Excluding IP addresses from authentication
07/10/2023
Description
This article describes a method to "white-list" IP addresses so that users at those addresses do not need to authenticate by either SSO or ULA.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that differ from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.
- Log in to the Firewall Management UI, navigate to Object | Match Objects | Addresses and Add a new Address object containing the IP addresses to be white-listed.
- If using Access rules for user authentication, add an additional rule with the source set to the newly created address object and Users allowed set to All.
- If you also want the IP addresses to bypass SSO, navigate to Device | Users | Settings and click Configure SSO. On the Enforcement tab, click Add Bypass in the SSO bypass section and select the address object configured to bypass SSO. Note that users at these IP addresses will then get the default CFS policy applied and will not be included in IPS policies, App Rules etc. that include particular users.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that differ from SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.
- Log in to the firewall management UI, navigate to Manage | Policies | Objects | Address Objects and create a new address object containing the IP address to be whitelisted.
- If using Access rules for user authentication, add an additional rule with the source set to the newly created address object and Users allowed set to All.
- If you also want the IP addresses to bypass SSO, navigate to Manage | Users | Settings and click Configure SSO. On the Enforcement tab, click Add Bypass in the SSO bypass section and select the address object configured to bypass SSO. Note that users at these IP addresses will then get the default CFS policy applied and will not be included in IPS policies, App Rules etc. that include particular users.
Resolution for SonicOS 6.2 and Below
The resolution below is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
- Create an Address Object under Network | Address Objects, containing the IP addresses to be white-listed.
- If using Access Rules for user authentication then add an additional rule with the Source as the newly created Address Object and Users Allowed set to All.
- If you also want the IP addresses to bypass SSO then select that Address Object with "Bypass the Single Sign On process for traffic from" on the Enforcement tab of the SSO configuration. Note that users at these IP addresses will then get the default CFS policy applied and will not be included in IPS policies, App Rules etc. that include particular users.
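All three resolutions above end with an address object that exempts every host at the listed IPs from authentication and from user-based policies. As an added example (not SonicWall code and not part of the original article), this Python script reviews a proposed bypass list before it is entered in the UI; the entry names, the DHCP pool and the size threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample input: (name, type, value) per proposed address object.
BYPASS_ENTRIES = [
    ("printer-01", "host", "10.10.5.20"),
    ("kiosks", "range", "10.10.5.100-10.10.5.131"),
    ("lab-net", "network", "10.10.16.0/20"),
]
DHCP_POOLS = ["10.10.5.128/25"]  # assumed dynamic-lease scopes on the LAN
MAX_ADDRESSES = 256              # assumed review threshold per entry


def to_networks(kind, value):
    """Expand a host, range or network entry into ip_network objects."""
    if kind == "host":
        return [ipaddress.ip_network(value)]
    if kind == "network":
        # strict=True rejects values with host bits set (e.g. 10.0.0.5/24)
        return [ipaddress.ip_network(value, strict=True)]
    if kind == "range":
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        if first > last:
            raise ValueError(f"range start is after range end: {value}")
        return list(ipaddress.summarize_address_range(first, last))
    raise ValueError(f"unknown entry type: {kind}")


def audit(entries, dhcp_pools, max_addresses=MAX_ADDRESSES):
    """Return (name, address_count, findings) for each proposed entry."""
    pools = [ipaddress.ip_network(p) for p in dhcp_pools]
    report = []
    for name, kind, value in entries:
        nets = to_networks(kind, value)
        size = sum(n.num_addresses for n in nets)
        findings = []
        if size > max_addresses:
            findings.append("broad")          # exempts more hosts than expected
        if any(n.overlaps(p) for n in nets for p in pools):
            findings.append("overlaps-dhcp")  # exemption follows the lease, not the user
        report.append((name, size, findings))
    return report


if __name__ == "__main__":
    for name, size, findings in audit(BYPASS_ENTRIES, DHCP_POOLS):
        print(f"{name:12} {size:6} {', '.join(findings) or 'ok'}")
```

Entries flagged `overlaps-dhcp` are better served by a static address or DHCP reservation before they are white-listed, since any device that later receives that lease inherits the bypass.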