PAM Wallix Bastion - Admin Guide en 10.0 Hotfix5 - Complete

BASTION DOCUMENTATION
WALLIX Bastion 10.0

hotfix 5
ADMINISTRATION GUIDE
Reference: https://doc.wallix.com/en/Bastion/10.0/Bastion-admin-guide-en.pdf
Copyright © 2023 WALLIX

WALLIX Bastion 10.0.5 – Administration Guide
Table of Contents
1. Introduction .......................................................................................................................... 12
1.1. Preamble ................................................................................................................... 12
1.2. Copyright & Licenses ................................................................................................ 12
1.3. Third-party components ............................................................................................ 12
1.4. Legend ...................................................................................................................... 12
1.5. About this document ................................................................................................. 13
2. Compatibility and limits ........................................................................................................ 14
3. Glossary ............................................................................................................................... 15
4. Concepts .............................................................................................................................. 17
4.1. General information ................................................................................................... 17
4.2. Positioning of WALLIX Bastion in the network infrastructure ...................................... 17
4.3. The concept of WALLIX Bastion ACLs ...................................................................... 18
4.4. Roll-out ...................................................................................................................... 19
4.5. Rights of the user connected to WALLIX Bastion ...................................................... 19
4.6. Data encryption ......................................................................................................... 19
4.6.1. Administration with HTTPS protocol (Web interface and API) ......................... 20
4.6.2. Administration with SSH protocol ................................................................... 20
4.6.3. RDP (TLS based) primary connection algorithms ........................................... 21
4.6.4. SSH primary connection algorithms ............................................................... 22
4.6.5. Secondary connection algorithms ................................................................... 22
5. Specific features .................................................................................................................. 23
5.1. WALLIX Session Manager ........................................................................................ 23
5.2. WALLIX Password Manager ..................................................................................... 23
5.3. Password external vault ............................................................................................ 23
5.4. High-Availability ......................................................................................................... 24
6. Getting started with WALLIX Bastion ................................................................................... 25
6.1. Pre-configuration of TCP and UDP network ports ..................................................... 25
6.1.1. Communication from WALLIX Bastion ............................................................ 25
6.1.2. Communication to WALLIX Bastion ................................................................ 25
6.2. Using the command line to connect to WALLIX Bastion ............................................ 26
6.3. Browsing through the menu of the Web interface ..................................................... 27
6.4. Availability of specific management features ............................................................. 32
6.4.1. Session management ..................................................................................... 32
6.4.2. Password management .................................................................................. 32
6.5. Managing data search, sort and layout customization in the tables of the Web
interface ........................................................................................................................... 32
6.5.1. Search data ................................................................................................... 32
6.5.2. Sort data ........................................................................................................ 33
6.5.3. Customize layout ............................................................................................ 33
6.5.4. Delete data .................................................................................................... 34
7. Login on the Web interface ................................................................................................. 35
7.1. Access to the Web administration interface .............................................................. 35
7.2. Description of the home page ................................................................................... 37
7.3. Setting your preferences ........................................................................................... 38
7.4. Summary ................................................................................................................... 39
8. Appliance configuration ........................................................................................................ 40
8.1. Interface configuration ............................................................................................... 41
8.1.1. Configuring the Web user interface ................................................................ 41
8.1.2. Configuring the session timeout ..................................................................... 42
8.1.3. Configuring the OEM ..................................................................................... 42
8.1.4. Configuring the display of a banner message ................................................ 44
2
8.2. License ..................................................................................................................... 44

8.2.1. Managing the license key from the command line .......................................... 46
8.2.2. Managing the sending of notifications ............................................................ 46
8.3. Encryption ................................................................................................................. 46
8.4. System status ........................................................................................................... 48
8.5. System logs .............................................................................................................. 49
8.6. Network ..................................................................................................................... 49
8.7. Time service ............................................................................................................. 52
8.8. Remote storage ........................................................................................................ 53
8.9. SIEM integration ....................................................................................................... 54
8.10. SNMP ...................................................................................................................... 55
8.11. Service control ........................................................................................................ 59
8.11.1. Service mapping ........................................................................................... 59
8.11.2. Service activation ......................................................................................... 60
8.12. SMTP server ........................................................................................................... 61
8.13. Backup and Restoration .......................................................................................... 62
8.13.1. Restoration of configuration files .................................................................. 63
8.13.2. Backup/Restoration from the command line ................................................. 64
8.13.3. Automatic backup configuration .................................................................... 65
8.13.4. Automatic backup purge .............................................................................. 66
8.14. High-Availability ....................................................................................................... 67
8.14.1. Operating limitations and pre-requisites ....................................................... 67
8.14.2. Cluster configuration .................................................................................... 67
8.14.3. Starting the cluster ....................................................................................... 68
8.14.4. Stopping/Restarting the cluster ..................................................................... 68
8.14.5. Recovery from fatal error (WALLIX Bastion HA is locked down) ................... 69
8.14.6. Network outages and Split-Brain .................................................................. 69
8.14.7. Reconfiguring the cluster network ................................................................ 70
8.14.8. Replacing a faulty machine .......................................................................... 70
8.14.9. Recovering a faulty volume .......................................................................... 70
8.14.10. High-Availability operation tests .................................................................. 71
9. Users ................................................................................................................................... 74
9.1. User accounts ........................................................................................................... 74
9.1.1. Add a user ..................................................................................................... 75
9.1.2. Edit a user ..................................................................................................... 77
9.1.3. Delete a user ................................................................................................. 77
9.1.4. View the user's rights on the GUI .................................................................. 77
9.1.5. View the devices, applications and target accounts accessible by a user ........ 78
9.1.6. Import users ................................................................................................... 78
9.2. User groups .............................................................................................................. 83
9.2.1. Add a user group ........................................................................................... 84
9.2.2. Edit a user group ........................................................................................... 85
9.2.3. Delete a user group ....................................................................................... 85
9.2.4. View the user group members ....................................................................... 86
9.2.5. Import user groups ......................................................................................... 86
9.3. User profiles .............................................................................................................. 87
9.3.1. Default profiles ............................................................................................... 87
9.3.2. Add a user profile .......................................................................................... 88
9.3.3. Edit a user profile .......................................................................................... 89
9.3.4. Delete a user profile ...................................................................................... 90
9.3.5. Import user profiles ........................................................................................ 90
9.4. User data retention policy ......................................................................................... 94
9.5. Notification configuration ........................................................................................... 95
3
9.5.1. Add a notification ........................................................................................... 96

9.5.2. Edit a notification ........................................................................................... 97
9.5.3. Delete a notification ....................................................................................... 97
9.5.4. Create custom notification templates .............................................................. 97
9.6. Local password policy configuration .......................................................................... 99
9.7. X509 certificate authentication configuration ........................................................... 101
9.7.1. Setting X509 certificate authentication .......................................................... 101
9.7.2. CRL management ........................................................................................ 103
9.7.3. OCSP management ..................................................................................... 104
9.7.4. User authentication configuration ................................................................. 105
9.7.5. X509 authentication ...................................................................................... 106
9.7.6. Disable and unset X509 certificate authentication mode ............................... 108
9.8. External authentication configuration ....................................................................... 109
9.8.1. Add an external authentication ..................................................................... 110
9.8.2. Edit an external authentication ..................................................................... 118
9.8.3. Delete an external authentication ................................................................. 118
9.9. Configuration of LDAP, Active Directory or Azure AD domain mapping .................... 118
9.9.1. Add an authentication domain ...................................................................... 119
9.9.2. Edit an authentication domain ...................................................................... 128
9.9.3. Delete an authentication domain .................................................................. 129
9.9.4. Import authentication domains ..................................................................... 129
9.9.5. Import authentication domain mappings on user groups ............................... 132
10. Targets ............................................................................................................................. 135
10.1. Devices ................................................................................................................. 135
10.1.1. Add a device .............................................................................................. 135
10.1.2. Edit a device .............................................................................................. 140
10.1.3. Use tags to organize devices ..................................................................... 140
10.1.4. Delete a device .......................................................................................... 141
10.1.5. Import devices ............................................................................................ 142
10.1.6. SSH specific options .................................................................................. 143
10.1.7. RDP specific options .................................................................................. 144
10.2. Applications ........................................................................................................... 145
10.2.1. Configure the jump server .......................................................................... 146
10.2.2. Configure the application launch using RemoteApp mode .......................... 147
10.2.3. Automate connections to an application using AutoIt scripts ....................... 148
10.2.4. Automate connections to a Web application using WALLIX Application
Driver ...................................................................................................................... 149
10.2.5. Add an application ..................................................................................... 157
10.2.6. Edit an application ...................................................................................... 158
10.2.7. Delete an application .................................................................................. 158
10.2.8. Add an account to the application .............................................................. 158
10.2.9. Manage the resource associations with the application .............................. 158
10.2.10. Import applications ................................................................................... 159
10.3. Domains ................................................................................................................ 160
10.3.1. Add a global domain .................................................................................. 162
10.3.2. Associate the domain with an SSH Certificate Authority ............................. 163
10.3.3. Edit a global or a local domain ................................................................... 164
10.3.4. Add an account to the global or a local domain .......................................... 165
10.3.5. Change the passwords for all the accounts on the global domain ............... 165
10.3.6. Change the passwords for all the accounts on the local domain ................. 165
10.3.7. Revoke the signed certificate for the accounts on the domain associated
with a Certificate Authority ..................................................................................... 166
10.3.8. Delete a global domain .............................................................................. 166
4
10.3.9. Import global domains ................................................................................ 166

10.3.10. Import local domains ................................................................................ 169
10.4. Target accounts ..................................................................................................... 171
10.4.1. Add a target account to a global domain .................................................... 172
10.4.2. Add a target account to a device ............................................................... 175
10.4.3. Add a target account to an application ....................................................... 177
10.4.4. Edit a target account .................................................................................. 178
10.4.5. Change the credentials automatically for one or several accounts .............. 179
10.4.6. Change the credentials manually for a given target account ....................... 179
10.4.7. Delete a target account .............................................................................. 180
10.4.8. Import target accounts ............................................................................... 180
10.5. Target groups ........................................................................................................ 183
10.5.1. Add a target group ..................................................................................... 183
10.5.2. Edit a target group ..................................................................................... 194
10.5.3. Delete a target group ................................................................................. 194
10.5.4. Import target groups ................................................................................... 194
10.6. Clusters ................................................................................................................. 196
10.6.1. Add a cluster .............................................................................................. 196
10.6.2. Edit a cluster .............................................................................................. 197
10.6.3. Delete a cluster .......................................................................................... 197
10.6.4. Import clusters ............................................................................................ 197
10.7. External password vault plugins ............................................................................ 198
10.7.1. Bastion plugin ............................................................................................ 199
10.7.2. CyberArk Enterprise Password Vault plugin ............................................... 199
10.7.3. HashiCorp Vault plugin ............................................................................... 200
10.7.4. Thycotic Secret Server plugin .................................................................... 202
10.8. Checkout policies .................................................................................................. 205
10.8.1. Add a checkout policy ................................................................................ 206
10.8.2. Edit a checkout policy ................................................................................ 207
10.8.3. Delete a checkout policy ............................................................................ 207
10.9. Discovery .............................................................................................................. 208
10.9.1. Scan configuration ...................................................................................... 208
10.9.2. View the results of a scan job .................................................................... 215
10.9.3. Onboarding ................................................................................................. 216
11. Password management .................................................................................................... 221
11.1. User authorizations on passwords ......................................................................... 221
11.1.1. Password access through an approval workflow ......................................... 222
11.2. Password change plugins ...................................................................................... 223
11.2.1. Plugin matrix .............................................................................................. 224
11.2.2. Cisco plugin ................................................................................................ 225
11.2.3. Dell iDRAC plugin ...................................................................................... 225
11.2.4. Fortinet FortiGate plugin ............................................................................. 226
11.2.5. IBM 3270 .................................................................................................... 226
11.2.6. Juniper SRX plugin ..................................................................................... 229
11.2.7. LDAP plugin ............................................................................................... 229
11.2.8. MySQL plugin ............................................................................................. 230
11.2.9. Oracle plugin .............................................................................................. 231
11.2.10. Palo Alto PA-500 plugin ............................................................................ 231
11.2.11. Unix plugin ................................................................................................ 232
11.2.12. Windows plugin ........................................................................................ 233
11.2.13. WindowsService plugin ............................................................................. 234
11.2.14. Cisco Nexus plugin ................................................................................... 235
11.2.15. HP-ILO plugin ........................................................................................... 235
5
11.2.16. Checkpoint plugin ..................................................................................... 236

11.2.17. Ultra VNC plugin ...................................................................................... 236
11.2.18. AIX plugin ................................................................................................. 236
11.2.19. Citrix ADC plugin ...................................................................................... 237
11.2.20. Esx plugin ................................................................................................. 238
11.2.21. F5 plugin .................................................................................................. 238
11.3. Password change policies ..................................................................................... 239
11.3.1. Add a password change policy ................................................................... 239
11.3.2. Edit a password change policy ................................................................... 241
11.3.3. Delete a password change policy ............................................................... 241
11.4. "Break glass" mechanism configuration ................................................................. 241
12. Session management ...................................................................................................... 243
12.1. User authorizations on sessions ........................................................................... 243
12.1.1. Specific options for SSH sessions .............................................................. 244
12.1.2. Specific options for RDP sessions .............................................................. 244
12.1.3. Session access through an approval workflow ........................................... 245
12.2. Target connection in interactive mode for SCP and SFTP protocols ...................... 247
12.3. Audit data .............................................................................................................. 248
12.3.1. Current sessions ........................................................................................ 248
12.3.2. Current sessions in real-time view .............................................................. 249
12.3.3. Session sharing and remote control on RDP current sessions .................... 250
12.3.4. Session history ........................................................................................... 250
12.3.5. Session recordings ..................................................................................... 252
12.3.6. Account history ........................................................................................... 256
12.3.7. Approval history ......................................................................................... 257
12.3.8. Authentication history ................................................................................. 258
12.3.9. Connection statistics .................................................................................. 259
12.4. Connection policies ............................................................................................... 261
12.4.1. Add a connection policy ............................................................................. 262
12.4.2. Edit a connection policy ............................................................................. 263
12.4.3. Delete a connection policy ......................................................................... 263
12.5. Session recording options ..................................................................................... 264
12.6. Universal Tunneling sessions (RAWTCPIP) .......................................................... 264
12.6.1. Prerequisites .............................................................................................. 265
12.6.2. Specific options .......................................................................................... 265
12.6.3. Configuration to access an IT or OT target ................................................ 266
12.6.4. Audit ........................................................................................................... 266
12.7. Transformation rule to get a login for secondary connection .................................. 267
12.8. Transformation rule to retrieve the credentials of an account in the vault of
WALLIX Bastion ............................................................................................................. 267
12.9. Using an antivirus software or a DLP (Data Loss Prevention) solution with ICAP ... 269
12.9.1. Configuration of connection to ICAP servers .............................................. 269
12.9.2. Enabling file verification .............................................................................. 270
12.9.3. Blocking file transfer on invalid verification ................................................. 270
12.9.4. Enabling file storage on invalid verification ................................................. 271
12.10. Enabling storage of files transferred during the RDP or SSH session .................. 271
12.11. Enabling smart card authentication on targets for RDP protocol .......................... 271
12.12. Setting up an AD authentication silo ................................................................... 272
12.12.1. General description .................................................................................. 272
12.12.2. Procedure ................................................................................................. 272
12.13. Configuration of recorded sensitive data in logs for RDP protocol ........................ 274
12.14. Allowing or rejecting dynamic virtual channels for RDP protocol .......................... 274
6
12.15. Log configuration of all the keyboard input for RLOGIN, SSH and TELNET
protocols ......................................................................................................................... 275
12.16. TELNET/RLOGIN connection scenario on a target device ................................... 275
12.17. Configuration of cryptographic algorithms supported on target devices ................ 277
12.17.1. SSH cryptographic settings on target devices .......................................... 277
12.17.2. RDP cryptographic settings on target devices .......................................... 277
12.18. Connecting to a VNC session over an SSH tunnel .............................................. 277
12.19. SSH startup scenario on a target device ............................................................. 278
12.19.1. Commands ............................................................................................... 278
12.19.2. Token ....................................................................................................... 279
12.19.3. Startup scenario configuration .................................................................. 281
12.20. Transparent mode configuration for RDP and SSH proxies ................................. 281
12.21. Enabling KeepAlive function for the proxies ........................................................ 282
12.21.1. Enabling KeepAlive function for connection between the RDP proxy and
the RDP client ........................................................................................................ 282
12.21.2. Enabling KeepAlive function for connection between the SSH proxy and
the SSH client ........................................................................................................ 283
12.21.3. Enabling KeepAlive function for connection between the SSH proxy and
the SSH target server ............................................................................................ 283
12.22. Using the session probe mode ............................................................................ 283
12.22.1. Default operating mode ............................................................................ 284
12.22.2. Choice of the launcher ............................................................................. 285
12.22.3. Prerequisites ............................................................................................ 285
12.22.4. Configuration ............................................................................................ 286
12.22.5. Launching the session probe from a specific directory .............................. 290
12.23. Using the session probe mode with the WALLIX BestSafe agent ........................ 291
12.23.1. Enabling the interaction with the WALLIX BestSafe agent ........................ 291
12.23.2. Event logging ........................................................................................... 291
12.23.3. Detection of outbound connections .......................................................... 291
12.23.4. Detection of process launching ................................................................ 291
12.24. Load balancing with Remote Desktop Connection Broker ................................... 291
12.24.1. Prerequisites ............................................................................................ 292
12.24.2. Configuration ............................................................................................ 293
12.25. Connection messages ......................................................................................... 293
13. Dashboards ...................................................................................................................... 295
13.1. Administration dashboard ...................................................................................... 295
13.1.1. View the data on the “Connection data” tab ............................................... 295
13.1.2. View the data on the “Connection indicators” tab ....................................... 296
13.1.3. Common features ....................................................................................... 297
13.2. Audit dashboard .................................................................................................... 297
13.2.1. View the data ............................................................................................. 298
13.2.2. Common features ....................................................................................... 299
14. Authorization management ............................................................................................... 301
14.1. Add an authorization ............................................................................................. 301
14.2. Edit an authorization ............................................................................................. 302
14.3. Delete an authorization ......................................................................................... 302
14.4. Import authorizations ............................................................................................. 302
14.5. View the current approvals .................................................................................... 305
14.6. View the approval history ...................................................................................... 306
14.7. Approval workflow ................................................................................................. 307
14.7.1. Workflow configuration ............................................................................... 308
14.7.2. Workflow steps ........................................................................................... 309
14.8. Time frame configuration ....................................................................................... 309
7
14.8.1. Add a time frame ....................................................................................... 310

14.8.2. Edit a time frame ....................................................................................... 311
14.8.3. Delete a time frame ................................................................................... 311
15. Specific commands .......................................................................................................... 312
15.1. Use the command line to connect to WALLIX Bastion ........................................... 313
15.2. Restore WALLIX Bastion to factory settings .......................................................... 313
15.3. Restore the factory-set administrator account ....................................................... 314
15.4. Change the password of the factory-set administrator account .............................. 314
15.5. Set encryption key of WALLIX Bastion .................................................................. 314
15.6. Unlock encryption key of WALLIX Bastion ............................................................ 314
15.7. Reset data encryption in WALLIX Bastion ............................................................. 315
15.8. Get the version information of WALLIX Bastion ..................................................... 315
15.9. Change the keyboard layout ................................................................................. 315
15.10. Get the GUI URL ................................................................................................ 315
15.11. Change the GRUB password .............................................................................. 316
15.12. Change the network configuration ....................................................................... 316
15.13. Change the security level configuration ............................................................... 316
15.14. Configure services .............................................................................................. 317
15.15. Configure High-Availability (HA) .......................................................................... 317
15.16. Generate the report on the system status ........................................................... 317
15.17. Manage the license key ...................................................................................... 317
15.18. Use WABConsole to change the user password ................................................. 318
15.19. Display the content of "journalctl" logs ................................................................ 318
15.20. Export and/or purge session recordings manually ............................................... 318
15.21. Export and/or purge session recordings automatically ......................................... 320
15.22. Move local session recordings to remote storage ................................................ 321
15.23. Re-import archived session recordings ................................................................ 322
15.24. Check integrity of session log files ...................................................................... 322
15.25. Change target servers identification .................................................................... 323
15.26. Configure TLS options for LDAP external authentication ..................................... 323
15.27. Configure TLS client for SIEM integration ........................................................... 323
15.28. Change self-signed certificates of services .......................................................... 324
15.28.1. Change the certificate for the Web interface and the API .......................... 324
15.28.2. Change the RDP proxy certificate ............................................................ 325
15.28.3. Change the SSH proxy host key .............................................................. 325
15.29. Cryptographic configuration of services ............................................................... 325
15.29.1. Configure the security level to restore RDP protocol compatibility ............. 325
15.29.2. Configure the security level to restore SSH protocol compatibility ............. 326
15.29.3. Restore default cryptographic settings ...................................................... 326
15.30. Update the CRL (Certificate Revocation List) ...................................................... 326
15.31. Change the Redis password ............................................................................... 327
16. REST API Web Services ................................................................................................. 329
16.1. WALLIX Bastion REST API documentation ........................................................... 329
16.2. SCIM REST API documentation ........................................................................... 329
16.3. REST API key management ................................................................................. 329
16.3.1. Generate an API key ................................................................................. 330
16.3.2. Edit an API key .......................................................................................... 330
16.3.3. Delete an API key ...................................................................................... 330
17. SIEM messages ............................................................................................................... 331
17.1. Logs from WALLIX Bastion boot/reboot ................................................................ 331
17.2. Logs from authentication ....................................................................................... 331
17.2.1. Successful authentication ........................................................................... 331
17.2.2. Authentication failure .................................................................................. 332
8
17.2.3. Authentication cancellation (either by the client or by the user) ................... 332
17.3. Logs from WALLIX Bastion Web interface ............................................................ 332
17.3.1. Object type: Account .................................................................................. 332
17.3.2. Object type: Account activity (Audit) ........................................................... 333
17.3.3. Object type: Account history (Audit) ........................................................... 333
17.3.4. Object type: Answer from approval request ................................................ 333
17.3.5. Object type: API key .................................................................................. 333
17.3.6. Object type: Application .............................................................................. 333
17.3.7. Object type: Application path ...................................................................... 334
17.3.8. Object type: Approval ................................................................................. 334
17.3.9. Object type: Authorization .......................................................................... 334
17.3.10. Object type: Backup/Restore .................................................................... 335
17.3.11. Object type: Checkout policy .................................................................... 335
17.3.12. Object type: Cluster .................................................................................. 335
17.3.13. Object type: Connection policy ................................................................. 336
17.3.14. Object type: Credential change information .............................................. 336
17.3.15. Object type: Password change policy ....................................................... 337
17.3.16. Object type: Device .................................................................................. 337
17.3.17. Object type: Global domain ...................................................................... 337
17.3.18. Object type: LDAP domain ....................................................................... 338
17.3.19. Object type: LDAP mapping ..................................................................... 338
17.3.20. Object type: Local domain ........................................................................ 338
17.3.21. Object type: Notification ........................................................................... 338
17.3.22. Object type: Period ................................................................................... 339
17.3.23. Object type: Profile ................................................................................... 339
17.3.24. Object type: Local password policy .......................................................... 339
17.3.25. Object type: Recording options ................................................................ 339
17.3.26. Object type: Restriction ............................................................................ 340
17.3.27. Object type: Service ................................................................................. 340
17.3.28. Object type: Session logs ......................................................................... 340
17.3.29. Object type: Target group ......................................................................... 340
17.3.30. Object type: Time frame ........................................................................... 341
17.3.31. Object type: User ..................................................................................... 341
17.3.32. Object type: External authentication ......................................................... 341
17.3.33. Object type: User group ........................................................................... 342
17.3.34. Object type: X509 parameters (CRL) ....................................................... 342
17.4. Logs from the SSH service ................................................................................... 342
17.4.1. Flow of a successful session ...................................................................... 342
17.4.2. Flow of a connection failure: connection denied, machine is powered off or
service unavailable ................................................................................................. 344
17.4.3. Flow of a connection failure: invalid target or access denied ....................... 344
17.4.4. Successful session opening ....................................................................... 345
17.4.5. Session opening failure .............................................................................. 345
17.4.6. Session disconnection ................................................................................ 345
17.4.7. Channel events .......................................................................................... 345
17.4.8. Request events .......................................................................................... 346
17.4.9. Pattern detection on shell or remote command .......................................... 347
17.4.10. Command detection on Cisco devices ..................................................... 347
17.4.11. SFTP actions ............................................................................................ 348
17.4.12. File size restriction on SFTP .................................................................... 348
17.4.13. Beginning of file transfer on SFTP ........................................................... 348
17.4.14. End of file transfer on SFTP with file size and hash .................................. 348
17.4.15. File size restriction on SCP ...................................................................... 348
9
17.4.16. Beginning of file transfer on SCP ............................................................. 349

17.4.17. End of file transfer on SCP with file size and hash ................................... 349
17.4.18. User typed keyboard input ....................................................................... 349
17.4.19. Export group membership for target account in session metadata ............ 349
17.4.20. File verification by ICAP server ................................................................ 349
17.5. Logs from the RDP service ................................................................................... 350
17.5.1. Flow of a connection failure: connection denied, machine is powered off or
service unavailable ................................................................................................. 350
17.5.2. Flow of a connection failure: invalid target or access denied ....................... 350
17.5.3. Successful session opening ....................................................................... 351
17.5.4. Upload file via clipboard ............................................................................. 351
17.5.5. Download file via clipboard ........................................................................ 351
17.5.6. Upload data via clipboard (such as image, sound, etc. except Unicode text
format or local data) ............................................................................................... 351
17.5.7. Download data via clipboard (such as image, sound, etc. except Unicode
text format or local data) ........................................................................................ 352
17.5.8. Upload data via clipboard (such as Unicode text format or local data) ......... 352
17.5.9. Download data via clipboard (such as Unicode text format or local data) .... 352
17.5.10. Reading workstation file from server ........................................................ 352
17.5.11. Writing workstation file by server .............................................................. 352
17.5.12. Target disconnected the session .............................................................. 353
17.5.13. Session ended by proxy ........................................................................... 353
17.5.14. Session ending in progress ...................................................................... 354
17.5.15. Window title bars as detected by the Session Probe ................................ 354
17.5.16. Window title bars as detected by OCR ..................................................... 354
17.5.17. User typed keycodes translated using the current layout .......................... 354
17.5.18. Click on a button in a window .................................................................. 354
17.5.19. Text edition in a text field in a window ...................................................... 355
17.5.20. Focus in and out on a password text box ................................................. 355
17.5.21. Focus in and out on an unidentified input field ......................................... 355
17.5.22. New active windows detected by the Session Probe ................................ 355
17.5.23. Change of keyboard layout ...................................................................... 355
17.5.24. Creation of a new process ....................................................................... 355
17.5.25. Process ended ......................................................................................... 356
17.5.26. Process blocked ....................................................................................... 356
17.5.27. VNC session initiated ............................................................................... 356
17.5.28. VNC session ended ................................................................................. 356
17.5.29. UAC prompt displayed ............................................................................. 356
17.5.30. X509 server certificate match ................................................................... 357
17.5.31. Connection to server allowed ................................................................... 357
17.5.32. New X509 certificate created ................................................................... 357
17.5.33. X509 server certificate match failure ........................................................ 357
17.5.34. X509 server certificate internal error ......................................................... 357
17.5.35. Kerberos ticket creation ............................................................................ 357
17.5.36. Kerberos ticket deletion ............................................................................ 357
17.5.37. State of check boxes in metadata collected by the Session Probe ............ 358
17.5.38. Web navigation data collected from the Session Probe ............................ 358
17.5.39. Export group membership for target account in session metadata ............ 359
17.5.40. File verification by ICAP server ................................................................ 359
17.5.41. Opening of dynamic virtual channel ......................................................... 360
17.6. Logs from the system ........................................................................................... 360
17.6.1. Integrity of session log files ........................................................................ 360
17.6.2. System configuration changes .................................................................... 361
10
17.7. Logs from vault activities ....................................................................................... 362

18. Contact WALLIX Bastion Support .................................................................................... 363
Index ...................................................................................................................................... 364
11
Chapter 1. Introduction
1.1. Preamble
Thank you for choosing WALLIX Bastion.
The WALLIX Bastion solution is marketed in the form of a dedicated, ready-to-use server or as a
virtual device for the following virtual environments:
• Amazon Web Services (AWS)

• Google Cloud Platform (GCP)
• Kernel-based Virtual Machine (KVM)
• Microsoft Azure
• Microsoft Hyper-V
• Nutanix AHV
• OpenStack
• VMware vSphere
This product has been engineered with the greatest care by our teams at WALLIX and we trust that
it will deliver complete satisfaction.
1.2. Copyright & Licenses

This document is the property of WALLIX and may not be reproduced without its prior consent.
All the product or company names mentioned herein are the registered trademarks of their
respective owners.
WALLIX Bastion is subject to the WALLIX software license contract.
WALLIX Bastion is based on free software. The list and source code of GPL and LGPL licensed
software used by WALLIX Bastion are available from WALLIX. Please send your request on Internet
by creating a new case at https://support.wallix.com/ or in writing to:
WALLIX
Service Support
250 bis, Rue du Faubourg Saint-Honoré
75008 PARIS
FRANCE
1.3. Third-party components

Please refer to the Third-Party Components document to get the list of packages being modified by
WALLIX and the information related to the license agreement terms.
1.4. Legend
prompt $ command to input <parameter to replace>
command output
12
on one or more lines

prompt $
1.5. About this document

This document is the Administration Guide for WALLIX Bastion 10.0.5. Use it to configure WALLIX
Bastion prior to roll-out, and also for its administration and day-to-day operation.
The following documents are also provided by WALLIX:
• a Quick Start Guide to guide you through the initial start-up of your device (physical or virtual
appliance) for configuration or give you indication to access images for deployment of WALLIX
Bastion on virtual environments
• a User Guide to help you use WALLIX Bastion to connect to the devices you administer.
They can be downloaded from the WALLIX Support portal (https://support.wallix.com

[https://support.wallix.com/]).
13
Chapter 2. Compatibility and limits

Please refer to the Release Notes document to check the compatibility of WALLIX Bastion 10.0.5
with various clients or targets and learn more about the known limitations/issues and also the
technical requirements and feature enhancements of this latest version.
We do not recommend modifying your system configuration or installing an additional software as

it could prevent your WALLIX Bastion from being fully operational. Any additional tool or software
installation should only be performed upon instruction from the WALLIX Support Team. For further
information, refer to Chapter 18, “Contact WALLIX Bastion Support”, page 363.
14
Chapter 3. Glossary
You will encounter the following technical terms as you work with WALLIX Bastion and you go
through the sections of this guide. This list is not exhaustive.
ACL Acronym for "Access Control List". This is a system to manage

access to a resource (a device, file, etc.).
Account An entity (managed by WALLIX Bastion or by an external
password vault) that allows a user to be authenticated to a
system and to be granted a defined level of authorization to
access resources on that system, for management purposes.
An account belongs to a domain.
Account mapping Mechanism which allows a user to establish a connection to a
resource using their credentials (user name and password). This
may be particularly useful when the user account is declared
on a company directory and is granted access on the target
resource. These primary credentials (user name and password)
are then used by an RDP or an SSH client to authenticate
a session on the remote resource. A resource can be a
specific service on some device, or an application (running on
a jump server or a cluster). As prerequisites, the user must be
authorized to access this specific resource in account mapping
mode and an account with the same user name and password
must exist on the specified resource.
Check-in Operation which consists in releasing the credentials of a given
account. This action is complementary to the checkout action. If
the lock was set on the account at checkout, it is released with
the check-in operation.
Checkout Operation which consists in recovering and displaying the
credentials of a given account. It is possible to set the lock of
the account during this operation in order to prevent concurrent
use by multiple users.
Connection scenario Scenario to automate connection to a device that does not offer
protocols supporting automated sending of credentials (SSH or
RDP).
Device Physical or virtual device for which WALLIX Bastion manages
the access to sessions or passwords.
External authentication Authentication managed by a directory external to WALLIX
Bastion.
External password vault External structure that manages accounts.
Global domain Management entity grouping multiple target accounts which can
be used to authenticate across multiple devices. A password
change process (policy and change plugin) can be applied to all
accounts in the global domain.
A global domain can be associated with a password external
vault. In this case, this domain groups accounts which are
managed externally through the association of an external vault
plugin. As a result, a password change mechanism cannot be
applied to the related accounts within WALLIX Bastion.
15
Interactive login Mechanism which allows a user to dynamically enter their user
name and enter the secondary password on the selector of the
proxy client (RDP or SSH) to access a resource. The credentials
entered by the user on this selector are then used by the proxy
to authenticate the session on the remote resource. A resource
can be a specific service on a same device, or an application
(running on a jump server or a cluster). As prerequisites, the
user must be authorized to access this specific resource in
interactive login mode and an account with the same user name
and password must exist on the specified resource.
Local authentication Authentication managed by WALLIX Bastion.
Local domain Management entity grouping multiple target accounts which can
be used to authenticate on a single device only. A password
change process (policy and change plugin) can be applied to all
accounts in the local domain.
Lock Mechanism which prevents multiple concurrent use of an
account.
Password Password, SSH key, Kerberos ticket or any other secret data
that allows the account to be authenticated to a system.
Password vault Structure that manages accounts. It allows configuration via
policies and it enforces account usage according to these
policies.
Primary connection See WALLIX Bastion connection
Resource One of the following entities: a device (association of a device
and a service in the context of account mapping), a target or an
account.
Scenario account Target account which can be used by a startup scenario at the
beginning of the SSH session.
Secondary connection See Target connection
Startup scenario Scenario which can be used at the beginning of the SSH Shell
session to perform some actions, such as, assigning the user
the "root" privileges using "su" and "sudo" commands without
having knowledge of the password.
Target See Target application and Target account
Target application A target application is characterized by the association of the
following entities: an application and an account.
Target account A target account is characterized by the association of the
following entities: a device and a service and an account.
Target connection (also called Connection initiated between WALLIX Bastion and a target
"Secondary connection") account.
WALLIX Bastion connection Connection initiated between a user and WALLIX Bastion.
(also called "Primary
connection")
16
Chapter 4. Concepts
4.1. General information
WALLIX Bastion has been developed for the technical teams who administer IT infrastructure
(servers, network and security devices, etc.). This solution has been designed to meet the access
control and traceability needs of system administrators.
WALLIX Bastion includes access control lists (ACLs) and traceability features. It constitutes a
security buffer for administrators who wish to log on to devices by:
• checking the authentication detail provided by the user

• checking their access rights for the concerned resource
• managing passwords of the target accounts
WALLIX Bastion also allows you to automate logons to target devices to enhance the security of
the information system by preventing disclosure of server authentication detail.
Protocols currently supported are as follows:
• SSH (and its sub-systems)

• TELNET, RLOGIN
• RDP and VNC
• RAW TCP/IP. This protocol allows to forward local TCP/IP connections on the client station to a
target server using local TCP/IP port forwarding. The SSH proxy acts as an SSH server whose
function is only to provide local TCP/IP port forwarding. If a shell session channel is opened at
the beginning, it will then monitor the forwarding actions performed.
WALLIX Bastion offers a Web interface (also called "GUI"), compatible with Internet Explorer,
Chrome and Firefox to monitor activity and connections and also configure its components.
4.2. Positioning of WALLIX Bastion in the

network infrastructure
WALLIX Bastion is positioned between a low trust domain and a high trust domain.
The high trust domain is represented by the set of devices isolated by WALLIX Bastion.
These devices and their related accounts are called "target accounts" in the WALLIX Bastion
terminology.
The low trust domain is represented by the population with direct access to WALLIX Bastion:
• the company’s personnel

• the Internet zone
For users of the solution, access to the target accounts (in the high trust domain) is only possible
through WALLIX Bastion.
17
Figure 4.1. WALLIX Bastion in the network infrastructure
4.3. The concept of WALLIX Bastion ACLs

WALLIX Bastion features an advanced rights management engine relying on ACLs to determine
who has access to what, when and with which protocol(s).
These ACLs consist of the following objects:
• users: i.e. physical users of WALLIX Bastion from internal and/or external user directory
• user groups: a set of users
• devices: i.e. physical or virtualized devices to which access is requested via WALLIX Bastion
• target accounts: the accounts declared on a device or an application
• target groups: a set of target accounts
• applications: any type of application and services running on a device or a set of devices
In WALLIX Bastion, an authorization must be set to grant a user the access to a target account.
Authorizations are declared between a group of users and a group of target accounts (which means
that each target account must belong to a target group, and that each user must belong to a user
group).
The authorization allows users in group X to access target accounts in group Y, via protocols A,
B, or C.
Other elements are added to these primary entities to allow you to define:
• connection time frames

• criticality of access to target resources
• whether the session is recorded or not
• the type of user authentication procedure
You can also define a number of various WALLIX Bastion administrator profiles, with a full access
to the WALLIX Bastion features or limited rights to specific features. As an example, you can define
that WALLIX Bastion auditors will only access audit data or allow WALLIX Bastion administrators
to add/edit users, configure the system administration, manage authorizations, etc.
18
4.4. Roll-out
WALLIX Bastion includes a set of import tools to facilitate roll-out.
However, to ensure WALLIX Bastion is successfully implemented, we recommend inventorying:
• the roles of users who must have access to the target accounts
• the roles of users who must administer WALLIX Bastion
• the target devices and target accounts to be accessed through WALLIX Bastion
You must be able to answer the following questions for each user:
• does this user have the right to administer the solution, and if so, which rights should be assigned
to him or her?
• does this user need to access target accounts?
• when does the user have the right to log on?
• can the user access critical resources?
You must be able to answer the following questions for each target device or target account:
• is this target account or device critical? (then each time a critical device is accessed, a notification
is sent to the administrator)
• should user sessions on this account be recorded?
• which protocol(s) can be used to access this target account or device?
4.5. Rights of the user connected to WALLIX

Bastion
Depending on the rights assigned to a user during the configuration of their profile, this user will
only be able to access the functionalities of WALLIX Bastion he/she has permission to.
A user will only be allowed to display data existing within the application if the “View” right for the
related functionality is set in their profile.
A user will be allowed to access the various data creation, modification and deletion pages if the
“Modify” right for the related functionality is set in their profile.
For further information on the configuration of user profiles, refer to Section 9.3, “User
profiles”, page 87.
4.6. Data encryption

Many types of sensitive data may be stored in WALLIX Bastion and in particular:
• primary authentication information, i.e. information related to WALLIX Bastion authentication

• secondary authentication information, i.e. information related to target authentication
• passwords to access authentication services
• WALLIX Bastion configuration backups
All sensitive data is encrypted to ensure security.
19
Access to targets via the various services (RDP or SSH) generates data that is also encrypted.
Cryptography specifications to secure data gathered in WALLIX Bastion are described here below.
4.6.1. Administration with HTTPS protocol (Web interface

and API)
TLSv1.3 cipher:
• TLS_AES_256_GCM_SHA384
• TLS_CHACHA20_POLY1305_SHA256
TLSv1.2 cipher:
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
4.6.2. Administration with SSH protocol

Key exchange algorithms:
• curve25519-sha256
• curve25519-sha256@libssh.org
• diffie-hellman-group-exchange-sha256
Server host key algorithms:
• ecdsa-sha2-nistp256
• ssh-ed25519
Cipher algorithms:
• aes128-ctr
• aes192-ctr
• aes256-ctr
• aes128-gcm@openssh.com
• chacha20-poly1305@openssh.com
Integrity algorithms:
• hmac-sha2-256-etm@openssh.com
• hmac-sha2-256
• hmac-sha2-512
20
4.6.3. RDP (TLS based) primary connection algorithms

TLSv1.3 cipher:
• TLS_CHACHA20_POLY1305_SHA256
TLSv1.2 cipher:
• TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
• TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
• TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
• TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
• TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_256_CCM
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• RSA_WITH_AES_256_CCM_8
• RSA_WITH_AES_256_CCM
• RSA_WITH_AES_128_CCM_8
• RSA_WITH_AES_128_CCM
• ECDHE-ARIA256-GCM-SHA384
• ECDHE-ARIA128-GCM-SHA256
• DHE_RSA_WITH_AES_256_CCM_8
• DHE_RSA_WITH_AES_128_CCM_8
• DHE_RSA_WITH_AES_128_CCM
• DHE-RSA-ARIA256-GCM-SHA384
21
• DHE-RSA-ARIA128-GCM-SHA256
• ARIA256-GCM-SHA384
• ARIA128-GCM-SHA256
4.6.4. SSH primary connection algorithms

• curve25519-sha256@libssh.org
• diffie-hellman-group-exchange-sha256
• diffie-hellman-group14-sha256
Host key algorithms:
• ecdsa-sha2-nistp256
• ssh-ed25519
• ssh-rsa
• rsa-sha2-256
• rsa-sha2-512
Cipher algorithms:
• aes128-ctr
• aes192-ctr
• aes256-ctr
• chacha20-poly1305@openssh.com
Integrity algorithms:
• hmac-sha2-256
• hmac-sha2-512
4.6.5. Secondary connection algorithms

These algorithms depend on the protocols supported by the targets.
22
Chapter 5. Specific features

5.1. WALLIX Session Manager
This specific feature of WALLIX Bastion 10.0.5 is available according to your software license
contract.
This feature allows the administrator to:
• identify the users who are connected to specific devices and monitor their activity: sessions can
be viewed in real-time through the WALLIX Bastion Web administration interface or downloaded
to be viewed locally on the administrator's workstation
• review video-recorded activity from a privileged user session
• get a direct resource access using native clients such as PuTTY, WinSCP, MSTC or OpenSSH
• define and configure connection policies through mechanisms available for RDP, VNC, SSH,
TELNET, RLOGIN and RAW TCP/IP protocols
For further information, refer to Chapter 12, “Session management”, page 243.
5.2. WALLIX Password Manager

This specific feature of WALLIX Bastion 10.0.5 is available according to your software license
contract.
This feature allows the administrator to:
• secure target account passwords and SSH keys

• manage checkout and check-in actions for target account credentials
• change or generate target account passwords
• define a password change policy which can be selected during the creation/modification of a
global domain
• select a password change plugin among the list configured in WALLIX Bastion during the creation/
modification of a global or local domain
For further information, refer to Chapter 11, “Password management”, page 221.
5.3. Password external vault

WALLIX Bastion provides a modular approach to password vault management.
This setup allows a cluster of Bastions to handle sessions and user accesses related to accounts
managed by only one Bastion in the cluster. Account management in this context refers to concepts
such as credential change (password and SSH key) and checkout policy.
The local vault is the default vault. Accounts stored in this vault are managed by the local Bastion.
These accounts can be used either for session or credential access via the Web interface or the
REST API Web Service.
The external vaults are represented in the local Bastion via plugins. The plugins implement the link
allowing the local Bastion to communicate with the external vault.
23
Currently, the “Bastion” external password vault plugin is available to connect and use the password
vault provided by a WALLIX Bastion.
From the local Bastion's point of view, the “Bastion” plugin represents the password vault provided
by the remote Bastion. Accounts stored in this vault are managed by the remote Bastion and are
usable by the local Bastion either for session or credential access via the Web interface or the REST
API Web Service. In order to be used by the local Bastion these accounts need to be imported into
this local Bastion.
The local Bastion uses the remote Bastion's REST API Web Service to establish a secure
communication channel allowing to checkout or check in the accounts' credentials and also extend
the checkout duration (if set on the checkout policy on the remote Bastion).
“CyberArk Enterprise Password Vault”, “HashiCorp Vault” and “Thycotic Secret Server” external
password vault plugins are also embedded in WALLIX bastion to connect and use password vaults
of the privilege management solutions provided by these companies.
External vault accounts are mapped into the local Bastion through global domains acting as external
vault account containers. Several domains may point to the same external vault.
For further information on how to setup the local Bastion to use external vault accounts, refer to
Section 10.3, “Domains”, page 160, Section 10.7, “External password vault plugins”, page 198
and Section 11.1, “User authorizations on passwords”, page 221.
5.4. High-Availability
The High-Availability (HA) feature of WALLIX Bastion 10.0.5 delivers continuous WALLIX Bastion
service through a failover (also called "active/passive") bi-device cluster (access to target devices
and the Web console, session recordings), in the event that the "Master" device becomes
unavailable.
This automatic transfer to the second cluster node (i.e. the "Slave") works by:
• sharing a virtual IP address between the two Bastions in the cluster and hiding the actual IP
addresses from the users
• mirroring the configuration data, the connection logs and the files containing the session
recordings, as well as the WALLIX Bastion configuration files on the second cluster node using
DRBD (Distributed Replicated Block Device)
• an email notification mechanism advising the WALLIX Bastion administrator if:
– service is switched to degraded mode (the "Slave" node has taken over)
– the "Slave" node is unavailable
– a fault is detected (service unavailable, etc.)
– disk synchronization is ended.
For further information, refer to Section 8.14, “High-Availability”, page 67.
24
Chapter 6. Getting started with WALLIX

Bastion
6.1. Pre-configuration of TCP and UDP network
ports
6.1.1. Communication from WALLIX Bastion
The following ports should be opened to allow communication from WALLIX Bastion:
• SSH: 22
• RDP: 3389
• HTTP/HTTPS: 80/443
• SMTP: 25
• SMTPS: 465
• SMTP+STARTTLS: 587
• NTP: 123
• DNS: 53
• Kerberos external authentication: 88
• LDAP external authentication: 389
• LDAP over SSL external authentication: 636
• RADIUS external authentication: 1812
• TACACS+ external authentication: 49
• NFS network storage: 2049
• SMB/CIFS network storage: 445
• SMB for password management: 139 | 445
• Syslog: 514
• SNMP: 162 for trap notifications
6.1.2. Communication to WALLIX Bastion

The following ports should be opened to allow communication to WALLIX Bastion:
• SSH/SFTP/TELNET/RLOGIN proxy: 22
• RDP/VNC proxy: 3389
• SNMP: 161 for read/write access to OIDs
• WALLIX Bastion administration command line interface (SSHADMIN console): 2242
• WALLIX Bastion administration Web interface (GUI): 443
25
6.2. Using the command line to connect to

WALLIX Bastion
An SSH daemon listening on port 2242 allows you to connect to an administration shell.
For security reasons, all system passwords must be immediately changed on first connection.
Important:
Please remember your new password as it is the only way to connect again.
When WALLIX Bastion is initially installed, a graphical mode displays dialog boxes to guide you
through the configuration steps.
The procedure below illustrates the main steps to configure the WALLIX Bastion connection.
1. First step: choose the keyboard layout language you wish to use
If the current keyboard layout language is detected, it is then highlighted in the list. If this
language is not in the list, you can select "More options..." to display more choices.
2. Second step: set the password for the "wabadmin" user
The default credentials are as follows:
• Password: SecureWabAdmin
You are requested to change the default password for the "wabadmin" user. Enter and confirm
this new password.
By default, the "wabadmin" user is configured with minimum privileges. Follow next step to
configure the "wabsuper" user to access higher privileges.
3. Third step: set the password for the "wabsuper" user
Once the new password for the "wabadmin" user has been confirmed, you are requested to
enter and confirm the new password for the "wabsuper" user.
The "wabsuper" password can be passed through the "super" command to access higher
privileges, including the ability to get access to "root" privileges using the "sudo" command,
which uses the same password. Once you are logged in as "root", you can use a set of scripts
to manage the day-to-day operation of WALLIX Bastion.
Follow next step to configure the GRUB password.
4. Fourth step: set the password for the "GRUB" user
Once the new password for the "wabsuper" user has been confirmed, you are requested to
change the default password for the "GRUB" user.
You will be given the option to use the same password as the one entered previously for the
"wabsuper" user or set a new password.
Important:
Only ASCII characters are supported. If the password specified for the "wabsuper"
user contains non-ASCII characters, then it cannot be used as the same password
for the "GRUB" user: you are required to set a different password.
26
Warning:
Under VMware, once the initial installation has been performed and after the system
reboot, the input of the password for the "GRUB" user matches by default the US
QWERTY keyboard layout.
The default credentials are as follows:

• Login: wabbootadmin
• Password: SecureWabBoot (this default password is modified during this step)
Use the following command if you wish to change this password later:
wabsuper@wab$ WABChangeGrub
Beware of special characters and typing errors as the input cannot be corrected.
However, the "Esc" key allows you to fully delete the input.
Follow next step to configure the password for the “wabupgrade” user.
5. Fifth step: set the password for the “wabupgrade” user
Once the new password for the “GRUB” user has been confirmed, you are requested to enter
and confirm the new password for the “wabupgrade” user.
Important:
The “wabupgrade” user can only perform upgrades to higher versions of WALLIX
Bastion or hotfix installations.
6. Lastly, sixth step: define the network configuration
Once the new password for the “wabupgrade” user has been defined, you are requested to set
the network configuration.
6.3. Browsing through the menu of the Web

interface
Menu Sub-menu Actions
My preferences Change the user preferences
See Section 7.3, “Setting your

preferences”, page 38
My Sessions Display the user authorizations on sessions and
authorizations access targets
See Section 12.1, “User authorizations on

sessions”, page 243
Passwords Display the user authorizations on passwords and
access the target credentials
See Section 11.1, “User authorizations on

passwords”, page 221
27

Audit Current sessions List connections and logouts
See Section 12.3.1, “Current sessions”, page 248

Session history List closed connections and display session recordings
See Section 12.3.4, “Session history”, page 250

Account history List the account activities
See Section 12.3.6, “Account history”, page 256

Approval history List the current and expired approval requests
See Section 12.3.7, “Approval history”, page 257

Authentication List the primary authentications
history
See Section 12.3.8, “Authentication
history”, page 258
Connection Generate connection statistics graphs
statistics
See Section 12.3.9, “Connection
statistics”, page 259
Users Accounts Manage and import (.csv file and LDAP directory)
WALLIX Bastion users
See Section 9.1, “User accounts”, page 74

Groups Manage and import (.csv file) WALLIX Bastion user
groups
See Section 9.2, “User groups”, page 83

Profiles Manage and import (.csv file) WALLIX Bastion user
profiles
See Section 9.3, “User profiles”, page 87

Targets Devices Manage and import (.csv file) target devices
See Section 10.1, “Devices”, page 135

Applications Manage and import (.csv file) target applications
See Section 10.2, “Applications”, page 145

Domains Manage and import (.csv file) global and local domains
See Section 10.3, “Domains”, page 160

Accounts Manage and import (.csv file) target accounts
See Section 10.4, “Target accounts”, page 171

Clusters Manage and import (.csv file) clusters of jump servers
See Section 10.6, “Clusters”, page 196

Groups Manage and import (.csv file) target groups
See Section 10.5, “Target groups”, page 183
28

Password vault Display the list of available external password vault
plugins plugins
See Section 10.7, “External password vault

plugins”, page 198
Checkout policies Manage password checkout policies
See Section 10.8, “Checkout policies”, page 205

Discovery Discover assets on configured network and AD
See Section 10.9, “Discovery”, page 208

Authorizations Manage Manage and import (.csv file) authorizations between
authorizations target groups and user groups
See Chapter 14, “Authorization

management”, page 301
My current approvals Manage the current approval requests and provide
answers
See Section 14.5, “View the current

approvals”, page 305
My approval history List the current and expired approval requests
See Section 14.6, “View the approval

history”, page 306
Session Connection policies Manage authentication mechanisms for proxies (RDP,
management VNC, SSH, TELNET, RLOGIN and RAW TCP/IP)
See Section 12.4, “Connection policies”, page 261

Recording options Manage options for session recording storage
See Section 12.5, “Session recording

options”, page 264
Password Password change Manage password change policies
management policies
See Section 11.3, “Password change
policies”, page 239
Password change Display the list of available plugins for password
plugins change
See Section 11.2, “Password change

plugins”, page 223
Configuration Configuration Configure specific WALLIX Bastion aspects (e.g. the
options GUI options, the RDP proxy, the SSH proxy, etc.)
See Chapter 8, “Appliance configuration”, page 40

Time frames Manage time frames
See Section 14.8, “Time frame

configuration”, page 309
29

External Manage external authentication methods (LDAP,
authentications Active Directory, Kerberos, RADIUS)
See Section 9.8, “External authentication

Authentication Integrate external user accounts via LDAP, Active
domains Directory or Azure AD
Import (.csv file) authentication domains and
authentication domain mappings on user groups
See Section 9.9, “Configuration of LDAP, Active

Directory or Azure AD domain mapping”, page 118
Notifications Manage the notification mechanism
See Section 9.5, “Notification

Local password Manage the local password policy
policy
See Section 9.6, “Local password policy
Connection Configure the message displayed on a banner when a
messages user logs on to proxies
See Section 12.25, “Connection

messages”, page 293
X509 configuration Configure X509 certificate authentication
See Section 9.7, “X509 certificate authentication

API keys Manage API keys
See Section 16.3, “REST API key

management”, page 329
License Display and update license key
See Section 8.2, “License”, page 44

Encryption Set the encryption protection
See Section 8.3, “Encryption”, page 46

Audit logs Display the content of the "wabaudit" file
See Section 8.5, “System logs”, page 49

System Status Display general information on system status
See Section 8.4, “System status”, page 48

Network Configure network settings
See Section 8.6, “Network”, page 49

Time service Configure time service settings (NTP)
See Section 8.7, “Time service”, page 52
30

Remote storage Manage remote storage of session recordings
See Section 8.8, “Remote storage”, page 53

SIEM integration Manage routing of logs to other network devices
See Section 8.9, “SIEM integration”, page 54

SNMP Manage the SNMP agent
See Section 8.10, “SNMP”, page 55

SMTP server Configure the mail server for notification sending
See Section 8.12, “SMTP server”, page 61

Service control Define service mapping with network interfaces and
WALLIX Bastion services to be enabled/disabled
See Section 8.11, “Service control”, page 59

Syslog Display the content of the "syslog" file

Boot messages Display the content of the "dmesg" file

Backup/Restore Save and restore a WALLIX Bastion configuration
See Section 8.13, “Backup and

Restoration”, page 62
Import/Export CSV Import data from a .csv file
Export data as a .csv file, a .zip or .tar.gz archive
See:
Section 9.1, “User accounts”, page 74,
Section 9.2, “User groups”, page 83,
Section 9.3, “User profiles”, page 87,
Section 10.1, “Devices”, page 135,
Section 10.2, “Applications”, page 145,
Section 10.3, “Domains”, page 160,
Section 10.4, “Target accounts”, page 171,
Section 10.6, “Clusters”, page 196,
Section 10.5, “Target groups”, page 183,
Section 14.1, “Add an authorization”, page 301,
Section 9.9, “Configuration of LDAP, Active Directory

or Azure AD domain mapping”, page 118
Users from LDAP/AD Import users from an LDAP or AD directory
31

See Section 9.1, “User accounts”, page 74
6.4. Availability of specific management

features
6.4.1. Session management
The "Session Management" menu and the "Sessions" entry in "My Authorizations" can only be
managed if the WALLIX Session Manager feature is associated with your license key.
6.4.2. Password management

The "Password Management" menu and the "Passwords" entry in "My Authorizations" can only be
managed if the WALLIX Password Manager feature is associated with your license key.
6.5. Managing data search, sort and layout

customization in the tables of the Web interface
The WALLIX Bastion Web interface includes functionalities that enable you to search, sort,
customize and delete the data displayed within the tables.
Note:
When long data appears truncated within a table (for example: “abcdefghijk...”), its whole
textual value can be displayed in a tool tip by hovering the mouse over the data for 0.5
second.
6.5.1. Search data

The search fields located in most column headers of the Web interface tables are used to search
for data and are displayed by clicking on the icon . Then, enter a term and click on the “Search”
button. An active search is symbolized by an orange icon .
It is also possible to search for data on multiple columns by repeating the above actions in the
column(s) concerned.
The wildcard symbol * can also be used in the search fields to perform a search based on specific
criteria. This character can be placed anywhere to replace any string (including empty strings) in
the search terms.
The table below illustrates the possible search types using the wildcard symbol *:
Search string Returns only lines with at least one column matching...
rdp* any string starting with the word “rdp” (e.g.: RDPDevice1)
*rdp any string ending with the word “rdp” (e.g.: ServiceRdp)
*rdp* or rdp any string including the word “rdp”, regardless of the position of the keyword
in the character string found.
32
Search string Returns only lines with at least one column matching...
r*p any string starting with “r” and ending with “p”. (e.g.: Rdp, RP)
A search can be saved by activating the “Save search filter” button in the “Table settings” window
accessible via the icon . The search filter is then saved for the active table.
Note:
The search is not case-sensitive.
The search focuses on the entire table and not only on the active view.
The result of a single or multiple search can be deleted by clicking on the icon then on the “Reset”
button or, by clicking on the icon located in the upper right corner of the page.
6.5.2. Sort data

It is possible to sort the data displayed in the tables of the Web interface either alphabetically or
numerically and in either ascending or descending order by clicking in the column headers: up
arrow for sorting in ascending order; down arrow for sorting in descending order. An active sort is
symbolized by an orange arrow.
Note that a multiple sort can be performed by enabling the “Multiple sorting” button in the “Table
settings” window accessible via the icon . The multiple sort is then saved for the active table.
Note:
The sort applies to all the data contained in the table and not only to those of the active
view.
The table settings can be restored by disabling the “Multiple sorting” button or by clicking on “Reset
table user preferences”. These options are accessible via the icon .
6.5.3. Customize layout

The WALLIX Bastion Web interface includes the possibility to resize the tables by clicking on a
column separator and dragging it left or right to the desired width.
It is also possible to show or hide the columns of a table and to change the order in which they are
displayed via the “Table settings” window accessible via the icon .
In this window, you can make the following changes:
• change the order in which the columns are displayed by using the up and down arrows
• hide or show a column by deselecting or selecting the check box at the beginning of the line of
the relevant column (the columns are checked by default)
Warning:
The first column of a table or any column that contains an access link to another page
of the interface cannot be moved or hidden.
33
The table settings can be restored by clicking on “Reset table user preferences” located in the “Table
settings” window.
6.5.4. Delete data

It is possible to delete data from the tables of the Web interface at any time and on each page.
To do so, check the box at the beginning of the line of the data you wish to delete and click on the
“Delete” button located in the upper right corner of the page.
To delete all the data from a table, check the box in the table header and click on the “Delete” button
located in the upper right corner of the page.
Warning:
This action only deletes the data of the active view.
Any selection made using the check boxes can be canceled by clicking on the cross displayed
above the table, next to the summary for the number of selected entries.
34
Chapter 7. Login on the Web interface

Note:
It is possible to choose which interface will be displayed by default from the menu
“Configuration” > “Configuration options” > “GUI”. For further information, refer to
Section 8.1.1, “Configuring the Web user interface”, page 41.
7.1. Access to the Web administration interface

To access the Web administration interface of WALLIX Bastion, enter the following URL in your
browser's address bar:
https://bastion_ip_address/ui or https://<bastion_name>/ui
Warning:
Internet Explorer is not supported by the default interface.
Your browser must be configured to accept cookies and run JavaScript.
For security reasons, WALLIX Bastion checks that the hostname received in the URL
matches its FQDN, hostname or the interface's IP address. If it is not recognized, the
user will be redirected to the IP address of the network interface used. To prevent any
redirection, it is possible to add trusted hostnames and IP addresses via the option
“Trusted hostnames for HTTP_HOST header” accessible from the menu “Configuration”
> “Configuration options” > “Global”, section “main”.
WALLIX Bastion comes as standard with a factory-set administrator account whose default
credentials are as follows:
• User name: admin

• Password: admin
This default password can be changed. For further information, refer to Section 15.4, “Change
the password of the factory-set administrator account”, page 314.
For security reasons, it is required to change the administrator account password on first login. For
further information, refer to Section 7.3, “Setting your preferences”, page 38.
The login page of WALLIX Bastion supports different authentication methods to enable users to
access the Web interface. For further information on the configuration of these authentication
methods, refer to Section 9.8, “External authentication configuration”, page 109 and Section 9.7,
“X509 certificate authentication configuration”, page 101.
On the other hand, the AD user can be prompted for password change after expiration on this
screen or when connecting to the RDP or SSH sessions. The prerequisites are then as follows:
• the minimum required version for the Active Directory server is Windows Server 2008 R2
• the option “AD user password change” (accessible from the menu “Configuration” >
“Configuration Options” > “Global” > section “main”) must be selected and
35
• at least one encryption protocol (either StartTLS or SSL) must be set on the authentication method
associated with the domain. For further information, refer to Section 9.8.1.3, “Add an LDAP
external authentication”, page 112 and Section 9.9, “Configuration of LDAP, Active Directory or
Azure AD domain mapping”, page 118.
Note:
The logo image, the product name as well as the display of the copyright notice
on the login screen can be managed from the menu “Configuration” > “Configuration
Options” > “GUI” > “oem” section. For further information, refer to Section 8.1, “Interface
configuration”, page 41.
The warning message on the login screen can be managed from the menu “Configuration”
> “Connection messages”. For further information, refer to Section 12.25, “Connection
messages”, page 293.
Figure 7.1. Login screen
Once you have successfully logged on, the following page is displayed:
36
Figure 7.2. WALLIX Bastion home page (displayed for an administrator profile)
Note:
The administrator can configure an alert, an information or a warning message to be
displayed on the header of the Web administration and user interfaces and also on
the RDP and SSH selectors, from “Configuration” > “Configuration options” > “Global”,
section “banner”. For further information, refer to Section 8.1.4, “Configuring the display
of a banner message”, page 44.
7.2. Description of the home page

The WALLIX Bastion home page displays the following elements:
• a header containing:
– the name of the user who is logged on. When hovering the mouse over the user name area, a
contextual menu displays the entry for the “My preferences” page, the “Legacy interface” icon
to access the legacy interface, and the logout icon.
Note:
Any logout made from this interface is only effective on WALLIX Bastion. Thus, a user
authenticated via SAML external authentication on Azure AD will not be disconnected
from their session on this tenant.
– the icon providing a menu to access the technical documentation delivered as a contextual
on-line help
– the icon providing an access to the possible notifications (the approval requests for the user
with the approver profile and the password expiration warning)
37
• a vertical menu on the left of the screen from which you can access all the WALLIX Bastion
administration functions. The layout of the Web interface is subdivided vertically and horizontally
so as to clearly structure it.
• a working area on which is displayed a welcome message. The information introduced by this
message can be hidden by clicking on the “Do not show again” button.
• a dashboard located at the bottom of the screen which provides the shortcuts to the most used
administration functions.
7.3. Setting your preferences

The “My preferences” page is accessible by hovering your mouse over your user name at the top
right of the screen. All users have access to this page, regardless of their administration rights.
On this page, the user has access to four tabs:
• “Profile”: to change the email address and to select the preferred language
• “Password”: to change the password (only if the user has been declared locally with a
“local_password” authentication)
• “SSH public key”: to drag-and-drop, upload or enter manually an SSH public key using RSA,
ED25519 or ECDSA algorithm, or to delete an existing SSH public key (only if the user has been
declared locally with a “local_sshkey” authentication)
Warning:
In the “SSH public key” tab, it is not possible to drag-and-drop, upload or enter manually
a key if no algorithm is allowed for the SSH key on the “Local Password Policy” page
from the “Configuration” menu. For further information, refer to Section 9.6, “Local
password policy configuration”, page 99.
This key must be in the OpenSSH format. Otherwise an error message is displayed.
If you use PuTTYgen to generate the key, you must save in a text file the public key
displayed in the OpenSSH format during the generation. As an example, this key is
labelled as follow:
“ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0yR9lBQov6[.....]c3xu9p/xNjw==
rsa-key-20151204”
You can then upload this key on the “SSH public key” tab.
If a key already exists, you can load a private key using Puttygen in order to generate
the corresponding public key in the appropriate format.
• “GPG key”: to drag-and-drop, upload or display a GPG key, or delete an existing GPG key
Warning:
If the GPG key is not specified for the user with the “product_administrator” or
“operation_administrator” profile, then a warning email is sent daily to notify the user
of the missing declaration of the GPG key.
The sending of this warning email can be managed via the “Missing GPG key warning
email” option in the menu “Configuration” > “Configuration options” > “Global”. By
default, this option is enabled.
38
Figure 7.3. "My Preferences" page
7.4. Summary
In the modification pages of the Web interface, a summary is displayed on the right part of your
screen. It gives an overview of the data previously defined.
By clicking on the main entries of the summary, you are redirected to the concerned pages and
you can enter, add, edit or delete data. Note that you have the possibility to hide and show this
summary at any time.
39
Chapter 8. Appliance configuration

Important:
All the IP addresses which can be set on WALLIX Bastion support both IPv4 and IPv6
formats.
The “Configuration Options” page on the “Configuration” menu allows advanced configuration of
global WALLIX Bastion parameters.
Click on the needed option in the list to display the related parameters which can be configured
on the dedicated page for:
• the data retention policy. For further information, refer to Section 9.4, “User data retention
policy”, page 94.
• the global parameters
• the Web interface (“GUI”). For further information, refer to Section 8.1, “Interface
• the legacy Web interface (“GUI (Legacy)”)
• the license configuration
• the logger
• the configuration of the external modules
• the OEM (“OEM (Legacy GUI)”)
• the RDP proxy
• the RDP proxy session manager
• the REST API
• the options regarding session log retention. For further information, refer to Section 15.21, “Export
and/or purge session recordings automatically”, page 320 and Section 15.24, “Check integrity
of session log files”, page 322.
• the SSH proxy
• the Watchdog
On each of these pages, a useful description can be displayed for all the fields by selecting the
check box of the “Help on options” field at the top right of the page. This description includes the
appropriate format to be specified in the concerned field.
Warning:
The options displayed when the check box of the “Advanced options” field at the top right
of the page is selected should ONLY be changed upon request of the WALLIX Support
Team! An orange exclamation mark is displayed near the concerned fields.
40
Figure 8.1. "Configuration Options" page for SSH proxy with field descriptions
8.1. Interface configuration

The Web interface of WALLIX Bastion can be customized in order to match your specific needs.
8.1.1. Configuring the Web user interface

From the menu “Configuration” > “Configuration options” > “GUI”, under the “ui” section, you
can select in the field “Default user interface” the Web user interface which will be displayed by
default. For further information, refer to Figure 8.2, “"Configuration options" page for Web interface
configuration (GUI) - Part 1”, page 43).
If “current” is selected, then the user will be redirected to the login page of the default interface.
However, they will still have access to the legacy interface via the link “Legacy interface” that
appears when hovering over the user name at the top of the page.
If “legacy” is selected, then the user will be redirected to the login page of the legacy interface.
However, they will still have access to the default interface via the link “Switch to the default interface”
located at the top of the page or to both interfaces via:
https://bastion_ip_address/ui or https://<bastion_name>/ui for the default

interface
https://bastion_ip_address or https://<bastion_name> for the legacy interface
41
Note:
If the configuration option “Link switch default interface” (accessible from “Configuration”
> “Configuration options” > “GUI (Legacy)”) is deselected, then the link “Switch to the
default interface” will not be displayed on the home page of the legacy interface. The user
will then not be able to access the default interface.
8.1.2. Configuring the session timeout

From the menu “Configuration” > “Configuration options” > “GUI”, under the “ui” section, you can edit
in the field “Session timeout” the maximum time period for the session disconnection. For further
information, refer to Figure 8.2, “"Configuration options" page for Web interface configuration (GUI)
- Part 1”, page 43.
The session timeout value is set by default to 900 seconds. The timeout value cannot be lower
than 300 seconds.
The modification will apply at next login.
8.1.3. Configuring the OEM

From the menu “Configuration” > “Configuration options” > “GUI”, you have the possibility to
customize the Web interface by configuring, under the “oem” section:
• the product name displayed on the pages of the interface as well as on the Web browser tab
(“Product name”)
• the short version of the product name (“Product name short”)
• the name of the Support Team (“Product support name”)
• the display of WALLIX copyright on the login page (“Copyright login”)
• the small site icon displayed on the Web browser tab (“Favicon”)
• the logo displayed at the top of the left sidebar menu (“Logo”)
• the small version of the logo displayed at the top of the left sidebar menu when collapsed (“Logo
small”)
• the logo displayed on the login page (“Login page logo”)
• the welcoming title of the login page for each language supported by WALLIX Bastion (“Login
page title”)
• the color of the welcoming title and connection message displayed on the login page (“Login
page info color”)
• the background color of the login page's right side panel (“Login page background color”)
• the background image of the login page's left side panel (“Login page background image”)
Note that the images must be in PNG format and that it is possible to restore the default WALLIX
Bastion images by checking the box “Restore default image”.
42
Figure 8.2. "Configuration options" page for Web interface configuration (GUI) - Part 1
43
Figure 8.3. "Configuration options" page for Web interface configuration (GUI) - Part 2
8.1.4. Configuring the display of a banner message

