Add Access rules for browser-based user authentication

Browser-based user authentication is not allowed by default in the Firewall Template policy. You must add Access rules that allows this traffic to the Engine Policy.

To reduce the risk of resource consumption or DoS (denial of service) attacks, we recommend limiting the number of connections from each source IP address. Under normal conditions, there should only be one connection at a time from each source IP address. However, incomplete connections or other network errors might temporarily result in more than one simultaneous connection attempt from the same IP address. Set the limit for your simultaneous connections according to your network environment so that the limit does not interfere with legitimate connection attempts.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Browse to Policies > <Policy type>.
  3. Right-click a policy, then select Edit <Policy name>.
  4. Add the following IPv4 or IPv6 Access rule:
    Table 1. Access rule for browser-based user authentication
    Source Destination Service Action
    ANY $$Local Cluster (CVI addresses only) or $$Interface ID X. (If specific listening interfaces are selected on the General tab in the Browser-Based User Authentication Properties.) HTTP, HTTPS, or both (Port settings must be the same as defined on the General tab in the Browser-Based User Authentication Properties.) Allow

    Connection tracking: Default

    Connection limit by Source: the number of simultaneous connection attempts you want to allow

  5. Click Save and Install.