Best Practices when User Authentication using Access Rules is enforced on firewall
08/02/2023
Description
If user authentication is enforced on the firewall using the user settings in access rules, the changes described in this article are recommended as best practices whenever the firewall is seen to be experiencing high CPU load.
TIP: To learn more about configuring user settings in access rules and how to use them, see How can I enforce local authentication for my users before allowing access to the Internet?
Cause
Access rules are used to enforce authentication for users before they can be allowed to access resources.
When user traffic reaches the firewall, the user must be authenticated before the traffic is allowed to pass; any HTTP/HTTPS traffic from an unauthenticated source is redirected to a login page.
If this is enforced in a large network where very large numbers of connections may need to be redirected to the login page, it can place a high load on the firewall's internal web server, particularly when many of the connections come from non-user devices that cannot respond to the login page and log in.
The changes described in this article reduce the load on the web server, allowing redirection to the login page to be handled more efficiently for both HTTP and HTTPS.
Resolution
- Turn on “Add rule to enable redirect from HTTP to HTTPS” on the network interface
The firewall has a proprietary mechanism for redirecting HTTP connections that does so extremely efficiently, without putting any load on its internal web server, and so prevents that server from being taken out of service by a flood of redirects (a DDoS). The access rule added by an interface's “Add rule to enable redirect from HTTP to HTTPS” setting is what allows this mechanism to operate.
TIP: This step applies to any interface, not just X0. Make sure to enable “Add rule to enable redirect from HTTP to HTTPS” for every interface from which users need to authenticate!
NOTE: This change isn't needed if HTTP User Login or HTTP Management is enabled on the interface, since the required access rule will then already exist.
- Turn off “Redirect HTTPS connections” on the diag page
All common modern browsers have a mechanism for detecting Internet-access login portals. It works by sending out HTTP requests and detecting when those are redirected to a login page. By disabling the redirecting of HTTPS connections on the firewall, we remove the possibility of a DDoS caused by being flooded with HTTPS redirects, while still allowing that HTTP-based portal detection to operate as it should. To access the diag page, see How can I access the internal settings of the firewall?
NOTE: Browsers send these HTTP portal detection probes separately from and concurrently with the user's own traffic, so detection operates independently of that traffic and is not affected by whether the user's traffic is HTTP or HTTPS.
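To make the portal detection described above concrete, here is an added illustration (not SonicWall code and not from this article) of what a browser's detector does with the reply to its plain-HTTP probe. The probe target and path follow the generate_204 style Chrome uses; the login-page host firewall.example.net and the two sample replies are constructed placeholders, not captured from a firewall. A 204 reply means the client already has Internet access, a 3xx redirect means a login portal answered, and anything else (a reset, garbage, an error page) is treated as blocked, which is what a browser sees for HTTPS when the firewall does not redirect HTTPS connections.

```python
"""Captive-portal probe handling, as an added illustration (not SonicWall code).

Browsers detect a login portal by sending a plain-HTTP probe to a known URL
and checking whether the reply is the expected one or a redirect to a login
page. The sample replies below are constructed, not captured from a firewall.
"""
from urllib.parse import urlsplit

# Probe target in the style of Chrome's generate_204 check: the real server
# answers 204 No Content, so anything else means something intercepted it.
PROBE_HOST = "www.gstatic.com"
PROBE_PATH = "/generate_204"
PROBE_EXPECTED = 204


def build_probe_request(host: str, path: str) -> bytes:
    """Build the minimal HTTP/1.1 GET a browser-style probe sends."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, headers, body).

    Raises ValueError for anything that is not an HTTP response at all.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)   # ValueError if malformed
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers, body


def classify_probe_response(raw: bytes, expected_code: int) -> dict:
    """Decide what a probe reply means, the way a browser's detector does.

    "open"    - the reply is what the probe target itself sends
    "portal"  - a login portal intercepted the probe (redirect or in-line page)
    "blocked" - no usable HTTP reply (reset, garbage, error status)
    """
    try:
        code, headers, body = parse_response(raw)
    except ValueError:
        return {"state": "blocked"}
    if code == expected_code:
        return {"state": "open"}
    location = headers.get("location")
    if 300 <= code < 400 and location:
        login = urlsplit(location)
        return {
            "state": "portal",
            "login_url": location,
            "login_host": login.hostname,
            # A login page should itself be served over HTTPS.
            "login_https": login.scheme == "https",
        }
    if code == 200 and body:
        # Some portals serve the login page in-line instead of redirecting.
        return {"state": "portal", "login_url": None,
                "login_host": None, "login_https": False}
    return {"state": "blocked"}


# Constructed sample replies: the probe target's answer for an already
# authenticated user, and a firewall's redirect for an unauthenticated one.
OPEN_REPLY = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
PORTAL_REPLY = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://firewall.example.net/auth1.html\r\n"   # placeholder host
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(build_probe_request(PROBE_HOST, PROBE_PATH).decode())
    for raw in (OPEN_REPLY, PORTAL_REPLY, b"garbage"):
        print(classify_probe_response(raw, PROBE_EXPECTED))
```

Running the block prints the probe request followed by one classification per sample reply. The point for this article is the third case: with “Redirect HTTPS connections” turned off, only the plain-HTTP probe ever reaches a redirect, so the browser still discovers the login page while the firewall's web server never has to answer a flood of HTTPS connections it cannot usefully redirect.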
- Below are screenshots of how the browsers present the link to the firewall login page when they detect it.
[Screenshot: Chrome and Edge show a similar page, with minor differences.]
[Screenshot: the Firefox page.]
ISSUE ID:
GEN7-40050