From the menu “Configuration” > “Configuration options” > “Global”, under the “banner” section,
you can configure an alert, an information or a warning message to be displayed on the header of
the Web administration and user interfaces and also on the RDP and SSH selectors.
According to the banner type selected, the message will be displayed in a given font weight or color
on the RDP or the SSH selectors and in a specific background color on the Web interface.
8.2. License
The use of WALLIX Bastion is controlled by a license key. This key contains the elements included
in the sales contract and is provided by WALLIX. It is entered in WALLIX Bastion by the client via
the Web user interface.
From the "License" page on the "Configuration" menu, you can display the license properties and
update the license key.
According to the sales contract, the license mechanism can check:
• the license type for a perpetual license agreement (“Legacy Bastion license”)
44
• the pack for a subscription license agreement (“WALLIX license”)

• the add-ons for a subscription license agreement (“WALLIX license”)
• the license expiration date
Note:
When notifications are enabled for the license expiration warning, an email will be sent
15 days, 10 days, 5 days and 1 day before the license expiration date. For further
information, refer to Section 9.5, “Notification configuration”, page 95.
• the number of concurrent connections to the Bastion (i.e. primary connections)
Note:
Connections of the administrator account with the "product_administrator" profile are
not counted.
• the number of concurrent connections to targets (i.e. secondary connections)

• the number of users which can be named, i.e. the number of unique users declared in WALLIX
Bastion or who connected from an LDAP domain mapping
• the number of protected resources, i.e. the number of devices and applications declared in
WALLIX Bastion
• when WALLIX Session Manager is associated with the license key, the number of targets included
in groups which can be declared to initiate sessions
Note:
Each target is only counted once, regardless of the number of groups into which it is
included.
Target accounts which can be used as scenario accounts are not counted.
• when WALLIX Password Manager is associated with the license key, the number of targets
included in groups which can be declared to check out the accounts' credentials
Note:
Each target is only counted once, regardless of the number of groups into which it is
included.
• when WALLIX Password Manager is associated with the license key, the number of
clients using WALLIX Application-to-Application Password Manager (also called “WAAPM”).
Documentation related to WAAPM can be downloaded from WALLIX Support portal (https://
support.wallix.com [https://support.wallix.com/]).
To obtain a license, a context file must be created and sent to WALLIX Support (https://
support.wallix.com/). To do so, click on the “Download context file” button to generate and
download a context file and send it to the WALLIX Support Team which will provide you with a
license key update.
Once you have received the license update file, upload or drag-and-drop it in the “License update”
section and click on the “Apply” button.
45
It is possible to revoke the licenses installed on WALLIX Bastion by clicking on the “Revoke” button.
The legacy licenses (“Legacy Bastion license”) are revoked immediately. The current licenses
(“WALLIX license”) will become invalid 15 days after performing the revocation.
Warning:
When a subscription license expires, access to WALLIX Bastion is still possible if a trial
license is valid. If all licenses have expired, then only the administrator account associated
with the “product_administrator” profile can connect to the WALLIX Bastion interface to
upload a new license. Please make sure to renew your license before it expires to ensure
continuity of service.
In the context of a perpetual license (“Legacy Bastion license”), the latter is bound to the
MAC addresses of the first two interfaces of the Bastion (when more than one interface
is declared). If WALLIX Bastion is deployed on a virtual environment using two virtual
machines on two different nodes, make sure the MAC addresses are cloned to provide
redundancy. Moreover, we strongly recommend defining static MAC addresses to avoid
any change at reboot.
8.2.1. Managing the license key from the command line

The license key can be managed from the command line when logged in as "root".
To display the license properties and metrics:
wab2:~# WABGetLicenseInfo
To generate the license context file:
wab2:~# WABSetLicense -c -f <License context file>
To import a new license:
wab2:~# WABSetLicense -u -f <License update file>
To revoke the license:
wab2:~# WABSetLicense -d
Warning:
The legacy licenses (“Legacy Bastion license”) are revoked immediately. The current
licenses (“WALLIX license”) will become invalid 15 days after performing the revocation.
8.2.2. Managing the sending of notifications

Notifications can be sent to the administrator as soon as one of the license metrics has reached and/
or exceeded the given threshold(s), defined as a percentage. These thresholds can be managed
from “Configuration” > “Configuration options” > “License configuration” > section “[main]”.
8.3. Encryption
46
The encryption of WALLIX Bastion secures your sensitive data (such as target accounts' credentials,
local users' passwords, Web interface connections, RDP and SSH connections, etc.) by using a
strong cryptographic algorithm. For further information on the cryptography specifications to secure
data gathered in the Bastion, refer to Section 4.6, “Data encryption”, page 19.
This algorithm uses an encryption key which is secret and unique to your WALLIX Bastion and
totally hidden from users.
It is recommended to secure this encryption key by defining an associated passphrase with a

minimum length of 12 characters when installing WALLIX Bastion, from the “Encryption” page on
the “Configuration” menu. The definition of the passphrase involves a more complex access to
WALLIX Bastion and raises the protection of your data as no malicious user who does not know
the passphrase can access your product.
It is essential to remember this passphrase as it will be required:
• when restoring the configuration of WALLIX Bastion (refer to Section 8.13, “Backup and
Restoration”, page 62). If you loose the passphrase, you will no longer be able to access your
data stored on remote storage.
• when rebooting the system. As long as the passphrase is not entered by the administrator with
the “product_administrator” profile in the Web administration interface, the “System” configuration
menu will be hidden and connections using WALLIX Bastion proxies will not be usable.
• when changing the passphrase. If you wish to change your passphrase, you have to enter the
current passphrase to be able to set a new one.
Important:
For security reasons, the passphrase can only be defined during the installation of
WALLIX Bastion. It will be impossible to define it afterwards.
Once a passphrase has been set, it can no longer be deleted. However, an existing
passphrase can be modified.
After initialization of the encryption, it is highly recommended to back up WALLIX Bastion

at least once to keep a copy of the encryption key in a safe place (refer to Section 8.13,
“Backup and Restoration”, page 62).
Once the encryption is configured, you can go back at any time to the “Encryption” page on the
“Configuration” menu either to check that your WALLIX Bastion is ready and secured or to change
the passphrase.
47
Figure 8.4. "Encryption" page
8.4. System status

From the "Status" page on the "System" menu, you can view the following system information:
• the current version of WALLIX Bastion

• the number of current RDP or SSH sessions initiated from WALLIX Bastion
Note:
It corresponds to the list of active connections on the "Current Sessions" page
displayed from the "Audit" menu.
• the CPU usage

• the RAM usage
• the swap usage
• the available space on the partition /var/wab (where the session recordings are saved)
Note:
The RAM usage does not include the system cache.
All log and debugging information files can be downloaded as a .zip archive by clicking on the button
"Download debug information" on the bottom of the page.
48
Figure 8.5. "Status" page
8.5. System logs

You can view and save system logs from the Web user interface.
All the files for these logs (with the .log extension) can be downloaded as a .zip archive by clicking
on the dedicated icon on the right part of the concerned page.
WALLIX Bastion gathers the following system logs:
• "syslog" displayed from the "Syslog" page on the "System" menu. This log shows the session logs,
i.e. the majority of messages on proxy operation or the use of the Web administration interface.
• "dmesg" displayed from the "Boot Messages" page on the "System" menu. This log shows the
system start log.
• "wabaudit" displayed from the "Audit Logs" page on the "Configuration" menu. This log shows
the connections and operations performed by the auditors and the administrators.
Furthermore, all log and debugging information files can be downloaded from the "Status" page on
the "System" menu.
Note:
Some system logs saved in partition /var/log are stored for a maximum time period
of 5 weeks.
8.6. Network
From the “Network” page on the “System” menu, you can define and edit the network configuration
of the appliance.
49
You can edit the following configurations:
• the host name

• the domain name
• the network interfaces, including the VLAN interfaces, the bonding interfaces and the virtual
interfaces.
Important:
The eth1 interface (port 2 on appliances) is reserved for high-availability (HA)
interconnection. No other services can be mapped to this interface. For further
information, refer to Section 8.11.1, “Service mapping”, page 59.
When enabling an IPv6 network interface, it is required to select an IPv6 configuration
method from the list in the “IPv6 method” field. Five methods are available:
– “Automatic”: allows SLAAC and the DHCPv6 server to assign IPv6 addresses, the
router to set routes and the DHCPv6 server to set the DNS parameters
– “Stateful DHCPv6 only”: allows the DHCPv6 server to assign an IPv6 address and
set the DNS parameters, and the router to define routes
– “SLAAC address only”: allows SLAAC to auto-configure IPv6 addresses and only
set the default and on-link routes
– “Manual”: allows to manually assign a static IPv6 address and the subnet prefix
length
– “Link-local only”: allows only to auto-assign the link-local IPv6 address (with the prefix
FE80::/64)
You can also:
• add bonding interfaces

To do this, select the desired mode (“active-backup” or “802.3ad (LACP)”) for the new bonding
interface in the “Interface bonding” frame then click on the “+” button to add this interface. It is then
required to link this “master” bonding interface with a “slave” physical interface in the “Interfaces”
frame by selecting its name from the list in the “Bonding interface” field.
Important:
interconnection. It cannot be selected for interface bonding.
An interface can only be disabled by deselecting the the “Enable IPv4” or “Enable IPv6”
option when it is not mapped to any service on the “Service Control” page. For further
information, refer to Section 8.11, “Service control”, page 59.
To perform interface bonding, the “slave” physical interface cannot be linked to a VLAN,
a virtual interface or a route.
For further information on the “active-backup” and “802.3ad (LACP)” modes supported
for interface bonding, refer to https://www.kernel.org/doc/Documentation/
networking/bonding.txt.
• add routes
• define the default IPv4 and IPv6 egress interfaces and the related gateways
50
• enable IP source routing
To define IP source routing and thus enable inputs and outputs on the same physical interface,
it is required to check the box of the “Enable IP source routing” option in the “Routes” frame.
Routing is then enabled for the physical and VLAN interfaces via the “Enable IPv4” or “Enable
IPv6” options in the “Interfaces” frame.
Important:
interconnection. It cannot be selected for IP source routing.
The default IPv4 and IPv6 egress interfaces can be selected from a list of physical
and VLAN interfaces enabled via the “Enable IPv4” or “Enable IPv6” options in the
“Interfaces” frame.
An interface can only be disabled by deselecting the “Enable IPv4” or “Enable IPv6”
option when it is not mapped to any service on the “Service Control” page. For further
information, refer to Section 8.11, “Service control”, page 59.
The IP address specified for the gateway must match the subnet configured for
the selected egress interface. If the default gateway is not specified, then outbound
connections from the Bastion may fail.
• enable ICMP redirect
To set ICMP redirect, it is required to check the box of the “Enable ICMP redirect” option in the
“Routes” frame.
• define entries in the “hosts” file
• add the DNS servers
Warning:
Before changing the WALLIX Bastion IP address used to communicate with the file server
configured with remote storage, we recommend disabling the remote storage and re-
enabling it after the IP address is changed. For further information, refer to Section 8.8,
“Remote storage”, page 53.
51
Figure 8.6. "Network" page
8.7. Time service

From the "Time Service" page on the "System" menu, you can configure the time zone in which
WALLIX Bastion is located.
This setting is especially important, as:
• date and time in WALLIX Bastion must be synchronized with the Kerberos authentication servers
• WALLIX Bastion is the time reference for escalated audit information and time frame management
52
Note:
By default, the time service is active and synchronized with the Debian project time
servers.
Figure 8.7. "Time Service" page
8.8. Remote storage

From the "Remote Storage" page on the "System" menu, you can enable the export of session
video recordings to a remote file system by setting the connection to an SMB/CIFS, NFS or Amazon
EFS server.
Note:
WALLIX Bastion moves automatically the recordings of recently terminated sessions from
local storage to remote storage. For further information, refer to Section 15.22, “Move
local session recordings to remote storage”, page 321.
When remote storage is enabled but the file server is temporarily unavailable, the
various features of WALLIX Bastion can still be accessed. The session recordings are
nonetheless kept on local storage during server unavailability.
Specify the following elements to set the connection:
• the remote file system type: SMB/CIFS, NFS and Amazon EFS are supported
• the protocol version
Note:
If “Automatic” is selected, then WALLIX Bastion will try to detect the version
automatically.
For SMB/CIFS, “Automatic” detection does not support protocol versions prior to
SMBv2.1.
For NFS, “Automatic” detection does not support protocol versions NFSv4.1 and
NFSv4.2.
53
For Amazon EFS, only “Automatic” detection is available and selected by default.
• the IP address or FQDN of the file server

• the port number of the remote service (except for Amazon EFS)
• the remote directory in which the recordings will be stored (except for Amazon EFS)
You must also specify for SMB/CIFS:
• the user name to log on to the remote service

• the password
The "Activate" button enables the configuration.
Figure 8.8. "Remote Storage" page
8.9. SIEM integration

From the “SIEM Integration” page on the “System” menu, you can configure the routing of the logged
information to one or more other network devices through SIEM or syslog servers.
Warning:
This page is only displayed when the “SIEM” feature is associated with the license key.
Specify the following information to set up the routing through a SIEM server:
• the IP address or FQDN of the server

• the transmission protocol (UDP, TCP or TLS)
Note:
It is also possible to configure the TLS client by adding of a specific configuration
file. For further information, refer to Section 15.27, “Configure TLS client for SIEM
integration”, page 323.
54
• the port number

• the log format (either the standard RFC 5424 format or the RFC 3164 format)
• when the RFC 3164 log format is selected, you can choose the time stamp format RFC 3164 or
ISO format (YYYY-MM-DDTHH:MM:SS±TZ). The ISO format also includes the year and time zone.
Note:
When upgrading from a version earlier than WALLIX Bastion 6.2.3, the RFC 3164
format is applied by default to all servers previously configured on this page.
The RFC 3164 format always applies to backups created only on WALLIX Bastion
version 6.x.
• the filters to select the logged information categories to send to the server. These filters
correspond to the object types in the logs.
Note:
When upgrading from a version earlier than WALLIX Bastion 8.2, all the logged
information categories are selected by default for all servers previously configured on
this page.
The logs will be sent to the selected IP address, port and via the selected transmission protocol
and will also be stored on the local file system so that they are always available in the “Audit logs”
page, on the “Configuration” menu. For further information on this log, refer to Section 8.5, “System
logs”, page 49.
For further information on data export, refer to Chapter 17, “SIEM messages”, page 331.
Figure 8.9. "SIEM Integration" page
8.10. SNMP
WALLIX Bastion includes an embedded SNMP agent with the following properties:
55
• Protocol versions supported: 2c, 3

• MIBs implemented: MIB 2, DISMAN-EVENT-MIB
• Support of alert mechanisms ("traps") and notifications related to disk consumption and CPU load
• No ACL on the source IP address
Note:
Port 161 should be opened to allow communication to WALLIX Bastion for read/write
access to OIDs.
Port 162 should be opened to allow communication from WALLIX Bastion for trap
notifications.
A default minimum value set to 20 parallel connections is required for each port.
From the "SNMP" page on the "System" menu, you can configure this agent by defining the related
settings.
The "General Settings" section consists of the following fields:
• "Sysname": enter the name of the system, e.g., "WALLIX Bastion 10.0.5"
• "Syscontact": enter the email address of the system administrator, in format "root@yourdomain"
• "Syslocation": enter the system location
• "Sysdescr": enter a description, if needed. This field is empty by default.
• "Status": choose to enable or disable the SNMP agent. The agent is disabled by default.
• "Enable trap notifications": select the check box to enable SNMP trap notifications. Trap
notifications are disabled by default.
• "Trap sink": enter the address of the receiver. This field is displayed and required when trap
notifications are enabled.
The "SNMPv2 Settings" section consists of the following fields:
• "Disable SNMPv2": select the option to disable the SNMP protocol version 2c
• "Community": enter the community name used to connect to WALLIX Bastion. This field is
displayed and required when the SNMP protocol version 2c has been enabled.
• "Trap community": enter the community name used when trap messages are sent. This field is
displayed and required when trap notifications and the SNMP protocol version 2c have been
enabled.
The "SNMPv3 Settings" section consists of the following fields:
• "Authentication passphrase": enter and confirm the authentication passphrase. This field must
be longer than 8 characters. The authentication passphrase must be set at the same time as the
encryption passphrase.
• "Encryption passphrase": enter and confirm the secret key for encryption. This field must be longer
than 8 characters. The encryption passphrase must be set at the same time as the authentication
passphrase.
• "Trap receiver configuration": this sub-section is displayed when trap notifications have been
enabled and the SNMP protocol version 2c has been disabled. It consists of the following fields:
– "Trap user": enter the user name used to authenticate on the trap receiver. This field is empty
by default.
56
– "Security level": select the appropriate security level and specify the related fields depending
on the selection.
If "Authentication only" is selected, enter and confirm the authentication passphrase and select
the authentication ciphering scheme (SHA or MD5).
If "Authentication and encryption" is selected, enter and confirm both the authentication
and encryption passphrases and select the related ciphering schemes (SHA or MD5 for
authentication and AES or DES for encryption).
The "Threshold values ( % )" section allows to specify the values above which notifications are
triggered. It consists of the following fields:
• "Disk consumption": update the percentage value related to the disk consumption, if needed.
Notifications are sent when the disk consumption exceeds this value.
• "Average CPU load": update the percentage values related to the average CPU load for 1-minute,
5-minute and 15-minute time slices, if needed. Notifications are sent when these values are
exceeded.
The values entered in this section can be reset by clicking on the button "Reset default threshold
values" on the bottom-left of the section.
Warning:
By default, the SNMP agent is disabled and it can only be enabled via the Web interface.
By default, trap notifications are disabled and they can only be enabled via the Web
interface. When enabled, only acknowledged traps (i.e. INFORM traps) are sent.
By default, the SNMP protocol version 2c is disabled on a fresh WALLIX Bastion and can
only be enabled via the Web interface.
The SNMP protocol version 3 is always enabled. However, both authentication and
encryption passphrases must be set at the same time for proper operation.
When Bastions are configured in HA mode, the SNMP agent monitors all the nodes via
the virtual IP address.
Examples of use for SNMP protocol version 2c:
$ snmpget -v2c -c WALLIXdefault 192.168.0.5 system.sysDescr.0

SNMPv2-MIB::sysDescr.0 = STRING: "WALLIX Bastion Version 10.0.5"
$ snmpget -v2c -c WALLIXdefault 192.168.0.5 system.sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (65833) 0:10:58.33
$ snmpget -v2c -c WALLIXdefault 192.168.0.5 IF-MIB::ifHCOutOctets.1
IF-MIB::ifHCOutOctets.1 = Counter64: 255823831
Examples of use for SNMP protocol version 3:
$ snmpget -v3 -l authPriv -u wabsnmp -a SHA -A <authpass> -x AES -X <privpass>

192.168.0.5 system.sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: "WALLIX Bastion Version 10.0.5"
192.168.0.5 system.sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (65833) 0:10:58.33
192.168.0.5 IF-MIB::ifHCOutOctets.1
57
IF-MIB::ifHCOutOctets.1 = Counter64: 255823831
Warning:
The system OIDs are defined in the MIB "SNMPv2-MIB". Please make sure this MIB is
installed on your client environment.
The SNMP agent can trace some specific data of WALLIX Bastion. A list of the variables
showing the data is available by downloading the following files:
• /usr/share/snmp/mibs/wallix/WALLIX-SMI and
• /usr/share/snmp/mibs/wallix/WALLIX-BASTION-MIB. This file WALLIX-
BASTION-MIB includes the descriptions of the variables and can be open with a text
editor.
These MIB files can also be downloaded as a .zip archive by clicking on the button
“Download MIB files” on the the top-right of the page.
The following command shows all the available variables:
• for SNMP protocol version 2c:
$ snmpwalk -v2c -c <community> 192.168.0.5 WALLIX-BASTION-

MIB::bastion
• for SNMP protocol version 3:
$ snmpwalk -v3 -l authPriv -u wabsnmp -a SHA -A <authpass> -x AES -

X <privpass> 192.168.0.5 WALLIX-BASTION-MIB::bastion
Figure 8.10. "SNMP" page with agent configuration
58
8.11. Service control

From the "Service Control" page on the "System" menu, you can define the service bindings for the
network interfaces and select the services to be enabled/disabled. For further information, refer to
Section 8.11.1, “Service mapping”, page 59 and Section 8.11.2, “Service activation”, page 60.
Figure 8.11. "Service Control" page
8.11.1. Service mapping

As an administrator, you can choose the services to be mapped to the network interfaces in the
"Service mapping frame". Thus it is possible to restrict the administration operations to a single
interface to improve the security of WALLIX Bastion.
Services are grouped into the following features:
• "User & audit features"

• "Administration features" and
• "High-Availability"
The "User & audit features" service group includes the access to targets and also historical data
and session recordings.
In order to be able to select the desired services, the network interfaces must be
previously configured on the "Network" page. For further information, refer to Section 8.6,
“Network”, page 49.
Important:
The interface eth1 (port 2 on appliances) is devoted, if present, to high-availability (HA)
interconnection. No other service can be mapped to it and the "High-Availability" service
cannot be mapped to any other interface. Therefore, the "High-Availability" service cannot
be selected if this interface is not present.
59
By default, the features specific to users (such as the target account access rights) and auditors
(such as the session audit rights) are not available on the Web administration interface but these can
be released by selecting the following check boxes: "User features (target account access rights)"
and "Audit features (session audit rights)".
A firewall is embedded in WALLIX Bastion, among other features, to protect WALLIX Bastion against
DDoS attacks. It is possible to restrict the parallel connections per IP to the Bastion to a pre-defined
number by selecting the option "Limit the number of parallel connections per IP" and specifying the
appropriate value in the field "Number of connections". The default value of this field is set to 10 and
the number of allowed parallel connections cannot exceed 999 connections per IP. As an example,
if the value entered in this field is "30" then a user can only perform 30 parallel connections to the
Bastion from their workstation.
The option "Enable path reverse filtering" is only relevant when WALLIX Bastion has two non-HA
interfaces configured with two different subnets (i.e. eth0 with subnet X and eth2 with subnet Y) and
the default route is set to one of the two interfaces (i.e. eth0).
By default, when a packet with a source IP address not belonging to subnet Y comes in through
interface eth2, WALLIX Bastion does not reply (no packet is going out through any of the two non-
HA interfaces). This is due to a reverse path filtering configuration set with the grsec kernel. For
further information on reverse path filtering, refer to http://tldp.org/HOWTO/Adv-Routing-
HOWTO/lartc.kernel.rpf.html.
If WALLIX Bastion should reply to the incoming packet (through the eth2 interface), then the reverse
path filtering should be unset.
When the option "Enable path reverse filtering" is selected, there is no reply from WALLIX Bastion
(on packets originating from a subnet different from the ingress interface).
When the option "Enable path reverse filtering" is deselected (by default), WALLIX Bastion replies
to all incoming packets (through the ingress interface).
8.11.2. Service activation

As an administrator, you can choose the services to be enabled in the "Service activation" frame.
The services which can be configured are as follows:
• GUI: WALLIX Bastion Web administration interface (port 443)

• RDP: RDP/VNC proxy (port 3389)
• SSH: SSH/SFTP/TELNET/RLOGIN proxy (port 22)
• SSHADMIN: WALLIX Bastion administration command line interface (port 2242)
When installing WALLIX Bastion, these services are automatically enabled by default.
In case of a restricted use of WALLIX Bastion, the administrator can activate/deactivate services
using a command line tool on the console or through the "ssh" command line interface (port 2242):
wabsuper$ sudo -i WABServices

##################################
# WALLIX Bastion Services Status #
##################################
gui : ENABLED
rdp : ENABLED
ssh : ENABLED
60
sshadmin : ENABLED
If no argument is entered, the current status of the service configuration is displayed.
The option "--help" lists the arguments which can be used to perform the configuration.
wabsuper$ sudo -i WABServices --help

usage: /opt/wab/bin/WABServices action [service's name]
Configure WALLIX Bastion Services
actions:
list list services status
enable enable a service
disable disable a service
The administrator must enter the following command to deactivate the GUI service:
wabsuper$ sudo -i WABServices disable gui

Configuration applied
Then, the administrator must enter the following command to activate it again:
wabsuper$ sudo -i WABServices enable gui

Configuration applied
8.12. SMTP server

From the "SMTP Server" page on the "System" menu, you can define/edit the mail server
configuration for the sending of notifications.
The SMTP server configuration page consists of the following fields:
• the protocol to use: SMTP (default value) or SMTPS or SMTP + STARTTLS

• the authentication method: None (default value), Automatic (the SMTP server chooses a method
automatically), PLAIN, LOGIN, SCRAM-SHA-1, CRAM-MD5, DIGEST-MD5 or NTLM
• the server address (IP or FQDN)
• the server port (default values: 25 for SMTP, 465 for SMTPS and 587 for SMTP+STARTTLS)
• the postmaster email which will receive emails from local services
• the sender name (default value: WALLIX Bastion)
• the certificate hash. This data must match the server certificate. This hash can be entered
manually or retrieved automatically by clicking on the "Check certificate" button. In this case, the
server address and port must be entered. When this hash has been entered manually, it can
be checked against the server certificate by clicking on the "Check certificate" button. In case
of mismatch between both certificates, an error is displayed and the hash can be modified by
clicking on the "Replace hash" button.
• the sender email
Caution:
The address specified in this field may also be used as a recipient for some system
alert emails.
• and possibly, a user name and password
61
To test the configuration, enter one or more destination addresses in the "Recipient email(s) for
test" field then click on the "Test" button.
Caution:
When WALLIX Bastion is configured in HA (or « High-Availability ») mode, the SMTP
server configuration is only spread out to the Slave node when the latter is switching from
Slave to Master.
Figure 8.12. "SMTP Server" page
8.13. Backup and Restoration

From the "Backup/Restore" page on the "System" menu, you can back up or restore a copy of your
WALLIX Bastion configuration.
Each backup is encrypted using a 16-character key. You must know the backup key before
performing a restore operation.
If a passphrase was defined on the backed-up Bastion, then it has to be entered again at restore
operation.
Warning:
• Only backups created from WALLIX Bastion version 6.0 or later can be restored
• Session recordings are not saved during a backup/restore operation
• All data edited or added after a backup will be lost if the backup is restored
• The administrator will be logged off. He/she must log on again with one of the accounts
included in the backup, which might be different from those in the system before the
backup/restore was performed
• It is possible to set the number of days during which backups are kept. This parameter
can be managed via "Configuration" > "Configuration Options" > "Global", then enter
a positive integer in the field "Remove backup older than". All backups older than this
value expressed in number of days are then removed.
• When restoring a backup in which an X509 certificate is not approved yet by the user's
browser, a security error message may be displayed in the “Backup/Restore” page.
Please refresh the page in order to approve it.
62
• The maximum size of a backup performed via the Web interface is 50 MB. For backups
larger than 50 MB, it is necessary to use the command line.
Figure 8.13. "Backup/Restore" page
8.13.1. Restoration of configuration files

When restoring, the configuration files related to specific settings located under the directory /etc/
opt/wab/ are restored aside of the current configuration which is thus not overwritten.
To use these elements, you will have to delete the current configuration files and rename in their
place the files restored from the backup which bare as an additional extension the name of the
backup followed by a timestamp set to the restoration time.
After renaming the files by removing the additional extension, you must restart the corresponding
services by entering the following commands:
# systemctl restart apache2

# systemctl restart mariadb.service
# systemctl restart wabrestapi
# systemctl restart wabgui
# systemctl restart sashimi
# systemctl restart redemption
However, most of configuration files specific to given services, keys and certificates are overwritten
in the current configuration during restoration.
These files are all located under the following directories:
• /var/wab/apache2/, as for example:

– the configuration for the X509 authentication activation status:
/var/wab/apache2/x509_ready
– the Apache server keys, certificates and CRLs for X509 authentication:
/var/wab/apache2/ssl.crt/*
63
/var/wab/apache2/ssl.crl/*
• /var/wab/etc/, as for example:
– the RDP proxy configuration:
/var/wab/etc/rdp/rdpproxy.ini
– the RDP proxy keys and certificate:
/var/wab/etc/rdp/*.pem
/var/wab/etc/rdp/rdpproxy.key
/var/wab/etc/rdp/rdpproxy.crt
– the SSH proxy private and public keys:
/var/wab/etc/ssh/*
Caution:
Note that properties related to the license, the FQDN and the MySQL database
password in /var/wab/etc/wabengine.conf/ are not overwritten during
restoration.
• /var/wab/config/, gathering system and network configuration files
8.13.2. Backup/Restoration from the command line

You can perform backup and restore operations using specific scripts.
8.13.2.1. Script for backup

wab2:~# /opt/wab/bin/wallix-config-backup.py -h
Usage: wallix-config-backup.py [options]
Options:
-h, --help show this help message and exit
-d DIRECTORY, --directory=DIRECTORY
Directory where you want to store your backup.
-s, --sdcard Set this option to store the Backup in the sdcard.
DIRECTORY is the directory path in which the backup file will be created.
Option -s can be used to create a copy on an external drive (SD Card or USB).
8.13.2.2. Script for restoration

wab2:~# /opt/wab/bin/wallix-config-restore.py -h
Usage: wallix-config-restore.py [options] -f FILENAME
wallix-config-restore.py [options] -s
Restores WALLIX Bastion backup from the specified file or from the sdcard. The
64
default behaviour is to restore the configuration part related to the network

page of the system settings menu only on the same host and in the same
standalone or HA mode. You can use options to ignore completely the system
settings and restore only the business data, or to force ignoring or restoring
the network part.
Options:
-h, --help show this help message and exit
-f FILENAME, --file=FILENAME
Provide the full path of the Backup file (.wbk).
Conflicts with -s
-s, --sdcard Enter in interactive mode to select file on SDcard.
Conflicts with -f
-a, --aes Set this option to force use of AES256 instead of GPG
symmetric cipher (for compatibility with old backup
files).
-b, --blowfish Set this option to force use of Blowfish instead of
GPG symmetric cipher (for compatibility with old
backup files). Overridden by -a
-S, --nosystem Set this option to not restore any system settings.
-N, --nonetwork Set this option to never restore network and HA
settings. Overridden by -S
--forcenetwork Set this option to force restoration of network and HA
settings. (Not recommended). Overridden by -S
FILENAME is the backup file path.

Option -s can be used to restore from the external drive (sdcard or USB).
Options -a and -b should not normally be used. Without these options, the file is GPG decrypted.
Option -S can be used to not restore the part of the configuration of the system settings (set in the
"System" menu). In this case, only the business data will be restored.
Option -N can be used to not restore the network configuration set on the "Network" page in the
"System" men) and the network addresses of the peer and the cluster when HA is enabled.
Option --forcenetwork, whose use is not recommended, can be used to force restoration of
the part of the configuration corresponding to the network configuration (set on the "Network"
page in the "System" menu), when restoration is done on a different machine or in a different
HA/standalone mode. In this case, files that were not previously in /var/wab/config such
as file ha.py or the files corresponding the system MAC addresses will be restored by
suffixing their name with the name of the backup without extension. For example, if archive
bastion.myhost_2019-05-01_16-30-00.wbk contains MAC file 01_02_03_04_05_06.py
but the 01:02:03:04:05:06 MAC address is not present on the system, the file will be renamed
01_02_03_04_05_06.py.bastion.myhost_2019-05-01_16-30-00. You can delete those
files or use information they contain to update corresponding files on your system before restarting
services.
8.13.3. Automatic backup configuration

WALLIX Bastion performs an automatic backup configured in a cron job. By default, this is performed
every day at 6:50 p.m. in the time zone in which WALLIX Bastion is located, as defined in the
"Time Service" page on the "System" menu. For further information, refer to Section 8.7, “Time
service”, page 52.
The files are stored in the directory /var/wab/backups.
65
You can change the time and frequency of the backups in /etc/cron.d/wabcore by changing
the line that runs the WABExecuteBackup command.
The fields are crontab fields, namely MINUTE, HOUR, DAY_OF_MONTH, MONTH and DAY_OF_WEEK.
The values authorized in each field are as follows:
• MINUTE: from 0 to 59
• HOUR: from 0 to 23
• DAY_OF_MONTH: from 1 to 31
• MONTH: from 1 to 12
• DAY_OF_WEEK: from 0 to 7 (0 or 7 for Sunday)
Each field can also be filled with an asterisk "*" corresponding to all possible values. Lists are also
permitted, with the values separated by commas and intervals, separating the range with a hyphen,
e.g. "1,2,5-9,12-15,21".
You can also change the path and the value of the key used by editing the file /opt/wab/bin/
WABExecuteBackup and changing the DIR and KEY values at the beginning of the file.
It is possible to set a key used to encrypt the automatic backup at generation. This parameter can
be managed via "Configuration" > "Configuration Options" > "Global", then enter a 16-character
string in the field "Backup key".
8.13.4. Automatic backup purge

WALLIX Bastion performs the purge of automatic backup stored files in a cron job. By default, this is
performed every day at 3:42 a.m. in the time zone in which WALLIX Bastion is located, as defined in
the "Time Service" page on the "System" menu. For further information, refer to Section 8.7, “Time
service”, page 52.
You can define a limit in hours, days or months to keep traces or specify the minimum acceptable
free space by setting the arguments of the following command:
# WABBackupPurge
When this command is executed, the purge is performed on the backup files according to the
specified arguments.
All backup files older than the STANDARD_BACKUP parameter value are deleted each time the
command is executed. This value corresponds to the number of days during which backups are
kept.
If the remaining disk space is lower than the MIN_FREE parameter value, then backup files
older than the CRITICAL_BACKUP parameter value are deleted until the value of the threshold
of the minimum acceptable free space is greater than or equal to the MIN_FREE value. The
CRITICAL_BACKUP value corresponds to the number of days during which backups are kept.
It is possible to set the number of days during which backups are kept and the threshold of
the minimum free disk space from the Web interface. These parameters can be managed via
"Configuration" > "Configuration Options" > "Global", then enter the appropriate values in the fields
“Keep critical backup newer than”, “Keep standard backup newer than” and “Keep min free disk
space”.
When the WABBackupPurge command is executed, the values in these fields are then considered
as the default values if the arguments CRITICAL_BACKUP, STANDARD_BACKUP and MIN_FREE
are not specified.
66
8.14. High-Availability
8.14.1. Operating limitations and pre-requisites
The WALLIX Bastion 10.0.5 HA active/passive type cluster does not have a load balancing function.
Both devices must be linked directly to each other using a Ethernet crossover cable through RJ45
port labelled "2".
The HA interfaces on both the "Master" and the "Slave" nodes must be configured with static IP
addresses belonging to the same subnet.
The system must be configured (especially the /etc/hosts and /etc/network/interfaces
files) from the Web interface or using the WABHASetup script to prevent desynchronization with the
configuration files of the replicated file system.
Both cluster nodes must be strictly at the same level regarding their WALLIX Bastion version and
hotfix numbers.
Warning:
The WALLIX Bastion HA feature is designed to answer hardware issues related to disk,
motherboard, network card, etc and is not supported through virtual appliances.
In a virtual environment, the setup is different as there is no "hardware" part. We thus
recommend using the High-Availability feature provided by VMware. The High-Availability
provided by VMware is available from the entry level VMware license (VMware vSphere
Standard) and requires at least two hypervisors. For further information, see https://
www.vmware.com/uk/products/vsphere/high-availability.html
Please also refer to the Quick Start Guide for further information.
Caution:
The following precautions need to be observed before implementing a new node in an
existing High-Availability configuration:
• the new node must be strictly at the same level as the other node regarding the WALLIX
Bastion version and hotfix numbers
• the new node must have the same number of configured interfaces, including VIPs and
VLANs but excluding HA VIPs (interfaces suffixed with “ha”).
• storage capacity for the hard drive coming with the new node must be equal to or
greater than the one of the former node
• System time of the new node must be synchronized with the one of the other node
8.14.2. Cluster configuration

1. Check that both devices are linked directly to each other using a Ethernet crossover cable
through RJ45 port labelled "2".
2. Start the two machines of the cluster starting either by one or the other. The devices are
delivered pre-installed, but the cluster feature is not configured.
67
3. Use the "wabadmin" account to log directly onto the "Master" and "Slave" device consoles.
Caution:
All data on the "Slave" will be permanently deleted!
4. Enter the "super" command then the "sudo -i" command to sign in as a super-user.
5. Check that the clocks of both cluster nodes are synchronized using the Linux "date" command
or by synchronization with an NTP server, as explained on Section 5.3.4, “Time service
configuration” in the Quick Start Guide.
6. Carry out the send notification test (refer to Section 5.3.5, “SMTP server configuration” in the
Quickstart Guide) to check that an SMTP server is configured and operational.
7. Check that both devices are configured with a static IP address, their "eth1" interfaces are setup
and they have different machine names. If not, proceed to the required adjustments on the GUI.
Note the IP address of the "eth1" interface of the "Slave" node which is required for answering
to the "Slave IP:" question during the execution of the "WABHASetup" command as described
in next step.
8. Run the "WABHASetup" command on the "Master" device console and follow the instructions:
wabsuper$ WABHASetup
Slave IP:
HA Virtual IP:
HA Virtual netmask:
HA Notification mail address:
...
Note:
A log file wabhasetup.log is created in the directory from which this command has
been launched and stores the output of the operation.
The WABHASetup command requests the interface configuration for all the physical
and VLAN interfaces which are mapped with services. For further information on
service mapping configuration, refer to Section 8.11, “Service control”, page 59.
9. The WALLIX Bastion cluster is now configured and enabled.
8.14.3. Starting the cluster

The cluster is now accessible on the virtual IP addresses specified in the WABHASetup
configuration tool. Only these addresses should be provided to your users.
The following email is sent to the address indicated at the end of the WALLIX Bastion High-
Availability configuration.
Subject: [WAB] - The WALLIX Bastion HA has been configured

This notification sums up your HA configuration. Initial MASTER node: ... Initial SLAVE node: ...
HA Virtual ip: ...
8.14.4. Stopping/Restarting the cluster

The administrator can use the maintenance commands below to check cluster operation.
68
Note that "Start" and "Stop" commands will only apply to the local node.
# sudo systemctl stop wabha

# sudo systemctl start wabha
Warning:
To avoid unintentional switch, we recommend stopping the "Slave" node before the
"Master" one and start the "Slave" node after the "Master" one.
To check the current state of a node, the administrator can use the following maintenance command:
wabsuper$ /opt/wab/bin/WABHAStatus
8.14.5. Recovery from fatal error (WALLIX Bastion HA is

locked down)
If the WALLIX Bastion HA detects a malfunction that it cannot automatically resolve (by restarting
the service concerned), the switch-over procedure is locked.
The WALLIX Bastion HA sends a notification raising the detection of a fatal error, then creates the
lock file and stops. The presence of this file prevents the HA from restarting thereby preventing it
from attempting to resolve the problem indefinitely.
After resolving the malfunction, you must manually delete this lock file using the following command :
affected_node# rm /etc/opt/wab/ha/fatal_error
8.14.6. Network outages and Split-Brain

If the nodes are still connected to the network but no longer connected to each other (network cable
between two switches disconnected, etc.), the passive node will become the "Master" (standard
procedure since from its point of view the "Master" is no longer active). Therefore, we now have a
configuration with two "Master" nodes and the data in the shared volume will start to diverge.
When the connection is restored, the DRBD layer of the shared volume will detect the divergence
(known as "Split-Brain") and the cluster will stop working. Indeed, because both machines have
continued to operate independently, their data is incompatible and manual intervention is required.
As explained in the notification, it is up to the administrator to select the most up-to-date node to
resolve the divergence. The notification contains the list of the last files modified on both Bastions.
There are three possibilities:
1. The outage was short and the nodes were not used (no sessions created, no accounts added,
etc.): in this case, the administrator can choose either of the nodes as the reference "Master".
2. The outage was short and/or only one of the nodes was actually used (shown by the presence of
session files and of more recent modification dates on only one of the nodes). The administrator
must select this node as the new reference "Master".
3. The outage was complex and both nodes were used in parallel (which is unlikely, related to a
serious network failure). The administrator must then select a node to be the new reference
"Master" (the one with the most modifications) and back up the data from the other node. Lastly,
the data must be manually imported to the new "Master".
Once the reference "Master" is chosen, follow the procedure below to restore the cluster:
69
outdated_node# drbdadm secondary wab

ref_master# drbdadm primary wab
outdated_node# drbdadm invalidate wab
ref_master# (drbdadm cstate WALLIX Bastion | grep -q StandAlone) && drbdadm
connect wab
outdated_node# (drbdadm cstate WALLIX Bastion | grep -q StandAlone) && drbdadm
connect wab
ref_master# systemctl start wabha
outdated_node# systemctl start wabha
8.14.7. Reconfiguring the cluster network

Warning:
All cluster maintenance operations must be performed on the "Master" node.
When Bastions are configured in HA mode, it is no longer possible to make network changes, such
as IP addresses, from the GUI. As the disks of both machines are synchronized through the network,
you must connect to the "Master" node in SSH and run the following command:
wabsuper$ WABHASetup --reconfigure_hosts

...
8.14.8. Replacing a faulty machine

Warning:
In the event of a node replacement, first disconnect the faulty device and start the replacement
WALLIX Bastion. Make sure to configure it with the same static IP address as the faulty node, and
then enter this command on the operational node:
wabsuper$ WABHASetup --configure_new_slave

...
8.14.9. Recovering a faulty volume

Warning:
In the event of a file system integrity error, detectable through the kernel messages (i.e.: "File
system is now read-only due to the potential of on-disk corruption. Please
run fsck.ext4 once the file system is unmounted."), proceed as follows:
1. Enter "sudo -i WABHAInitd --force stop" to turn off HA on both nodes, starting with the "Slave".
2. Check that the shared file system is removed from both nodes by entering "sudo -i umount /
var/wab".
3. Disable DRBD on the "Slave" mode by entering "sudo -i drbdadm secondary wab".
4. Enable DRBD on the "Master" mode by entering "sudo -i drbdadm primary wab".
70
5. Enter "sudo -i fsck.ext4 -y -f /dev/drbd1" on the "Master" node.
slave_node# WABHAInitd --force stop

master_node# WABHAInitd --force stop
8.14.10. High-Availability operation tests

To check the various error recoveries managed by the WALLIX Bastion HA feature, we recommend
proceeding with the following tests before rolling out the solution. We will refer to the current "Master"
node as "WabA" and to the "Slave" node as "WabB" in the following subsections.
8.14.10.1. Switching from "Master" to "Slave" (software)

Action: Turn off HA on the "Master":
WabA# systemctl stop wabha
Consequence: the "Slave" will detect the fault.

Notification: [WAB] - WALLIX Bastion HA master WabA error detected by the WabB!
(HA_MASTER_FAULT) Reason: Service unreachable on master node!
Result: the "Slave" takes over
Notification: [WAB] - The WALLIX Bastion HA master WabB is online
Full resolution: restart HA on the "Master" and it will become the new "Slave"
WabA# systemctl start wabha
Notification: [WAB] - The WALLIX Bastion HA slave WabA is online
8.14.10.2. Switching from "Master" to "Slave" (hardware)

Action: Physically turn off the "Master" (disconnect the power cord):
Consequence: the "Slave" will detect the fault
Notification: [WAB] - WALLIX Bastion HA master WabA error detected by the WabB!
(HA_MASTER_FAULT) Reason: Host does not respond to ping...
Result: the "Slave" takes over
Notification: The [WAB] - WALLIX Bastion HA master WabB is online
Full resolution: restart the "Master" and it will become the new "Slave"
Notification: the [WAB] - WALLIX Bastion HA Slave WabA is online
8.14.10.3. Fault detected on the "Master"

Action: Inject a fault on the "Master" (i.e. ssh service disabled):
WabA# mv /etc/ssh/sshd_config /etc/ssh/sshd_config.tmp

WabA# systemctl stop ssh
Consequence: Both nodes will detect the fault (ssh not accessible)
Notifications: [WAB] - WALLIX Bastion HA master WabA error detected by WabA Reason: Service
ssh isn't responding and we couldn't restart it!
71
Notifications: [WAB] - WALLIX Bastion HA master WabA error detected by WabB Reason: Host
respond to ping but ssh service is down, will try to switch to master...
Result: the "Slave" will take over and the "Master" will be downgraded to "Slave"
Notification: [WAB] - The WALLIX Bastion HA Slave WabA is online
Full resolution: repair the fault so that WabA can become the "Master" again
WabA# mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config

WabA# systemctl start ssh
8.14.10.4. Fault detected on the "Slave"

Action: Physically turn off the "Slave" (disconnect the power cord)
Consequence: the "Master" will detect the fault
Notification: [WAB] - The WALLIX Bastion HA slave WabB is no longer connected to master WabA!
Master data replication isn't working.
Result: data replication interrupted, but the volume is still working (in degraded mode)
Full resolution: restart the "Slave"
Notification: [WAB] - The WALLIX Bastion HA slave WabB is online
Note: If the volume of data on the degraded "Master" is negligible (e.g. no new session),
synchronization takes place instantaneously. If not, a notification is sent.
Notification: [WAB] - The WALLIX Bastion HA cluster synchronization completed! The data on both
nodes is now fully synchronized.
8.14.10.5. Loss of connectivity between both nodes

Action: Disconnect one of the network nodes or make sure that both Bastions cannot communicate,
e.g. with iptables:
WabA# iptables -A INPUT -s IpWabB -j DROP; iptables -A OUTPUT -d IpWabB -j DROP

WabB# iptables -A INPUT -s IpWabA -j DROP; iptables -A OUTPUT -d IpWabA -j DROP
Consequence: both nodes will detect the fault. The "Master" will continue to operate in degraded
mode.
Notification: [WAB] - The WALLIX Bastion HA slave WabB is no longer connected to master WabA!
Master data replication isn't working.
Notification: [WAB] - The WALLIX Bastion HA master WabA error detected by

sparewab2.corp.wallix.com Reason: Host does not respond to ping...
Consequence: the "Slave" will assume that the "Master" is turned off and will switch over to "Master"
and will operate in degraded mode.
Notification: [WAB] - The WALLIX Bastion HA slave WabA isn't connected to the master master
WabB anymore! Master data replication isn't working.
72
Result: the shared volume will start to diverge between both nodes. The most probable case is that
one of the nodes is no longer on the network, in which case the resolution is simple: reconnect both
Bastions or if you have used iptables:
WabA# iptables -F
WabB# iptables -F
Notification: [WAB] - The WALLIX Bastion HA disks diverged (split brain detected) The WALLIX
Bastion HA drbd shared volume is now disconnected. Peers have lost connection with each other
and both have switched to master node... Data can't be synced cleanly! You need to manually
discard the changes on one of the nodes.
Once you find out the out-of-date node, follow the procedure below:
failing_node# drbdadm secondary wab

recent_node# drbdadm primary wab
failing_node# drbdadm invalidate wab
failing_node# drbdadm connect wab
recent_node# systemctl start wabha
failing_node# systemctl start wabha
In full resolution, follow the instructions in the email:
WabB# drbdadm secondary wab

WabA# drbdadm primary wab
WabB# drbdadm invalidate wab
WabB# drbdadm connect wab
WabA# systemctl start wabha
WabB# systemctl start wabha
Notification: [WAB] - The WALLIX Bastion HA master WabA is online
Notification: [WAB] - The WALLIX Bastion HA slave WabB is online
73
Chapter 9. Users
Important:
formats.
The "Users" menu allows you to create and manage WALLIX Bastion users/administrators.
You can also configure the user groups to which the authorizations apply. For further information,
refer to Chapter 14, “Authorization management”, page 301.
Note:
User account names are not case sensitive but case is preserved as account is created.
9.1. User accounts

The "Accounts" page allows you to:
• list user accounts according to a filter on local accounts or domain accounts from LDAP and
Active Directory domains. When an LDAP or Active Directory domain is selected from the list,
then the users from the directory mapped with a user group in WALLIX Bastion are displayed. For
further information on this mapping, refer to Section 9.9, “Configuration of LDAP, Active Directory
or Azure AD domain mapping”, page 118.
• add/edit/delete a user account
• identify the users for whom the "Credential recovery" right is enabled in their profile: a key icon
is then displayed in the "Profile" column on the related line. These users receive an email
gathering the target account passwords in case of password change. For further information,
refer to Section 11.4, “"Break glass" mechanism configuration”, page 241.
For further information on user profiles, refer to Section 9.3, “User profiles”, page 87.
• release the lock of a user account by clicking on the padlock icon displayed in the "Status"
column on the related line. A user account is locked when the maximum number of allowed
authentication failures defined in the local password policy has been reached. For further
information, refer to Section 9.6, “Local password policy configuration”, page 99.
• identify the users for whom the account is active: a tick icon is then displayed in the "Status"
column on the related line.
• identify the users for whom the account has expired: an hourglass icon is then displayed in the
"Status" column on the related line. The account expiration date can be set during the creation
or modification of the account.
• identify the users for whom the account is disabled: a warning icon is then displayed in the
column "Status" column on the related line. The user account deactivation can be set during the
creation or modification of the account.
• access the detail of the account to view the user's rights on the GUI but also their authorizations
regarding devices, applications and target accounts
• import users from a .csv file which can be used to populate the WALLIX Bastion user database
74
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
Figure 9.1. "Accounts" page
9.1.1. Add a user

From the "Accounts" page, click on "Add a user" to display the user creation page.
The user creation page consists of the following fields:
• the user name used to log on to the Web user interface and proxies.
• a name, used to identify the person to whom the user name belongs
• an email address which can be modified later on by the user
• a field to upload a GPG public key: the user will receive the new password in an encrypted email.
This key can be modified later on by the user.
Warning:
If the GPG key is not specified for the user with the “product_administrator” or
“operation_administrator” profile, then a warning email is sent daily to notify the user
of the missing declaration of the GPG key.
The sending of this warning email can be managed via the “Missing GPG key warning
email” option in the menu “Configuration” > “Configuration options” > “Global”. By
default, this option is enabled.
• a preferred language, used to select the language in which the messages sent to the user from
the proxies are displayed. This choice can be modified later on by the user.
• a profile, used to define the user rights and limitations (refer to Section 9.3, “User
profiles”, page 87)
• a check box to indicate whether the user account is disabled. If so, this user will not be allowed to
log on to the WALLIX Bastion Web interface and proxies. This check box is deselected by default.
75
Caution:
If this check box is deselected and no rights are defined in the user profile, then the
user will not be allowed to log on to the WALLIX Bastion Web interface, the REST API
Web Service and RDP/SSH sessions.
• a field including a calendar (displayed with a right-click) to select, if needed, the account expiration
date
• a list of groups, used to select the groups into which the user should be included. You can
also add a user to a group in the add or edit page for a group (refer to Section 9.2, “User
groups”, page 83)
• an authentication procedure, which may be different for each user (refer to Section 9.8, “External
authentication configuration”, page 109). You can select several procedures to indicate the
backup servers for external authentications (LDAP, RADIUS, etc.)
• if the chosen authentication procedure is "local_password":
– a field to enter and confirm a password: there may be certain requirements regarding
the passwords the system will accept (refer to Section 9.6, “Local password policy
configuration”, page 99). This password can be modified later on by the user.
– a field to force the password change for the user. The latter will then receive a notification
message indicating that their account has been created and that the password must be
changed at first login (see also Section 8.12, “SMTP server”, page 61). If the administrator
forces password change, the user will have to change the password next time they will
authenticate either on the login screen of WALLIX Bastion or when connecting to the RDP or
SSH session. No access will be granted as long as the password is not changed.
• if the chosen authentication procedure is "local_sshkey", a field to upload or enter manually an
SSH public key using RSA, ED25519 or ECDSA algorithm. This key can be modified later on
by the user.
Warning:
It is not possible to set a key if no algorithm is allowed for the SSH public key on the
"Local Password Policy" page from the "Configuration" menu. For further information,
refer to Section 9.6, “Local password policy configuration”, page 99.
This key must be in the OpenSSH format. Otherwise an error message is displayed.
If you use PuTTYgen to generate the key, you must save in a text file the public key
displayed in the OpenSSH format during the generation. As an example, this key is
labelled as follow:
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0yR9lBQov6[.....]c3xu9p/xNjw==
rsa-key-20151204"
You can then upload this key on the dedicated area on this page.
If a key already exists, you can load a private key using Puttygen in order to generate
the corresponding public key in the appropriate format.
• if the chosen authentication procedure is "local_x509" a field to enter the DN (i.e. "Distinguished
Name") of the certificate to allow the user authentication (refer to Section 9.7.4, “User
authentication configuration”, page 105) when X509 authentication is set for WALLIX Bastion
76
• a source IP/subnet address or range of addresses to restrict the access to this address/range of
addresses for proxies and the Web interface.
Figure 9.2. "Accounts" page in addition mode
9.1.2. Edit a user

From the "Accounts" page, click on a user name and then on "Edit this user" to display the user
modification page.
The fields in this page are the same as those in the user creation page.
Note:
If the "password" field is not changed, the user password is not modified.
9.1.3. Delete a user

From the "Accounts" page, check the box at the beginning of the line(s) to select the related
account(s), then click on the trash icon to delete the selected line(s). WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).
9.1.4. View the user's rights on the GUI
77
From the "Accounts" page, click on a user name to display the user data and expand the "Rights
on GUI" area to view the related data for this user.
9.1.5. View the devices, applications and target accounts

accessible by a user
From the "Accounts" page, click on a user name to display the user data and expand the following
areas to view the related authorizations:
• "Authorizations on devices": this area shows the list of the devices which can be accessed by
this user
Click on the icon at the beginning of a line to download the configuration file to establish a
connection.
• "Authorizations on applications": this area shows the list of the applications which can be
accessed by this user
Click on the icon at the beginning of a line to download the configuration file to establish a
connection.
• "Authorizations on accounts": this area shows the list of the target accounts which can be
accessed by this user
9.1.6. Import users

You can import users from:
• a .csv file or
• a company directory (LDAP or Active Directory) if you only want to replicate a snapshot of
your directory into the WALLIX Bastion database. You can use the LDAP domain integration
functionality that makes direct use of the directory (refer to Section 9.9, “Configuration of LDAP,
Active Directory or Azure AD domain mapping”, page 118).
9.1.6.1. Import users from a .csv file

You can import users from a .csv file which can be used to populate the WALLIX Bastion user
database:
• from the "CSV" page on the "Import/Export" menu. You can select the "Users" check box to import
the related data. The field and list separators can also be configured.
• or from the "Accounts" page on the "Users" menu. You can click on the "Import CSV file" icon at
the top right of the page to import the related data. You are then redirected to the "CSV" page on
the "Import/Export" menu: the "Users" check box is automatically selected to import the related
data. The field and list separators can also be configured.
The file must begin with a line containing the following tag:
#wab910 user
Important:
Data related to the users' password, SSH key or X509 DN is not provided in the .csv file
when exporting users. It must then be specified in the .csv file prior to import.
The update of existing data when importing a .csv file overwrites old data.
78
Warning:
The first line of the .csv file containing the tag must not be modified. If this line is modified,
the file can no longer be imported into WALLIX Bastion.
Each subsequent line must be formed as follows:
Field Type R(equired)/O(ptional) Possible values Default

value
Username Text R [aA-zZ], [0-9], '-', '_' N/A
Groups Text O [aA-zZ], [0-9], '-', '_' N/A
There can be several groups

for the same user.
If the user group does not

exist, it is created with the
default time frame set as
"allthetime".
Full name Text O Free text N/A
Source IPs IP/FQDN O [aA-zZ], [0-9], '-', '_' N/A
Can be either an IP address or

a domain or an IP range (e.g.
"10.10.10.11-10.10.10.42").
Profile Text R Profiles defined N/A
Account Date and O YYYY-MM-DD and HH:MM N/A
expiration time
date Date and time at which the
account will expire
User Text R Authentications defined N/A
authentications
There can be several
authentications for the same
user.
Public key Text Required when [aA-zZ], [0-9], '-', '_' N/A
authentication is
"local_sshkey"
The corresponding data

is not provided in
the .csv file when
exporting users. It must
then be specified in
the .csv file prior to
import.
Password Text Required when Free text N/A
authentication is
"local_password" Must be compliant with
the current password
The corresponding data policy (number of special
is not provided in characters, etc.).
79

value
the .csv file when When the import is performed
exporting users. It must from WALLIX Bastion 6.1:
the .csv file prior to • if this field is empty, then
import. the password is deleted
during import. Caution!
The import cannot be
performed if there is
no other authentication
method (SSH key, etc.) for
the user.
• if this field is filled with the
[hidden] keyword, then
the existing password is not
modified. Caution! If there is
no existing password for the
account, then this field is set
at [hidden].
• if this field is filled with
a value other than the
[hidden]keyword, then
the password is updated
with this new value
Caution! When the import is

performed from a WALLIX
Bastion whose version is
earlier than 6.1 and if this field
is empty, then the password is
NOT deleted during import.
Email Text R Email address N/A

Force Boolean R True or False False
change
password
Lock counter Integer O Authentication failure counter 0
number
Positive integer number, will
lock out the user if greater
than or equal to the value
of the maximum number
of allowed authentication
failures per user specified in
the password policy.
Last Text O This field is ignored. N/A
connection
Preferred Text O "de" for German "en"
language
"en" for English
80

value
"es" for Spanish
"fr" for French
"ru" for Russian

Certificate Text Required when A certificate DN as mentioned N/A
DN authentication is in Section 9.7.4, “User
"local_x509" authentication
The corresponding data
is not provided in
the .csv file when
exporting users. It must
the .csv file prior to
import.
Disabled Boolean O True or False False
Option used to define

if the user account is
disabled or not.
Example of import syntax:

#wab910 user
martin;linuxadmins;Pierre Martin;;user;;local;;jMpdu9/
x2z;martin@wallix.com;False;0;;fr
;/C=FR/O=Wallix/CN=PKI_USER;False
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
9.1.6.2. Import users from an LDAP or AD directory

From the "Users from LDAP/AD" page on the "Import/Export" menu, you can import the user data
stored in a remote directory to populate the WALLIX Bastion internal ACL database.
This procedure only allows you to import users from a remote directory. If you wish to include
users to an LDAP domain from a directory and remain synchronized with any updates made in
this directory, refer to Section 9.9, “Configuration of LDAP, Active Directory or Azure AD domain
mapping”, page 118.
Warning:
If the imported users should authenticate on the directory used for the import, you
must first create the authentication method (see also Section 9.8.1, “Add an external
authentication”, page 110).
Case 1: Import users from an LDAP directory without using Active Directory
To import users from an LDAP directory without using Active Directory, enter the fields on the "Users
from LDAP/AD" page as follows:
81
• "Server": enter a server address (IP or FQDN)

• "Port": the default connection port is specified. It can be modified if needed.
• "Active Directory": the check box must not be selected
• "Encryption": select the appropriate encryption protocol. The connection port is then updated
depending on the selection.
Note:
For further information on TLS configuration, refer to Section 15.26, “Configure TLS
options for LDAP external authentication”, page 323.
• "Base DN": specify the organization unit "Distinguished Name"

• "User name attribute": specify the name of the LDAP user attribute which will be used for the
WALLIX Bastion user name
• "User email attribute": enter the user’s email address attribute
• "Search filter": the query allowing to retrieve all the users from the directory is specified by default.
It can be modified to retrieve the appropriate users using LDAP syntax.
• "Bind method": select either the anonymous or the simple bind method. When the simple bind
method is selected, the "User" and "Password" fields are then displayed.
• "User" and "Password": specify a user name and a password to use for searching the user name
in the directory. These fields are not displayed when the anonymous bind method is selected.
Note:
The user must have read rights for the base DN used.
Case 2: Import users from an LDAP directory using Active Directory

To import users from an LDAP directory using Active Directory, enter the fields on the "Users from
LDAP/AD" page as follows:
• "Server": enter a server address (IP or FQDN)

• "Port": the default connection port is specified. It can be modified if needed.
• "Active Directory": select the check box
• "Encryption": select the appropriate encryption protocol. The connection port is then updated
Note:
• "Base DN": depends on the domain name. For example, for the domain "mycorp.lan", the base
DN should be "dc=mycorp,dc=lan"
• "User name attribute": the connection attribute is "sAMAccountName"
Caution:
Due to an Active Directory limitation, the “sAMAccountName” attribute must be up to
20 characters long and cannot contain the following characters: "/\[]:;|=,+*?<>
82
• "User email attribute": enter the user’s email address attribute

• "Search filter": the query allowing to retrieve all the users from the directory is specified by default.
It can be modified to retrieve the appropriate users using AD syntax.
• "Bind method": select either the anonymous or the simple bind method. When the simple bind
method is selected, the "User" and "Password" fields are then displayed.
• "User" and "Password": specify a user name and a password to use for searching the user name
in the directory. These fields are not displayed when the anonymous bind method is selected.
Note:
Once the fields are entered, click on the "Import" button.
If the import is successful, a page listing the users extracted from the directory is displayed: choose
the users you wish to import in WALLIX Bastion by selecting the check box at the beginning of the
concerned line. Before final import, you must assign an authentication and a profile to the selected
users. A user group and a domain name can also be assigned to the selection.
Click on the "Import" button to import data on the user database of WALLIX Bastion.
Once the import operation is performed, a summary report is displayed. This report lists the number
of users which were created/rejected in the WALLIX Bastion database. In case of rejection, the
corresponding error is mentioned.
Note:
The user name of the imported user is based on the following syntax:
• “domain_name\sAMAccountName” for an LDAP directory without using Active

Directory or
• “domain_name\uid” for an LDAP directory using Active Directory
9.2. User groups

The "Groups" page allows you to:
• list declared user groups

• add/edit/delete a group
• view the members of each group
• import user groups from a .csv file which can be used to populate the WALLIX Bastion user
database
Note:
The administrator cannot view on this page the profile defined for a group (displayed in
the “Profile” field) when this profile has at least one permission that the administrator's
profile cannot grant as a transferable right. For further information, refer to Section 9.3,
“User profiles”, page 87.
83
Figure 9.3. "Groups" page
9.2.1. Add a user group

From the "Groups" page, click on "Add a group" to display the user group creation page.
The user group creation page consists of the following fields:
• the group name

• a description
• the time frame(s) to apply
Note:
If several time frames are selected, the time frame applied is the combination of all the
selected times frames.
• a list to select the users in the group

• a list of actions to apply when certain character sequences (defined in the "Rules" field)
are detected in the upward flow from proxies (refer to Section 10.5.1.7.1, “SSH flow
analysis / Pattern detection”, page 187 and Section 10.5.1.7.2, “RDP flows analysis / Pattern
detection”, page 192)
Warning:
Character sequence detection is only enabled for data sent by the client to the
server and only for connections under specific protocols (available in the list from the
"Subprotocol" field).
• in case of LDAP, AD or Azure AD integration, as described in Section 9.9, “Configuration of LDAP,

Active Directory or Azure AD domain mapping”, page 118, the fields in the “Authentication
domain mapping” frame allow to set the profile of the user group members.
Warning:
When there is no LDAP, AD or Azure AD authentication domain configured in WALLIX
Bastion, the “Authentication domain mapping” frame is not displayed on this page.
84
Figure 9.4. "Groups" page in addition mode
9.2.2. Edit a user group

From the "Groups" page, click on a group name and then on "Edit this group" to display the user
group modification page.
The fields in this page are the same as those in the user group creation page.
The field "Authorizations" lists the active authorizations linked to the user group.
Note:
The administrator cannot view the area “LDAP authentication mapping” when the
profile mapped to the group has at least one permission that the administrator's profile
cannot grant as a transferable right. For further information, refer to Section 9.3, “User
9.2.3. Delete a user group

From the "Groups" page, check the box at the beginning of the line(s) to select the group(s), then
click on the trash icon to delete the selected line(s). WALLIX Bastion displays a dialogue box
requesting a confirmation before permanently deleting the line(s).
Warning:
You cannot delete a user group linked to active authorizations (refer to Chapter 14,
“Authorization management”, page 301).
85
9.2.4. View the user group members

From the "Groups" page, click on a group name to display information regarding this group: the
"Users" field contains the list of the users in this group.
Figure 9.5. "Groups" page - Group information summary
9.2.5. Import user groups

From the "Groups" page, click on the "Import CSV file" icon at the top right of the page to import
the related data. You are then redirected to the "CSV" page on the "Import/Export" menu: the "User
groups" check box is automatically selected to import the related data. The field and list separators
can also be configured.
#wab910 usersgroup
Important:
Warning:
Field Type R(equired)/ Possible values Default value

O(ptional)
Name Text R [aA-zZ], [0-9], '-', '_' N/A
Description Text O Free text N/A
Profile Text O Profiles defined N/A
Time frame Text R Time frames defined N/A
There can be several time

frames for the same user
group.
Users Text O Users defined N/A
86

O(ptional)
There can be no user or one
or several users defined.
9.3. User profiles

The "Profiles" page allows you to:
• list user profiles

• add/edit/delete a user profile
• define the administration rights and limitations on WALLIX Bastion for a profile
• import user groups from a .csv file which can be used to populate the WALLIX Bastion user
database
9.3.1. Default profiles

WALLIX Bastion is configured with default user profiles. These predefined profiles displayed on the
"Profiles" page are as follows:
• "approver": this profile can accept/reject approval requests to access target accounts
• "auditor": this profile can view WALLIX Bastion audit data (refer to Section 12.3, “Audit
data”, page 248) but cannot access target accounts
• "operation_administrator": this profile can perform any operation. However, it has no access to
the following features: the "System" menu (including system backup and restoration), the "Audit"
menu, all the system logs and the target accounts.
• "disabled": this profile has no rights; it can be edited or deleted if unused but it should not be used
to disable a user account. We recommend selecting the "Disabled" option on the user account
add/edit page if you wish to disable a user. For further information, refer to Section 9.1, “User
accounts”, page 74.
Caution:
The "disabled" profile is only displayed on an upgraded version of WALLIX Bastion as it
is inherited by default from a former version. During the upgrade, users with the former
"disabled" profile are automatically linked to the "user" profile and the "Disabled" option
on the user account edit page is selected by default.
• "system_administrator": this profile has full system administration rights via the "System" menu.
It can change the appliance configuration, access the console to create and restore backups and
view all the system logs. However, this profile cannot access target accounts.
• "user": this profile has no administration rights but can access target accounts
87
• "product_administrator": this profile has full administration rights and can connect to target
accounts
Note:
The configuration for the factory-set administrator account is the
"product_administrator" profile.
9.3.2. Add a user profile

From the "Profiles" page, click on "Add a profile" to display the user profile creation page.
The user profile creation page consists of the following fields:
• the profile name

• an area ("Rights") to define the rights for the profile members
• an area ("Transferable rights") to define the rights which can be granted by the profile members.
This area is only displayed when the "Modify" right for the "Users", "User profiles" or "Settings"
feature is set on the "Rights" part.
• an area ("Other features") to specify limitations for the profile members
On the "Rights" part, you can set the authorizations for the main features of the Web interface
displayed from the WALLIX Bastion menu:
• "None": no rights: the menu entry will not appear when the user logs on
• "View": the user can view the elements created but cannot edit them
• "Modify": the user can view and edit elements
• "Execute" (only for backup/restoration): the user can perform a system backup or restoration
(refer to Section 8.13, “Backup and Restoration”, page 62)
Another option can be used to enable/disable the access to the target accounts.
The "Transferable rights" part is displayed if the "Modify" right for the "Users", "User profiles" or
"Settings" feature is set on the "Rights" part.
On the "Transferable rights" part, you can set the authorizations which can be granted by the profile
members. These authorizations are inherited from the rights set for the profile. The rights which can
be transferred by the profile members cannot overtake their own rights. As a consequence, a profile
cannot give permissions to modify a feature if it has not the right to modify this specific feature and
is not allowed to transfer this right (except for the "Session audit" and the "Target account access"
rights).
Note:
A user cannot view the profiles and the profile members having at least one permission
that this user does not have (except for the "Session audit" and the "Target account
access" rights).
However, this rule does neither apply to the "Groups" sub-entry in the "Users" menu nor
to the entries in the "Audit" menu.
On the "Dashboards" part, you can select the dashboards which can be viewed by the profile
members. The list of dashboards displayed on this area is inherited from the authorizations set for
your profile.
88
By default, the user associated with the “product_administrator” or “operation_administrator” profile

is allowed to view the “Administration” entry in the “Dashboards” menu.
By default, the user associated with the “product_administrator” or “auditor” profile is allowed to
view the “Audit” entry in the “Dashboards” menu.
On the "Other features" part, you can define limitations for the profile members from the following
fields:
• "IP limitations": define the source IP for which the access is restricted for primary connection.
This address can be a single IP address or sub-network mask or hostname.
• "User group limitations" and "Target group limitations": select the user groups and/or the target
groups which can only be viewed and managed by the profile members. The authorizations set
for the profile members will apply to these groups and the addition of users and/or target accounts
will be restricted to these groups.
If you define limitations on target groups, select from the list of values the default group to which
the new target accounts will belong.
The limitations which are defined on this section apply to the users linked to the profile, these can be
either local users or users imported from an LDAP/AD directory or members of a WALLIX Bastion
user group linked through an authentication mapping to a group from the LDAP/AD directory.
Warning:
If the target account access is allowed for a profile, we do not recommend defining
limitations for the profile members from the "Other features" part as it may lead to
functional inconsistencies.
Figure 9.6. "Profiles" page in addition mode
9.3.3. Edit a user profile

From the "Profiles" page, click on a profile name to display the user profile modification page.
The fields in this page are the same as those in the user profile creation page, except the "Profile
name" field which cannot be accessed.
89
Warning:
A predefined profile can neither be deleted nor edited.
9.3.4. Delete a user profile

From the "Profiles" page, check the box at the beginning of the line(s) to select the related profile(s),
then click on the trash icon to delete the selected line(s). WALLIX Bastion displays a dialogue box
Warning:
A predefined profile can neither be deleted nor edited.
You cannot delete a profile if at least one user is linked to this profile.
9.3.5. Import user profiles

From the "Profiles" page, click on the "Import CSV file" icon at the top right of the page to import the
related data. You are then redirected to the "CSV" page on the "Import/Export" menu: the "Profiles"
check box is automatically selected to import the related data. The field and list separators can also
be configured.
#wab910 profile
Important:
Warning:
Field Type R(equired)/ Possible values Default

O(ptional) value
Rights Text R Rights defined for the profile N/A
members.
Possible values:
-: none
r: right to "View"
w: right to "Modify"
x: right to "Execute"
90

O(ptional) value
These rights are to be defined
in compliance with the order
of the WALLIX Bastion Web
interface features' list displayed
for a given profile.
List of the features in the

appropriate order and possible
rights for each:
- Session audit ('-', 'r')

- System audit ('-', 'r')
- Users ('-', 'r', 'w')
- User groups ('-', 'r', 'w')
- Targets & accounts ('-', 'r',

'w')
- Target groups ('-', 'r', 'w')
- Manage Authorizations ('-',

'r', 'w')
- Manage Approvals ('-', 'r', 'w')
- User profiles ('-', 'w')
- Settings ('-', 'r', 'w')
- System settings ('-', 'w')
- Backup/Restore ('-', 'x')
- Credential recovery ('-', 'x')
A profile with the definition

--rrrrw---wx- is granted the
following rights:
- Session audit: none
- System audit: none

- Users: right to "View"
- User groups: right to "View"
- Targets & accounts: right to

"View"
- Target groups: right to "View"
- Manage Authorizations:
right to "Modify"
91

O(ptional) value
- Manage Approvals: none
- User profiles: none
- Settings: none
- System settings: right to
"Modify"
- Backup/Restore: right to
"Execute"
- Credential recovery: none
Target Boolean R True or False False
account
access
IP limitations IP/subnet/ O [aA-zZ], [0-9], '-', '/', '.' N/A
hostname
e.g. for subnet: 1.1.1.0/24
There can be either no network

address or a single address.
User group Boolean R True or False False
limitations
User groups Text O User groups defined N/A
There can be no user group

or one or several user groups
defined.
Target group Boolean R True or False False
limitations
Target Text O Target groups defined N/A
groups
There can be no target group
or one or several target groups
defined.
Default Text O Default target group defined N/A
target group
Transferable Text O Transferable rights defined for N/A
rights the profile members.
Possible values:
-: none
r: right to "View"
w: right to "Modify"
x: right to "Execute"
These rights are to be defined

in compliance with the profile
92

O(ptional) value
rights specified in the "Rights"
column.
List of the features in the
appropriate order and possible
rights for each:
- Session audit ('-', 'r')
- System audit ('-', 'r')

- Users ('-', 'r', 'w')
- Targets & accounts ('-', 'r',

'w')
- Manage Authorizations ('-',

'r', 'w')
- Manage Approvals ('-', 'r', 'w')
- User profiles ('-', 'w')
- Settings ('-', 'r', 'w')
- System settings ('-', 'w')
- Backup/Restore ('-', 'x')
- Credential recovery ('-', 'x')
A profile with the definition

--rrw---wx- is granted the
following rights:
- Session audit: none
- System audit: none
- Users: right to "View"
- Targets & accounts: right to

"View"
- Manage Authorizations:
right to "Modify"
- Manage Approvals: none
- User profiles: none
- Settings: none
- System settings: right to

"Modify"
- Backup/Restore: right to
"Execute"
93

O(ptional) value
- Credential recovery: none
Dashboards Text O Dashboard(s) selected for the N/A
profile.
Possible values: opsadmin

and/or audit or none.
9.4. User data retention policy

In the process of compliance with the GDPR requirements, WALLIX Bastion allows you to define
retention periods for the user data.
Warning:
When WALLIX Bastion is configured in High-Availability mode with DRBD, the user data
retention configuration is only spread out to the “Slave” node when the latter becomes
“Master” node after a switchover. It is recommended to force a DRBD switch in order to
display the new configuration on all nodes.
The “Data retention policy” section, available from “Configuration” > “Configuration options”, allows
you to configure the following options:
• “Remove user data older than”: it consists of deleting the users' data contained in the databases
of WALLIX Bastion, i.e. the data located in the following tables: account activity, answer,
approval, auth_log, session_log and user. Thus, all data older than the value defined in
this field in number of weeks (with the suffix “w” such as “10w” for 10 weeks) or in number of days
(with the suffix “d” such as “24d” for 24 days) is deleted. If no suffix is specified, then the value
is considered to be expressed in number of weeks.
Note:
The deletion of user data from the WALLIX Bastion databases is based on:
– for the account activity table: the date of the user's activity
– for the answer table: the creation date of the approval answer
– for the approval table: the end date of the approval
– for the auth_log table: the timestamp of the authentication logs
– for the user table: the deactivation date of the user
For further information on the session purge, refer to Section 15.20, “Export and/or
purge session recordings manually”, page 318 and Section 15.21, “Export and/or
purge session recordings automatically”, page 320.
• “Max delete objects”: it consists of the maximum number of objects, per data type, to delete from
the database. This field is displayed when the check box of the "Advanced options" field at the
top right of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
94
• “Remove user logs older than”: it consists of deleting the users' data contained in the logs of
WALLIX Bastion, i.e. the data located in the files saved in partition /var/log: syslog, debug,
error, user.log, wabaudit.log and wabauth.log. Thus, all data older than the value
defined in this field in number of weeks (with the suffix “w” such as “20w” for 20 weeks) or in
number of days (with the suffix “d” such as “36d” for 36 days) is deleted. If no suffix is entered,
then the value is considered to be expressed in number of weeks. The maximum retention time
for the logs is 365 days or 52 weeks.
Warning:
If the defined value for the option “Remove user data older than” is higher than the one
set for “Remove user logs older than”, then the log retention time takes into account the
value defined for “Remove user data older than”.
9.5. Notification configuration

WALLIX Bastion allows you to define notifications which are triggered and sent to the user if some
specific events are detected, such as:
• a wrong primary authentication, i.e. user authentication failure on WALLIX Bastion

• a wrong secondary authentication, i.e. a target authentication failure
• a login or a password checkout on a critical target
• a new SSH key fingerprint saved
• a wrong SSH key fingerprint detected
• an integrity error
Note:
When notifications are enabled for this event type, the email summarizes errors for
sessions older than 3 days by default. It is however possible to set a different value
for this number of days. To edit this parameter, go to “Configuration” > “Configuration
options” > “Session log policy”, then enter a positive integer in the field “Summarize
error older than” below section “IntegrityChecker”. If “0” is entered in this field, then
there is no error summary in the notification email.
• a RAID error
• a pattern detection during analysis of an RDP or SSH flow
• a license expiration warning
Note:
When notifications are enabled for this event type, the warning email will be sent 15
days, 10 days, 5 days and 1 day before the license expiration date.
It is also possible to define thresholds to trigger a notification to the administrator when
one of the license metrics has reached and/or exceeded these thresholds. For more
information, refer to Section 8.2.2, “Managing the sending of notifications”, page 46.
• a password expiration alert

• a disk space alert
From the “Notifications” page of the “Configuration” menu, you can add, edit or delete notifications.
95
9.5.1. Add a notification

From the “Notifications” page of the “Configuration” menu, click on the “+ Add” button to display
the notification creation page.
The notification creation page consists of the following fields:
• the notification name

• the notification description
• a toggle button to enable or disable the email notification. By default, the notification is enabled.
• the recipients' email address
Note:
Once you have entered a valid email address, click on “+ Add” to add it to the recipient
list. Once an email address is added, you have the possibility to delete it from the list
by clicking on the “-” icon.
You can add as many recipients' email as necessary.
• the language in which the notification will be issued to the recipient

• check boxes to select the event types which will trigger the notification
Figure 9.7. "Notifications" page in addition mode
96
Note:
You can configure the settings for sending emails on the “SMTP Server” page of the
“System” menu (refer to Section 8.12, “SMTP server”, page 61).
9.5.2. Edit a notification

From the “Notifications” page of the “Configuration” menu, click on a notification name. The
modification page opens and it is possible to edit the data already entered.
The fields of this page are the same as those on the notification creation page, except for the “Name”
field which cannot be edited.
9.5.3. Delete a notification

From the “Notifications” page of the “Configuration” menu, check the box at the beginning of the
line to select the notification you wish to delete, then click on the “Delete” button. WALLIX Bastion
displays a dialogue box requesting a confirmation before permanently deleting the notification.
9.5.4. Create custom notification templates

You can create custom notification templates from the command line in order to:
• modify the subject and body of the notifications to your specific needs
• send notifications in HTML format
Note:
Once a custom notification template has been created, the notification will be sent in the
following order:
• First, the custom notification in the user's language if a corresponding template exists.
For example: approval_pending_user_fr.txt
• Or the custom notification in English if a corresponding template exists. For example:
approval_pending_user_en.txt
• Or the default notification of WALLIX Bastion in the user's language. For example:
approval_pending_user.txt
To create a custom notification template, follow the steps below:
1. Connect to WALLIX Bastion via SSH.

