keystore containing the root certificate corresponding to your internal PKI.
This function changes the way in which users of the Administration Interface (GUI) on the Management Box are authenticated. These settings also affect authentication for the Web Services API.
Users can be authenticated either on the appliance’s internal store (the default), or on an external RADIUS or LDAP server.
- The “Internal” type uses the credentials present in the Roles, Users & Authorizations section.
- The “RADIUS” and “LDAP” types use credentials from a RADIUS server or LDAP directory configured in Authentication servers.
- Authentication server: Selects the Authentication Server (LDAP or RADIUS) to be used to verify users’ login/password.
- Maps Role on attribute: Check this box to assign an existing role (Roles, Users & Authorizations section) to the user when one of the user's attributes retrieved from the authentication server (see Authentication Servers, Extended attributes tab) has the name of that role as its value.
The user authenticated on the GUI is assigned an authorization role. This role will be chosen based on an attribute returned by the authentication server.
- Parameter Name: the name of the parameter (declared in Authentication Servers, Extended attributes tab) used to assign the role, i.e. the attribute returned by the authentication server whose value is the role to be assigned to the user.
In RADIUS authentication, when this parameter is enabled and the RADIUS server provides an attribute that does not correspond to a declared role, the user is rejected (except in the case of users with the Administrator option enabled).
Example of assigning a role
We want users to be authenticated on an LDAP directory, and to assign them a specific role (and the associated rights) as a function of the value of the "memberOf" attribute of their LDAP record:
- List the memberOf values in the directory to which a particular role is to be assigned. For example: "Admin" and "BackupOperator".
- Create a role for each value we want, with the same name as the value of the attribute: in Roles, Users & Authorizations, create a Role object whose Name parameter is "Admin", then create a Role object whose Name parameter is "BackupOperator".
- On the LDAP Authentication Server, add an Extended Attribute named "memberOf".
- In the Gui Authentication dialogue box, select the LDAP Authentication Server, check the Maps Role on attribute box, and select "memberOf" in the parameter Parameter Name.
- IP Restriction: Authorizes only those users whose source IP address corresponds to the regular expression. If this parameter is empty (the default), no restriction is applied on the source IP address.
- Session Timeout (s): The duration (in seconds) after which the user's connection will become invalid. Default is 900 seconds.
- Multi user write access: allows several users to connect at the same time in read+write mode. Enabling this feature exposes users to concurrent modification issues. A confirmation window opens each time the product detects such an overwrite (overwrites are detected for each object of the configuration). When multiple users are working on the cluster at the same time, it is recommended to refresh its configuration periodically.
If authentication on the LDAP or RADIUS server fails, or the server fails to respond, the credentials are tested on the internal store.
To associate roles or rights to a RADIUS or LDAP user without using the Maps Role on attribute function, you must create the user in Roles, Users & Authorizations and assign him/her a role, authorizations, or enable the Administrator setting. If there is no associated role, a user authenticated via an LDAP or RADIUS server cannot perform operations on the Box.
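The authentication rules above (IP Restriction, external server with fallback to the internal store, Maps Role on attribute with rejection of unmapped users unless they have the Administrator option) can be modelled to see how they combine. The following is an added example, not product code: the function and class names, the regex-matching rule (assumed to be a full match) and the "first matching value wins" choice are assumptions, and the LDAP directory, internal store and local user objects are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample data standing in for the GUI objects.
DECLARED_ROLES = {"Admin", "BackupOperator"}          # Role objects
INTERNAL_STORE = {                                    # internal store
    "root": {"password": "local-secret", "role": "Admin", "administrator": True},
}
LOCAL_USERS = {                                       # locally created LDAP/RADIUS users
    "bob": {"role": "BackupOperator", "administrator": False},
    "dave": {"role": None, "administrator": True},    # Administrator option enabled
}


@dataclass
class GuiAuthSettings:
    auth_type: str                      # "Internal", "LDAP" or "RADIUS"
    maps_role_on_attribute: bool = False
    parameter_name: str = "memberOf"    # extended attribute carrying the role
    ip_restriction: str = ""            # regex on the source IP; empty = none
    session_timeout: int = 900          # seconds


@dataclass
class AuthResult:
    login: str
    source: str                         # "internal" or "external"
    role: Optional[str]                 # None: authenticated but without rights
    administrator: bool


class ServerUnavailable(Exception):
    """Raised by an external check when the server does not respond."""


# External check: (login, password) -> attribute dict, or None on bad credentials.
ExternalCheck = Callable[[str, str], Optional[Dict[str, List[str]]]]


def _internal_login(login: str, password: str) -> Optional[AuthResult]:
    entry = INTERNAL_STORE.get(login)
    if entry is None or entry["password"] != password:
        return None
    return AuthResult(login, "internal", entry["role"], entry["administrator"])


def authenticate(settings: GuiAuthSettings, login: str, password: str,
                 source_ip: str, external: Optional[ExternalCheck] = None) -> Optional[AuthResult]:
    """Return an AuthResult, or None when the login is rejected."""
    # IP Restriction first: the source address must match the regex. A full
    # match is assumed; the text does not say whether a partial match counts.
    if settings.ip_restriction and not re.fullmatch(settings.ip_restriction, source_ip):
        return None
    if settings.auth_type == "Internal":
        return _internal_login(login, password)
    # LDAP/RADIUS: if the server rejects the credentials or does not answer,
    # the same credentials are then tested on the internal store.
    try:
        attrs = external(login, password) if external else None
    except ServerUnavailable:
        attrs = None
    if attrs is None:
        return _internal_login(login, password)
    local = LOCAL_USERS.get(login, {"role": None, "administrator": False})
    if not settings.maps_role_on_attribute:
        # Rights come only from a locally created user object, if any.
        return AuthResult(login, "external", local["role"], local["administrator"])
    # Maps Role on attribute: a value of the chosen attribute that equals the
    # name of a declared role selects that role (first match wins, assumed).
    matched = [v for v in attrs.get(settings.parameter_name, []) if v in DECLARED_ROLES]
    if matched:
        return AuthResult(login, "external", matched[0], local["administrator"])
    # No declared role among the values: rejected, unless the user has the
    # Administrator option enabled.
    if local["administrator"]:
        return AuthResult(login, "external", None, True)
    return None


def sample_ldap(login: str, password: str) -> Optional[Dict[str, List[str]]]:
    """Constructed stand-in for the LDAP Authentication Server."""
    directory = {
        "alice": ("alice-pw", {"memberOf": ["Staff", "Admin"]}),
        "bob": ("bob-pw", {"memberOf": ["Staff"]}),
        "dave": ("dave-pw", {"memberOf": ["Staff"]}),
    }
    entry = directory.get(login)
    return entry[1] if entry and entry[0] == password else None


def sample_ldap_down(login: str, password: str) -> None:
    """Constructed stand-in for an LDAP server that does not respond."""
    raise ServerUnavailable()
```

With mapping enabled, "alice" gets the Admin role because one of her memberOf values is a declared role name, "bob" is rejected because "Staff" is not a declared role, and "dave" is accepted only because his local user object has the Administrator option. When the LDAP server is down, "root" still logs in through the internal store, which is why that account deserves the same password hygiene as the external directory.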
IP Geolocation database
This function updates the database of the maxminddb module (.mmdb extension). Only the Country database is handled. The database can be downloaded from https://dev.maxmind.com/geoip/geoip2/geolite2
This function lets you modify the logo that will appear on the WAF reports.
Sets the duration for which logs are kept in the database:
- Security logs database retention: duration for keeping security logs in days (365 days by default)
- Access logs database retention: duration for keeping access logs in days (7 days by default)
- Learning logs database retention: duration for keeping learning logs in days (7 days by default)
- WAM logs retention: duration for keeping WAM logs in days (7 days by default)
- Monitoring logs retention: duration for keeping monitoring logs in days (60 days by default)
- Distributed datastores session retention: maximum number of WAM sessions (100 000 by default)
- Event logs retention: maximum number of event logs (10 000 by default)
Any modification requires an apply on the Boxes.
Access and Learning logs retention
Warning: increasing the number of retention days for Access and Learning logs increases the database size and can reduce Elasticsearch and Kibana performance. Make sure you have the necessary resources (memory and disk space) before raising this limit.
If performance is low because of high traffic, it is recommended to decrease this retention.
To send a query to the SNMPv3 daemon, at least one SNMP user must be defined here.
- Name: the user’s login
- Password: The user’s password. Even though it is compulsory to enter it, it is not used for a “NoAuth” Authentication type.
- Authentication type: the security level associated with the user
  - NoAuth: Neither authentication nor encryption are required.
  - Auth: Authentication is required, but the data are not encrypted.
  - Priv: Authentication is required and the data are encrypted.
Only the SHA1 (for authentication) and AES (for encryption) algorithms are supported.
- OID: Optional; an OID to be filtered for the user. Example: “iso.22.214.171.124.126.96.36.199” will allow the user to display only the name of the Box.
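To see what the Name, Password and Authentication type fields translate to on the client side, the following added example (not product code) builds the net-snmp snmpget command line for a user defined here. It assumes the net-snmp client tools as the SNMP client, uses net-snmp's own flag names (-l for the security level, -a/-A for SHA1 authentication, -x/-X for AES privacy) and, because the GUI has a single Password field, uses that one value as both the authentication and privacy passphrase; the user names, passphrases and host are constructed sample values, and the default OID is the standard sysName object.

```python
import shutil
import subprocess
from typing import List, Optional

# Authentication type (as shown in the GUI) -> net-snmp security level.
SECURITY_LEVEL = {
    "NoAuth": "noAuthNoPriv",   # neither authentication nor encryption
    "Auth": "authNoPriv",       # authentication only, data sent in clear
    "Priv": "authPriv",         # authentication and encryption
}

# SNMPv2-MIB::sysName.0, the Box name; numeric so no MIB files are needed.
SYSNAME_OID = "1.3.6.1.2.1.1.5.0"


def passphrase_ok(password: str) -> bool:
    """net-snmp refuses USM passphrases shorter than 8 characters."""
    return len(password) >= 8


def build_snmpget(name: str, password: str, auth_type: str,
                  host: str, oid: str = SYSNAME_OID) -> List[str]:
    """Return the argv list for querying the Box's SNMPv3 daemon as this user."""
    if auth_type not in SECURITY_LEVEL:
        raise ValueError(f"unknown authentication type {auth_type!r}")
    argv = ["snmpget", "-v3", "-l", SECURITY_LEVEL[auth_type], "-u", name]
    # The Password field is compulsory in the GUI but unused for NoAuth, so it
    # deliberately never reaches the command line for that level.
    if auth_type in ("Auth", "Priv"):
        if not passphrase_ok(password):
            raise ValueError("SNMPv3 passphrase must be at least 8 characters")
        argv += ["-a", "SHA", "-A", password]      # only SHA1 is supported
    if auth_type == "Priv":
        argv += ["-x", "AES", "-X", password]      # only AES is supported
    argv += [host, oid]
    return argv


def run_snmpget(argv: List[str]) -> Optional[str]:
    """Execute the query if net-snmp is installed; return stdout, else None."""
    if shutil.which("snmpget") is None:
        return None
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    # Constructed sample user: change host and passphrase for a real Box.
    cmd = build_snmpget("ops", "s3cret-passphrase", "Priv", "waf.example")
    print(" ".join(cmd))
    print(run_snmpget(cmd))
```

Only the "Priv" level protects the passphrase-derived keys and the returned data on the wire; with "Auth" the responses are readable by anyone on the path, and with "NoAuth" any source that can reach the daemon can query it, so the OID restriction above is the only thing limiting what such a user sees.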
Clear DNS Cache
Clears the DNS cache of one or more Boxes.
N.B.: Reverse Proxies are restarted.
Disable Check SSL Peer
This feature ignores SSL peer errors on the selected managed Boxes for the next apply. It has to be used when an SSL certificate problem between the Management and Managed Boxes arises and the Boxes are no longer able to communicate.
This feature is also used to re-synchronize a Managed Box that has just been downgraded to a version below 6.5.1.
IP Reputation Provider
- A Webroot license is required to enable IP reputation features (node and provider). Credentials for the Webroot API are provided by the license.
- The management appliance needs Internet access over HTTPS (TCP port 443) to contact the Webroot API, with the "Enable DNS" option activated and correctly configured to resolve the address of the Webroot servers; alternatively, a Proxy Profile can be used to download the database.
In order to use the IP Reputation node in workflows, a database of IP reputation scores and threats is needed. This screen shows an example setup of how the appliance can retrieve such a database.
The Provider parameter specifies how the database is retrieved. Choosing "none" (the default) disables any update of the database. Choosing "Auto update from Webroot API" activates automatic updates at the frequency set.