2. Create a notification template in .txt format in the directory /var/wab/etc/notifier/.
Caution:
The name of the custom notification templates must be the same as the name of the
default notification templates, followed by the language suffix.
For example: approval_pending_user_en.txt.
97
To display the list of default notifications in order to copy the name, run
the following command: ls /opt/wab/lib/python3.7/site-packages/
wallixgenericnotifier/templates/mail.
3. Customize the notification template according to the following rules:

• The first line corresponds to the subject of the notification. It must fit on a single line
• The second line must contain two consecutive hyphens that indicate the separation between
the subject and the body of the notification. They will not be displayed in the mail received
by the user
• The other lines correspond to the body of the notification
• If necessary, the same variables as those of the default notifications can be
used. Their format must be as follow: {{name}}. The list of these variables is
available in the following directory: /opt/wab/lib/python3.7/site-packages/
wallixgenericnotifier/templates/mail/.
The table below lists the additional variables available for the custom notifications:
WALLIX Bastion's variables Description

{{ product_name }} Product name (“WALLIX Bastion” by default)
{{ product_name_short }} Short version of the product name (“Bastion” by
default)
{{ product_support_name }} Name of the Support Team (“WALLIX” by default)
{{ notifier.ip }} WALLIX Bastion user interface's IP address
{{ notifier.hostname }} WALLIX Bastion's hostname
{{ notifier.fqdn }} WALLIX Bastion's FQDN (if the FQDN is not set,
the hostname is used by default)
The table below lists the variables available for the custom approval notifications sent to users
asking for approval (all the templates: approval_*_user.txt):

{{ target }} Target name
{{ name }} Name of the user asking for approval
{{ answer_user }} Name of the approver (for a notification sent after
an answer)
{{ begin }} Start time (format: “YYYY-MM-DD hh:mm”)
{{ end }} End time (format: “YYYY-MM-DD hh:mm”)
{{ duration }} Duration, in time units (“h” for hours, “m” for
minutes)
{{ approvers }} Comma-separated list of approver names
{{ reason }} Reason given by the approver (for a notification
sent after an answer)
The table below lists the variables available for the custom approval notifications sent to
approvers (all the templates: approval_*_approver.txt):
98

{{ approval_uid }} UID of the approval request
{{ user }} Name of the user asking for approval
{{ target }} Target name
{{ begin }} Start time (format: “YYYY-MM-DD hh:mm”)
{{ end }} End time (format: “YYYY-MM-DD hh:mm”)
{{ duration }} Duration, in time units (“h” for hours, “m” for
minutes)
{{ approvers }} Comma-separated list of approver names
{{ reason }} Approval comment (“-” if not set)
{{ ticket }} Approval ticket (“-” if not set)
Example of custom notification template:
Your access request on {{ target }}

--
Target: {{ target }}
between {{ begin }} and {{ end }} ({{ duration }})
Your access request has been sent.
You will be promptly notified after your request is reviewed.

--
Your {{ product_name_short }} administrator.
4. If necessary, add the <html> element in the template in order to send a custom notification in
the HTML format as shown in the example below:
Your access request on {{ target }}

--
<html>
Target: {{ target }}
 
between {{ begin }} and {{ end }} ({{ duration }})
 
Your access request has been sent.
 
You will be promptly notified after your request is reviewed.
 
--
 
Your {{ product_name_short }} administrator.
</html>
9.6. Local password policy configuration

The password policy establishes a set of rules for storing local passwords. These rules define the
level of complexity for the password.
99
From the “Local Password Policy” page on the “Configuration” menu, you can define the password
policy and configure the password expiration time.
This page consists of the following fields:
• the password validity period in number of days. After this period, the user will be prompted for
password change on the login screen of WALLIX Bastion or when connecting to the RDP or SSH
session. We recommend configuring this setting for a period of less than one year.
Note:
A warning window displays when this field is updated to list the users whose password
will expire the next time they login.
• the period in number of days before the display of the first password expiration warning. We
recommend setting this period to a value of at least 20 days.
• the maximum number of authentication failures allowed per user. We recommend setting this
number to a value of at most 5 authentication attempts.
• the number of previous passwords which cannot be reused. We recommend rejecting at least
the last 4 passwords.
• the minimum length of the password. This value must be greater than the sum of the other length
constraints. We recommend setting this length to a value of at least 12 characters.
• the minimum number of special characters in the password. We recommend setting this number
to a value of at least 1 character.
• the minimum number of uppercase letters in the password. We recommend setting this number
• the minimum number of lowercase letters in the password. We recommend setting this number
• the minimum number of digits in the password. We recommend setting this number to a value
of at least 1 character.
• a list to select one or several algorithms allowed for the SSH public key. If the “RSA” algorithm is
selected, the minimum key length must be entered in the “Minimum RSA key length” field. This
value must not be lower than 1024 bits.
Note:
If no algorithm is selected, then the definition of the SSH public key cannot be performed
on the “My Preferences” page and the SSH public key cannot be set for the local user
on the “Accounts” page from the “Users” menu.
• a toggle button to allow passwords similar to the user name. We do not recommend allowing
similarity.
• a button to upload the file containing the list of banned passwords.
Note:
The file containing the list of banned passwords must be in a UTF-8 format.
• a button to download the file containing the list of banned passwords.
100
Figure 9.8. "Local Password Policy" page
9.7. X509 certificate authentication

configuration
X509 certificate authentication is supported by WALLIX Bastion to allow users to authenticate with
certificates.
From the “X509 configuration” page on the “Configuration” menu, you can configure the X509
authentication as well as Certificate Revocation Lists (CRLs) and the Online Certificate Status
Protocol (OCSP). To do so, select “Certificates”, “CRL” or “OCSP” from the drop-down list.
9.7.1. Setting X509 certificate authentication

9.7.1.1. Prerequisites for the configuration
Before setting up X509 authentication, make sure you have the following required elements:
• the public key in PEM format of the Certificate Authority which issued the server certificate. The
certificate may be auto-signed or issued by an accredited authority.
• the certificate in PEM format for the WALLIX Bastion Web server
• the private key in PEM format for the server certificate
101
9.7.1.2. X509 configuration

On the “Certificates” page, please follow the following steps to configure and enable the X509
authentication:
• In the “X509 server certificates” section:

1. Upload the server certificate in PEM format (it contains the public key) or the chained
certificate.
Warning:
If the signature algorithm of the server certificate is too weak, an error message is
displayed during the upload. Please contact the WALLIX Support Team for more
information.
2. Upload the server private key in PEM format.

• In the “X509 authentication” section:
1. Upload the CA certificate in PEM format (it contains the public key). If several CA certificates
exist, it is necessary to upload them one after the other.
2. Enable the authentication with the “Enable X509 authentication” button.
• Click on the “Apply” button to enable the X509 authentication and restart the Web interface of
WALLIX Bastion. This process may take a few seconds.
Warning:
If the X509 authentication is enabled, TLSv1.3 cryptographic algorithm for HTTPS
connection will be deactivated. However, this algorithm is activated by default when the
X509 authentication is disabled.
Note:
The WALLIX Bastion Web interface and the REST API Web Service are not available
during this set-up phase. The connections on the interface are thus disconnected.
However, RDP and SSH sessions are not affected.
102
Figure 9.9. "X509 configuration" page for the upload of certificates
9.7.2. CRL management

On the “CRL” page, please follow the following steps to manage CRLs:
1. Upload a CRL (Certificate Revocation List) file.

2. Specify an address from which the CRL is fetched automatically and hourly.
3. Enable the “Enable CRL checking” button to perform a check on the CRL. The check is disabled
by default.
4. Click on the “Apply” button.
Note:
The CRL files are stored in the directory /var/wab/apache2/ssl.crl/.
An uploaded file gathering several CRLs will be divided into several unit CRL files.
An uploaded CRL will only replace an old one if the number corresponding to the
“CRLNumber” is greater than or equal to the one of this former version.
This list can also be updated using a dedicated command. For further information, refer
to Section 15.30, “Update the CRL (Certificate Revocation List)”, page 326.
103
Figure 9.10. "X509 configuration" page for CRL configuration
9.7.3. OCSP management

The OCSP provides information on the certificate revocation status when a user connects to a
server using an SSL certificate. The OCSP responder receives the request and returns a response
message indicating that:
• the certificate is valid or

• the certificate is revoked or
• the information related to the certificate is unknown
On the “OCSP” page, please follow the following steps to manage the OCSP:
1. Select one of the three directives.

2. Specify the URL of the proxy which will be used for the queries to the OCSP responder. The
OCSP responder used is extracted from the certificate itself.
3. Specify the URI of the default OCSP server which will be used to override the OCSP responder.
4. Enable the “Enable OCSP validation of client certificate chain” button to validate certificates in
the client's certificate chain with an OCSP responder.
104
Figure 9.11. "X509 configuration" page for OCSP configuration
9.7.4. User authentication configuration

From the “Accounts” page on the “Users” menu, you need to configure the user's authentication
method.
The “Local authentication - X509” section and the “Certificate DN” field appear on the page when
adding or editing a user (refer to Section 9.1, “User accounts”, page 74). To associate the user
with the certificate, the DN (i.e. "Distinguished Name") of the certificate must be entered in the
“Certificate DN” field as follows:
CN=Lucas Martin,O=MyCorp,L=PARIS,ST=IDF,C=FR
When the certificate is used, the associated user will then be authenticated on WALLIX Bastion.
Caution:
Some certificates include the attribute "emailAddress" mentioned as "E =... " in the
certificate DN. This attribute must be replaced by "emailAddress =... " in the field provided.
Note:
The certificates must be signed by the same Certificate Authority as the Web server
certificate.
The Unicode character set is supported in the DN if the certificate is UTF-8-encoded

according to RFC2253, if not, only standard ASCII code is supported.
The maximum supported length of a DN is 1,024 bytes (the exact number of characters
may be less depending on the length of the UTF-8 encoding).
105
Figure 9.12. "Accounts" page in modification mode with the "Certificate DN" field
9.7.5. X509 authentication

9.7.5.1. X509 authentication on the Web interface
Upon the next log on, the WALLIX Bastion authentication page displays a new link to complete the
authentication using an SSL certificate.
106
Figure 9.13. Login screen with X509 authentication
Users and administrators can then log on using a saved certificate stored in the browser.
Figure 9.14. User authentication using an SSL certificate
9.7.5.2. X509 connection to the target

When the user authenticates via a X509 certificate, the connection process to a target is as follows:
1. The user connects to a target device using an RDP or SSH client.

2. The proxy asks WALLIX Bastion for the user's authentication method on the Web interface.
3. If the user is using X509 authentication, a connection confirmation request is displayed on the
Web interface.
4. The user must confirm the request to automatically authenticate on the target.
107
They can choose to accept or reject multiple automatic connections for RDP sessions, SSH
sessions or both for a given time period expressed in seconds by enabling the “Also applies to
all connections for:” button and configuring the fields underneath this button.
Figure 9.15. Confirmation request to connect to a target
Warning:
The browser and the RDP or SSH client must be both running on the same workstation
(then use the same IP) to allow the connection confirmation request display.
The maximum duration value during which automatic connections are allowed can be
defined in the field “X509 automatic sessions timer” from “Configuration” > “Configuration
Options” > “Global”. This duration cannot exceed 60 seconds and is set to 15 seconds by
default. The user cannot specify in the popup window a duration greater than this value.
If the authentication is based on account mapping, the user must enter their password
on the target.
9.7.6. Disable and unset X509 certificate authentication

mode
On the “Certificates” page, you can disable or unset the X509 certificate authentication.
• To disable X509 authentication, follow these steps:

1. Disable the “Enable X509 authentication” button in the “X509 authentication” section.
• To unset the X509 authentication, click on the “Unset X509 configuration” button.
Warning:
The Web interface is restarted. Thus, no user connections must be active.
The default configuration is restored: the certificates are deleted and new auto-signed
certificates are generated.
Users can no longer log on using their certificates.
108
Figure 9.16. "X509 configuration" page
9.8. External authentication configuration

The external authentication methods which can be defined in WALLIX Bastion are used to set the
authentication of a user on the application.
An external authentication method is linked to a user account during the creation or modification of
the account. For further information, refer to Section 9.1.1, “Add a user”, page 75.
WALLIX Bastion supports the following authentication methods:
• Kerberos
• Kerberos-Password
• LDAP
• Active Directory
• RADIUS
• PingID
• SAML
From the “External authentications” page on the “Configuration” menu, you can add, edit or delete
external authentication configurations.
In order to integrate users from an external LDAP, Active Directory or Azure AD domain, you will
then need to configure the authentication domain. For further information, refer to Section 9.9,
“Configuration of LDAP, Active Directory or Azure AD domain mapping”, page 118.
109
Note:
The default authentication configured on WALLIX Bastion is “local”. This external
authentication method allows users to log in using the product’s internal data engine.
9.8.1. Add an external authentication

From the “External authentications” page on the “Configuration” menu, hover the mouse over the
“+ Add” button to display a drop-down list from which you can select an external authentication and
display the corresponding creation page.
Please refer to the sections below to get specific information on the creation of external
authentications.
Once the fields have been entered, click on “Apply”.
Figure 9.17. "External Authentications" page in addition mode for LDAP authentication
9.8.1.1. Add a Kerberos external authentication

For Kerberos authentications, please ensure that the Kerberos infrastructure, browser and SSH
proxy client are properly configured to be able to authenticate.
Specify the fields as follows:
• “Name”: specify the authentication name

• “Realm name”: specify the domain name (REALM)
• “Key distribution center”: specify the domain name or the IP address of the KDC server
• “Port”: specify the port number of the KDC server. The default port is 88.
• “Keytab file”: browse to the keytab files used for the service authentication. Each uploaded keytab
file is merged with the previously loaded files.
110
If an HTTP service is present in the keytab file, the Kerberos support is activated for authenticating
on the GUI; this requires adding the iwab suffix to the url: https://bastion_ip_address/
iwab or https://<bastion_name>/iwab.
HOST services are used for Kerberos authentication to the SSH proxy. It is then possible
to use a “forwardable” ticket to connect to a target within the same Kerberos domain using
account mapping (refer to Section 10.4.1, “Add a target account to a global domain”, page 172,
Section 10.4.2, “Add a target account to a device”, page 175 or Section 10.4.3, “Add a target
account to an application”, page 177).
• “Description”: enter a description if needed
• “Use primary domain name for two-factor authentication (2FA)”: this option is only relevant when
this authentication is used as a second factor after first authenticating via LDAP. Check the box
to force the domain name to be mentioned in the login (e.g. “user@domain”) during the second
authentication.
In order for a Kerberos authenticated user (via the GUI or the SSH proxy) to be acknowledged by
WALLIX Bastion, at least one of the following two conditions is required:
• the user is defined locally on WALLIX Bastion and the appropriate Kerberos external
authentication is configured for this user or
• the user is an LDAP user mapped to a WALLIX Bastion group. In this case, at least one of the
following configurations is required:
– a mapping must be defined on WALLIX Bastion for the LDAP domain of the user and the
Kerberos domain name must match the LDAP domain name (case insensitive) or
– a default LDAP domain is defined on WALLIX Bastion
9.8.1.2. Add a Kerberos-Password external authentication

This authentication is seen as a standard authentication (i.e. entering a login and a password) by
the user. WALLIX Bastion then acts as a Kerberos client.
For Kerberos-Password authentications, please ensure that the Kerberos infrastructure is properly
configured to be able to authenticate.

• “Realm name”: specify the domain name (REALM)
• “Key distribution center”: specify the domain name or the IP address of the KDC server
• “Port”: specify the port number of the KDC server. The default port is 88.
• “Keytab file”: browse to the keytab files used for the service authentication. Each uploaded keytab
file is merged with the previously loaded files.
authentication.
In order for a Kerberos-Password authenticated user to be acknowledged by WALLIX Bastion, at

least one of the following two conditions is required:
111
• the user is defined locally on WALLIX Bastion and a Kerberos-Password external authentication
is configured for this user or
• Kerberos-Password is used as a second factor after first authenticating via LDAP with or without
using Active Directory
9.8.1.3. Add an LDAP external authentication

9.8.1.3.1. Add an LDAP external authentication without using Active Directory
To add an LDAP external authentication without using Active Directory, specify the fields as follows.
In the “Network parameters” section:

• “Server”: specify the server address (IP or FQDN)
• “Port”: specify the port number of the server. The default port is 389.
• “Timeout”: specify the maximum waiting time (expressed in seconds) for a connection attempt to
the LDAP server. This value is set to 3 seconds by default.
Caution:
This timeout applies to any new LDAP external authentication. The LDAP external
authentications inherited from an earlier version of WALLIX Bastion keep the former
timeout value defined.
• “Encryption”: select the appropriate encryption protocol. The connection port is then updated
Note:
• “CA certificate”: this field is accessible when “StartTLS” or “SSL” is selected as the encryption
protocol. Browse a path to upload the CA certificate file. The authenticity of the certificate is
compared with the LDAP server certificate during the connection.
Important:
The hostname specified in the “Server” field must be identical to the one entered in the
“CN” field of the certificate.

authentication.
• “Test network parameters”: click on this button to test the LDAP network parameter configuration
once the required fields are entered. A test in progress can be cancelled at any time.
In the “Authentication” section:
• “Bind method”: select the “anonymous”, “simple (password)” or “simple (client certificate)” bind
method
112
• “User” and “Password”: these fields are displayed when the simple (password) bind method is
selected. Specify a user name and a password to use to search for the WALLIX Bastion user
name in the directory.
Note:
• “Client certificate” and “Client key”: these fields are displayed when the simple (client certificate)
bind method is selected and the chosen encryption protocol is either “StartTLS” or “SSL”. Browse
to the private key and the certificate used to connect and authenticate on the LDAP server by
providing a PKCS#12 file. Once the files have been uploaded, a passphrase can be provided for
the certificate on the dedicated field. The authenticity of the certificate is compared with the CA
certificate during the connection.
• “Test authentication”: click on this button to test the LDAP authentication configuration once the
required fields are entered. A test in progress can be cancelled at any time.
In the “User attributes” section:
• “Base DN”: specify the organization unit “Distinguished Name”

• “Login attribute”: specify the login attribute used for the connection. By default, this connection
attribute corresponds to “uid”. The “mail” attribute can be specified in this field to allow users
associated with this authentication to use their email when logging into the Web interface. The
following login formats are then supported:
– jdoe@mycompany.com@domain. The format is “login@domain” with the email defined as login
(i.e. “jdoe@mycompany.com”)
– domain\\jdoe@mycompany.com. The format is “domain\\login” with the email defined as login
(i.e. “jdoe@mycompany.com”)
– jdoe@mycompany.com with the domain defined as the default LDAP/AD domain
• “User name attribute”: specify the user name attribute. The user name attribute must be the name
of the LDAP attribute where the WALLIX Bastion user name is stored. By default, it corresponds
to “uid”.
9.8.1.3.2. Add an LDAP external authentication using Active Directory
Important:
When using this method, the user may be prompted to change their password after
expiration on the login screen of WALLIX Bastion or when connecting to the RDP or SSH
session. The prerequisites are then as follows:
• the minimum required version for the Active Directory server is Windows Server 2008
R2
• the option “AD user password change” (accessible from the menu “Configuration” >
“Configuration options” > “Global” > section “main”) must be selected and
• at least one encryption protocol must be set for this method in the “Encryption” field
(i.e. either “StartTLS” or “SSL”)
To add an LDAP external authentication using Active Directory, specify the fields as follows.
In the “Network parameters” section:
113

Important:
For an LDAP external authentication using Active Directory, the fully qualified domain
name (FQDN) must be properly specified to be supported in Active Directory.
the LDAP server. This value is set to 3 seconds by default.
Caution:
This timeout applies to all new LDAP external authentications. The LDAP external
• “Encryption”: select the appropriate encryption protocol. The connection port is then updated
Note:
• “CA certificate”: this field is displayed when “StartTLS” or “SSL” is selected as the encryption
protocol. Browse to the CA certificate file. The authenticity of the certificate is compared with the
LDAP server certificate during the connection.
Important:
The hostname specified in the “Server” field must be identical to the one entered in the
“CN” field of the certificate.

authentication.
• “Test network parameters”: click on this button to test the LDAP network parameter configuration
once the required fields are entered. A test in progress can be cancelled at any time.
In the “Authentication” section:
• “Bind method”: select the “anonymous”, “simple (password)”, “simple (client certificate)” or “GSS-
API” bind method
Note:
The SASL bind method based on GSS-API must be selected when the LDAP user is
included in the “Protected users” group.
114
• “User” and “Password”: these fields are displayed when the simple (password) bind method or
the GSS-API bind method is selected. Specify a user name and a password to use to search for
the WALLIX Bastion user name in the directory.
Note:
• “Client certificate” and “Client key”: these fields are displayed when the simple (client certificate)
bind method is selected and the chosen encryption protocol is either “StartTLS” or “SSL”. Browse
to the private key and the certificate used to connect and authenticate on the LDAP server by
providing a PKCS#12 file. Once the files have been uploaded, a passphrase can be provided
for the certificate in the dedicated field. The certificate is compared with the CA certificate during
the connection.
• “Test authentication”: click on this button to test the LDAP authentication configuration once the
required fields are entered. A test in progress can be cancelled at any time.
In the “User attributes” section:
• “Base DN”: depends on the domain name. For example, for the domain “mycorp.lan”, the base
DN should be “dc=mycorp,dc=lan”.
• “Login attribute”: specify the login attribute used for the connection. By default, this connection
attribute corresponds to “sAMAccountName”.
Caution:
The “mail” attribute can be specified in this field to allow users associated with this authentication
to use their email when logging into the Web interface. The following login formats are then
supported:
– jdoe@mycompany.com@domain. The format is then “login@domain” with the email defined
as login (i.e. “jdoe@mycompany.com”)
– domain\\jdoe@mycompany.com. The format is then “domain\\login” with the email defined as
login (i.e. “jdoe@mycompany.com”)
– jdoe@mycompany.com with the domain defined as the default LDAP/AD domain
• “User name attribute”: specify the user name attribute. By default, it corresponds to
“sAMAccountName”.
Caution:
9.8.1.4. Add a PingID external authentication

For PingID authentications, specify the fields as follows:

the server. This value is set to 30 seconds by default.
115
• “Properties file”: browse to the PingID properties file (named pingid.properties) containing
several account-specific settings. This file can be downloaded from the PingID administrator
interface.
• “Force OTP”: check the box to force the one-time password (or “OTP”) authentication only. In this
case, no other authentication method will be proposed.
authentication.
Note:
The WALLIX Bastion administrator should remind the user to specify only the login field
to access the Web interface when authenticating via PingID.
9.8.1.5. Add a RADIUS external authentication

For RADIUS authentications, WALLIX Bastion supports the challenge-response mechanism.

the server. This value is set to 5 seconds by default.
Caution:
This timeout applies to any new RADIUS external authentication. The RADIUS external
• “Secret”: enter the packet encryption key

• “Use mobile device for two-factor authentication (2FA)”: this option is only relevant when this
authentication is used as a second factor after first authenticating via LDAP. Select the check box
to display a message on the login page informing the user that they must authenticate via a push
notification sent to their mobile device.
authentication.
Note:
In the context of a second factor authentication, if a user performs several connections
and the client's IP address is the same as the one used for the previous authentication
then they are not prompted to authenticate again.
116
9.8.1.6. Add an SAML external authentication
1. For SAML authentications, follow the prerequisites below to be able to authenticate:
• Register an application for WALLIX Bastion in the Microsoft Azure environment to enable
Single Sign On (SSO) feature. For further information, refer to https://docs.microsoft.com/en-
us/azure/active-directory/manage-apps/add-application-portal-setup-sso.
• Configure the Azure AD permissions “Application Directory.Read.All” and “Delegated
User.Read” for the application.
• Add all the users allowed to connect to the application one after another. For further
information, refer to https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/
assign-user-or-group-access-portal.
Important:
The internet connection between WALLIX Bastion and the Microsoft Azure
environment for the domain “https://graph.microsoft.com” must not be interrupted.
2. In WALLIX Bastion, from the menu “Configuration” > “External authentications”, click on “+ Add
[SAML]”.
3. Specify the fields as follows:
• “Name”: specify the authentication name.
• “Timeout”: specify the maximum waiting time (expressed in seconds) for an authentication
attempt. This time starts from the moment the user clicks on the Azure authentication button
on the login page. This value is set to 900 seconds by default.
• “Description”: enter a description if needed.
• “IdP metadata”: browse a path to upload the identity provider (also called “IdP”) metadata
XML file. This file is downloadable from the application registration described in the
prerequisites section above.
4. Click on “Apply”. Once the IdP metadata file has been uploaded, the following fields are
then displayed. The latter cannot be edited but the corresponding value can be copied to the
clipboard if needed.
• “IdP entity ID”: Identifier of the identity provider interacting with the service provider (also
called “SP”), i.e. WALLIX Bastion, in the SAML communication process. It corresponds to the
“entityID” attribute of the “EntityDescriptor” element in the identity provider metadata file.
• “IdP SAML request URL”: URL to which WALLIX Bastion redirects the user for
authentication. It corresponds to the “Location” attribute of the “SingleSignOnService”
element in the identity provider metadata file.
• “SP entity ID”: Identifier used to refer to WALLIX Bastion in interactions with the identity
provider in the SAML communication. It corresponds to the “entityID” attribute of the
“EntityDescriptor” element in the service provider metadata file.
• “SP assertion consumer service”: URL to which the identity provider redirects the user once
the latter has authenticated. It corresponds to the “AssertionConsumerService” attribute of
the “SPSSODescriptor” element in the service provider metadata file.
Note:
The identity provider metadata XML file can be downloaded by clicking on
“Download registered IdP metadata”.
117
The service provider metadata XML file can be downloaded by clicking on

“Download SP metadata”.
5. Create a new Azure AD authentication domain. For further information, refer to Section 9.9.1.2,
“Add an Azure AD authentication domain”, page 125.
9.8.2. Edit an external authentication

From the “External authentications” page on the “Configuration” menu, click on an external
authentication name to display the corresponding modification page.
The fields in this page are the same as those in the external authentication creation page.
9.8.3. Delete an external authentication

From the “External authentications” page on the “Configuration” menu, check the box at the
beginning of the line to select the authentication(s) you wish to delete, then click on the “Delete”
button. WALLIX Bastion displays a dialogue box requesting a confirmation before permanently
deleting the line(s).
Warning:
You cannot delete an external authentication if at least one user is linked to this
authentication.
9.9. Configuration of LDAP, Active Directory or

Azure AD domain mapping
WALLIX Bastion can directly import users defined in LDAP, Active Directory (AD) or Azure AD
directories so as to avoid creating them locally within the application.
WALLIX Bastion user account management can be used with one or more LDAP or Active Directory
(AD) directories. In this case, the user accounts are no longer stored locally in the WALLIX Bastion
configuration. The appropriate account information is retrieved from the directory whenever a user
connects to one of the WALLIX Bastion services.
In order to integrate an LDAP, AD or Azure AD domain into WALLIX Bastion, you must
configure the external authentications (LDAP, AD, or SAML for Azure AD) used to allow the
connection to the directories. For further information, refer to Section 9.8, “External authentication
From the “Authentication domains” page on the “Configuration” menu, you can define, configure,
edit and delete domains. You can also import authentication domains and LDAP authentication
mappings from the “CSV” page on the “Import/Export” menu.
Note:
It is possible to configure the TLS options to allow the request of a given CA certificate to
authenticate on the LDAP server by editing the file /etc/ldap/ldap.conf. For further
118
information on this file, refer to http://www.openldap.org/software/man.cgi?

query=ldap.conf.
9.9.1. Add an authentication domain

From the “Authentication domains” page on the “Configuration” menu, hover the mouse over the “+
Add” button to display a drop-down list from which you can select an authentication domain type
and display the corresponding creation page.
A domain lists the attributes of the directory schema to be used to find the attributes needed for
a Bastion account.
These attributes are listed in the various areas of the “Authentication domains” page. Please refer
to the section below to get specific information on the creation of authentication domains.
9.9.1.1. Add an LDAP or Active Directory authentication domain

To add an LDAP or Active Directory authentication domain, it is necessary to specify the following
fields.
On the “General” tab:
The “General” section lists the following main properties for the authentication domain:
• the WALLIX Bastion domain name

• the LDAP or AD authentication domain name
• the default domain option: this box can be checked to allow the stripping of the domain part (i.e.
@domain) from the user login when authenticating to WALLIX Bastion. Thus, local users defined
in WALLIX Access Manager can be mapped to users in the Bastion domain.
• a description
• the selection, in the list of values of the “Directory” field, of the directory to be used. If several
directories are selected, they are used one after the other, according to the defined order, until a
response is received from the server. This allows resilience in case of a directory server failure
as long as the configurations (users, groups, etc.) are the same.
• if needed, the selection, in the list of values of the “Secondary authentication” field, of a secondary
authentication to be used to enable two-factor authentication after a first authentication on the
domain. If several authentications (necessarily of the same type, e.g. only RADIUS or PINGID,
etc.) are selected, they are used one after the other, according to the defined order, until a
response is received from the server. This allows resilience in case of a secondary authentication
server failure as long as the configurations are the same.
Note:
With the exception of LDAP external authentication, all external authentications defined
from the “External authentications” page on the “Configuration” menu can be used as
a secondary authentication, after a first LDAP authentication.
The “User attributes” section lists the following attributes:
• the user: the schema attribute is specified in the “User name attribute” field on the “External
authentications” page (refer to Section 9.8.1, “Add an external authentication”, page 110). By
default, WALLIX Bastion uses “sAMAccountName” with AD or “uid” with LDAP.
119
Caution:
• the group attribute: this is the attribute describing a user group membership. The default
value is “memberOf” for an AD server and “(&(ObjectClass=posixGroup)(memberUid=
${uid}))” for an LDAP server. This is an LDAP query used to find the groups containing the
user defined by his or her “uid”. By default, some servers may not support for each account
the list of groups to which it belongs. It is therefore necessary to specify an additional query.
The “${uid}” syntax is specific to the Bastion; the “uid” attribute can be replaced by any user
attribute. If the LDAP server supports the “memberOf” value, its use is then recommended. This
is the case with OpenLDAP servers configured with the “memberOf” overlay.
Note:
The “memberOf” attribute must also be entered in the field of the “Ldap attributes”
option located in “Configuration” > “Configuration options” > “Global”. The field can be
set to “*” to retrieve all the attributes but the performance of WALLIX Bastion may be
affected. The “Ldap attributes” option is displayed when the check box of “Advanced
options” at the top right of the page has been selected. It should ONLY be changed
upon instructions from the WALLIX Support Team!
It is possible to manage recursive groups with an AD server. In this case, the default value has
to be changed with the query below:
(&(ObjectClass=group)(member:1.2.840.113556.1.4.1941:=${distinguishedName}))
This query can be slower than the default one.

• the display name attribute: usually, it is the “displayName” attribute for AD and “cn” attribute
for LDAP.
• the email attribute: it is the user’s email address attribute (AD and LDAP).
• the SSH public key attribute: it is the attribute used to retrieve the SSH public key(s) from the LDAP
or AD server, to enable users to authenticate with an SSH key. The “altSecurityIdentities”
attribute is recommended for the AD server. If the field is left empty, users authenticate using only
their LDAP or AD password.
Note:
The values defined in the LDAP or AD server must be prefixed as “sshKey: <public
key>”.
Multiple SSH keys can be defined for each user.
The SSH public keys must be in the OpenSSH format and encrypted with the following
algorithms:
Key type Size allowed

RSA 1024 bits | 2048 bits | 4096 bits | 8192 bits
ECDSA 256 bits | 384 bits | 521 bits
120

ED25519 N/A
• the default email domain: it is the domain component used to build the user's email address if not
found in the directory. This address is built by prefixing the domain with the user name.
• the language attribute: usually, it is the “preferredLanguage” attribute (AD and LDAP).
• the default language: it is the default language of the domain members if the language is not
defined in the directory.
Note:
In order to use Okta Identity Cloud as an LDAP domain, make sure to set these three
parameters, in “Configuration” > “Configuration options” > “Global” > section “main”, as
follows:
• the “Ldap attributes” parameter must correspond to “dn”

• the “Ldap partial search” parameter must be checked, and
• the “Ldap bind login” parameter must be unchecked
These parameters are displayed when the check box of the “Advanced options” field at
the top right of the page has been selected. It should ONLY be changed upon instructions
from the WALLIX Support Team!
The “X509 options” section lists the following properties:
• an option to enable the X509 authentication: if this option is checked, users can only authenticate
to the LDAP or AD domain using X509 certificate authentication method. When this option is
checked, the fields of this area are then enabled.
• the condition to match an LDAP or AD domain to the X509 certificate. If no condition is specified
in the field “Matching condition”, the LDAP or AD domain can be used for X509 authentication
regardless of the certificate.
This condition is formatted according to the following variables retrieved from the certificate:
Variables of WALLIX Bastion Description

${issuer} Issuer DN of client’s certificate
${issuer_c} Country name in Issuer DN
${issuer_l} Locality name in Issuer DN
${issuer_o} Organization name in Issuer DN
${issuer_ou} Organization Unit name in Issuer DN
${issuer_cn} Common name in Issuer DN
${issuer_st} State or Province name in Issuer DN
${issuer_email} Email Address in Issuer DN
${subject} Subject DN in client’s certificate
${subject_c} Country name in Subject DN
${subject_l} Locality name in Subject DN
${subject_o} Organization name in Subject DN
121
Variables of WALLIX Bastion Description

${subject_ou} Organization Unit name in Subject DN
${subject_cn} Common name in Subject DN
${subject_st} State or Province name in Subject DN
${subject_email} Email Address in Subject DN
${subject_uid} UID in Subject DN
${mail} Server certificate’s subjectAltName extension entries of
type rfc822Name
${msupn} Client certificate’s subjectAltName extension entries of
type otherName, Microsoft User Principal Name form
${dns} Server certificate’s subjectAltName extension entries of
type dNSName
${username} Common name from Subject DN or local part of Subject
DN if Subject DN is an email (e.g.: “local-part@domain”)
For example, the matching condition below will associate the domain with a certificate issued
by an organization whose name (“issuer_o”) includes “Company Ltd.” OR a certificate whose
common name (“issuer_cn”) includes “Security Cert” and whose user's organization unit
(“subject_ou”) corresponds to “Finance&Accounting”:
${issuer_o}~Company Ltd. || ${issuer_cn}~Security Cert &&

${subject_ou}=Finance&Accounting
The operator “&&” (i.e. “AND”) has precedence over the operator “||” (i.e. “OR”). The values are
case sensitive unlike variables.
Important:
The format corresponds to the syntax used in the advanced search filters of the REST
API. For further information, refer to the related online help page at this address:
https://bastion_ip_address/api/doc/Usage.html#search
• the LDAP or AD search filter to retrieve users from the domain. This data is expressed using
LDAP filter syntax, but any available variables as listed in the field “Matching condition” field can
also be used.
Note:
All variables specified in the “Search filter” field must be present in the certificate to
provide a valid LDAP or AD filter and retrieve users accordingly.
For example, the filter syntax below will retrieve LDAP or AD users whose “cn” is the
“subject_cn” of the certificate or whose “uid” is the “subject_uid” of the certificate and whose
“preferredLanguage” attribute is “fr”:
(&(|(cn=${subject_cn})(uid=${subject_uid}))(preferredLanguage=fr))
For example, the filter syntax below will retrieve AD users whose local part of the
“userPrincipalName” is the “subject_cn” of the certificate and whose domain includes either
“company.com” or “biz.company.com”:
122
(|(userPrincipalName=${subject_cn}@company.com)(userPrincipalName=
${subject_cn}@biz.company.com))
• when using X509 authentication with an Active Directory server, the mention of the domain name
to match the SAN email. The domain is used to check the email field from the X509 Subject
Alternative Name (SAN) extension.
On the “Mappings” tab:
It is then necessary to add LDAP or AD authentication mappings by clicking on the “+ Add” button.
A mapping links the WALLIX Bastion user group with a group from the directory. To define a
mapping, the name of the WALLIX Bastion user group must be selected in the “User group” field,
and the value of the directory group attribute (e.g. its full DN for “memberOf”) must be specified
in the “Group” field.
If the WALLIX Bastion group is not already mapped, you must also select the WALLIX Bastion profile
for the group members in the “User group profile” field. If no mapping is found when a user connects,
the latter can be placed in a default group. To do this, check the box “Default group for users without
group in this domain”. Thus, any user defined in the directory can access WALLIX Bastion.
The mappings can also be edited on the user group modification page (refer to Section 9.2, “User
groups”, page 83).
Note:
On the “Mappings” tab, the administrator cannot view the mappings whose profiles have
at least one permission that the administrator's profile cannot grant as a transferable right.
For further information, refer to Section 9.3, “User profiles”, page 87.
123
Figure 9.18. "LDAP Domain" page in addition mode - Part 1
124
Figure 9.19. "LDAP Domain" page in addition mode - Part 2
9.9.1.2. Add an Azure AD authentication domain

1. From the “Authentication domains” page on the “Configuration” menu, select the Azure AD
authentication domain by clicking on the “+ Add [Azure AD]” button to display the corresponding
modification page.
2. Specify the following fields on the “General” tab:
125
The “General” section lists the following main properties for the authentication domain:
• “Server domain name”: the WALLIX Bastion domain name.
• “Authentication domain name”: the Azure AD authentication domain name.
• “Default domain” option: check this box to allow the stripping of the domain part (i.e.
@domain) from the user login when authenticating to WALLIX Bastion. Thus, local users
defined in WALLIX Access Manager can be mapped to users in the Bastion domain.
• “Description”
• “Authentication protocol”: select in the dropdown list of this field the authentication protocol
to be used.
The “Azure parameters” section lists the following attributes:

• “Label for authentication button on the login page” of WALLIX Bastion. By default, the
field is already specified with “Azure AD”.
• “Tenant ID”: it is the Azure AD cloud tenant ID. The ID is to be retrieved from the “Directory
(tenant) ID” field of the application page in Azure AD.
• “Application ID”: it is the Azure AD cloud client ID. The ID is to be retrieved from the
“Application ID” field of the application page in Azure AD.
• “Client secret”: it is the secret generated by Azure AD and shared between WALLIX Bastion
and Azure AD. The secret is to be retrieved from the application page in Azure AD.
• “Server certificate”: it is the WALLIX Bastion certificate shared between WALLIX Bastion
and Azure AD. Browse a path to upload the server certificate file.
• “Server private key”: it is the private key associated with the certificate shared between
WALLIX Bastion and Azure AD. Browse a path to upload the server private key file. Once
the file containing the private key has been uploaded, a passphrase can be provided in the
field below.
• “Server private key passphrase”: it is the passphrase of the private key associated with the
certificate shared between WALLIX Bastion and Azure AD.
• “Default email domain”: it is the domain component used to build the user's email address
if not found in Azure AD. This address is built by prefixing the default email domain with the
user name. If this field is not specified, then the address is built by prefixing the authentication
domain name with the user name.
• “Default language”: it is the default language of the domain members if the language is not
defined in the directory.
• the URL to allow users to be redirected and logged in WALLIX Bastion from the Azure AD
portal. Once all the fields are specified and applied, the URL is displayed and can be copied
from the “IdP initiated URL” field into the “Sign on URL (Optional)” field of the Enterprise
Application of Azure AD during the Single Sign On configuration. For further information, refer
to Section 9.8.1.6, “Add an SAML external authentication”, page 117.
3. Add Azure AD authentication mappings by clicking on the “+ Add” button on the “Mappings” tab.
A mapping links the WALLIX Bastion user group with a group from Azure AD.
4. Select the name of the WALLIX Bastion user group in the “User group” field to define a mapping.
5. Specify the name of the Azure AD group in the “IdP group” field.
6. If the WALLIX Bastion group is not already mapped, select also the WALLIX Bastion profile
for the group members in the “User group profile” field. If no mapping is found when a user
connects, the latter can be placed in a default group. To do this, check the box “Default group for
users without group in this domain”. Thus, any user defined in the Azure AD group can access
126
WALLIX Bastion. The mappings can also be edited on the user group modification page (refer
to Section 9.2, “User groups”, page 83).
Note:
On the “Mappings” tab, the administrator cannot view the mappings whose
profiles have at least one permission that the administrator's profile cannot
grant as a transferable right. For further information, refer to Section 9.3, “User
127
Figure 9.20. "Azure AD Domain" page in addition mode
9.9.2. Edit an authentication domain

From the “Authentication domains” page on the “Configuration” menu, click on an authentication
domain name to display the corresponding modification page.
128
The fields in this page are the same as those in the authentication domain creation page.
9.9.3. Delete an authentication domain

From the “Authentication domains” page on the “Configuration” menu, check the box at the
beginning of the line to select the authentication domain(s) you wish to delete, then click on
the “Delete” button. WALLIX Bastion displays a dialogue box requesting a confirmation before
permanently deleting the line(s).
Warning:
You cannot delete an authentication domain if at least one user group is mapped to this
domain.
9.9.4. Import authentication domains

From the "CSV" page on the "Import/Export" menu, select the "Authentication domains" check box
to import the related data. The field and list separators can also be configured.
#wab910 domain
Important:
Warning:

O(ptional)
Name Text R [aA-zZ], [0-9], '-', '_', '.' N/A
Name for the WALLIX

Bastion domain
Label Text R if "Type" = [aA-zZ], [0-9], '-', '_' N/A
AzureAD
Label for Azure AD
authentication button on
WALLIX Bastion login page
Type Text R Type of the authentication
domain
"AzureAD"
"LDAP"
"AD"
129

O(ptional)
Is default Boolean R True or False False
domain
Authentication Text R [aA-zZ], [0-9], '-', '_', '.' N/A
domain
Name for the defined
authentication domain
X509 Boolean R if "Type" = LDAP True or False False
authentication or AD
SAN email DN Text O [aA-zZ], [0-9], '-', '_' N/A
LDAP/AD domain name for Empty if Check

the defined SAN email SAN x509v3 email
= False
User Text R [aA-zZ], [0-9], '-', '_' N/A
authentications
External authentications
defined
At least one external

authentication must be
defined
User Text O [aA-zZ], [0-9], '-', '_' N/A
secondary
authentications External secondary
authentications defined for
the LDAP/AD domain
Group attribute Text O [aA-zZ], [0-9], '-', '_' LDAP-AD:
"memberOf"
Group attribute defined for
the LDAP/AD domain LDAP:
"(&(ObjectClass=posixGroup)
(memberUid=
${uid}))"
Full name Text O [aA-zZ], [0-9], '-', '_' LDAP-AD:
attribute "displayName"
Full name attribute defined LDAP: "cn"
for the LDAP/AD domain
Public key Text O [aA-zZ], [0-9], '-', '_' N/A
attribute
Public key attribute defined
Email attribute Text O [aA-zZ], [0-9], '-', '_' "mail"
Email attribute defined for the

LDAP/AD domain
Language Text O [aA-zZ], [0-9], '-', '_' "preferredLanguage"
attribute
Language attribute defined
130

O(ptional)
Default Text R Default language of the "de" for German"
language domain's members if the
language is not defined in the "en" for English
directory. "es" for Spanish
"fr" for French
"ru" for Russian

Default email Text R if "Type" = LDAP Default domain for the "wallix.com"
domain or AD defined email. Spaces and
special characters are not
allowed.
X509 condition Text O Condition to match an LDAP/ N/A
AD domain with the X509
certificate. This condition
is formatted according to
the variables retrieved
from the certificate. For
further information, refer
to the table listing these
variables in Section 9.9.1,
“Add an authentication
domain”, page 119.
X509 search Text O LDAP/AD search filter to N/A
filter retrieve users within the
domain. Expressed using
LDAP filter syntax but any
available variables as listed
for field "X509 condition"
can also be used. For
further information, refer
to the table listing these
variables in Section 9.9.1,
“Add an authentication
domain”, page 119.
Tenant ID Text R if "Type" = [aA-zZ], [0-9], '-', '_' N/A
AzureAD
Identifier of the Azure AD
cloud tenant
Client ID Text R if "Type" = [aA-zZ], [0-9], '-', '_' N/A
AzureAD
Identifier of the Azure AD
cloud client
Client Secret Text O Secret shared between N/A
WALLIX Bastion and Azure
AD
Either the client secret or the

association client certificate/
131

O(ptional)
client private key/passphrase
must be defined
Client Text O Certificate in PEM format N/A
Certificate shared between WALLIX
Bastion and Azure AD

must be defined
Client Private Text O Private key in PEM format N/A
Key in relation with the certificate
shared between WALLIX
Bastion and Azure AD

must be defined
Passphrase Text O Passphrase of the private N/A
key in relation with the
certificate shared between
WALLIX Bastion and Azure
AD

must be defined
9.9.5. Import authentication domain mappings on user

groups
From the "CSV" page on the "Import/Export" menu, select the "Authentication domain mappings
on user groups" check box to import the related data. The field and list separators can also be
configured.
#wab910 usersgroupmappings
Important:
132
Warning:

O(ptional)
Canonical name for the

WALLIX Bastion user group
concerned by the mapping
This user group must exist
with a defined profile.
Domain Name Text O [aA-zZ], [0-9], '-', '_' N/A
Canonical name for

the authentication domain
concerned by the mapping
This domain must exist.
If no domain name and no

external group is specified,
then all the existing mappings
for the group are deleted
during import.
External Text O In the context of an Azure AD N/A
Groups domain, name of the external
user group(s). For example:
ext_group1 ext_group2 "ext

group3"
IMPORTANT: If several
groups are entered, then
they must be separated by
spaces. Additionally, if the
name of the group includes
one or more spaces, then it
must be enclosed in double
quotes (as shown in the
above example).
In the context of an
LDAP domain, rule allowing
to define the users in
the authentication domain
mapped to the WALLIX
Bastion user group. This
rule indicates the value to
map for the defined group
133

O(ptional)
attibute (e.g. its full DN for
"memberOf"). For example:
'CN=Account Mapping users,
CN=Users,DC=2008,
DC=system,DC=enterprise'
IMPORTANT: If this string

includes spaces and/or
commas, then it must be
enclosed in simple quotes
(as shown in the above
example).
If no external group is
specified, then all the existing
mappings for the group/
domain pair are deleted
during import.
If an external group
is specified without an
authentication domain, then
the import fails.
134
Chapter 10. Targets

Important:
formats.
The “Targets” menu allows you to create and manage devices, applications, domains, accounts and
groups which can be accessed from WALLIX Bastion.
This chapter describes the menu elements, i.e. the following pages:
• “Devices” (refer to Section 10.1, “Devices”, page 135)

• “Applications” (refer to Section 10.2, “Applications”, page 145)
• “Domains” (refer to Section 10.3, “Domains”, page 160)
• “Accounts” (refer to Section 10.4, “Target accounts”, page 171)
• “Clusters” (refer to Section 10.6, “Clusters”, page 196)
• “Groups” (refer to Section 10.5, “Target groups”, page 183)
• “Password vault plugins” (refer to Section 10.7, “External password vault plugins”, page 198)
• “Checkout policies” (refer to Section 10.8, “Checkout policies”, page 205)
• “Discovery” (refer to Section 10.9, “Discovery”, page 208)
10.1. Devices
A device is characterized by a physical or virtual equipment for which WALLIX Bastion manages
the access to sessions or passwords.
The “Devices” page on the “Targets” menu allows you to:
• list devices
• add, edit and delete a device
• filter devices using tags. For further information, refer to Section 10.1.3, “Use tags to organize
devices”, page 140.
It is possible to import devices from a .csv file to populate the WALLIX Bastion resource database.
For further information, refer to Section 10.1.5, “Import devices”, page 142.
10.1.1. Add a device

From the “Devices” page on the “Targets” menu, click on the “+ Add” button to display the device
creation page.
The device creation page consists of the following tabs: “General”, “Services”, “Local
domains”,“Local accounts”, “Groups”, “Certificates” and “Tags”.
10.1.1.1. Define general data

The “General” tab allows you to enter the following fields:
135
• the device name: this is the name users will use to access the device. It can be unrelated to the
machine’s DNS name. An existing name cannot be assigned to another device.
• an alias: it can be used as a second name for the device. The device name has priority over the
alias. An existing alias cannot be assigned to another device.
• the device IP address or FQDN: it corresponds to a network address
It is possible to define a set of targets belonging to a subnet. It is achieved by entering a subnet

instead of the IP address during the creation of device by using a CIDR notation (<network
address>/<number of mask bits>), e.g.: 192.168.0.15/24.
• a description
Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the other tabs of the device creation page.
Figure 10.1. "Devices" page in addition mode
10.1.1.2. Manage services

The “Services” tab allows you to list, add, edit and delete services which can be accessed on this
device.
To add a service, click on the “+ Add” button and select the desired protocol from the list. A window
opens and allows you to select and enter the following fields:
• the service name: this is the name users will use to access the service. The name can be unrelated
to the protocol name and the port number.
• the default port
• a connection policy defining the authentication mechanism for the service on this device. For
further information, refer to Section 12.4, “Connection policies”, page 261.
You can declare a connection scenario for the connection policies based on the TELNET or
RLOGIN protocols. For further information, refer to Section 12.16, “TELNET/RLOGIN connection
scenario on a target device”, page 275.
136
You can declare a startup scenario for the connection policies based on the SSH protocol. For
further information, refer to Section 12.19, “SSH startup scenario on a target device”, page 278.
• a global domain: it is required to select a global domain in order to create targets for applications
and clusters
• a list of proxy options for RDP and SSH connections. For further information, refer to
Section 10.1.6, “SSH specific options”, page 143 and Section 10.1.7, “RDP specific
options”, page 144.
Note:
If you want to add more than one specific service, you can repeat this process as many
times as necessary.
Once you have added a service, you have the possibility to add it to a group in order to configure
a target group for session management through account mapping and/or interactive login. The
resource associations can also be managed from the “Groups” page (for further information, refer
to Section 10.5.1, “Add a target group”, page 183).
To add a service to a group, check the box at the beginning of the line of the concerned service
and click on the “Add to group” button. A window opens and allows you to enter and select the
following fields:
• the group name: you can select an existing group or create a new one
• a description
• the target type: either account mapping or interactive login
• the services
Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to associate the service with another group and/or target type. Otherwise, click
on the “Add and close” button to save the data and close the window.
10.1.1.3. Manage local domains

The “Local domains” tab allows you to list and delete local domains associated with the device.
These local domains are associated with the device from:
• the “Local accounts” tab on the “Devices” page or

• the device account creation page of the “Accounts” page which can be accessed from the
“Targets” menu (for further information, refer to Section 10.4.2, “Add a target account to a
device”, page 175)
10.1.1.4. Manage local accounts

The “Local accounts” tab allows you to list, add, edit and delete local accounts on the device.
To add a local account, click on the “+ Add” button. A window opens and allows you to select and
enter the following fields:
• on the “General” tab:

– the local domain name to associate with the device: you can select an existing local domain
or create a new one
137
– the account name: this is the name users will use to access the local account
– the account login
– a field to associate resources: a resource association is required to create targets for
applications and clusters
– a description
– the checkout policy
– a toggle button to enable or disable the automatic password change for this account
– a toggle button to enable or disable the automatic SSH key change for this account
• on the “Password” tab:
– a password and its confirmation
– a toggle button to enable or disable the manual change of the password and its propagation
on the target
Note:
You have the possibility to delete a password already set for this account by clicking
on the “Delete password” button.
• on the “SSH private key” tab:

For the “Private key generation” page:
– the signature system of the private key
– the corresponding SSH public key in the OpenSSH or ssh.com format
For the “Private key uploading” page:
– the SSH private key in the OpenSSH or PuTTY format
– the corresponding passphrase (if any has been defined)
– a toggle button to enable or disable the manual change of the SSH private key and its
propagation on the target
– the corresponding SSH public key in the OpenSSH or ssh.com format
Note:
You have the possibility to delete an SSH private key already set for this account by
clicking on the “Delete existing SSH private key” button.
Once you have added a local account on the device, you have the possibility to add it to a group
in order to configure:
• a target group for session management from an account (for further information, refer to
Section 10.5.1.2, “Configure a target group for session management from an account in the
vault”, page 184)
• a target group for session management for a scenario account (for further information,
refer to Section 10.5.1.3, “Configure a target group for a scenario account during SSH
session”, page 184)
• a target group for password management from an account (for further information, refer to
Section 10.5.1.6, “Configure a target group for password management from an account in the
vault”, page 186)
138
Note:
The resource associations can also be managed from the “Groups” page (for further
information, refer to Section 10.5, “Target groups”, page 183).
To add a local account to a group, check the box at the beginning of the line to select the concerned
local account, then click on the “Add to group” button. A window opens and allows you to enter and
select the following fields:
• the group name: you can select an existing group or create a new one
• a description
• the target type: either account for session management or scenario account for session
management or account for password management
• the service (if it is required for the selected target type)
• the local accounts
Note:
possibility to associate the local account with another group and/or target type and/or
service. Otherwise, click on the “Add and close” button to save the data and close the
window.
10.1.1.5. Manage the target groups associated with the device

The “Groups” tab allows you to list, edit and delete resource associations which already exist with
the device.
Note:
Target accounts and services must exist for the device to be able to manage associations.
By clicking on a group name, you are redirected to the data modification page of this group. You
can then configure, edit or delete the data related to this group. For further information, refer to
Section 10.5, “Target groups”, page 183.
10.1.1.6. View and delete certificates or keys on the device

From the “Devices” page, click on a device name to display the device data and click on the
“Certificates” tab to view the list of certificates or keys on this device.
To delete a certificate or a key, check the box at the beginning of the line to select the certificate or
the key you wish to delete, then click on the “Delete” button.
Caution:
A user is allowed to display the certificates on the device if the “View” right for the “Targets
& accounts” feature is set in their profile (refer to Section 9.3, “User profiles”, page 87).
A user is allowed to delete the certificates on the device if the “Modify” right for the “Targets
& accounts” feature is set in their profile (refer to Section 9.3, “User profiles”, page 87).
10.1.1.7. Manage the association of tags with the device
139
The “Tags” tab allows you to list, add and delete tags on the device.
These tags allow you to organize your devices in a consistent and relevant way in order to quickly
identify a specific device. For further information, refer to Section 10.1.3, “Use tags to organize
devices”, page 140.
Note:
Each device can have a maximum of 64 tags.
To add a tag, click on the “+ Add” button. A window opens and allows you to select and enter the
following fields:
• “Key”: this is the key of the tag. You can select an existing key or create a new one. The key is
limited to 512 characters.
• “Value”: this is the value of the key. You can select an existing value or create a new one. The
value is limited to 256 characters.
Warning:
It is not possible to add tags with identical keys on the same device.
Keys and values are case sensitive and accept UTF-8 characters. Spaces are forbidden
at the beginning and end of the “Key” and “Value” fields.
Once the fields are selected and entered, click on the “Add and continue” button to save the new
data and to continue the creation of tags. Otherwise, click on the “Add and close” button to save
the data and close the window.
Warning:
A tag cannot be edited. In order to change a key and/or a value, it is necessary to delete
the tag and create a new one.
To delete a tag, check the box at the beginning of the line to select the tag you wish to delete, then
click on the “Delete” button.
Warning:
If you delete a device, the associated tags are also deleted.
10.1.2. Edit a device

From the “Devices” page on the “Targets” menu, click on a device name. The modification page
opens and it is possible to edit the data already entered.
For further information on how to enter data in the tabs, refer to Section 10.1.1, “Add a
device”, page 135.
10.1.3. Use tags to organize devices

From the “Devices” page on the “Targets” menu, you can view all the tags associated to your devices
but also add and remove tags.
140
Theses tags will be used to organize the devices listed in this table and will thus allow you to quickly
identify the devices on which actions must be performed.
Note:
Each device can have a maximum of 64 tags.
10.1.3.1. Add tags

From the “Devices” page on the “Targets” menu, check the box at the beginning of the line of the
device(s) you want to add tags on, then click on the “Add targets” button. The window “Add targets
to devices” opens and allows you to select and enter the following fields:
• “Key”: this is the key of the tag. You can select an existing key or create a new one. The key is
limited to 512 characters.
• “Value”: this is the value of the key. You can select an existing value or create a new one. The
value is limited to 256 characters.
Warning:
It is not possible to add tags with identical keys on the same device.
Keys and values are case sensitive and accept UTF-8 characters. Spaces are forbidden
at the beginning and end of the “Key” and “Value” fields.
A tag cannot be edited. In order to change a key and/or a value, it is necessary to delete
the tag and create a new one.
Once the fields are selected and entered, click on the “Add and continue” button to save the new
data and to continue the creation of tags. Otherwise, click on the “Add and close” button to save
the data and close the window.
10.1.3.2. Filter devices

From the “Devices” page on the “Targets” menu, you can filter devices using tags from the “Tags”
column.
Click on the icon in the header of the “Tags” column to display the search field. By clicking in
this field, you access a list of all the tag keys and tag values existing in WALLIX Bastion. Enter
then select the key or the value of the desired tag and click on the “Search” button. The devices
corresponding to the filter are listed in the table. An active filter is symbolized by the orange icon .
To delete a filter, click on the icon at the top right of the table or click on the icon then on
the “Restore” button.
10.1.3.3. Remove tags

From the “Devices” page on the “Targets” menu, check the box at the beginning of the line of the
device(s) from which you want to remove one or more tags, then click on the “Remove tags” button.
The window “Remove tags from devices” opens and allows you to select the keys or the values you
want to remove. Once selected, click on “Remove and close” button.
10.1.4. Delete a device
141
From the “Devices” page on the “Targets” menu, check the box at the beginning of the line to select
the device(s) you wish to delete, then click on the “Delete” button. WALLIX Bastion displays a
Warning:
You cannot delete a device on which target accounts are declared.
10.1.5. Import devices

From the “CSV” page on the “Import/Export” menu, select the “Devices” check box to import the
related data. The field and list separators can also be configured.
#wab910 resource
Important:
Warning:

O(ptional) value
Device name Text R [aA-zZ], [0-9], '-', '_' N/A
Alias Text O Free text N/A
Network IP/ R [aA-zZ], [0-9], '-', '/', '.' N/A
address FQDN/
Subnet e.g. for subnet: 1.1.1.0/24
Local domain Text O Local domains created via the N/A

association with a device or a target
account
There can be no local domain, one

or several local domains (created on
this device)
Service/ Text O To specify a global domain for a N/A
Protocol/Port/ subprotocol:
Con-nection
Policy/Sub- name/PROTOCOL/port/
protocol connection_poli-cy/
my_global_domain/subprotocol1|
subpro-tocol2
Important: if there is no global

domain, respect the following syntax:
142

O(ptional) value
name/PROTOCOL/port/
connection_policy//subprotocol1|
subprotocol2
name: Free text

(1)
PROTOCOL : Protocol name: see
below
port: Port number (optional)

connection_policy: Connection policy
name
(2)
subprotocol : Subprotocol name
(optional): see below
(1)
PROTOCOL: one of the following values: SSH, TELNET, RLOGIN, RDP, VNC, RAWTCPIP.
(2)
subprotocol for SSH: one of the following values: SSH_SHELL_SESSION,
SSH_REMOTE_COMMAND, SSH_SCP_UP, SSH_SCP_DOWN, SSH_X11, SFTP_SESSION,
SSH_DIRECT_TCPIP, SSH_REVERSE_TCPIP, SSH_AUTH_AGENT,
SSH_DIRECT_UNIXSOCK, SSH_REVERSE_UNIXSOCK. For further information, refer to
Section 10.1.6, “SSH specific options”, page 143.
subprotocol for RDP: one of the following values: RDP_CLIPBOARD_UP,
RDP_CLIPBOARD_DOWN, RDP_CLIPBOARD_FILE, RDP_PRINTER, RDP_COM_PORT,
RDP_DRIVE, RDP_SMARTCARD, RDP_AUDIO_OUTPUT, RDP_AUDIO_INPUT. For further
information, refer to Section 10.1.7, “RDP specific options”, page 144.
If subprotocol is not specified, all the subprotocols are added. The value for the other protocols is
exactly the same as PROTOCOL and can be omitted.
To specify several subprotocols within the same protocol, do not repeat all the structure but separate
subprotocols using a pipe “|” as shown in the example below:
rdp/RDP/3389/RDP//RDP_CLIPBOARD_UP|RDP_CLIPBOARD_DOWN|RDP_PRINTER|RDP_COM_PORT|
RDP_DRIVE|RDP_SMARTCARD
10.1.6. SSH specific options

The following options, which mainly determine the channels authorized for the session, are provided
for the SSH protocol:
• SSH_SHELL_SESSION: starts a shell session

• SSH_REMOTE_COMMAND: runs remote commands
• SSH_SCP_UP: transfers files to a target device (SCP upload from client to server)
• SSH_SCP_DOWN: transfers files from a target device (SCP download from server to client)
• SSH_X11: displays X11 applications running on a target device
143
• SFTP_SESSION: bi-directional transfers of files via SFTP protocol (SFTP session)

• SSH_DIRECT_TCPIP: allows direct TCP/IP port forwarding (from client to server)
• SSH_REVERSE_TCPIP: allows reverse TCP/IP port forwarding (from server to client)
• SSH_AUTH_AGENT: allows agent authentication forwarding (multi-hops auth-agent)
• SSH_DIRECT_UNIXSOCK: allows direct Unix socket forwarding (from client to server)
• SSH_REVERSE_UNIXSOCK: allows reverse Unix socket forwarding (from server to client)
Each of these subprotocols is covered by a specific authorization on WALLIX Bastion.

If you do not have rights for the appropriate subprotocol, you may not be authorized to start a remote
shell session or transfer a file.
Note:
Some clients also need the option SSH_SHELL_SESSION to list the directories when
they are used in SCP mode.
Some session options must be associated with others to be fully operational:
- SSH_X11 must be associated with SSH_SHELL_SESSION or
SSH_REMOTE_COMMAND (at least one of the two)
- SSH_AUTH_AGENT must be associated with SSH_SHELL_SESSION or
SSH_REMOTE_COMMAND (at least one of the two)
- SSH_REVERSE_TCPIP must be associated with SSH_SHELL_SESSION
- SSH_REVERSE_UNIXSOCK must be associated with SSH_SHELL_SESSION
SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, SSH_SCP_UP/DOWN and
SFTP_SESSION allow the opening of session channels. By default, only one session
channel can be open during an SSH connection (or session). To allow the opening of
several session channels, the option “Allow multi channels” must be selected at the
level of the SSH connection policy (which can be accessed from “Session Management”
> “Connection Policies”. For further information, refer to Section 12.4, “Connection
policies”, page 261).
10.1.7. RDP specific options

The following options, which mainly determine the authorized actions for the session, are provided
for the RDP protocol:
• RDP_CLIPBOARD_UP: allows data transfer via the clipboard from the client to the RDP session
• RDP_CLIPBOARD_DOWN: allows data transfer via the clipboard from the session to the RDP
client
• RDP_CLIPBOARD_FILE: allows file transfer from the copy/paste function via the clipboard
• RDP_PRINTER: allows use of local printers in the remote session
• RDP_COM_PORT: allows use of local serial and parallel ports in the remote session
• RDP_DRIVE: allows use of local drives in the remote session
• RDP_SMARTCARD: allows use of local smartcards in the remote session
• RDP_AUDIO_OUTPUT: allows audio playback from the session to the RDP client
• RDP_AUDIO_INPUT: allows audio recording from the client to the RDP session
144
Each of these subprotocols is covered by a specific authorization on WALLIX Bastion.

If you do not have rights for the appropriate subprotocol, you may not be authorized to transfer data
via the clipboard or use your local drive in the remote session.
Note:
Some session options must be associated with others to be fully operational:
- RDP_CLIPBOARD_FILE must be associated with RDP_CLIPBOARD_UP to transfer a
file via the clipboard from the client to the RDP session
- RDP_CLIPBOARD_FILE must be associated with RDP_CLIPBOARD_DOWN to
transfer a file via the clipboard from the session to the RDP client
10.2. Applications
WALLIX Bastion enables you to manage application sessions through a jump server on which
the application itself is installed. The user logs on to WALLIX Bastion and chooses an application
in the selector (refer to the figure 10.2, “Application session flow”, page 145). WALLIX Bastion
then initiates an RDP session and automatically launches the application by providing it with the
necessary account information (user name and password). The application session is then recorded
as an RDP session.
Important:
It is not possible to run an application whose linked target operates under a Windows 10
operating system as the remote desktop service does not support the "alternate shell"
function.
Warning:
In order to allow WALLIX Bastion to manage the connections to an application, the latter
must be able to receive the user name and password to be used for the connection as
command-line arguments.
Figure 10.2. Application session flow

The "Applications" page allows you to:
• list applications
• add/edit/delete an application
145
• import applications from a .csv file which can be used to populate the WALLIX Bastion resource
database
10.2.1. Configure the jump server

Servers from Windows Server 2003 are supported as jump servers. From Windows Server 2008,
the "Terminal Services" or "Remote Desktop" role must be installed.
Warning:
Please note that after the 120-day grace period expires, you must install Client Access
Licenses (CAL) in order to continue to use these services.
You must provide the user with the right to launch the application. This can be done by providing
access to unlisted programs or by adding the application to the authorized programs as described
below.
If you use the session probe mode, it is necessary to publish the command prompt (cmd.exe) as
the RemoteApp program. For further information regarding this mode and the configuration, we
strongly advise you to refer to Section 12.22, “Using the session probe mode”, page 283.
• Providing access to unlisted programs

1. Click on the "Start" menu.
2. Select "All Programs" > "Administrative Tools" > "Remote Desktop Services" and then click
on "RemoteApp Manager".
3. In the "Overview" frame, click on the "Change Terminal Server Settings".
4. On the "Terminal Server" tab, in the "Access to unlisted programs" frame, select "Allow users
to start both listed and unlisted programs on initial connection".
• Adding the application to the listed program

2. Select "All Programs" > "Administrative Tools" > "Remote Desktop Services" and then click
on "RemoteApp Manager".
3. In the "Actions" frame, click on "Add RemoteApp Programs".
4. Choose the application in the list displayed by selecting the related check box and then edit
its properties to allow the use of command line arguments.
We recommend setting the lowest possible value as the maximum period during which a
disconnected user session is kept active on the server running Terminal Server. To do so, you can
proceed as follows:

2. Select "All Programs" > "Administrative Tools" > "Remote Desktop Services" and then click on
"Remote Desktop Session Host Configuration" to set the timeout to 1 minute. To do so:
• in the "Connections" frame, select the "RDP-Tcp" connection
• on the "Sessions" tab, select "Override user settings" and set the value in the "End a
disconnected session" field to 1 minute.
146
You can also use group policies to manage this setting.

You can allow several connections with the same target account on a jump server.
Under Windows Server 2008 or later:

"Remote Desktop Session Host Configuration".
3. In the "Edit settings" frame, under "General", double-click on "Restrict each user to a single
session" and deselect the check box.
Alternatively, you can use the corresponding setting with an account policy.
Under Windows Server 2012 or later, you must set an additional setting in order to allow access to
a client that does not use network-level authentication. To do so:
1. Open the "Server Manager" application and select "Remote Desktop Services".
2. Select the needed collection in "Collections". "Quick Session Collection" corresponds to the
default collection.
3. In the "Properties" frame, select "Edit Properties".
4. In the "Security" section, deselect the "Allow connections only from computers running Remote
Desktop with Network Level Authentication (more secure)" check box.
10.2.2. Configure the application launch using RemoteApp

mode
The RemoteApp mode enables to make applications (as defined via "Targets" > "Applications") that
are accessed remotely through RDP appear as if they are running on the user's local computer.
Thus, this mode allows to start a remote desktop session that appears as a single application
window. Instead of being presented to the user in the desktop of the RDP client, the RemoteApp
application is integrated with the client's desktop. The RemoteApp application runs in its own
resizable window, can be dragged between multiple monitors, and has its own entry in the taskbar.
The RemoteApp mode is enabled by default when accessing applications. This parameter can be
managed via "Configuration" > "Configuration Options" > "GUI (Legacy)", then select/deselect the
option "Rdp remote app mode".
The window resizing is enabled by default for the RemoteApp application. This parameter can be
managed via "Configuration" > "Configuration Options" > "RDP proxy", then select/deselect the
option "Allow resize hosted desktop" below section "remote program". When this functionality is
enabled, a pin icon is displayed on the right upper part of the RemoteApp window hosting the classic
RDP session. The window can be resized when the pin points to the left.
The RemoteApp session closes 20 seconds after the last window or taskbar icon has been closed.
This period can be shortened by defining a time period before the display of a disconnect message
to close the session. This period can be set on the field "Remote programs disconnect message
display" on the configuration page related to the connection policy for the RDP protocol. This page
can be accessed from "Session Management" > "Connection Policies".
On the other hand, it may be necessary to convert RemoteApp session to Alternate Shell session
to be able to access a published RemoteApp application via a jump server for a session initiated
by Access Manager. This can be done by selecting the option “Wabam uses translated remotapp”,
below section “rdp”, on the configuration page related to the connection policy for the RDP protocol.
This page can be accessed from "Session Management" > "Connection Policies".
147
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
Important:
The RemoteApp sessions of a user connected simultaneously on one or several
applications are split by default when displayed from the "Current Sessions" and
"Session History" pages below the "Audit" menu). If the option "Rdp enable sessions
split" (accessible from "Configuration" > "Configuration Options" > "GUI (Legacy)" >
"main" section) is deselected, it may be possible to get an overlay view of these sessions.
The client Remote Desktop Connection (MSTSC) connected to Windows Server 2008
or 2012 does not allow several RemoteApp programs to share the same RDP session.
There will be as many RDP sessions created as the number of RemoteApp programs
launched.
Display issues related to the Microsoft client have been reported when using RemoteApp
mode and multiple monitors. Dysfunctions occur when the primary monitor is not located
in the upper left part of the virtual screen. The recommended workaround is to locate
the primary monitor in the upper left part of the virtual screen. Refer to https://
go.microsoft.com/fwlink/?LinkId=191444 for further information on the virtual
screen.
The session probe mode can be used to run the applications defined within the Bastion.
This operating mode provides the benefit of blocking the launch of child processes.
This is not the case when using the RemoteApp native mode. However, the restrictions
defined during the creation of the RemoteApp program in Windows (which may concern
user groups, command-line arguments allowed, etc.) will not apply. This mode can
be managed via "Session Management" > "Connection Policies > "RDP", then select/
deselect the option "Use session probe to launch remote program" below section "rdp".
For further information regarding the "session probe" mode, refer to Section 12.22, “Using
the session probe mode”, page 283.
10.2.3. Automate connections to an application using AutoIt

scripts
Note:
To automate connections to Web applications, refer to Section 10.2.4, “Automate
connections to a Web application using WALLIX Application Driver”, page 149.
Business applications usually implement an authentication screen to allow a user to only access
the needed data. The authentication step checks the login and the password manually entered by
this user. The latter has then the knowledge of this sensitive information.
To restrict disclosing of such information, we recommend using AutoIt scripts. These scripts are
supported by WALLIX Bastion and can be used, in particular, to fill in credential forms automatically.
With this process, the application's credential information is retrieved through the RDP virtual
channel. In such a case, the user has no access to this information.
148
When technical constraint is strong and safety risk is low, the credential information can also be
passed the application to as command line arguments. However, we do not recommend using such
an approach as the application user may easily access the information.
To allow AutoIt scripts retrieving credential information through the RDP virtual channel, the latter
must be enabled from "Configuration" > "Configuration Options" > "RDP proxy" then enter the name
of this virtual channel in the field "Auth channel" below section "mod_rdp". The symbol "*" tells
WALLIX Bastion to use the default name being wablnch. Note that WALLIX Bastion and the AutoIT
script must both use the same virtual channel name to operate properly.
Once the virtual channel is enabled, the AutoIt script must be deployed on the server running
Terminal Server then added to the listed RemoteApp programs:
Note:
The WALLIX Support Team can provide you with a generic AutoIt connection script. Feel
free to contact the Team, should you have any other questions (refer to Chapter 18,
“Contact WALLIX Bastion Support”, page 363).

"RemoteApp Manager".
3. In the "Actions" frame, click on "Add RemoteApp Programs".
4. Choose the path of the AutoIt executable script in the list displayed by selecting the related
check box.
Next, when configuring the application from the "Applications" page on WALLIX Bastion:
• enter the connection URL in the "Parameters" field

• enter the path of the AutoIt executable script in the "Application path" field
Example:
In the above example, the script WABIELogon_VC_64.exe launches Internet Explorer, retrieves
the credential information from the virtual channel and establishes a connection to the application.
Once the application is configured, it can be linked to a target group from "Targets" > "Groups".
10.2.4. Automate connections to a Web application using

WALLIX Application Driver
WALLIX Application Driver is a tool used for accessing Web applications by automatically injecting
credentials (user name and password) into authentication forms.
149
Note:
To automate connections to non Web-based applications, refer to Section 10.2.3,
“Automate connections to an application using AutoIt scripts”, page 148.
Application Driver retrieves the authentication information from the application via an RDP virtual
channel and automatically connects the user.
The authentication forms are thus filled out without user intervention and sensitive data is not
disclosed during the authentication phase.
Application Driver can be used without any specific deployment (refer to Section 10.2.4.1, “Using
WALLIX Application Driver without specific deployment”, page 150) or by manual deployment
(refer to Section 10.2.4.2, “Using WALLIX Application Driver via a manual deployment”, page 151).
Note:
WALLIX Bastion and Application Driver must use the same virtual channel name to
operate properly.
To configure the virtual channel, it is necessary to enter the name of the RDP virtual
channel in the “Auth channel” field located in “Configuration” > “Configuration options” >
“RDP proxy” > [mod_rdp] section.
By default, the symbol “*” is already specified and tells WALLIX Bastion to use the default
virtual channel name: wablnch.
10.2.4.1. Using WALLIX Application Driver without specific deployment
10.2.4.1.1. Prerequisites
The session probe mode must be enabled in order to use Application Driver without specific
deployment.
The prerequisites for the automatic deployment of Application Driver are the same as the
prerequisites for running Session Probe. For further information, refer to Section 12.22, “Using the
session probe mode”, page 283.
10.2.4.1.2. Requirements to launch the Web application
Note:
Please note that __APP_DRIVER_IE__ is no longer maintained. We recommend using
the markers for Google Chrome or Microsoft Edge based on Chromium.
The UI Automation script cannot currently be run on Windows Server 2022 when the
RemoteApp mode is enabled. We recommand:
• using the DevTools script or

• unchecking the “Rdp remote app mode” option in “Configuration options” > “GUI
(Legacy)” > “main” section
150
The setup must be performed from the “Applications” page in the “Targets” menu:
1. In the “Application path” field, enter one of the following values:

• “__APP_DRIVER_IE__” to select the launch of the Web application in Internet Explorer
• “__APP_DRIVER_CHROME_UIA__” to select the launch of the Web application in Google
Chrome with the UI Automation script
• “__APP_DRIVER_EDGE_CHROMIUM_UIA__” to select the launch of the Web application in
Microsoft Edge based on Chromium with the UI Automation script
• “__APP_DRIVER_CHROME_DT__” to select the launch of the Web application in Google
Chrome with the DevTools script
• “__APP_DRIVER_EDGE_CHROMIUM_DT__” to select the launch of the Web application in
Microsoft Edge based on Chromium with the DevTools script
2. In the “Parameters” field, specify the necessary parameters to launch the Web application
according to the selected browser and script. For further information, see Section 10.2.4.3,
“Parameters of WALLIX Application Driver for the launch of the Web application”, page 154.
Example for the launch of the Web application using Internet Explorer:
10.2.4.2. Using WALLIX Application Driver via a manual deployment
Application Driver can be deployed manually through an executable file as well as configuration
scripts provided to the administrators of the jump servers upon request to the Support Team.
Please contact the Team for further information (see Chapter 18, “Contact WALLIX Bastion
Support”, page 363).
However, we recommend using WALLIX Application Driver in connection with the session probe
mode. For further information, refer to Section 10.2.4.1, “Using WALLIX Application Driver without
specific deployment”, page 150. You can, however, deploy Application Driver manually.
151
10.2.4.2.1. Manual deployment
1. Download the AppDriver.exe file and the scripts WABChromeLogonUIA.lua and

WABIELogon.lua provided by the Support Team to the target server used to execute Web
applications.
Note:
The script WABChromeLogonUIA.lua will be used to select the launch of the Web
application using Google Chrome and the script WABIELogon.lua will be used to
select the launch of the Web application using Internet Explorer.
2. Copy the AppDriver.exe file to a dedicated folder, for example: C:\AppDriver

\AppDriver.exe.
3. Copy both scripts to this same folder.
10.2.4.2.2. Requirements to launch the Web application
The setup must be performed from the “Applications” page in the “Targets” menu:
1. In the “Parameters” field, specify either the path to the script WABChromeLogonUIA.lua or
the path to the script WABIELogon.lua according to the selected browser for the launch of
the Web application as well as the necessary parameters. For further information on the latter,
see Section 10.2.4.3, “Parameters of WALLIX Application Driver for the launch of the Web
application”, page 154.
2. In the “Application path”, enter the path to the AppDriver.exe file.
Important:
AppDriver.exe /? must be entered in the “Application path” field to access the
command line help and version number of Application Driver.
Example for the launch of the Web application using Google Chrome:
152
153
10.2.4.3. Parameters of WALLIX Application Driver for the launch of the Web
application
Mandatory parameters
Parameter Description
/lua_file:<Lua script file name> Applies only when using WALLIX
Application Driver via a manual
deployment. Sets the Lua script's path used
to open the Web session.
/e:URL=<URL> Defines the website URL.
Important:
In order to access the command line help and the version number of the Lua script used
by Application Driver, it is necessary to specify the /e:ShowUsage=Yes parameter in
the “Parameters” field, such as:
/lua_file:<Lua script file name> /e:ShowUsage=Yes
Optional parameters for Internet Explorer

/e:EnterInPasswordField=Yes Validates the form by pressing the
return key in the password-input field.
Is ignored when a two-page login is
used. Is not compatible with the option /
e:EnterInsteadClicking=Yes.
/e:EnterInsteadClicking=Yes Validates the form by pressing the return
key in the text-input fields instead of
clicking on the validation button.
/e:FirstPageReadyElementId=<Element ID> Defines a HTML element id determining
that the first Web page is fully loaded and
ready in the case of a two-page login.
/e:PasswordFieldId=<password field ID> Defines the password field id on the login
Web page. Is ignored when a two-page
login is used.
/e:PreSignInLinkClassName=<link class Defines a HTML anchor link class name
name> determining that the page is fully loaded
and ready.
/e:SecondPageReadyElementId=<Element ID> Defines a HTML element id determining
that the second Web page is fully loaded
and ready in the case of a two-page login.
/e:SendInputInsteadSetValue=Yes Simulates keystrokes instead of entering a
value in the text-input field.
/e:SubmitButtonId=<Button Id> Defines the validation button id on the
login Web page. Is ignored when a two-
page login is used.
/e:TwoPageSignIn=Yes Enables a two-page login.
154
Optional parameters for Internet Explorer

/e:UsernameFieldId=<username field ID> Defines user name field id on the login
Web page. Is ignored when a two-page
login is used.
Optional parameters for Google Chrome and Microsoft

Edge based on Chromium with UI Automation script
/e:DisableKioskMode=Yes Prevents the launch of Google Chrome
or Microsoft Edge based on Chromium in
Kiosk mode.
/e:DisablePopupBlocking=Yes Disables the blocking of pop-up windows.
/e:DontUseGuestMode=Yes Disables the Guest mode.
/e:ExtraDelayBeforeFormSubmission= Adds an additional delay (in milliseconds)
<milliseconds> to the base delay of 1000 ms before form
validation.
/e:ExtraDropdown=<option> Fills out an extra drop-down list in the
login Web page.
/e:ExtraTextFieldAutomationIdAndValue= Fills out an extra input field in the login
<AutomationId>;<value> Web page.
/e:HTTPAuthentication=Yes Enables the connection via the HTTP
authentication pop-up.
/e:IgnoreCertificateErrors=Yes Requests Google Chrome or Microsoft
Edge based on Chromium to ignore
certificate check errors.
/e:RemoveDomainFromUsername=Yes Removes @<domain> from the login.
/e:TwoPageSignIn=Yes Enables two-page login.
/e:UseEdgeChromium=Yes Applies only when using WALLIX
deployment. Uses Microsoft Edge based
on Chromium instead of Google Chrome.
/e:UseDefaultUserDataDir=Yes Let the website browser use the existing
profile of the Windows account.
/ Let the UI Automation specify pseudo-
e:PreSignInElement2=<PropertyN>;<ValueN> conditions for finding the element to be
activated in a second pre-sign-in page of
website.

Edge based on Chromium with the DevTools script
/e:DisableKioskMode=Yes Prevents the launch of Google Chrome
or Microsoft Edge based on Chromium in
Kiosk mode.
/e:DisablePopupBlocking=Yes Disables the blocking of pop-up windows.
155

Edge based on Chromium with the DevTools script
/e:DontUseGuestMode=Yes Disables the Guest mode.
/e:ExtraFieldSelectorAndValue= Fills out an extra input field in the login
<selector>;<value> Web page.
/e:IgnoreCertificateErrors=Yes Requests Google Chrome or Microsoft
Edge based on Chromium to ignore
certificate check errors.
/e:PasswordFieldSelector=<selector> Finds the password input field
according to the CSS selector
specified. Must be used with the
UsernameFieldSelector parameter.
/e:PreSignInElementSelector=<selector> Finds the element to activate in the pre-
sign-in page of the website according to
the CSS selector specified.
/e:RemoveDomainFromUsername=Yes Removes @<domain> from the login.
/e:SubmitButtonSelector=<selector> Finds the validation button according
to the CSS selector specified.
Is not compatible with a two-
page login. Must be used with
the UsernameFieldSelector and
PasswordFieldSelector
parameters.
/e:TwoPageSignIn=Yes Enables two-page login.
/e:UseEdgeChromium=Yes Applies only when using WALLIX
deployment. Uses Microsoft Edge based
on Chromium instead of Google Chrome.
/e:UsernameFieldSelector=<selector> Finds the username input field
according to the CSS selector
specified. Must be used with the
PasswordFieldSelector parameter.
/e:UseDefaultUserDataDir=Yes Let the Web browser use the existing
profile of the Windows account.
/e:PreSignInElement2Selector=<selector> Let CSS selectors be specified to find the
element to be activated in a second pre-
sign-in page of website.
10.2.4.4. Using the browser extension with WALLIX Application Drive
By default, “Application Driver” launches the Web browser with a blank user profile. As a result,
browser extensions installed in Windows will not be loaded. This can be an issue for some
applications.
However, it is possible to authorize the use of Google Chrome extensions by using the following
parameters simultaneously:
156
• /e:UseDefaultUserDataDir=Yes: with this parameter, “Application Driver” no longer creates

a unique profile for the Web browser, but uses a copy of the existing Windows account profile;
all installed extensions are therefore available. Note that copying the profile may take some time
as it depends on the amount of data contained in the profile. The WALLIX Bastion administrator
must ensure that this profile is as small as possible.
• /e:DontUseGuestMode=Yes: allows extensions to be loaded when the Web browser is
launched.
Important:
A user can install software components (plugins/extensions) in the user profile of the
Web browser. If this existing profile is used as a template when copying, these software
components will be loaded into the browser of the application session. The browser
behavior may be affected by security vulnerabilities introduced by this method. The
WALLIX Bastion administrator must be aware of these risks.
It is recommended not to give access to the associated Windows account other than
through the website application. It is also recommended to use a password change policy
for the associated Windows account.
10.2.5. Add an application

From the "Applications" page, click on "Add an application" to display the application creation page.
The application creation page consists of the following fields:
• the application name which is internal to WALLIX Bastion

• a description
• the parameters, i.e. the command line arguments. The latter are concatenated to the application
path. To insert the user name, password and application ID into the command line, the variables
${USER}, ${PASSWORD} and ${APPID} are respectively used for the corresponding value.
WALLIX Bastion automatically replaces them with the appropriate information related to the
account selected by the user and the application ID.
• a list of values to select a connection policy defined on the RDP protocol for the connection on
the application target,
• the path of the application executable and the directory in which the application runs. In the case
of a cluster, you must provide these values for each device. For further information, refer to the
section 10.6, “Clusters”, page 196.
To enable users to connect to the application, you must now link the accounts with it as described in
Section 10.4, “Target accounts”, page 171. User access rights, like those of devices, are managed
using authorizations (permissions). The RDP protocol must therefore be used.
157
Figure 10.3. "Applications" page in modification mode
10.2.6. Edit an application

From the "Applications" page, click on an application name and then on "Edit this application" to
display the application modification page.
The fields in this page are the same as those in the application creation page.
10.2.7. Delete an application

From the "Applications" page, check the box at the beginning of the line(s) to select the related
application(s), then click on the trash icon to delete the selected line(s). WALLIX Bastion displays
a dialogue box requesting a confirmation before permanently deleting the line(s).
Warning:
You cannot delete an application on which target accounts are declared.
10.2.8. Add an account to the application

From the "Applications" page, click on an application name to display the application data and
expand the "Accounts on application" area to display the list of the accounts associated with the
application.
Click on "Add an account" to create an account for the application: you access the account
creation page. For further information, refer to Section 10.4.3, “Add a target account to an
application”, page 177.
10.2.9. Manage the resource associations with the

application
From the "Applications" page, click on an application name to display the application data and
expand the "Accounts on application" area to display the list of the accounts associated with the
application.
Each line shows an association and consists of the following fields:
• the target account name
158
• the domain name

• the service
• the resources
Click on "Manage association" to manage the resource associations: you access a page with the
list of the available resource(s) and selected one(s) for the application. Move a resource from the
"Available accounts" frame to the "Selected accounts" one in order to perform the association. And
conversely, move a resource from the "Selected accounts" frame to the "Available accounts" one
in order to remove the association.
10.2.10. Import applications

From the "Applications" page, click on the "Import CSV file" icon at the top right of the page to
import the related data. You are then redirected to the "CSV" page on the "Import/Export" menu:
the "Applications" check box is automatically selected to import the related data. The field and list
separators can also be configured.
#wab910 application
Important:
Warning:

O(ptional) value
Local domain Text O There can be no local domain, one N/A
or several local domains created
on this application
Global domain Text O There can be no global domain, N/A
one or several existing global
domains
Target Text R Format for an application on a N/A
device: account@domain@my_
device:rdp, rdp being the name of
the protocol defined on the device
Format for an application on a

cluster: name of the cluster
Parameters Text O Command line arguments. N/A
The variables ${USER},
159

O(ptional) value
${PASSWORD} and ${APPID}
can be used to insert the user
name, password and application
ID.
Paths Text R For an application on a device: N/A
path of the application
For an application on
a cluster: target1= 'path1'
target2='path2', for each target
of the cluster,with target1 in
format account@domain@my_
device:rdp
Startup Text O For an application on a cluster: N/A
directories
target1='wdir1' target2='wdir2'
Connection Text O Name of the connection policy on RDP
policy the RDP protocol
10.3. Domains
A global domain is a management entity grouping multiple target accounts which can be used to
authenticate across multiple devices. This entity offers the significant advantage of expanding and
synchronizing the password change at once for all the accounts on the devices associated with
the domain.
A global domain can also be associated with a password external vault. In this case, this domain
groups accounts which are managed externally through the association of an external vault plugin.
As a result, a password change mechanism cannot be applied to the related accounts within
WALLIX Bastion. For further information, refer to Section 5.3, “Password external vault”, page 23.
A local domain is a management entity grouping multiple target accounts which can be used to
authenticate on a single device only. This entity offers the significant advantage of expanding and
synchronizing the password change at once for all the accounts associated with the domain.
Local domains are created through the association with a device or a target account. For
further information, refer to Section 10.1, “Devices”, page 135 and Section 10.4, “Target
The "Domains" page allows you to:
• list global or local domains according to a dedicated filter on the domain type
• identify domains which are associated with a Certificate Authority
• identify domains for which the password change is enabled
• identify domains which are associated with an external password vault
• add/edit/delete a global domain
160
• edit a local domain

• import global or local domains from a .csv file which can be used to populate the WALLIX Bastion
resource database
• change the passwords for all the accounts on the global domain
161
10.3.1. Add a global domain

Warning:
Local domains are created through the association with a device or a target account. For
further information, refer to Section 10.1, “Devices”, page 135 and Section 10.4, “Target
From the "Domains" page, make sure that "Global" is selected in the "Display domain type" field on
the top of the page. Click on "Add a global domain" to display the global domain creation page.
The global domain creation page consists of the following fields:
• the domain name: a WALLIX Bastion internal representation of the domain used to display
accounts and targets on the Web user interface or during RDP/SSH sessions
• the domain real name: the name of the external domain if the created domain is a mapping of
an external domain (LDAP, AD, NIS). The domain real name is ignored when password change
is performed on Unix-derived targets.
• a description
• the vault type: choose whether the domain is associated with an external password vault or a
local one
Warning:
This field is only displayed when the “External Vaults” feature is associated with the
license key.
• if the chosen vault type is "Local" or the “External Vaults” feature is not associated with the
license key, options to define an SSH Certificate Authority to be associated with the domain for
the connection. The Certificate Authority (or "CA") is represented by a private/public SSH key
pair. It is possible to:
– generate a key: in this case, select the appropriate key type and length from the list (RSA 2048
by default) or
– browse a path to upload the file containing an existing key (in the OpenSSH or PuTTY key
formats) and specify the corresponding passphrase (if any defined)
For further information, refer to Section 10.3.2, “Associate the domain with an SSH Certificate
Authority”, page 163.
• if the chosen vault type is "Local" or the “External Vaults” feature is not associated with the license
key, an option to enable the password change for the accounts on this domain and, if enabled:
– the password change policy to be selected for this domain. For further information, refer to
Section 11.3, “Password change policies”, page 239.
– the password change plugin to be selected for this domain and the related parameters to be
specified. For further information, refer to Section 11.2, “Password change plugins”, page 223.
Note:
The CA public key is transferred to the target device (for a local domain) or the target
server (for a global domain) when a password change plugin is set on the concerned
domain and the WALLIX Password Manager feature is associated with the license key.
162
• if the chosen vault type is "External", select the vault plugin for this domain and specify the related
parameters. For further information, refer to Section 5.3, “Password external vault”, page 23 and
Section 10.7, “External password vault plugins”, page 198.
Warning:
This field is only displayed when the “External Vaults” feature is associated with the
license key.
• the Kerberos parameters: the Kerberos parameters are only supported by the WindowsService
plugin. When the chosen password change plugin is “WindowsService” and the transport protocol
defined for this plugin is “Kerberos”, then specify the following fields on the global domain page of
the administrator account selected during the definition of the reference (for further information,
refer to Section 11.2.13, “WindowsService plugin”, page 234 and Section 10.4.1.4, “Define
references for service account management”, page 174):
– “Kerberos realm”: specify the Kerberos realm
– “Kerberos KDC”: specify the domain name or the IP address of the KDC server
– “Kerberos port”: specify the port number of the KDC server. The default port is 88.
Figure 10.4. "Domains" page in addition mode
10.3.2. Associate the domain with an SSH Certificate

Authority
A Certificate Authority (or "CA") can be associated with a local (domain type "Local for a device") or
a global domain (when the latter is not associated with an external vault). It is then used to certify
the SSH keys for the target accounts. A CA is defined by an SSH key pair (a private key and a
public one). The CA private key signs the public keys of the target accounts on the domain. These
signed public keys are also called "certificates" and are used by the SSH client to allow connection
to a target server. The certificates are checked against the CA public key by the target server during
connections.
It is no longer necessary to copy the target accounts' public keys to the target servers.
Simply copy the CA public key to /etc/ssh/wallix_ca_user.pub or another file, reference
it in the sshd daemon's configuration file using keyword TrustedUserCAKeys as follows:
TrustedUserCAKeys /etc/ssh/wallix_ca_user.pub then restart the ssh daemon.
When a password change plugin is set on the domain, WALLIX Bastion transfers the CA public key
and the subsequent configuration to the target device (for a local domain) or the target server (for
a global domain). Furthermore, the public SSH key of the administrator account is not signed. To
163
allow SSH authentication using this account, the public key must be present on the target server
(usually in the file authorized_keys located in the home directory of the target account).
When a CA is associated with a domain, the public SSH keys for all the target accounts on this
domain are automatically signed by the CA. The summary page of an account on a domain which is
associated with a CA will therefore allow to download the corresponding signed certificate, instead
of an SSH public key. Furthermore, when a user wishes to check out the credentials of a target
account on a domain associated with a CA, the option to download the certificate is added. The
private key alone is not sufficient for authentication.
10.3.3. Edit a global or a local domain

From the "Domains" page, select "Global" or "Local for a device" or "Local for an application" in the
"Display domain type" field on the top of the page according to the domain type you wish to modify.
Click on a domain name and then on "Edit this global domain" or "Edit this local domain" to display
the corresponding domain modification page.
The fields in this page are the same as those in the global domain creation page.
When the password change is enabled on the domain, the "Administrator account" field allows you
to select the target account which will be used to change the password on another target account
in the event of a password mismatch between WALLIX Bastion and the device. This process is
called "reconciliation".
Warning:
The administrator account is required on the local domain when using Fortinet FortiGate
or IBM 3270 password change plugin. This account should be first added to the domain
from the "Domain accounts" area on the domain summary page, once the domain
creation step has been completed. For further information, refer to Section 10.3.4, “Add
an account to the global or a local domain”, page 165. Once the "Enable password
change" option has been selected on the domain modification page, select this account
from the list in the "Administrator account" field prior to select the plugin in the "Password
change plugin" field.
When the global domain is associated with an external vault, the related information is displayed on
the domain summary page, from the "External vault plugin" and the "Vault plugin parameters" fields.
If an SSH Certificate Authority has been set for this domain (domain type is "Global" or "Local for
a device"), a line with the CA private key type and length is displayed on the domain modification
page. It is then possible to:
• delete this key and/or

• replace this key:
– either by generating a new one: in this case, select the appropriate key type and length from
the list (RSA 2048 by default)
– or browsing a path to upload the file containing an existing key (in the OpenSSH or PuTTY key
formats) and specify the corresponding passphrase (if any defined)
• download the corresponding public key in the OpenSSH or ssh.com formats on the domain
summary page, from the "CA public key" field
Note:
If the CA private key defined for the domain is changed, then the SSH keys for all the
accounts on this domain are re-signed with the new Certificate Authority.
164
The CA public key is transferred to the target device (for a local domain) or the target
server (for a global domain) when a password change plugin is set on the concerned
domain and the WALLIX Password Manager feature is associated with the license key.
For further information, refer to Section 10.3.2, “Associate the domain with an SSH
Certificate Authority”, page 163.
10.3.4. Add an account to the global or a local domain

From the "Domains" page, select "Global" or "Local for a device" or "Local for an application" in the
"Display domain type" field on the top of the page according to the domain type you wish to display.
Click on a domain name to display the domain data and expand the "Domain accounts" area to
view the list of the existing accounts on the domain.
Click on "Add an account" to create an account on the domain: you access the account
creation page. For further information, refer to Section 10.4.1, “Add a target account to a global
domain”, page 172 to add a global domain account or refer to Section 10.4.2, “Add a target account
to a device”, page 175 to add a device account or refer to Section 10.4.3, “Add a target account
to an application”, page 177 to add an application account.
10.3.5. Change the passwords for all the accounts on the

global domain
From the "Domains" page, make sure that "Global" is selected in the "Display domain type" field on
the top of the page. Select a global domain for which the password change is enabled to display the
domain data. You can expand the "Domain accounts" area to view the list of the existing accounts
on this domain. Click on the "Change passwords" button on the right part of the page to change
instantly the passwords for all the accounts on this domain. WALLIX Bastion displays a dialogue
box requesting a confirmation before performing this action.
Note:
The "Change passwords" button on the right part of the page is displayed when an
administrator account is defined for the domain.
The passwords are changed in accordance with the password change policy selected
for the global domain. For further information, refer to Section 11.3, “Password change
policies”, page 239.
10.3.6. Change the passwords for all the accounts on the

local domain
From the "Domains" page, make sure that "Local for a device" or "Local for an application" is
selected in the "Display domain type" field on the top of the page. Select a local domain for which the
password change is enabled to display the domain data. You can expand the "Domain accounts"
area to view the list of the existing accounts on this domain. Click on the "Change passwords" button
on the right part of the page to change instantly the passwords for all the accounts on this domain.
WALLIX Bastion displays a dialogue box requesting a confirmation before performing this action.
Note:
The "Change passwords" button on the right part of the page is displayed when an
administrator account is defined for the domain.
165
The passwords are changed in accordance with the password change policy selected
for the local domain. For further information, refer to Section 11.3, “Password change
10.3.7. Revoke the signed certificate for the accounts on the

domain associated with a Certificate Authority
From the "Domains" page, make sure that "Global" or "Local for a device" is selected in the "Display
domain type" field on the top of the page. Select a domain which is associated with a Certificate
Authority to display the corresponding data. Expand the "Domain accounts" area to view the list of
the existing accounts on this domain. You can then:
• either revoke the certificates for all the accounts on the domain by clicking on "Revoke all" on
the header column
• or revoke the certificate of a given account by clicking on the "Revoke" button at the end of the
concerned line
A revocation list is automatically generated and transferred to the target server to mention that this
or these certificates can no longer be used for connection.
10.3.8. Delete a global domain

From the "Domains" page, make sure that "Global" is selected in the "Display domain type" field
on the top of the page. Check the box at the beginning of the line(s) to select the related global
domain(s), then click on the trash icon to delete the selected line(s). WALLIX Bastion displays a
Note:
After deleting a global domain, all related global accounts are removed, including
discovered global accounts from the “Onboarding” page on the “Discovered items” and
“Hidden items” views. For further information on global account onboarding, refer to
Section 10.9.3.2.2, “Onboard discovered global accounts”, page 219.
10.3.9. Import global domains

From the "Domains" page, make sure that "Global" is selected in the "Display domain type" field
on the top of the page. Click on the "Import CSV file" icon at the top right of the page to import the
related data. You are then redirected to the "CSV" page on the "Import/Export" menu: the "Global
domains" check box is automatically selected to import the related data. The field and list separators
can also be configured.
#wab910 globaldomain
Important:
166
Warning:

O(ptional) value
Real name Text O Free text N/A
Admin account Text O An existing account on the N/A
domain
This field is only taken into

account when the domain
exists and the account has
been created on this domain.
Empty if an external vault plugin

is defined for the domain
Password change Text R/O Password change policy N/A
policy defined
Required when the
password change Empty if an external vault plugin
is enabled (one of is defined for the domain
the 4 last fields is
entered)
Password change Text R/O Password change plugin N/A
plugin defined
Required when the
password change Empty if an external vault plugin
is enabled (one of is defined for the domain
entered)
Password change Text R/O All the needed arguments for N/A
infos the password change plugin
Required for given defined
plugin types
Required for given plugins
Format: key1=value1
key2=value2
Cisco: host (required),

enable_password (required),
port (optional)
Windows:
domain_controller_address
(required)
167

O(ptional) value
Unix: host (required),
port (optional), root_password
(optional - root password
can only be defined if
an admin_account has been
previously selected)
Oracle: host (required),

port (optional), service_name
(required), admin_mode
(optional and set as "Normal"
by default if not entered).
The possible values for the
admin_mode field are as
follows: "Normal", "SYSDBA",
"SYSOPER" and "SYSASM"
Empty if an external vault plugin

is defined for the domain
168

O(ptional) value
External vault Text O External vault plugin defined N/A
plugin
Empty if the password change
is enabled for the domain
External vault Text Required when All the needed arguments N/A
infos the external vault for the external vault plugin
plugin is defined defined
Format: key1=value1
key2=value2
Bastion: api_url (required),

api_key (optional),
service_login (optional),
service_password (optional)
The API URL must start

with “https://” and end with “/
api/vX.Y”. The minimum API
version supported is 2.3.
Empty if the password change

is enabled for the domain
10.3.10. Import local domains

From the "Domains" page, make sure that "Local for a device" or "Local for an application" is
selected in the "Display domain type" field on the top of the page. Click on the "Import CSV file" icon
at the top right of the page to import the related data. You are then redirected to the "CSV" page
on the "Import/Export" menu: the "Local domains" check box is automatically selected to import the
#wab910 localdomain
Important:
Warning:
169

O(ptional) value
Device Text R/O At least one device or an N/A
application must be defined
Application Text R/O At least one device or an N/A
application must be defined
Admin account Text O An existing account on the N/A
domain
This field is only taken into

account when the domain
exists and the account has
been created on this domain.
Password Text R/O Password change policy N/A
change policy defined
Required when the
password change
is enabled (one of
entered)
Password Text R/O Password change plugin N/A
change plugin defined
Required when the
password change
is enabled (one of
entered)
Password Text R/O All the needed arguments for N/A
change infos the password change plugin
Required for given defined
plugin types
Required for given plugins
Format: key1=value1
key2=value2
Cisco: port (optional),

enable_password (required)
Windows: no specific
parameter to set
Unix: port (optional),

root_password (optional)
For devices:
Oracle: port (optional),

service_name (required),
admin_mode (optional and set
as "Normal" by default if
170

O(ptional) value
not entered). The possible
values for the admin_mode
field are as follows: "Normal",
"SYSDBA", "SYSOPER" and
"SYSASM"
For applications:
Oracle: host (required),

port (optional), service_name
(required), admin_mode
(optional and set as "Normal"
by default if not entered).
The possible values for the
admin_mode field are as
follows: "Normal", "SYSDBA",
"SYSOPER" and "SYSASM"
10.4. Target accounts

An account is an entity (managed by WALLIX Bastion or by an external password vault) that allows
a user to be authenticated to a system and to be granted a defined level of authorization to access
resources on that system, for management purposes. An account belongs to a domain.
A target account is characterized by the association of the following entities: a device and a service
and an account.
It exists three target account types:
• Global account: the account is defined on a global domain and is used to access services
on devices in this domain and to manage service accounts (for further information on the
management of service accounts, refer to Section 10.4.1.4, “Define references for service
account management”, page 174)
• Device account: the account is defined on a device and is only used for accessing a service on
this device
• Application account: the account is defined for an application only (an account to access the jump
server–the target device on which the application is running–might be necessary)
The “Accounts” page on the “Targets” menu allows you to:
• list the target accounts and the domains, devices and applications declared on them
• add, edit and delete an account
It is possible to import target accounts from a .csv file to populate the WALLIX Bastion resource
database. For further information, refer to Section 10.4.8, “Import target accounts”, page 180.
171
10.4.1. Add a target account to a global domain

From the “Accounts” page on the “Targets” menu, select “Global accounts” from the drop-down list
then click on the “+ Add” button to display the global domain account creation page.
This page consists of the following tabs: “General”, “Password”, “SSH private key” and
“References”.

The “General” tab allows you to select and enter the following fields:
• the name of the global domain to which you want to add an account. It will not be possible to edit
the name of the global domain once you have clicked on “Apply”.
• the account name: this is the internal representation of the account in WALLIX Bastion. This
information is displayed on the session selector and on the account's credential checkout page
on the Web interface. This name must be unique within the WALLIX Bastion domain.
Important:
When the account is created on a global domain associated with an external
password vault linked to the Bastion plugin (refer to Section 10.7.1, “Bastion
plugin”, page 199 for further information), its name must be formed as
follows: “account_name\\global_domain” or “account_name\\local_domain\\device” or
“account_name\\local_domain\\application”. Note that “\\” must be used as a separator.
“account_name” corresponds to the name of an account on the remote WALLIX
Bastion.
“global_domain” and “local_domain” correspond respectively to a global and a local
domain on the remote WALLIX Bastion.
“device” and “application” correspond respectively to a device and an application on
the local domain on the remote WALLIX Bastion.
• the account login: this is the user name of the remote account. This information is not displayed
on the session selector or on the account's credential checkout page on the Web interface.
• a field to associate resources: a resource association is required to create targets for applications
and clusters. To associate resources, select a device and a service in the drop-down lists and
click on “+”. Once created, it is possible to delete this association by clicking on the “-” red icon.
You can associate as many resources as necessary.
• a description
• the checkout policy to associate with the account. For further information, refer to Section 10.8,
“Checkout policies”, page 205.
• a toggle button to enable or disable the automatic password change for this account. See
Section 4.6, “Data encryption”, page 19 for the data encryption information related to password
storage.
• a toggle button to enable or disable the automatic SSH key change for this account
• the certificate validity period if the account is defined on a domain associated with a Certificate
Authority. The appropriate format is as follows:
[number of weeks]wk[number of days]d[number of hours]h[number of
minutes]min[number of seconds]s
172
If no value is entered in this field, then the certificate is valid for an unlimited period.
Note:
can access the other tabs of the global domain account creation page.
Figure 10.5. "New global domain account" page
10.4.1.2. Define password

From the “Password” tab, enter and confirm the password of the account.
You also have the possibility to manually change and instantly propagate the password of the
account on the target by using the toggle button “Propagate credential change”.
Once you have defined the password for the account, click on “Apply”.
Note that you can delete a password already set for this account by clicking on the “Delete
password” button.
10.4.1.3. Define SSH private key

From the “SSH private key” tab, you can define the private key for the SSH connection in two ways:
• either by generating a key:

1. Select “Private key generation” from the drop-down list.
2. Choose the appropriate private key signature system in the list entitled “Private key signature
system”.
• or by uploading a key:
1. Select “Private key uploading” from the drop-down list.
2. Drag-and-drop a file or browse a path to upload the file containing an existing private key (in
the OpenSSH or PuTTY key format) in the “Upload SSH private key” section.
3. Specify the corresponding passphrase (if any defined) in the “Passphrase” field.
173
4. Enable the “Propagate credential change” button to change the SSH private key of the
account and instantly propagate it on the target.
Once you have defined the SSH private key for the account, click on “Apply”.
You have now the possibility to download the corresponding SSH public key in the OpenSSH or
ssh.com format from the “Download SSH public key” button.
Note that you can delete the SSH private key defined for this account by clicking on the “Delete
existing SSH private key” button.
10.4.1.4. Define references for service account management

The “References” tab allows you to list, add, edit and delete references to a service account.
Within the context of a service account password change, the password used by a service must
be updated with this new password.
The definition of references allows to simplify the password change process on services. These
references are used by WALLIX Bastion to launch the automatic propagation of the new password
on the device(s) on which the service is deployed.
To add a reference, click on the “+ Add” button. A window opens and allows you to select and enter
the following fields:
• the name of the reference

• a description
• the global domain on which the WindowsService plugin has been selected (for further information,
refer to Section 11.2.13, “WindowsService plugin”, page 234)
• the device or the devices on which the service is deployed
• the global domain on which the administrator account is defined
• the name of the administrator account
Once you have defined the reference, click on “Apply and close”.
Note that by clicking on the link in the “Device status” column, information on the password change
status of the service accounts can be viewed.
To delete a reference, check the box at the beginning of the corresponding line, then click on the
“Delete” button.
Warning:
If you delete a global account, the associated references are also deleted.
10.4.1.5. Associate account with group

Once you have created a global domain account, you have the possibility to add it to a group in
order to create a target account for session management or password management.
Note:
This association type can also be managed from the “Groups” page (for further
174
To add a global domain account to a group, check the box at the beginning of the line to select the
related global account, then click on the “Add to group” button. A window opens and allows you to
enter and select the following fields:
• the group name: select an existing group or create a new one

• the group description
• the target type: select the relevant target type to create the association for session management
or password management
• the field "From": select the desired resource type for the resource association
• the device or application on which the account will be defined
• the service (if it is required)
• the global account
Note:
possibility to manage new resource associations. Otherwise, click on the “Add and close”
button to save the data and close the window.
10.4.2. Add a target account to a device

From the “Accounts” page on the “Targets” menu, select “Device accounts” from the drop-down list
then click on the “+ Add” button to display the device account creation page.
This page consists of the following tabs: “General”, “Password” and “SSH private key”.

• the name of the device to which you want to add an account. It will not be possible to edit the
name of the device once you have clicked on “Apply”.
• the local domain name: you can select an existing local domain or create a new one. It will not
be possible to edit the name of the local domain once you have clicked on “Apply”.
• a field to associate resources: a resource association is required to create targets for applications
and clusters. To associate resources, select a service in the drop-down list and click on “+”. Once
created, it is possible to delete this association by clicking on the “-” red icon. You can associate
as many resources as necessary.
• a description
storage.
• a toggle button to enable or disable the automatic SSH key change for this account
175
Note:
can access the other tabs of the device account creation page.

password” button.
10.4.2.3. Define SSH private key

From the “SSH private key” tab, you can define the private key for the SSH connection in two ways:
• either by generating a key:

1. Select “Private key generation” from the drop-down list.
2. Choose the appropriate private key signature system in the list entitled “Private key signature
system”.
• or by uploading a key:
1. Select “Private key uploading” from the drop-down list.
2. Drag-and-drop a file or browse a path to upload the file containing an existing private key (in
the OpenSSH or PuTTY key format) in the “Upload SSH private key” section.
3. Specify the corresponding passphrase (if any defined) in the “Passphrase” field.
4. Enable the “Propagate credential change” button to change the SSH private key of the
account and instantly propagate it on the target.
Once you have defined the SSH private key for the account, click on “Apply”.
You have now the possibility to download the corresponding SSH public key in the OpenSSH or
ssh.com format from the “Download SSH public key” button.
Note that you can delete the SSH private key defined for this account by clicking on the “Delete
existing SSH private key” button.

Once you have created a device account, you have the possibility to add it to a group in order to
create a target account for session management or password management.
Note:
To add a device account to a group, check the box at the beginning of the line to select the related
device account, then click on the “Add to group” button. A window opens and allows you to enter
and select the following fields:
176

• the local account.
Warning:
The account is displayed in the list as many times as there are services defined on
the device to which it belongs. Make sure to select only the relevant account(s) for the
association to the group.
Note:
possibility to associate the local account with another group and/or target type. Otherwise,
click on the “Add and close” button to save the data and close the window.
10.4.3. Add a target account to an application

From the “Accounts” page on the “Targets” menu, select “Application accounts” from the drop-down
list then click on the “+ Add” button to display the application account creation page.
This page consists of the following tabs: “General” and “Password”.

• the name of the application to which you want to add an account. It will not be possible to edit
the name of the application once you have clicked on “Apply”.
• the local domain name: you can select an existing local domain or create a new one. It will not
be possible to edit the name of the local domain once you have clicked on “Apply”.
• a description
storage.
Note:
can access the “Password” tab of the application account creation page.
177

password” button.

Once you have created an application account, you have the possibility to add it to a group in order
to create a target account for session management or password management.
Note:
To add an application account to a group, check the box at the beginning of the line to select the
related application account, then click on the “Add to group” button. A window opens and allows
you to enter and select the following fields:

• the local account
Note:
possibility to associate the local account with another group and/or target type. Otherwise,
click on the “Add and close” button to save the data and close the window.
10.4.4. Edit a target account

From the "Accounts" page on the “Targets” menu, click on an account name to display the related
modification page. You can then edit the data already entered.
For further information on how to enter data in the tabs, refer to Section 10.4.3, “Add a target account
to an application”, page 177 to edit a global domain account or refer to Section 10.4.2, “Add a
target account to a device”, page 175 to edit a device account or refer to Section 10.4.3, “Add a
target account to an application”, page 177 to edit an application account.
Warning:
You cannot edit the login, password, SSH private key and checkout policy of a target
account on the Web interface or via the REST API when the related credentials are being
178
checked out. The credentials must first be checked in using the “Force check-in option”
to be able to edit the corresponding fields. For further information, refer to Section 12.3.6,
“Account history”, page 256.
When the global domain account is defined on a domain associated with a Certificate
Authority, it is possible to edit the certificate validity period or to enter it if it has not been
defined previously. The appropriate format is as follows:
[number of weeks]wk[number of days]d[number of hours]h[number of

minutes]min[number of seconds]s
However, if this value is edited or defined at this point, the former validity period still
applies and the new validity period for the certificate will apply at next SSH key change.
10.4.5. Change the credentials automatically for one or

several accounts
From the “Accounts” page on the “Targets” menu, you have the possibility to launch the automatic
password and SSH private key change for one or more accounts of the following types: global
domain account, device account and application account.
To do this:
1. Select the desired account type from the drop-down list

2. Check the box at the beginning of the line(s) to select the target account(s) which belong(s) to
a domain enabling the credential change
3. Click on the “Automatic credential change” button
4. Select the credential type(s) you want to change and the relevant account(s) in the new window
5. Click on “Apply and close” to launch the automatic credential change for the account(s).
The credentials are now changed on WALLIX Bastion and on the related target(s).
Note:
The automatic credential change is only possible for accounts belonging to a domain on
which the password change is enabled.
Once this change has been launched, the credentials are instantly changed on WALLIX
Bastion and propagated on the related target(s).
The credentials are automatically changed:
• in accordance with the password change policy selected for the domain. For further
information, refer to Section 11.3, “Password change policies”, page 239.
• when the checkout policy allows the password change at check-in. For further
information, refer to Section 10.8, “Checkout policies”, page 205.
10.4.6. Change the credentials manually for a given target

account
179
From the “Accounts” page on the “Targets” menu, you have the possibility to manually change an
account password and/or SSH private key and to instantly propagate the change on the target.
To do this, select the desired account type from the drop-down list and click on the account name
in order to open the related modification page. You can then:
• on the “Password” tab: enter and confirm the new password of the account and enable the toggle
button “Propagate credential change”
• on the “Private key uploading” page of the “SSH private key” tab: upload the new key and enable
the toggle button “Propagate credential change”
Once you have entered the fields and enabled the propagation toggle button, click on “Apply” to
propagate the new password and/or SSH private key on the target.
Note:
The manual credential change is only possible for accounts belonging to a domain on
which the password change is enabled.
Once this change has been launched, the credentials are instantly changed on WALLIX
Bastion and propagated on the related target(s).
The credentials are changed:
• in accordance with the password change policy selected for the domain. For further
information, refer to Section 11.3, “Password change policies”, page 239.
• when the checkout policy allows the password change at check-in. For further
information, refer to Section 10.8, “Checkout policies”, page 205.
10.4.7. Delete a target account

From the “Accounts” page on the “Targets” menu, check the box at the beginning of the line to select
the target account(s) you wish to delete, then click on the “Delete” button. WALLIX Bastion displays
a dialogue box requesting a confirmation before permanently deleting the line(s).
10.4.8. Import target accounts

From the “CSV” page on the “Import/Export” menu, select the “Accounts” check box to import the
#wab910 account
Important:
Warning:
180

O(ptional) value
Login Text R Free text N/A
Password Text O Free text N/A
Authentication can be
performed either by password
or by a private key or both or
none of them.
When the import is performed

from WALLIX Bastion 6.1:
• if this field is empty, then the

password is deleted during
import
• if this field is filled with the
the existing password is not
modified. Caution! If there is
no existing password for the
at [hidden].
[hidden]keyword, then the
password is updated with
this new value

is empty, then the password is
NOT deleted during import.
Private key Text O Free text N/A
Authentication can be
performed either by password
or by a private key or both or
none of them.
When the import is performed

from WALLIX Bastion 6.1:
• if this field is empty, then the

private key is deleted during
import
181

O(ptional) value
the [hidden] value, then
the existing key is not
modified. Caution! If there
is no existing key for the
at [hidden].
the key is updated with this
new value

is empty, then the key is NOT
deleted during import.
As the private key is a long
length value, it must be entered
between quotes for the import.
Passphrase Text O Free text N/A
Passphrase for the private key.

This field is used when a new
private key is specified in the
"Private key" field.
Automatically Boolean R True or False False
change password
Automatically Boolean R True or False False
change SSH key
Checkout policy Text R Checkout policy defined N/A
Domain Text R For an account on a device: N/A
Device • domain: local domain of the

device
Application
• device: name of the device
Resources/
• resources: related services
Services
(optional and must exist on
the device)
For an account on an
application:
• domain: local domain of the

application
182

O(ptional) value
• application: name of the
application
For an account on a global

domain:
• domain: name of the global

domain
• resources: device on the
domain, expressed with
the syntax device:protocol
(optional)
Example of import syntax for a device, domain and application:
#wab910 account
my_device_user;device_user_login;description;False;P4sSw0rD;;False;default;
local_domain_1;my_device;;my_domain_user;domain_user_login;description;True;
P4sSw0rD;;False;default;my_global_domain;;;device_on_domain:rdpmy_app_user;
app_user_login;description;False;P4sSw0rD;;True;default;local_domain_1;;my_application;
10.5. Target groups

The “Groups” page on the “Targets” menu allows you to:
• list the declared target groups

• add, edit and delete a group
• view the target accounts included in each group
• configure a group for session management and password management
It is possible to import target groups from a .csv file to populate the WALLIX Bastion resource
database. For further information, refer to Section 10.5.4, “Import target groups”, page 194.
10.5.1. Add a target group

From the “Groups” page on the “Targets” menu, click on the “+ Add” button to display the group
creation page.
This page consists of the following tabs: “General”, “Session management targets”, “Password
management targets” and “Restrictions”.
183

The “General” tab allows you to enter the following fields:
• the new target group name

• a description
Note:
can access the other tabs of the group creation page.
10.5.1.2. Configure a target group for session management from an account in

the vault
This procedure consists in defining, within a group, the target accounts which can be accessed
remotely from an RDP or an SSH client.
1. From the “Session management targets” tab, select “Account” from the drop-down list then click
on the “+ Add” button to display the resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
local accounts”, “A device and global accounts”, “An application and related local accounts” or
“An application and global accounts”.
3. Depending on the chosen value, select the device or the application concerned by the
association in the next field.
4. In the “Service” field, select the service (if necessary) which will be used to access the target
account(s).
5. Once all the fields are entered, the list of available accounts is displayed. Check the box at the
beginning of the line of the desired target account(s) in order to perform the association.
6. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.
Note:
At least one local and/or global account must exist for the device and the application to
be able to manage this association.
At least one service must exist on the device to be able to manage this association.
You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
10.5.1.3. Configure a target group for a scenario account during SSH session
This procedure consists in defining, within a group, the target accounts which can be used by a
startup scenario once the SSH session has been initiated. These accounts are called “scenario
accounts”. For further information, refer to Section 12.19, “SSH startup scenario on a target
1. From the “Session management targets” tab, select “Scenario account” from the drop-down list
then click on the “+ Add” button to display the resource association creation page.
184
local accounts” or “A global domain and related accounts”.
3. Depending on the chosen value, select the device or the global domain concerned by the
association in the next field.
4. Once the fields are entered, the list of available accounts is displayed. Check the box at the
Note:
At least one local account must exist on the device and/or one global account must exist
on the global domain to be able to manage associations.
10.5.1.4. Configure a target group for session management through account

mapping
The procedure below consists in defining, within a group, the targets which can be accessed through
account mapping.
An access through account mapping can be defined on a resource (device+service or application)

when a service is saved on this resource.
Warning:
The authentication method PASSWORD_MAPPING must be selected in the connection
policy associated with the target to be able to connect to this target using the
account mapping mechanism (for further information, refer to Section 12.4, “Connection
Account mapping with the authentication method PASSWORD_MAPPING is not

functional if the user authenticates via a method with no password exchange such as:
• Kerberos or X509 certificate for WALLIX Bastion

• SAML or X509 certificate for WALLIX Access Manager
1. From the “Session management targets” tab, select “Account mapping” from the drop-down list
services” or “Applications”.
3. If you wish to access a device, select the one concerned by the association in the next field.
4. Once the fields are entered, the list of available services and applications is displayed. Check
the box at the beginning of the line of the desired service(s) or application(s) in order to perform
the association.
185
10.5.1.5. Configure a target group for session management through interactive

login
This procedure consists in defining, within a group, the targets which can be accessed through
interactive login.
An access through interactive login can be defined on a resource (device+service or application)

when a service is saved on this resource.
Note:
The authentication method PASSWORD_INTERACTIVE must be selected at the level of
the connection policy associated with the target to be able to connect to this target using
the interactive login mechanism (for further information, refer to Section 12.4, “Connection
1. From the “Session management targets” tab, select “Interactive login” from the drop-down list
services” or “Applications”.
3. If you wish to access a device, select the one concerned by the association in the next field.
4. Once the fields are entered, the list of available services and applications is displayed. Check
the box at the beginning of the line of the desired service(s) or application(s) in order to perform
the association.
10.5.1.6. Configure a target group for password management from an account in

the vault
This procedure consists in defining, within a group, the target accounts for which the password
can be checked out/viewed. For further information, refer to Section 11.1, “User authorizations on
passwords”, page 221.
1. From the “Password management targets” tab, click on the “+ Add” button to display the
resource association creation page.
local accounts”, “A global domain and related accounts” or “An application and related local
accounts”.
186
3. Depending on the chosen value, select the device, the global domain or the application
concerned by the association in the next field.
4. Once the fields are entered, the list of available account(s) is displayed. Check the box at the
10.5.1.7. Manage the restrictions
10.5.1.7.1. SSH flow analysis / Pattern detection
When creating/editing user groups or target groups, you can define “restrictions” through a set of
actions to apply when certain character sequences are detected in the upward flow from SSH proxy
by enabling/disabling pattern detection. The data analyzed is the data entered by the user.
Note:
A set of allowed commands can be defined as regular expressions for remote command
execution for subprotocol SSH_REMOTE_COMMAND. For further information,
refer to Section 10.5.1.7.1.5, “Patterns of allowed commands for subprotocol
SSH_REMOTE_COMMAND”, page 190.
To add a restriction, click on the “Restrictions” tab then on the “+ Add” button to display the dedicated
creation window. The relevant actions must be selected in the “Action” field and the corresponding
rules must be defined in the “Rules” field.
In the event of detection, the corresponding action will apply: session disconnection for the “Kill”
action or sending of a notification for the “Notify” action.
Warning:
Character sequence detection is only enabled for data sent by the client to the server.
The list of patterns applied is the sum of those present in the user groups and the target groups.
The linked action is the most restrictive: if the “Kill” action is in one of the groups, then this action
will be selected.
The rules must be entered as regular expressions, with one expression per line.
Furthermore, pattern detection is case-sensitive.
E.g.: to prevent files from being deleted, the expressions to enter in the “Rules” field are as follows:
unlink\s+.*
rm\s+.*
10.5.1.7.1.1. Warning for “Kill” actions
By default, the “Kill” action will disconnect the session at first detection.
187
It is however possible to define a detection count with blocking and warning before the session
disconnection.
This can be done through the definition of a global option for SSH proxy: from the “Configuration
Options” page on the “Configuration” menu, select “SSH proxy” in the list to access the SSH proxy
configuration page, then enter a positive integer in the “Warning count” field. This value is “0” by
default.
For example, if you enter “5” in this field, the user will be warned five times upon detection (while
preventing execution of the command) before disconnecting the session at the sixth detection.
Warning:
By default, the keyboard inputs not displayed on the terminal (e.g. passwords) are
not logged within WALLIX Bastion, unless the option “Log all kbd” is enabled on the
configuration page for the related connection policy. However, a malicious user can force
the display permanently during the session using the following command:
stty -echo
In such a case, the session can then be disconnected by defining the following “Kill” rule
in the “Restrictions” tab of the “Groups” page:
10.5.1.7.1.2. File transfers
For subprotocols SFTP_SESSION, SSH_SCP_UP and SSH_SCP_DOWN, it is possible to set a

pattern based on the file size to detect transfer of large files. The syntax is as follows:
$filesize:>X
X is the size expressed in bytes.
A trailing letter (such as “m”, “k”, “g”) can be specified to provide a scaling factor as described in
the table below:
Letter Scaling factor

k 1 000
m 1 000 000
g 1 000 000 000
10
K 1024 (2 )
20
M 1 048 576 (2 )
30
G 1 073 741 824 (2 )
Table 10.1. Scaling factor
10.5.1.7.1.3. Data download restriction
For subprotocols SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, TELNET and RLOGIN, it

is possible to set a pattern based on the definition of a limit for downloading data from the server
to the client's desktop. The syntax is as follows:
$downsize:>X
X is the maximum data amount size expressed in bytes.
188
A trailing letter (such as “m”, “k”, “g”) can be specified to provide a scaling factor as described in
the table below:
Letter Scaling factor

k 1 000
m 1 000 000
g 1 000 000 000
10
K 1024 (2 )
20
M 1 048 576 (2 )
30
G 1 073 741 824 (2 )
Table 10.2. Scaling factor
10.5.1.7.1.4. Detections of Cisco IOS commands
CISCO routers under IOS are quite restrictive for command input but support auto completion and
partial input when command prefixes are unambiguous.
It is therefore necessary to use a specific extension of the rules syntax to forbid or allow some
commands in the most exhaustive way on such a system.
Warning:
A target having this type of detection rules will be considered as a CISCO IOS device.
It should therefore not be used for another kind of device such as Linux/Unix under risk
of malfunction.
This syntax extension can be used with subprotocols SSH_SHELL_SESSION, RLOGIN or TELNET
(according to the kind of connection), for any kind of action.
Two modes are available:
• White list of commands: only the listed commands are allowed. The syntax to use in the “Rules”
field is as follows: $acmd:[command list]
• Black list of commands: any commands are allowed except those in the list. The syntax to use
in the “Rules” field is as follows: $cmd:[command list]
The command list is delimited by square brackets, each command being separated by a comma.
For example: [enable, show kerberos, access-template, configure terminal]
A command can contain a “:” separator to indicate the end of the unambiguous prefix. The
command itself must not contain any “:” character. For example for the commands "en[able]",
"sh[ow] kerb[eros]", "access-t[emplate]", and "conf[igure] t[erminal]" the list would be: [en:able,
sh:ow kerb:eros, access-t:emplate, conf:igure t:erminal]
Example of white list:
$acmd:[en:able, sh:ow kerb:eros, access-t:emplate, conf:igure t:erminal]

$acmd:[sh:ow]
Example of black list:
$cmd:[en:able, sh:ow]
189
In case of multiple declarations, all lists of the same kind are merged.
If both white and black lists are declared together, detection will be done from the white list where
commands from the black list have been removed.
By default, implicitly, the commands “alias” and “prompt” will be added to a black list and the
command “exit” will be added to a white list.
Example of detection using the white list: [w:here, sh:ow ke:rberos, co:nnect]
Input Detection
show Yes
show kerb No
sh ke c No
show kron schedule Yes
show ip arp Yes
config t Yes
where No
w No
alias show display Yes
exit No
Table 10.3. Cisco IOS Detection with white list
Example of detection using the black list: [w:here, sh:ow ke:rberos, co:nnect]
Input Detection
show No
show kerb Yes
sh ke c Yes
show kron schedule No
show ip arp No
config t No
where Yes
w Yes
alias show display Yes
exit No
Table 10.4. Cisco IOS Detection with black list
10.5.1.7.1.5. Patterns of allowed commands for subprotocol SSH_REMOTE_COMMAND
A set of allowed commands can be defined as regular expressions for remote command execution.
A command mismatch will then be detected.
The syntax is as follows:
$allow:<re_1>
190
Commands matching the regular expression <re_1> are thus allowed. The others are detected.
If several expressions prefixed with “allow” are defined, a command matching one of them will be
allowed.
The following sequence:
$allow:<re_1>
$allow:<re_2>
...
$allow:<re_n>
can also be specified as follows:
$allow:<re_1> |<re_2>| ... |<re_n>
Rules defined as standard regular expressions are also checked. Thus, a rule defined as an allowed
regular expression and a standard regular expression will be detected and, the corresponding action
will then be performed.
Example of detection for rule: $allow:abc
Input Detection
abc No
cde Yes
Table 10.5. Commands
Examples of detection for rules:
$allow:abc
$allow:ps.*
Input Detection
abc No
cde Yes
ps aux No
ps aux | grep eggs No
ls Yes
Examples of detection for rules:
$allow:abc
$allow:ps.*
ps.*\|
Input Detection
abc No
191
Input Detection
cde Yes
ps aux No
ps aux | grep eggs Yes
ls Yes
10.5.1.7.2. RDP flows analysis / Pattern detection
When creating/editing user groups or target groups, you can define “restrictions” through a set of
actions to apply when certain character sequences are detected in RDP keyboard flows (the data
analyzed is the data entered by the user) and or the window title bars (the data analyzed is the data
displayed on the screen). This is performed by enabling/disabling pattern detection.
To add a restriction, click on the “Restrictions” tab then on the “+ Add” button to display the dedicated
creation window. The relevant actions must be selected in the “Action” field and the corresponding
rules must be defined in the “Rules” field.
In the event of detection, the corresponding action will apply: session disconnection for the “Kill”
action or sending of a notification for the “Notify” action.
Warning:
Character sequence detection is only enabled for data sent by the client to the server.
The list of patterns applied is the sum of those present in the user groups and the target groups.
The linked action is the most restrictive: if the “Kill” action is in one of the groups, then this action
will be selected.
The rules must be entered as regular expressions, with one expression per line.
Furthermore, pattern detection is case-sensitive.
An expression prefixed with “$kbd:” will only match keyboard input.
An expression prefixed with “$ocr:” or without any prefix will only match the title bars of active
windows (and not those of the inactive windows).
An expression prefixed with “$kbd-ocr:” or “$ocr-kbd:” will match keyboard input and title bars of
active windows.
E.g.: to ensure files are not deleted from the command prompt (cmd.exe), the expressions to enter
in the "Rules" field are as follows:
$kbd:del\s+.*
$kbd:erase\s+.*
To forbid opening the command prompt itself:
$ocr:Command Prompt
$ocr:.*\\cmd.exe
The following prefixes provide basic string searching:
• “$content:” searches for a string
192
• “$exact-content:” searches for an entire string. It becomes “content:” when it is used with “$kbd:”.
• “$regex:” searches for a regular expression. This is the default behavior.
• “$exact-regex:” searches for a regular expression formed with “^pattern$”
E.g.: “$content,ocr:abc.exe” will match all windows containing “abc.exe”.
“.” is not considered as a regular expression character.
“-” is the separator character for “$ocr:” and “$kbd:”. The supported separator characters are “-”
and “,”.
Warning:
If you choose to kill the session when a specific window title bar is displayed, users will
not be able to reconnect until this window is closed or its title changed because their
sessions will be killed again immediately.
10.5.1.7.3. Import/export restrictions for target groups and user groups
You can import the restrictions defined during the creation or modification of user groups
or target groups. These restrictions define the actions to apply when certain character
sequences are detected in the upward flow from proxies (refer to Section 10.5.1.7.1, “SSH flow
analysis / Pattern detection”, page 187 and Section 10.5.1.7.2, “RDP flows analysis / Pattern
detection”, page 192).
From the “CSV” page on the “Import/Export” menu, select the “Restrictions” check box to import the
#wab910 restriction
Important:
Warning:

O(ptional) value
There can only be a single group

name
Type Text R Target / User N/A
Action Text R "Kill" / "Notify" N/A
193

O(ptional) value
Rules Text R Regular expressions, with one N/A
expression per line
There can be rules on both user
groups and target groups on the
same file
Subprotocol Text R Name of the subprotocol N/A
Caution:
A user is allowed to export restrictions if at least the “View” right for the “Targets &
accounts” feature is set in their profile (refer to Section 9.3, “User profiles”, page 87).
If only the “View” right for the “Targets & accounts” feature is set in the profile, then the
user will be able to export restrictions on target groups only.
If the “View” right for the “Users” feature is also set in the profile, then the user will be able
to export the restrictions defined on the user groups he/she is allowed to view (depending
on the limitations set for the profile. For further information, refer to Section 9.3, “User
profiles”, page 87).
If only the “View” right for the “Users” feature is set in the profile, then the user will not
be able to export any restriction.
10.5.2. Edit a target group

From the “Groups” page on the “Targets” menu, click on a group name to display the related
modification page. It is then possible to edit the data already entered.
For further information on how to enter data in the tabs, refer to Section 10.5.1, “Add a target
group”, page 183.
10.5.3. Delete a target group

From the “Groups” page on the “Targets” menu, check the box at the beginning of the line(s) to
select the target group(s) you wish to delete, then click on the “Delete” button. WALLIX Bastion
displays a dialogue box requesting a confirmation before permanently deleting the line(s).
Warning:
You cannot delete a target group linked to active authorizations (refer to Chapter 12,
“Session management”, page 243).
10.5.4. Import target groups
194
From the “CSV” page on the “Import/Export” menu, select the “Target groups” check box to import
the related data. The field and list separators can also be configured.
#wab910 targetsgroup
Important:
Warning:

O(ptional)
There can only be a single group

name
Target Text O Selected target accounts for N/A
accounts session management
There can be no target account, one

or several target accounts defined in
each category or in all categories at
the same time
A target account can be defined on

a global domain (and not on a local
domain)
Format for target accounts:
account@domain@device:protocol
Account Text O Selected account mapping targets N/A
mapping
Format for account mapping
targets:
device:protocol
Interactive Text O Selected interactive login targets N/A
login
Format for interactive login targets:
device:protocol
Accounts Text O Selected target accounts for N/A
password management
195

O(ptional)
Format for target accounts:
account@domain or
account@domain@device or
account@domain@application
Scenario Text O Selected scenario accounts N/A
Format for scenario accounts:
account@domain or
account@domain@device
10.6. Clusters
A cluster is a group of jump servers. The use of a cluster in place of a single device allows application
load sharing and High-Availability. The jump server used to run an application is selected in two
steps. WALLIX Bastion firstly sorts the servers, beginning with the one that has the fewest open
sessions, and then tries to connect to each server until it succeeds.
The "Clusters" page allows you to:
• list the clusters and the target accounts declared on each.

• add/edit/delete a cluster
• import clusters from a .csv file which can be used to populate the WALLIX Bastion resource
database
10.6.1. Add a cluster

From the "Clusters" page, click on "Add a cluster" to display the cluster creation page.
The cluster creation page consists of the following fields:
• the cluster name

• a description
• the targets which can be selected to belong to the cluster: move a target from the "Available
Target accounts" frame to the "Selected Target accounts" one in order to choose the target. And
conversely, move a target from the "Selected Target accounts" frame to the "Available Target
accounts" one in order to remove the association.
You can perform a search among the list of the frames by entering data in the area near the
magnifier icon.
196
You can perform multi-selection among the list of the frames.
Figure 10.6. "Clusters" page in addition mode
10.6.2. Edit a cluster

From the "Clusters" page, click on a cluster name and then on "Edit this group" to display the cluster
modification page.
The fields in this page are the same as those in the cluster creation page.
10.6.3. Delete a cluster

From the "Clusters" page, check the box at the beginning of the line(s) to select the related cluster(s),
then click on the trash icon to delete the selected line(s). WALLIX Bastion displays a dialogue box
10.6.4. Import clusters

From the "Clusters" page, click on the "Import CSV file" icon at the top right of the page to import the
related data. You are then redirected to the "CSV" page on the "Import/Export" menu: the "Clusters"
check box is automatically selected to import the related data. The field and list separators can also
be configured.
#wab910 cluster
Important:
197
Warning:

O(ptional)
Target account Text R/O Target accounts defined N/A
At least one target account or

one account mapping target or
one interactive login target must
be defined
There can be no target, one or

several targets defined in each
category or in all categories in
the cluster
Account Text R/O Account mapping targets N/A
mapping defined

be defined

the cluster
Interactive login Text R/O Interactive login targets defined N/A

be defined

the cluster
10.7. External password vault plugins
198
From the "Password Vault Plugins" page on the "Targets" menu, you can view the list of the plugins
configured in WALLIX Bastion. For further information, refer to Section 5.3, “Password external
vault”, page 23.
Warning:
This page is only displayed when the “External Vaults” feature is associated with the
license key.
An external password vault plugin can be selected during the creation of a global domain (refer to
Section 10.3, “Domains”, page 160) and several parameters can be set depending on the chosen
plugin.
Figure 10.7. "Password Vault Plugins" page
10.7.1. Bastion plugin

This plugin allows access to the password vault of a remote WALLIX Bastion via the REST API
Web service. For further information, refer to Section 5.3, “Password external vault”, page 23.
The parameters to be set for this plugin during the creation of a global domain (refer to Section 10.3,
“Domains”, page 160) are defined as follows:
• API URL: URL of the REST API to access the vault. This parameter is required. This URL must
start with “https://” and end with “/api/vX.Y”. The minimum API version supported is 2.3.
• API key: key to connect to the REST API. If a key is entered, it must be entered again for
confirmation. This key must be generated on the remote WALLIX Bastion.
• Service account login: login of the service account to connect to the REST API. This login must
correspond to the user name of an account on the remote WALLIX Bastion.
• Service account password: password of the service account to connect to the REST API. If a
password is entered, it must be entered again for confirmation.
10.7.2. CyberArk Enterprise Password Vault plugin
199
This plugin allows access to the password vault of the CyberArk Enterprise Password Vault privilege
management solution via the REST API Web service. For further information, refer to Section 5.3,
“Password external vault”, page 23.
• API URL: URL of the REST API to access the vault. This parameter is required. This URL must
start with “https://” and end with “/PasswordVault”.
• Safe name: name of the container in the CyberArk Enterprise Password Vault privilege
management solution into which the secrets are stored. This parameter is required.
correspond to the user name of an account in the CyberArk Enterprise Password Vault privilege
management solution.
• Maximum checkout duration (minutes): maximum time interval, expressed in minutes, during
which checkout can be performed. At the end of this period, an automatic check-in is performed
by the system. If "0" is entered in this field, then no automatic check-in is performed.
10.7.3. HashiCorp Vault plugin

This plugin allows access to the vault of the HashiCorp Vault secret management solution via
the REST API Web service. For further information, refer to Section 5.3, “Password external
vault”, page 23.
10.7.3.1. Configuration in the HashiCorp Vault secret management solution

The following parameters must be set for the vault secret engine:
• Secret Engine Type: Key/Value (KV)

• Engine version: Version 1
The secret data is structured as follows within the solution:
1. Vault root
└── 2. Name of the secret engine
├── 3. Account name in WALLIX Bastion
├── Login (field “login”)
├── Password (field “password”)
├── SSH certificate (field “ssh_certificate”)

└── SSH key (field “ssh_key”)
└── Other account name in WALLIX Bastion
├── Login (field “login”)
├── Password (field “password”)
├── SSH certificate (field “ssh_certificate”)
200
└── SSH key (field “ssh_key”)
Each secret engine is associated with a domain.
Account data within the solution is UTF-8-encoded.
The login and at least one credential (password or SSH key) are required.
The SSH key must be entered in the OpenSSH or PEM formats. The certificate corresponds to the
content of a signed public key which can be downloaded from the Web interface of WALLIX Bastion.
Figure 10.8. Example: Secret data for account “user1” within engine
“engine_one” in HashiCorp Vault secret management solution
10.7.3.2. Configuration in WALLIX Bastion

• API URL: URL of the REST API to access the vault. This parameter is required.
• Vault plugin: select “external” as vault type. This parameter is required.
• Secret engine path: access path to the vault secret engine. This parameter is required.
• Engine version: select the version of the Key/Value secret engine. This parameter is required.
• Token: token to access the vault through the “Token” authentication method. If a token is entered,
it must be entered again for confirmation.
• Username: login of the account to access the vault through the “Userpass” authentication method.
This login must correspond to the user name of an account in the HashiCorp Vault secret
management solution.
• Password: password of the account to access the vault through the “Userpass” authentication
method. If a password is entered, it must be entered again for confirmation.
201
• PKCS#12 file: browse a path to upload a PKCS#12 file so as to provide the private and public
keys to access the vault through the “TLS Certificate” authentication method.
• PKCS#12 file passphrase: passphrase to unlock the keys provided via the PKCS#12 file for the
“TLS Certificate” authentication method. If a passphrase is entered, it must be entered again for
confirmation.
• Role name: name of the role associated with the Certificate Authority (or "CA") on the server of
the HashiCorp Vault secret management solution.
Note:
Mapping occurs between the account name in the WALLIX Bastion solution and the
secret name in the HashiCorp Vault secret management solution. The account name
must therefore correspond to the secret name in the HashiCorp Vault secret management
solution. If the secret name entered is “user1”, this same name must be assigned to the
account name.
It is possible to create an account login in the “Targets” > “Accounts” > “Global accounts”
page and set a password for it, without affecting data mapping between the two solutions.
Figure 10.9. Example: Data for the global domain called

Domain_Vault in the Domain page in addition mode
10.7.4. Thycotic Secret Server plugin
202
This plugin allows access to the vault of the Thycotic Secret Server secret management solution
via the REST API Web service. For further information, refer to Section 5.3, “Password external
vault”, page 23.
This plugin allows checkout and check-in operations on passwords and SSH keys of the target
accounts. However, it does not allow to extend the checkout duration for the credentials.
Some features in the Thycotic Secret Server secret management solution are not supported by
WALLIX Bastion. Therefore, the secrets managed by accounts enabling at least one of the following
features cannot be accessed:
• DoubleLock protection is set

• an approval is required
• a comment is required
10.7.4.1. Plugin parameters

• API URL: URL of the REST API to access the vault. This parameter is required. This URL
must start with “https://” and end with “/SecretServer”, e.g. “https://vault.mycompany.com/
SecretSever”.
correspond to the user name of an account in the Thycotic Secret Server secret management
solution.
• Login field: name of the field storing the account login in the Thycotic Secret Server secret
management solution. This name is case-sensitive. This parameter is required and contains
“Username” as a default value.
Warning:
The “Service account login” and “Service account password” fields are optional. If no
service account is used, the user must then provide a password when authenticating
via RDP or SSH proxies or the Web interface to access the vault of the Thycotic Secret
Server secret management solution. As authentications through X509 certificate, SSH
key or Kerberos ticket do not work in this context, it is required to define a service account.
10.7.4.2. Accessing the vault

The workflow to access the vault and retrieve the secret of an account is as follows:
• If the user has authenticated using a login and a password, then these credentials are used to
access the server of the Thycotic Secret Server secret management solution.
• If the user has authenticated using a Kerberos ticket or an SSH key or X509 certificate (or any
other authentication method without providing a password), the service account is used to retrieve
the secret. In this case, the service account must have at least the same rights as the user.
• If none of these methods works, then access to the vault to retrieve a secret will fail.
203
10.7.4.3. Retrieving the account's secret

In order to be able to retrieve the secret (i.e. the password or the SSH key) of an account in
the Thycotic Secret Server secret management solution, the latter must be mapped into WALLIX
Bastion through a global domain acting as an external vault account container.
The search is done through the specification of the secret ID number of the external vault's account
in the “Login” field of the target account in WALLIX Bastion. This target account is then used to map
the account in the vault of the Thycotic Secret Server secret management solution.
Example: Search for account whose secret ID corresponds to “26”:
- On Thycotic Secret Server solution interface, the parameters of the account are as follows:
The URL mentioned on the above screenshot shows that the secret ID of the concerned account
is “26”.
- On WALLIX Bastion Web interface, the parameters defined for the Thycotic Secret Server plugin
are as follows:
As mentioned on the above screenshot, the value in “Login field” corresponds to the field
name storing the account login in the Thycotic Secret Server secret management solution, i.e.
204
“Username”. The value of the account login stored in the “Username” field is then “root”, as shown
on the previous screenshot.
- On WALLIX Bastion Web interface, the parameters defined for the target account are defined as
follows:
As mentioned on the above screenshot:
• the “Name” field contains the target account name which will be displayed on the selector of the
proxy client, i.e. “SSH_root”
• the “Login” field includes the secret ID number “26” to map the account in the Thycotic Secret
Server solution and retrieve the corresponding secret
Warning:
As the “Login” field includes the secret ID number, the option “copy from name” must
not be selected. This field must not correspond to the user name of the remote account.
10.8. Checkout policies

A checkout policy defines the settings concerning the account checkout process. It can be selected
during the creation or modification of a target account. For further information, refer to Section 10.4,
“Target accounts”, page 171.
During the credential checkout process, the user has access to the following information:
• the login of the account
• the password if it has been defined for the account either on the local or the remote WALLIX
Bastion
• the SSH private key if it has been defined for the account either on the local or the remote WALLIX
Bastion
• the certificate (i.e. the signed SSH public key) if the account is defined on a domain associated
with a Certificate Authority
The “Checkout policies” page on the “Targets” menu allows you to:
• list the checkout policies

• add, edit and delete a checkout policy
Warning:
A default checkout policy called “default” is configured on WALLIX Bastion. You can edit
this policy but you cannot delete it.
205
10.8.1. Add a checkout policy

From the “Checkout policies” page on the “Targets” menu, click on the “+ Add” button to display
the checkout policy creation page.
This creation page consists of the following tabs: “General” and “Accounts”.
The “General” tab allows you to enter:
• the checkout policy name

• a description
• a toggle button to enable the lock of the account during the checkout process to prevent
concurrent use by multiple users
• if the lock is enabled:
– the checkout duration in hours, minutes and seconds. This field must be entered.
– the checkout duration extension in hours, minutes and seconds
– the maximum checkout duration in hours, minutes and seconds
Note:
This field must be entered if both the checkout duration and checkout extension have
been set. Moreover, this duration must be greater than or equal to the sum of the
values defined for the checkout duration and the extension.
If the duration extension is not set, this field must be empty or the value entered must
be the same as the one defined for the checkout duration.
– a check box to enable the password change at check-in
206
Figure 10.10. "Checkout Policies" page in addition mode

The “Accounts” tab allows you to:
• list the accounts associated with the related checkout policy. To do so, select the desired account
type from the drop-down list.
• edit an account associated with the checkout policy. To do so, select the desired account type from
the drop-down list, then click on the name of the account to display the related modification page.
For further information, refer to Section 10.4.1, “Add a target account to a global
domain”, page 172 to edit a global domain account, to Section 10.4.2, “Add a target account
to a device”, page 175 to edit a device account and to Section 10.4.3, “Add a target account to
an application”, page 177 to edit an application account.
• delete accounts linked to the checkout policy. To do so, select the desired account type from the
drop-down list, then check the box at the beginning of the line of the account(s) and click on the
“Delete” button.
10.8.2. Edit a checkout policy

From the “Checkout policies” page on the “Targets” menu, click on a policy name to display the
related modification page. You can edit the data already entered.
For further information on how to enter data in the tabs, refer to Section 10.8.1, “Add a checkout
policy”, page 206.
Warning:
If access to target accounts is not allowed for a profile, then the profile members can
neither delete nor edit a password checkout policy.
10.8.3. Delete a checkout policy
207
From the “Checkout policies” page on the “Targets” menu, check the box at the beginning of the
line of the policy(ies) you wish to delete, then click on the “Delete” button. WALLIX Bastion displays
a dialogue box requesting a confirmation before permanently deleting the selected line(s).
Warning:
You cannot delete a password checkout policy if at least one target account is linked to
this policy.
If access to target accounts is not allowed for a profile, then the profile members can
neither delete nor edit a password checkout policy.
10.9. Discovery
WALLIX Bastion embeds a specific module to provide continuous automatic discovery of assets on
configured networks and Active Directories and onboard the desired results.
The “Discovery” entry in the “Targets” menu allows to:
• configure the scans

• launch the scans manually
• set a periodic scan launch
• view the results of the scan jobs
• view the list of the discovered assets and onboard them within WALLIX Bastion with a configured
password change plugin and password change policy.
Note:
The “Discovery” entry will not be displayed on the Web interface if the “Enable
modules” option, accessible from “Configuration” > “Configuration options” > “Module
configuration”, section “main” is deselected. This option is displayed when the check box
of the “Advanced options” field at the top right of the page has been selected. It should
ONLY be changed upon instructions from the WALLIX Support Team!
The “View” right for the “Targets & accounts” feature with no limitations on target groups
must be set in the user profile to view the pages in the “Discovery” entry.
10.9.1. Scan configuration

10.9.1.1. Configure a network scan for device discovery
Important:
The “Module configuration” option must be activated (for further information, refer to
Section 10.9, “Discovery”, page 208) and the “View” right on “Targets & accounts” and
208
“Settings” features with no limitations on target groups must be set in the user profile
to view the pages in the “Discovery” entry. To edit these pages, the “Modify” right on
“Settings” features must additionally be set in the user profile.
To ensure high performance, a network scan must not be performed on a subnet with
more than 8,192 IP addresses.
From the “Discovery” entry in the “Targets” menu, select “Scan configuration” then click on the “+
Add [Network]” button to display the scan configuration creation page and enter the fields.
• the scan name

• a description
• the option to enable account discovery. Unselect this option in order to discover only devices.
• the subnets specified using a CIDR notation (<network address>/<number of mask bits>), e.g.:
192.168.0.15/24. Once you have entered a valid address, click on the “+ Add field ” button to
add as many subnets as necessary. Once a subnet is added, you have the possibility to delete
it by clicking on the “-” icon.
• the protocol and port associations. To create an association, select a protocol in the dropdown
list then specify the related port. Click on the “+ Add field” button to create as many associations
as necessary. Once created, it is possible to delete this association by clicking on the “-” icon.
• the SSH banner filters specified using regular expressions. Only devices with a banner matching
these regular expressions will be discovered. Once you have entered an expression, click on the
“+ Add field” button to add as many expressions as necessary. Once an expression is added, you
have the possibility to delete it by clicking on the “-” icon.
• the scan periodicity, i.e. the frequency at which the scan is automatically triggered. The
format of the “Periodicity” field corresponds to the cron syntax. This field supports the usual
syntax on 5 fields <Minute> <Hour> <Day_of_the_Month> <Month_of_the_Year>
<Day_of_the_Week> and aliases @.
For example, if 0 0 * * * or @daily is entered in this field, then the scan job is set to
run once a day at midnight. For further information, refer to https://en.wikipedia.org/w/
index.php?title=Cron#CRON_expression.
List of values are available below this field to define clearly this period using the cron syntax.
If this field is left empty, then no periodicity is set.

• an option to enable the periodicity and thus set the automatic scan launch.
• the email addresses of the recipients to be notified at the end of the scan. Once you have entered
an email, click on the “+ Add field” button to add as many emails as necessary. Once an email is
added, you have the possibility to delete it by clicking on the “-” icon.
Once you have entered the fields, click on “Apply” to save the configuration or click on “Apply and
launch” to launch the scan immediately.
10.9.1.2. Configure a network scan for account discovery
Important:
209
To ensure high performance, a network scan must not be performed on a subnet with
more than 8,192 IP addresses.
An administrator account must be configured to discover accounts on new devices. To do so, create
a global domain from the “Domains” page. (For further information, refer to Section 10.3.1, “Add a
global domain”, page 162.) Then create an account on this global domain. (For further information,
refer to Section 10.3.4, “Add an account to the global or a local domain”, page 165.)
Add [Network]” button to display the scan configuration creation page and enter the fields.
• the scan name

• a description
• the option to enable account discovery. Select this option in the “Account discovery” section to
discover devices and related local accounts. From the “Global domain” dropdown list, select
the global domain previously configured. Then from the “Account” dropdown list, select the
administrator account previously configured. Click on the “+ Add field” button to add as many
administrator accounts related to the global domain as previously configured. Click on the “-” icon
to delete a field.
Note:
A maximum number of 5 administrator accounts can be selected.
• the subnets specified using a CIDR notation (<network address>/<number of mask bits>), e.g.:
192.168.0.15/24. Once you have entered a valid address, click on the “+ Add field” button to add
as many subnets as necessary. Once a subnet is added, you have the possibility to delete it by
clicking on the “-” icon.
“+ Add field” button to add as many expressions as necessary. Once an expression is added, you
210
10.9.1.3. Configure an Active Directory scan for device discovery
Important:
Add [Active Directory]” button to display the scan configuration creation page and enter the fields.
• the scan name

• a description
• the option to enable account discovery. Unselect this option in order to discover only devices. A
device must be assigned to an organization in order to be detected by the “Discovery” feature.
• an external authentication. Select an LDAP external authentication using Active Directory in the
dropdown list or click on the link below the field to be redirected to the authentication creation
page. For further information on the creation of an external authentication using Active Directory,
refer to Section 9.8.1.3, “Add an LDAP external authentication”, page 112.
• an LDAP/AD search filter. The default query “(objectClass=Computer)” retrieves all the
computers from the directory. This query can be refined with additional criteria.
• the Distinguished Names (or “DNs”) of the entries in the directory. Once you have entered a DN,
click on the “+ Add field” button to add as many DNs as necessary. Once a DN is added, you
“+ Add field ” button to add as many expressions as necessary. Once an expression is added,
you have the possibility to delete it by clicking on the “-” icon.
211

Warning:
To perform a relevant Active Directory scan for device discovery, make sure the DNS
server is configured in accordance with this scan. The DNS section is accessible
from the menu “System” > “Network”. For further information, refer to Section 8.6,
10.9.1.4. Configure an Active directory scan for account discovery
10.9.1.4.1. Configure an Active Directory scan for local account discovery
Important:
An administrator account must be created to discover local accounts on new devices during the
Active Directory scan. To do so, create a global domain from the “Domains” page. For further
information, refer to Section 10.3.1, “Add a global domain”, page 162. Then create an account for
this global domain. For further information, refer to Section 10.3.4, “Add an account to the global
or a local domain”, page 165.
• the scan name

• a description
• the option to enable account discovery. Select this option in the “Account discovery” section
in order to discover devices and related local accounts. Select “Local account” in the “Type of
account to discover” dropdown list. Select in the “Global domain” dropdown list the global domain
previously configured. Then select in the “Accounts” dropdown list the administrator account
previously configured. Click on the “+ Add field” button to add as many administrator accounts
related to the global domain as previously configured. Click on the “-” icon to delete a field.
Note:
A maximum number of 5 administrator accounts can be selected.
212
click on the “+ Add field” button to add as many DNs as necessary. Click on the “-” icon to delete
a field.
“+ Add field ” button to add as many expressions as necessary. Once an expression is added,
you have the possibility to delete it by clicking on the “-” icon.
Warning:
To perform a relevant Active Directory scan for local account discovery, make sure the
DNS server is configured in accordance with this scan. The DNS section is accessible
from the menu “System” > “Network”. For further information, refer to Section 8.6,
10.9.1.4.2. Configure an Active Directory scan for global account discovery
Important:
213
• the scan name

• a description
• the option to enable account discovery. Select this option in the “Account discovery” section.
Select “Global accounts” in the “Type of account to discover” dropdown list. The “Global domain”
and the “Account” dropdown lists are disabled.
click on the “+ Add field” button to add as many DNs as necessary. Click on the “-” icon to delete
a field.
• the scan periodicity, i.e. the frequency at which the scan is automatically triggered. The format
of the “Scan periodicity” field corresponds to the cron syntax. This field supports the usual
10.9.1.5. Launch a scan manually

From the “Discovery” entry in the “Targets” menu, select “Scan configuration” to display the list of
the configured scans.
To launch one or several scans manually:
1. Check the box at the beginning of the line of the scan(s) you wish to launch.
2. Click on the “Launch manually” button to launch the scan(s) immediately.
10.9.1.6. Set a periodic scan launch

From the “Discovery” entry in the “Targets” menu, select “Scan configuration” to display the list of
the configured scans.
214
To set a periodic launch:
1. Click on the scan name to display the related configuration page.

2. Set the frequency at which the scan is automatically triggered in the “Periodicity” field.
This field supports the usual syntax on 5 fields <Minute> <Hour> <Day_of_the_Month>
<Month_of_the_Year> <Day_of_the_Week> and aliases @.
For example, if 0 0 * * * or @daily is entered in this field, then the scan job is set to run
once a day at midnight. For further information, refer to https://en.wikipedia.org/w/
3. Select the “Enable periodicity” option.
4. Click on the “Apply” button. The scan will then be automatically launched according to the
periodicity.
Note:
The time at which the next scan job will be triggered is displayed in the “Next job”
column in the list of the configured scans.
10.9.2. View the results of a scan job

Important:
“Settings” feature must additionally be set in the user profile.
From the “Discovery” entry in the “Targets” menu, select “Job list” to display the list of the scan jobs.
Each line provides the following information:
• the job start date and time. The calendar icon in the header of the “Start date” column allows the
display of a date picker to select the desired date.
• the job type
• the job status
• the job duration
• the number of discovered devices and/or accounts matching the scan filters
• the scan name
• the subnet information
• the subnets for a network scan
• the Distinguished Names for an Active Directory scan
The “Job list” page allows you to:
• get information on a job by clicking on the data in the “Start date” column: it contains an access link
to a dedicated page. The “General” tab displays the scan configuration properties, the number of
215
discovered devices and discovered local accounts, or the number of discovered global accounts
matching the scan filters, if the account discovery option is enabled. The “Raw results” tab lists
all the discovered assets during a successful job. The “Discovered accounts” column will display
the number of discovered local accounts related to the discovered device. Click on “+” at the
beginning of the line of the device to display the list of accounts related to the device. The
discovered global accounts will be displayed in the “Distinguished Names” and “Account login”
columns.
• cancel a running job if needed. To do so, select the desired job(s) whose status is “Running” by
checking the box at the beginning of the line(s) and click on the “Cancel” button.
• access the scan configuration page to edit the properties by clicking on the link in the “Scan
name” column.
10.9.3. Onboarding
10.9.3.1. Onboard discovered devices in WALLIX Bastion
Important:
Section 10.9, “Discovery”, page 208) and the “View” right on “Targets & accounts”
feature with no limitations on target groups must be set in the user profile to view the pages
in the “Discovery” entry. To edit these pages, the “Modify” right on “ Target & accounts”
feature must additionally be set in the user profile.
From the “Discovery” entry in the “Targets” menu, select “Onboarding” to display the list of the
discovered devices.
By default, from the “Devices / Local accounts” tab, the “Discovered items” view displays the devices
which can be onboarded.
To onboard devices at once:
1. Click on the “Onboard” button in the blue frame. This frame displays the steps to onboard
devices. The first step is “Selection”. It is possible to cancel this action by clicking on the “Cancel”
button in this frame.
2. Check the box at the beginning of the lines of the devices to onboard.
3. Click on the “Next” button in the blue frame. The “Rotation management” step is available only
if local accounts are selected. Click on the “Next” button. The last step is “Summary”. This step
allows you to check all selected devices to onboard. It is possible to modify this selection by
clicking on the “Previous” button.
4. Click on the “Onboard” button. The devices are then onboarded within WALLIX Bastion and can
be managed from the “Devices” page on the “Targets” menu.
Note:
The status of the device is automatically set as “Onboarded” on the “General” tab
(accessible from the “Devices” page on the “Targets” menu).
The page allows you to:
• get information on the related jobs by clicking on the data in the “First discovery” and “Last
discovery” columns: they contain an access link to a dedicated page. The “General” tab displays
216
the scan configuration properties and the number of discovered devices matching the scan filters.
The “Raw results” tab lists all the discovered assets during the job.
• hide irrelevant devices. To do so, click on the “Hide” button in the blue frame. It is possible to
cancel this action by clicking on the “Cancel” button in this frame. Select the devices to hide
by checking the box at the beginning of the lines. Click on the “Next” button in the blue frame.
The last step is “Summary”. This step allows you to check all selected devices you wish to hide.
It is possible to modify the device selection by clicking on the “Previous” button. Then click on
the “Hide” button. The corresponding devices are then listed on the “Hidden items” view. Hidden
devices can also be onboarded if needed by clicking on the “Onboard” button and by following
the procedure described above.
• unhide devices. Hidden devices can be displayed again on the “Discovered items” view. To do
so, from the “Hidden items” view, click on the “Unhide” button in the blue frame. Select the devices
to unhide by checking the box at the beginning of the lines. Click on the “Next” button. The last
step is “Summary”. This step allows you to check all selected devices you wish to unhide. It is
possible to modify the device selection by clicking on the “Previous” button. Then click on the
“Unhide” button.
• delete devices. To do so, click on the “Delete” button in the blue frame. Select the devices to
delete by checking the box at the beginning of the lines. Click on the “Next” button. The last step
is “Summary”. This step allows you to check all selected devices you wish to delete. It is possible
to modify the device selection by clicking on the “Previous” button. Then click on the “Delete”
button. This operation removes the selected devices from the Bastion. As an example, it can be
relevant to delete devices which no longer exist and are still displayed in the “Discovered items”
or “Hidden items” views. They will be displayed again if they are discovered after a new scan.
10.9.3.2. Onboard discovered accounts in WALLIX Bastion
Important:
Section 10.9, “Discovery”, page 208) and the “View” right on “Targets & accounts”
feature with no limitations on target groups must be set in the user profile to view the pages
in the “Discovery” entry. To edit these pages, the “Modify” right on “ Target & accounts”
feature must additionally be set in the user profile.
From the “Discovery” entry in the “Targets” menu, select “Onboarding” to display the list of
the discovered devices and the related number of discovered local accounts, and/or the global
accounts.
By default, from the “Devices / Local accounts” tab, the “Discovered items” view displays the list
of the devices and the number of accounts which can be onboarded. The global accounts are
displayed in the “Global accounts” tab.
10.9.3.2.1. Onboard discovered local accounts
1. In the “Devices / Local accounts” tab, click on the “Onboard” button in the blue frame. This frame
displays the steps to onboard local accounts. The first step is “Selection”. It is possible to cancel
this action by clicking on the “Cancel” button in this frame.
2. Click on “+” at the beginning of the line of the device to display the list of accounts related to
the device. This list of accounts provides the following information:
• Account login
• Status
• Administrator account
217
• Last login
• Groups
• First discovery
• Last discovery
Note:
It is possible to filter the local accounts you wish to onboard by entering the “Account
login”, “Last login” and/or “Group” fields. Then click on the “Search” button.
3. Check the box at the beginning of the line of the local account you wish to onboard.
Note:
To onboard device and local account at once, check the box at the beginning of the
line of the device you wish to onboard. By default, each account of device is selected
to be onboarded. It is possible to deselect accounts to avoid their onboarding.
4. Click on the “Next” button. The second step is “Rotation management”.

5. Select a password change plugin and a password change policy for local accounts in the
“Password change plugin” and “Password change policy” columns. By default, the password
change plugin is set to “Unix” for the devices using SSH services and to “Windows” for the
devices using RDP services. The password change policy is set to “default” for each device to
apply on all the related local accounts. If you wish to disable the password change plugin for
local accounts of a device, select “No rotation plugin” in the “Password change plugin” column.
Example:
Figure 10.11. Example for local account onboarding at rotation management step
6. Click on the “Next” button in the frame. The last step is “Summary”. This step allows you to
check all local accounts and/or devices to onboard. It is possible to modify this selection by
clicking twice on the “Previous” button.
7. Click on the “Onboard” button. The local accounts are then onboarded within WALLIX Bastion
and the password change plugin and password change policy configuration is applied. The local
accounts can be managed from the “Accounts” page on the “Targets” menu.
218
the scan configuration properties and the number of discovered devices and accounts matching
the scan filters. The “Raw results” tab lists all the discovered assets during the job.
• hide irrelevant devices and/or local accounts. To do so, click on the “Hide” button in the blue
frame. It is possible to cancel this action by clicking on the “Cancel” button in this frame. Select
the devices and/or local accounts to hide by checking the box at the beginning of the lines. Click
on the “Next” button in the frame. The last step is “Summary”. This step allows you to check all
selected devices and/or local accounts to hide. It is possible to modify this selection by clicking
on the “Previous” button. Then click on the “Hide” button. The corresponding devices and/or
accounts are then listed on the “Hidden items” view. Hidden devices and/or local accounts can
also be onboarded if needed by clicking on the “Onboard” button and by following the procedure
described above.
• unhide devices and/or local accounts. Hidden devices and/or local accounts can be displayed
again on the “Discovered items” view. To do so, from the “Hidden items” view, click on the “Unhide”
button in the blue frame. Select the devices and/or local accounts to unhide by checking the box
at the beginning of the lines. Click on the “Next” button. The last step is “Summary”. This step
allows you to check all selected devices and/or local accounts to unhide. It is possible to modify
the device selection by clicking on the “Previous” button. Then click on the “Unhide” button.
• delete devices and/or local accounts. To do so, click on the “Delete” button in the blue frame.
Select the devices and/or local accounts to delete by checking the box at the beginning of the
lines. Click on the “Next” button. The last step is “Summary”. This step allows you to check all
selected devices and/or local accounts to delete. It is possible to modify this selection by clicking
on the “Previous” button. Then click on the “Delete” button. This operation removes the selected
devices and/or accounts from the Bastion. As an example, it can be relevant to delete devices
and/or accounts which no longer exist and are still displayed on the “Discovered items” or “Hidden
items” views. They will be displayed again if they are discovered after a new scan.
10.9.3.2.2. Onboard discovered global accounts
1. In the “Global accounts” tab, click on the “Onboard” button in the blue frame. This section
displays the steps to onboard global accounts. The first step is “Selection”. It is possible to
cancel this action by clicking on the “Cancel” button in this frame.
2. Check the box at the beginning of the lines of the global accounts to onboard. Click on the
“Next” button at the top right of the page.
3. Click on the “Onboard” button. The global accounts are then onboarded within WALLIX Bastion.
They can be managed from the “Accounts” page on the “Targets” menu.
Note:
After deleting a global domain, all related global accounts are removed, including
discovered global accounts from the “Onboarding” page on the “Discovered items”
and “Hidden items” views.
the scan configuration properties and the number of discovered accounts matching the scan
filters. The “Raw results” tab lists all the discovered assets during the job.
219
• hide irrelevant global accounts. To do so, click on the “Hide” button in the blue frame. It is possible
to cancel this action by clicking on the “Cancel” button in this frame. Select the global accounts
to hide by checking the box at the beginning of the lines. Click on the “Next” button in the frame.
The last step is “Summary”. This step allows you to check all selected global accounts to hide. It
is possible to modify this selection by clicking on the “Previous” button. Then click on the “Hide”
button. The corresponding global accounts are then listed on the “Hidden items” view. Hidden
global accounts can also be onboarded if needed by clicking on the “Onboard” button and by
following the procedure described above.
• unhide global accounts. Hidden global accounts can be displayed again on the “Discovered
items” view. To do so, from the “Hidden items” view, click on the “Unhide” button in the blue frame.
Select the global accounts to unhide by checking the box at the beginning of the lines. Click on
the “Next” button. The last step is “Summary”. This step allows you to check all selected global
accounts to unhide. It is possible to modify this selection by clicking on the “Previous” button.
Then click on the “Unhide” button.
• delete global accounts. To do so, click on the “Delete” button in the blue frame. Select the global
accounts to delete by checking the box at the beginning of the lines. Click on the “Next” button.
The last step is “Summary”. This step allows you to check all selected global accounts to delete. It
is possible to modify this selection by clicking on the “Previous” button. Then click on the “Delete”
button. This operation removes the selected global accounts from the Bastion. As an example, it
can be relevant to delete accounts which no longer exist and are still displayed in the “Discovered
items” or “Hidden items” views. They will be displayed again if they are discovered after a new
scan.
220
Chapter 11. Password management

Warning:
The "Password Management" menu and the "Passwords" entry in "My Authorizations"
can only be managed if the WALLIX Password Manager feature is associated with the
license key (refer to Section 5.2, “WALLIX Password Manager”, page 23).
Important:
formats.
11.1. User authorizations on passwords

From the "Passwords" page on the "My Authorizations" menu, the user can view the list of the target
accounts for which they are authorized to check out the credentials.
For each account, the user has the possibility to perform the following actions:
• click on "View" at the beginning of the line to display in another page the credentials of the related
account. In this case, the lock has been disabled at the level of the checkout policy associated
with this account: several users can then access the credentials at the same time.
• click on "Check out" at the beginning of the line to display in another page the credentials of
the related account in another page. In this case, the lock has been enabled at the level of the
checkout policy associated with this account: only this user can access the credentials at this
time. For further information, refer to Section 10.8, “Checkout policies”, page 205.
Important:
If an approval is not necessary to access the credentials or has been accepted by
approvers, the user can directly check outs the data. Otherwise, an error message
is displayed and the user must send a request to access the credentials. For
further information, refer to Section 11.1.1, “Password access through an approval
workflow”, page 222.
In the event of an ongoing password change, the concerned account cannot be
checked out. An error message is then displayed informing the user that the account
is temporarily unavailable for checkout.
• click on "Check out remotely" at the beginning of the line to display in another page the credentials
of the related external vault account.
• identify the account being locked consequently to an ongoing checkout. In this case, no action
can be performed until the release of this lock.
• send a request to approvers to access the account's credentials by clicking on "Request" in the
"Approval" column at the end of the line. For further information, refer to Section 11.1.1, “Password
access through an approval workflow”, page 222.
When the user has access to the page listing the account's credentials, they can view:
• the name of the account being checked out mentioned above the frame
221
• the login of the account

• the credentials of the account, which can be:
– the password if it has been defined for the account either on the local or the remote WALLIX
Bastion
– the SSH private key if it has been defined for the account either on the local or the remote
WALLIX Bastion. This key can be downloaded in the OpenSSH or PuTTY key formats and can
be encrypted with a passphrase entered in the dedicated field.
– the certificate (i.e. the signed SSH public key) if the account is defined on a domain associated
with a Certificate Authority. This certificate can be downloaded in the OpenSSH or ssh.com
formats.
On the page listing the account's credentials, the user can also:
• click on the "Check in" button to end check out. The user is then redirected to the page listing
the authorized target accounts. If the lock has been enabled in the checkout policy associated
with this account, this action also releases the lock of the account. For further information, refer
to Section 10.8, “Checkout policies”, page 205.
• click on the "Extend checkout" button if a checkout extension has been defined in the checkout
policy associated with the account. Otherwise this button is not displayed. This action extends the
checkout duration and can then be performed several times as long as the maximum duration has
not been reached. For further information, refer to Section 10.8, “Checkout policies”, page 205.
When the lock has been enabled in the checkout policy associated with this account, the latter
remains locked for the period defined within this policy. It is then necessary to click on the "Check
in" button to release the lock of the account before the end of checkout duration. Nonetheless,
the account is automatically checked in at the end of this duration and the user is redirected
to the page listing the authorized target accounts. The remaining time before automatic check-
in is displayed below the credentials. For further information, refer to Section 10.8, “Checkout
11.1.1. Password access through an approval workflow

If an approval workflow has been defined to be authorized to access the target credentials, the
user can send a request for approval to the approvers by clicking on "Request" in the "Approval"
column. The "Approval request" page is then displayed and the request start date, time and duration
must be entered. A comment to enter the reason for approval request and a ticket reference may
also be displayed and entered respectively in the "Comment" field and the "Ticket reference" field if
the corresponding options were enabled during the authorization definition. For further information,
refer to Section 14.7, “Approval workflow”, page 307.
Once the request is performed, the user is redirected on the "Passwords" page and then he/she
can view the status of the sent approval requests on the bottom table.
• the target for which a request is demanded

• the request start date and time
• the request duration
• the ticket reference associated with the request
• the current quorum
• the status of the request
• the answers of the approvers
222
The user can click on the notepad icon at the beginning of the line to get a detailed view of the
request. The page provides a "Cancel request" button to cancel the approval requests which are
still valid.
Note:
A script can be called during the approval request creation, but also at the beginning and
end of each session within the request duration period, to manage the approval in an
external ticketing system. To do so, the path to this script is to be entered in the "Ticketing
interface path" field via "Configuration" > "Configuration Options" > "Global".
The script must be uploaded to the /usr/local/bin directory for which the “wabuser”
user has execution rights. To upload a file to this directory, the user must be logged in
with “root” privileges.
The script is then systematically called even if a ticket number is not specified in the
"Ticket" field. When the script writes on the standard output a ticket number expected in
format: "ticket=1234", WALLIX Bastion takes into account this number and not the one
specified in the "Ticket" field.
Figure 11.1. "My Authorizations" menu - "Passwords" page
11.2. Password change plugins

From the "Password Change Plugins" page on the "Password Management" menu, you can
view the list of the plugins configured in WALLIX Bastion and the credential changes supported
(password or SSH key) for each domain type.
A password change plugin can be selected during the creation/modification of a global or local
domain (refer to Section 10.3, “Domains”, page 160) and several parameters can be set depending
on the chosen plugin.
Figure 11.2. "Password Change Plugins" page
223
11.2.1. Plugin matrix

The Table 11.1, “Plugin matrix - Part 1”, page 224 below illustrates the main credential change
characteristics for each plugin.
Plugin Plugin Supported Domain

Target product name Target type
name version target versions type
All Cisco products All LTS versions Global/
Cisco 1.0.2 Device
using Cisco IOS currently supported Local
All Dell products All LTS versions Global/
Dell iDRAC 1.1 Device
with iDRAC currently supported Local
Fortinet Dedicated to All LTS versions Global/
1.0 Device
FortiGate FortiGate product line currently supported Local
All IBM products
All LTS versions
IBM 3270 1.0.0 supporting the Local Device
currently supported
TN3270 protocol
Juniper Dedicated to Juniper All LTS versions
1.0 Local Device
SRX SRX product line currently supported
All products
implementing the All LTS versions Global/
LDAP 1.0 Device
Open LDAP standard/ currently supported Local
Free IPA solution
All LTS versions Global/ Device/
MySQL 1.0.3 -
currently supported Local Application
Dedicated to Oracle All LTS versions Global/ Device/
Oracle 1.0.2
database product line currently supported Local Application
Palo Alto Dedicated to All LTS versions
1.0 Local Device
PA-500 PA-500 product line currently supported
Debian/Ubuntu/ All LTS versions Global/
Unix 1.1.1 Device
CentOS/Red Hat currently supported Local
Dedicated to Windows, All LTS versions Global/
Windows 1.0.1 Device
Windows server and AD currently supported Local
All Windows
services available
from the Windows
Windows All LTS versions Global/
1.0 panel (%windir% Device
Service currently supported Local
\system32\services.msc)
dedicated to
service account
Cisco All LTS versions Global/
1.0.0 Cisco Nexus product line Device
Nexus currently supported Local
All LTS versions Global/
HP-ILO 1.0.0 All HP products with ILO Device
currently supported Local
All Checkpoint products All LTS versions
Checkpoint 1.0.0 Local Device
using Gaia OS currently supported
Ultra VNC 1.0.0 Ultra VNC application Device
224
Plugin Plugin Supported Domain

Target product name Target type
name version target versions type
All products All LTS versions Global/
AIX 1.0.0 Device
using IBM AIX currently supported Local
All LTS versions Global/ Device/
Citrix ADC 1.0.0 Citrix ADC product line
currently supported Local Application
VMWare ESX/ All LTS versions Global/
Esx 1.0.0 Device
ESXi product line currently supported Local
F5 1.0.0 F5 BIG IP product line Device
Table 11.1. Plugin matrix - Part 1
11.2.2. Cisco plugin

Field description
The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 160) for a device are defined as follows:
• “Host”: device hostname or IP address. This parameter is only required for a global domain.
• “Port”: device port number (SSH default port: 22).
• “Enable password”: privilege elevation password of the "enable" command. This parameter is
required.
Supported rotation
• Password
Administrator account description
• An administrator account is not required on domain.

• The administrator account is a user with "superuser" privileges / administrator account set for
a device.
Specific plugin information
• There is no host key shared with proxies.

• For further information on plugin version and supported target versions, refer to Table 11.1, “Plugin
matrix - Part 1”, page 224.
11.2.3. Dell iDRAC plugin

Field description
for a device (refer to Section 10.3, “Domains”, page 160) are defined as follows:
• “Port”: device port number (SSH default port: 22)
• “Index”: index of the privileged account. By default, it corresponds to index 2. This parameter is
required.
• “iDRAC version”: device version. By default, it corresponds to Dell iDRAC8. This parameter is
required.
225
Supported rotation
• Password

• The administrator account is a root user with "Administrator" account privileges.

11.2.4. Fortinet FortiGate plugin

Field description
• “Configuration”: character string referring to the section of the configuration. Only the
configuration for the default "System admin" is currently supported.
Supported rotation
• Password
• SSH key (on local domain only)
• An administrator account is required on global domain.

• The administrator account is an "admin" account with the "super_admin" account profile.
Warning:
The administrator account is required on the local domain for this plugin. This
account should be first added to the domain from the "Domain accounts" area on
the domain summary page, once the domain creation step has been completed. For
further information, refer to Section 10.3.4, “Add an account to the global or a local
domain”, page 165. Once the "Enable password change" option has been selected on the
domain modification page, select this account from the list in the "Administrator account"
field prior to select the Fortinet FortiGate plugin in the "Password change plugin" field.
• There is a host key shared with proxies.

11.2.5. IBM 3270

Field description
226
The parameters to be set for this plugin during the creation/modification of a local domain for a
device only (refer to Section 10.3, “Domains”, page 160) are defined as follows:
• “Port”: system port number (3272 over TLS default port: 623). This parameter is required.
• “Scenario”: scenario labelled in plain text played by the plugin to change passwords. This
parameter is required.
This scenario includes the following commands and also accepts comments and empty lines:
• EXPECT: expects to receive a specific character string at a given offset which must be absolute,
starting from line 1 in the upper part of the terminal
• IF EXPECT/ELSE/FI: expects to receive a specific character string at a given offset which must
be absolute, starting from line 1 in the upper part of the terminal. If the string is found, the condition
in the TRUE block element is executed. Otherwise, the condition in the ELSE block element is
executed if the latter exists.
• MOVE_TO: moves the cursor to a given position starting from line and column 1 in the upper part
of the terminal (for example, command MOVE_TO:5:18 moves the cursor to line 5 column 18)
• PUT: writes a specific character string at the cursor position
• SEND_ENTER | SEND_PF3 | SEND_PF4 | SEND_PF5 | SEND_PF6 | SEND_PF7 | SEND_PF8: these
commands send the specific key (e.g. ENTER or PF7) to the terminal
• LOG_ERROR: writes the message specified as a parameter into the error logs
• LOG_SCREEN: writes the whole 3270 terminal screen and cursor position into the error logs
• QUIT: ends the session. The password is considered as unchanged.
The following variables are interpreted at runtime:
• $admin_login: sends the administrator user name

• $admin_password: sends the administrator password
• $account: sends the target account name for which the password is currently being changed
• $old_password: sends the old password
• $new_password: sends the new password. The password is considered as changed if the script
for the scenario has been executed successfully.
Scenario example:
An AS/390 emulator with 3270 capabilities can be found at http://www.canpub.com/teammpg/de/
sim390/.
#######
# Script for MUSIC AS/390 emulator
# with TN3270 support
#######
####
# Welcome screen
EXPECT:16:Multi-User System for
SEND_ENTER
####
# Login screen
EXPECT:3:MUSIC Userid:
PUT:$account
MOVE_TO:5:18
227
PUT:$old_password
SEND_ENTER
####
# Login errors
IF EXPECT:7:Password incorrect
LOG_ERROR:Bad password !
QUIT
FI
IF EXPECT:7:Userid is not authorized

LOG_SCREEN
LOG_ERROR:Bad username
QUIT
FI
####
#
EXPECT:1:Userid last signed
SEND_ENTER
####
# Change password
EXPECT:12:Change password
PUT:7
SEND_ENTER
EXPECT:17:Enter your current MUSIC sign-on password

PUT:$old_password
SEND_ENTER
EXPECT:19:Enter a new MUSIC sign-on password

PUT:$new_password
SEND_ENTER
EXPECT:23:Please enter the new password again

PUT:$new_password
SEND_ENTER
####
# End of changing password
IF EXPECT:4:SELECT OPTION
PUT:X
ELSE
# Quit with an error
LOG_ERROR:Password has not been changed
# Print the terminal screen to syslog
LOG_SCREEN
QUIT
FI
# End of script. If reached, password has been successfully changed
Supported rotation
• Password
228
• An administrator account is not required on global domain.

• The administrator account is a user allowed to change passwords.
Warning:
The administrator account is required on the local domain for this plugin when the
variables $admin_login and $admin_password are specified in the scenario. This
account should be first added to the domain from the "Domain accounts" area on
domain”, page 165. Once the "Enable password change" option has been selected on the
domain modification page, select this account from the list in the "Administrator account"
field prior to select the IBM 3270 plugin in the "Password change plugin" field.

11.2.6. Juniper SRX plugin

Field description
The parameter to be set for this plugin during the creation/modification of a local domain for a device
only (refer to Section 10.3, “Domains”, page 160) are defined as follows:
Supported rotation
• Password

• The administrator account is an "admin" user with "super-user" privileges.

11.2.7. LDAP plugin

Field description
• “Host”: server hostname or IP address. This parameter is required.
229
• “Port”: server port number (default port: 389). This parameter is required.
• “Encryption”: encryption protocol to use: STARTTLS (default value), TLS or None. This parameter
is required.
• “Active Directory”: option to select if the password change is associated with Active Directory.
• “Network timeout”: maximum time period expressed in seconds for connection attempt to the
server.
• “Administrator Bind DN | Administrator password”: Bind DN and password of the administrator
allowed to connect to the LDAP or Active Directory. These parameters are required.
e.g. for LDAP Bind DN: “CN=administrator, DC=mycompany, DC=com”
e.g. for Active Directory Bind DN: “administrator@mycompany.com”
Warning:
If an administrator account has been set on the domain for this plugin, then the
parameters of this account will be used to connect to the LDAP or Active Directory.
Those defined in the “Administrator Bind DN” and “Administrator password” fields are
then not considered.
This account should be first added to the domain from the "Domain accounts" area on
domain”, page 165. Once the "Enable password change" option has been selected on
the domain modification page, select this account from the list in the "Administrator
account" field prior to select the LDAP plugin in the "Password change plugin" field.
• “Password attribute”: password attribute required for password change. It corresponds to the
LDAP attribute “userPassword” by default. This parameter is required.
• “User DN format”: syntax of the user DN used to specify the account concerned by password
change. By default, it corresponds to the string “CN=${USER},DC=dev,DC=example,DC=com”
where parameter “${USER}” will be replaced by the user name. This format is also used for the
administrator account which may be set on the domain for this plugin. This parameter is required.
• “Custom parameters”: additional custom attributes to be specified for password change.
These parameters may be required by the server and depend on its configuration. Each
“parameter=value” pair must be labelled on a single line.
Supported rotation
• Password

• The administrator account is a user allowed to change passwords.

11.2.8. MySQL plugin
230
Field description
(refer to Section 10.3, “Domains”, page 160) for a device or an application are defined as follows:
• “Host”: database hostname or IP address. This parameter is only required for a global domain.
• “Port”: database port number
Supported rotation
• Password

• The administrator account is a superuser account with full privileges.

11.2.9. Oracle plugin

Field description
This plugin allows you to change the Oracle database password.
for a device and an application (refer to Section 10.3, “Domains”, page 160) are defined as follows:
• “Host”: database hostname or IP address. This parameter is only required for a global domain.
• “Port”: database port number
• “Service name”: database service name (SID). This parameter is required.
• “Admin mode”: connection mode for the administrator account. The relevant mode can be
selected from the list of values. This parameter is set to implement reconciliation. When
reconciliation is implemented, the password is changed and the locked account is released.
Supported rotation
• Password

• The administrator account is a user with the "ALTER USER" system privilege.

11.2.10. Palo Alto PA-500 plugin
231
Field description
The parameter to be set for this plugin during the creation/modification of a local domain for a device
only (refer to Section 10.3, “Domains”, page 160) is defined as follows:
• “Port”: server port number (SSH default port: 22)
Supported rotation
• Password

• The administrator account is an administrative account with superuser privileges.

11.2.11. Unix plugin

Field description
• “Host”: system hostname or IP address. This parameter is only required for a global domain.
• “Port”: system hostname or IP address (SSH default port: 22)
• “Root password”: password to connect as "root".
The root account may not be able to connect to the target to perform the password change via
SSH under certain circumstances, for security reasons. In this case, the plugin will refer to the
administrator account set for the domain to connect to the target and then use the root password
via the "su" command.
When reconciliation is needed, the authentication with password or SSH key is attempted for the
administrator account.
Supported rotation
• Password
• SSH key
• SSH CA certificate

• The administrator account is an account with the right to execute “sudo”, “passwd” commands.
232
11.2.12. Windows plugin

Field description
• “Domain controller address”: domain controller hostname or IP address. This parameter is only
required for a global domain.
• “Administrator login and administrator password”: login and password of a privileged account
which is allowed to change passwords of other accounts. These parameters are optional but note
that WALLIX Bastion cannot define the new password of an account if the former one is unknown.
These parameters correspond to the credentials of the account selected in the "Administrator
account" field defined on the domain page (refer to Section 10.3, “Domains”, page 160) and are
set to implement reconciliation.
To allow full operation of the automatic password change process on a standalone Windows
Server, this privileged account must be included in the administrator group.
To allow full operation of the automatic password change process on a Windows Server
configured with Active Directory, this privileged account must have the "Reset password" right
set for the other accounts on the domain. For further information on how to delegate permission
to reset passwords of Active Directory user accounts, refer to https://www.petri.com/delegate-
permission-reset-ad-user-account-passwords.
Warning:
To allow full operation of the automatic password change process in WALLIX Bastion, we
strongly recommend changing the default value set for the minimum password age at the
level of the Windows password policy. This value should be set to "0":
• on a standalone Windows Server, the minimum password age should be changed in

the Windows security settings for local accounts at the level of the local policy via "Local
Security Policy" > "Account Policies" > "Password Policy" > "Minimum password age".
• on a Windows Server configured with Active Directory, the minimum password age
should be changed in the Windows security settings at the level of the group
policy for accounts on domains via "Group Policy Management Editor" > "Computer
Configuration" > "Windows Settings" > "Security Settings" > "Account Policies" >
"Password Policy" > "Minimum password age".
On the other hand, to avoid any timeout error when performing password change
on a target under Windows Server 2012, we recommend enabling the rule “Netlogon
Service(NP-In)” in the Windows firewall advanced settings.
Supported rotation
• Password
233
• The administrator account is the local administrator account or domain account with the "Reset
password" right set for the other accounts on the domain.

11.2.13. WindowsService plugin

This plugin allows the automatic propagation of a new password on a Windows Service following
the password change of a service account. For further information on the management of service
accounts, refer to Section 10.4.1.4, “Define references for service account management”, page 174.
Warning:
To allow full operation of the password change process on a Windows service, the
installation of PowerShell 3.0 or later and the activation of WinRM are required on the
Windows server.
Field description
(refer to Section 10.3, “Domains”, page 160) for a device are as follows:
• “Name”: name of the Windows Service for which the password must be changed. This parameter
is required.
• “Transport”: transport protocol used to authenticate to the WinRM server: Kerberos (default
value), CredSSP or NTLM. This parameter is required.
Warning:
If the transport protocol defined for this plugin is Kerberos, then the fields “Kerberos
realm”, “Kerberos KDC” and “Kerberos port” must be specified on the global domain
page of the administrator account selected during the definition of the reference. For
further information, refer to Section 10.3.1, “Add a global domain”, page 162.
• “Restart the service”: option to select if the Windows Service must be restarted after the password
change. When the Windows Service is deployed on multiple Windows servers, this service is
restarted successively on each server after the password change, in order to avoid an interruption
of the service.
Supported rotation
• Password
• An administrator account is required on domain.

• The administrator account is an administrator account with Remote Management (WinRM)
enabled.
234

11.2.14. Cisco Nexus plugin

Field description
• “Port”: device port (SSH default port: 22).
Supported rotation
• Password

• The administrator account is an administrator account allowed to launch the specific password
change commands.

11.2.15. HP-ILO plugin

Field description
• “Port”: SSH server port (default: 22).
Supported rotation
• Password

• The administrator account is an administrator account allowed to launch the specific change
password commands.

235
11.2.16. Checkpoint plugin

Field description
N/A
Supported rotation
• Password

11.2.17. Ultra VNC plugin

Field description
• “Port”: system port (SSH default port: 22).
• “Connection Account”: account used for SSH connection.
• “Account Password”: password for SSH account.
• “Path of setpasswd.exe”: full path of setpasswd.exe in unix format. E.g., /drives/c/Program Files/
uvnc bvba/UltraVNC/setpasswd.exe
Supported rotation
• Password

• The administrator account is a Windows local administrator.
• Prerequisite: a Cygwin or an SSH connection to the Windows server hosting Ultra VNC is
necessary.
11.2.18. AIX plugin

Field description
236
• “Port”: system port (SSH default port: 22)
• “Root password”: password to connect as "root".
The root account may not be able to connect to the target to perform the password change via
SSH under certain circumstances, for security reasons. In this case, the plugin will refer to the
administrator account set for the domain to connect to the target and then use the root password
via the "su" command.
When reconciliation is needed, the authentication with password or SSH key is attempted for the
administrator account.
Supported rotation
• Password
• SSH key
• An administrator account is not required on domain if the user has a password command access.
• The administrator account is an administrator account with "sudo", "passwd", "pwdadm" rights.

11.2.19. Citrix ADC plugin

Field description
(refer to Section 10.3, “Domains”, page 160) for a device or an application are defined as follows:
Supported rotation
• Password

password commands.
237
11.2.20. Esx plugin

Field description
Supported rotation
• Password

password commands and with shell access.

11.2.21. F5 plugin
Field description
• “Port”: Sytem port (SSH default port: 22)
• “Group name”: Devices group name (for Sync)
Supported rotation
• Password

password commands.

238
11.3. Password change policies

A password change policy defines the password (i.e. password, SSH key or both) change
settings and can be selected during the creation/modification of a global/local domain. For further
information, refer to Section 10.3, “Domains”, page 160.
Warning:
All passwords for which automatic change is configured, as described in Section 10.4.5,
“Change the credentials automatically for one or several accounts”, page 179, will be
replaced. You must therefore check that the emails containing the new passwords have
indeed been received and can be unencrypted. You are recommended to do so by testing
the process on a single, non-administrator account.
WALLIX Bastion's performances can be affected by a large number of password changes.

This number can be set in the “Credential change thread pool dimension” field, accessible
from “Configuration” > “Configuration options” > “Global” > “Main” section. This field is
displayed when the “Advanced options” check box at the top right of the page is selected
and should ONLY be changed upon instructions from the WALLIX Support Team!
From the “Password change policies” page on the “Password management” menu, you can list,
add, edit or delete password change policies.
Warning:
A default password change policy called “default” is configured in WALLIX Bastion. This
policy can neither be deleted nor edited.
11.3.1. Add a password change policy

From the “Password change policies” page, click on “+ Add” to display the password change policy
creation page.
• the policy name

• a description
• the password change periodicity, i.e. the frequency at which the password change is automatically
triggered. The format of the “Change periodicity” field corresponds to the cron syntax. This
field supports the usual syntax on 5 fields <Minute> <Hour> <Day_of_the_Month>
<Month_of_the_Year> <Day_of_the_Week> and aliases @.
For example, if 0 0 * * * or @daily is entered in this field, then the password change job is set
to run once a day at midnight. For further information, refer to https://en.wikipedia.org/
w/index.php?title=Cron#CRON_expression.
List of values are available below this field to define clearly this period using cron syntax.
If this field is left empty, then no period of change is set.
239
• a dropdown list to indicate if the policy concerns either a change of password or SSH key or both
When the selected policy concerns a password change, the “Password generation” section
becomes accessible and lists the following fields:
• the password length, i.e. the number of characters the password must contain
• the number of non-alphanumeric ASCII characters (or special characters) which must be present
in the password
• the number of lowercase letters which must be present in the password
• the number of uppercase letters which must be present in the password
• the number of digits which must be present in the password
• the characters which must be excluded from the password. Once you have entered a character
in the field, click on “+” to add it to the forbidden character list. Once a character is added, you
have the possibility to delete it from the list by clicking on the “-” red icon.
When the selected policy concerns an SSH key change, the “SSH key generation” section becomes
accessible and lists the following fields:
• a list of values to select the SSH key type and

• depending on this selection, a list of values to specify the key size
You will find below a summary table of the SSH key types and the corresponding sizes allowed:

RSA 1024 bits | 2048 bits | 4096 bits | 8192 bits
DSA 1024 bits
ECDSA 256 bits | 384 bits | 521 bits
ED25519 N/A
When the selected policy concerns a password change and an SSH key change as well, both
sections become accessible and list the fields described above.
Figure 11.3. "Password Change Policies" page in addition mode
240
11.3.2. Edit a password change policy

From the “Password change policies” page, click on a policy name to display the related modification
page. It is then possible to edit the data already entered.
Warning:
If the target account access is not allowed for a profile, then the profile members can
neither delete nor edit a password change policy.
11.3.3. Delete a password change policy

From the “Password change policies” page, check the box at the beginning of the line(s) to select the
password change policy(ies) you wish to delete, then click on the “Delete” button. WALLIX Bastion
Warning:
neither delete nor edit a password change policy.
11.4. "Break glass" mechanism configuration

WALLIX Bastion implements a "break glass" mechanism which allows a user to get the credentials
of the target groups gathered in the Bastion, i.e. login, cn (“common name”), passwords and SSH
keys. This may be useful in the event of the unavailability of WALLIX Bastion.
Credentials in the bastion are automatically sent to the user every night at 2:34 a.m. in the time
zone in which WALLIX Bastion is located (as defined in the "Time Service" page on the "System"
menu): they receive an encrypted email containing the list of all the credentials for the target groups
gathered in the Bastion, depending on the scope of the limitations set for their profile.
Furthermore, the user receives an encrypted email containing the new password and/or SSH key
for the target account whenever the latter is changed (automatically or manually), depending on
the password change and checkout policies linked to the account. For further information, refer to
Section 10.4.5, “Change the credentials automatically for one or several accounts”, page 179 and
Section 10.4.6, “Change the credentials manually for a given target account”, page 179.
Important:
The user is notified when the following conditions are fulfilled:
• a public GPG key is declared for the user (refer to Section 7.3, “Setting your
preferences”, page 38)
• the user has the right to get the list of all the credentials in WALLIX Bastion: the
"Execute" right for the "Credential recovery" feature is set in their profile (refer to
Section 9.3, “User profiles”, page 87)
• the change (either automatic or manual) must be enabled:
– at the level of the domain: a password change policy and a password change
plugin must be linked to the domain. For further information, refer to Section 10.3,
241
“Domains”, page 160, Section 11.3, “Password change policies”, page 239 and
Section 11.2, “Password change plugins”, page 223.
– at the level of the target account: a checkout policy must be linked to the account
and the automatic password and/or SSH key change must be set, if so. For further
information, refer to Section 10.4, “Target accounts”, page 171 and Section 10.8,
Note:
The email containing the list of all the credentials can be decrypted using a PGP-
compatible tool. It is then required to decrypt the attachment separately and use a CSV
or JSON-compatible tool to open the attachment in this format.
Notifications related to successive credential changes at check-in and notifications which

were not sent due to network failures are grouped to be sent by email within the next
15 minutes.
242
Chapter 12. Session management

Warning:
The "Session Management" menu and the "Sessions" entry in "My Authorizations" can
only be managed if the WALLIX Session Manager feature is associated with your license
key (refer to Section 5.1, “WALLIX Session Manager”, page 23).
A latency period can occur when displaying the “Sessions” page in the “My authorizations”
menu due to a large volume of sessions existing in the Bastion. To improve the page
load performance, it is necessary to deselect the option “Session last connection date”
accessible from “Configuration” > “Configuration options” > “GUI (Legacy)” > section
“main”. Note that when the option “Session last connection date” is deselected, the data
in the “Last connection” column is no longer displayed.
Important:
formats.
12.1. User authorizations on sessions

From the "Sessions" page on the "My Authorizations" menu, the user can view the list of the targets
to which he/she is authorized to access.
The user can access the target by clicking on one of the following icons at the beginning of the
concerned line:
• : this icon allows the user to download an RDP configuration file or a shell script with the SSH
command (WALLIX-PuTTY on Windows or SSH on other systems) he/she can save to establish a
connection from an RDP or an SSH client (filename suffix .puttywab or .xsh or .rdp under Windows
and .sh or .remmina under Linux). In this case, the WALLIX Bastion password is required for the
connection.
• : “Instant access (one-time password, limited in time)”: this icon allows the user to open the file
to immediately establish a connection from an RDP client (filename suffix .rdp under Windows
and .sh or .remmina under Linux). In this case, no password is required but the access is granted
for a limited period of time. This icon is also displayed for the connection to an application.
• : “Instant access with WALLIX-PuTTY (one-time password, limited in time)”: this icon allows
the user to open the file to immediately establish a connection from an SSH client (filename suffix
.puttywab or .xsh under Windows and .sh under Linux). In this case, no password is required but
the access is granted for a limited period of time. For SSH authentication, see also Section 12.2,
“Target connection in interactive mode for SCP and SFTP protocols”, page 247.
Note:
The display of icons, and consequently the access to the file to establish a connection,
depends on the parameters set for the connection and file types related to RDP and SSH
according to the operating system via "Configuration" > "Configuration Options" > "GUI
(Legacy)", in the following fields:
243
• “Rdp connection links” and “Ssh connection links”

• “Rdp windows filetype” and “Rdp other os filetype”
• “Ssh windows filetype” and “Ssh other os filetype”
When the authorization concerns a RAWTCPIP service, only the application WALLIX-
PuTTY allows the user to download or open the file to establish the connection (filename
suffix .puttywab). For further information on WALLIX-PuTTY, refer to Section 12.1.1,
“Specific options for SSH sessions”, page 244.
Note:
In a load balancing process, it is possible to specify the WALLIX Bastion's FQDN or IP
address to which the user will be redirected to when accessing a target via "Configuration"
> "Configuration Options" > "GUI (Legacy)":
• in the field "Connection file fqdn standard": when the target is accessed by downloading
the configuration file
• in the field "Connection file fqdn otp": when the target is instantly accessed with one-
time password method.
12.1.1. Specific options for SSH sessions

The downloadable file type on Windows platforms for SSH sessions can be selected from
"Configuration" > "Configuration Options" > "GUI (Legacy)", then select the appropriate value in
"Ssh windows filetype".
To use the .puttywab files on Windows, the application WALLIX-PuTTY has to be downloaded and
installed from the link "Download WALLIX-PuTTY" displayed at the top of the page. This link is
only displayed when the workstation is running under Windows and the user is also authorized to
connect to at least one SSH target. The installation sets the file association so that the application
is started automatically. The installation does not require administrative privileges. However, the
installation is only operational for the logged user and not for all users of the workstation.
12.1.2. Specific options for RDP sessions

The link "Download RDP configuration file" displayed at the top of the page allows the user
to download an RDP configuration file with the RemoteApp mode enabled. The user can then
save the file to establish a connection to an application in interactive mode via the RDP client
selector. This link is only displayed when the RemoteApp mode is enabled and the user is also
authorized to connect to at least one application. The RemoteApp mode is enabled by default when
accessing applications (as defined via "Targets" > "Applications"). This parameter can be managed
via "Configuration" > "Configuration Options" > "GUI (Legacy)", then select/deselect the option "Rdp
remote app mode".
The "Options" area at the top left of the page allows the user to select the resolution and the color
depth for the RDP client window. The settings are saved for the workstation being used. Thus a user
can establish an RDP connection through a desktop or a laptop with different resolution settings
for each workstation.
For further information on RemoteApp mode, refer to Section 10.2.2, “Configure the application
launch using RemoteApp mode”, page 147.
244
Warning:
The RemoteApp sessions of a user connected simultaneously on one or several
applications are split by default when displayed from the "Current Sessions" and
"Session History" pages below the "Audit" menu). If the option "Rdp enable sessions
split" (accessible from "Configuration" > "Configuration Options" > "GUI (Legacy)" >
"main" section) is deselected, it may be possible to get an overlay view of these sessions.
The client Remote Desktop Connection (MSTSC) connected to Windows Server 2008
or 2012 does not allow several RemoteApp programs to share the same RDP session.
There will be as many RDP sessions created as the number of RemoteApp programs
launched.
Display issues related to the Microsoft client have been reported when using RemoteApp
mode and multiple monitors. Dysfunctions occur when the primary monitor is not located
in the upper left part of the virtual screen. The recommended workaround is to locate
the primary monitor in the upper left part of the virtual screen. Refer to https://
go.microsoft.com/fwlink/?LinkId=191444 for further information on the virtual
screen.
On the other hand, to allow glyphs support between iOS client and the RDP proxy and thus display
text properly on the selector when accessing sessions from mobile devices, the option "Bogus ios
glyph support level" is selected by default. This parameter can be managed via "Configuration" >
"Configuration Options" > "RDP proxy" > section "client".
Moreover, as the support of Unicode character set for keyboard event is necessary to operate
the Remote Desktop Connection client under iOS, the option "Unicode keyboard event support" is
selected by default. This parameter can be managed via "Configuration" > "Configuration Options"
> "RDP proxy" > section "globals".
As the keyboard behavior for VNC sessions depends on the target server environment, options
allow to declare this environment and allow the corresponding behavior. These options can be
managed below the "vnc" section on the configuration page related to the connection policy for the
VNC protocol. This page can be accessed from "Session Management" > "Connection Policies":
• when "Server unix alt" is selected

– on a Unix environment, the target server can receive any Unicode character sent by the client
– on a Windows environment, the target server forbids any Unicode character but allows special
characters using AltGr+€ key combination
• the option "Server is macos" should only be selected to support the keyboard specificities related
to old versions of Apple Mac OS VNC servers. Note that the French PC keyboard (FR) is
supported for the connection to a VNC target on a Macintosh environment if this keyboard is
installed and selected on the target server.
12.1.3. Session access through an approval workflow

If an approval workflow has been defined to be authorized to access the target, the user can send
a request for approval to the session access by clicking on "Request" in the "Approval" column.
The "Approval request" page is then displayed and the request start date, time and duration must
be entered. A comment to enter the reason for approval request and a ticket reference may also
be displayed and entered respectively in the "Comment" field and the "Ticket reference" field if
the corresponding options were enabled during the authorization definition. For further information,
refer to Section 14.7, “Approval workflow”, page 307.
245
Once the request is performed, the user is redirected on the "Sessions" page and then he/she can
view the status of the sent approval requests on the bottom table.

The user can click on the notepad icon at the beginning of the line to get a detailed view of the
request. The page provides a "Cancel request" button to cancel the approval requests which are
still valid.
Note:
A script can be called during the approval request creation, but also at the beginning and
end of each session within the request duration period, to manage the approval in an
external ticketing system. To do so, the path to this script is to be entered in the "Ticketing
interface path" field via "Configuration" > "Configuration Options" > "Global".
The script must be uploaded to the /usr/local/bin directory for which the “wabuser”
user has execution rights. To upload a file to this directory, the user must be logged in
with “root” privileges.
The script is then systematically called even if a ticket number is not specified in the
"Ticket" field. When the script writes on the standard output a ticket number expected in
format: "ticket=1234", WALLIX Bastion takes into account this number and not the one
specified in the "Ticket" field.
When this script is called, it receives as a parameter the path to a file providing all the
session information.
Example of information provided in the file during the approval request creation:
[request]
user=johndoe
target=target1@local@repo:SSH
date=2017-09-22 10:12:19
duration=300
ticket=1234
comment=I have to install patches
session_id=
session_start=0
session_end=0
target_host=
Example of information provided in the file at the beginning of the session:
[request]
user=johndoe
246
date=2017-09-22 10:12:00
duration=300
ticket=1234
session_id=15ea8a529008635d5254006c3e07
session_start=2017-09-22 10:12:29
session_end=0
target_host=host1.mydomain.lan
Example of information provided in the file at the end of the session:
[request]
user=johndoe
date=2017-09-22 10:12:00
duration=300
ticket=1234
session_id=15ea8a529008635d5254006c3e07
session_start=2017-09-22 10:12:30
session_end=2017-09-22 10:12:34
target_host=host1.mydomain.lan
Figure 12.1. "My Authorizations" menu - "Sessions" page
12.2. Target connection in interactive mode for

SCP and SFTP protocols
As SCP and SFTP protocols do not allow a secondary interactive mode, it is necessary to add
specific options during primary connection (i.e. the connection initiated between a user and WALLIX
Bastion) to be prompted for target connection information, displayed as prompts or dialog boxes,
using primary interactive keyboard ("keyboard interactive"). This system assumes that the client
supports the interactive keyboard authentication method ("keyboard interactive").
The question mark “?” is a forbidden character in the user name (or login) but it can be used as
a separator to specify options (on the right) requesting clearly a prompt to enter the login and/or
a password to connect to the target.
The “p” option requests the target password.
The “l” option requests the target login.
The question mark “?” without any option requests the target password by default.
247
Examples:
Login: “wabuser”: no additional prompt
Login: “wabuser?”: target password is prompted
Login: “wabuser?p”: target password is prompted
Login: “wabuser?l”: target login is prompted
Login: “wabuser?lp”: target login is prompted first then target password is prompted
The password is required when the authentication method PASSWORD_INTERACTIVE has been
selected at the level of the connection policy associated with the target (for further information, refer
to Section 12.4, “Connection policies”, page 261).
12.3. Audit data

The "Audit" menu allows the auditor to view WALLIX Bastion audit data and mainly connection
histories.
An auditor is a user who has been designated by a WALLIX Bastion administrator with the right
to audit: the "View" right for the "Session audit" feature is set in their profile (refer to Section 9.3,
“User profiles”, page 87).
12.3.1. Current sessions

From the "Current Sessions" page on the "Audit" menu, the auditor can view the list of the active
connections during which RDP or SSH sessions were initiated from WALLIX Bastion and are still
on-going. Note that active connections on the Web interface during which sessions are not initiated
are then not shown on this list.
Note:
The generic term "connection" will be used throughout this section to refer to both SSH
and RDP connections.
On the top of the page, the auditor can choose to enable/disable automatic refresh of current session
data. When the corresponding option is enabled, you can set the refresh frequency. This may be
particularly useful when selecting the active connections to close.
• the user (set as follows: user@machine(ip))

• the target accessed (set as follows: account@target:service)
• the target host or IP address
• the description of the source (RDP or SSH) and destination protocols
Note:
Specific keywords must be entered in the “Search:” field above the table header to
search for RDP sessions:
– the rdp:app keyword to search for application sessions
– the rdp:notapp keyword to search for sessions which are not application sessions
248
• the connection start time

• the connection duration
The auditor can also close one or more connections on this page: to do so, it is necessary to check
the box at the beginning of the line(s) to select the related connection(s), then click on the red
icon, on the column header, to close the corresponding connection(s). WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently closing the connections(s).
Users connected through RDP or SSH are then informed that the connection has been closed by
the administrator, as shown below:
Figure 12.2. SSH connection closed by the administrator
Note:
When closing a connection, the auditor can prevent the local user from connecting again.
This action can be set via "Configuration" > "Configuration Options" > "GUI (Legacy)",
then select the option "Audit kill session lock user". This option is deselected by default:
the function is disabled.
12.3.2. Current sessions in real-time view

From the "Current Sessions" page on the "Audit" menu, the auditor can view the current RDP or
SSH sessions in real-time when the session recording option has been enabled at the level of
the authorization defined for the user group and the target group. For further information, refer to
Chapter 14, “Authorization management”, page 301.
The auditor can click on the magnifying glass icon at the beginning of the concerned line in the
list to open a window to view the session in real-time. He/she can click again on this icon to close
the window.
Note:
The auditor can view the current SSH session even if the session recording option has
not been enabled at the level of the authorization defined for the user group and the target
group.
249
In the context of an RDP session, the auditor can enable the “Allow rt without recording”
option accessible from “Configuration” > “Configuration options” > “RDP proxy” > section
“video” to view the current RDP session for which the session recording option has not
been enabled in the authorization defined for the user group and the target group.
By enabling the “Enable osd 4 eyes” option accessible from “Configuration” >
“Configuration options” > “RDP proxy” > section “client”, a message is displayed for the
user to inform him/her that the session is being audited as soon as the auditor starts
viewing the RDP session in real-time.
12.3.3. Session sharing and remote control on RDP current

sessions
From the "Current Sessions" page on the "Audit" menu, the auditor can initiate a process to remotely
control a current RDP session shared by the user.
Warning:
Session sharing and remote control on RDP current sessions are available through
WALLIX Bastion for targets under Windows Server 2012 and later versions supporting
“Remote Desktop Shadowing” feature for remote control.
The advanced configuration option “Session shadowing support” (accessible from
"Configuration" > "Configuration Options" > "RDP proxy" then section "mod_rdp") must
be enabled to allow session sharing and remote control on RDP current sessions through
WALLIX Bastion.
During this process, the auditor's session is recorded only if the user's session is also
recorded.
The process sequence is as follows:

1. First, the user connects to an RDP target and initiates a session.
2. From the "Current Sessions" page on the "Audit" menu, the auditor can then click on the session
remote control icon at the beginning of the concerned line in the list. This action launches
the download of a file on the workstation which will allow the auditor to immediately establish a
connection to the user's session from an RDP client (filename suffix .rdp under Windows and .sh
or .remmina under Linux).
3. Remote control requires the user's permission: a window is then displayed on the user's session
to request approval for a limited period of time.
4. The auditor can execute the downloaded file to immediately establish a connection to the user's
session from the RDP client.
Note:
Only a single remote control request can be sent during the user's session.
The auditor will not be able to remotely control the user's session as long as the latter
has not accepted the request on the dedicated window.
12.3.4. Session history
250
From the "Session History" page on the "Audit" menu, the auditor can view the history of all
connections to targets made through WALLIX Bastion and also visualize the session recordings
(refer to Section 12.3.5, “Session recordings”, page 252).
Caution:
An auditor with limitations set on their profile can see the session history only if they are
allowed to view the authorization set for the session. This authorization is defined for a
user group and a target group they are allowed to view.
Warning:
This page shows only the closed sessions on targets. To get the view on the current
sessions, refer to Section 12.3.1, “Current sessions”, page 248.
This page does not show user authentications and thus user authentication failures
due to access rights. To get this information, refer to Section 12.3.8, “Authentication
history”, page 258. SIEM messages provide more information on authentications and
access rights. For further information, refer to Chapter 17, “SIEM messages”, page 331.
Figure 12.3. "Session History" page

• the user name and source IP for the connection (set as follows: name@ipsource)
• the target accessed (set as follows: account@target:service)
• the target host or IP
• the source and destination protocols
Note:
Specific keywords must be entered in the “Search:” field above the table header to
search for RDP sessions:
– the rdp:app keyword to search for application sessions
– the rdp:notapp keyword to search for sessions which are not application sessions
• the connection start time

• the connection end time
• the connection duration
• the file size of the session recording. For further information, refer to Section 12.3.5, “Session
recordings”, page 252.
251
Note:
The file size of the session recording is not displayed when session has been initiated
from a version earlier than WALLIX Bastion 6.2.
• an icon representing the result of the connection. In the event of a failure, an auditor can get
more detail on the connection issue (e.g. wrong password, authentication to target failed, target
resource not available, session killed by the administrator or by a “Kill” action, etc.) by clicking
on the icon. This description can be updated if needed. In case of success, an auditor can add a
description in a dedicated area by clicking on the icon. The addition of comments into this area
is logged in the WALLIX Bastion audit log (i.e. "wabaudit"). For further information regarding this
log, refer to Section 8.5, “System logs”, page 49.
•
the icon is displayed when the session has been shared between the user and the auditor
with remote control. The information can then be displayed by hovering the mouse over the icon:
it corresponds either to the auditor's remote control session or the user's controlled session.
Filters can be defined on the top of the page to facilitate the search and restrict the display to relevant
records. The available filters are based on:
• a sort on the display of either all data or only the existing device or only the existing application
• the definition of a period
• the definition of the last N days
• a search for text occurrences in the columns. For further information, refer to Section 6.5.1,
“Search data”, page 32.
Note:
Only the last 1,000 records are displayed in the Web user interface. The occurrence filter
is applied to these 1,000 records. Older sessions can only be retrieved through the date
range filter.
All data in this page can be downloaded as a .csv file.
12.3.5. Session recordings

A session video viewer is embedded in WALLIX Bastion and allows a direct access to the RDP or
SSH session recordings without requiring any specific browser plugin, application or video codec
to be installed.
Session recordings are stored in partition /var/wab/recorded/ (for local storage) or /
var/wab/remote/recorded/ (for remote storage) and can be archived or purged using a
dedicated script. For further information, refer to Section 15.20, “Export and/or purge session
recordings manually”, page 318 and Section 15.21, “Export and/or purge session recordings
automatically”, page 320.
Encryption and signature of session recordings can be set on the "Recordings Options" page from
the "Session Management" menu. For further information, refer to Section 12.5, “Session recording
options”, page 264.
From the "Session History" page on the "Audit" menu, the auditor can view and download the RDP
or SSH session recordings. To do so, the session recording option has been enabled beforehand at
the level of the authorization defined for the user group and the target group. For further information,
refer to Chapter 14, “Authorization management”, page 301.
252
Some icons may be displayed at the beginning of the lines to allow specific actions:
• : this icon allows the auditor to download the session recording in the unprocessed format
ttyrec for the SSH session or in the pcap format (which can be viewed with the packet analyzer
Wireshark) for the RAWTCPIP session
• : this icon allows the auditor to download the visible content of the SSH session in a flat text
format (txt)
• : this icon allows the auditor to display the page to view the recording of the session. Then a
viewer allows to go through the session video. The session information is displayed on the top
of the page.
When viewing an SSH session, it is possible to get the transcription of the video and the session
metadata but also download the files transferred during the session in the dedicated areas below
the viewer.
Figure 12.4. "Session History" page - SSH session view
253
When viewing an RDP session, it is possible to:

– generate then download the whole film by first clicking on the "Generate" button below the
viewer, then by clicking on the icon displayed as soon as generation is completed.
Note:
When replaying the video of a RemoteApp application session, the area of the
content displayed in the RDP viewer can be set. This parameter can be managed
from "Configuration" > "Configuration Options" > "RDP proxy" then below section
"video", select the appropriate value in "Smart video cropping".
The recording for a session based on the RDP protocol includes both video and
automatic OCR of the applications running on the remote machine by detecting title
bars.
The algorithm used to detect the title bar content is very fast and thus allows real-time
execution. However, it only works with "Windows Standard" windows and a default
font size of 96PPP with a colour depth of 15 bits or more (15, 16, 24 or 32 bits, it does
not work in 8-bit mode). In its current version, the OCR function will not work if the
title bar style is changed, even to a style that is visually very similar, for example to
"Windows classic", or if the title bar colour, style, font size or resolution is changed. In
addition, OCR is configured to detect only the title bars of applications closed using
254
the three icons: close icon, minimize icon and maximize icon. If the title bar contains
an icon, this will generally be replaced by question marks before the recognized text.
Figure 12.5. Viewer

– browse quickly through the film in the viewer, from a given period, by clicking on the thumbnails
on the "Screenshot list" area.
Figure 12.6. "Screenshot list" area

– download the session data by clicking on the icon on the "Session data" area. If the OCR
option is enabled, the titles of applications detected in the film by the OCR module are indexed
255
and displayed in this area. It is then possible to click on the entries in this list to browse quickly
through the film in the viewer.
Figure 12.7. "Session data" area

– download the files transferred during the session from the area "Transferred files".
• : this icon allows the auditor to display a detailed page of the approval request (with all
the approvers’ answers et comments included). This icon is displayed on the line when the
corresponding session went through an approval workflow. For further information, refer to
Section 14.7, “Approval workflow”, page 307.
12.3.6. Account history

From the "Account History" page on the "Audit" menu, the auditor can:
• check the activity on the accounts

• view the password change history
• force a check-in operation on the account's credentials
On the "Activity" column, the auditor can click on "Show" to view the activity history for the account
on a dedicated page. This page displays a table listing the check-in and checkout operations on
the account's credentials recorded at a given date and time.
Caution:
An auditor with limitations set on their profile can see the activity history for the account
only if they are allowed to view both groups in the authorization set to view the account's
credentials.
On the "History" column, the auditor can click on "Show" to view the password change history for
the account on a dedicated page. This page displays information related to the password or SSH
key changes for the account at a given date and time.
Caution:
An auditor with limitations set on their profile can see the password change history for
the account only if they are allowed to view the related account.
On the "Actions" column, the "Force check-in" option is available for the accounts which are checked
out by users. The auditor can click on this option to check-in the credentials for the related account.
Note that the current RDP or SSH session will not be closed when the account's credential check-
in is forced.
256
Note:
The "Force check-in" option is always available for the accounts defined on a global
domain associated with an external password vault. In this case, the "External vault"
column contains a check mark for the relevant accounts.
The following account activities are stored in /var/log/vault-activity.log:
• checkout
• checkout duration extension
• check-in and automatic check-in
• forced check-in
This information can be sent to a SIEM software if the routing is configured on WALLIX Bastion.
For further information, refer to Section 8.9, “SIEM integration”, page 54.
Note:
Some system logs saved in partition /var/log are stored for a maximum time period
of 5 weeks.
Figure 12.8. "Account History" page
12.3.7. Approval history

From the "Approval History" page on the "Audit" menu, you can view all the approval requests
(pending or expired) sent to access sessions. For further information on approvals, refer to
Section 14.7, “Approval workflow”, page 307.
When the auditor displays the detail of a "pending" request, this action is logged in the WALLIX
Bastion audit log (i.e. "wabaudit"). For further information regarding this log, refer to Section 8.5,
“System logs”, page 49.
Caution:
An auditor with limitations set on their profile can see the approval history only if they are
allowed to view the authorization set to demand an approval request. This authorization
is defined for a user group and a target group they are allowed to view.
257

• the definition of the last N days
Note:
range filter.

• the demanding user
• the request end date and time
A click on the notepad icon at the beginning of the line allows the auditor to get a detailed view
of the request.
Figure 12.9. "Approval History" page
12.3.8. Authentication history

From the “Authentication History” page on the “Audit” menu, the auditor can view the authentication
attempts on the proxy’s RDP and SSH interfaces (respectively on ports 3389 and 22).
258
Filters can be defined at the top of the page to facilitate searches and restrict the display to relevant
data. The available filters are based on:
• the definition of a date range

• the definition of the last N days, weeks or months
Note:
Only the last 1,000 records are displayed in the Web interface. The occurrence filter is
applied to these 1,000 records. Older sessions can only be retrieved by defining a date
range.
Each line displays the following information:
• the event date

• the user name provided: the WALLIX Bastion user name
Note:
Authentication attempts with an expired OTP are not attributed to a user and are logged
as [unknown username].
• the source IP address

• the result of the authentication in the form of a success or failure icon
• the diagnosis which provides more detail on the authentication result
Figure 12.10. "Authentication History" page
12.3.9. Connection statistics

From the "Connection Statistics" page on the "Audit" menu, the auditor can view statistical
information on connections made through WALLIX Bastion for a given period of time. This period
may be a date range or a number of days before the current date.
259
At the top left of the page, the auditor can select the type of statistical information he/she wishes to
view in the list of values: either "Statistics" or "Unused resources".
If "Statistics" (by default) is selected by the auditor, the display can be restricted to the most/less
frequently occurring events (target connections by device or by user or by date, etc.): a maximum
number of 35 elements can be displayed.
The following options can be selected for the report generation:
• the number of target connections by device

• the number of target connections by target account
• the number of WALLIX Bastion connections by user
• the number of target connections by user
• the target connections by duration
• the total target connection duration by user
• the number of target connections by date
• the maximum parallel target connections by date
Filters can be defined at the bottom of the page to facilitate the search and restrict the display to
relevant records. The available filters are based on the selection among the WALLIX Bastion users
and/or devices and/or targets.
Once the charts have been generated, the auditor can click on those related to the WALLIX Bastion
and target connections to get the corresponding detail on the "Authentication History" page (refer
to Section 12.3.8, “Authentication history”, page 258) or the "Session History" page (refer to
Section 12.3.4, “Session history”, page 250).
A table in the header of the generated graphs lists the selected filters and a button below the graphs
allows to download a .csv file presenting the related data.
If "Unused resources" is selected by the auditor, he/she can view the unused users or targets for a
given period of time. This period may be a date range or a number of days before the current date.
The data can either be displayed as a list directly on the current page or downloaded as a .csv file.
Figure 12.11. "Connection Statistics" page
260
Figure 12.12. Example of statistical report
12.4. Connection policies

From the "Connection Policies" page on the "Session Management" menu, you can add, edit or
delete connection policies. The latter are defined as the authentication mechanisms available in
WALLIX Bastion.
261
The mechanisms available for RDP, VNC, SSH, TELNET, RLOGIN and RAW TCP/IP protocols are
predefined in WALLIX Bastion and can neither be deleted nor edited.
A connection policy can be selected during the creation/modification of a device and is

associated with a specific service on the device. For further information, refer to Section 10.1,
“Devices”, page 135.
On each of these pages, a useful description can be displayed for all the fields by selecting the check
box of the "Help on options" field on the right of the page. This description includes the required
format to be specified when entering data in the concerned field.
Warning:
The specific options displayed when the check box of the "Advanced options" field at
the top right of the page is selected should ONLY be changed upon instructions from
the WALLIX Support Team! An icon representing an exclamation mark on an orange
background is displayed near the concerned fields.
Figure 12.13. "Connection Policies" page
12.4.1. Add a connection policy

From the "Connection Policies" page, you can add a connection policy:
• by clicking on "Add a connection policy" to display the policy creation page

• by duplicating an existing policy in order to use its parameters: click on the icon in the "Action"
column on the right of the concerned line in the table to display the policy creation page with the
parameters inherited from the chosen policy. In this case, only the "Policy name" and "Description"
are not inherited from the chosen policy and are empty.
The connection policy creation page consists of the following fields:
• the connection policy name

• a description
• the selection of the relevant protocol (automatically entered if you create a policy from the
parameters of an existing one)
• the selection of the policy type
• the selection of the authentication methods and the parameters specific to the chosen protocol
262
• the definition of a transformation rule to get a login for secondary connection. For further
information, refer to Section 12.7, “Transformation rule to get a login for secondary
connection”, page 267.
• the definition of a transformation rule to get the credentials of an account in the vault. For further
information, refer to Section 12.8, “Transformation rule to retrieve the credentials of an account
in the vault of WALLIX Bastion”, page 267.
For the connection policies based on the TELNET or RLOGIN protocols, a sequence of commands
must be entered in the "Scenario" field to define an authentication. A connection scenario is defined
by default but it can be modified. For further information, refer to Section 12.16, “TELNET/RLOGIN
connection scenario on a target device”, page 275.
For the connection policies based on the SSH protocol, a startup scenario can be entered in the
"Scenario" field (below the "startup scenario section) to perform specific actions at the beginning
of the session. For further information, refer to Section 12.19, “SSH startup scenario on a target
The session probe can be enabled for the connection policies based on the RDP protocol. For
further information, refer to Section 12.22, “Using the session probe mode”, page 283.
For the connection policies based on the VNC protocol, an SSH tunnel can be created to secure
the connections to VNC sessions.. For further information, refer to Section 12.18, “Connecting to
a VNC session over an SSH tunnel”, page 277.
Figure 12.14. "Connection Policies" page in addition mode for RLOGIN protocol
12.4.2. Edit a connection policy

From the "Connection Policies" page, click on a policy name and then on "Edit this connection
policy" to display the connection policy modification page.
The fields in this page are the same as those in the connection policy creation page, except the
"Protocol" field which cannot be accessed.
Warning:
neither delete nor edit a connection policy.
12.4.3. Delete a connection policy
263
From the "Connection Policies" page, check the box at the beginning of the line(s) to select the
related policy(ies), then click on the trash icon to delete the selected line(s). WALLIX Bastion
Warning:
You cannot delete a connection policy when the latter is linked to a device (at the level
of the service on the "Devices" page). For further information on how to link a connection
policy on a device, refer to Section 10.1.1, “Add a device”, page 135.
neither delete nor edit a connection policy.
12.5. Session recording options

From the "Recordings Options" page on the "Session Management" menu, you can set or unset
encryption and signature of session recordings.
These records can be viewed from the "Session History" page on the "Audit" menu. For further
information, refer to Section 12.3.4, “Session history”, page 250 and Section 12.3.5, “Session
The encrypted recordings can only be read by the WALLIX Bastion instance which created them.
The encryption algorithm used is AES 256 CBC. Signature is done by calculating an HMAC SHA
256 fingerprint. The fingerprint is checked at playback.
Figure 12.15. "Recording Options" Page
12.6. Universal Tunneling sessions (RAWTCPIP)

Universal Tunneling (or UT, previously called RAWTCPIP) allows the user to redirect TCP traffic
from their workstation to the target.
The main use cases are the following:
• the redirection of a fat client traffic in an IT environment (such as MySQL client)

• the redirection of a fat client traffic in an OT environment (such as Siemens TIA Portal client)
All application protocols based on TCP for the transport layer in the Open Systems Interconnection
model (OSI model) can be managed by Universal Tunneling. An SSH tunnel is used between
the user's workstation and WALLIX Bastion to encrypt and protect the data. For each Universal
Tunneling session, a PCAP file can be generated to ensure traceability after the session.
264
12.6.1. Prerequisites
UT sessions are compatible with the user workstations running under:
• Windows XP, Windows 7, Windows 8, Windows 10 for the redirection to the local address mode
and the redirection to a temporary interface mode
• any Linux distribution with OpenSSH, only for the redirection to the local address mode
The targets must have a port open on the network for a TCP-compatible protocol.
12.6.2. Specific options

12.6.2.1. Redirection modes
Two modes are available:
• the redirection to the local address: the fat client must be configured to redirect its traffic to the local
address (127.0.0.1) and a user-defined access port. The traffic will then be redirected through
the SSH tunnel. This mode does not require any specific privileges from the user.
• the redirection to a temporary interface: the fat client does not need to be configured as a
temporary network interface will be created on the user's workstation using the IP of the target.
The traffic sent on this interface will then be redirected through the tunnel. This mode requires
specific privileges from the user.
12.6.2.2. NAT (Network Address Translation)

If the target is behind a NAT (Network Address Translation) solution, it is necessary to add
a specific connection policy (for further information, refer to Section 12.4.1, “Add a connection
policy”, page 262) with the following configuration:
265
1. Select “RAWTCPIP” in the “Protocol” field.

2. Enable and specify the fields in the “nat_redirection” section.
Note:
By enabling this option, the target address of each packet now matches the IP
address of the NAT in the PCAP file.
12.6.3. Configuration to access an IT or OT target

To allow a user to access an IT or OT target with a fat client, the following steps must be performed:
1. Add a device with a RAWTCPIP service whose port is the opened port on the target that
is usually accessed by the fat client. For further information, refer to Section 10.1.1, “Add a
Examples:
If the target is the MySQL database exposed on 192.168.0.1:3306 and accessible from a
MySQL client, the IP address of the device will be 192.168.0.1 and the port of the RAWTCPIP
service will be 3306.
If the target is a Siemens Programmable Logic Controller exposed on 192.168.0.1:102 and

accessible from a Siemens Totally Integrated Automation Portal (TIA Portal), the IP address of
the device will be 192.168.0.1 and the port of the RAWTCPIP service will be 102.
2. Add the new device to a target group for session management through interactive login. For
further information, refer to Section 10.5.1, “Add a target group”, page 183.
3. Add a new authorization so that a user group can access the target group. For further
information, refer to Section 14.1, “Add an authorization”, page 301. Configure the
authorization as follows:
• check the box “Enable sessions”
• select “RAWTCPIP” in “Protocols/subprotocols”
• check the “Enable session recording” box if the generation of a PCAP file is necessary
If the target is behind a NAT (Network Address Translation) solution, a specific connection policy
must be configured. For further information, refer to Section 12.6.2.2, “NAT (Network Address
Translation)”, page 265.
12.6.4. Audit
The Universal Tunneling session can be recorded. Session recordings can be viewed at the end of
the session. For further information, refer to Section 12.3.5, “Session recordings”, page 252.
The recording of a Universal Tunneling session consists of a PCAP file containing all the traffic
exchanged between the user's client and the target through the session. This PCAP file can be
analyzed with a packet analyzer such as Wireshark, a free and open-source tool.
To facilitate the analysis:
• the client address of each packet is filled in with the IP of the system from which the tunnel was
established (the IP of the user's workstation, or the IP of the Access Manager in the case of a
session initiated from WALLIX Access Manager)
266
• the remote address of each packet is filled in with the IP of the target or with the NAT IP of the
configured option (refer to Section 12.6.2.2, “NAT (Network Address Translation)”, page 265)
Note that if the data transmitted above the TCP layer is encrypted between the user and the target,
this data will appear encrypted in the PCAP file.
12.7. Transformation rule to get a login for

secondary connection
A transformation rule based on a character string can be defined to get a login for connection on
a target account through a mapping from:
• a user account login if the target account is included in a group configured for account
mapping (for further information, refer to Section 10.5.1.4, “Configure a target group for session
management through account mapping”, page 185)
• a login of an account in the vault of WALLIX Bastion it the target account is included in a group
configured for session management from accounts in the vault (for further information, refer to
Section 10.5.1.2, “Configure a target group for session management from an account in the
vault”, page 184).
This rule is set in the "Transformation rule " field on the configuration page for the related connection
policy, accessible from "Session Management" > "Connection Policies".
The character string includes the required field ${LOGIN} and possibly the optional field ${DOMAIN}
in an LDAP mapping context.
The transformation rule returns the string and replaces the fields ${LOGIN} and ${DOMAIN} with
the appropriate values (i.e. the login and domain).
The result corresponds to the login for connection on the target.
Note:
The transformation rule defined is ignored if the target account is included in a
group configured for interactive login (for further information, refer to Section 10.5.1.5,
“Configure a target group for session management through interactive login”, page 186).
Example 12.1. Examples of transformation rules:

'${DOMAIN}WIN2k3\${LOGIN}': addition of a suffix in the domain
'${LOGIN}': login forcing without any domain
'${LOGIN}@DOMAIN1': use of a different domain
12.8. Transformation rule to retrieve the

credentials of an account in the vault of WALLIX
Bastion
A character string-based transformation rule can be defined to retrieve the credentials of an existing
account in the vault of WALLIX Bastion for a target account configured for account mapping.
Therefore, this transformation rule is used to map a user account to an account located in the vault.
267
This transformation rule applies only when:
• the target account is in a group configured for account mapping (for further information,
refer to Section 10.5.1.4, “Configure a target group for session management through account
mapping”, page 185)
• the PUBKEY_VAULT and/or PASSWORD_VAULT authentication method must be selected in the
connection policy associated with the target
This rule is set in the “Vault transformation rule” field on the configuration page of the connection
policy, accessible from “Session management” > “Connection policies”.
The character string can include the following fields:
• ${USER}: this field is substituted by the user login

• ${DOMAIN}: this field is substituted by the user domain in the context of LDAP mapping
• ${USER_DOMAIN}: this field is substituted by the user login + “@” + user domain. If there is no
user domain, then ${USER_DOMAIN} is only substituted by the user login .
• ${GROUP}: this field is substituted by the user group concerned by the authorization
• ${DEVICE}: this field is substituted by the device name
A regular expression (or “regex”) can be specified for the transformation using this syntax: ${USER:/
regex/substitution}. For example, all user logins starting with “A” will be substituted by “B” if the
${USER} variable is specified as follows: ${USER:/Â/B}.
The transformation rule returns the string and substitutes the fields with the appropriate values.
The result corresponds to the account in the vault for which the credentials are to be retrieved. This
result can be viewed on the “Syslog” page in the “System” menu.
There are two types of accounts in the vault: local domain account and global domain account.
Their syntax is defined as follows:
• Local domain account: <Account_Name>@<Domain_Name>@<Device_Name>

– <Account_Name>: name of the account in the vault
– <Domain_Name>: name of the local domain in which the vault account is configured
– <Device_Name>: name of the device linked to the vault account
• Global domain account:
<Account_Name>@<Domain_Name>
– <Account_Name>: name of the account in the vault
– <Domain_Name>: name of the global domain in which the vault account is configured
Example 12.2. Examples of transformation rules:

Syntax for a local domain account:
${USER:/^bastion_/}_adm@local@${DEVICE}
The syntax is a regular expression which can be read as follows:
• ${USER: the transformation process applies to the user login

• /^bastion_: the check is performed on the login starting with “bastion_”
• /}: if the previous condition is fulfilled, then the field concerning the login is removed
268
• @local@: this field indicates the domain type

• ${DEVICE}: this field is substituted by the device name
If the login of the user is “bastion_user1” and the device of the target in account mapping is
“winprod”, then the result of the transformation is the vault account: user1@local@winprod.
Syntax for a global domain account:
${USER:/âdm_/adm_domain1_}@domain1
The syntax is a regular expression which can be read as follows:
• ${USER: the transformation process applies to the user login

• /âdm_: the check is performed on the login starting with “adm_”
• /adm_domain1_: if the previous condition is fulfilled, then the field concerning the login is
substituted by this value
• @domain1: this suffix is added after the substituted variable
If the login of the user starts with “adm_”, “adm_” is then substituted by “adm_domain1_” and
“@domain1” is added to the end of the login. Thus, if a user login is “adm_jdoe” then the result of
the transformation is the global domain account “adm_domain1_jdoe@domain1” in the vault.
12.9. Using an antivirus software or a DLP (Data

Loss Prevention) solution with ICAP
Connections to ICAP servers provided by antivirus software or DLP (Data Loss Prevention)
solutions can be configured to verify the validity of files transferred during RDP and SSH sessions.
The files which can be verified are those transferred via subprotocols SFTP and SCP
(SFTP_SESSION, SSH_SCP_UP and SSH_SCP_DOWN) during SSH session and from the copy/
paste function via the clipboard (RDP_CLIPBOARD_FILE) during RDP session.
File verification does not interfere with file transfer. The status returned by the ICAP server is logged:
• in the session metadata displayed from the "Session History" page on the "Audit" menu,
in the "Session metadata" area. For further information, refer to Section 12.3.4, “Session
history”, page 250 and Section 12.3.5, “Session recordings”, page 252.
• in SIEM messages, if the routing to a SIEM software is configured on WALLIX Bastion. For
further information, refer to Section 8.9, “SIEM integration”, page 54 and Chapter 17, “SIEM
12.9.1. Configuration of connection to ICAP servers

An ICAP server can be configured for each protocol (RDP and SSH) and for each transfer direction,
i.e.:
• for the files transferred as an “upload” operation from client to server (e.g. an antivirus software)
and
• for the files transferred as a “download” operation from server to client (e.g. a DLP solution)
The settings of ICAP servers can be defined from "Configuration" > "Configuration Options" > "RDP
proxy" (for RDP protocol) or "SSH proxy" (for SSH protocol) within the following sections:
269
• [icap_server_up] to configure the ICAP server for files transferred as an “upload” operation and
• [icap_server_down] to configure the ICAP server for files transferred as an “download” operation
For each ICAP server, these settings are as follows:
• “Host”: IP address or FQDN of the ICAP server

• “Port”: port of the ICAP server
• “Service name”: service name on the ICAP server
• “Tls”: option to select if TLS is enabled on the ICAP server
12.9.2. Enabling file verification

File verification can be enabled or disabled from "Session Management" > "Connection Policies" >
"RDP" (for RDP protocol) or "SSH" (for SSH protocol). By default, file verification is disabled.
In section [file_verification], the parameters to be entered are as follows:
• “Enable up”: option to select to enable verification of files transferred as an “upload” operation
by the ICAP server. The latter is configured in section [icap_server_up] from the configuration
options of the related proxy (accessible from "Configuration" > "Configuration Options" > "RDP
proxy" or "SSH proxy").
• “Enable down”: option to select to enable verification of files transferred as a “download” operation
by the ICAP server. The latter is configured in section [icap_server_down] from the configuration
options of the related proxy (accessible from "Configuration" > "Configuration Options" > "RDP
proxy" or "SSH proxy").
When the connection policy is defined on the RDP protocol, the section [file_verification] also
allows to enter the following parameters:
• “Clipboard text up”: option to select to enable verification of text transferred as an “upload”
operation from the copy/paste function via the clipboard by the ICAP servers. The “Enable up”
option must be selected to allow this verification.
• “Clipboard text down”: option to select to enable verification of text transferred as a “download”
operation from the copy/paste function via the clipboard by the ICAP servers. The “Enable down”
option must be selected to allow this verification.
12.9.3. Blocking file transfer on invalid verification

When file verification is enabled from the connection policy defined on the RDP or the SSH protocol
(see Section 12.9.2, “Enabling file verification”, page 270), the transfer of files detected as invalid
during verification can be blocked. This action can be carried out when using file copy/paste function
on the RDP protocol or during file transfer via SCP or SFTP on the SSH protocol (using FileZilla,
OpenSSH or WinSCP clients).
To do so, on the configuration page for the related connection policy, the parameters to be entered
in section [file_verification] are as follows:
• “Block invalid file up”: option to select to block file transfer for an “upload” operation when files
have been detected as invalid during verification
• “Block invalid file down”: option to select to block file transfer for a “download” operation when
files have been detected as invalid during verification
270
12.9.4. Enabling file storage on invalid verification

When file verification is enabled from the connection policy defined on the RDP or the SSH protocol
(see Section 12.9.2, “Enabling file verification”, page 270), the invalid transferred files can be
stored.
To do so, on the configuration page for the related connection policy, the option “On invalid
verification” in the field “Store file” below section [file_storage] must be selected.
The invalid transferred files can be viewed and downloaded from the "Session History" page on
the "Audit" menu, in the "Transferred files" area. For further information, refer to Section 12.3.4,
“Session history”, page 250 and Section 12.3.5, “Session recordings”, page 252.
Note:
Session recording must be enabled for the authorization defined (see Section 14.1, “Add
an authorization”, page 301) to allow the auditor to view and download the transferred
files from the "Session History" page on the "Audit" menu.
12.10. Enabling storage of files transferred

during the RDP or SSH session
The files transferred during the RDP or SSH session can be stored.
To do so, on the configuration page for the related connection policy, accessible from "Session
Management" > "Connection Policies" > "RDP" (for RDP protocol) or "SSH" (for SSH protocol), the
option “Always” in the field “Store file” below section [file_storage] must be selected.
The transferred files can be viewed and downloaded from the "Session History" page on the "Audit"
menu, in the "Transferred files" area. For further information, refer to Section 12.3.4, “Session
Note:
Session recording must be enabled for the authorization defined (see Section 14.1, “Add
an authorization”, page 301) to allow the auditor to view and download the transferred
files from the "Session History" page on the "Audit" menu.
12.11. Enabling smart card authentication on

targets for RDP protocol
WALLIX Bastion offers users the possibility to authenticate to Windows targets via the RDP protocol
with smart cards connected on the client desktop and the associated PIN code.
Please refer to the Release Notes document to view the list of smart cards compatible with WALLIX
Bastion.
Note:
The smart card authentication is only possible for the connection to targets through the
interactive login mechanism.
271
To enable this authentication method, it is necessary to:
• select the “RDP SMARTCARD” proxy option for the RDP service associated with the related
device from the menu “Targets” > “Devices” then “Services” tab
• select the “Force smartcard authentication” option accessible from “Session management” >
“Connection policies” > “RDP”, [rdp] section.
Warning:
After enabling this option, Network Level Authentication (NLA) will be disabled.
The credentials of a possible associated target account can no longer be used.
12.12. Setting up an AD authentication silo

12.12.1. General description
Silos provide a way to define a relationship between accounts in an AD domain (e.g. users,
computers) and enforce an anthentication strategy for the related accounts. Defining this
relationship assigns the related accounts to a silo. The main purpose of silos is to prevent privileged
user accounts from logging on computers of a lower trust level. By assigning users and computers
to a silo, users from the silo will only be allowed to log on computers that are part of the same silo.
The silo to be set up on the AD and then configured in the Bastion contains:
• The trusted target server: e.g. server2019.example.com

• The privileged user account: e.g. admin-t0
• The service account of the trusted computer (Bastion): e.g. service-t0
12.12.2. Procedure
12.12.2.1. Add the global domain
1. Create a global domain. This global domain will manage the global accounts which will be
used on AD silo: the privileged user account and the service account. To do so, from the
menu “Targets” > “Domains”, click on “+ Add a global domain”. For further information, refer to
Section 10.3.1, “Add a global domain”, page 162.
2. Enter the corresponding fields. As an example, enter “ad-win2019” in the “Name” field and
“example.com” in the “Real name” field.
3. Click on “Apply”.
12.12.2.2. Add the global accounts

1. Add the first global account to the global domain. To do so, from the menu “Targets” > “Accounts”
> “Global accounts”, click on “+ Add”. For further information, refer to Section 10.3.4, “Add an
account to the global or a local domain”, page 165.
2. Enter the corresponding fields to create the privileged user account. As an example, enter
“admin-t0” in the “Account name” field.
4. Add the second global account to the global domain.
272
5. Enter the corresponding fields to create the service account. As an example, enter “service-t0”
in the “Account name” field and “service-t0$” in the “Account login” field.
Warning:
Add the “$” symbol at the end of the service account login to identify this account as
a Bastion service account.
12.12.2.3. Add a Kerberos-Password external authentication

1. Create a Kerberos-Password external authentication from the “External authentications” page
in the “Configuration” menu. For further information, refer to Section 9.8.1.2, “Add a Kerberos-
Password external authentication”, page 111.
2. Enter the corresponding fields. As an example, enter “ad-kerb” in the “Name” field,
“EXAMPLE.COM” in the “Realm name” field and “ad-win2019.example.com” in the “Key
distribution center” field. The latter is the FQDN of the domain controller. The parameter
configuration of this external authentication will be used by the AD silo feature to initiate the
session of the privileged user account on the target for the secondary connection.
3. Add the keytab file.
Warning:
To create a Kerberos external authentication, the keytab file must be valid. This file
is generated on the key distribution center described above.
12.12.2.4. Add an RDP connection policy

1. Add an RDP connection policy from the “Connection policies” page in the “Session
management” menu. For further information, refer to Section 12.4.1, “Add a connection
policy”, page 262. This new RDP connection policy will be configured to support “Kerberos
armoring”.
2. Enter the “Policy name” field.
3. Check the box of the “Advanced options”.
4. Check the box to enable kerberos in the “[rdp]” section.
5. Enter the following fields:
• “Krb armoring account”: e.g. “service-t0@ad-2019”
• “Krb armoring realm”: e.g. “EXAMPLE.COM”
• “Krb armoring fallback user”
• “Krb armoring fallback password”
12.12.2.5. Add a device

1. Add a device from the “Devices” entry in the “Targets” menu. For further information, refer to
Section 10.1.1, “Add a device”, page 135.
273
2. Enter the corresponding fields in the “General” tab. As an example, enter “server2019” in the
“Name” field and “server2019.example.com ” in the “IP address or FQDN” field.
4. Add a service in the “Services” tab by clicking on the “+ Add [RDP]” button.
5. Enter the “Service name” field and the “Connection policy” field in accordance with the RDP
connection policy previously created for silo.
6. Click on “Apply and close”.
12.12.2.6. Create the target accounts

1. Add a target group from the “Groups” entry in the “Targets” menu. For further information, refer
to Section 10.5.1, “Add a target group”, page 183.
2. Enter the “Name” field in the “General” tab.
4. Select “Account” in the dropdown list of the “Session management targets” tab to add the first
target account.
5. Select “A device and global accounts” in the dropdown list of the “From” field.
6. Enter the fields to add this first target account related to the privilege user account (e.g. admin-
t0).
7. Click on “Add and close”.
8. Select “Scenario account” in the dropdown list of the “Session management targets” tab to add
the second target account.
9. Select “A global domain and related accounts” in the dropdown list of the “From” field.
10. Enter the fields to add this second target account related to the service account (e.g. service-
t0$).
11. Click on “Add and close”.
12. The AD authentication silo is configured. Create a user group and an authorization using the
target group previously configured to allow authorized users to connect to the target. For further
information, refer to Section 14.1, “Add an authorization”, page 301.
12.13. Configuration of recorded sensitive data

in logs for RDP protocol
It is possible to configure the display or hiding of given sensitive data in logs during the recorded
RDP session.
Thus, the option “Keyboard input masking level”, accessible from “Session Management” >
“Connection Policies” > “RDP”, below section “session log” allows to configure if keyboard inputs,
passwords or unidentified texts are displayed or hidden in the session metadata.
This information can be viewed from the "Session History" page on the "Audit" menu, in the "Session
metadata" area. For further information, refer to Section 12.3.4, “Session history”, page 250 and
Section 12.3.5, “Session recordings”, page 252.
12.14. Allowing or rejecting dynamic virtual

channels for RDP protocol
274
Dynamic virtual channels can be open during connection to the RDP session to transfer any type
of data.
It is possible to configure the dynamic virtual channels which can be allowed or rejected during the
RDP session.
These channels can be specified in the fields "Allowed dynamic channels" and "Denied dynamic
channels" below the "rdp" section on the configuration page related to the RDP connection policy.
By default, all dynamic virtual channels are allowed. The configuration in the field "Denied dynamic
channels" has precedence over the one set in the field "Allowed dynamic channels".
When attempting to open a dynamic virtual channel, the information related to its authorization or
rejection is logged:
• in the session metadata displayed from the "Session History" page on the "Audit" menu,
in the "Session metadata" area. For further information, refer to Section 12.3.4, “Session
• in SIEM messages, if the routing to a SIEM software is configured on WALLIX Bastion. For
further information, refer to Section 8.9, “SIEM integration”, page 54 and Chapter 17, “SIEM
Warning:
Rejecting dynamic virtual channels may disturb RDP connections.
12.15. Log configuration of all the keyboard

input for RLOGIN, SSH and TELNET protocols
The log of all keyboard input, whether displayed or not on the terminal, can be configured for all the
connection policies based on RLOGIN, SSH and TELNET protocols.
This full log can be enabled by selecting the option "Log all kbd" on the configuration page for the
related connection policy, accessible from "Session Management" > "Connection Policies".
When this option is disabled, then only keyboard input displayed on the terminal is logged.
This information can be viewed from the "Session History" page on the "Audit" menu, in the "Session
metadata" area. For further information, refer to Section 12.3.4, “Session history”, page 250 and
Section 12.3.5, “Session recordings”, page 252.
Warning:
When this option is enabled, the passwords entered during session are logged and then
displayed as plain text.
12.16. TELNET/RLOGIN connection scenario on

a target device
275
An authentication sequence can be declared by specifying the "Scenario" field on the configuration
page related to the connection policy for the TELNET or RLOGIN protocol. This page can be
accessed from "Session Management" > "Connection Policies". For further information, refer to
Section 12.4, “Connection policies”, page 261.
This sequence can be used to interpret commands sent by an interactive shell and to automate
logon. This pseudo language includes the following syntax:
• SEND: sends a character string

• EXPECT: expects to receive a character string within the next 10 seconds. This value must be
labelled in the server's language.
• (?i): ignores the case
• $login: sends a user name
• $password: sends a password
The following sequence (supported on a 3Com Superstack switch accessible via TELNET):
SEND:\r\n
EXPECT:(?i)login:
SEND:$login\r\n
EXPECT:(?i)Password:
SEND:$password\r\n
is interpreted as follows:
• sends a carriage return

• expects to receive the "login" string (ignoring the case)
• sends the user name followed by a carriage return
• expects to receive the "password" string (ignoring the case)
• sends the password followed by a carriage return
This sequence should also work for TELNET servers running under Windows.
For TELNET servers running under Unix or Linux, you should rather use the following sequence:
EXPECT:(?i)login:
SEND:$login\n
SEND:$password\n
For RLOGIN devices, only the password is expected. As an example, the following authentication
sequence has been tested for a RLOGIN connection to a Debian 5.0 lenny system:
SEND:$password\n
Note:
As a rule of thumb, login is already provided for SSH connections (in keyboard interactive
mode) and RLOGIN connections. It is necessary to provide it in the sequence only for
TELNET connections.
276
12.17. Configuration of cryptographic

algorithms supported on target devices
The cryptographic algorithms supported on target devices can be configured in the pages related
to the connection policies for the RDP or SSH protocols as detailed in the following sections.
12.17.1. SSH cryptographic settings on target devices

The cryptographic algorithms allowed on target devices can be declared by specifying them in the
fields below the "algorithms" section on the configuration page related to the connection policy for
the SSH protocol. This page can be accessed from "Session Management" > "Connection Policies".
When no algorithm is entered, then all algorithms supported by the SSH proxy are allowed on the
target devices.
By default, no algorithm is listed in the fields to ensure highest compatibility with target servers.
Warning:
This section is displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. It should ONLY be changed upon instructions from
the WALLIX Support Team!
12.17.2. RDP cryptographic settings on target devices

The cryptographic algorithms allowed on target devices can be declared by specifying them in
specific fields below the "rdp" section on the configuration page related to the connection policy for
the RDP protocol. This page can be accessed from "Session Management" > "Connection Policies".
These fields are as follows:
• “Tls min level”: minimum TLS version level supported. By default, no minimum level is set in this
field to ensure highest compatibility with target servers.
• “Tls max level”: maximum TLS version level supported. By default, no maximum level is set in
this field to ensure highest compatibility with target servers.
• “Cipher string”: additional cryptographic algorithms used for TLSv1.2 connections supported
by client. By default, no value is specified in this field to apply system-wide configuration
corresponding to SSL security level 2. The value “ALL” must be set to support all cryptographic
algorithms and ensure highest compatibility with target servers.
• “Show common cipher list”: option to select to show in log files the list of common algorithms
supported by client and server
12.18. Connecting to a VNC session over an

SSH tunnel
An unencrypted connection to a VNC server can be secured by tunneling the VNC connection over
an SSH tunnel.
For this to work, it is required to use an SSH server on which a TCP forwarding tunnel is enabled
(e.g.: the “AllowTcpForwarding” option for OpenSSH). It is also recommended that the VNC server
is only available in local.
277
The VNC connection over an SSH tunnel can be enabled from the configuration page related to the
connection policy for the VNC protocol. This page can be accessed from “Session management” >
“Connection policies” > “VNC” > section [vnc_over_ssh].
This section consists of the following fields:
• “Enable”: this check box allows you to enable or disable the VNC connection over an SSH tunnel.
By default, this option is disabled.
• “Ssh port”: the SSH port number to establish the connection. By default, the port is 22 and can
be modified if needed.
• “Tunneling credential source”: the source of the credentials needed to create and establish the
SSH tunnel; either the credentials of the connection policy (“static_login”) or the credentials of
the scenario account (“scenario_account”)
• “Ssh login” and “Ssh password”: the credentials of the SSH server provided in the connection
policy to be entered when the “static_login” option is selected in “Tunneling credential source”
• “Scenario account name”: the name of the scenario account to be entered when the
“scenario_account” option is selected in “Tunneling credential source”. The recommended
syntaxes for this field are:
– “account@global_domain” for a scenario account on a global domain
– “account@local_domain@” for a scenario account on a local domain
Important:
It is recommended to associate the global domain (when not associated with an
external vault) or the local domain (domain type “Local for a device”) with an SSH
Certificate Authority to use the certificate-based authentication. If the association has
not been made, the key-based authentication will be used. For more information, refer
to Section 10.3.1, “Add a global domain”, page 162.
12.19. SSH startup scenario on a target device

A startup scenario can be declared by specifying the "Scenario" field below the "startup scenario"
section on the configuration page related to the connection policy for the SSH protocol. This page
can be accessed from "Session Management" > "Connection Policies".
For example, it can be used at the beginning of the SSH Shell session to assign the user the "root"
privileges using "su" and "sudo" commands without having knowledge of the password.
Note:
A startup scenario can also be used for Shell sessions on TELNET and RLOGIN
protocols. It can be declared by specifying the “Scenario” field below the “startup
scenario” section on the configuration page related to the connection policy defined for the
TELNET or RLOGIN protocol. This page can be accessed from “Session management”
> “Connection policies”.
12.19.1. Commands
A scenario is a sequence of commands separated by a carriage return: a line of the scenario
corresponds to a command.
278
A command is defined by a type and value pair separated by a colon ':' TYPE:VALUE.
A command starting with # will be ignored.
This startup scenario consists of a sequence of commands based on response request and data
sending. These commands are executed at the beginning of a Shell session related to an SSH
target. The syntax includes the following commands:
• SEND: this command sends the value associated with the server and goes ahead with the
scenario.
The associated value may include a token (refer to Section 12.19.2, “Token”, page 279).
See the example below to send the interactive "sudo" command:
SEND:exec sudo -i
• EXPECT: this command waits for a response from the server in relation to the associated value
before continuing the execution of the scenario.
The associated value is a regular expression. It may include a token (refer to Section 12.19.2,
“Token”, page 279) which will be interpreted before the regular expression. This value must be
labelled in the server's language.
See the example below to wait for a command prompt:
EXPECT:.*@.*:~$
If after a given period of time, no response from the server corresponds to the associated value,
then the scenario fails.
A scenario failure ends the session.

During the scenario execution, no action from the user is permitted except the use of CTRL+C or
CTRL+D to stop the process. This causes the scenario failure and ends the session.
The user takes over the terminal when the scenario has been successfully completed.
Warning:
If no EXPECT command is used, the scenario will execute the SEND command once the
connection is established and will not wait for a data output.
If sensitive data is used, it is strongly recommended to use EXPECT commands.
Even if the “Show output” box is unchecked, it is necessary to use the EXPECT command
to avoid displaying data output in the terminal.
12.19.2. Token
The value of a command may include a token.
A token is a part of the value which will be replaced by an attribute provided by the SSH proxy or
WALLIX Bastion.
A token is represented by the following syntax: ${type} or ${type:param} and is defined by a
type and an optional parameter.
The following token types can be used: login, password and user.
279
There is no parameter to provide for the user token type.

If no parameter is provided for the token types login and password, then the attribute will be the
one of the target account in the current session.
• ${login}: login of the current target account

• ${password}: password of the current target account
• ${user}: login of the primary account, i.e. login of the WALLIX Bastion user
If a parameter is provided, it specifies the account in WALLIX Bastion for which the parameters
("login" and "password") are to be retrieved.
• ${login:account@domain}: login of a global domain account

• ${password:account@domain}: password of a global domain account
• ${login:account@domain@}: login of an account on the current local domain for a device
• ${password:account@domain@}: password of an account on the current local domain for a
device
It is also possible to use placeholder attributes in the token parameter to specify a given scenario
account. The following placeholder attributes can be used:
• <user>: user name

• <user_group>: user group name of the current authorization
• <target_group>: target group name of the current authorization
• <authorization>: name of the current authorization
• <account>: account name of the current target
• <account_domain>: account's domain name of the current target
• <device>: device name of the current target
• <service>: device's service name of the current target
As an example, the token ${password:<user>_root@domain} for the user “wabuser” will be

superseded by ${password:wabuser_root@domain} and then replaced by the password of
the scenario account wabuser_root@domain (global account).
As an example, the token ${login:<account>_<device>@sqldomain} for a user
connected to the target admin@local@sqldevice:SSH:adminauth will be superseded by
${login:admin_sqldevice@sqldomain} and then replaced by the login of the scenario
account admin_sqldevice@sqldomain (global account).
The scenario fails if no attribute has been retrieved for the token.
See the example below of a script for privilege elevation using the "sudo" command:
SEND:exec sudo -i
EXPECT:password.*:
SEND:${password}
See the example below of a script for switching user on a "root" account on the same device using
the "su" command:
SEND:exec su - root
EXPECT:Password:
SEND:${password:root@local@}
280
See the example below of an interactive access to a MySQL database on a global domain in WALLIX
Bastion:
SEND:exec mysql -u ${login:<account>_<device>@sqldomain} -p mybdd

EXPECT:password:
SEND:${password:login:<account>_<device>@sqldomain}
12.19.3. Startup scenario configuration

A startup scenario configured in the section "startup_scenario" for the connection policies based
on the SSH protocol.
This mode can be enabled by selecting the "Enable" check box on the configuration page related to
the connection policy for the SSH protocol. This page can be accessed from "Session Management"
> "Connection Policies".
This section consists of the following fields:
• "Enable": this check box allows to enable or disable the startup scenario. By default, this option
is disabled.
• "Scenario": a startup scenario can be declared in this field.
• "Show output": this check box allow to display or hide inputs/outputs on the Shell during the
scenario execution. By default, this option is enabled.
• "Timeout": this field allows to define the time period (expressed in seconds) before the failure of
an EXPECT command.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top
• "Ask startup": this check box allows to enable or disable a prompt to ask the user if he/she wishes
to run the scenario. By default, the scenario is necessarily executed.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top
12.20. Transparent mode configuration for RDP

and SSH proxies
The transparent mode allows the proxy to intercept network traffic for a target even when the user
specifies the target's address directly, instead of using the WALLIX Bastion address.
This mode can be enabled from "Configuration" > "Configuration Options":
• on the "RDP proxy" configuration page by selecting "Enable transparent mode" below section
"globals"
281
• on the "SSH proxy" configuration page by selecting "Enable transparent mode" below section
"main"
In order to use the transparent mode, the network should be configured in a way that the RDP or
SSH traffic going to the targets is first redirected to a WALLIX Bastion user network interface. It
could be achieved using routing rules. WALLIX Bastion then acts as a gateway.
The proxy intercepts the traffic sent to the TCP port 3389 (for RDP and VNC protocols). Any traffic
not destined to WALLIX Bastion but intercepted by the WALLIX Bastion on any other port (other
that 3389) is lost.
The proxy picks up automatically the target by looking at the destination IP address of the
connection. When only a single target is identified by the address, the connection is performed
automatically without the display of the selector. In the other cases, the selector displays the list of
targets matching this address.
Moreover, it is possible to define a set of targets belonging to a subnet. This is achieved by entering
a subnet instead of an IP address in the "Device host" field during the creation of the device, from
the "Devices" page, by using a CIDR notation (<network address>/<number of mask bits>). For
further information on this configuration, refer to Section 10.1.1, “Add a device”, page 135.
If the destination IP address of the connection corresponds to several targets and at least of one
these is defined by an IP address (or FQDN), then the targets defined by subnets are ignored.
When only a single target is identified by the address, the connection is performed automatically
without the display of the selector.
Once the RDP or SSH transparent mode is enabled, the following parameters can be set to control
the proxy behavior:
• The option "Auth mode passthrough" (accessible from "Configuration" > "Configuration Options"
> "SSH proxy" for SSH; or "Configuration" > "Configuration Options" > "RDP proxy sesman"
for RDP) enables or disables authentication delegation. The latter prevents WALLIX Bastion
from performing the authentication when it receives a connection request. The request is
then forwarded directly to the target and WALLIX Bastion authorizes the connection if the
authentication by the target is successful. It allows to deploy WALLIX Bastion in an environment
where only the target knows the credentials; this is the case for some configurations of VMware
Horizon View for instance.
• The "Default login" field (accessible from "Configuration" > "Configuration Options" > "SSH proxy"
for SSH; or "Configuration" > "Configuration Options" > "RDP proxy sesman" for RDP) allows to
specify WALLIX Bastion user different from the RDP or SSH identity. In this case, the sessions and
their records will be associated to this WALLIX Bastion user. The RDP or SSH identity information
is registered in the target field when available.
12.21. Enabling KeepAlive function for the

proxies
The KeepAlive function allows to keep a session open even if there is no network traffic between
WALLIX Bastion and the client or the target server. A message is then sent by WALLIX Bastion to
the client or the target server to keep the connection between them.
12.21.1. Enabling KeepAlive function for connection

between the RDP proxy and the RDP client
282
This function is enabled when the time interval between two KeepAlive messages is set. This interval
is expressed in milliseconds. This parameter can be managed via "Configuration" > "Configuration
Options" > "RDP proxy", then specify the appropriate value in the option "Rdp keepalive connection
interval". This value is set to "0" by default: the function is then disabled.
Warning:
RDP clients based on FreeRDP may conflict with KeepAlive messages.

between the SSH proxy and the SSH client
This function is enabled when the time interval between two KeepAlive messages is set. This interval
is expressed in seconds. This parameter can be managed via "Configuration" > "Configuration
Options" > "SSH proxy", then specify the appropriate value in the option "Client keepalive". This
value is set to "120" by default: the function is then enabled for a time interval set to 2 minutes
between two KeepAlive messages.
Warning:

between the SSH proxy and the SSH target server
This function is enabled by specifying the following fields below the “session” section on the
configuration page related to the connection policy for the SSH protocol, accessible from "Session
Management" > "Connection Policies":
• "Server keepalive type": this option enables the sending of the Keepalive message to the server
and also allows to choose the packet type to send. The value "none" is selected by default: the
function is then disabled.
• "Server keepalive interval": this option allows to specify the time interval in seconds between two
KeepAlive messages, when the function has been enabled by selecting the packet type to send
from the option "Server keepalive type". This value is set to "0" by default: the function is then
disabled.
Warning:
These fields are displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. They should ONLY be changed upon instructions
12.22. Using the session probe mode

The session probe allows the collection of a rich set of session metadata related to the activity of
users. This information can be sent to a SIEM software to identify significant events. For further
information, refer to Section 8.9, “SIEM integration”, page 54.
283
The session probe requires no specific deployment. It runs in the user's RDP session according to
their privileges. Consequently, it does not increase the attack surface of the information system.
This mode can be enabled by selecting the option "Enable session probe" on the configuration page
related to the connection policy for the RDP protocol. This page can be accessed from "Session
Management" > "Connection Policies".
Metadata collected by the session probe refers to the following events:
• change of active window

• operation on a button in a window
• selection of a radio button or a check box in a window
• change of content in a text field on a window
• change of the layout of the keyboard keys
• starting and ending of a process
• exchange of files via the clipboard
• exchange of files via redirected local drives
The session probe can also block the TCP jump connections. A jump connection passes through a
WALLIX Bastion target to access another machine on the internal network. The session probe can
then detect and stop this type of connection.
The session probe provides protection of the passwords entered in the session by detecting the
input cursor into password input fields or a UAC (User Account Control) window. When such an
event occurs in the session, the session probe informs WALLIX Bastion so that the latter can pause
the collection of keyboard input data.
12.22.1. Default operating mode

The session probe is enabled by default on the configuration page related to the connection policy
for the RDP protocol, which can be accessed from "Session Management" > "Connection Policies".
If startup fails, WALLIX Bastion can be configured to try a new connection without using session
probe. This catch-up mechanism ensures the access to a usable RDP session but lengthens the
time required to set up the connection. The default operation mode has been designed for the
parameter setting phase and should not be used for production purpose.
If the session probe stops for any reason, WALLIX Bastion will stop the current session.
As for a classic RDP session, if the user disconnects without closing a session using the session
probe, the session will continue to operate through the remote desktop service (for a predetermined
period). During this time interval, the user can return to the session exactly where they left it.
To ensure security, the session probe implements a mechanism which prevents the user from
recovering an incompatible session instead of the current one.
The discrepancies which may prevent a session to be recovered by another one are as follows:
• a difference in primary account

• a difference in the target type ("device" or "application")
• a difference in the target application
If WALLIX Bastion detects that it is not possible to recover the RDP session, the current connection
is closed and a new one will take over in a transparent way for the user.
284
12.22.2. Choice of the launcher

The smart launcher is used by default for a normal RDP session. However, the standard launcher
can be used by editing the connection policy, which can be accessed from "Session Management"
There is an exception: when the RDP client has specified a program to run at connection startup,
then the standard launcher is used for the session probe.
The connection to an application (as defined via "Targets" > "Applications") can only be made
through the standard launcher. This selection is automatically performed by the RDP proxy.
The session probe operates under a Windows operating system with the Remote Desktop services
supporting the "alternate shell" function.
Environments under Windows XP and servers from Windows Server 2003 support the smart
launcher.
When the smart launcher is used:
• the redirection of clipboard must be allowed by Remote Desktop Services (or Terminal Services)
on the target. This is the default setting.
• the keyboard shortcut Windows+R must be enabled at the level of the group policies for
the target (this is the default setting). Keyboard shortcuts can be disabled via "Local Group
Policy Editor" > "User Configuration" > "Administrative Templates" > "Windows Components" >
"Windows Explorer" or "File Explorer" > "Turn off Windows+X hotkeys" or "Turn off Windows Key
hotkeys".
The standard launcher only operates on targets under Windows Server and Windows XP
environments. It does not support targets under Windows 7, 8.x and 10.
From Windows Server 2008 and only when the standard launcher is used, it is
necessary to publish the "Command Prompt" (cmd.exe) as the RemoteApp program.
For further information, refer to https://technet.microsoft.com/en-gb/library/
cc753788.aspx. Moreover, all command line parameters must be allowed for this
program by selecting the radio button "Allow any command-line parameters" in the
"Remote Desktop Connection Program properties" dialog box. For further information, refer
to https://blogs.technet.microsoft.com/infratalks/2013/02/06/publishing-
remoteapps-and-remote-session-in-remote-desktop-services-2012/.
The redirection of local disks must be allowed by Remote Desktop Services (or Terminal Services)
on the target. This is the default setting.
The temporary folder of the secondary account (Windows account) must allow at least 5MB free
disk space.
The Windows user account must be able to launch batch script and executables from his own
temporary directory (this is the default setting). It is possible to set a software restriction via "Local
Group Policy Editor" > "Computer configuration" > "Windows Settings" > "Security Settings" >
"Software Restriction Policies" by adding a new rule in "Additional Rules".
When opening a new RDP session, applications that launch automatically at startup and require a
user account control (UAC) confirmation request may block the session probe. We recommend not
configuring the automatic launch of applications requiring a UAC confirmation request.
285
12.22.4. Configuration
The configuration of the session probe is set on the configuration page related to the connection
policy for the RDP protocol, which can be accessed from "Session Management" > "Connection
Policies". The section "session probe" lists the following parameters:
"Enable session probe" field
Select/deselect the check box to enable/disable the session probe.
"Use smart launcher" field
Select/deselect the check box to enable/disable the use of the Smart Launcher when launching
the session probe.
Warning:
The smart launcher is only available for standard RDP sessions.
When connecting to an application, only the standard launcher is used. The RDP proxy
automatically chooses to launch the standard launcher.
Unlike the standard launcher, the smart launcher does not require the command prompt
(cmd.exe) to be published as a RemoteApp program.
The redirection of clipboard must be enabled by Terminal Services to be able to use the
smart launcher (this is enabled by default).
"Enable launch mask" field
The session probe is loaded by a batch script. Without WALLIX Bastion, this script will cause the
display of a non-user friendly black console window in the RDP session. Moreover, the user may
interact with it and disrupt the loading process. Enabling the launch mask can block the display as
well as mouse and keyboard inputs during the loading of the session probe loading phase. As a
consequence, the console window becomes invisible.
Data displayed in the console window is useful to diagnose any loading problem concerning the
session probe. This is the reason why the user has the possibility to disable the launch mask.
Warning:
"On launch failure" field
Select the desired behavior in the event of a failed launch of the session probe.
The option "0: ignore failure and continue" may not operate properly under some versions of
Windows.
"Launch timeout" field
This field is used when the behavior selected in the "On launch failure" field corresponds to "1:
disconnect user". It allows to specify the waiting time (expressed in milliseconds) before WALLIX
Bastion considers the failure of the session probe launch.
286
Warning:
"Launch fallback timeout" field
This field is used when the behavior selected in the "On launch failure" field corresponds to "0:
ignore failure and continue" or "2: reconnect without Session Probe". It allows to specify the waiting
time (expressed in milliseconds) before WALLIX Bastion considers the failure of the session probe
launch.
Warning:
"Start launch timeout timer only after logon" field
Select the check box to optimize the launching of the session probe.
Warning:
Only servers from Windows Server 2008 and above are supported!
"Keepalive timeout" field
This field allows to specify the maximum waiting time (expressed in milliseconds) between the
issue from WALLIX Bastion of a request from KeepAlive to the session probe and the receipt of
the corresponding response.
WALLIX Bastion sends KeepAlive messages to the session probe on a regular basis. Without a
response from the latter and at the expiration of the period defined here, WALLIX Bastion will
consider that the session probe is no longer active and will stop the connection.
WALLIX Bastion can also stop the connection when the behavior selected in the "On keepalive
timeout" field corresponds to "1: disconnect user".
Warning:
"On keepalive timeout" field
Select the desired behavior when a loss of response to the KeepAlive message is detected.
The option "2: freeze session and wait for next keepalive response" freezes the current session
and displays an error message. The session will be reactivated upon receipt of the response to the
KeepAlive message.
287
"End disconnected session" field
If this check box is selected then disconnected sessions will be automatically closed by the session
probe.
Warning:
A network failure may cause the disconnection of the current RDP sessions. If this option
is enabled, any unsaved data will be lost.
"Enable log" field
If this check box is selected then the log files for the Windows session are stored on the user's
temporary directory.
We recommend not keeping this log active for a long period as it may be rather verbose and cause
hard disk saturation.
Warning:
"Enable bestsafe interaction" field
Select/deselect the check box to enable/disable the interaction of the session probe with the
WALLIX BestSafe agent. For further information, refer to Section 12.23, “Using the session probe
mode with the WALLIX BestSafe agent”, page 291.
"Public session" field
If this check box is selected then a disconnected session (i.e. which has not been signed off by the
user) can be recovered by another user.
"Outbound connection monitoring rules" field
This field allows to specify the rules for blocking TCP jump connections.
These rules are generally formed as follows: <$prefix:><connection address:port>.
The rules are separated between them by a comma (",").
The following formats are allowed for the destination port:
• a specific port, e.g.: "3389"

• any port. In this case: "0" or "*"
• an inclusive port range, e.g.: "1024-65535". One of the two range values can be omitted. In this
case, "1" is the default value for the range beginning and "65535" is the default one for the range
end.
An authorization rule is formed with the $allow prefix. It allows the connection to remote hosts.
A notification rule is formed with the $notify prefix. It allows the connection to remote hosts and
the generation of a notification.
288
A prohibition rule is formed with the $deny prefix. It prohibits the connection. The $deny prefix
can be omitted. A rule formed with the $deny prefix has precedence over a rule formed with the
$notification prefix for the same connection address.
As an example, to prohibit all RDP jump connections, the following rule can be entered:
"$deny:0.0.0.0/0:3389" or "0.0.0.0/0:3389".
"Process monitoring rules" field
This field allows to specify the monitoring rules when processes are launched.
These rules are generally formed as follows: <$prefix:><search pattern>.
The rules are separated between them by a comma (",").
A notification rule is formed with the $notify prefix. It allows to generate a notification.
E.g.: $notify:notepad.exe: the opening of the application notepad.exe is notified but not forbidden.
A prohibition rule is formed with the $deny prefix. In addition to notification, it allows to stop the
process. The $deny prefix can be omitted. A rule formed with the $deny prefix has precedence
over a rule formed with the $notification prefix.
E.g. 1: $deny:notepad.exe: the opening of the application notepad.exe is forbidden and notified.
E.g. 2: notepad.exe,cmd.exe: the opening of the applications notepad.exe and cmd.exe is
forbidden and notified.
E.g. 3: $notify:notepad.exe,$deny:notepad.exe: same result as for E.g. 1 above.
Moreover, the rules formed with <$prefix:><@> apply to all the child processes of the application
(as defined via "Targets" > "Applications"). Thus, if this rule is:
• $deny:@, then the opening of any child process (whatever the name) is forbidden and notified
• $notify:@, then the opening of any child process (whatever the name) is notified but not forbidden
"Extra system processes" field

This field allows to specify the processes which must be ignored at end of application detection.
The processes are separated between them by a comma (",").
"Childless window as unidentified input fied" field
If this check box is selected then the data entered (such as passwords) in top-level windows of
applications are masked when no graphic component has been detected.
These windows are then considered as unidentified input fields.
Warning:
This parameter only works if the value “2: passwords and unidentified texts are masked”
has been selected in “Keyboard input masking level” below section “session log”, for
information display in the session metadata.
"Windows of these applications as unidentified input fied" field

If application executable files (e.g. "chrome.exe") are specified in this field, then the data entered
in the windows generated by these applications are masked.
These windows are then considered as unidentified input fields.
289
The executable files are separated between them by a comma (",").
Warning:
This parameter only works if the value “2: passwords and unidentified texts are masked”
has been selected in “Keyboard input masking level” below section “session log”, for
information display in the session metadata.
“Disabled feature” field
This field allows you to enter values to disable certain technologies used by the session probe mode,
such as “MS Active Accessibility” and “MS UI Automation”. Disabling these technologies helps to
overcome compatibility issues and limit the CPU load generated by the session probe mode.
Please note that when these technologies are disabled, passwords entered in the dedicated
application fields may be visible in the session logs.
These technologies can only be safely disabled together in an application session running a Java
application.
12.22.5. Launching the session probe from a specific

directory
By default, the session probe is executed automatically from the temporary directory of the Windows
user account when connecting to the target to perform an RDP session. However, hardware
restrictions may sometimes prevent this execution. It is then possible to define another directory
from which the session probe will be launched.
To enable the launch of the session probe from another location than the temporary directory of the
Windows user account, the procedure is as follows:
1. Create a new directory on the target which will be used as the startup directory by the session
probe.
Important:
All Windows users must have write permission.
2. Set an environment variable for all Windows users on the target pointing to this new directory.
Important:
The maximum length of the environment variable name is restricted to 3 characters.
3. Specify the name of this environment variable in the field “Alternate directory environment
variable” (displayed as an advanced option) below section “session probe” on the configuration
page related to the connection policy for the RDP protocol. This page can be accessed from
“Session Management” > “Connection Policies”.
Warning:
The session probe executable file will thus remain in the directory. This file will be
overwritten on next connection.
290
12.23. Using the session probe mode with the

WALLIX BestSafe agent
When the agent WALLIX BestSafe is deployed on a Windows target, it may interact with the session
probe to improve its collection of session metadata.
Note:
The interaction is supported from WALLIX BestSafe Enterprise version 4.0.0.
12.23.1. Enabling the interaction with the WALLIX BestSafe

agent
The session probe is enabled by default on the configuration page related to the connection policy
for the RDP protocol, which can be accessed from "Session Management" > "Connection Policies".
By default, the interaction with the WALLIX BestSafe agent is disabled. This parameter can be
managed via "Session Management" > "Connection Policies" > "RDP", then select the option
"Enable bestsafe interaction" below section "session probe".
12.23.2. Event logging

The session probe receives notifications of all events detected and/or generated by the WALLIX
BestSafe agent deployed on Windows targets. These notifications are then transferred and logged
to WALLIX Bastion through the session metadata and the SIEM messages.
12.23.3. Detection of outbound connections

The session probe automatically creates a monitoring rule from the WALLIX BestSafe agent in
order to be notified of outbound connections. When a notification is received from the agent,
the session probe responds according to the rules (allow, deny, or notify) set in the "Outbound
connection monitoring rules" field. For further information on this field, refer to Section 12.22.4,
“Configuration”, page 286. The initial operation is always provided on Windows targets on which
the WALLIX BestSafe agent is not deployed.
12.23.4. Detection of process launching

The session probe automatically creates a privilege rule from the WALLIX BestSafe agent in
order to be notified when processes are launched. When a notification is received from the
agent, the session probe responds according to the rules (allow, deny, or notify) set in the
"Process monitoring rules" field. For further information on this field, refer to Section 12.22.4,
“Configuration”, page 286. The initial operation is always provided on Windows targets on which
the WALLIX BestSafe agent is not deployed.
12.24. Load balancing with Remote Desktop

Connection Broker
Remote Desktop Connection Broker (RD Connection Broker) is a role service on Windows Server
2012 and 2016 operating systems providing the specific functionalities to:
291
• allow users to reconnect to their existing sessions in a load-balanced RD Session Host server
farm
• enable you to evenly distribute the session load among RD Session Host servers in a load-
balanced RD Session Host server farm
• provide users access to virtual desktops hosted on RD Virtualization Host servers and to
RemoteApp programs hosted on RD Session Host servers through RemoteApp and Desktop
Connection.
Figure 12.16. Load balancing
WALLIX Bastion supports Remote Desktop Connection Broker with the following configuration:
• at least one server must have access to the role service RD Connection Broker
• at least one server must have access to the role service RD Licensing
• at least one server must have access to the role service RD Web Access
• role services RD Connection Broker, RD Licensing and RD Web Access can share the same
server
• several servers must have access to the role service RD Session Host
Caution:
We recommend not installing the role service RD Session Host on a server having access
to the role service RD Connection Broker.
RD Connection Broker cannot be used with a WALLIX Bastion cluster as a result of
interferences between both services. We strongly recommend giving priority to RD
Connection Broker in the context of load balancing.
It is not necessary to choose among Remote Desktop or RemoteApp collections when resources
are accessed via the WALLIX Bastion Web interface. Indeed, WALLIX Bastion uses RemoteApp
collections for all connections.
RD Connection Broker must be set on RD Session Host servers. This can be performed locally (on
each RD Session Host) with Local Group Policy Editor (gpedit.exe).
292
The values to edit are located on the following subfolders:
• Local Computer Policy

• Computer Configuration
• Administrative Templates
• Windows Components
• Remote Desktop Services
• Remote Desktop Session Host and
• RD Connection Broker
These values are as follows:
• Join RD Connection Broker

• Configure RD Connection Broker farm name
• Configure RD Connection Broker server name and
• Use RD Connection Broker load balancing
12.24.2. Configuration
RD Connection Broker must be declared on WALLIX Bastion as a target.
In order to reach directly RD Connection Broker (and not one of the RD Session Host), the field "Load
balance info" must be specified at the level of the RDP connection policy, via "Session Management"
This field must be entered with the information retrieved from the field "loadbalanceinfo:s:" in the .rdp
file saved from the Work Resources page on RD Web Access (https://<ip-rd_web_access>/
rdweb/).
Here is an example of such information: tsv://MS Terminal Services Plugin.1.Sessions.
For further information on connection policies, refer to Section 12.4, “Connection

12.25. Connection messages

From the “Connection messages” page on the “Configuration” menu, you can view and edit the
banner messages displayed to the users on primary and secondary connections according to their
preferred language. These messages are displayed on:
• the Web interface login screen

• the RDP proxy login screen
• the SSH terminal during authentication
Note:
These messages are not displayed to users for the following sessions: SFTP, SCP
or remote command (SSH_REMOTE_COMMAND) with an SSH key for primary
authentication or a Kerberos ticket.
293
Figure 12.17. "Connection messages" page
294
Chapter 13. Dashboards

The “Dashboards” menu provides a detailed analysis of all the connections made through WALLIX
Bastion in an administration or audit context, in the form of numerical data, tabular views and charts
over a given period of time.
Note:
The “Dashboards” entry will not be displayed on the Web interface if the “Enable
modules” option, accessible from “Configuration” > “Configuration options” > “Module
configuration”, section “main” is deselected. This option is displayed when the check box
of the “Advanced options” field at the top right of the page has been selected. It should
ONLY be changed upon instructions from the WALLIX Support Team!
The language selected on the “Profile” tab of the “My preferences” page does not affect
the language in which the dashboards are displayed. The dashboards are available in
English only.
13.1. Administration dashboard

From the “Administration” page on the “Dashboards” menu, it is possible to generate charts from
statistical data defined on the “Connection data” tab, or to obtain a detailed view of the numerical
data in the form of indicators on the “Connection indicators” tab.
The data viewable from this dashboard corresponds primarily to user connections and target
connections.
Important:
Only the user whose profile is associated with the “Administration” dashboard is allowed
to view the “Administration” entry in the “Dashboards” menu.
By default, the user associated with the “product_administrator” or
“operation_administrator” profile can access this menu entry.
13.1.1. View the data on the “Connection data” tab

The “Connection data” tab allows the user to generate charts based on the data entered in the filter
areas displayed at the top of the page:
• The “Time filter” area allows the user to define the period of time for which they want to view
the data. By default, this period corresponds to the last 7 days and can be edited by clicking on
the “Last week” value under “Time range”. A window is then displayed: it is possible to select
a predefined period on the “Defaults” tab or to define a date range or a number of days before
the current date on the “Custom” tab. It is then necessary to click on “OK” to generate the charts
corresponding to this period.
• The “User group filter” area allows the user to restrict the display in the charts by selecting one
or more user groups, according to the selected period of time.
295
• The “Target group filter” area allows the user to restrict the display in the charts by selecting one
or more target groups, according to the selected period of time.
Each filter area displays an icon on the top right indicating the number of corresponding active
filters. It is possible to click on this icon to view the active filters under the “Applied filters” section in
a dedicated window. This window may also display the unset filters under the “Unset filters” section.
A click on each type of filters in these sections redirects to the corresponding filter area at the top
of the page to edit and/or add one or more criteria.
Once the relevant data is entered in the filter areas, a set of charts is displayed on the page and
the following actions are possible:
• highlight the desired data by clicking on the legend entry above the chart
• display the numerical data for a given day by hovering the mouse pointer over the chart
• edit the filters by clicking on the icon on the top right of the chart.
Figure 13.1. “Administration” page - “Connection data” tab
13.1.2. View the data on the “Connection indicators” tab

The “Connection indicators” tab provides a view of the numerical data in the form of indicators,
including:
• the number of users connected over the defined period, the number of devices and accounts
declared and managed within WALLIX Bastion
• the number of users connected, devices and accounts used for sessions over the last 7 days
compared to the previous week
296
• the number of users who have been inactive for 180 days and the number of devices and accounts
which have never been used for sessions.
A tabular view presents also the oldest connections by user groups and by target account groups.
Figure 13.2. “Administration” page - “Connection indicators” tab
13.1.3. Common features

On the top right corner of the dashboard page, a contextual menu offers the following actions:
• “Refresh dashboard”: this feature allows the user to instantly refresh all the components of the
dashboard
• “Set auto-refresh interval”: this feature allows the user to select a time interval between each
automatic refresh of the dashboard. This time interval is only saved for the current session.
• “Download as image”: this feature allows the user to download the dashboard in JPG format.
On the top right corner of each component of the “Connection data” and “Connection indicators”
tabs, a contextual menu offers the following actions:
• “Force refresh”: this feature allows the user to instantly refresh the data. The last refresh is also
indicated.
• “Maximize chart”: this feature allows the user to display the full screen view of the chart. It is
possible to return to the condensed view by clicking on the “Minimize chart” entry from this same
contextual menu.
• “Download as image”: this feature allows the user to download the chart in JPG format
• “Export CSV”: this feature allows the user to download the data of the chart as a .csv file.
13.2. Audit dashboard
297
From the “Audit” page on the “Dashboards” menu, it is possible to generate charts and tables from
statistical data defined in the filter areas.
The data viewable from this dashboard corresponds primarily to account, session, user group and
target account group activities.
Important:
Only the user whose profile is associated with the “Audit” dashboard is allowed to view
the “Audit” entry in the “Dashboards” menu.
By default, the user associated with the “product_administrator” or “auditor” profile can
access this menu entry.
13.2.1. View the data

At the top of the page, the filter areas allow the user to define relevant data to generate charts
and tables:
• The “Time filter” area allows the user to define the period of time for which they want to view
the data. By default, this period corresponds to the last 7 days and can be edited by clicking on
the “Last week” value under “Time range”. A window is then displayed: it is possible to select
a predefined period on the “Defaults” tab or to define a date range or a number of days before
the current date on the “Custom” tab. It is then necessary to click on “OK” to generate the charts
corresponding to this period.
• The “User group filter” area allows the user to restrict the display in the chart by selecting one or
more user groups, according to the selected period of time.
• The “Target group filter” area allows the user to restrict the display in the chart by selecting one
or more target groups, according to the selected period of time.
Each filter area displays an icon on the top right indicating the number of corresponding active
filters. It is possible to click on this icon to view the active filters under the “Applied filters” section in
a dedicated window. This window may also display the unset filters under the “Unset filters” section.
A click on each type of filters in these sections redirects to the corresponding filter area at the top
of the page to edit and/or add one or more criteria.
Once the relevant data is entered in the filter areas, a set of charts and tables is displayed on the
page. These charts and tables include:
• the activities of the accounts and sessions

• the rankings of sessions, user groups, target account groups and devices.
It is possible to perform the following actions:
• highlight the desired data by clicking on the legend entry above the chart
• display the numerical data for a given day by hovering the mouse pointer over the chart
• edit the filters by clicking on the icon on the top right of the chart.
298
Figure 13.3. “Audit” page
13.2.2. Common features

On the top right corner of the dashboard page, a contextual menu offers the following actions:
• “Refresh dashboard”: this feature allows the user to instantly refresh all the components of the
dashboard
• “Set auto-refresh interval”: this feature allows the user to select a time interval between each
automatic refresh of the dashboard. This time interval is only saved for the current session.
• “Download as image”: this feature allows the user to download the dashboard in JPG format.
On the top right corner of each component of the “Audit” dashboard, a contextual menu offers the
following actions:
299
• “Force refresh”: this feature allows the user to instantly refresh the data. The last refresh is also
indicated.
• “Maximize chart”: this feature allows the user to display the full screen view of the chart. It is
possible to return to the condensed view by clicking on the “Minimize chart” entry from this same
contextual menu.
• “Download as image”: this feature allows the user to download the chart in JPG format
• “Export CSV”: this feature allows the user to download the data of the chart as a .csv file.
300
Chapter 14. Authorization management

WALLIX Bastion allows you to define authorizations. These authorizations determine which target
accounts and protocols users can use to access devices.
Authorizations are applied to user groups linked to target groups. All users in the same group inherit
the same authorizations.
From the "Manage Authorizations" page on the "Authorizations" menu, you can:
• list the declared authorizations

• add/edit/delete an authorization
• import authorizations from a .csv file which can be used to populate the WALLIX Bastion
authorization database
Figure 14.1. "Manage Authorizations" page
14.1. Add an authorization

From the "Manage Authorizations" page, click on "Add an authorization" to display the authorization
creation page.
An authorization is a link created between a user group and a target group. You can create several
authorizations between these two groups.
The authorization creation page consists of the following fields:
• the user group

• the target group
• the authorization name (note that character “&” is not allowed)
• a description
• a check box to indicate whether the targets concerned by the new authorization are critical or not
(a notification can be sent each time a critical target is accessed)
• a check box to enable or disable remote sessions. This option is selected by default for the new
authorization. In this case, you can select in the list of the frame below the protocols which can be
associated with a given user group and a given target group. Move a protocol from the "Available
protocols/subprotocols" frame to the "Selected protocols/subprotocols" one in order to choose
the protocol. And conversely, move a protocol from the "Selected protocols/subprotocols" frame
to the "Available protocols/subprotocols" one in order to remove the association.
301
• a check box to enable or disable session recording. The type of recording depends on the protocol
to access the device.
• a check box to enable or disable password checkout. This option is selected by default for the
new authorization.
• a check box to enable or disable an approval workflow for the new authorization. For further
information, refer to Section 14.7, “Approval workflow”, page 307.
Figure 14.2. "Manage Authorizations" page in addition mode
14.2. Edit an authorization

From the "Manage Authorizations" page, click on the notepad icon at the beginning of the desired
line to display the authorization modification page.
The fields in this page are the same as those in the authorization creation page, except the "User
group" and "Target group" fields which cannot be accessed.
14.3. Delete an authorization

From the "Manage Authorizations" page, check the box at the beginning of the line(s) to select the
related authorization(s), then click on the trash icon to delete the selected line(s). WALLIX Bastion
14.4. Import authorizations
302
From the "Manage Authorizations" page, click on the "Import CSV file" icon at the top right of the
page to import the related data. You are then redirected to the "CSV" page on the "Import/Export"
menu: the "Authorizations" check box is automatically selected to import the related data. The field
and list separators can also be configured.
#wab910 authorization
Important:
Warning:

O(ptional)
Name Text R Name of the authorization N/A
created
User group Text R User group defined N/A
Target group Text R Target group defined N/A
(1)
Subprotocol Text R if Authorize Subprotocol name : see below N/A
sessions = True
There can be one or several
subprotocols
Is critical Boolean R True or False False
Is recorded Boolean R True or False False
Authorize Boolean R True or False False
password
checkout
Authorize Boolean R True or False False
sessions
Approval Boolean R True or False False
required
Has comment Boolean R True or False False
False if Approval
required = False
True if
Mandatory
comment = True
Mandatory Boolean R True or False False
comment
303

O(ptional)
False if Approval
required = False
Has ticket Boolean R True or False False
False if Approval
required = False
True if
Mandatory ticket
= True
Mandatory Boolean R True or False False
ticket
False if Approval
required = False
Approver Text R if Approval Approver groups defined N/A
groups required = True
There can be one or several Empty if
approver groups Approval
required = False
Active quorum Integer R Integer number between 0 and "0"
number the number of approvers in
groups
At least one quorum (active or

inactive) must be defined and
greater than 0
Inactive Integer R Integer number between 0 and "0"
quorum number the number of approvers in
groups
At least one quorum (active or

inactive) must be defined and
greater than 0
Single Boolean O True or False False
connection
False if Approval
required = False
Approval Integer O The value is set in minutes. "0"
timeout number
(1)Subprotocol: one of the following values:
SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, SSH_SCP_UP, SSH_SCP_DOWN,

SSH_X11, SFTP_SESSION, RDP, VNC, TELNET, RLOGIN, SSH_DIRECT_TCPIP,
SSH_REVERSE_TCPIP, SSH_AUTH_AGENT, SSH_DIRECT_UNIXSOCK,
SSH_REVERSE_UNIXSOCK, RDP_CLIPBOARD_UP, RDP_CLIPBOARD_DOWN,
RDP_CLIPBOARD_FILE, RDP_PRINTER, RDP_COM_PORT, RDP_DRIVE, RDP_SMARTCARD,
RDP_AUDIO_OUTPUT, RDP_AUDIO_INPUT, RAWTCPIP
For further information, refer to Section 10.1.6, “SSH specific options”, page 143 and Section 10.1.7,
“RDP specific options”, page 144.
304
Example of import syntax:
#wab910 authorization
Group_users1;target_group1;SSH_SHELL_SESSION SFTP_SESSION;False;False;True;True;
description;False;False;False;False;False;group_approvers;1;2False;0
14.5. View the current approvals

From the "My Current Approvals" page, the approver can view all the current approval requests
sent from users to access targets or target credentials and to which they must provide an answer.

Figure 14.3. "My Current Approvals" page
On the top of the page, the approver can choose to enable/disable automatic refresh of current
approval data. When the corresponding option is enabled, you can set the refresh frequency.
By clicking on the notepad icon at the beginning of the line, the approver is redirected to the approval
request detail page:
305
Figure 14.4. "My Current Approvals" - Approval request detail page

On this page, the approver can:
• click on the "Notify approvers" button to notify approvers again

• view the answers from the other approvers
• indicate in the "Comment" area the reason of their approval/rejection regarding the request
• reduce the request period by changing the value in the "Duration" field
• reduce the timeout set for the connection by changing the value in the "Timeout" field. If the
user has not connected to the target and this timeout has been reached, then the status of the
"accepted" request automatically switches to "closed".
• click on the "Cancel", "Reject" or "Approve" button to perform the corresponding action
Since a session or the target credentials can still be accessed as long as an accepted request has
not expired, the approver can cancel a request before its expiration to inhibit further access from a
user to the target by clicking on the "Cancel" button.
For further information, refer to Section 14.7, “Approval workflow”, page 307.
14.6. View the approval history

From the "My Approval History" page, the approver can view all the approval requests which are
no longer pending for approval.

• the definition of the last N days, weeks or months
Note:
range filter.
306

Figure 14.5. "My Approval History" page

By clicking on the notepad icon at the beginning of the line, the approver is redirected to a detailed
view of all the answers for the request.
Since a session or the target credentials can still be accessed as long as an accepted request has
not expired, the approver can cancel a request before its expiration to inhibit further access from a
user to the target by clicking on the "Cancel request" button.
For further information, refer to Section 14.7, “Approval workflow”, page 307.
Figure 14.6. "My Approval History" - Approval request history detail page
14.7. Approval workflow

WALLIX Bastion supports dynamic authorizations using workflows. This mechanism is based on the
time frames defined for accessing targets or target credentials. Workflows endorse administrators to
further refine the access to sensitive resources and permit access outside the defined time frames.
When a user wants to initiate a connection to a target or access the target credentials, a request
is first sent to the approvers.
307
An approver is a user who has been designated by a WALLIX Bastion administrator with the right to
approve: the "Modify" right for the "Manage Approvals" feature is set in the approver's profile (refer
to Section 9.3, “User profiles”, page 87).
Note:
By default, an approver is allowed to approve their own requests. This behavior can
be managed via the option “Allow self approvals” from the menu “Configuration” >
“Configuration options” > “Global”. If this option is deselected, then the approver cannot
view their own requests on the “My approval history” page from the “Authorizations” menu.
Their requests will only be viewed by the other members of the approver group.
Approvers can decide to allow or reject the connection to a target or the access to the target
credentials. A request is approved when a quorum has been reached. The quorum is the minimum
number of favorable answers required for a particular authorization.
14.7.1. Workflow configuration

Approval workflows are set at the level of the defined authorizations. For further information, refer
to Section 14.1, “Add an authorization”, page 301.
If the "Enable approval workflow" check box is selected during the authorization definition, a user
will have to obtain access to the target or the target credentials by demanding an approval request.
Approvers are then designated to answer requests for the defined authorizations by selecting the
appropriate groups of users: to do so, move the user groups from the "Available approver groups"
frame to the "Selected approver groups" one in order to choose the groups. And conversely, move
a user group from the "Selected approver groups" frame to the "Available approver groups" one in
order to remove the association.
The "Modify" right for the "Manage Approvals" feature must be set for all users in the selected
groups in their user profile.
Upon approval requests issued by users wishing to connect to a target or access the target
credentials concerned by the authorization, all approvers in the selected groups are notified by
email. The latter contains a direct link for the approver to "My Current Approvals" page in the
"Authorizations" menu where the request can be answered. This feature is available for approvers
through the interface dedicated to the "User & audit features" service group. For further information,
refer to Section 8.11.1, “Service mapping”, page 59).
A request for a target is defined by at least the start date and time and the expected duration of the
session. It is also possible to define, optionally, a ticket number and a comment. For the defined
authorization, these attributes can be asked, always or never, depending on the option selected in
the "Comment" and "Ticket" fields during the authorization configuration.
It is possible to set the number of approvers needed to accept a request. This is configured by
setting a quorum. A quorum should be equal to or less than the number of available approvers.
During the authorization configuration, a quorum can be set:
• for active periods, by specifying a value in "Quorum in authorized time frames". A quorum for the
active periods equal to 0 means that approvals are not required for active periods.
• for inactive periods, by specifying a value in "Quorum outside authorized time frames". A quorum
for inactive periods equal to 0 means that no connections are ever possible during inactive
periods.
A single connection can be defined for the approval. The user is then restricted to connect only
once during the approval duration.
308
A timeout in format [hours]h[mins]m can be defined for the approval. If the user has not
connected to the target and this timeout has been reached, then the status of the "accepted" request
automatically switches to "closed". When the approver accepts the request, this value is set as the
maximum value in the "Timeout" field on the form. The approver can reduce this value.
14.7.2. Workflow steps

A user requests an approval either from the "My Authorizations" menu on the WALLIX Bastion Web
interface (for immediate or future access) or when connecting to an RDP or an SSH client (for
immediate access). All the approvers are notified by email. Approvers can then accept or reject a
request via the WALLIX Bastion Web interface.
The statuses of a valid request (its duration has not expired) can be either of the following:
• a request is marked as "accepted" when the quorum has been reached
Note:
When the first approver accepts the request and the start date and time have been
reached:
– the start date and time of the request are then updated with the start date and time
of this action
– the end date and time are then extended for the request duration from this action
• a request is marked as "rejected" and subsequently dismissed as soon as an approver rejects it.
The user is then notified by email of the reason for the rejection.
• a request is "pending" as long as the quorum has not been reached and it has not been rejected.
If the request is no longer valid (i.e. its duration has expired), it is then marked as "closed "and it
is no longer possible for an approver to answer the request. Likewise, it is not possible to answer
requests that have been accepted or rejected.
Note:
A request is also marked as "closed" if one of the following elements has been deleted:
the requesting user and/or the concerned target and/or the concerned authorization.
An "accepted" request switches automatically to the "closed" status if the user has not
connected to the target and the timeout defined for the approval has been reached.
Each approver is given the possibility to reduce the duration of a request. The duration is
incrementally decreased: a subsequent approver, when answering the same request, sees the
reduced period and not the original one.
Users can view approval statuses for their requests on the "My Authorizations" menu.
When the quorum is reached, the user is notified by email. The session can then be started or the
target credentials can then be accessed for the allocated duration. If the session is disconnected
before the end of the duration, the user can start a new session without a new approval as long
as the end of the period specified by the duration of the initial approval is not elapsed. In order to
prevent a user to reconnect after the initial session, approvers can cancel a request.
14.8. Time frame configuration
309
The time frames which can be defined in WALLIX Bastion are used to set the periods during which
a user is allowed to connect to targets.
A time frame is linked to one or more user groups. For further information, refer to Section 9.2,
“User groups”, page 83.
From the “Time frames” page on the “Configuration” menu, you can add, edit or delete time frames.
Warning:
A default time frame called “allthetime” is configured in WALLIX Bastion. It allows users
to connect to targets on any day and at any time. This time frame cannot be deleted.
The time reference used is the local time of WALLIX Bastion.
14.8.1. Add a time frame

From the “Time frames” page on the “Configuration” menu, click on the “+ Add” button to display
the time frame creation page.
The time frame creation page consists of the following fields:
• the time frame name

• a description
• a check box to disable the automatic disconnection at the end of the time period
• two tabs to add one or more time periods:
– from the “Weekly schedule” tab, you can configure a time period and then define the times and
days of the week during which users can connect to targets during this period
– from the “Date range” tab, you can configure the start and end dates and times of the period
during which users can connect to targets without interruption.
Figure 14.7. "Time frames" page in addition mode
310
14.8.2. Edit a time frame

From the “Time frames” page on the “Configuration” menu, click on a time frame name to display
the corresponding modification page.
The fields in this page are the same as those in the time frame creation page.
14.8.3. Delete a time frame

From the “Time frames” page on the “Configuration” menu, check the box at the beginning of the
line to select the time frame(s) you wish to delete, then click on the “Delete” button. WALLIX Bastion
displays a dialogue box requesting a confirmation before permanently deleting the selected time
frame(s).
Warning:
You cannot delete a time frame linked to a user group.
311
Chapter 15. Specific commands

The following sections present some commands which may be useful when administrating WALLIX
Bastion. All specific commands are not provided so we encourage you to contact the WALLIX
Support Team, should you have any other questions (refer to Chapter 18, “Contact WALLIX Bastion
Support”, page 363).
The table below summarizes the information detailed in the corresponding sections:
Command / Script Refer to...

bastion-crypto init Section 15.5, “Set encryption key of WALLIX
Bastion”, page 314
bastion-crypto unlock Section 15.6, “Unlock encryption key of WALLIX
bastion-traceman Section 15.22, “Move local session recordings to remote
storage”, page 321
WABBackupPurge Section 8.13.4, “Automatic backup purge”, page 66
WABChangeGrub Section 15.11, “Change the GRUB
password”, page 316
WABChangeKeyboard Section 15.9, “Change the keyboard layout”, page 315
WABConsole Section 15.18, “Use WABConsole to change the user
password”, page 318
WABExecuteBackup Section 8.13.3, “Automatic backup
WABGetGuiUrl Section 15.10, “Get the GUI URL”, page 315
WABGetLicenseInfo Section 15.17, “Manage the license key”, page 317
WABCRLFetch Section 15.30, “Update the CRL (Certificate Revocation
List)”, page 326
WABGuiCertificate Section 15.28, “Change self-signed certificates of
services”, page 324
WABHASetup and WABHAStatus Section 15.15, “Configure High-Availability
(HA)”, page 317
WABInitReset Section 15.2, “Restore WALLIX Bastion to factory
settings”, page 313
WABJournalCtl Section 15.19, “Display the content of "journalctl"
logs”, page 318
WABNetworkConfiguration Section 15.12, “Change the network
WABResetCrypto Section 15.7, “Reset data encryption in WALLIX
WABRestoreDefaultAdmin Section 15.3, “Restore the factory-set administrator
account”, page 314 and Section 15.4, “Change
the password of the factory-set administrator
account”, page 314
WABSecurityLevel Section 15.13, “Change the security level
312
Command / Script Refer to...

WABServices Section 15.14, “Configure services”, page 317
WABSessionLogExport Section 15.20, “Export and/or purge session
recordings manually”, page 318; see also
Section 15.21, “Export and/or purge session recordings
automatically”, page 320
WABSessionLogImport Section 15.23, “Re-import archived session
recordings”, page 322
WABSessionLogIntegrityChecker Section 15.24, “Check integrity of session log
files”, page 322
WABSetLicense Section 15.17, “Manage the license key”, page 317
WABSshServerGenRsaKey.sh Section 15.28, “Change self-signed certificates of
services”, page 324
WABVersion Section 15.8, “Get the version information of WALLIX
wallix-config-backup.py Section 8.13.2, “Backup/Restoration from the command
line”, page 64
wallix-config-restore.py Section 8.13.2, “Backup/Restoration from the command
line”, page 64
15.1. Use the command line to connect to

WALLIX Bastion
For further information, refer to Section 6.2, “Using the command line to connect to WALLIX
Bastion”, page 26.
15.2. Restore WALLIX Bastion to factory

settings
You can execute the following command when logged in as "root" to restore WALLIX Bastion to
its factory settings:
# WABInitReset
A message is then displayed to request confirmation before restoring the settings. By default, this
command only restore the configuration for the keyboard layout, the GRUB menu and the users.
It is possible to restore all settings or a specific one using option --reset, as shown below:
# WABInitReset ––reset interfaces
When option --reset is used, no message is displayed to request confirmation before restoring
the settings.
The option -h shows the help message listing the arguments which can be used to perform this
action.
313
15.3. Restore the factory-set administrator

account
You can execute the following command when logged in as "root" to restore the factory-set
administrator account of WALLIX Bastion:
# WABRestoreDefaultAdmin
The default credentials of the factory-set administrator account are as follows:
• User name: admin

• Password: admin
This default password can be changed. For further information, refer to Section 15.4, “Change
the password of the factory-set administrator account”, page 314.
15.4. Change the password of the factory-set

administrator account
You can execute the following command when logged in as "root" to change the default password
of the factory-set administrator account of WALLIX Bastion:
# WABRestoreDefaultAdmin -c
Note:
The previous default password is not requested when performing this action.
15.5. Set encryption key of WALLIX Bastion

Once the initial installation has been performed and after the system reboot on the shell
administration console, you can execute the following command when logged in as “root” to set the
encryption key of WALLIX Bastion and thus access the Web interface:
# bastion-crypto init
The passphrase to secure the encryption key must be entered in the “Enter WALLIX Bastion
Passphrase” dialog box.
The encryption key can also be set using the following command lines:
echo <passphrase>|bastion-crypto init --security-level high
The --security-level high option is used to secure the encryption key with a passphrase.
bastion-crypto init --security-level low
The --security-level low option is used when no passphrase is to be set for the encryption
key.
15.6. Unlock encryption key of WALLIX Bastion
314
Once the initial installation has been performed and after the system reboot on the shell
administration console, you can execute the following command when logged in as “root” to unlock
the encryption key of WALLIX Bastion and thus access the Web interface:
# bastion-crypto unlock
The passphrase which has been set to secure the encryption key must be entered in the “WALLIX
Bastion Passphrase unlocking” dialog box.
15.7. Reset data encryption in WALLIX Bastion

You can execute the following command when logged in as "root" to restore the encryption key of
WALLIX Bastion:
# WABResetCrypto
A message is then displayed to request confirmation before resetting encryption.
Caution:
All data in WALLIX Bastion (user accounts, session recordings, etc.) is deleted when
encryption is reset!
It is therefore highly recommended to back up a copy of WALLIX Bastion configuration
BEFORE resetting encryption. For further information, refer to Section 8.13, “Backup and
Restoration”, page 62.
15.8. Get the version information of WALLIX

Bastion
You can execute the following command to get the version, build number and build date of WALLIX
Bastion:
# WABVersion
The history of all the installation operations (installation and upgrades of your WALLIX Bastion but
also installation or removal of Hotfixes) can be displayed when executing the following command:
# WABVersion -H
15.9. Change the keyboard layout

You can execute the following command to choose another keyboard layout language:
# WABChangeKeyboard
15.10. Get the GUI URL

You can execute the following command to get the URL of the Web interface:
# WABGetGuiUrl
315
15.11. Change the GRUB password

You can execute the following command to modify the GRUB password:
# WABChangeGrub
15.12. Change the network configuration

You can execute the following command to modify the network configuration set in WALLIX Bastion:
# WABNetworkConfiguration
However, the advanced configuration can only be performed from the "Network" page on
the "System" menu on the Web interface. For further information, refer to Section 8.6,
Note:
When WALLIX Bastion is configured in HA (or « High-Availability ») mode, this command
can only be executed on the "Master" node.
15.13. Change the security level configuration

You can execute the following command to modify the security level configuration set in WALLIX
Bastion:
# WABSecurityLevel
The security level set via this command affects both the HTTP and the SSH servers.
The default security level for the HTTP server is set to a high value. Only the following cryptographic
algorithms can then be used:
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-ECDSA-CHACHA20-POLY1305
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES256-SHA384
• ECDHE-RSA-AES256-SHA384
• ECDHE-ECDSA-AES128-SHA256
• ECDHE-RSA-AES128-SHA256
Only the following Diffie-Hellman groups can then be used:
• P-256
• P-384
• brainpoolP256r1
• brainpoolP384r1
• brainpoolP512r1
316
The default security level for the SSH server is set to a low value, allowing any cryptographic
algorithms to be used.
The security level set via this command is preserved during upgrade.
Caution:
When WALLIX Bastion is configured in HA (or « High-Availability ») mode, the security
level for the SSH server set via this command is only spread out to the Slave node when
the latter is switching from Slave to Master.
15.14. Configure services

You can execute the following command to configure services:
# WABServices
For further information, refer to Section 8.11.2, “Service activation”, page 60.
15.15. Configure High-Availability (HA)

You can execute the following command to configure HA:
wabsuper$ WABHASetup
Note:
This command can only be executed on the "Master" node.
To check the current state of a node, you can use the following maintenance command:
wabsuper$ /opt/wab/bin/WABHAStatus
For further information, refer to Section 8.14, “High-Availability”, page 67.
15.16. Generate the report on the system status

A program allows you to get the information related to the status of WALLIX Bastion. It can be useful
to execute this program and send the generated report to the WALLIX Support Team when needed.
To get this program, log on to WALLIX Support portal (https://support.wallix.com

[https://support.wallix.com/]) then click on the "Downloads" tab and download the file
"sysinfo" below section "WALLIX Sysinfo".
Next, launch this program and send the file sysinfo.txt in the generated archive (sysinfo.gz)
to the WALLIX Support Team.
15.17. Manage the license key

You can execute the following command to display the license information:
# WABGetLicenseInfo
317
You can execute the following command to generate the license context file:
# WABSetLicense -c -f <License context file>
You can execute the following command to import a new license:
# WABSetLicense -u -f <License update file>
You can execute the following command to delete the license:
# WABSetLicense -d
For further information, refer to Section 8.2, “License”, page 44.
15.18. Use WABConsole to change the user

password
WALLIX Bastion 10.0.5 provides a command line interface allowing an administrator or a user to
execute specific operations.
The available commands are filtered according to the user profile.
To log on to the console, you can:
• either execute the following command:
# WABConsole
• or connect to the Bastion using an SSH client as follows:
$ ssh -t admin@wab.mycorp.lan console

admin@wab.mycorp.lan password:
wab> help
To obtain the list of commands, simply enter help on the console prompt.
Help is available for each command by entering either help or -h.
The command currently available for a user with the "product_administrator" profile is:
change_user_password.
The command currently available for a regular user is: change_password.
15.19. Display the content of "journalctl" logs

You can execute the following command to display the content of "journalctl" logs:
# WABJournalCtl
15.20. Export and/or purge session recordings

manually
You can execute the following script to export and/or purge session recordings:
# /opt/wab/bin/WABSessionLogExport -h
318
action.
Use this script to create an .archive file, saved in /var/wab/recorded/export_sessions,
including for the period defined:
• all RDP and SSH sessions

• a .csv file containing the export of the data viewed on the "Session History" page (refer to
Section 12.3.4, “Session history”, page 250).
Note:
Local archives are to be moved manually by the administrator to remote storage in /var/
wab/remote/recorded/export_sessions. However, a script allows to archive and/
or purge session recordings automatically. You can define options on the Web interface
of WALLIX Bastion to configure the actions which will be carried out by this script.
For further information, refer to Section 15.21, “Export and/or purge session recordings
All sessions for the period defined will also be removed, unless option -p has been used.
It is possible to archive and/or purge sessions according to their IDs using option --sessions.
It is possible to archive and/or purge only uncorrupted sessions using option --good-only.
It is possible to archive and/or purge only corrupted sessions using option -w or --wrong-only.
It is possible to archive and/or purge sessions depending on a given status (e.g. failed sessions,
interrupted sessions, etc.) using option --status.
It is possible to archive and/or purge only sessions stored on local storage using option --local-
storage.
It is possible to archive and/or purge only sessions stored on remote storage using option --
remote-storage.
It is possible to archive and/or purge traces related to targets under a given protocol (SSH, RDP,
etc.) using option --protocol.
It is possible to archive and/or purge only non-critical sessions using option --non-critical.
It is possible to archive and/or purge traces related to specific user(s) using option --user.
It is possible to archive and/or purge traces related to users in specific user group(s) using option
--user-group.
It is possible to archive and/or purge traces related to specific target(s) using option --target.
It is possible to archive and/or purge traces related to targets in specific target group(s) using option
--target-group.
It is possible not to archive traces using option -a. In this case, information on the concerned session
is displayed at the command line.
It is possible not to purge traces using option -p. In this case, information on the concerned session
is displayed at the command line.
It is possible to display orphan files related to purged sessions using option --show-orphans.
These files can be deleted using option -P or --purge-orphans. In this case, these files will not
be archived even if an archive is created.
319
It is possible to specify a passphrase for the archive using option --passphrase. The latter should
however not be used as the passphrase is displayed as a string on the command-line.
It is possible to specify a file descriptor to get the archive passphrase from using option --
passphrase-fd.
It is possible to specify a path to a file to get the archive passphrase from using option --
passphrase-file.
You can execute the following script to re-import the generated archive files:
# /opt/wab/bin/WABSessionLogImport -h
The option -h shows the help message listing the arguments which can be used to
perform this action. For further information, refer to Section 15.23, “Re-import archived session
A script allows to archive and/or purge session recordings automatically. You can define options
on the Web interface of WALLIX Bastion to configure the actions which will be carried out by
this script. For further information, refer to Section 15.21, “Export and/or purge session recordings
Another script also allows to move session recordings from a local storage to a remote
one. For further information, refer to Section 15.22, “Move local session recordings to remote
storage”, page 321.
15.21. Export and/or purge session recordings

automatically
A script launched in a cron job allows to archive and/or purge session recordings stored
in partition /var/wab/recorded/ (for local storage) or /var/wab/remote/recorded/ (for
remote storage). This script is executed by default every day at 4:00 a.m. in the time zone in which
WALLIX Bastion is located, as defined in the "Time Service" page on the "System" menu. For further
information, refer to Section 8.7, “Time service”, page 52.
The actions carried out by this script can be configured via the options in section "Retention Policy"
from "Configuration" > "Configuration Options" > "Session log policy":
• if a value is entered in the field “Remove sessions older than”, then all sessions older than this
value expressed in number of days (with suffix “d”, e.g. “20d” for 20 days) or in number of months
(with suffix “m”, e.g. “36m” for 36 months) are removed. If no suffix is entered, then the value is
considered by default as expressed in number of days.
• all the orphan files on remote storage are removed
• if a value is entered in the field “Archive sessions older than”, then all sessions older than this
value expressed in number of days (with suffix “d”, e.g. “20d” for 20 days) or in number of months
(with suffix “m”, e.g. “36m” for 36 months) are archived. If no suffix is entered, then the value is
considered by default as expressed in number of days. This operation applies to sessions on
both local and remote storage.
• if a path to a script is entered in the field “Post archive script”, then it is called to export archives.
Otherwise, archives are transferred on remote storage, if present.
• the elements on local storage are removed, starting from the oldest to the most recent and by
type, until a given size of free disk space is reached. This value is to be entered in the field
“Remove sessions below free space”. This size is expressed in bytes (with suffixes “kb”, “kib”,
320
“Mb”, “Mib”, “Gb” and “Gib”) or in percentage of disk space in partition /var/wab. This removal
is carried following the steps below:
– first, archives older than 24h
– next, non-critical sessions which are older than the value entered in the field “Prefer sessions
older than”
– then, critical sessions which are older than the value entered in the field “Prefer sessions older
than”
– then, non-critical sessions older than 24h
– then, critical sessions which are older than the value entered in the field “Keep critical newer
than” or older than 24h
– next, non-critical sessions newer than 24h
– then, archives newer than 24h
– lastly, critical sessions newer than 24h if no value is entered in the field “Keep critical newer
than”
• a notification is sent with the list of the archived and removed elements. A notification is also sent
when the value related to the size of available free disk space has not been reached.
Archives are removed regardless of the critical or non critical context for sessions.
Furthermore, it is also possible to modify the default passphrase defined in the field “Archive key”.
This passphrase is used to encrypt the archived elements.
15.22. Move local session recordings to remote

storage
WALLIX Bastion moves automatically the recordings of recently terminated sessions from local
storage to remote storage. By default, this action is made through a cron job scheduled to run every
5 minutes.
You can also execute the following script to perform this action manually:
# /opt/wab/bin/bastion-traceman -h
action.
The following subcommands can be used:
• info: this subcommand allows to display the status of the available disk space on the remote
storage
Syntax example for the info subcommand:
# bastion-traceman info
• move local: this subcommand allows to move session recordings from the remote storage
onto the local one
Syntax example for the move local subcommand:
# bastion-traceman move local
• move remote: this subcommand allows to move session recordings from the local storage onto
the remote one
321
Syntax example for the move remote subcommand:
# bastion-traceman move remote
The available selection criteria are the same as those which can be used to export and/or
purge session recordings manually, except for the options --local-storage and --remote-
storage. For further information, refer to Section 15.20, “Export and/or purge session recordings
manually”, page 318.
Note:
When the session recordings are moved, the related folders are deleted when they
become empty. The following folders are considered:
• /var/wab/recorded/ssh/<YYYY-MM-DD>
• /var/wab/recorded/rdp/<YYYY-MM-DD>
• /var/wab/remote/recorded/ssh/<YYYY-MM-DD>
• /var/wab/remote/recorded/rdp/<YYYY-MM-DD>
Note that the folder related to the current day is never deleted.
From the "Remote Storage" page on the "System" menu, you can configure the export
of session video recordings to an external file system. For further information, refer to
Section 8.8, “Remote storage”, page 53.
15.23. Re-import archived session recordings

You can execute the following script to re-import session recordings archived during the execution
of the WABSessionLogExport script:
# /opt/wab/bin/WABSessionLogImport -h
action.
It is possible to only list the content of the archive using option --list. The archive will not be
re-imported.
15.24. Check integrity of session log files

You can execute the following command to check the integrity of session log files stored in /var/
wab/:
# /opt/wab/bin/WABSessionLogIntegrityChecker -h
action.
The available trace selection criteria are the same as those which can be used to export and/or
purge session recordings manually. For further information, refer to Section 15.20, “Export and/or
purge session recordings manually”, page 318.
When notifications are enabled for integrity errors, the email summarizes errors for sessions older
than 3 days by default. It is however possible to set another value for this number of days. This
322
parameter can be managed via "Configuration" > "Configuration Options" > "Session log policy",
then enter a positive integer in the field "Summarize error older than" below section "Integrity
Checker". If "0" is entered in this field, then there is no error summary on the notification email.
15.25. Change target servers identification

When you connect to a target server via a secure protocol (such as RDP or SSH), WALLIX Bastion
will check that the certificate or key presented to the proxy by the server corresponds to the one
known for this server.
If this certificate or key is different, the WALLIX Bastion proxy will close the connection as it could
be considered as an attack. It is therefore necessary to inform WALLIX Bastion when this certificate
or key has been changed. To do so, you can delete the declared certificate or key on the device
and the new one will be automatically saved at the next access to the device through the RDP or
SSH proxy. For further information, refer to Section 10.1.1.6, “View and delete certificates or keys
on the device”, page 139.
15.26. Configure TLS options for LDAP external

authentication
It is possible to configure the allowed TLS session's handshake algorithms and options. These
parameters can be managed via "Configuration" > "Configuration Options" > "Global", then specify
the allowed cipher suites according to the syntax of the GnuTLS priority strings in the field "Ldap
tls cipher suite". For further information regarding this syntax, refer to https://gnutls.org/
manual/html_node/Priority-Strings.html#Priority-Strings.
Warning:
15.27. Configure TLS client for SIEM integration

It is possible to configure the TLS client to allow the routing of information to network devices through
SIEM solutions by adding the file /etc/syslog-ng/conf.d/tls_siem.conf.
The following placeholders must be specified in the content of the file as described below:
• <SIEM_SERVER>
• <SIEM_PORT>
• <CA_DIR>
• <CLIENT_KEY>
• <CLIENT_CERT>
cat /etc/syslog-ng/conf.d/tls_siem.conf
destination d_rltp {
syslog( <SIEM_SERVER>
323
transport("tls")
port(<SIEM_PORT>)
tls(
peer-verify(required-trusted) ca_dir(<CA_DIR>)
key_file(<CLIENT_KEY>)
cert_file(<CLIENT_CERT>)
)
);
};
log {
source(s_src);
destination(d_rltp);
};
A TLS configuration can also be performed from the Web interface. For further information, refer
to Section 8.9, “SIEM integration”, page 54.
15.28. Change self-signed certificates of

services
15.28.1. Change the certificate for the Web interface and the
API
Replace the following certificate files in the directory /var/wab/apache2/ssl.crt:
• ca.crt (root authority certificate)
Note:
The new certificate generated as a .pem file must be converted into a .crt file prior to
be replaced in the directory.
• server.pem (public key)

• server.key (private key)
• and possibly crl.pem (certificate revocation list). If there is no need to revocate a site, then do
not replace the default crl.pem file.
Once the files have been replaced, it may be necessary to restart the Apache service by entering
the following command:
# systemctl restart apache2
Note:
These files are also modified by applying the X509 authentication configuration
procedure. For further information, refer to Section 9.7, “X509 certificate authentication
If High-Availability is set, the directory into which the certificates are gathered is shared
between both nodes. The procedure is to be applied on the active node only.
You could later generate back a self-signed certificate with the following command:
324
# WABGuiCertificate selfsign -f
15.28.2. Change the RDP proxy certificate

To install your certificate, copy it on the Bastion in PEM format, with its associated private key. Then,
on the SSH console (2242), execute the following command replacing the parameters by the full
path of the corresponding files:
# rdpcert --key --inkey=./<2048_bit_rsa_private_key_file>.key --x509

--inx509=./<X509_certificate_file>.pem --force
Once the files have been replaced, restart RDP proxy by entering the following command:
# systemctl restart redemption
Note:
You could later generate back a self-signed certificate with the following command:
# rdpcert --key --force
15.28.3. Change the SSH proxy host key

To install your host key using RSA +PEM format, copy it on WALLIX Bastion in the directory /var/
wab/etc/ssh/server_rsa.key location.
The host key must use RSA algorithm and a minimum 4,096-bit length is recommended.
To install your host key using ED25519 format, copy it on WALLIX Bastion in the directory /var/
wab/etc/ssh/server_ed25519.key location.
Note:
You can generate an SSH proxy host key on WALLIX Bastion by deleting the current host
keys and executing the generator script with the following command:
# rm /var/wab/etc/ssh/server_rsa.key
# rm /var/wab/etc/ssh/server_ed25519.key
# WABSshServerGenRsaKey.sh
15.29. Cryptographic configuration of services

15.29.1. Configure the security level to restore RDP protocol
compatibility
Old RDP clients may not be compatible by default with WALLIX Bastion. However, we recommend
rather using a modern client, such as the client MSTSC connected to Windows Server 2008 R2 (at
least), to keep a satisfactory security level.
325
To restore compatibility and therefore allow connections, it is then necessary to perform the following
actions at the level of the RDP proxy configuration from the "Configuration Options" page on the
"Configuration" menu, below the "client" section:
• for clients under Windows Server 2000 or lower: select the option "Tls fallback legacy"
• for clients supporting TLS from Windows XP: allow the minimum supported version for TLS
protocol by entering "0" in the "Tls min level" field and delete the value in the "Ssl cipher list" field.
Warning:
We remind you that these actions will lower the security level of the WALLIX Bastion
services.
15.29.2. Configure the security level to restore SSH protocol

compatibility
The cryptographic algorithms allowed by the SSH proxy can be declared by specifying them in the
following fields related to the SSH proxy configuration from the "Configuration Options" page on
the "Configuration" menu:
• below the "main" section: “Hostkeys”, “Client kex algos”, “Client cipher algos”, “Client integrity
algos”, “Client compression algos”
• below the "front_algorithms" section: “Dh modulus min size”
We recommend keeping the default configuration for these algorithms to ensure the highest security
level with SSH clients.
Warning:
These fields are displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. They should ONLY be changed upon instructions
15.29.3. Restore default cryptographic settings

To change the settings of the GUI Web server, edit the following file as described below:
# vim.tiny /etc/apache2/sites-enabled/wab-httpd.conf
1. Uncomment the following lines:
SSLProtocol TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH
2. Comment out all other lines with the same keys.
15.30. Update the CRL (Certificate Revocation

List)
To update the CRL certificate, you can:
326
• either copy the file on the WALLIX Bastion in PEM format. Then, execute the following command:
# WABCRLFetch -f CRL_FILE
• or from the SSH console (port 2242), execute the following command replacing parameters by
the relevant data and the full path of the local CRL file:
client$ nc -l -p A_LOCAL_PORT -c "cat MY_LOCAL_CRL_FILE" &

client$ ssh -p 2242 -R A_WAB_PORT:localhost:LOCAL_PORT_ABOVE wabadmin@wab
wabadmin@wab$ super
wabsuper@wab$ nc localhost WAB_PORT_ABOVE|sudo /opt/wab/bin/WABCRLFetch [-n
NAME]
Example:
client$ nc -l -p 43210 -c "cat wallix_crls/2020/wallix-2020-02-29.crl" &

client$ ssh -p 2242 -R 54321:localhost:43210 wabadmin@wab
wabadmin@wab$ super
wabsuper@wab$ nc localhost 54321|sudo /opt/wab/bin/WABCRLFetch -n
wallix-2020-02-29.crl
Note:
The CRL files are stored in the directory /var/wab/apache2/ssl.crl/.
An uploaded file gathering several CRLs will be divided into several unit CRL files.
An uploaded CRL will only replace an old one if the number corresponding to the
“CRLNumber” is greater than or equal to the one of this former version.
This list can also be updated using the Web interface. For further information, refer to
Section 9.7.2, “CRL management”, page 103.
15.31. Change the Redis password
There are two main options for changing the Redis password: generate and change.
Generate will create a 24-character password composed of numbers and letters.
the --quiet option will execute the command without feedback.
# bastion-change-redis-password generate [--quiet]
Change asks the administrator to manually choose a password.
Important:
This command can only be run as root.
# bastion-change-redis-password change [--quiet]
Once the password has been changed, some WALLIX services are restarted, which may cause
WALLIX Bastion users to log out.
327
A good practice is to run one of these scripts as soon as WALLIX Bastion is initialized.
328
Chapter 16. REST API Web Services

WALLIX Bastion includes two APIs which can be used to provide an access to the resources and
also perform basic operations (such as data creation, update and deletion).
These APIs use a REST protocol based on JSON.
16.1. WALLIX Bastion REST API documentation

Documentation for the last version of this service (3.8) is available online at this address:
https://bastion_ip_address/api/doc
The changelog for this version is available online at this address:
https://bastion_ip_address/api/doc/APIChangelog.html
Documentation of version 3.7 is available online at this address:
https://bastion_ip_address/api/v3.7/doc
The changelog for version 3.7 is available online at this address:
https://bastion_ip_address/api/v3.7/doc/APIChangelog.html
Documentation of version 3.6 is available online at this address:
https://bastion_ip_address/api/v3.6/doc
The changelog for version 3.6 is available online at this address:
https://bastion_ip_address/api/v3.6/doc/APIChangelog.html
Note:
The REST API version 3.5 is deprecated and then no longer available for this version
of WALLIX Bastion.
16.2. SCIM REST API documentation

Documentation for the last version of this service (2.0) is available online at this address:
https://bastion_ip_address/scim/doc
16.3. REST API key management

A REST API key is required to authenticate a request.
From the “API keys” page of the “Configuration” menu, you can:
• list declared REST API keys

• generate/edit/delete a REST API key
• view the IP addresses from which the connection is authorized for a given key
329
Important:
Only the administrator whose profile includes all rights together with transferable rights
(such as the “product_administrator” profile) can view the “API keys” entry in the
“Configuration” menu.
16.3.1. Generate an API key

From the “API keys” page, click on the “+ Add” button to display the API key creation page.
The API key creation page consists of the following fields:
• the name to identify the API key

• the IP address from which the connection is authorized for this key. You can add several
authorized IP addresses for the key.
Once the fields are specified and applied, a window opens and displays the generated API key.
Warning:
After closing the window, it will no longer be possible to view the API key.
Figure 16.1. Page "API keys" - Key generation
16.3.2. Edit an API key

From the “API keys” page, click on an API key name to display the related modification page.
The fields of this page are the same as those on the API key creation page.
16.3.3. Delete an API key

From the “API keys” page, check the box at the beginning of the line(s) to select the related API
key(s) you wish to delete, then click on the “Delete” button. WALLIX Bastion displays a dialogue
box requesting a confirmation before permanently deleting the line(s).
330
Chapter 17. SIEM messages

WALLIX Bastion 10.0.5 uses syslog messages to send data to SIEM solutions from the system, but
also from actions on the Web interface or the RDP or SSH services.
The following sections list log examples and are not exhaustive.
17.1. Logs from WALLIX Bastion boot/reboot

Message are formatted as follows:
[boot] action=”[ACTION]”
Example:
[boot] action="boot"
17.2. Logs from authentication

Messages are formatted as follows:
[wabauth] action=”authentify” user=”[USER NAME]” client_ip=”[USER IP
ADDRESS]” status=”[AUTHENTICATION STATUS]” infos=”diagnostic [INFOS]”
The possible values for the “user” field are as follows:
• the user name when used as login

• the value “[unknown username]” if the user name is not used as login (as for example, when
authenticating through a X509 certificate or via a Kerberos ticket).
The possible values for the “status” field are as follows:
• “started”: the user identification step has been successful

• “success”: the authentication step has been successful
• “failure”: the authentication step has failed
• “cancel”: the user has requested to cancel the authentication attempt in progress
The stream provides messages for the events described in following sections.
17.2.1. Successful authentication

Example of successful local authentication:
[wabauth] action="authentify" user="user01" client_ip="10.10.10.10"
status="started" infos="diagnostic [Authentication started: identified
with local(LOCAL).]"
status="success" infos="diagnostic [Authentication success: identified
with local(LOCAL).]"
Example of successful authentication from an LDAP directory:
with external-auth-ad(LDAP).]"
331

status="success" infos="diagnostic [Authentication success: identified
with external-auth-ad(LDAP), authentified with: external-auth-ad(LDAP).]"
17.2.2. Authentication failure

Example of failed authentication from an LDAP directory:

with external-auth-ad(LDAP).]"

status="failure" infos="diagnostic [Authentication failed]"
17.2.3. Authentication cancellation (either by the client or by

the user)
status="cancelled" infos="diagnostic [Authentication cancelled]"
17.3. Logs from WALLIX Bastion Web interface

Messages are formatted as follows:
[wabaudit] action=”[ACTION]” type=”[OBJTYPE]” object=”[UID/CN/NAME]”

user=”[WHO]” infos=”[INFOS]”
Example:
[wabaudit] action="edit" type="User" object="jdoe" user="admin"

client_ip="192.168.140.1" infos="UserAuths [Add < win2k16.acme.net >]"
The stream provides messages for the various object types described in following sections.
17.3.1. Object type: Account

Actions: add, edit, delete
Examples:
[wabaudit] action="add" type="Account"

object="account_with_approval@DOMAIN_SIMPLE" user="admin"
client_ip="10.10.45.212" infos="name [account_with_approval], login
[account_with_approval], autoChangePassword [True], autoChangeSSHKey
[True], isExternalVault [False]"
[wabaudit] action="edit" type="Account"

object="account_154954837938@local1@application_154954837837"
user="ADMIN" client_ip="10.10.45.212" infos=""
[wabaudit] action="delete" type="Account"

object="account_154954844398@local1@application_154954844399"
332
17.3.2. Object type: Account activity (Audit)

Action: list
Example:
[wabaudit] action="list" type="accountactivity"
object="168c1c48f141e911005056b60af6" user="admin"
client_ip="10.10.43.84" infos=""
17.3.3. Object type: Account history (Audit)

Action: list
Example:
[wabaudit] action="list" type="accounthistory"
object="168c1c48f141e911005056b88ag7" user="admin"
17.3.4. Object type: Answer from approval request

Action: add
Example:
[wabaudit] action="add" type="Answer" object="<Answer (uid: None,
user: USER_APPROVER_1, approved: True, text: some comment)>"
user="USER_APPROVER_1" client_ip="10.10.45.212" infos="username
[USER_APPROVER_1], creation [2019-02-07 15:08:38.577548], text [some
comment], approved [True]"
17.3.5. Object type: API key

Actions: add, delete
Examples:
[wabaudit] action="add" type="Apikey" object="apikey_154954880399"
user="ADMIN" client_ip="10.10.45.212" infos="cn [apikey_154954880399],
apikey [********], ipLimitation []"
[wabaudit] action="delete" type="Apikey" object="apikey_154954882800"
17.3.6. Object type: Application

Actions: add, delete, edit
Examples:
[wabaudit] action="add" type="Application" object="APP_DUMMY"
user="admin" client_ip="10.10.45.212" infos="target
[account@local@DEVICE_DUMMY_WIN:RDP]"
[wabaudit] action="delete" type="Application"
object="application_154954836612" user="ADMIN" client_ip="10.10.45.212"
infos=""
333
[wabaudit] action="edit" type="Application"

object="application_154954842057" user="ADMIN" client_ip="10.10.45.212"
infos=""
17.3.7. Object type: Application path

Examples:
[wabaudit] action="add" type="Apppath"
object="account@local@DEVICE_DUMMY_WIN:RDP[<C:\Program Files
(x86)\Mozilla Firefox\firefox.exe>:<C:\>]" user="admin"
client_ip="10.10.45.212" infos="program [C:\Program Files (x86)\Mozilla
Firefox\firefox.exe], workingdir [C:\]"
[wabaudit] action="delete" type="Apppath"
object="account_154954841440@local1@device_154954841439:rdp[<None>:<C:
\Program Files (x86)\Mozilla Firefox\firefox.exe>]" user="ADMIN"
client_ip="10.10.45.212" infos=""
17.3.8. Object type: Approval

Actions: add, delete, edit, list
Examples:
[wabaudit] action="add" type="Approval" object="<Approval(uid=
\'168c849f0378d7f4005056b69255\', status=3, begin=2019-02-07 15:08:00,
end=2019-02-07 15:18:00, quorum=1)>\n" user="user_154954851465"
client_ip="10.10.45.212" infos="status [3], begin [2019-02-07
15:08:00], creation [2019-02-07 15:08:35.382824], duration [600],
end [2019-02-07 15:18:00], username [user_154954851465], targetname
[user_1@local@DEVICE_WITH_APPROVAL_OPTIONAL_COMMENT_AND_TICKET:SSH],
quorum [1], email [notify@mydomain.com], language [en]"
[wabaudit] action="delete" type="Approval" object="<Approval(uid=
\'168c849f0378d7f4005056b69255\', status=4, begin=2019-02-07
15:08:00, end=2019-02-07 15:18:00, quorum=1)>\n" user="OPERATOR"
[wabaudit] action="edit" type="Approval" object="<Approval(uid=
\'168c849fa6a347bd005056b69255\', status=1, begin=2019-02-07 15:08:00,
end=2019-02-07 15:18:00, quorum=1)>\n" user="USER_APPROVER_1"
client_ip="10.10.45.212" infos="status ['3' to '1']"
[wabaudit] action="list" type="Approval" user="ADMIN"
client_ip="10.10.45.212" infos=""
17.3.9. Object type: Authorization

Examples:
[wabaudit] action="add" type="Authorization"
object="USER_GROUP_UNIX:DEVICE_GROUP_UNIX" user="admin"
334
client_ip="10.10.45.212" infos="cn [unix_group], targetGroupIdentifier

[DEVICE_GROUP_UNIX], isRecorded [True], isCritical [False], userAccess
[False], proxyAccess [True], subprotocols [SSH_SHELL_SESSION,
SSH_REMOTE_COMMAND, SSH_SCP_UP and 7 other(s)], approvalRequired
[False], hasComment [False], mandatoryComment [False], hasTicket [False],
mandatoryTicket [False], activeQuorum [0], inactiveQuorum [0]"
[wabaudit] action="delete" type="Authorization"

object="user_group_154954865272:target_group_154954865373" user="ADMIN"
client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="Authorization"

object="user_group_154954869778:target_group_154954869779" user="ADMIN"
client_ip="10.10.45.212" infos=""
17.3.10. Object type: Backup/Restore

Actions: backup, download, restore
Examples:
[wabaudit] action="backup" type="Backup/Restore" user="admin"

client_ip="192.168.0.12" infos="Backup ['wab-6.0-
cspn_2019-02-04_16-59-11.wbk' saved]"
[wabaudit] action="download" type="Backup/Restore" user="admin"

cspn_2019-02-04_16-59-11.wbk' downloaded]"
[wabaudit] action="restore" type="Backup/Restore" user="admin"

cspn_2019-02-04_16-59-11.wbk' restored]"
17.3.11. Object type: Checkout policy

Examples:
[wabaudit] action="add" type="CheckoutPolicy"

object="CHECKOUT_POLICY_LOCK" user="admin" client_ip="10.10.45.212"
infos="enableLock [True], duration [600], extension [0], maxDuration
[600], checkinChange [0]"
[wabaudit] action="delete" type="CheckoutPolicy"

object="checkout_policy_154954874456" user="ADMIN"
client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="CheckoutPolicy"

object="checkout_policy_154954875282" user="ADMIN"
client_ip="10.10.45.212" infos=""
17.3.12. Object type: Cluster

335
Examples:
[wabaudit] action="add" type="Cluster" object="cluster_154954837225"
user="ADMIN" client_ip="10.10.45.212" infos="member_targets
[account_154954837122@local1@device_154954837021:rdp,
account_154954837224@local1@device_154954837123:rdp]"
[wabaudit] action="delete" type="Cluster" object="cluster_154954875802"
[wabaudit] action="edit" type="Cluster" object="cluster_154954878267"
17.3.13. Object type: Connection policy

Examples:
[wabaudit] action="add" type="ConnectionPolicy"
object="CONNECTION_POLICY_SSH_AGENT_FORWARDING" user="admin"
client_ip="10.10.45.212" infos="cn
[CONNECTION_POLICY_SSH_AGENT_FORWARDING], protocol [SSH], services
[], methods [PASSWORD_VAULT, PUBKEY_VAULT, PUBKEY_AGENT_FORWARDING
and 1 other(s)], Data [server_pubkey[server_pubkey_check]:
'1', server_pubkey[server_pubkey_create_message]: '1',
server_pubkey[server_access_allowed_message]: '0',
server_pubkey[server_pubkey_success_message]: '0',
server_pubkey[server_pubkey_failure_message]: '1',
server_pubkey[server_pubkey_store]: 'True', trace[log_all_kbd]: 'False',
startup_scenario[ask_startup]: 'False', startup_scenario[show_output]:
'True', startup_scenario[enable]: 'False', startup_scenario[timeout]:
'10', startup_scenario[scenario]: '', general[transformation_rule]:
'', session[inactivity_timeout]: '0', session[allow_multi_channels]:
'False', algorithms[kex_algos]: '', algorithms[compression_algos]: '',
algorithms[cipher_algos]: '', algorithms[integrity_algos]: '']"
[wabaudit] action="edit" type="ConnectionPolicy" object="SSH"
user="admin" client_ip="10.10.45.212" infos="methods [Add <
PASSWORD_VAULT, PUBKEY_VAULT, PASSWORD_INTERACTIVE and 1 other(s) >,
Remove < PUBKEY_VAULT, PASSWORD_MAPPING, PASSWORD_VAULT and 1 other(s)
>], Data [session[allow_multi_channels]: 'False' => 'on']"
[wabaudit] action="delete" type="ConnectionPolicy"
object="connection_policy_154954884812" user="ADMIN"
client_ip="10.10.45.212" infos=""
17.3.14. Object type: Credential change information

Examples:
[wabaudit] action="add" type="CredChgInfo" object="local1/None"
user="ADMIN" client_ip="10.10.45.212" infos="service_name ['None' to
'XE'], host ['None' to 'my.db.hostname'], port ['None' to '1234']"
336
[wabaudit] action="delete" type="CredChgInfo" object="<CredChgInfo(uid=

\'168c849848928a52005056b69255\')>\n" user="ADMIN"
client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="CredChgInfo" object="local1/None"
17.3.15. Object type: Password change policy

Examples:
[wabaudit] action="add" type="CredChgPolicy"
object="PASSWORD_CHANGE_POLICY" user="admin" client_ip="10.10.45.212"
infos="pwdLength [8], specialChars [1], changePeriod []"
[wabaudit] action="delete" type="CredChgPolicy"
object="password_change_policy_name_154954918141" user="ADMIN"
client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="CredChgPolicy"
object="password_change_policy_name_154954918865" user="ADMIN"
client_ip="10.10.45.212" infos=""
17.3.16. Object type: Device

Examples:
[wabaudit] action="add" type="Device" object="DEVICE_SSH_SHELL_SESSION"
user="admin" client_ip="10.10.45.212" infos="Host [10.10.45.148], Alias
[DEVICE_SSH_SHELL_SESSION_ALIAS]"
[wabaudit] action="delete" type="Device" object="device_154954886966"
[wabaudit] action="edit" type="Device" object="device_154954892089"
17.3.17. Object type: Global domain

Examples:
[wabaudit] action="add" type="Globaldomain" object="DOMAIN_SIMPLE"
user="admin" client_ip="10.10.45.212" infos="cn [DOMAIN_SIMPLE], name
[DOMAIN_SIMPLE]"
[wabaudit] action="delete" type="Globaldomain"
object="global_domain_154954904181" user="ADMIN"
client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="Globaldomain"
object="global_domain_154954904486" user="ADMIN"
client_ip="10.10.45.212" infos="credchgplugin ['None' to 'Windows'],
337
credchgpolicy ['None' to 'default'], adminAccount ['None' to

'account_154954904487...']"
17.3.18. Object type: LDAP domain

Examples:
[wabaudit] action="add" type="Ldapdomain" object="DOMAIN_1" user="admin"
client_ip="10.10.45.212" infos="description [], ldapDomain [domain1],
defaultLanguage [en], defaultEmailDomain [wallix], groupAttribute
[memberOf], snAttribute [displayName], emailAttribute [mail],
languageAttribute [preferredLanguage], isDefaultDomain [True]"
[wabaudit] action="delete" type="Ldapdomain"
object="domain_154955334782" user="admin" client_ip="192.168.122.1"
infos=""
[wabaudit] action="edit" type="Ldapdomain" object="domain_154955334798"
user="admin" client_ip="10.10.45.212" infos="description ['some
description' to 'updated'], snAttribute ['' to 'updated']"
17.3.19. Object type: LDAP mapping

Examples:
[wabaudit] action="add" type="LdapMapping" object="<DOMAIN_1,
OU=Group> in user_group_154954913825 GROUP" user="ADMIN"
client_ip="10.10.45.212" infos="ldapGroup [OU=Group], domain [DOMAIN_1],
group [user_group_154954913825]"
[wabaudit] action="delete" type="LdapMapping" object="<DOMAIN_1,
OU=Group> in user_group_154954913825 GROUP" user="ADMIN"
client_ip="10.10.45.212" infos=""
17.3.20. Object type: Local domain

Examples:
[wabaudit] action="add" type="Localdomain" object="local"
user="admin" client_ip="10.10.45.212" infos="cn [local], device
[DEVICE_SSH_SHELL_SESSION]"
[wabaudit] action="delete" type="Localdomain" object="local1"
[wabaudit] action="edit" type="Localdomain" object="local1"
user="ADMIN" client_ip="10.10.45.212" infos="adminAccount ['None' to
'account_154954837938...']"
17.3.21. Object type: Notification

338
Examples:
[wabaudit] action="add" type="Notification"
object="notification_154955208543" user="ADMIN" client_ip="10.10.45.212"
infos="dest [notify@mydomain.com], flag [0], isNotificationEnable [True],
type [EMAIL]"
[wabaudit] action="delete" type="Notification"
infos=""
[wabaudit] action="edit" type="Notification"
infos="flag ['16' to '0']"
17.3.22. Object type: Period

Examples:
[wabaudit] action="add" type="Period" object="<2030-01-01 to 2099-12-31 ,
00:00:00 to 23:59:00, 127>" user="ADMIN" client_ip="10.10.45.212"
infos="startDate [2030-01-01], endDate [2099-12-31], startTime
[00:00:00], endTime [23:59:00], weekmask [127]"
[wabaudit] action="delete" type="Period" object="<2010-01-01 to
2020-01-01 , 09:30:00 to 18:30:00, 124>" user="ADMIN"
client_ip="10.10.45.212" infos=""
17.3.23. Object type: Profile

Examples:
[wabaudit] action="add" type="Profile" object="PROFILE_IP_FORBIDDEN"
user="admin" client_ip="10.10.45.212" infos="ip_limitation [1.1.1.1],
habilitationFlag [1], groups_limitation [], groups_member []"
[wabaudit] action="delete" type="Profile" object="profile_154954924847"
[wabaudit] action="edit" type="Profile" object="profile_154954927022"
17.3.24. Object type: Local password policy

Action: edit
Example:
[wabaudit] action="edit" type="PwdPolicy" object="default" user="admin"
client_ip="10.10.45.212" infos="pwdMinLowerLetter ['1' to '0'],
rsaMinLength ['4096' to '1024']"
17.3.25. Object type: Recording options

Action: edit
339
Example:
[wabaudit] action="edit" type="Recording Options" user="admin"
client_ip="10.10.43.28" infos="Recording Options ['No encryption, with
checksum' to 'No encryption, no checksum']"
17.3.26. Object type: Restriction

Examples:
[wabaudit] action="add" type="Restriction" object="<kill, Kill.
+Softly, SSH_SHELL_SESSION> in GROUP USER_GROUP_UNIX_KILL" user="admin"
client_ip="10.10.45.212" infos="action [kill], data [Kill.+Softly],
groups [USER_GROUP_UNIX_KILL], subprotocol [SSH_SHELL_SESSION]"
[wabaudit] action="delete" type="Restriction" object="<notify,
command_1, SSH_SHELL_SESSION> in GROUP ssh_grp" user="user_admin"
17.3.27. Object type: Service

Examples:
[wabaudit] action="add" type="Service"
object="DEVICE_SSH_SHELL_SESSION:SSH" user="admin"
client_ip="10.10.45.212" infos="protocol [SSH], port [22], subprotocols
[SSH_SHELL_SESSION], connectionPolicy [SSH]"
[wabaudit] action="delete" type="Service"
object="device_154954928856:ssh" user="ADMIN" client_ip="10.10.45.212"
infos=""
[wabaudit] action="edit" type="Service" object="device_154954931097:ssh"
17.3.28. Object type: Session logs

Action: list
Example:
[wabaudit] action="list" type="sessionlog" user="OPERATOR"
client_ip="127.0.0.1" infos="Current sessions"
17.3.29. Object type: Target group

Examples:
[wabaudit] action="add" type="Targetgroup" object="DEVICE_GROUP_UNIX"
user="admin" client_ip="10.10.45.212" infos="Users [], Targets
[__WIL__@am_il_domain@DEVICE_TELNET:TELNET,
__WAM__@am_il_domain@DEVICE_SSH_SCP_DOWN:SSH,
340
pubkey_account_without_password@local@DEVICE_SSH_FORWARDING:SSH and 35
other(s)], Profiles_limit [], Timeframes [allthetime]"
[wabaudit] action="delete" type="Targetgroup"
object="target_group_154954938767" user="ADMIN" client_ip="10.10.45.212"
infos=""
[wabaudit] action="edit" type="Targetgroup"
object="target_group_154954945465" user="ADMIN" client_ip="10.10.45.212"
infos="Description ['some desc' to 'some other desc']"
17.3.30. Object type: Time frame

Examples:
[wabaudit] action="add" type="TimeFrame" object="timeframe_154954856399"
user="ADMIN" client_ip="10.10.45.212" infos="description [],
isOvertimable [False]"
[wabaudit] action="delete" type="TimeFrame"
object="timeframe_154954953374" user="ADMIN" client_ip="10.10.45.212"
infos=""
[wabaudit] action="edit" type="TimeFrame"
object="timeframe_154954954305" user="ADMIN" client_ip="10.10.45.212"
infos=""
17.3.31. Object type: User

Examples:
[wabaudit] action="add" type="User" object="USER_IP_FORBIDDEN"
user="admin" client_ip="10.10.45.212" infos="email
[notify@mydomain.com], preferredLanguage [en], host [1.1.1.1], profile
[user], groups [USER_GROUP_UNIX], forceChangePwd [False], userPassword
[********], userauths [local]"
[wabaudit] action="edit" type="User" object="user_154954924239"
user="user_154954924239" client_ip="10.10.45.212" infos="email
['notify@mydomain.com...' to 'notify+1@mydomain.c...']"
[wabaudit] action="delete" type="User" object="UNKNOWN_USER" user="ADMIN"
client_ip="10.10.45.212" infos=""
17.3.32. Object type: External authentication

Examples:
[wabaudit] action="add" type="UserAuth" object="USER_AUTH_KERBEROS"
user="admin" client_ip="10.10.45.212" infos="wabAuthType [KERBEROS],
description [], port [88], host [10.10.45.148], kerDomControler
[DOMAIN.IFR.LAN]"
341
[wabaudit] action="delete" type="UserAuth"

object="auth_LDAP_154955198487" user="ADMIN" client_ip="10.10.45.212"
infos=""
[wabaudit] action="edit" type="UserAuth" object="auth_LDAP_154955202505"
user="ADMIN" client_ip="10.10.45.212" infos="description ['None' to
'updated while used b...']"
17.3.33. Object type: User group

Examples:
[wabaudit] action="add" type="Usergroup" object="USER_GROUP_UNIX"
user="admin" client_ip="10.10.45.212" infos="Users [], Profiles_limit [],
Timeframes [allthetime]"
[wabaudit] action="delete" type="Usergroup"
object="user_group_154954962345" user="ADMIN" client_ip="10.10.45.212"
infos=""
[wabaudit] action="edit" type="Usergroup"
object="user_group_154954965326" user="ADMIN" client_ip="10.10.45.212"
infos="Description ['some desc' to 'some other desc']"
17.3.34. Object type: X509 parameters (CRL)

Examples:
[wabaudit] action="add" type="X509 Parameters" user="admin"
client_ip="192.168.0.12" infos="CRL [url fetched hourly]"
[wabaudit] action="delete" type="X509 Parameters" user="admin"
client_ip="192.168.0.12" infos="CRL [deleted]"
[wabaudit] action="edit" type="X509 Parameters" user="admin"
client_ip="192.168.0.12" infos="CRL [file updated]"
17.4. Logs from the SSH service

17.4.1. Flow of a successful session

17.4.1.1. Successful connection
sshproxy: [sshproxy] psid="15493629957933" type="INCOMING_CONNECTION"
src_ip="10.10.43.84" src_port="54446"
sshproxy: [sshproxy] psid="15493629957933" user="user01"
type="AUTHENTICATION_TRY"
pubkey_hash="2aab6ee7ace610650e14de24d318fa9defefe984377923e382daae6c4b648ebb"
method="SSH Key" pubkey_type="ssh-ed25519"
342

type="AUTHENTICATION_FAILURE"
pubkey_hash="2aab6ee7ace610650e14de24d318fa9defefe984377923e382daae6c4b648ebb"
method="SSH Key" pubkey_type="ssh-ed25519"
type="AUTHENTICATION_TRY" method="Password"
wabengine: [wabauth] action="authentify" user="user01"
client_ip="10.10.43.84" status="started" infos="diagnostic
[Authentication started: identified with external-auth-ad(LDAP).]"
client_ip="10.10.43.84" status="success" infos="diagnostic
[Authentication success: identified with external-auth-ad(LDAP),
authentified with: external-auth-ad(LDAP).]"
type="AUTHENTICATION_SUCCESS" method="Password"
Note:
The psid number is the same for all actions logged during the same session.
17.4.1.2. Display of the proxy selector

type="TARGET_CONNECTION" login="root" host="10.10.47.53"
session_id="168bd3b417f437ae005056b60af6"
target="root@local@10.10.47.53:ssh:SSH_ALL" port="22"
sshproxy: [SSH Session] session_id="168bd3b417f437ae005056b60af6"
client_ip="10.10.43.84" target_ip="10.10.47.53" user="user01"
device="10.10.47.53" service="ssh" account="root"
type="SESSION_ESTABLISHED_SUCCESSFULLY"
device="10.10.47.53" service="ssh" account="root" type="KBD_INPUT"
data="exit"
type="TARGET_DISCONNECTION" session_id="168bd3b417f437ae005056b60af6"
target="root@local@10.10.47.53:ssh:SSH_ALL"
Note:
17.4.1.3. Return to the proxy selector

device="10.10.47.53" service="ssh" account="root"
type="SESSION_DISCONNECTION" duration="0:00:05"
343

type="DISCONNECTION"
Note:
17.4.2. Flow of a connection failure: connection denied,

machine is powered off or service unavailable
type="TARGET_CONNECTION" login="root" host="10.10.47.53"
session_id="168bd4545a2dba16005056b60af6"
target="root@local@10.10.47.53:TELNET:SSH_ALL" port="23"
sshproxy: [SSH Session] session_id="168bd4545a2dba16005056b60af6"

device="10.10.47.53" service="TELNET" account="root"
type="CONNECTION_FAILED"

type="TARGET_CONNECTION_FAILED"
session_id="168bd4545a2dba16005056b60af6" reason="Connection failed"
login="root" host="10.10.47.53"
target="root@local@10.10.47.53:TELNET:SSH_ALL" port="23"

type="TARGET_DISCONNECTION" session_id="168bd4545a2dba16005056b60af6"
target="root@local@10.10.47.53:TELNET:SSH_ALL"
Note:
17.4.3. Flow of a connection failure: invalid target or access

denied
ssh -t roota@local@10.10.47.53:ssh:SSH_ALL:user01@10.10.47.20


type="TARGET_ERROR" reason="Invalid target"
target="roota@local@10.10.47.53:ssh:SSH_ALL"

type="DISCONNECTION"
Note:
344
17.4.4. Successful session opening

[SSH Session] type=”SESSION_ESTABLISHED_SUCCESSFULLY”
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin"
17.4.5. Session opening failure

[SSH Session] type=”CONNECTION_FAILED”
device="debian" service="ssh" account="admin"
17.4.6. Session disconnection

[SSH Session] type=”SESSION_DISCONNECTION”
session_id=”002ac1d68450742e1928b88df3ca15385d710b33”
client_ip=”192.168.1.10” target_ip=”192.168.1.200” user=”maint”
device=”debian” service=”ssh” account=”admin” duration=”9:12:12”
Note:
The session duration format (“duration”) is as follows:
h:mm:ss
“h”: the number of hours. Note that it is only labelled on a single digit from “0” to “9”.
“mm”: the number of minutes is always labelled on 2 digits
“ss”: the number of seconds is always labelled on 2 digits
Examples:
duration="0:00:07"
duration="2:15:01"
duration="16:23:16"
duration="88:02:01"
duration="157:45:59"
17.4.7. Channel events

17.4.7.1. Open / Close X11 channel
[SSH Session] type="CHANNEL_EVENT"
device="debian" service="ssh" account="admin" data="Open X11 Channel"
channel_id="C0001"

345

device="debian" service="ssh" account="admin" data="Close X11 Channel"
channel_id="C0001"
17.4.7.2. Open / Close AuthAgent channel

device="debian" service="ssh" account="admin" data="Open AuthAgent
Channel" channel_id="C0001"

device="debian" service="ssh" account="admin" data="Close AuthAgent
17.4.7.3. Open / Close direct TCP/IP channel

device="debian" service="ssh" account="admin" data="Open Direct
TCPIP Channel" channel_id="C0001" src="127.0.0.1" src_port="45678"
dst="localhost" dst_port="1234"

device="debian" service="ssh" account="admin" data="Close Direct TCPIP
17.4.7.4. Open / Close reverse TCP/IP channel

device="debian" service="ssh" account="admin" data="Open Reverse
TCPIP Channel" channel_id="C0001" src="127.0.0.1" src_port="45678"
dst="localhost" dst_port="1234"

device="debian" service="ssh" account="admin" data="Close Reverse TCPIP
17.4.8. Request events

17.4.8.1. X11 request
[SSH Session] type="REQUEST_EVENT"
346

device="debian" service="ssh" account="admin" data="Request X11"
17.4.8.2. AuthAgent request

device="debian" service="ssh" account="admin" data="Request AuthAgent"
17.4.8.3. Reverse TCP/IP socket request

device="debian" service="ssh" account="admin" data="Request Reverse TCPIP
Socket"
device="debian" service="ssh" account="admin" data="Cancel Reverse TCPIP
Socket"
17.4.9. Pattern detection on shell or remote command

[SSH Session] type="NOTIFY_PATTERN_DETECTED"
device="debian" service="ssh" account="admin" pattern="tail"
[SSH Session] type="KILL_PATTERN_DETECTED"
device="debian" service="ssh" account="admin" pattern="rm"
[SSH Session] type="WARNING_PATTERN_DETECTED"
device="debian" service="ssh" account="admin" pattern="tail"
17.4.10. Command detection on Cisco devices

[SSH Session] type="NOTIFY_COMMAND_DETECTED"
device="cisco" service="ssh" account="admin" command="access-template"
[SSH Session] type="KILL_COMMAND_DETECTED"
device="cisco" service="ssh" account="admin" command="configure terminal"
[SSH Session] type="WARNING_COMMAND_DETECTED"
347

device="cisco" service="ssh" account="admin" command="access-template"
17.4.11. SFTP actions

The actions are: stat, lstat, opendir, remove, mkdir, rmdir, rename, readlink, symlink, link, status.
[SSH Session] type=”SFTP_EVENT”
device="debian" service="ssh" account="admin" data=”lstat /home/admin/”
17.4.12. File size restriction on SFTP

[SSH Session] type=”KILL_SIZELIMIT_DETECTED”
device="debian" service="ssh" account="admin" data=”Restriction: /var/
log/syslog file too big”
[SSH Session] type=”NOTIFY_SIZELIMIT_DETECTED”
device="debian" service="ssh" account="admin" data=”Restriction: /var/
log/syslog file too big”
17.4.13. Beginning of file transfer on SFTP

device="debian" service="ssh" account="admin" data=”get /var/log/syslog
begin”
17.4.14. End of file transfer on SFTP with file size and hash
device="debian" service="ssh" account="admin" data=”get /
var/log/syslog done, length= 338079, sha256 =
711cf730055826274d76ebb0505e13973f69d1b55d81199385362f5f319e9453”
17.4.15. File size restriction on SCP

[SSH Session] type="KILL_SIZELIMIT_DETECTED"
device="debian" service="ssh" account="admin" data="Restriction: /var/
log/syslog file too big"
[SSH Session] type="SCP Event" session_id="sssss" user="uuuuu"
device="ddddd" service="SSSSS" account="aaaaa" data="Kill Restriction:
<filename> file too big"
348
17.4.16. Beginning of file transfer on SCP

[SSH Session] type=”SCP_EVENT”
device="debian" service="ssh" account="admin" data=”get /var/log/syslog
begin”
17.4.17. End of file transfer on SCP with file size and hash
[SSH Session] type=”SCP_EVENT”
device="debian" service="ssh" account="admin" data=”get /
var/log/syslog done, length= 338079, sha256 =
711cf730055826274d76ebb0505e13973f69d1b55d81199385362f5f319e9453”
17.4.18. User typed keyboard input

[SSH Session] type=”KBD_INPUT”
device="debian" service="ssh" account="admin" data=”ls -al”
17.4.19. Export group membership for target account in

session metadata
[SSH Session] type=”GROUP_MEMBERSHIP” session_id=”SESSIONID-0000”
device=”debian” service=”ssh” account=”tartempion” groups="foo,bar,mod"
Note:
This can be enabled by selecting the option "Log group membership" below the "trace"
section on the configuration page related to the connection policy for the SSH protocol.
17.4.20. File verification by ICAP server

17.4.20.1. Verification of a valid file
[SSH Session] session_id=”SESSIONID-0000” client_ip=”192.168.1.10”
target_ip=”192.168.1.200” user=”maint” device=”win2k8” service=”sshd”
account=”doe” type="FILE_VERIFICATION" direction="UP" filename="/home/
doe/viruses/abc" status="OK"
17.4.20.2. Verification of an invalid file

doe/viruses/abc" status="Forbidden"
349
Note:
The status may change depending on the ICAP server.
17.4.20.3. Connection error to the ICAP server

account=”doe” type="FILE_VERIFICATION_ERROR" icap_service="avscan"
status="Unable to connect to ICAP server"
17.5. Logs from the RDP service

17.5.1. Flow of a connection failure: connection denied,

machine is powered off or service unavailable
rdpproxy: [rdpproxy] psid="154937229523480" user="user01@Active
Directory Domain" type="TARGET_CONNECTION"
session_id="168bdc90a110d2b5005056b60af6" target="Administrator"
host="1.1.1.1" port="3389"
rdpproxy: [rdpproxy] psid="154937229523480" user="user01@Active
Directory Domain" type="TARGET_CONNECTION_FAILED"
session_id="168bdc90a110d2b5005056b60af6" target="Administrator"
host="1.1.1.1" port="3389" reason="All trials done"
rdpproxy: [RDP Session] session_id="168bdc90a110d2b5005056b60af6"
client_ip="10.10.43.84" target_ip="1.1.1.1" user="user01@Active
Directory Domain" device="win_Invalid" service="RDP"
account="Administrator" type="CONNECTION_FAILED"
Note:
17.5.2. Flow of a connection failure: invalid target or access

denied
rdpproxy: [rdpproxy] psid="15496397758462" type="INCOMING_CONNECTION"
src_ip="10.10.43.84" src_port="35302"
rdpproxy: [rdpproxy] psid="15496397758462" user="user01"
type="AUTHENTICATION_TRY" method="Password"
client_ip="10.10.43.84" status="success" infos="diagnostic [\'Active
Directory\' -password- authentication succeeded]"
client_ip="10.10.43.84" status="started" infos="diagnostic
[Authentication started: identified with external-auth-ad(LDAP).]"
350

client_ip="10.10.43.84" status="success" infos="diagnostic
[Authentication success: identified with external-auth-ad(LDAP),
authentified with: external-auth-ad(LDAP).]"


type="TARGET_ERROR" target="Administrator@local" reason="Target not found
in user rights"
rdpproxy: [rdpproxy] psid="15496397758462" user="user01" type="LOGOUT"
rdpproxy: [rdpproxy] psid="15496397758462" type="DISCONNECT"
Note:
17.5.3. Successful session opening

[RDP Session] type=”SESSION_ESTABLISHED_SUCCESSFULLY”
session_id=”SESSIONID-0000” client_ip=”192.168.1.10”
target_ip=”192.168.1.200” user=”maint” device=”win2k8” service=”rdp”
account=”Maintenance”
17.5.4. Upload file via clipboard

[RDP Session] type=”CB_COPYING_PASTING_FILE_TO_REMOTE_SESSION”
target_ip=”192.168.1.200” user=”maint” device=”win2k8”
service=”rdp” account=”Maintenance” file_name=”20160725-183530_659.log”
size=”42816744”
sha256=”5933e6ca43514b5b4108ca07be7b040f161c5331b4455449a204cc9c502f9c0a”
17.5.5. Download file via clipboard

[RDP Session] type=”CB_COPYING_PASTING_FILE_FROM_REMOTE_SESSION”
service=”rdp” account=”Maintenance” file_name=”20160725-183530_659.log”
size=”42816744”
sha256=”45d6f2826b24d69faed524e5f42020c917e29c9deaf162845f7c441b0d5561d8”
17.5.6. Upload data via clipboard (such as image, sound,

etc. except Unicode text format or local data)
[RDP Session] session_id=”SESSIONID-0000” client_ip=”192.168.1.10”
account=”Maintenance” type=”CB_COPYING_PASTING_DATA_TO_REMOTE_SESSION”
format=”Preferred DropEffect” size=”4”
351
17.5.7. Download data via clipboard (such as image, sound,

etc. except Unicode text format or local data)
account=”Maintenance” type=”CB_COPYING_PASTING_DATA_FROM_REMOTE_SESSION”
format=”Preferred DropEffect” size=”4”
17.5.8. Upload data via clipboard (such as Unicode text

format or local data)
type=”CB_COPYING_PASTING_DATA_TO_REMOTE_SESSION_EX”
format=”CF_UNICODETEXT” size=”32” partial_data=”This is a test!”
17.5.9. Download data via clipboard (such as Unicode text

format or local data)
type=”CB_COPYING_PASTING_DATA_FROM_REMOTE_SESSION_EX”
format=”CF_UNICODETEXT” size=”32” partial_data=”This is a test!”
17.5.10. Reading workstation file from server

17.5.10.1. Non-sequential or partial access to the file
account=”Maintenance” type=”DRIVE_REDIRECTION_READ” file_name=”home/
out.txt”
17.5.10.2. Sequential or full access to the file

account=”Maintenance” type=”DRIVE_REDIRECTION_READ_EX” file_name=”home/
out.txt size=”4281”
sha256=”5933e6ca43514b5b4108ca07be7b040f161c5331b4455449a204cc9c502f9c0a”
17.5.11. Writing workstation file by server

17.5.11.1. Non-sequential or partial access to the file
352
account=”Maintenance” type=”DRIVE_REDIRECTION_WRITE” file_name=”home/

out.txt”
17.5.11.2. Sequential or full access to the file

service=”rdp” account=”Maintenance” type=”DRIVE_REDIRECTION_WRITE_EX”
file_name=”home/out.txt size=”5423”
sha256=”45d6f2826b24d69faed524e5f42020c917e29c9deaf162845f7c441b0d5561d8”
17.5.12. Target disconnected the session

[RDP Session] type=”SESSION_DISCONNECTION” session_id=”SESSIONID-0000”
device=”win2k8” service=”rdp” account=”Maintenance” duration=”9:12:12”
Note:
h:mm:ss
Examples:
duration="0:00:07"
duration="2:15:01"
duration="16:23:16"
duration="88:02:01"
17.5.13. Session ended by proxy

[RDP Session] type=”SESSION_DISCONNECTION” session_id=”SESSIONID-0000”
device=”win2k8” service=”rdp” account=”Maintenance” duration=”9:12:12”
Note:
h:mm:ss
353
Examples:
duration="0:00:07"
duration="2:15:01"
duration="16:23:16"
duration="88:02:01"
17.5.14. Session ending in progress

[RDP Session] type=”SESSION_ENDING_IN_PROGRESS”
Note:
This log is displayed when session ending is slow and then exceeds the timeout of the
RDP proxy.
17.5.15. Window title bars as detected by the Session Probe

Data can contain the title and the process command line.
[RDP Session] type=”TITLE_BAR” session_id=”SESSIONID-0000”

device=”win2k8” service=”rdp” account=”Maintenance” source=”Probe”
window=”out.txt - Bloc-notes”
17.5.16. Window title bars as detected by OCR

[RDP Session] type=”TITLE_BAR” session_id=”SESSIONID-0000”
device=”win2k8” service=”rdp” account=”Maintenance” source=”OCR”
window=”out.txt - Bloc-notes”
17.5.17. User typed keycodes translated using the current

layout
[RDP Session] type=”KBD_INPUT” session_id=”SESSIONID-0000”
device=”win2k8” service=”rdp” account=”Maintenance” data=” to connect to
remote TCP host.”
17.5.18. Click on a button in a window

The message contains the window title and the button name.
[RDP Session] type=”BUTTON_CLICKED” session_id=”SESSIONID-0000”

354
device=”win2k8” service=”rdp” account=”Maintenance” windows=”\"Bloc-

notes\",\"\",\"\"” button=”Ne pas en&registrer'”
17.5.19. Text edition in a text field in a window

The message contains the window title and the text field name.
[RDP Session] type=”EDIT_CHANGED” session_id=”SESSIONID-0000”
device=”win2k8” service=”rdp” account=”Maintenance”
windows=”\"Propriétés de : id.txt\",\"Général\"” edit=”Nom du fichier :”
17.5.20. Focus in and out on a password text box

[RDP Session] type=”PASSWORD_TEXT_BOX_GET_FOCUS”
account=”Maintenance” status=”yes”
17.5.21. Focus in and out on an unidentified input field

[RDP Session] type=”UNIDENTIFIED_INPUT_FIELD_GET_FOCUS”
17.5.22. New active windows detected by the Session Probe

The message contains the window title, the window class name and the process command line.
[RDP Session] type=”FOREGROUND_WINDOW_CHANGED”
service=”rdp” account=”Maintenance” text=”PuTTY Configuration”
class_name=”PuTTYConfigBox” command_line=”\"C:\\Users\\Maintenance\
\Desktop \\putty.exe\"”
17.5.23. Change of keyboard layout

The message contains the sub-language name.
[RDP Session] type=”INPUT_LANGUAGE” session_id=”SESSIONID-0000”
device=”win2k8” service=”rdp” account=”Maintenance” identifier=”0x040C”
display_name=”French (France)”
17.5.24. Creation of a new process

[RDP Session] type=”NEW_PROCESS” session_id=”SESSIONID-0000”
device=”win2k8” service=”rdp” account=”Maintenance” command_line=”C:
\\Windows\\system32\\DllHost.exe /Processid:{49F171DD- B51A-40D3-9A6C-
2D674CC729D}”
355
17.5.25. Process ended

[RDP Session] type=”COMPLETED_PROCESS” session_id=”SESSIONID-0000”
device='win2k8' service='rdp' account=”Maintenance” command_line=”C: \
\Windows\\system32\\TSTheme.exe -Embedding”
17.5.26. Process blocked

[RDP Session] type=”PROCESS_BLOCKED” session_id=”SESSIONID-0000”
device='win2k8' service='rdp' account=”Maintenance” rule=”$deny:cmd”
app_name=”cmd.exe” app_cmd_line=”\”C:\\Windows\\system32\\cmd.exe\” ”
17.5.27. VNC session initiated

[VNC Session] type=”SESSION_ESTABLISHED_SUCCESSFULLY”
target_ip=”192.168.1.210” user=”maint” device=”win2k3” service=”vnc”
account=”vncuser”
17.5.28. VNC session ended

[VNC Session] type=”SESSION_DISCONNECTION” session_id=”SESSIONID-0000”
device=”win2k3” service=”vnc” account=”vncuser" duration=”9:12:12”
Note:
h:mm:ss
Examples:
duration="0:00:07"
duration="2:15:01"
duration="16:23:16"
duration="88:02:01"
17.5.29. UAC prompt displayed

[RDP Session] type=”UAC_PROMPT_BECOME_VISIBLE”
356
17.5.30. X509 server certificate match

[RDP Session] type=”SERVER_CERTIFICATE_MATCH_SUCCESS”
account=”Maintenance” description=”X.509 server certificate match”
17.5.31. Connection to server allowed

[RDP Session] type=”CERTIFICATE_CHECK_SUCCESS”
account=”Maintenance” description="Connexion to server allowed"
17.5.32. New X509 certificate created

[RDP Session] type=”SERVER_CERTIFICATE_NEW” session_id=”SESSIONID-0000”
device=”win2k8” service=”rdp” account=”Maintenance” description=”New
X.509 certificate created”
17.5.33. X509 server certificate match failure

[RDP Session] type=”SERVER_CERTIFICATE_MATCH_FAILURE”
account=”Maintenance” description=”X.509 server certificate match
failure”
17.5.34. X509 server certificate internal error

[RDP Session] type=”SERVER_CERTIFICATE_ERROR”
account=”Maintenance” description=”X.509 server certificate internal
error: \"No such file or directory\"”
17.5.35. Kerberos ticket creation

[RDP Session] type="KERBEROS_TICKET_CREATION"
encryption_type="AES256_CTS_HMAC_SHA1_96(18)"
client_name="user01@mydomain.com" server_name="host/
ad01.mydomain.com@MYDOMAIN.COM" start_time="2018/12/05 17:51:56"
end_time="2018/12/06 03:51:56" renew_time="2018/12/12 17:51:56"
flags="[name_canonicalize | ok_as_delegate | pre_authent | renewable |
forwardable](0x40a50000)"
17.5.36. Kerberos ticket deletion

[RDP Session] type="KERBEROS_TICKET_DELETION"
encryption_type="AES256_CTS_HMAC_SHA1_96(18)"
client_name="user01@mydomain.com" server_name="host/
357
ad01.mydomain.com@MYDOMAIN.COM" start_time="2018/12/05 17:51:56"

end_time="2018/12/06 03:51:56" renew_time="2018/12/12 17:51:56"
flags="[name_canonicalize | ok_as_delegate | pre_authent | renewable |
forwardable](0x40a50000)"
17.5.37. State of check boxes in metadata collected by the

Session Probe
The message contains the state of a check box once an action has been performed.
[RDP Session] type=”CHECKBOX_CLICKED” session_id=”SESSIONID-0000”

device=”win2k8” service=”rdp” account=”Maintenance” windows=”\"Remote
Desktop Connection\",\"\",\"\"” checkbox=”Allow me to save credentials'”
state="checked"
The possible values for the “state” field are as follows:
• “checked”: the check box is selected

• “indeterminate”: the check box is an intermediate state, when there are three possible states for
the check box
• “unchecked”: the check box is deselected
• “unavailable”: the state of the check box could not be read
17.5.38. Web navigation data collected from the Session

Probe
Data can be collected from the following browsers: Internet Explorer, Microsoft Edge, Mozilla Firefox
and Google Chrome.
[RDP Session] type=”WEB_BEFORE_NAVIGATE” session_id=”SESSIONID-0000”

device=”win2k8” service=”rdp” account=”Maintenance” url=”https://
fr.wikipedia.org/” post="no"
[RDP Session] type=”WEB_DOCUMENT_COMPLETE” session_id=”SESSIONID-0000”

fr.wikipedia.org/” title="Wikipédia, l'encyclopédie libre"
[RDP Session] type=”WEB_NAVIGATE_ERROR” session_id=”SESSIONID-0000”

fr.wikipedia.org/todoist” title="Not found" code="404"
display_name="NOT_FOUND"
[RDP Session] type=”WEB_ENCRYPTION_LEVEL_CHANGED”

account=”Maintenance” identifier="6" display_name="Secure128Bit"
[RDP Session] type=”WEB_ATTEMPT_TO_PRINT” session_id=”SESSIONID-0000”

358

fr.wikipedia.org/” title="Wikipédia, l'encyclopédie libre"
[RDP Session] type=”WEB_THIRD_PARTY_URL_BLOCKED”
account=”Maintenance” url=”https://www.download.org/”
[RDP Session] type=”WEB_PRIVACY_IMPACTED” session_id=”SESSIONID-0000”
device=”win2k8” service=”rdp” account=”Maintenance” impacted="no"
[RDP Session] type=”WEB_NAVIGATION” session_id=”SESSIONID-0000”
fr.wikipedia.org/”
Data related to this last message cannot be collected from Internet Explorer.
17.5.39. Export group membership for target account in

session metadata
[RDP Session] type=”GROUP_MEMBERSHIP” session_id=”SESSIONID-0000”
device=”win2k8” service=”rdp” account=”Maintenance”
groups="None,All,Users,Remote Desktop Users,REMOTE INTERACTIVE
LOGON,INTERACTIF,LOCAL"
17.5.40. File verification by ICAP server

17.5.40.1. Verification of a valid file
doe/viruses/abc" status="OK"
17.5.40.2. Verification of an invalid file

doe/viruses/abc" status="Forbidden"
Note:
The status may change depending on the ICAP server.
17.5.40.3. Verification of a valid text transferred from the copy/paste function via
the clipboard
359
account=”doe” type="TEXT_VERIFICATION" direction="UP" copy_id="003"

status="OK"
17.5.40.4. Verification of an invalid text transferred from the copy/paste function

via the clipboard
account=”doe” type="TEXT_VERIFICATION" direction="UP" copy_id="005"
status="OK"
17.5.40.5. Connection error to the ICAP server

account=”doe” type="FILE_VERIFICATION_ERROR" icap_service="avscan"
status="Unable to connect to ICAP server"
17.5.41. Opening of dynamic virtual channel

17.5.41.1. Dynamic virtual channel allowed
[RDP Session] type="DYNAMIC_CHANNEL_CREATION_ALLOWED"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" channel_name="SocksChannel"
17.5.41.2. Dynamic virtual rejected

[RDP Session] type="DYNAMIC_CHANNEL_CREATION_REJECTED"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" channel_name="SocksChannel"
17.6. Logs from the system

The stream provides messages for the activities described in following sections.
17.6.1. Integrity of session log files

17.6.1.1. Integrity check successful
[integrity] session_uid="168bd4814f18ce92005056b60af6" status="OK"
type="SSH_SHELL_SESSION" user="user01@Active Directory
Domain@10.10.43.84" target=root@local@10.10.47.53:ssh" begin="2019-02-05
11:50:44" end="2019-02-05 11:50:49"
[integrity] session_uid="168bd4dbaf97a9fd005056b60af6" status="OK"

type="RDP" user="user01@Active Directory Domain@10.10.43.84"
target=Administrator@local@winAD:rdp" begin="2019-02-05 11:56:55"
end="2019-02-05 11:57:26"
360
17.6.1.2. Integrity error: session log file corrupted

[integrity] session_uid="168bdad7ef8916bd005056b60af6" status="failed"
type="RDP" user="user01@Active Directory Domain@10.10.43.84"
target=Administrator@local@winAD:rdp" begin="2019-02-05 13:41:31"
end="2019-02-05 13:41:43" files=[
"/var/wab/recorded/
rdp/168bdad7ef8916bd005056b60af6,user01@ActiveDirectoryDomain@10.10.43.84,
Administrator@winAD,20190205-134130,BASTION-DEV,2131.log",
"/var/wab/recorded/
rdp/168bdad7ef8916bd005056b60af6,user01@ActiveDirectoryDomain@10.10.43.84,
Administrator@winAD,20190205-134130,BASTION-DEV,2131.mwrm" ]
17.6.2. System configuration changes

17.6.2.1. Network configuration
Examples:
[sysaudit] action="add" type="route" object="eth0<10.10.0.0>"
[sysaudit] action="delete" type="route" object="eth0<10.10.0.0>"
[sysaudit] action="edit" type="route" object="eth0<10.10.0.0>"
infos="changed netmask from None to 255.255.255.0"
17.6.2.2. SIEM server configuration

Examples:
[sysaudit] action="add" object="1.1.1.1" type="siem-dest"
[sysaudit] action="delete" object="1.1.1.1" type="siem-dest"
[sysaudit] action="edit" object="1.1.1.1" type="siem-dest" infos="SIEM
destination enabled"
[sysaudit] action="edit" object="1.1.1.1" type="siem-dest" infos="changed
port from 514 to 2514"
[sysaudit] action="edit" object="1.1.1.1" type="siem-dest" infos="changed
remote protocol from udp to tls"
17.6.2.3. Remote storage configuration

Action: edit
Examples:
[sysaudit] action="edit" type="remote-storage" infos="remote storage
enabled"
361
[sysaudit] action="edit" type="remote-storage" infos="changed remote

storage type from cifs to nfs"
17.6.2.4. Service mapping configuration

Action: edit
Examples:
[sysaudit] action="edit" type="service-mapping" infos="iptables rules

enabled"
[sysaudit] action="edit" type="service-mapping" infos="changed the limit
of parallel connections per IP from 10 to 5"
[sysaudit] action="edit" type="service-mapping" infos="changed HA

interface mapping from ['eth1'] to ['eth1.0']"
17.7. Logs from vault activities

The stream provides messages for the following account activities:
• checkout
• checkout duration extension
• check-in and automatic check-in
• forced check-in
• credential change
Examples:
[Vault Activity] action="checkout" user="administrator"

account="limited_user@local@device1" session="False" result="Checkout
successful"
[Vault Activity] action="extend checkout" user="administrator"

account="limited_user@local@device1" session="False" result="Checkout
extension successful"
[Vault Activity] action="checkout" user="OPERATOR"

account="limited_user@local@device1" session="False" result="Force
checkin successful"
[Vault Activity] action="credential change"

account="limited_user@local@bastion" credential type="any"
result="failed" reason="missing new credentials from account"
362
Chapter 18. Contact WALLIX Bastion

Support
Our WALLIX Bastion Support Team is available to help you during hours defined in your support
contract:
Web: https://support.wallix.com/
Telephone: (+33) (0)1 70 36 37 50 for Europe, Middle East and Africa and (+1) 438-814-0255 for
the Americas
363
Index AutoIt scripts, 148

delete, 158
edit, 158
import, 159
A jump server configuration, 146
Account history manage resource associations, 158
audit, 256 menu, 145
menu, 256 RemoteApp mode, 147
Account mapping Approval history
configure target groups, 185 audit, 257
Accounts menu, 257, 306
add/list/delete a reference, 174 Approval workflow, 307
application accounts, 177 configuration, 308
checkout policies, 205 steps, 309
define references, 174 Audit
discovery account history, 256
configure a network scan, 209 approval history, 257
configure an Active Directory scan, 212 authentication history, 258
onboard discovered accounts, 217 connection statistics, 259
global accounts, 172 current sessions, 248
local accounts, 137, 175 current sessions in real-time view, 249
Accounts (targets) RDP current session remote control, 250
menu, 171 RDP current session sharing, 250
Accounts (user) recording options, 264
menu, 74 session history, 250
ACLs session management, 248
presentation, 18 session recordings, 252
administration interface Audit data, 248
access, 35 Audit logs
AIX plugin, 236 logs, 49
Algorithms menu, 49
data encryption, 19 Authentication
Antivirus smart card, 271
configuration for verification of files transferred X509 certificate authentication, 101
with ICAP for RDP and SSH, 269 Authentication domains
API key add for Azure AD, 125
delete, 330 add for LDAP/Active Directory, 119
edit, 330 delete, 129
generate, 330 edit, 128
Application accounts, 177 import, 129
delete, 180 import mappings, 132
edit, 178 menu, 118
Application Driver, 149 Authentication history
browser extension, 156 audit, 258
configuration menu, 258
automatic deployment, 150 Authorization
manual deployment, 151 passwords, 221
parameter list, 154 sessions, 243
virtual channel, 149 Authorizations, 301
Applications, 145 add, 301
accounts, 177 approval workflow, 307
add, 157 delete, 302
add an account, 158 edit, 302
364
import, 302 Checkpoint plugin, 236

view approval history, 306 CIDR, 136, 209, 210
view current approvals, 305 notation, 282
AutoIt Cisco Nexus plugin, 235
scripts, 148 Cisco plugin, 225
Automatic backup Citrix ADC plugin, 237
configuration, 65 Clusters, 196
purge, 66 add, 196
Automatic credential change, 179 delete, 197
Azure AD edit, 197
import domains, 129 import, 197
import mappings, 132 menu, 196
Azure AD domains, 118 Commands, 312
add, 125 Configuration
delete, 129 applications, 145
edit, 128 authorizations, 301
import, 129 AutoIt scripts, 148
Azure AD mappings automatic backup, 65
import, 132 Azure AD domain, 118
backup, 62
B break glass mechanism, 241
Backup, 62, 63, 64, 65, 66 checkout policies, 205
automatic backup, 65 clusters, 196
automatic backup purge, 66 configuration options, 40
purge, 66 banner, 44
Backup/restoration OEM, 42
automatic backup, 65 session timeout, 42
automatic backup purge, 66 user interface, 41
command line, 64 connection messages, 293
configuration files, 63 connection policies, 261
menu, 62 devices, 135
Banner discovery, 208
configuration, 44 domains, 160
Bastion plugin, 199 encryption, 46
bastion-crypto init, 314 external authentications, 109
bastion-crypto unlock, 315 high-availability, 67
Boot messages jump server, 146
logs, 49 KeepAlive, 282
menu, 49 LDAP/Active Directory domain, 118
Break glass license, 44
configuration , 241 local password policy, 99
Browser extension network, 49
Application Driver, 156 notifications, 95
Notifications
C add, 96
customize, 97
Certificates
delete, 97
devices, 139
edit, 97
change, 327
passphrase, 47
Checkout policies, 205
password policy, 99
add, 206
preferences, 38
delete, 207
Remote Desktop Connection Broker, 293
edit, 207
remote storage, 53
menu, 205
365
RemoteApp mode, 147 session probe, 283

restoration, 62 SSH startup scenario, 278
service activation, 60 TELNET/RLOGIN connection scenario, 276
service control, 59 transformation rule to get a login, 267
service mapping, 59 transformation rule to get credentials, 267
session probe, 286 VNC session over an SSH tunnel, 277
SIEM integration, 54 WALLIX BestSafe, 291
smart card authentication, 271 Connection scenario
SMTP server, 61 TELNET/RLOGIN, 276
SNMP, 55 Connection statistics
target accounts, 171 audit, 259
target groups, 183 menu, 259
time frames, 309 Credential checkout
time service, 52 add a policy, 206
transparent mode, 281 delete a policy, 208
user account mapping, 118 edit a policy, 207
user accounts, 74 Credentials
user data retention policy, 94 automatic change for a target account, 179
user groups, 83 checkout policies, 205
user profiles, 87 manual change for a target account, 179
X509 configuration, 101 CRL, 103
Configuration options, 40 Cryptographic settings
AutoIt scripts, 148 RDP, 277
banner, 44 SSH, 277
configuration for verification of files transferred CSV
with ICAP for RDP and SSH, 269 import applications, 159
KeepAlive, 282 import authorizations, 302
OEM, 42 import Azure AD domains, 129
RemoteApp mode, 147 import Azure AD mappings, 132
session timeout, 42 import clusters, 197
transparent mode, 281 import devices, 142
user interface, 41 import global domains, 166
virtual channel, 149 import LDAP/Active Directory domains, 129
Configurations options import LDAP/Active Directory mappings, 132
menu, 40 import local domains, 169
Connection messages import target accounts, 180
menu, 293 import target groups, 195
Connection policies import user groups, 86
add, 262 import user profiles, 90
allowing or rejecting dynamic virtual channels, import users, 78
275 import/export restrictions, 193
configuration for verification of files transferred import/export restrictions for target groups, 193
with ICAP for RDP and SSH, 269 import/export restrictions for user groups, 193
configuration of log for keyboard input, 275 Current sessions
configuration of log for recorded sensitive data, audit, 248
274 menu, 248, 249, 250
configuration of RDP cryptographic settings, 277 RDP current session remote control, 250
configuration of SSH cryptographic settings, 277 RDP current session sharing, 250
delete, 263 real-time view, 249
edit, 263 Current sessions in real-time view
file storage, 271 audit, 249
menu, 261 CyberArk Enterprise Password Vault plugin, 200
Remote Desktop Connection Broker, 291
366
D DLP
Dashboards, 295 configuration for verification of files transferred
administration, 295 with ICAP for RDP and SSH, 269
audit, 297 Domains, 160
Dell iDRAC plugin, 225 add, 162
Device accounts add an account, 165
delete, 180 associate with a CA, 163
edit, 178 associate with an SSH Certificate Authority, 163
Devices, 135 change the passwords for all the accounts, 165,
accounts, 175 165
add, 135 delete, 166
add tags, 141 edit, 164
add/list/delete a tag, 139 import, 166, 169
add/list/edit/delete a local account, 137 local domains, 137
add/list/edit/delete a service, 136 menu, 160
configuration of RDP cryptographic settings, 277 revoke the signed certificate for the accounts,
configuration of SSH cryptographic settings, 277 166
delete, 141 Dynamic virtual channels
delete certificates, 139 allowing for RDP, 274
discovery, 208 rejecting for RDP, 275
configure a network scan, 208
configure an Active Directory scan, 211 E
launch a scan manually, 214 Encryption, 46
onboard discovered devices, 216 Algorithms, 19
set a periodic scan launch, 214 menu, 46
discovery) passphrase, 46
view the results of a scan job, 215 presentation, 19
edit, 140 Esx plugin, 238
filter devices, 141 External authentications, 109
import, 142 add, 110
local accounts, 137 add for Kerberos, 110
local domains, 137 add for Kerberos-Password, 111
manage local accounts, 137 add for LDAP using Active Directory, 113
manage local domains, 137 add for LDAP without Active Directory, 112
manage services, 136 add for PingID, 115
manage target group associations, 139 add for RADIUS, 116
manage the tag association, 139 add for SAML, 117
menu, 135 delete, 118
RDP specific options, 144 edit, 118
remove tags, 141 menu, 109
SSH specific options, 143 External password vault
SSH startup scenario, 278 plugins, 199
tags, 140
TELNET/RLOGIN connection scenario, 275 F
Discovery, 208 F5 plugin, 238
configure a network scan, 208, 209 File storage
configure an Active Directory scan, 211, 212 connection policies, 271
launch a scan manually, 214 Fortinet FortiGate plugin, 226
menu, 208
onboard discovered accounts, 217 G
onboard discovered devices, 216 GDPR, 94
set a periodic scan launch, 214 General concepts, 17
view the results of a scan job, 215 General data protection regulation, 94
367
generate, 327 local domains, 169

Global accounts, 172 profiles, 90
Global domain accounts target accounts, 180
delete, 180 target groups, 195
edit, 178 user groups, 86
Global domains user profiles, 90
accounts, 172 users, 78
Glossary, 15 Import/export
Groups (targets) restrictions, 193
add, 183 Interactive login
configure for password management configure target groups, 186
account in the vault, 186 Interface
configure for session management access, 35
account in the vault, 184 menu presentation, 27
account mapping, 185
interactive login, 186 J
scenario account, 184 Jump server
delete, 194 configuration, 146
edit, 194 Juniper SRX plugin, 229
import, 195
manage restrictions for RDP session, 192 K
manage restrictions for SSH session, 187 KeepAlive
menu, 183 configuration, 282
Groups (users) RDP, 282
menu, 83 SSH, 283, 283
Keyboard input
H configuration of log for RLOGIN, SSH and
HashiCorp Vault plugin, 200 TELNET, 275
High-Availability, 67
configuration, 67 L
presentation, 24 LDAP plugin, 229
Home page, 37 LDAP/Active Directory
HP-ILO plugin, 235 import domains, 129
import mappings, 132
I import users, 81
IBM 3270 plugin, 226 LDAP/Active Directory domains, 118
ICAP add, 119
blocage du transfert des fichiers, 269 delete, 129
configuration for file transfer verification, 269 edit, 128
file storage, 269 import, 129
file verification, 269 LDAP/Active Directory mappings
ICAP servers import, 132
configuration for file transfer verification, 269 License, 46
Import command line, 46
applications, 159 menu, 44
authorizations, 302 obtain a key, 44
Azure AD domains, 129 revoke a license, 44
Azure AD mappings, 132 update a key, 44
clusters, 197 Local accounts, 137, 175
devices, 142 Local domains
global domains, 166 manage, 137
LDAP/Active Directory domains, 129 Local password policy, 99
LDAP/Active Directory mappings, 132 menu, 99
368
Log profiles (users), 87

keyboard input, 275 recording options, 264
recorded sensible data, 274 remote storage, 53
Log for keyboard input service control, 59
configuration for RLOGIN, SSH and TELNET, session history, 250, 252
275 SIEM integration, 54
Log for recorded sensitive data SMTP server, 61
configuration for RDP, 274 SNMP, 55
Login, 35 syslog, 49
interface, 35 system status, 48
Logs time frames, 309
audit logs, 49 time service, 52
boot messages, 49 X509 configuration, 101
syslog, 49 MIBs, 55
My current approvals
M menu, 305
Manage authorizations My preferences
menu, 301 menu, 38
Manual credential change, 179 MySQL plugin, 230
Menu
account history, 256 N
accounts (targets), 171 Network, 49
accounts (user), 74 menu, 49
applications, 145 Network infrastructure
approval history, 257, 306 positioning of WALLIX Bastion, 17
audit logs, 49 Notifications, 95
Authentication domains, 118 add, 96
authentication history, 258 customize, 97
backup/restoration, 62 delete, 97
boot messages, 49 edit, 97
checkout policies), 205 menu, 95
clusters), 196
configuration options, 40 O
connection messages, 293 OCSP, 104
connection policies, 261 OEM
connection statistics, 259 configuration, 42
current sessions, 248, 249, 250 Onboarding
devices, 135 local accounts
discovery), 208 password rotation, 217
domains, 160 Oracle plugin, 231
encryption, 46
external authentications, 109 P
groups (targets), 183 Palo Alto PA-500 plugin, 231
groups (users), 83 Passphrase, 46
license, 44 Password
local password policy, 99 add a change policy, 239
manage authorizations, 301 add a checkout policy, 206
my current approvals, 305 authorizations, 221
my preferences, 38 automatic change for a target account, 179
network, 49 change policies, 239
notifications, 95 checkout policies, 205
password change plugins, 223 delete a change policy, 241
password vault plugins, 199 delete a checkout policy, 208
369
edit a change policy, 241 Plugins

edit a checkout policy, 207 password change, 223
external vault, 23 password vault, 199
manual change for a target account, 179 Ports
password change plugins, 223 configuration, 25
password vault plugins, 199 Profiles (users)
Password change plugins menu, 87
AIX, 236 Proxy options
Checkpoint, 236 RDP, 144
Cisco, 225 SSH, 143
Cisco Nexus, 235 Purge
Citrix ADC, 237 automatic backup, 66
Dell iDRAC, 225
Esx, 238 R
F5, 238 RAWTCPIP
Fortinet FortiGate, 226 Universal Tunneling, 264
HP-ILO, 235 RDP
IBM 3270, 226 allowing or rejecting dynamic virtual channels,
Juniper SRX, 229 275
LDAP, 229 Application Driver, 149
matrix, 224 AutoIt scripts, 148
menu, 223 configuration of log for recorded sensitive data,
MySQL, 230 274
Oracle, 231 proxy specific options, 144
Palo Alto PA-500, 231 Remote Desktop Connection Broker, 291
Ultra VNC, 236 RemoteApp mode, 147
Unix, 232 session probe, 283
Windows, 233 WALLIX BestSafe, 291
WindowsService, 234 RDP cryptographic settings
Password change policies connection policies, 277
add, 239 RDP current session remote control
delete, 241 audit, 250
edit, 241 RDP current session sharing
Password external vault audit, 250
presentation, 23 RDP protocol
Password management, 221 specific options, 144
break glass mechanism, 241 RDP session
configure target groups from an account in the kill, 192
vault, 186 notify, 192
password change plugins, 223 Reconciliation
password change policies, 239 definition, 164, 231, 233
add, 239 Recorded sensible data
delete, 241 configuration of log for RDP, 274
edit, 241 Recording options
user authorizations, 221 audit, 264
Password policy, 99 menu, 264
Password vault plugins References, 174
Bastion, 199 Remote Desktop Connection Broker
CyberArk Enterprise Password Vault, 199 configuration, 293
HashiCorp Vault, 200 prerequisites, 292
menu, 199 Remote storage, 53
presentation, 23 menu, 53
Thycotic, 202 RemoteApp mode
370
configuration, 147 configure target groups for interactive login, 186

REST API, 329 configure target groups for startup scenario, 184
delete a key, 330 configure target groups from an account in the
documentation, 329, 329 vault, 184
edit a key, 330 connection messages, 293
generate a key, 330 connection policies, 261
key management, 329 connection statistics, 259
Restoration, 62, 63, 64 connection via SCP and SFTP, 247
Restrictions current sessions, 248
import/export, 193 current sessions in real-time view, 249
RDP session kill, 192 RDP current session remote control, 250
RDP session notify, 192 RDP current session sharing, 250
SSH session kill, 187, 187 recording options, 264
SSH session notify, 187 session history, 250
RLOGIN session recordings, 252
configuration of log for keyboard input, 275 target connection in interactive mode, 247
user authorizations, 243
S Session probe
Scan configuration configuration, 286
configure a network scan, 208, 209 connection policies, 283
configure an Active Directory scan, 211, 212 default operating mode, 284
Scenario interaction with WALLIX BestSafe, 291
RLOGIN, 278 launching from a specific directory, 290
SSH, 184, 278 prerequisites, 285
TELNET, 278 Session recordings, 264
TELNET/RLOGIN, 276 audit, 252
Scenario account Session Shadowing, 250
target groups, 184 Session timeout
SCIM REST API, 329 configuration, 42
SCP SFTP
target connection in interactive mode, 247 target connection in interactive mode, 247
Scripts SIEM
AutoIt, 148 logs from authentication, 331
Service accounts, 174 logs from boot/reboot, 331
Service activation, 60 logs from external vault, 362
Service control, 59 logs from RDP service, 350
menu, 59 logs from SSH service, 342
service activation, 60 logs from system, 360
service mapping, 59 logs from Web interface, 332
Service mapping, 59 messages, 331
Services, 59, 136 SIEM integration, 54, 331
Session configure TLS client, 323
authorizations, 243 menu, 54
Session history Smart card, 271
audit, 250 Smart card authentication, 271
menu, 250, 252 SMTP server, 61
Session management, 243 menu, 61
account history, 256 SNMP, 55
approval history, 257 menu, 55
audit data, 248 MIB files, 55
authentication history, 258 Specific commands, 312
configure target groups for account mapping, change self-signed certificates, 324
185 change target servers identification, 323
371
change the GRUB password, 316 notify, 187

change the keyboard layout, 315 SSH startup scenario
change the network configuration, 316 connection policies, 278
change the password of the factory-set Startup scenario
administrator account, 314 configure target groups, 184
Change the Redis password, 327 RLOGIN, 278
change the security level configuration, 316 SSH, 184, 278
check integrity of session log files, 322 target groups, 184
configure High-Availability (HA), 317 TELNET, 278
configure services, 317 Subnet, 136, 282
configure TLS client for SIEM integration, 323 Summary, 39
configure TLS options for LDAP external Syslog
authentication, 323 logs, 49
cryptographic configuration of services, 325 menu, 49
display the content of journalctl, 318 System
export session recordings automatically, 320 backup, 62
export session recordings manually, 318 logs, 49
generate the report on the status of WALLIX network, 49
Bastion, 317 remote storage, 53
get the GUI URL, 315 restoration, 62
get version information of WALLIX Bastion, 315 service control, 59
manage the license key, 317 SIEM integration, 54
move session recordings to remote storage, 321 SMTP server, 61
purge session recordings automatically, 320 SNMP, 55
purge session recordings manually, 318 status, 48
re-import archived session recordings, 322 time service, 52
reset data encryption in WALLIX Bastion, 315 System logs, 49
restore the factory-set administrator account, System status, 48
314 menu, 48
restore WALLIX Bastion to factory settings, 313
set encryption key of WALLIX Bastion, 314 T
unlock encryption key of WALLIX Bastion, 314 Tables
update CRL, 326 customize layout, 33
use the command line to connect to WALLIX delete data, 34
Bastion, 313 search data, 32
use WABConsole to change the user password, sort data, 33
318 Tags, 139, 140
SSH filter devices, 141
configuration of log for keyboard input, 275 Target account on a global domain
proxy specific options, 143 add, 172, 175
SSH cryptographic settings Target account on an application
connection policies, 277 add, 177
SSH key Target accounts, 171
add a checkout policy, 206 change the credentials automatically, 179
automatic change for a target account, 179 change the credentials manually, 179
checkout policies, 205 change the passwords automatically, 179
delete a checkout policy, 208 change the passwords manually, 179
edit a checkout policy, 207 delete, 180
manual change for a target account, 179 edit, 178
SSH protocol import, 180
specific options, 143 Target groups, 183
SSH session add, 183
kill, 187, 187 configure for account mapping, 185
372
configure for interactive login, 186 list/delete a local domain, 137

configure for password management from an manage target group associations, 139
account in the vault, 186 RDP specific options, 144
configure for session management from an remove tags, 141
account in the vault, 184 SSH specific options, 143
configure for startup scenario during SSH SSH startup scenario, 278
session, 184 tags, 140
delete, 194 TELNET/RLOGIN connection scenario, 276
edit, 194 discovery, 208
import, 195 domains, 160
import/export restrictions, 193 add, 162
pattern detection in SSH flow, 187 add an account, 165
RDP flows analysis/pattern detection in RDP associate with a CA, 163
flow, 192 associate with an SSH Certificate Authority,
scenario account, 184 163
startup scenario, 184 change the passwords for all the accounts,
Targets 165, 165
accounts delete, 166
add/list/delete a reference, 174 edit, 164
applications, 145 import, 166, 169
add, 157 revoke the signed certificate for the accounts,
add an account, 158 166
AutoIt scripts, 148 password vault plugins, 198
delete, 158 target account on a device
edit, 158 add, 175
import, 159 target account on a global domain
jump server configuration, 146 add, 172
manage resource associations, 158 target account on an application
RemoteApp mode, 147 add, 177
checkout policies, 205 target accounts, 171
add, 206 change the credentials automatically , 179
delete, 208 change the credentials manually, 179
edit, 207 delete, 180
clusters, 196 edit, 178
add, 196 import, 180
delete, 197 target groups, 183
edit, 197 add, 183
import, 197 configure for account mapping, 185
devices, 135 configure for interactive login, 186
add, 135 configure for password management from an
add tags, 141 account in the vault, 186
add/list/delete a tag, 139 configure for session management from an
add/list/edit/delete a local account, 137 account in the vault, 184
add/list/edit/delete a service, 136 configure for startup scenario during SSH
configuration of RDP cryptographic settings, session, 184
277 delete, 194
configuration of SSH cryptographic settings, edit, 194
277 import, 194
delete, 141 import/export restrictions, 193
delete certificates, 139 pattern detection in SSH flow, 187
edit, 140 RDP flows analysis/pattern detection in RDP
filter devices, 141 flow, 192
import, 142 TCP/UDP
373
port configuration, 25 view members, 86

TELNET user profiles, 87
configuration of log for keyboard input, 275 add, 88
TELNET/RLOGIN connection scenario default profiles, 87
connection policies, 276 delete, 90
Terminology, 15 edit, 89
Thycotic plugin, 203 import, 90
Time frames, 309
add, 310 V
delete, 311 Virtual channel, 149
edit, 311 VNC session over an SSH tunnel
menu, 309 connection policies, 277
Time service, 52
menu, 52
Transformation rule W
connection policies, 267, 267 WABChangeGrub, 316
Transparent mode WABChangeKeyboard, 315
configuration, 281 WABConsole, 318
WABCRLFetch, 326
WABGetGuiUrl, 315
U WABGetLicenseInfo, 317
Ultra VNC plugin, 236 WABHASetup, 317
Universal Tunneling WABInitReset, 313
IT, 264 WABJournalCtl, 318
OT, 264 WABNetworkConfiguration, 316
RAWTCPIP, 264 WABResetCrypto, 315
Unix plugin, 232 WABRestoreDefaultAdmin, 314, 314
User account mapping WABSecurityLevel, 316
configuration, 118 WABServices, 317
User accounts, 74 WABSessionLogExport, 318
User data retention policy, 94 WABSessionLogImport, 322
User groups, 83 WABSessionLogIntegrityChecker, 322
User interface WABSetLicense, 317
configuration, 41 WABVersion, 315
User profiles, 87 WALLIX Bastion REST API, 329
Users WALLIX Bastion terminology, 15
data retention, 94 WALLIX BestSafe
user accounts, 74 interaction with session probe, 291
add, 75 WALLIX Password Manager
delete, 77 management, 32
edit, 77 password management, 221
import, 78 presentation, 23
import from .csv file, 78 WALLIX Session Manager
import from LDAP/AD directory, 81 management, 32
view accessible applications, 78 presentation, 23
view accessible device, 78 session management, 243
view accessible target accounts, 78 Web Services
view rights on the GUI, 77 REST API, 329
user groups, 83 Welcome page, 37
add, 84 Windows plugin, 233
delete, 85 Windows Service, 174
edit, 85 WindowsService plugin, 234
import, 86
import/export restrictions, 193
374
X
X509, 101
X509 certificate authentication, 101
configuration, 101
CRL management, 103
disable, 108
OCSP management, 104
unset, 108
user configuration, 105
X509 authentication, 106
X509 configuration
menu, 101
375

PAM Wallix Bastion - Admin Guide en 10.0 Hotfix5 - Complete

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PAM Wallix Bastion - Admin Guide en 10.0 Hotfix5 - Complete

Uploaded by

Copyright:

Available Formats

BASTION DOCUMENTATION

WALLIX Bastion 10.0

Copyright © 2023 WALLIX

8.2. License ..................................................................................................................... 44

9.5.1. Add a notification ........................................................................................... 96

10.3.9. Import global domains ................................................................................ 166

11.2.16. Checkpoint plugin ..................................................................................... 236

14.8.1. Add a time frame ....................................................................................... 310

17.4.16. Beginning of file transfer on SCP ............................................................. 349

17.7. Logs from vault activities ....................................................................................... 362

• Amazon Web Services (AWS)

1.2. Copyright & Licenses

1.3. Third-party components

on one or more lines

1.5. About this document

The following documents are also provided by WALLIX:

They can be downloaded from the WALLIX Support portal (https://support.wallix.com

Chapter 2. Compatibility and limits

We do not recommend modifying your system configuration or installing an additional software as

ACL Acronym for "Access Control List". This is a system to manage

• checking the authentication detail provided by the user

Protocols currently supported are as follows:

• SSH (and its sub-systems)

4.2. Positioning of WALLIX Bastion in the

• the company’s personnel

Figure 4.1. WALLIX Bastion in the network infrastructure

4.3. The concept of WALLIX Bastion ACLs

• connection time frames

4.5. Rights of the user connected to WALLIX

4.6. Data encryption

• primary authentication information, i.e. information related to WALLIX Bastion authentication

All sensitive data is encrypted to ensure security.

4.6.1. Administration with HTTPS protocol (Web interface

4.6.2. Administration with SSH protocol

Server host key algorithms:

4.6.3. RDP (TLS based) primary connection algorithms

4.6.4. SSH primary connection algorithms

Host key algorithms:

4.6.5. Secondary connection algorithms

Chapter 5. Specific features

This feature allows the administrator to:

5.2. WALLIX Password Manager

This feature allows the administrator to:

• secure target account passwords and SSH keys

5.3. Password external vault

For further information, refer to Section 8.14, “High-Availability”, page 67.

Chapter 6. Getting started with WALLIX

6.1.2. Communication to WALLIX Bastion

6.2. Using the command line to connect to

The default credentials are as follows:

6. Lastly, sixth step: define the network configuration

6.3. Browsing through the menu of the Web

See Section 7.3, “Setting your

See Section 12.1, “User authorizations on

See Section 11.1, “User authorizations on

Menu Sub-menu Actions

See Section 12.3.1, “Current sessions”, page 248

See Section 12.3.4, “Session history”, page 250

See Section 12.3.6, “Account history”, page 256

See Section 12.3.7, “Approval history”, page 257

See Section 9.1, “User accounts”, page 74

See Section 9.2, “User groups”, page 83