PAM Wallix Bastion - Admin Guide en 10.0 Hotfix5 - Complete
Reference: https://doc.wallix.com/en/Bastion/10.0/Bastion-admin-guide-en.pdf
Table of Contents
1. Introduction .......................................................................................................................... 12
1.1. Preamble ................................................................................................................... 12
1.2. Copyright & Licenses ................................................................................................ 12
1.3. Third-party components ............................................................................................ 12
1.4. Legend ...................................................................................................................... 12
1.5. About this document ................................................................................................. 13
2. Compatibility and limits ........................................................................................................ 14
3. Glossary ............................................................................................................................... 15
4. Concepts .............................................................................................................................. 17
4.1. General information ................................................................................................... 17
4.2. Positioning of WALLIX Bastion in the network infrastructure ...................................... 17
4.3. The concept of WALLIX Bastion ACLs ...................................................................... 18
4.4. Roll-out ...................................................................................................................... 19
4.5. Rights of the user connected to WALLIX Bastion ...................................................... 19
4.6. Data encryption ......................................................................................................... 19
4.6.1. Administration with HTTPS protocol (Web interface and API) ......................... 20
4.6.2. Administration with SSH protocol ................................................................... 20
4.6.3. RDP (TLS based) primary connection algorithms ........................................... 21
4.6.4. SSH primary connection algorithms ............................................................... 22
4.6.5. Secondary connection algorithms ................................................................... 22
5. Specific features .................................................................................................................. 23
5.1. WALLIX Session Manager ........................................................................................ 23
5.2. WALLIX Password Manager ..................................................................................... 23
5.3. Password external vault ............................................................................................ 23
5.4. High-Availability ......................................................................................................... 24
6. Getting started with WALLIX Bastion ................................................................................... 25
6.1. Pre-configuration of TCP and UDP network ports ..................................................... 25
6.1.1. Communication from WALLIX Bastion ............................................................ 25
6.1.2. Communication to WALLIX Bastion ................................................................ 25
6.2. Using the command line to connect to WALLIX Bastion ............................................ 26
6.3. Browsing through the menu of the Web interface ..................................................... 27
6.4. Availability of specific management features ............................................................. 32
6.4.1. Session management ..................................................................................... 32
6.4.2. Password management .................................................................................. 32
6.5. Managing data search, sort and layout customization in the tables of the Web interface ............ 32
6.5.1. Search data ................................................................................................... 32
6.5.2. Sort data ........................................................................................................ 33
6.5.3. Customize layout ............................................................................................ 33
6.5.4. Delete data .................................................................................................... 34
7. Login on the Web interface ................................................................................................. 35
7.1. Access to the Web administration interface .............................................................. 35
7.2. Description of the home page ................................................................................... 37
7.3. Setting your preferences ........................................................................................... 38
7.4. Summary ................................................................................................................... 39
8. Appliance configuration ........................................................................................................ 40
8.1. Interface configuration ............................................................................................... 41
8.1.1. Configuring the Web user interface ................................................................ 41
8.1.2. Configuring the session timeout ..................................................................... 42
8.1.3. Configuring the OEM ..................................................................................... 42
8.1.4. Configuring the display of a banner message ................................................ 44
2
WALLIX Bastion 10.0.5 – Administration Guide
12.15. Log configuration of all the keyboard input for RLOGIN, SSH and TELNET protocols ............ 275
12.16. TELNET/RLOGIN connection scenario on a target device ................................... 275
12.17. Configuration of cryptographic algorithms supported on target devices ................ 277
12.17.1. SSH cryptographic settings on target devices .......................................... 277
12.17.2. RDP cryptographic settings on target devices .......................................... 277
12.18. Connecting to a VNC session over an SSH tunnel .............................................. 277
12.19. SSH startup scenario on a target device ............................................................. 278
12.19.1. Commands ............................................................................................... 278
12.19.2. Token ....................................................................................................... 279
12.19.3. Startup scenario configuration .................................................................. 281
12.20. Transparent mode configuration for RDP and SSH proxies ................................. 281
12.21. Enabling KeepAlive function for the proxies ........................................................ 282
12.21.1. Enabling KeepAlive function for connection between the RDP proxy and the RDP client ............ 282
12.21.2. Enabling KeepAlive function for connection between the SSH proxy and the SSH client ............ 283
12.21.3. Enabling KeepAlive function for connection between the SSH proxy and the SSH target server ............ 283
12.22. Using the session probe mode ............................................................................ 283
12.22.1. Default operating mode ............................................................................ 284
12.22.2. Choice of the launcher ............................................................................. 285
12.22.3. Prerequisites ............................................................................................ 285
12.22.4. Configuration ............................................................................................ 286
12.22.5. Launching the session probe from a specific directory .............................. 290
12.23. Using the session probe mode with the WALLIX BestSafe agent ........................ 291
12.23.1. Enabling the interaction with the WALLIX BestSafe agent ........................ 291
12.23.2. Event logging ........................................................................................... 291
12.23.3. Detection of outbound connections .......................................................... 291
12.23.4. Detection of process launching ................................................................ 291
12.24. Load balancing with Remote Desktop Connection Broker ................................... 291
12.24.1. Prerequisites ............................................................................................ 292
12.24.2. Configuration ............................................................................................ 293
12.25. Connection messages ......................................................................................... 293
13. Dashboards ...................................................................................................................... 295
13.1. Administration dashboard ...................................................................................... 295
13.1.1. View the data on the “Connection data” tab ............................................... 295
13.1.2. View the data on the “Connection indicators” tab ....................................... 296
13.1.3. Common features ....................................................................................... 297
13.2. Audit dashboard .................................................................................................... 297
13.2.1. View the data ............................................................................................. 298
13.2.2. Common features ....................................................................................... 299
14. Authorization management ............................................................................................... 301
14.1. Add an authorization ............................................................................................. 301
14.2. Edit an authorization ............................................................................................. 302
14.3. Delete an authorization ......................................................................................... 302
14.4. Import authorizations ............................................................................................. 302
14.5. View the current approvals .................................................................................... 305
14.6. View the approval history ...................................................................................... 306
14.7. Approval workflow ................................................................................................. 307
14.7.1. Workflow configuration ............................................................................... 308
14.7.2. Workflow steps ........................................................................................... 309
14.8. Time frame configuration ....................................................................................... 309
17.2.3. Authentication cancellation (either by the client or by the user) ................... 332
17.3. Logs from WALLIX Bastion Web interface ............................................................ 332
17.3.1. Object type: Account .................................................................................. 332
17.3.2. Object type: Account activity (Audit) ........................................................... 333
17.3.3. Object type: Account history (Audit) ........................................................... 333
17.3.4. Object type: Answer from approval request ................................................ 333
17.3.5. Object type: API key .................................................................................. 333
17.3.6. Object type: Application .............................................................................. 333
17.3.7. Object type: Application path ...................................................................... 334
17.3.8. Object type: Approval ................................................................................. 334
17.3.9. Object type: Authorization .......................................................................... 334
17.3.10. Object type: Backup/Restore .................................................................... 335
17.3.11. Object type: Checkout policy .................................................................... 335
17.3.12. Object type: Cluster .................................................................................. 335
17.3.13. Object type: Connection policy ................................................................. 336
17.3.14. Object type: Credential change information .............................................. 336
17.3.15. Object type: Password change policy ....................................................... 337
17.3.16. Object type: Device .................................................................................. 337
17.3.17. Object type: Global domain ...................................................................... 337
17.3.18. Object type: LDAP domain ....................................................................... 338
17.3.19. Object type: LDAP mapping ..................................................................... 338
17.3.20. Object type: Local domain ........................................................................ 338
17.3.21. Object type: Notification ........................................................................... 338
17.3.22. Object type: Period ................................................................................... 339
17.3.23. Object type: Profile ................................................................................... 339
17.3.24. Object type: Local password policy .......................................................... 339
17.3.25. Object type: Recording options ................................................................ 339
17.3.26. Object type: Restriction ............................................................................ 340
17.3.27. Object type: Service ................................................................................. 340
17.3.28. Object type: Session logs ......................................................................... 340
17.3.29. Object type: Target group ......................................................................... 340
17.3.30. Object type: Time frame ........................................................................... 341
17.3.31. Object type: User ..................................................................................... 341
17.3.32. Object type: External authentication ......................................................... 341
17.3.33. Object type: User group ........................................................................... 342
17.3.34. Object type: X509 parameters (CRL) ....................................................... 342
17.4. Logs from the SSH service ................................................................................... 342
17.4.1. Flow of a successful session ...................................................................... 342
17.4.2. Flow of a connection failure: connection denied, machine is powered off or service unavailable ............ 344
17.4.3. Flow of a connection failure: invalid target or access denied ....................... 344
17.4.4. Successful session opening ....................................................................... 345
17.4.5. Session opening failure .............................................................................. 345
17.4.6. Session disconnection ................................................................................ 345
17.4.7. Channel events .......................................................................................... 345
17.4.8. Request events .......................................................................................... 346
17.4.9. Pattern detection on shell or remote command .......................................... 347
17.4.10. Command detection on Cisco devices ..................................................... 347
17.4.11. SFTP actions ............................................................................................ 348
17.4.12. File size restriction on SFTP .................................................................... 348
17.4.13. Beginning of file transfer on SFTP ........................................................... 348
17.4.14. End of file transfer on SFTP with file size and hash .................................. 348
17.4.15. File size restriction on SCP ...................................................................... 348
Chapter 1. Introduction
1.1. Preamble
Thank you for choosing WALLIX Bastion.
The WALLIX Bastion solution is marketed in the form of a dedicated, ready-to-use server or as a
virtual device for the following virtual environments:
This product has been engineered with the greatest care by our teams at WALLIX and we trust that
it will deliver complete satisfaction.
WALLIX
Service Support
250 bis, Rue du Faubourg Saint-Honoré
75008 PARIS
FRANCE
1.4. Legend
prompt $ command to input <parameter to replace>
command output
• a Quick Start Guide to guide you through the initial start-up of your device (physical or virtual appliance) for configuration, or to indicate how to access the images for deploying WALLIX Bastion in virtual environments
• a User Guide to help you use WALLIX Bastion to connect to the devices you administer.
Chapter 3. Glossary
You will encounter the following technical terms as you work with WALLIX Bastion and you go
through the sections of this guide. This list is not exhaustive.
Interactive login: Mechanism which allows a user to dynamically enter their user name and the secondary password on the selector of the proxy client (RDP or SSH) to access a resource. The credentials entered by the user on this selector are then used by the proxy to authenticate the session on the remote resource. A resource can be a specific service on a given device, or an application (running on a jump server or a cluster). As prerequisites, the user must be authorized to access this specific resource in interactive login mode, and an account with the same user name and password must exist on the specified resource.
Local authentication: Authentication managed by WALLIX Bastion.
Local domain: Management entity grouping multiple target accounts which can be used to authenticate on a single device only. A password change process (policy and change plugin) can be applied to all accounts in the local domain.
Lock: Mechanism which prevents multiple concurrent uses of an account.
Password: Password, SSH key, Kerberos ticket or any other secret data that allows the account to be authenticated to a system.
Password vault: Structure that manages accounts. It allows configuration via policies and enforces account usage according to these policies.
Primary connection: See WALLIX Bastion connection.
Resource: One of the following entities: a device (association of a device and a service in the context of account mapping), a target or an account.
Scenario account: Target account which can be used by a startup scenario at the beginning of the SSH session.
Secondary connection: See Target connection.
Startup scenario: Scenario which can be used at the beginning of the SSH shell session to perform some actions, such as granting the user "root" privileges using the "su" and "sudo" commands without having knowledge of the password.
Target: See Target application and Target account.
Target application: A target application is characterized by the association of the following entities: an application and an account.
Target account: A target account is characterized by the association of the following entities: a device, a service and an account.
Target connection (also called "Secondary connection"): Connection initiated between WALLIX Bastion and a target account.
WALLIX Bastion connection (also called "Primary connection"): Connection initiated between a user and WALLIX Bastion.
Chapter 4. Concepts
4.1. General information
WALLIX Bastion has been developed for the technical teams who administer IT infrastructure
(servers, network and security devices, etc.). This solution has been designed to meet the access
control and traceability needs of system administrators.
WALLIX Bastion includes access control lists (ACLs) and traceability features. It constitutes a
security buffer for administrators who wish to log on to devices by:
WALLIX Bastion also allows you to automate logons to target devices, which enhances the security of the information system by preventing disclosure of the servers' authentication details.
WALLIX Bastion offers a Web interface (also called "GUI"), compatible with Internet Explorer,
Chrome and Firefox to monitor activity and connections and also configure its components.
The high trust domain is represented by the set of devices isolated by WALLIX Bastion.
These devices and their related accounts are called "target accounts" in the WALLIX Bastion
terminology.
The low trust domain is represented by the population with direct access to WALLIX Bastion:
For users of the solution, access to the target accounts (in the high trust domain) is only possible
through WALLIX Bastion.
• users: i.e. physical users of WALLIX Bastion, from an internal and/or external user directory
• user groups: a set of users
• devices: i.e. physical or virtualized devices to which access is requested via WALLIX Bastion
• target accounts: the accounts declared on a device or an application
• target groups: a set of target accounts
• applications: any type of application and services running on a device or a set of devices
In WALLIX Bastion, an authorization must be set to grant a user the access to a target account.
Authorizations are declared between a group of users and a group of target accounts (which means
that each target account must belong to a target group, and that each user must belong to a user
group).
The authorization allows users in group X to access target accounts in group Y, via protocols A,
B, or C.
Other elements are added to these primary entities to allow you to define:
You can also define a number of various WALLIX Bastion administrator profiles, with a full access
to the WALLIX Bastion features or limited rights to specific features. As an example, you can define
that WALLIX Bastion auditors will only access audit data or allow WALLIX Bastion administrators
to add/edit users, configure the system administration, manage authorizations, etc.
4.4. Roll-out
WALLIX Bastion includes a set of import tools to facilitate roll-out.
However, to ensure WALLIX Bastion is successfully implemented, we recommend inventorying:
• the roles of users who must have access to the target accounts
• the roles of users who must administer WALLIX Bastion
• the target devices and target accounts to be accessed through WALLIX Bastion
You must be able to answer the following questions for each user:
• does this user have the right to administer the solution, and if so, which rights should be assigned
to him or her?
• does this user need to access target accounts?
• when does the user have the right to log on?
• can the user access critical resources?
You must be able to answer the following questions for each target device or target account:
• is this target account or device critical? (then each time a critical device is accessed, a notification
is sent to the administrator)
• should user sessions on this account be recorded?
• which protocol(s) can be used to access this target account or device?
Access to targets via the various services (RDP or SSH) generates data that is also encrypted.
The cryptographic specifications used to secure the data gathered in WALLIX Bastion are described below.
TLSv1.3 cipher:
• TLS_AES_256_GCM_SHA384
• TLS_AES_128_GCM_SHA256
• TLS_CHACHA20_POLY1305_SHA256
TLSv1.2 cipher:
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Key exchange algorithms:
• curve25519-sha256
• curve25519-sha256@libssh.org
• diffie-hellman-group-exchange-sha256
Host key algorithms:
• ecdsa-sha2-nistp256
• ssh-ed25519
Cipher algorithms:
• aes128-ctr
• aes192-ctr
• aes256-ctr
• aes128-gcm@openssh.com
• aes256-gcm@openssh.com
• chacha20-poly1305@openssh.com
Integrity algorithms:
• hmac-sha2-256-etm@openssh.com
• hmac-sha2-512-etm@openssh.com
• hmac-sha2-256
• hmac-sha2-512
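As an added check that is not part of the WALLIX guide, the following Python script compares the SSH algorithms an endpoint actually advertises with the SSH algorithm lists above, so drift towards weaker settings (or a mismatch with another product version) is visible. The DOCUMENTED sets are copied from the lists on this page; the `ssh -vv` transcript embedded in the script is constructed for the example and is not output from a real Bastion.

```python
"""Compare the algorithms an SSH endpoint advertises against the SSH algorithm
lists documented for WALLIX Bastion (section 4.6, "Data encryption").

Input is the text an OpenSSH client prints with `ssh -vv`, which echoes the
server's KEXINIT proposal. The transcript below is constructed for this
example; it is not output from a real Bastion."""
import re
from typing import Dict, List, Set

# Documented algorithm sets, copied from the page's lists (not an official API).
DOCUMENTED: Dict[str, Set[str]] = {
    "kex": {"curve25519-sha256", "curve25519-sha256@libssh.org",
            "diffie-hellman-group-exchange-sha256"},
    "hostkey": {"ecdsa-sha2-nistp256", "ssh-ed25519"},
    "cipher": {"aes128-ctr", "aes192-ctr", "aes256-ctr",
               "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
               "chacha20-poly1305@openssh.com"},
    "mac": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
            "hmac-sha2-256", "hmac-sha2-512"},
}

# Labels OpenSSH uses for the proposal lines in `ssh -vv` output.
LABELS = {
    "KEX algorithms": "kex",
    "host key algorithms": "hostkey",
    "ciphers ctos": "cipher",
    "ciphers stoc": "cipher",
    "MACs ctos": "mac",
    "MACs stoc": "mac",
}

LINE_RE = re.compile(r"^debug2: (?P<label>[A-Za-z ]+?): (?P<list>\S+)$")


def parse_server_proposal(transcript: str) -> Dict[str, Set[str]]:
    """Extract the server-side KEXINIT proposal from `ssh -vv` output.

    The client prints its own proposal first ("local client KEXINIT proposal")
    and then the server's ("peer server KEXINIT proposal"); only the latter
    reflects what the endpoint is configured to accept, so the client part
    is skipped."""
    offered: Dict[str, Set[str]] = {cat: set() for cat in DOCUMENTED}
    in_server = False
    for line in transcript.splitlines():
        line = line.strip()
        if "local client KEXINIT proposal" in line:
            in_server = False
            continue
        if "peer server KEXINIT proposal" in line:
            in_server = True
            continue
        if not in_server:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # compression lines, debug1 lines, etc.
        cat = LABELS.get(m.group("label"))
        if cat is None:
            continue
        offered[cat].update(m.group("list").split(","))
    return offered


def compare_with_documented(offered: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Per category: algorithms offered but not documented ("extra", a possible
    weakening) and documented ones not offered ("missing", possible hardening
    or a different version)."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for cat, documented in DOCUMENTED.items():
        got = offered.get(cat, set())
        report[cat] = {"extra": sorted(got - documented),
                       "missing": sorted(documented - got)}
    return report


# Constructed sample: a server that still offers a SHA-1 group exchange and a
# CBC cipher, and that no longer offers plain hmac-sha2-512.
SAMPLE_TRANSCRIPT = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr
debug2: MACs ctos: umac-64-etm@openssh.com,hmac-sha2-256
debug2: MACs stoc: umac-64-etm@openssh.com,hmac-sha2-256
debug2: compression ctos: none,zlib@openssh.com
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes128-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256
debug2: compression ctos: none,zlib@openssh.com
debug1: kex: algorithm: curve25519-sha256
"""


def audit(transcript: str = SAMPLE_TRANSCRIPT) -> Dict[str, Dict[str, List[str]]]:
    return compare_with_documented(parse_server_proposal(transcript))


if __name__ == "__main__":
    for cat, res in audit().items():
        print(f"{cat}: extra={res['extra']} missing={res['missing']}")
```

To run it against a real endpoint, feed it the stderr of `ssh -vv <bastion host>` (the connection can be aborted after the proposal is printed).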
TLSv1.3 cipher:
• TLS_AES_256_GCM_SHA384
• TLS_AES_128_GCM_SHA256
• TLS_CHACHA20_POLY1305_SHA256
TLSv1.2 cipher:
• TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
• TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
• TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
• TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
• TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_256_CCM
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• RSA_WITH_AES_256_CCM_8
• RSA_WITH_AES_256_CCM
• RSA_WITH_AES_128_CCM_8
• RSA_WITH_AES_128_CCM
• ECDHE-ARIA256-GCM-SHA384
• ECDHE-ARIA128-GCM-SHA256
• DHE_RSA_WITH_AES_256_CCM_8
• DHE_RSA_WITH_AES_128_CCM_8
• DHE_RSA_WITH_AES_128_CCM
• DHE-RSA-ARIA256-GCM-SHA384
• DHE-RSA-ARIA128-GCM-SHA256
• ARIA256-GCM-SHA384
• ARIA128-GCM-SHA256
Key exchange algorithms:
• curve25519-sha256@libssh.org
• diffie-hellman-group-exchange-sha256
• diffie-hellman-group14-sha256
• diffie-hellman-group16-sha512
• diffie-hellman-group18-sha512
Host key algorithms:
• ecdsa-sha2-nistp256
• ssh-ed25519
• ssh-rsa
• rsa-sha2-256
• rsa-sha2-512
Cipher algorithms:
• aes128-ctr
• aes192-ctr
• aes256-ctr
• aes128-gcm@openssh.com
• aes256-gcm@openssh.com
• chacha20-poly1305@openssh.com
Integrity algorithms:
• hmac-sha2-256
• hmac-sha2-512
• hmac-sha2-256-etm@openssh.com
• hmac-sha2-512-etm@openssh.com
• identify the users who are connected to specific devices and monitor their activity: sessions can
be viewed in real-time through the WALLIX Bastion Web administration interface or downloaded
to be viewed locally on the administrator's workstation
• review video-recorded activity from a privileged user session
• get direct resource access using native clients such as PuTTY, WinSCP, MSTSC or OpenSSH
• define and configure connection policies through mechanisms available for RDP, VNC, SSH,
TELNET, RLOGIN and RAW TCP/IP protocols
For further information, refer to Chapter 12, “Session management”, page 243.
For further information, refer to Chapter 11, “Password management”, page 221.
This setup allows a cluster of Bastions to handle sessions and user accesses related to accounts
managed by only one Bastion in the cluster. Account management in this context refers to concepts
such as credential change (password and SSH key) and checkout policy.
The local vault is the default vault. Accounts stored in this vault are managed by the local Bastion.
These accounts can be used either for session or credential access via the Web interface or the
REST API Web Service.
The external vaults are represented in the local Bastion via plugins. The plugins implement the link
allowing the local Bastion to communicate with the external vault.
Currently, the “Bastion” external password vault plugin is available to connect and use the password
vault provided by a WALLIX Bastion.
From the local Bastion's point of view, the “Bastion” plugin represents the password vault provided
by the remote Bastion. Accounts stored in this vault are managed by the remote Bastion and are
usable by the local Bastion either for session or credential access via the Web interface or the REST
API Web Service. In order to be used by the local Bastion these accounts need to be imported into
this local Bastion.
The local Bastion uses the remote Bastion's REST API Web Service to establish a secure communication channel, through which it checks out or checks in the accounts' credentials and extends the checkout duration (if set in the checkout policy on the remote Bastion).
“CyberArk Enterprise Password Vault”, “HashiCorp Vault” and “Thycotic Secret Server” external password vault plugins are also embedded in WALLIX Bastion to connect to and use the password vaults of the privilege management solutions provided by these companies.
External vault accounts are mapped into the local Bastion through global domains acting as external
vault account containers. Several domains may point to the same external vault.
For further information on how to set up the local Bastion to use external vault accounts, refer to Section 10.3, “Domains”, page 160, Section 10.7, “External password vault plugins”, page 198 and Section 11.1, “User authorizations on passwords”, page 221.
5.4. High-Availability
The High-Availability (HA) feature of WALLIX Bastion 10.0.5 delivers continuous WALLIX Bastion
service (access to target devices and the Web console, session recordings) through a failover (also
called "active/passive") two-device cluster, in the event that the "Master" device becomes
unavailable.
This automatic transfer to the second cluster node (i.e. the "Slave") works by:
• sharing a virtual IP address between the two Bastions in the cluster and hiding the actual IP
addresses from the users
• mirroring the configuration data, the connection logs and the files containing the session
recordings, as well as the WALLIX Bastion configuration files on the second cluster node using
DRBD (Distributed Replicated Block Device)
• an email notification mechanism advising the WALLIX Bastion administrator if:
– service is switched to degraded mode (the "Slave" node has taken over)
– the "Slave" node is unavailable
– a fault is detected (service unavailable, etc.)
– disk synchronization has completed.
• SSH: 22
• RDP: 3389
• HTTP/HTTPS: 80/443
• SMTP: 25
• SMTPS: 465
• SMTP+STARTTLS: 587
• NTP: 123
• DNS: 53
• Kerberos external authentication: 88
• LDAP external authentication: 389
• LDAP over SSL external authentication: 636
• RADIUS external authentication: 1812
• TACACS+ external authentication: 49
• NFS network storage: 2049
• SMB/CIFS network storage: 445
• SMB for password management: 139 | 445
• Syslog: 514
• SNMP: 162 for trap notifications
• SSH/SFTP/TELNET/RLOGIN proxy: 22
• RDP/VNC proxy: 3389
• SNMP: 161 for read/write access to OIDs
• WALLIX Bastion administration command line interface (SSHADMIN console): 2242
• WALLIX Bastion administration Web interface (GUI): 443
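The port list above is what a network or firewall team needs in order to open only the flows the Bastion requires. The following is an added example, not code from the guide or from WALLIX: it parses a constructed copy of the list as written, classifies each entry as a service the Bastion listens on (the proxies, SSHADMIN, the GUI and SNMP 161) or a connection the Bastion opens itself (everything else), and renders an nftables-style default-drop ruleset. The inbound/outbound split and the choice of UDP for some services are this example's assumptions; the guide only states a direction for SNMP (161 towards the Bastion, 162 from it).

```python
"""Derive a firewall allow-list from the WALLIX Bastion port table.

Added example, not part of the guide. The table below is a constructed copy
of the guide's port list; the inbound/outbound split and the UDP services
are this example's assumptions.
"""
import re
from dataclasses import dataclass

PORT_TABLE = """\
SSH: 22
RDP: 3389
HTTP/HTTPS: 80/443
SMTP: 25
SMTPS: 465
SMTP+STARTTLS: 587
NTP: 123
DNS: 53
Kerberos external authentication: 88
LDAP external authentication: 389
LDAP over SSL external authentication: 636
RADIUS external authentication: 1812
TACACS+ external authentication: 49
NFS network storage: 2049
SMB/CIFS network storage: 445
SMB for password management: 139 | 445
Syslog: 514
SNMP: 162 for trap notifications
SSH/SFTP/TELNET/RLOGIN proxy: 22
RDP/VNC proxy: 3389
SNMP: 161 for read/write access to OIDs
WALLIX Bastion administration command line interface (SSHADMIN console): 2242
WALLIX Bastion administration Web interface (GUI): 443
"""

# Entries describing a service the Bastion itself listens on (assumption).
INBOUND_MARKERS = ("proxy", "SSHADMIN", "GUI", "161 for read/write")
# Services that commonly run over UDP as well as TCP (assumption).
UDP_SERVICES = {"NTP", "DNS", "Syslog", "SNMP", "RADIUS external authentication",
                "Kerberos external authentication"}


@dataclass(frozen=True)
class Flow:
    service: str
    port: int
    direction: str  # "in" = towards the Bastion, "out" = from the Bastion


def parse_port_table(text: str = PORT_TABLE) -> list[Flow]:
    """Parse '<service>: <port>[/<port> | <port>] [comment]' lines into flows."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        service, _, rest = line.partition(": ")
        direction = "in" if any(m in line for m in INBOUND_MARKERS) else "out"
        for port in re.findall(r"\d+", rest):   # "80/443" and "139 | 445" give two ports
            flows.append(Flow(service, int(port), direction))
    return flows


def ports_by_direction(flows: list[Flow], direction: str) -> set[int]:
    return {f.port for f in flows if f.direction == direction}


def render_nftables(flows: list[Flow]) -> str:
    """Render a minimal nftables ruleset: default drop, allow only the listed flows."""
    def rules(direction: str) -> list[str]:
        out = []
        for f in sorted(set(flows), key=lambda f: (f.port, f.service)):
            if f.direction != direction:
                continue
            protos = ["tcp"] + (["udp"] if f.service in UDP_SERVICES else [])
            for proto in protos:
                out.append(f'    {proto} dport {f.port} accept comment "{f.service}"')
        return out

    lines = [
        "table inet bastion {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        *rules("in"),
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    ct state established,related accept",
        "    oif lo accept",
        *rules("out"),
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables(parse_port_table()))
```

The output chain is deliberately default-drop as well: a Bastion that can only reach the listed infrastructure and target ports is far easier to audit than one with unrestricted egress, and any new outbound flow then shows up as a dropped packet rather than a silent connection.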
Important:
Please remember your new password as it is the only way to connect again.
When WALLIX Bastion is initially installed, a graphical mode displays dialog boxes to guide you
through the configuration steps.
The procedure below illustrates the main steps to configure the WALLIX Bastion connection.
1. First step: choose the keyboard layout language you wish to use
If the current keyboard layout language is detected, it is then highlighted in the list. If this
language is not in the list, you can select "More options..." to display more choices.
2. Second step: set the password for the "wabadmin" user
The default credentials are as follows:
• Password: SecureWabAdmin
You are requested to change the default password for the "wabadmin" user. Enter and confirm
this new password.
By default, the "wabadmin" user is configured with minimum privileges. Follow the next step to
configure the "wabsuper" user to access higher privileges.
3. Third step: set the password for the "wabsuper" user
Once the new password for the "wabadmin" user has been confirmed, you are requested to
enter and confirm the new password for the "wabsuper" user.
The "wabsuper" password can be passed through the "super" command to access higher
privileges, including the ability to get access to "root" privileges using the "sudo" command,
which uses the same password. Once you are logged in as "root", you can use a set of scripts
to manage the day-to-day operation of WALLIX Bastion.
Follow next step to configure the GRUB password.
4. Fourth step: set the password for the "GRUB" user
Once the new password for the "wabsuper" user has been confirmed, you are requested to
change the default password for the "GRUB" user.
You will be given the option to use the same password as the one entered previously for the
"wabsuper" user or set a new password.
Important:
Only ASCII characters are supported. If the password specified for the "wabsuper"
user contains non-ASCII characters, then it cannot be used as the same password
for the "GRUB" user: you are required to set a different password.
Warning:
Under VMware, once the initial installation has been performed and after the system
reboot, the input of the password for the "GRUB" user matches by default the US
QWERTY keyboard layout.
Use the following command if you wish to change this password later:
wabsuper@wab$ WABChangeGrub
Beware of special characters and typing errors as the input cannot be corrected.
However, the "Esc" key allows you to fully delete the input.
Follow the next step to configure the password for the “wabupgrade” user.
5. Fifth step: set the password for the “wabupgrade” user
Once the new password for the “GRUB” user has been confirmed, you are requested to enter
and confirm the new password for the “wabupgrade” user.
Important:
The “wabupgrade” user can only perform upgrades to higher versions of WALLIX
Bastion or hotfix installations.
Once the new password for the “wabupgrade” user has been defined, you are requested to set
the network configuration.
See:
Section 9.1, “User accounts”, page 74,
Section 9.2, “User groups”, page 83,
Note:
When long data appears truncated within a table (for example: “abcdefghijk...”), its whole
textual value can be displayed in a tool tip by hovering the mouse over the data for 0.5
second.
Search string      Returns only lines with at least one column matching...
rdp*               any string starting with the word “rdp” (e.g.: RDPDevice1)
*rdp               any string ending with the word “rdp” (e.g.: ServiceRdp)
*rdp* or rdp       any string including the word “rdp”, regardless of the position of the
                   keyword in the character string found
r*p                any string starting with “r” and ending with “p” (e.g.: Rdp, RP)
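The wildcard rules in the table above, implemented as an added example (not code from the guide or from WALLIX): `*` matches any run of characters, a search string without `*` behaves like `*term*`, matching is case-insensitive, and a row is returned when at least one of its columns matches. The sample rows are constructed for the example and use the names from the table's own illustrations.

```python
"""Table search with the guide's wildcard semantics (added example)."""
import re

# Constructed sample table rows: (target name, device, port).
SAMPLE_ROWS = [
    ("RDPDevice1", "win-srv", "3389"),
    ("ServiceRdp", "app-srv", "3389"),
    ("Rdp", "jump", "3389"),
    ("RP", "relay", "22"),
    ("linux01", "db-srv", "22"),
]


def wildcard_to_regex(search: str) -> re.Pattern:
    """Translate a search string into an anchored, case-insensitive regex.

    '*' stands for any sequence of characters; a bare word means 'contains',
    so "rdp" is treated exactly like "*rdp*". Everything else is literal.
    """
    term = search.strip()
    if "*" not in term:
        term = f"*{term}*"
    parts = [re.escape(p) for p in term.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def search_rows(rows, search: str):
    """Return the rows with at least one column matching the search string.

    The whole table is searched, not only the rows of the active view.
    """
    pattern = wildcard_to_regex(search)
    return [row for row in rows if any(pattern.match(str(col)) for col in row)]


def matching_names(search: str, rows=SAMPLE_ROWS) -> list:
    """Convenience wrapper: names (first column) of the matching rows."""
    return [row[0] for row in search_rows(rows, search)]


if __name__ == "__main__":
    for query in ("rdp*", "*rdp", "rdp", "r*p"):
        print(f"{query:<6} -> {matching_names(query)}")
```

Because `re.escape` is applied to every fragment between wildcards, characters such as `.` or `(` in a search string stay literal; only `*` carries meaning, which is what the table describes.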
A search can be saved by activating the “Save search filter” button in the “Table settings” window
accessible via the dedicated icon. The search filter is then saved for the active table.
Note:
The search is not case-sensitive.
The search focuses on the entire table and not only on the active view.
The result of a single or multiple search can be deleted by clicking on the dedicated icon and then on
the “Reset” button, or by clicking on the icon located in the upper right corner of the page.
Note:
The sort applies to all the data contained in the table and not only to those of the active
view.
The table settings can be restored by disabling the “Multiple sorting” button or by clicking on “Reset
table user preferences”. These options are accessible via the dedicated icon.
• change the order in which the columns are displayed by using the up and down arrows
• hide or show a column by deselecting or selecting the check box at the beginning of the line of
the relevant column (the columns are checked by default)
Warning:
The first column of a table or any column that contains an access link to another page
of the interface cannot be moved or hidden.
The table settings can be restored by clicking on “Reset table user preferences” located in the “Table
settings” window.
To do so, check the box at the beginning of the line of the data you wish to delete and click on the
“Delete” button located in the upper right corner of the page.
To delete all the data from a table, check the box in the table header and click on the “Delete” button
located in the upper right corner of the page.
Warning:
This action only deletes the data of the active view.
Any selection made using the check boxes can be canceled by clicking on the cross displayed
above the table, next to the summary for the number of selected entries.
https://bastion_ip_address/ui or https://<bastion_name>/ui
Warning:
Internet Explorer is not supported by the default interface.
For security reasons, WALLIX Bastion checks that the hostname received in the URL
matches its FQDN, hostname or the interface's IP address. If it is not recognized, the
user will be redirected to the IP address of the network interface used. To prevent any
redirection, it is possible to add trusted hostnames and IP addresses via the option
“Trusted hostnames for HTTP_HOST header” accessible from the menu “Configuration”
> “Configuration options” > “Global”, section “main”.
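The Host header check described in the warning above protects against requests that carry an attacker-chosen hostname (for example to poison password-reset or redirect links). As an added example, not code from the guide or from WALLIX, the function below models that decision: the received Host value is normalised (port, brackets and case), accepted when it names the FQDN, the hostname, the interface IP address or a trusted entry, and otherwise redirected to the interface's IP address. The Bastion identity values are constructed, and the redirect target form `https://<ip>/ui` follows the URL shown earlier on the page but is an assumption of this example.

```python
"""Model of the HTTP_HOST header check (added example, not WALLIX code)."""
import ipaddress

# Constructed identity of a Bastion (RFC 5737 documentation address).
BASTION_FQDN = "bastion.example.com"
BASTION_HOSTNAME = "bastion"
BASTION_INTERFACE_IP = "192.0.2.10"


def _normalize_host(host_header: str) -> str:
    """Lower-case the Host value and strip a port suffix or IPv6 brackets."""
    host = host_header.strip().lower()
    if host.startswith("["):                        # "[2001:db8::1]:443"
        return host[1:host.index("]")] if "]" in host else host[1:]
    head, sep, tail = host.rpartition(":")
    if sep and tail.isdigit() and ":" not in head:  # "name:443" or "192.0.2.10:443"
        return head
    return host                                     # bare name or bare IPv6 literal


def _same_ip(candidate: str, reference: str) -> bool:
    """Compare two textual IP addresses semantically (e.g. ::1 == 0:0:0:0:0:0:0:1)."""
    try:
        return ipaddress.ip_address(candidate) == ipaddress.ip_address(reference)
    except ValueError:
        return False


def check_host_header(host_header: str, fqdn: str = BASTION_FQDN,
                      hostname: str = BASTION_HOSTNAME,
                      interface_ip: str = BASTION_INTERFACE_IP,
                      trusted: tuple = ()):
    """Return (accepted, redirect_url).

    `trusted` plays the role of the "Trusted hostnames for HTTP_HOST header"
    option: extra names or addresses that must not trigger a redirect.
    """
    host = _normalize_host(host_header)
    known_names = {fqdn.lower(), hostname.lower(), *(t.lower() for t in trusted)}
    if host in known_names or _same_ip(host, interface_ip) \
            or any(_same_ip(host, t) for t in trusted):
        return True, None
    return False, f"https://{interface_ip}/ui"   # assumption: redirect target form


if __name__ == "__main__":
    for header in ("bastion.example.com", "192.0.2.10:443", "evil.example.net"):
        print(header, "->", check_host_header(header))
```

A practical consequence of this check: a reverse proxy or load balancer in front of the Bastion must either forward the name users type or have that name added to the trusted list, otherwise every login lands on the bare IP address.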
WALLIX Bastion comes as standard with a factory-set administrator account whose default
credentials are as follows:
This default password can be changed. For further information, refer to Section 15.4, “Change
the password of the factory-set administrator account”, page 314.
For security reasons, it is required to change the administrator account password on first login. For
further information, refer to Section 7.3, “Setting your preferences”, page 38.
The login page of WALLIX Bastion supports different authentication methods to enable users to
access the Web interface. For further information on the configuration of these authentication
methods, refer to Section 9.8, “External authentication configuration”, page 109 and Section 9.7,
“X509 certificate authentication configuration”, page 101.
On the other hand, the AD user can be prompted for password change after expiration on this
screen or when connecting to the RDP or SSH sessions. The prerequisites are then as follows:
• the minimum required version for the Active Directory server is Windows Server 2008 R2
• the option “AD user password change” (accessible from the menu “Configuration” >
“Configuration Options” > “Global” > section “main”) must be selected and
• at least one encryption protocol (either StartTLS or SSL) must be set on the authentication method
associated with the domain. For further information, refer to Section 9.8.1.3, “Add an LDAP
external authentication”, page 112 and Section 9.9, “Configuration of LDAP, Active Directory or
Azure AD domain mapping”, page 118.
Note:
The logo image, the product name as well as the display of the copyright notice
on the login screen can be managed from the menu “Configuration” > “Configuration
Options” > “GUI” > “oem” section. For further information, refer to Section 8.1, “Interface
configuration”, page 41.
The warning message on the login screen can be managed from the menu “Configuration”
> “Connection messages”. For further information, refer to Section 12.25, “Connection
messages”, page 293.
Once you have successfully logged on, the following page is displayed:
Figure 7.2. WALLIX Bastion home page (displayed for an administrator profile)
Note:
The administrator can configure an alert, an information or a warning message to be
displayed on the header of the Web administration and user interfaces and also on
the RDP and SSH selectors, from “Configuration” > “Configuration options” > “Global”,
section “banner”. For further information, refer to Section 8.1.4, “Configuring the display
of a banner message”, page 44.
• a header containing:
– the name of the user who is logged on. When hovering the mouse over the user name area, a
contextual menu displays the entry for the “My preferences” page, the “Legacy interface” icon
to access the legacy interface, and the logout icon.
Note:
Any logout made from this interface is only effective on WALLIX Bastion. Thus, a user
authenticated via SAML external authentication on Azure AD will not be disconnected
from their session on this tenant.
– the icon providing a menu to access the technical documentation delivered as a contextual
on-line help
– the icon providing an access to the possible notifications (the approval requests for the user
with the approver profile and the password expiration warning)
• a vertical menu on the left of the screen from which you can access all the WALLIX Bastion
administration functions. The layout of the Web interface is subdivided vertically and horizontally
so as to clearly structure it.
• a working area on which is displayed a welcome message. The information introduced by this
message can be hidden by clicking on the “Do not show again” button.
• a dashboard located at the bottom of the screen which provides the shortcuts to the most used
administration functions.
• “Profile”: to change the email address and to select the preferred language
• “Password”: to change the password (only if the user has been declared locally with a
“local_password” authentication)
• “SSH public key”: to drag-and-drop, upload or enter manually an SSH public key using the RSA,
ED25519 or ECDSA algorithm, or to delete an existing SSH public key (only if the user has been
declared locally with a “local_sshkey” authentication)
Warning:
In the “SSH public key” tab, it is not possible to drag-and-drop, upload or enter manually
a key if no algorithm is allowed for the SSH key on the “Local Password Policy” page
from the “Configuration” menu. For further information, refer to Section 9.6, “Local
password policy configuration”, page 99.
This key must be in the OpenSSH format. Otherwise an error message is displayed.
If you use PuTTYgen to generate the key, you must save in a text file the public key
displayed in the OpenSSH format during the generation. As an example, this key is
labelled as follows:
“ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0yR9lBQov6[.....]c3xu9p/xNjw==
rsa-key-20151204”
You can then upload this key on the “SSH public key” tab.
If a key already exists, you can load a private key using PuTTYgen in order to generate
the corresponding public key in the appropriate format.
• “GPG key”: to drag-and-drop, upload or display a GPG key, or delete an existing GPG key
Warning:
If the GPG key is not specified for the user with the “product_administrator” or
“operation_administrator” profile, then a warning email is sent daily to notify the user
of the missing declaration of the GPG key.
The sending of this warning email can be managed via the “Missing GPG key warning
email” option in the menu “Configuration” > “Configuration options” > “Global”. By
default, this option is enabled.
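The “SSH public key” warning above says the key must be in OpenSSH format (`<type> <base64 data> [comment]`, as in the `ssh-rsa AAAAB3NzaC1yc2E...` line shown) and that only the algorithms allowed by the local password policy are accepted. As an added example, not code from the guide or from WALLIX, the validator below performs the checks a defender would want before storing such a key: it rejects the SSH2/RFC 4716 layout PuTTYgen saves by default, decodes the base64 blob, verifies that the type string embedded in the blob matches the visible prefix, checks the algorithm family against an allow-list standing in for the policy, and sanity-checks the key material (RSA modulus size, ED25519 point length, ECDSA curve name). The sample keys are constructed synthetic blobs, not real keys, and the 2048-bit RSA minimum is this example's own policy.

```python
"""OpenSSH public key validator (added example, not WALLIX code)."""
import base64
import struct

# Key types behind the algorithm families the guide names (RSA, ED25519, ECDSA).
KNOWN_TYPES = {
    "ssh-rsa": "RSA",
    "ssh-ed25519": "ED25519",
    "ecdsa-sha2-nistp256": "ECDSA",
    "ecdsa-sha2-nistp384": "ECDSA",
    "ecdsa-sha2-nistp521": "ECDSA",
}
PUTTY_SSH2_HEADER = "---- BEGIN SSH2 PUBLIC KEY ----"   # RFC 4716 layout, not OpenSSH


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob: bytes, offset: int):
    """Decode one SSH wire 'string' at offset; return (bytes, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_openssh_public_key(line: str, allowed=("RSA", "ED25519", "ECDSA"),
                             min_rsa_bits: int = 2048) -> dict:
    """Validate one OpenSSH-format public key line and return its details.

    `allowed` stands in for the algorithms permitted by the Local Password
    Policy; `min_rsa_bits` is this example's own policy (assumption).
    """
    text = line.strip()
    if text.startswith(PUTTY_SSH2_HEADER):
        raise ValueError("SSH2 format: save the OpenSSH-format key PuTTYgen displays instead")
    fields = text.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 data> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if key_type not in KNOWN_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        raise ValueError("key data is not valid base64") from exc
    encoded_type, off = _read_string(blob, 0)
    if encoded_type != key_type.encode():
        raise ValueError("type prefix does not match the encoded key blob")
    family = KNOWN_TYPES[key_type]
    if family not in allowed:
        raise ValueError(f"{family} keys are not allowed by the local password policy")
    info = {"type": key_type, "family": family, "comment": comment}
    if key_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
        info["bits"] = int.from_bytes(modulus, "big").bit_length()
        if info["bits"] < min_rsa_bits:
            raise ValueError(f"RSA modulus is only {info['bits']} bits")
    elif key_type == "ssh-ed25519":
        point, off = _read_string(blob, off)
        if len(point) != 32:
            raise ValueError("ED25519 public key must be 32 bytes")
    else:
        curve, off = _read_string(blob, off)
        if key_type != "ecdsa-sha2-" + curve.decode("ascii", "replace"):
            raise ValueError("ECDSA curve name does not match key type")
        point, off = _read_string(blob, off)
        if point[:1] != b"\x04":
            raise ValueError("ECDSA point must be uncompressed (0x04 prefix)")
    if off != len(blob):
        raise ValueError("trailing data after public key")
    return info


def is_valid_openssh_key(line: str, **kwargs) -> bool:
    """Boolean form of the validator for callers that only need accept/reject."""
    try:
        parse_openssh_public_key(line, **kwargs)
        return True
    except ValueError:
        return False


# Constructed sample keys (synthetic material, not usable for authentication).
ED25519_SAMPLE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode() + " alice@example"
_RSA_N = b"\x00\xc5" + b"\x11" * 255   # 2048-bit modulus with the mpint leading zero
RSA_SAMPLE = "ssh-rsa " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(_RSA_N)
).decode() + " rsa-key-constructed"
```

Checking the embedded type string against the visible prefix matters because the prefix is free text an uploader controls; the blob is what the SSH server will actually use.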
7.4. Summary
In the modification pages of the Web interface, a summary is displayed on the right part of your
screen. It gives an overview of the data previously defined.
By clicking on the main entries of the summary, you are redirected to the concerned pages and
you can enter, add, edit or delete data. Note that you have the possibility to hide and show this
summary at any time.
The “Configuration Options” page on the “Configuration” menu allows advanced configuration of
global WALLIX Bastion parameters.
Click on the needed option in the list to display the related parameters which can be configured
on the dedicated page for:
• the data retention policy. For further information, refer to Section 9.4, “User data retention
policy”, page 94.
• the global parameters
• the Web interface (“GUI”). For further information, refer to Section 8.1, “Interface
configuration”, page 41.
• the legacy Web interface (“GUI (Legacy)”)
• the license configuration
• the logger
• the configuration of the external modules
• the OEM (“OEM (Legacy GUI)”)
• the RDP proxy
• the RDP proxy session manager
• the REST API
• the options regarding session log retention. For further information, refer to Section 15.21, “Export
and/or purge session recordings automatically”, page 320 and Section 15.24, “Check integrity
of session log files”, page 322.
• the SSH proxy
• the Watchdog
On each of these pages, a useful description can be displayed for all the fields by selecting the
check box of the “Help on options” field at the top right of the page. This description includes the
appropriate format to be specified in the concerned field.
Warning:
The options displayed when the check box of the “Advanced options” field at the top right
of the page is selected should ONLY be changed upon request of the WALLIX Support
Team! An orange exclamation mark is displayed near the concerned fields.
Figure 8.1. "Configuration Options" page for SSH proxy with field descriptions
If “current” is selected, then the user will be redirected to the login page of the default interface.
However, they will still have access to the legacy interface via the link “Legacy interface” that
appears when hovering over the user name at the top of the page.
If “legacy” is selected, then the user will be redirected to the login page of the legacy interface.
However, they will still have access to the default interface via the link “Switch to the default interface”
located at the top of the page or to both interfaces via:
Note:
If the configuration option “Link switch default interface” (accessible from “Configuration”
> “Configuration options” > “GUI (Legacy)”) is deselected, then the link “Switch to the
default interface” will not be displayed on the home page of the legacy interface. The user
will then not be able to access the default interface.
The session timeout value is set by default to 900 seconds. The timeout value cannot be lower
than 300 seconds.
• the product name displayed on the pages of the interface as well as on the Web browser tab
(“Product name”)
• the short version of the product name (“Product name short”)
• the name of the Support Team (“Product support name”)
• the display of WALLIX copyright on the login page (“Copyright login”)
• the small site icon displayed on the Web browser tab (“Favicon”)
• the logo displayed at the top of the left sidebar menu (“Logo”)
• the small version of the logo displayed at the top of the left sidebar menu when collapsed (“Logo
small”)
• the logo displayed on the login page (“Login page logo”)
• the welcoming title of the login page for each language supported by WALLIX Bastion (“Login
page title”)
• the color of the welcoming title and connection message displayed on the login page (“Login
page info color”)
• the background color of the login page's right side panel (“Login page background color”)
• the background image of the login page's left side panel (“Login page background image”)
Note that the images must be in PNG format and that it is possible to restore the default WALLIX
Bastion images by checking the box “Restore default image”.
Figure 8.2. "Configuration options" page for Web interface configuration (GUI) - Part 1
Figure 8.3. "Configuration options" page for Web interface configuration (GUI) - Part 2
According to the banner type selected, the message will be displayed in a given font weight or color
on the RDP or the SSH selectors and in a specific background color on the Web interface.
8.2. License
The use of WALLIX Bastion is controlled by a license key. This key contains the elements included
in the sales contract and is provided by WALLIX. It is entered in WALLIX Bastion by the client via
the Web user interface.
From the "License" page on the "Configuration" menu, you can display the license properties and
update the license key.
• the license type for a perpetual license agreement (“Legacy Bastion license”)
Note:
When notifications are enabled for the license expiration warning, an email will be sent
15 days, 10 days, 5 days and 1 day before the license expiration date. For further
information, refer to Section 9.5, “Notification configuration”, page 95.
Note:
Connections of the administrator account with the "product_administrator" profile are
not counted.
Note:
Each target is only counted once, regardless of the number of groups into which it is
included.
Target accounts which can be used as scenario accounts are not counted.
• when WALLIX Password Manager is associated with the license key, the number of targets
included in groups which can be declared to check out the accounts' credentials
Note:
Each target is only counted once, regardless of the number of groups into which it is
included.
• when WALLIX Password Manager is associated with the license key, the number of
clients using WALLIX Application-to-Application Password Manager (also called “WAAPM”).
Documentation related to WAAPM can be downloaded from the WALLIX Support portal
(https://support.wallix.com/).
To obtain a license, a context file must be created and sent to WALLIX Support (https://
support.wallix.com/). To do so, click on the “Download context file” button to generate and
download a context file and send it to the WALLIX Support Team which will provide you with a
license key update.
Once you have received the license update file, upload or drag-and-drop it in the “License update”
section and click on the “Apply” button.
It is possible to revoke the licenses installed on WALLIX Bastion by clicking on the “Revoke” button.
The legacy licenses (“Legacy Bastion license”) are revoked immediately. The current licenses
(“WALLIX license”) will become invalid 15 days after performing the revocation.
Warning:
When a subscription license expires, access to WALLIX Bastion is still possible if a trial
license is valid. If all licenses have expired, then only the administrator account associated
with the “product_administrator” profile can connect to the WALLIX Bastion interface to
upload a new license. Please make sure to renew your license before it expires to ensure
continuity of service.
In the context of a perpetual license (“Legacy Bastion license”), the latter is bound to the
MAC addresses of the first two interfaces of the Bastion (when more than one interface
is declared). If WALLIX Bastion is deployed on a virtual environment using two virtual
machines on two different nodes, make sure the MAC addresses are cloned to provide
redundancy. Moreover, we strongly recommend defining static MAC addresses to avoid
any change at reboot.
wab2:~# WABGetLicenseInfo
wab2:~# WABSetLicense -d
Warning:
The legacy licenses (“Legacy Bastion license”) are revoked immediately. The current
licenses (“WALLIX license”) will become invalid 15 days after performing the revocation.
8.3. Encryption
The encryption of WALLIX Bastion secures your sensitive data (such as target accounts' credentials,
local users' passwords, Web interface connections, RDP and SSH connections, etc.) by using a
strong cryptographic algorithm. For further information on the cryptography specifications to secure
data gathered in the Bastion, refer to Section 4.6, “Data encryption”, page 19.
This algorithm uses an encryption key which is secret and unique to your WALLIX Bastion and
totally hidden from users.
• when restoring the configuration of WALLIX Bastion (refer to Section 8.13, “Backup and
Restoration”, page 62). If you lose the passphrase, you will no longer be able to access your
data stored on remote storage.
• when rebooting the system. As long as the passphrase is not entered by the administrator with
the “product_administrator” profile in the Web administration interface, the “System” configuration
menu will be hidden and connections using WALLIX Bastion proxies will not be usable.
• when changing the passphrase. If you wish to change your passphrase, you have to enter the
current passphrase to be able to set a new one.
Important:
For security reasons, the passphrase can only be defined during the installation of
WALLIX Bastion. It will be impossible to define it afterwards.
Once a passphrase has been set, it can no longer be deleted. However, an existing
passphrase can be modified.
Once the encryption is configured, you can go back at any time to the “Encryption” page on the
“Configuration” menu either to check that your WALLIX Bastion is ready and secured or to change
the passphrase.
Note:
It corresponds to the list of active connections on the "Current Sessions" page
displayed from the "Audit" menu.
Note:
The RAM usage does not include the system cache.
All log and debugging information files can be downloaded as a .zip archive by clicking on the button
"Download debug information" on the bottom of the page.
All the files for these logs (with the .log extension) can be downloaded as a .zip archive by clicking
on the dedicated icon on the right part of the concerned page.
• "syslog" displayed from the "Syslog" page on the "System" menu. This log shows the session logs,
i.e. the majority of messages on proxy operation or the use of the Web administration interface.
• "dmesg" displayed from the "Boot Messages" page on the "System" menu. This log shows the
system start log.
• "wabaudit" displayed from the "Audit Logs" page on the "Configuration" menu. This log shows
the connections and operations performed by the auditors and the administrators.
Furthermore, all log and debugging information files can be downloaded from the "Status" page on
the "System" menu.
Note:
Some system logs saved in partition /var/log are stored for a maximum time period
of 5 weeks.
8.6. Network
From the “Network” page on the “System” menu, you can define and edit the network configuration
of the appliance.
Important:
The eth1 interface (port 2 on appliances) is reserved for high-availability (HA)
interconnection. No other services can be mapped to this interface. For further
information, refer to Section 8.11.1, “Service mapping”, page 59.
When enabling an IPv6 network interface, it is required to select an IPv6 configuration
method from the list in the “IPv6 method” field. Five methods are available:
– “Automatic”: allows SLAAC and the DHCPv6 server to assign IPv6 addresses, the
router to set routes and the DHCPv6 server to set the DNS parameters
– “Stateful DHCPv6 only”: allows the DHCPv6 server to assign an IPv6 address and
set the DNS parameters, and the router to define routes
– “SLAAC address only”: allows SLAAC to auto-configure IPv6 addresses and only
set the default and on-link routes
– “Manual”: allows you to manually assign a static IPv6 address and the subnet prefix
length
– “Link-local only”: only auto-assigns the link-local IPv6 address (with the prefix
FE80::/64)
Important:
The eth1 interface (port 2 on appliances) is reserved for high-availability (HA)
interconnection. It cannot be selected for interface bonding.
An interface can only be disabled by deselecting the “Enable IPv4” or “Enable IPv6”
option when it is not mapped to any service on the “Service Control” page. For further
information, refer to Section 8.11, “Service control”, page 59.
To perform interface bonding, the “slave” physical interface cannot be linked to a VLAN,
a virtual interface or a route.
For further information on the “active-backup” and “802.3ad (LACP)” modes supported
for interface bonding, refer to https://www.kernel.org/doc/Documentation/networking/bonding.txt.
• add routes
• define the default IPv4 and IPv6 egress interfaces and the related gateways
To define IP source routing and thus enable inputs and outputs on the same physical interface,
it is required to check the box of the “Enable IP source routing” option in the “Routes” frame.
Routing is then enabled for the physical and VLAN interfaces via the “Enable IPv4” or “Enable
IPv6” options in the “Interfaces” frame.
Important:
The eth1 interface (port 2 on appliances) is reserved for high-availability (HA)
interconnection. It cannot be selected for IP source routing.
The default IPv4 and IPv6 egress interfaces can be selected from a list of physical
and VLAN interfaces enabled via the “Enable IPv4” or “Enable IPv6” options in the
“Interfaces” frame.
An interface can only be disabled by deselecting the “Enable IPv4” or “Enable IPv6”
option when it is not mapped to any service on the “Service Control” page. For further
information, refer to Section 8.11, “Service control”, page 59.
The IP address specified for the gateway must match the subnet configured for
the selected egress interface. If the default gateway is not specified, then outbound
connections from the Bastion may fail.
To set ICMP redirect, it is required to check the box of the “Enable ICMP redirect” option in the
“Routes” frame.
• define entries in the “hosts” file
• add the DNS servers
Warning:
Before changing the WALLIX Bastion IP address used to communicate with the file server
configured with remote storage, we recommend disabling the remote storage and re-
enabling it after the IP address is changed. For further information, refer to Section 8.8,
“Remote storage”, page 53.
• date and time in WALLIX Bastion must be synchronized with the Kerberos authentication servers
• WALLIX Bastion is the time reference for escalated audit information and time frame management
Note:
By default, the time service is active and synchronized with the Debian project time
servers.
Note:
WALLIX Bastion moves automatically the recordings of recently terminated sessions from
local storage to remote storage. For further information, refer to Section 15.22, “Move
local session recordings to remote storage”, page 321.
When remote storage is enabled but the file server is temporarily unavailable, the
various features of WALLIX Bastion can still be accessed. The session recordings are
nonetheless kept on local storage during server unavailability.
• the remote file system type: SMB/CIFS, NFS and Amazon EFS are supported
• the protocol version
Note:
If “Automatic” is selected, then WALLIX Bastion will try to detect the version
automatically.
For SMB/CIFS, “Automatic” detection does not support protocol versions prior to
SMBv2.1.
For NFS, “Automatic” detection does not support protocol versions NFSv4.1 and
NFSv4.2.
For Amazon EFS, only “Automatic” detection is available and selected by default.
Warning:
This page is only displayed when the “SIEM” feature is associated with the license key.
Specify the following information to set up the routing through a SIEM server:
Note:
It is also possible to configure the TLS client by adding a specific configuration
file. For further information, refer to Section 15.27, “Configure TLS client for SIEM
integration”, page 323.
Note:
When upgrading from a version earlier than WALLIX Bastion 6.2.3, the RFC 3164
format is applied by default to all servers previously configured on this page.
The RFC 3164 format always applies to backups created only on WALLIX Bastion
version 6.x.
• the filters to select the logged information categories to send to the server. These filters
correspond to the object types in the logs.
Note:
When upgrading from a version earlier than WALLIX Bastion 8.2, all the logged
information categories are selected by default for all servers previously configured on
this page.
The logs will be sent to the selected IP address, port and via the selected transmission protocol
and will also be stored on the local file system so that they are always available in the “Audit logs”
page, on the “Configuration” menu. For further information on this log, refer to Section 8.5, “System
logs”, page 49.
For further information on data export, refer to Chapter 17, “SIEM messages”, page 331.
8.10. SNMP
WALLIX Bastion includes an embedded SNMP agent with the following properties:
Note:
Port 161 should be opened to allow communication to WALLIX Bastion for read/write
access to OIDs.
Port 162 should be opened to allow communication from WALLIX Bastion for trap
notifications.
A default minimum value set to 20 parallel connections is required for each port.
From the "SNMP" page on the "System" menu, you can configure this agent by defining the related
settings.
The "General Settings" section consists of the following fields:
• "Sysname": enter the name of the system, e.g., "WALLIX Bastion 10.0.5"
• "Syscontact": enter the email address of the system administrator, in format "root@yourdomain"
• "Syslocation": enter the system location
• "Sysdescr": enter a description, if needed. This field is empty by default.
• "Status": choose to enable or disable the SNMP agent. The agent is disabled by default.
• "Enable trap notifications": select the check box to enable SNMP trap notifications. Trap
notifications are disabled by default.
• "Trap sink": enter the address of the receiver. This field is displayed and required when trap
notifications are enabled.
• "Disable SNMPv2": select the option to disable the SNMP protocol version 2c
• "Community": enter the community name used to connect to WALLIX Bastion. This field is
displayed and required when the SNMP protocol version 2c has been enabled.
• "Trap community": enter the community name used when trap messages are sent. This field is
displayed and required when trap notifications and the SNMP protocol version 2c have been
enabled.
• "Authentication passphrase": enter and confirm the authentication passphrase. This field must
be longer than 8 characters. The authentication passphrase must be set at the same time as the
encryption passphrase.
• "Encryption passphrase": enter and confirm the secret key for encryption. This field must be longer
than 8 characters. The encryption passphrase must be set at the same time as the authentication
passphrase.
• "Trap receiver configuration": this sub-section is displayed when trap notifications have been
enabled and the SNMP protocol version 2c has been disabled. It consists of the following fields:
– "Trap user": enter the user name used to authenticate on the trap receiver. This field is empty
by default.
– "Security level": select the appropriate security level and specify the related fields depending
on the selection.
If "Authentication only" is selected, enter and confirm the authentication passphrase and select
the authentication ciphering scheme (SHA or MD5).
If "Authentication and encryption" is selected, enter and confirm both the authentication
and encryption passphrases and select the related ciphering schemes (SHA or MD5 for
authentication and AES or DES for encryption).
The "Threshold values ( % )" section allows you to specify the values above which notifications are
triggered. It consists of the following fields:
• "Disk consumption": update the percentage value related to the disk consumption, if needed.
Notifications are sent when the disk consumption exceeds this value.
• "Average CPU load": update the percentage values related to the average CPU load for 1-minute,
5-minute and 15-minute time slices, if needed. Notifications are sent when these values are
exceeded.
The values entered in this section can be reset by clicking on the button "Reset default threshold
values" on the bottom-left of the section.
Warning:
By default, the SNMP agent is disabled and it can only be enabled via the Web interface.
By default, trap notifications are disabled and they can only be enabled via the Web
interface. When enabled, only acknowledged traps (i.e. INFORM traps) are sent.
By default, the SNMP protocol version 2c is disabled on a fresh WALLIX Bastion and can
only be enabled via the Web interface.
The SNMP protocol version 3 is always enabled. However, both authentication and
encryption passphrases must be set at the same time for proper operation.
When Bastions are configured in HA mode, the SNMP agent monitors all the nodes via
the virtual IP address.
Warning:
The system OIDs are defined in the MIB "SNMPv2-MIB". Please make sure this MIB is
installed on your client environment.
The SNMP agent can trace some specific data of WALLIX Bastion. A list of the variables
showing the data is available by downloading the following files:
• /usr/share/snmp/mibs/wallix/WALLIX-SMI and
• /usr/share/snmp/mibs/wallix/WALLIX-BASTION-MIB. This file WALLIX-BASTION-MIB includes
the descriptions of the variables and can be opened with a text editor.
These MIB files can also be downloaded as a .zip archive by clicking on the button
“Download MIB files” on the top-right of the page.
The following command shows all the available variables:
The "User & audit features" service group includes the access to targets and also historical data
and session recordings.
In order to be able to select the desired services, the network interfaces must be
previously configured on the "Network" page. For further information, refer to Section 8.6,
“Network”, page 49.
Important:
The interface eth1 (port 2 on appliances) is devoted, if present, to high-availability (HA)
interconnection. No other service can be mapped to it and the "High-Availability" service
cannot be mapped to any other interface. Therefore, the "High-Availability" service cannot
be selected if this interface is not present.
By default, the features specific to users (such as the target account access rights) and auditors
(such as the session audit rights) are not available on the Web administration interface but these can
be released by selecting the following check boxes: "User features (target account access rights)"
and "Audit features (session audit rights)".
A firewall is embedded in WALLIX Bastion, among other features, to protect WALLIX Bastion against
DDoS attacks. It is possible to restrict the parallel connections per IP to the Bastion to a pre-defined
number by selecting the option "Limit the number of parallel connections per IP" and specifying the
appropriate value in the field "Number of connections". The default value of this field is set to 10 and
the number of allowed parallel connections cannot exceed 999 connections per IP. As an example,
if the value entered in this field is "30" then a user can only perform 30 parallel connections to the
Bastion from their workstation.
The option "Enable path reverse filtering" is only relevant when WALLIX Bastion has two non-HA
interfaces configured with two different subnets (i.e. eth0 with subnet X and eth2 with subnet Y) and
the default route is set to one of the two interfaces (i.e. eth0).
By default, when a packet with a source IP address not belonging to subnet Y comes in through
interface eth2, WALLIX Bastion does not reply (no packet is going out through any of the two non-
HA interfaces). This is due to a reverse path filtering configuration set with the grsec kernel. For
further information on reverse path filtering, refer to http://tldp.org/HOWTO/Adv-Routing-
HOWTO/lartc.kernel.rpf.html.
If WALLIX Bastion should reply to the incoming packet (through the eth2 interface), then the reverse
path filtering should be unset.
When the option "Enable path reverse filtering" is selected, there is no reply from WALLIX Bastion
(on packets originating from a subnet different from the ingress interface).
When the option "Enable path reverse filtering" is deselected (by default), WALLIX Bastion replies
to all incoming packets (through the ingress interface).
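As an added illustration of the decision described above (example code written for this page, not part of the WALLIX guide or product), the following Python models strict reverse path filtering for the two-interface layout; the subnet addresses and the routing table are constructed assumptions.

```python
"""Added example, not from the WALLIX guide: a simulation of the reverse path
filtering decision described above.

Constructed topology: eth0 carries subnet X (10.1.0.0/24) and the default
route, eth2 carries subnet Y (10.2.0.0/24). Both subnets are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network      # 0.0.0.0/0 is the default route
    interface: str


# Constructed routing table for the two non-HA interfaces in the text.
ROUTES = [
    Route(ip_network("10.1.0.0/24"), "eth0"),   # subnet X
    Route(ip_network("10.2.0.0/24"), "eth2"),   # subnet Y
    Route(ip_network("0.0.0.0/0"), "eth0"),     # default route via eth0
]


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match: the interface a packet to dst would leave on."""
    addr = ip_address(dst)
    best = max((r for r in routes if addr in r.prefix),
               key=lambda r: r.prefix.prefixlen)
    return best.interface


def reply_interface(src, ingress, rp_filter, routes=ROUTES):
    """Interface the reply to a packet from src leaves on, or None if dropped.

    With reverse path filtering on, the packet is accepted only when the route
    back to src uses the interface it arrived on. With the option off (the
    default described in the guide), the reply goes out through the ingress
    interface.
    """
    if rp_filter and egress_interface(src, routes) != ingress:
        return None
    return ingress


if __name__ == "__main__":
    cases = [("10.2.0.5", "eth2"),    # source in subnet Y, arrives on eth2
             ("192.0.2.7", "eth2"),   # foreign source, arrives on eth2
             ("192.0.2.7", "eth0")]   # foreign source, arrives on eth0
    for src, ingress in cases:
        print(src, "via", ingress,
              "| filter on ->", reply_interface(src, ingress, True),
              "| filter off ->", reply_interface(src, ingress, False))
```

A foreign source arriving on eth2 is dropped only because the default route points at eth0; the same source arriving on eth0 passes the check.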
When installing WALLIX Bastion, these services are automatically enabled by default.
In case of a restricted use of WALLIX Bastion, the administrator can activate/deactivate services
using a command line tool on the console or through the "ssh" command line interface (port 2242):
sshadmin : ENABLED
The option "--help" lists the arguments which can be used to perform the configuration.
actions:
list list services status
enable enable a service
disable disable a service
The administrator must enter the following command to deactivate the GUI service:
Then, the administrator must enter the following command to activate it again:
Caution:
The address specified in this field may also be used as a recipient for some system
alert emails.
To test the configuration, enter one or more destination addresses in the "Recipient email(s) for
test" field then click on the "Test" button.
Caution:
When WALLIX Bastion is configured in HA (or “High-Availability”) mode, the SMTP
server configuration is only spread out to the Slave node when the latter is switching from
Slave to Master.
Warning:
• Only backups created from WALLIX Bastion version 6.0 or later can be restored
• Session recordings are not saved during a backup/restore operation
• All data edited or added after a backup will be lost if the backup is restored
• The administrator will be logged off. He/she must log on again with one of the accounts
included in the backup, which might be different from those in the system before the
backup/restore was performed
• It is possible to set the number of days during which backups are kept. This parameter
can be managed via "Configuration" > "Configuration Options" > "Global", then enter
a positive integer in the field "Remove backup older than". All backups older than this
value expressed in number of days are then removed.
• When restoring a backup in which an X509 certificate is not approved yet by the user's
browser, a security error message may be displayed in the “Backup/Restore” page.
Please refresh the page in order to approve it.
• The maximum size of a backup performed via the Web interface is 50 MB. For backups
larger than 50 MB, it is necessary to use the command line.
To use these elements, you will have to delete the current configuration files and rename in their
place the files restored from the backup, which bear as an additional extension the name of the
backup followed by a timestamp set to the restoration time.
After renaming the files by removing the additional extension, you must restart the corresponding
services by entering the following commands:
However, most of the configuration files specific to given services, keys and certificates are
overwritten in the current configuration during restoration.
/var/wab/apache2/x509_ready
– the Apache server keys, certificates and CRLs for X509 authentication:
/var/wab/apache2/ssl.crt/*
/var/wab/apache2/ssl.crl/*
• /var/wab/etc/, as for example:
– the RDP proxy configuration:
/var/wab/etc/rdp/rdpproxy.ini
/var/wab/etc/rdp/*.pem
/var/wab/etc/rdp/rdpproxy.key
/var/wab/etc/rdp/rdpproxy.crt
/var/wab/etc/ssh/*
Caution:
Note that properties related to the license, the FQDN and the MySQL database
password in /var/wab/etc/wabengine.conf/ are not overwritten during
restoration.
Options:
-h, --help show this help message and exit
-d DIRECTORY, --directory=DIRECTORY
Directory where you want to store your backup.
-s, --sdcard Set this option to store the Backup in the sdcard.
DIRECTORY is the directory path in which the backup file will be created.
Option -s can be used to create a copy on an external drive (SD Card or USB).
Restores WALLIX Bastion backup from the specified file or from the sdcard. The
Options:
-h, --help show this help message and exit
-f FILENAME, --file=FILENAME
Provide the full path of the Backup file (.wbk).
Conflicts with -s
-s, --sdcard Enter in interactive mode to select file on SDcard.
Conflicts with -f
-a, --aes Set this option to force use of AES256 instead of GPG
symmetric cipher (for compatibility with old backup
files).
-b, --blowfish Set this option to force use of Blowfish instead of
GPG symmetric cipher (for compatibility with old
backup files). Overridden by -a
-S, --nosystem Set this option to not restore any system settings.
-N, --nonetwork Set this option to never restore network and HA
settings. Overridden by -S
--forcenetwork Set this option to force restoration of network and HA
settings. (Not recommended). Overridden by -S
You can change the time and frequency of the backups in /etc/cron.d/wabcore by changing
the line that runs the WABExecuteBackup command.
The fields are crontab fields, namely MINUTE, HOUR, DAY_OF_MONTH, MONTH and DAY_OF_WEEK.
The values authorized in each field are as follows:
• MINUTE: from 0 to 59
• HOUR: from 0 to 23
• DAY_OF_MONTH: from 1 to 31
• MONTH: from 1 to 12
• DAY_OF_WEEK: from 0 to 7 (0 or 7 for Sunday)
Each field can also be filled with an asterisk "*" corresponding to all possible values. Lists are also
permitted, with the values separated by commas and intervals, separating the range with a hyphen,
e.g. "1,2,5-9,12-15,21".
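The following Python checks a cron.d schedule line against the field ranges listed above before it is written to /etc/cron.d/wabcore. It is an added example for this page, not a WALLIX tool; the sample line (including the "root" user column) is constructed, and only the syntax the guide describes (asterisk, single values, comma lists and hyphen ranges) is accepted.

```python
"""Added example, not from the WALLIX guide: validate the five schedule fields
of a cron.d line such as the WABExecuteBackup entry against the value ranges
listed in the guide. The sample line is constructed.
"""
import re

# Field name and allowed range, exactly as listed in the guide.
FIELD_RANGES = [
    ("MINUTE", 0, 59),
    ("HOUR", 0, 23),
    ("DAY_OF_MONTH", 1, 31),
    ("MONTH", 1, 12),
    ("DAY_OF_WEEK", 0, 7),   # 0 and 7 both mean Sunday
]

# A list item is either a single value "12" or a range "5-9".
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def expand_field(spec, low, high):
    """Return the set of values a field spec matches; raise ValueError if invalid."""
    if spec == "*":
        return set(range(low, high + 1))
    values = set()
    for item in spec.split(","):
        m = _ITEM.match(item)
        if not m:
            raise ValueError("malformed item %r in %r" % (item, spec))
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) is not None else start
        if start > end:
            raise ValueError("inverted range %r" % item)
        if start < low or end > high:
            raise ValueError("%r outside %d-%d" % (item, low, high))
        values.update(range(start, end + 1))
    return values


def is_valid_field(spec, low, high):
    """Boolean form of expand_field, handy for quick checks."""
    try:
        expand_field(spec, low, high)
        return True
    except ValueError:
        return False


def parse_cron_d_line(line):
    """Parse 'MIN HOUR DOM MON DOW user command' from a cron.d file.

    Files under /etc/cron.d carry a user column between the schedule and the
    command, which is why the command starts at the seventh token.
    """
    parts = line.split(None, 6)
    if len(parts) < 7:
        raise ValueError("expected five schedule fields, a user and a command")
    schedule = {}
    for (name, low, high), spec in zip(FIELD_RANGES, parts[:5]):
        schedule[name] = expand_field(spec, low, high)
    return {"schedule": schedule, "user": parts[5], "command": parts[6]}


# Constructed sample: backup at 02:30 on weekdays (not the shipped wabcore content).
SAMPLE_LINE = "30 2 * * 1-5 root /opt/wab/bin/WABExecuteBackup"

if __name__ == "__main__":
    parsed = parse_cron_d_line(SAMPLE_LINE)
    for name, values in parsed["schedule"].items():
        print(name, sorted(values))
    print("command:", parsed["command"])
```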
You can also change the path and the value of the key used by editing the file /opt/wab/bin/
WABExecuteBackup and changing the DIR and KEY values at the beginning of the file.
It is possible to set a key used to encrypt the automatic backup at generation. This parameter can
be managed via "Configuration" > "Configuration Options" > "Global", then enter a 16-character
string in the field "Backup key".
When this command is executed, the purge is performed on the backup files according to the
specified arguments.
All backup files older than the STANDARD_BACKUP parameter value are deleted each time the
command is executed. This value corresponds to the number of days during which backups are
kept.
If the remaining disk space is lower than the MIN_FREE parameter value, then backup files
older than the CRITICAL_BACKUP parameter value are deleted until the value of the threshold
of the minimum acceptable free space is greater than or equal to the MIN_FREE value. The
CRITICAL_BACKUP value corresponds to the number of days during which backups are kept.
It is possible to set the number of days during which backups are kept and the threshold of
the minimum free disk space from the Web interface. These parameters can be managed via
"Configuration" > "Configuration Options" > "Global", then enter the appropriate values in the fields
“Keep critical backup newer than”, “Keep standard backup newer than” and “Keep min free disk
space”.
When the WABBackupPurge command is executed, the values in these fields are then considered
as the default values if the arguments CRITICAL_BACKUP, STANDARD_BACKUP and MIN_FREE
are not specified.
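To make the two-stage purge rule above concrete, here is an added Python simulation (written for this page, not the WABBackupPurge implementation) that applies STANDARD_BACKUP, then CRITICAL_BACKUP under the MIN_FREE threshold, to a constructed set of backup files.

```python
"""Added example, not from the WALLIX guide: a simulation of the purge policy
described for WABBackupPurge, using the guide's parameter names
STANDARD_BACKUP and CRITICAL_BACKUP (ages in days) and MIN_FREE (free-space
threshold). Backup names, sizes, dates and the reference day are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Backup:
    name: str
    created: date
    size_mb: int


def purge(backups, today, standard_backup, critical_backup, min_free_mb, free_mb):
    """Return (remaining backups, deleted names, free space after the purge).

    Step 1: every backup older than STANDARD_BACKUP days is deleted.
    Step 2: while free space is below MIN_FREE, the oldest backup older than
            CRITICAL_BACKUP days is deleted; backups newer than that are never
            removed, so the loop can end with free space still below MIN_FREE.
    """
    deleted, kept = [], []
    for b in sorted(backups, key=lambda b: b.created):
        if (today - b.created).days > standard_backup:
            deleted.append(b.name)
            free_mb += b.size_mb
        else:
            kept.append(b)
    remaining = []
    for b in kept:                       # still oldest first
        if free_mb < min_free_mb and (today - b.created).days > critical_backup:
            deleted.append(b.name)
            free_mb += b.size_mb
        else:
            remaining.append(b)
    return remaining, deleted, free_mb


# Constructed sample: four backups, reference day 2024-06-30.
TODAY = date(2024, 6, 30)
SAMPLE_BACKUPS = [
    Backup("b01", date(2024, 5, 1), 100),   # 60 days old
    Backup("b02", date(2024, 6, 10), 120),  # 20 days old
    Backup("b03", date(2024, 6, 20), 150),  # 10 days old
    Backup("b04", date(2024, 6, 28), 160),  # 2 days old
]


def run_sample():
    """STANDARD_BACKUP=30, CRITICAL_BACKUP=7, MIN_FREE=500 MB, 300 MB free."""
    return purge(SAMPLE_BACKUPS, TODAY, 30, 7, 500, 300)


if __name__ == "__main__":
    remaining, deleted, free = run_sample()
    print("deleted:", deleted)
    print("remaining:", [b.name for b in remaining])
    print("free MB:", free)
```

With these values b01 goes in step 1, b02 goes in step 2 because 400 MB is still under the threshold, and the purge stops at 520 MB; raising MIN_FREE to 1000 MB also removes b03 but never b04, which is newer than CRITICAL_BACKUP.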
8.14. High-Availability
8.14.1. Operating limitations and pre-requisites
The WALLIX Bastion 10.0.5 HA active/passive type cluster does not have a load balancing function.
Both devices must be linked directly to each other using an Ethernet crossover cable through the RJ45
port labelled "2".
The HA interfaces on both the "Master" and the "Slave" nodes must be configured with static IP
addresses belonging to the same subnet.
The system must be configured (especially the /etc/hosts and /etc/network/interfaces
files) from the Web interface or using the WABHASetup script to prevent desynchronization with the
configuration files of the replicated file system.
Both cluster nodes must be strictly at the same level regarding their WALLIX Bastion version and
hotfix numbers.
Warning:
The WALLIX Bastion HA feature is designed to answer hardware issues related to disk,
motherboard, network card, etc. and is not supported through virtual appliances.
In a virtual environment, the setup is different as there is no "hardware" part. We thus
recommend using the High-Availability feature provided by VMware. The High-Availability
provided by VMware is available from the entry level VMware license (VMware vSphere
Standard) and requires at least two hypervisors. For further information, see https://
www.vmware.com/uk/products/vsphere/high-availability.html
Please also refer to the Quick Start Guide for further information.
Caution:
The following precautions need to be observed before implementing a new node in an
existing High-Availability configuration:
• the new node must be strictly at the same level as the other node regarding the WALLIX
Bastion version and hotfix numbers
• the new node must have the same number of configured interfaces, including VIPs and
VLANs but excluding HA VIPs (interfaces suffixed with “ha”).
• storage capacity for the hard drive coming with the new node must be equal to or
greater than the one of the former node
• System time of the new node must be synchronized with the one of the other node
3. Use the "wabadmin" account to log directly onto the "Master" and "Slave" device consoles.
Caution:
All data on the "Slave" will be permanently deleted!
4. Enter the "super" command then the "sudo -i" command to sign in as a super-user.
5. Check that the clocks of both cluster nodes are synchronized using the Linux "date" command
or by synchronization with an NTP server, as explained on Section 5.3.4, “Time service
configuration” in the Quick Start Guide.
6. Carry out the send notification test (refer to Section 5.3.5, “SMTP server configuration” in the
Quickstart Guide) to check that an SMTP server is configured and operational.
7. Check that both devices are configured with a static IP address, their "eth1" interfaces are set up
and they have different machine names. If not, make the required adjustments on the GUI.
Note the IP address of the "eth1" interface of the "Slave" node, which is required for answering
the "Slave IP:" question during the execution of the "WABHASetup" command as described
in the next step.
8. Run the "WABHASetup" command on the "Master" device console and follow the instructions:
wabsuper$ WABHASetup
Slave IP:
HA Virtual IP:
HA Virtual netmask:
HA Notification mail address:
...
Note:
A log file wabhasetup.log is created in the directory from which this command has
been launched and stores the output of the operation.
The WABHASetup command requests the interface configuration for all the physical
and VLAN interfaces which are mapped with services. For further information on
service mapping configuration, refer to Section 8.11, “Service control”, page 59.
Note that "Start" and "Stop" commands will only apply to the local node.
Warning:
To avoid an unintentional switchover, we recommend stopping the "Slave" node before the
"Master" one and starting the "Slave" node after the "Master" one.
To check the current state of a node, the administrator can use the following maintenance command:
wabsuper$ /opt/wab/bin/WABHAStatus
affected_node# rm /etc/opt/wab/ha/fatal_error
1. The outage was short and the nodes were not used (no sessions created, no accounts added,
etc.): in this case, the administrator can choose either of the nodes as the reference "Master".
2. The outage was short and/or only one of the nodes was actually used (shown by the presence of
session files and of more recent modification dates on only one of the nodes). The administrator
must select this node as the new reference "Master".
3. The outage was complex and both nodes were used in parallel (which is unlikely, related to a
serious network failure). The administrator must then select a node to be the new reference
"Master" (the one with the most modifications) and back up the data from the other node. Lastly,
the data must be manually imported to the new "Master".
Once the reference "Master" is chosen, follow the procedure below to restore the cluster:
When Bastions are configured in HA mode, it is no longer possible to make network changes, such
as IP addresses, from the GUI. As the disks of both machines are synchronized through the network,
you must connect to the "Master" node in SSH and run the following command:
In the event of a node replacement, first disconnect the faulty device and start the replacement
WALLIX Bastion. Make sure to configure it with the same static IP address as the faulty node, and
then enter this command on the operational node:
In the event of a file system integrity error, detectable through the kernel messages (i.e.: "File
system is now read-only due to the potential of on-disk corruption. Please
run fsck.ext4 once the file system is unmounted."), proceed as follows:
1. Enter "sudo -i WABHAInitd --force stop" to turn off HA on both nodes, starting with the "Slave".
2. Check that the shared file system is removed from both nodes by entering "sudo -i umount /
var/wab".
3. Disable DRBD on the "Slave" mode by entering "sudo -i drbdadm secondary wab".
4. Enable DRBD on the "Master" mode by entering "sudo -i drbdadm primary wab".
Consequence: Both nodes will detect the fault (ssh not accessible)
Notifications: [WAB] - WALLIX Bastion HA master WabA error detected by WabA Reason: Service
ssh isn't responding and we couldn't restart it!
Notifications: [WAB] - WALLIX Bastion HA master WabA error detected by WabB Reason: Host
respond to ping but ssh service is down, will try to switch to master...
Result: the "Slave" will take over and the "Master" will be downgraded to "Slave"
Full resolution: repair the fault so that WabA can become the "Master" again
Notification: [WAB] - The WALLIX Bastion HA slave WabB is no longer connected to master WabA!
Master data replication isn't working.
Result: data replication interrupted, but the volume is still working (in degraded mode)
Note: If the volume of data on the degraded "Master" is negligible (e.g. no new session),
synchronization takes place instantaneously. If not, a notification is sent.
Notification: [WAB] - The WALLIX Bastion HA cluster synchronization completed! The data on both
nodes is now fully synchronized.
Consequence: both nodes will detect the fault. The "Master" will continue to operate in degraded
mode.
Notification: [WAB] - The WALLIX Bastion HA slave WabB is no longer connected to master WabA!
Master data replication isn't working.
Consequence: the "Slave" will assume that the "Master" is turned off and will switch over to "Master"
and will operate in degraded mode.
Notification: [WAB] - The WALLIX Bastion HA slave WabA isn't connected to the master master
WabB anymore! Master data replication isn't working.
Result: the shared volume will start to diverge between both nodes. The most probable case is that
one of the nodes is no longer on the network, in which case the resolution is simple: reconnect both
Bastions or if you have used iptables:
WabA# iptables -F
WabB# iptables -F
Notification: [WAB] - The WALLIX Bastion HA disks diverged (split brain detected) The WALLIX
Bastion HA drbd shared volume is now disconnected. Peers have lost connection with each other
and both have switched to master node... Data can't be synced cleanly! You need to manually
discard the changes on one of the nodes.
Once you find out the out-of-date node, follow the procedure below:
Chapter 9. Users
Important:
All the IP addresses which can be set on WALLIX Bastion support both IPv4 and IPv6
formats.
The "Users" menu allows you to create and manage WALLIX Bastion users/administrators.
You can also configure the user groups to which the authorizations apply. For further information,
refer to Chapter 14, “Authorization management”, page 301.
Note:
User account names are not case sensitive, but case is preserved as entered when the account is created.
• list user accounts according to a filter on local accounts or domain accounts from LDAP and
Active Directory domains. When an LDAP or Active Directory domain is selected from the list,
then the users from the directory mapped with a user group in WALLIX Bastion are displayed. For
further information on this mapping, refer to Section 9.9, “Configuration of LDAP, Active Directory
or Azure AD domain mapping”, page 118.
• add/edit/delete a user account
• identify the users for whom the "Credential recovery" right is enabled in their profile: a key icon
is then displayed in the "Profile" column on the related line. These users receive an email
gathering the target account passwords in case of password change. For further information,
refer to Section 11.4, “"Break glass" mechanism configuration”, page 241.
For further information on user profiles, refer to Section 9.3, “User profiles”, page 87.
• release the lock of a user account by clicking on the padlock icon displayed in the "Status"
column on the related line. A user account is locked when the maximum number of allowed
authentication failures defined in the local password policy has been reached. For further
information, refer to Section 9.6, “Local password policy configuration”, page 99.
• identify the users for whom the account is active: a tick icon is then displayed in the "Status"
column on the related line.
• identify the users for whom the account has expired: an hourglass icon is then displayed in the
"Status" column on the related line. The account expiration date can be set during the creation
or modification of the account.
• identify the users for whom the account is disabled: a warning icon is then displayed in the
"Status" column on the related line. The user account deactivation can be set during the
creation or modification of the account.
• access the detail of the account to view the user's rights on the GUI but also their authorizations
regarding devices, applications and target accounts
• import users from a .csv file which can be used to populate the WALLIX Bastion user database
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
• the user name used to log on to the Web user interface and proxies.
• a name, used to identify the person to whom the user name belongs
• an email address which can be modified later on by the user
• a field to upload a GPG public key: the user will receive the new password in an encrypted email.
This key can be modified later on by the user.
Warning:
If the GPG key is not specified for the user with the “product_administrator” or
“operation_administrator” profile, then a warning email is sent daily to notify the user
of the missing declaration of the GPG key.
The sending of this warning email can be managed via the “Missing GPG key warning
email” option in the menu “Configuration” > “Configuration options” > “Global”. By
default, this option is enabled.
• a preferred language, used to select the language in which the messages sent to the user from
the proxies are displayed. This choice can be modified later on by the user.
• a profile, used to define the user rights and limitations (refer to Section 9.3, “User
profiles”, page 87)
• a check box to indicate whether the user account is disabled. If so, this user will not be allowed to
log on to the WALLIX Bastion Web interface and proxies. This check box is deselected by default.
Caution:
If this check box is deselected and no rights are defined in the user profile, then the
user will not be allowed to log on to the WALLIX Bastion Web interface, the REST API
Web Service and RDP/SSH sessions.
• a field including a calendar (displayed with a right-click) to select, if needed, the account expiration
date
• a list of groups, used to select the groups into which the user should be included. You can
also add a user to a group in the add or edit page for a group (refer to Section 9.2, “User
groups”, page 83)
• an authentication procedure, which may be different for each user (refer to Section 9.8, “External
authentication configuration”, page 109). You can select several procedures to indicate the
backup servers for external authentications (LDAP, RADIUS, etc.)
• if the chosen authentication procedure is "local_password":
– a field to enter and confirm a password: there may be certain requirements regarding
the passwords the system will accept (refer to Section 9.6, “Local password policy
configuration”, page 99). This password can be modified later on by the user.
– a field to force the password change for the user. The latter will then receive a notification
message indicating that their account has been created and that the password must be
changed at first login (see also Section 8.12, “SMTP server”, page 61). If the administrator
forces the password change, the user will have to change the password the next time they
authenticate, either on the login screen of WALLIX Bastion or when connecting to an RDP or
SSH session. No access will be granted as long as the password is not changed.
• if the chosen authentication procedure is "local_sshkey", a field to upload or enter manually an
SSH public key using RSA, ED25519 or ECDSA algorithm. This key can be modified later on
by the user.
Warning:
It is not possible to set a key if no algorithm is allowed for the SSH public key on the
"Local Password Policy" page from the "Configuration" menu. For further information,
refer to Section 9.6, “Local password policy configuration”, page 99.
This key must be in the OpenSSH format. Otherwise an error message is displayed.
If you use PuTTYgen to generate the key, you must save in a text file the public key
displayed in the OpenSSH format during the generation. As an example, this key is
labelled as follows:
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0yR9lBQov6[.....]c3xu9p/xNjw==
rsa-key-20151204"
You can then upload this key on the dedicated area on this page.
If a key already exists, you can load the private key in PuTTYgen in order to generate
the corresponding public key in the appropriate format.
• if the chosen authentication procedure is "local_x509" a field to enter the DN (i.e. "Distinguished
Name") of the certificate to allow the user authentication (refer to Section 9.7.4, “User
authentication configuration”, page 105) when X509 authentication is set for WALLIX Bastion
• a source IP/subnet address or range of addresses to restrict the access to this address/range of
addresses for proxies and the Web interface.
The fields in this page are the same as those in the user creation page.
Note:
If the "password" field is not changed, the user password is not modified.
From the "Accounts" page, click on a user name to display the user data and expand the "Rights
on GUI" area to view the related data for this user.
• "Authorizations on devices": this area shows the list of the devices which can be accessed by
this user
Click on the icon at the beginning of a line to download the configuration file to establish a
connection.
• "Authorizations on applications": this area shows the list of the applications which can be
accessed by this user
Click on the icon at the beginning of a line to download the configuration file to establish a
connection.
• "Authorizations on accounts": this area shows the list of the target accounts which can be
accessed by this user
• a .csv file or
• a company directory (LDAP or Active Directory) if you only want to replicate a snapshot of
your directory into the WALLIX Bastion database. You can use the LDAP domain integration
functionality that makes direct use of the directory (refer to Section 9.9, “Configuration of LDAP,
Active Directory or Azure AD domain mapping”, page 118).
• from the "CSV" page on the "Import/Export" menu. You can select the "Users" check box to import
the related data. The field and list separators can also be configured.
• or from the "Accounts" page on the "Users" menu. You can click on the "Import CSV file" icon at
the top right of the page to import the related data. You are then redirected to the "CSV" page on
the "Import/Export" menu: the "Users" check box is automatically selected to import the related
data. The field and list separators can also be configured.
The file must begin with a line containing the following tag:
#wab910 user
Important:
Data related to the users' password, SSH key or X509 DN is not provided in the .csv file
when exporting users. It must then be specified in the .csv file prior to import.
The update of existing data when importing a .csv file overwrites old data.
Warning:
The first line of the .csv file containing the tag must not be modified. If this line is modified,
the file can no longer be imported into WALLIX Bastion.
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database, as well as the rejected data. In case of rejection, the corresponding error is mentioned.
Warning:
If the imported users should authenticate on the directory used for the import, you
must first create the authentication method (see also Section 9.8.1, “Add an external
authentication”, page 110).
Case 1: Import users from an LDAP directory without using Active Directory
To import users from an LDAP directory without using Active Directory, enter the fields on the "Users
from LDAP/AD" page as follows:
Note:
For further information on TLS configuration, refer to Section 15.26, “Configure TLS
options for LDAP external authentication”, page 323.
Note:
The user must have read rights for the base DN used.
Note:
For further information on TLS configuration, refer to Section 15.26, “Configure TLS
options for LDAP external authentication”, page 323.
• "Base DN": depends on the domain name. For example, for the domain "mycorp.lan", the base
DN should be "dc=mycorp,dc=lan"
• "User name attribute": the connection attribute is "sAMAccountName"
Caution:
Due to an Active Directory limitation, the “sAMAccountName” attribute must be at most
20 characters long and cannot contain the following characters: "/\[]:;|=,+*?<>
Note:
The user must have read rights for the base DN used.
If the import is successful, a page listing the users extracted from the directory is displayed: choose
the users you wish to import into WALLIX Bastion by selecting the check box at the beginning of the
relevant line. Before the final import, you must assign an authentication and a profile to the selected
users. A user group and a domain name can also be assigned to the selection.
Click on the "Import" button to import the data into the user database of WALLIX Bastion.
Once the import operation is performed, a summary report is displayed. This report lists the number
of users which were created/rejected in the WALLIX Bastion database. In case of rejection, the
corresponding error is mentioned.
Note:
The user name of the imported user is based on the following syntax:
Note:
The administrator cannot view on this page the profile defined for a group (displayed in
the “Profile” field) when this profile has at least one permission that the administrator's
profile cannot grant as a transferable right. For further information, refer to Section 9.3,
“User profiles”, page 87.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
Note:
If several time frames are selected, the time frame applied is the combination of all the
selected time frames.
Warning:
Character sequence detection is only enabled for data sent by the client to the
server and only for connections under specific protocols (available in the list from the
"Subprotocol" field).
Warning:
When there is no LDAP, AD or Azure AD authentication domain configured in WALLIX
Bastion, the “Authentication domain mapping” frame is not displayed on this page.
Note:
The administrator cannot view the area “LDAP authentication mapping” when the
profile mapped to the group has at least one permission that the administrator's profile
cannot grant as a transferable right. For further information, refer to Section 9.3, “User
profiles”, page 87.
Warning:
You cannot delete a user group linked to active authorizations (refer to Chapter 14,
“Authorization management”, page 301).
The file must begin with a line containing the following tag:
#wab910 usersgroup
Important:
The update of existing data when importing a .csv file overwrites old data.
Warning:
The first line of the .csv file containing the tag must not be modified. If this line is modified,
the file can no longer be imported into WALLIX Bastion.
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database, as well as the rejected data. In case of rejection, the corresponding error is mentioned.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
• "approver": this profile can accept/reject approval requests to access target accounts
• "auditor": this profile can view WALLIX Bastion audit data (refer to Section 12.3, “Audit
data”, page 248) but cannot access target accounts
• "operation_administrator": this profile can perform any operation. However, it has no access to
the following features: the "System" menu (including system backup and restoration), the "Audit"
menu, all the system logs and the target accounts.
• "disabled": this profile has no rights; it can be edited or deleted if unused but it should not be used
to disable a user account. We recommend selecting the "Disabled" option on the user account
add/edit page if you wish to disable a user. For further information, refer to Section 9.1, “User
accounts”, page 74.
Caution:
The "disabled" profile is only displayed on an upgraded version of WALLIX Bastion as it
is inherited by default from a former version. During the upgrade, users with the former
"disabled" profile are automatically linked to the "user" profile and the "Disabled" option
on the user account edit page is selected by default.
• "system_administrator": this profile has full system administration rights via the "System" menu.
It can change the appliance configuration, access the console to create and restore backups and
view all the system logs. However, this profile cannot access target accounts.
• "user": this profile has no administration rights but can access target accounts
• "product_administrator": this profile has full administration rights and can connect to target
accounts
Note:
The configuration for the factory-set administrator account is the
"product_administrator" profile.
On the "Rights" part, you can set the authorizations for the main features of the Web interface
displayed from the WALLIX Bastion menu:
• "None": no rights: the menu entry will not appear when the user logs on
• "View": the user can view the elements created but cannot edit them
• "Modify": the user can view and edit elements
• "Execute" (only for backup/restoration): the user can perform a system backup or restoration
(refer to Section 8.13, “Backup and Restoration”, page 62)
Another option can be used to enable/disable the access to the target accounts.
The "Transferable rights" part is displayed if the "Modify" right for the "Users", "User profiles" or
"Settings" feature is set on the "Rights" part.
On the "Transferable rights" part, you can set the authorizations which can be granted by the profile
members. These authorizations are inherited from the rights set for the profile. The rights which can
be transferred by the profile members cannot exceed their own rights. As a consequence, a profile
cannot grant permission to modify a feature if it does not itself have the right to modify that feature
and is not allowed to transfer this right (except for the "Session audit" and the "Target account
access" rights).
Note:
A user cannot view the profiles and the profile members having at least one permission
that this user does not have (except for the "Session audit" and the "Target account
access" rights).
However, this rule applies neither to the "Groups" sub-entry in the "Users" menu nor to
the entries in the "Audit" menu.
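The containment rule described above (transferable rights may not exceed the profile's own rights, a user only sees profiles whose permissions they hold, and the two exempt rights) as an added Python check. This is illustrative code written for this page, not WALLIX code; the feature names, the sample profiles and the ranking of the "x" level are its own assumptions.

```python
"""Containment checks for profile rights, modelled on the "Rights" and
"Transferable rights" parts of the user profile page.

Added example, not WALLIX code. Levels are the guide's per-feature values
"-" (none), "r" (View), "w" (Modify) and "x" (Execute, Backup/Restore only).
"Session audit" and "Target account access" are exempt from containment,
as the guide states. Feature names and sample profiles are constructed.
"""

# Assumption: "x" only occurs on Backup/Restore, where it is the sole non-empty
# level, so it is ranked like "w" for containment purposes.
RANK = {"-": 0, "r": 1, "w": 2, "x": 2}
EXEMPT = frozenset({"Session audit", "Target account access"})


def _excess(inner: dict, outer: dict) -> list:
    """Features where `inner` grants strictly more than `outer` (exempt ones skipped)."""
    excess = []
    for feature, level in inner.items():
        if feature in EXEMPT:
            continue
        if RANK[level] > RANK[outer.get(feature, "-")]:
            excess.append(feature)
    return sorted(excess)


def transfer_violations(own_rights: dict, transferable: dict) -> list:
    """Transferable rights may not exceed the profile's own rights."""
    return _excess(transferable, own_rights)


def can_view_profile(viewer_rights: dict, profile_rights: dict) -> bool:
    """A user only sees a profile whose every non-exempt permission they also hold."""
    return not _excess(profile_rights, viewer_rights)


# Constructed sample: a delegated "helpdesk_admin" profile.
HELPDESK_OWN = {
    "Users": "w", "User profiles": "r", "Settings": "-",
    "Backup/Restore": "-", "Session audit": "-", "Target account access": "-",
}
HELPDESK_TRANSFERABLE = {
    "Users": "w",            # fine: the profile holds Modify itself
    "User profiles": "w",    # violation: it only holds View
    "Backup/Restore": "x",   # violation: it holds nothing here
    "Target account access": "-",
}

if __name__ == "__main__":
    print(transfer_violations(HELPDESK_OWN, HELPDESK_TRANSFERABLE))
    # prints ['Backup/Restore', 'User profiles']
```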
On the "Dashboards" part, you can select the dashboards which can be viewed by the profile
members. The list of dashboards displayed on this area is inherited from the authorizations set for
your profile.
• "IP limitations": define the source IP to which access is restricted for the primary connection.
This can be a single IP address, a subnet mask or a hostname.
• "User group limitations" and "Target group limitations": select the user groups and/or the target
groups which can only be viewed and managed by the profile members. The authorizations set
for the profile members will apply to these groups and the addition of users and/or target accounts
will be restricted to these groups.
If you define limitations on target groups, select from the list of values the default group to which
the new target accounts will belong.
The limitations defined in this section apply to the users linked to the profile: these can be
local users, users imported from an LDAP/AD directory, or members of a WALLIX Bastion
user group linked through an authentication mapping to a group from the LDAP/AD directory.
Warning:
If the target account access is allowed for a profile, we do not recommend defining
limitations for the profile members from the "Other features" part as it may lead to
functional inconsistencies.
Warning:
A predefined profile can neither be deleted nor edited.
You cannot delete a profile if at least one user is linked to this profile.
Important:
The update of existing data when importing a .csv file overwrites old data.
Warning:
The first line of the .csv file containing the tag must not be modified. If this line is modified,
the file can no longer be imported into WALLIX Bastion.
Possible values:
-: none
r: right to "View"
w: right to "Modify"
x: right to "Execute"
- Manage Authorizations: right to "Modify"
- Settings: none
- System settings: right to "Modify"
- Backup/Restore: right to "Execute"
- Credential recovery: none
Target account access | Boolean | R | True or False | False
IP limitations | IP/subnet/hostname | O | [aA-zZ], [0-9], '-', '/', '.' (e.g. for subnet: 1.1.1.0/24) | N/A
Possible values:
-: none
r: right to "View"
w: right to "Modify"
x: right to "Execute"
- Manage Authorizations: right to "Modify"
- Settings: none
- Backup/Restore: right to "Execute"
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database, as well as the rejected data. In case of rejection, the corresponding error is mentioned.
Warning:
When WALLIX Bastion is configured in High-Availability mode with DRBD, the user data
retention configuration is only propagated to the “Slave” node when the latter becomes
the “Master” node after a switchover. It is recommended to force a DRBD switch in order to
apply the new configuration on all nodes.
The “Data retention policy” section, available from “Configuration” > “Configuration options”, allows
you to configure the following options:
• “Remove user data older than”: it consists of deleting the users' data contained in the databases
of WALLIX Bastion, i.e. the data located in the following tables: account activity, answer,
approval, auth_log, session_log and user. Thus, all data older than the value defined in
this field in number of weeks (with the suffix “w” such as “10w” for 10 weeks) or in number of days
(with the suffix “d” such as “24d” for 24 days) is deleted. If no suffix is specified, then the value
is considered to be expressed in number of weeks.
Note:
The deletion of user data from the WALLIX Bastion databases is based on:
– for the account activity table: the date of the user's activity
– for the answer table: the creation date of the approval answer
– for the approval table: the end date of the approval
– for the auth_log table: the timestamp of the authentication logs
– for the user table: the deactivation date of the user
For further information on the session purge, refer to Section 15.20, “Export and/or
purge session recordings manually”, page 318 and Section 15.21, “Export and/or
purge session recordings automatically”, page 320.
• “Max delete objects”: it consists of the maximum number of objects, per data type, to delete from
the database. This field is displayed when the check box of the "Advanced options" field at the
top right of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
• “Remove user logs older than”: it consists of deleting the users' data contained in the logs of
WALLIX Bastion, i.e. the data located in the files saved in partition /var/log: syslog, debug,
error, user.log, wabaudit.log and wabauth.log. Thus, all data older than the value
defined in this field in number of weeks (with the suffix “w” such as “20w” for 20 weeks) or in
number of days (with the suffix “d” such as “36d” for 36 days) is deleted. If no suffix is entered,
then the value is considered to be expressed in number of weeks. The maximum retention time
for the logs is 365 days or 52 weeks.
Warning:
If the defined value for the option “Remove user data older than” is higher than the one
set for “Remove user logs older than”, then the log retention time takes into account the
value defined for “Remove user data older than”.
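The retention value syntax and the override rule described above, as an added Python example. This is illustrative code written for this page, not WALLIX code; the function names and the sample timestamps are constructed, and it assumes the rule that the log period is raised to the user-data period when the latter is longer.

```python
"""Retention-period handling modelled on the "Data retention policy" options.

Added example, not WALLIX code. It implements the value syntax the guide gives
("10w" weeks, "24d" days, bare number = weeks), the 365-day/52-week ceiling
for logs and the warning that a longer "Remove user data older than" value
overrides the log retention value. Names and sample records are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

_RETENTION = re.compile(r"^\s*(\d+)\s*([dDwW])?\s*$")
MAX_LOG_RETENTION = timedelta(days=365)   # guide: 365 days or 52 weeks


def parse_retention(value: str) -> timedelta:
    """'10w' -> 10 weeks, '24d' -> 24 days, '6' -> 6 weeks (no suffix means weeks)."""
    m = _RETENTION.match(value)
    if not m:
        raise ValueError(f"invalid retention value: {value!r}")
    count, unit = int(m.group(1)), (m.group(2) or "w").lower()
    return timedelta(days=count) if unit == "d" else timedelta(weeks=count)


def effective_log_retention(user_data: str, user_logs: str) -> timedelta:
    """A longer user-data period takes precedence over the log period."""
    return max(parse_retention(user_data), parse_retention(user_logs))


def log_retention_problems(user_data: str, user_logs: str) -> list:
    """Explain why a pair of settings would not behave as an administrator expects."""
    problems = []
    data, logs = parse_retention(user_data), parse_retention(user_logs)
    if data > logs:
        problems.append(f"logs will be kept {data.days} days, not {logs.days}: "
                        "'Remove user data older than' is longer")
    if effective_log_retention(user_data, user_logs) > MAX_LOG_RETENTION:
        problems.append("effective log retention exceeds the 365-day maximum")
    return problems


def is_expired(stamp: datetime, retention: str, now: datetime) -> bool:
    """True when a row's reference date (e.g. an auth_log timestamp) is older than the cutoff."""
    return stamp < now - parse_retention(retention)


def purge_candidates(stamps, retention: str, now: datetime) -> list:
    """Rows that a purge run with the given retention value would delete."""
    return [s for s in stamps if is_expired(s, retention, now)]


# Constructed sample: auth_log-style timestamps checked against a 24-day policy.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_AUTH_LOG = [
    datetime(2024, 1, 15, tzinfo=timezone.utc),   # 46 days old -> purged
    datetime(2024, 2, 20, tzinfo=timezone.utc),   # 10 days old -> kept
]

if __name__ == "__main__":
    print(purge_candidates(SAMPLE_AUTH_LOG, "24d", NOW))
    print(log_retention_problems("60w", "52w"))
```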
Note:
When notifications are enabled for this event type, the email summarizes errors for
sessions older than 3 days by default. It is however possible to set a different value
for this number of days. To edit this parameter, go to “Configuration” > “Configuration
options” > “Session log policy”, then enter a positive integer in the field “Summarize
error older than” below section “IntegrityChecker”. If “0” is entered in this field, then
there is no error summary in the notification email.
• a RAID error
• a pattern detection during analysis of an RDP or SSH flow
• a license expiration warning
Note:
When notifications are enabled for this event type, the warning email will be sent 15
days, 10 days, 5 days and 1 day before the license expiration date.
It is also possible to define thresholds to trigger a notification to the administrator when
one of the license metrics has reached and/or exceeded these thresholds. For more
information, refer to Section 8.2.2, “Managing the sending of notifications”, page 46.
From the “Notifications” page of the “Configuration” menu, you can add, edit or delete notifications.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
Note:
Once you have entered a valid email address, click on “+ Add” to add it to the recipient
list. Once an email address is added, you have the possibility to delete it from the list
by clicking on the “-” icon.
You can add as many recipients' email as necessary.
Note:
You can configure the settings for sending emails on the “SMTP Server” page of the
“System” menu (refer to Section 8.12, “SMTP server”, page 61).
The fields of this page are the same as those on the notification creation page, except for the “Name”
field which cannot be edited.
• modify the subject and body of the notifications to your specific needs
• send notifications in HTML format
Note:
Once a custom notification template has been created, the notification will be sent in the
following order:
• First, the custom notification in the user's language if a corresponding template exists.
For example: approval_pending_user_fr.txt
• Or the custom notification in English if a corresponding template exists. For example:
approval_pending_user_en.txt
• Or the default notification of WALLIX Bastion in the user's language. For example:
approval_pending_user.txt
Caution:
The name of the custom notification templates must be the same as the name of the
default notification templates, followed by the language suffix.
To display the list of default notifications in order to copy the name, run the following command:
ls /opt/wab/lib/python3.7/site-packages/wallixgenericnotifier/templates/mail
The table below lists the additional variables available for the custom notifications:
The table below lists the variables available for the custom approval notifications sent to users
asking for approval (all the templates: approval_*_user.txt):
The table below lists the variables available for the custom approval notifications sent to
approvers (all the templates: approval_*_approver.txt):
From the “Local Password Policy” page on the “Configuration” menu, you can define the password
policy and configure the password expiration time.
• the password validity period in number of days. After this period, the user will be prompted for
password change on the login screen of WALLIX Bastion or when connecting to the RDP or SSH
session. We recommend configuring this setting for a period of less than one year.
Note:
A warning window displays when this field is updated to list the users whose password
will expire the next time they login.
• the period in number of days before the display of the first password expiration warning. We
recommend setting this period to a value of at least 20 days.
• the maximum number of authentication failures allowed per user. We recommend setting this
number to a value of at most 5 authentication attempts.
• the number of previous passwords which cannot be reused. We recommend rejecting at least
the last 4 passwords.
• the minimum length of the password. This value must be greater than the sum of the other length
constraints. We recommend setting this length to a value of at least 12 characters.
• the minimum number of special characters in the password. We recommend setting this number
to a value of at least 1 character.
• the minimum number of uppercase letters in the password. We recommend setting this number
to a value of at least 1 character.
• the minimum number of lowercase letters in the password. We recommend setting this number
to a value of at least 1 character.
• the minimum number of digits in the password. We recommend setting this number to a value
of at least 1 character.
• a list to select one or several algorithms allowed for the SSH public key. If the “RSA” algorithm is
selected, the minimum key length must be entered in the “Minimum RSA key length” field. This
value must not be lower than 1024 bits.
Note:
If no algorithm is selected, then the definition of the SSH public key cannot be performed
on the “My Preferences” page and the SSH public key cannot be set for the local user
on the “Accounts” page from the “Users” menu.
• a toggle button to allow passwords similar to the user name. We do not recommend allowing
similarity.
• a button to upload the file containing the list of banned passwords.
Note:
The file containing the list of banned passwords must be in a UTF-8 format.
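The password-policy fields described above, as an added Python checker that applies the guide's recommended values to a candidate password. This is illustrative code written for this page, not WALLIX code; the similarity rule, the message texts and the use of SHA-256 digests for the password history are its own choices.

```python
"""Password checks modelled on the "Local Password Policy" fields.

Added example, not WALLIX code. The dataclass defaults are the guide's
recommended values; the similarity rule, message texts and the digest-based
history are this example's own choices. Sample data is constructed.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    validity_days: int = 180        # guide: less than one year
    warning_days: int = 20          # guide: at least 20 days before expiry
    max_failures: int = 5           # guide: at most 5 attempts
    history_size: int = 4           # guide: reject at least the last 4 passwords
    min_length: int = 12            # guide: at least 12, and more than the four counts below
    min_special: int = 1
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    allow_similar_to_username: bool = False
    banned: set = field(default_factory=set)   # casefolded entries from the banned list


def policy_problems(p: PasswordPolicy) -> list:
    """The guide's hard rule plus its recommendations, as an admin-side sanity check."""
    problems = []
    if p.min_length <= p.min_special + p.min_upper + p.min_lower + p.min_digits:
        problems.append("minimum length must be greater than the sum of the other length constraints")
    if p.validity_days >= 365:
        problems.append("recommendation: validity period should be less than one year")
    if p.max_failures > 5:
        problems.append("recommendation: allow at most 5 authentication failures")
    return problems


def load_banned_passwords(raw: bytes) -> set:
    """The guide requires a UTF-8 file: decode strictly so a mis-encoded upload fails loudly."""
    text = raw.decode("utf-8")
    return {line.strip().casefold() for line in text.splitlines() if line.strip()}


def password_digest(password: str) -> str:
    # History entries are digests so previous passwords are never kept in clear.
    # SHA-256 keeps the example dependency-free; a real store would use a slow password hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def similar_to_username(password: str, username: str) -> bool:
    """Example's own rule: one string contains the other, ignoring case."""
    p, u = password.casefold(), username.casefold()
    return bool(u) and (u in p or p in u)


def check_password(password: str, username: str, policy: PasswordPolicy, history=()) -> list:
    """Return the policy violations for a candidate password (empty list = accepted).
    `history` holds digests of previous passwords, oldest first."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if sum(not c.isalnum() for c in password) < policy.min_special:
        problems.append("too few special characters")
    if sum(c.isupper() for c in password) < policy.min_upper:
        problems.append("too few uppercase letters")
    if sum(c.islower() for c in password) < policy.min_lower:
        problems.append("too few lowercase letters")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        problems.append("too few digits")
    if password.casefold() in policy.banned:
        problems.append("password is on the banned list")
    if not policy.allow_similar_to_username and similar_to_username(password, username):
        problems.append("password is too similar to the user name")
    recent = list(history)[-policy.history_size:] if policy.history_size else []
    if password_digest(password) in recent:
        problems.append("password was used recently")
    return problems


# Constructed sample banned list, as it would arrive from the upload button.
SAMPLE_BANNED = load_banned_passwords("Password1!\nWinter2024\nmycorp\n".encode("utf-8"))
SAMPLE_POLICY = PasswordPolicy(banned=SAMPLE_BANNED)
SAMPLE_HISTORY = [password_digest("Tr0ub4dor&Lamp")]

if __name__ == "__main__":
    print(check_password("LMartin2024!xyz", "lmartin", SAMPLE_POLICY))
    print(check_password("Tr0ub4dor&Lamp", "lmartin", SAMPLE_POLICY, SAMPLE_HISTORY))
```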
From the “X509 configuration” page on the “Configuration” menu, you can configure the X509
authentication as well as Certificate Revocation Lists (CRLs) and the Online Certificate Status
Protocol (OCSP). To do so, select “Certificates”, “CRL” or “OCSP” from the drop-down list.
• the public key in PEM format of the Certificate Authority which issued the server certificate. The
certificate may be self-signed or issued by an accredited authority.
• the certificate in PEM format for the WALLIX Bastion Web server
• the private key in PEM format for the server certificate
Warning:
If the signature algorithm of the server certificate is too weak, an error message is
displayed during the upload. Please contact the WALLIX Support Team for more
information.
Warning:
If X509 authentication is enabled, the TLSv1.3 protocol is deactivated for HTTPS
connections. It is activated by default when X509 authentication is disabled.
Note:
The WALLIX Bastion Web interface and the REST API Web Service are not available
during this set-up phase. The connections on the interface are thus disconnected.
However, RDP and SSH sessions are not affected.
Note:
The CRL files are stored in the directory /var/wab/apache2/ssl.crl/.
An uploaded file containing several CRLs is split into individual CRL files.
An uploaded CRL only replaces an existing one if its “CRLNumber” is greater than or
equal to that of the existing version.
This list can also be updated using a dedicated command. For further information, refer
to Section 15.30, “Update the CRL (Certificate Revocation List)”, page 326.
On the “OCSP” page, follow the steps below to manage the OCSP:
The “Local authentication - X509” section and the “Certificate DN” field appear on the page when
adding or editing a user (refer to Section 9.1, “User accounts”, page 74). To associate the user
with the certificate, the DN (i.e. "Distinguished Name") of the certificate must be entered in the
“Certificate DN” field as follows:
CN=Lucas Martin,O=MyCorp,L=PARIS,ST=IDF,C=FR
When the certificate is used, the associated user will then be authenticated on WALLIX Bastion.
Caution:
Some certificates include the attribute "emailAddress" mentioned as "E =... " in the
certificate DN. This attribute must be replaced by "emailAddress =... " in the field provided.
Note:
The certificates must be signed by the same Certificate Authority as the Web server
certificate.
The maximum supported length of a DN is 1,024 bytes (the exact number of characters
may be less depending on the length of the UTF-8 encoding).
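Preparing a certificate DN for the “Certificate DN” field as described above, as an added Python example: it rewrites an "E =" attribute to "emailAddress", and checks the 1,024-byte UTF-8 limit. This is illustrative code written for this page, not WALLIX code; the whitespace normalisation around "=" and the sample DNs are its own choices.

```python
"""Preparing a certificate DN for the "Certificate DN" field.

Added example, not WALLIX code. It implements the two rules the guide states:
an "E = ..." attribute must be written as "emailAddress = ...", and the DN may
not exceed 1,024 bytes once UTF-8 encoded. Removing spaces around "=" and the
sample DNs are this example's own choices.
"""
MAX_DN_BYTES = 1024


def split_rdns(dn: str) -> list:
    """Split on commas that are not escaped with a backslash (RFC 4514 style)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def normalize_certificate_dn(dn: str) -> str:
    """Rewrite 'E' to 'emailAddress' and drop the spaces around '=' that tools
    such as openssl print, so the result matches the form shown in the guide."""
    rdns = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        attr, value = attr.strip(), value.strip()
        if attr.upper() == "E":
            attr = "emailAddress"
        rdns.append(f"{attr}={value}")
    return ",".join(rdns)


def dn_problems(dn: str) -> list:
    """Reasons the DN would be rejected for the field; an empty list means it looks fine."""
    try:
        normalized = normalize_certificate_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    size = len(normalized.encode("utf-8"))
    if size > MAX_DN_BYTES:
        # The limit is in bytes, so a DN under 1,024 characters can still exceed it.
        return [f"DN is {size} bytes in UTF-8; the limit is {MAX_DN_BYTES}"]
    return []


# Constructed sample in the one-line form openssl prints for a subject.
OPENSSL_SUBJECT = ("E = lucas.martin@mycorp.example, CN = Lucas Martin, "
                   "O = MyCorp, L = PARIS, ST = IDF, C = FR")

if __name__ == "__main__":
    print(normalize_certificate_dn(OPENSSL_SUBJECT))
    print(dn_problems("CN=" + "é" * 600 + ",O=MyCorp"))
```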
Figure 9.12. "Accounts" page in modification mode with the "Certificate DN" field
Users and administrators can then log on using a saved certificate stored in the browser.
They can choose to accept or reject multiple automatic connections for RDP sessions, SSH
sessions or both for a given time period expressed in seconds by enabling the “Also applies to
all connections for:” button and configuring the fields underneath this button.
Warning:
The browser and the RDP or SSH client must both be running on the same workstation
(and thus share the same IP address) for the connection confirmation request to be displayed.
The maximum duration value during which automatic connections are allowed can be
defined in the field “X509 automatic sessions timer” from “Configuration” > “Configuration
Options” > “Global”. This duration cannot exceed 60 seconds and is set to 15 seconds by
default. The user cannot specify in the popup window a duration greater than this value.
If the authentication is based on account mapping, the user must enter their password
on the target.
Warning:
The Web interface is restarted. Thus, no user connections must be active.
The default configuration is restored: the certificates are deleted and new self-signed
certificates are generated.
An external authentication method is linked to a user account during the creation or modification of
the account. For further information, refer to Section 9.1.1, “Add a user”, page 75.
• Kerberos
• Kerberos-Password
• LDAP
• Active Directory
• RADIUS
• PingID
• SAML
From the “External authentications” page on the “Configuration” menu, you can add, edit or delete
external authentication configurations.
In order to integrate users from an external LDAP, Active Directory or Azure AD domain, you will
then need to configure the authentication domain. For further information, refer to Section 9.9,
“Configuration of LDAP, Active Directory or Azure AD domain mapping”, page 118.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
Note:
The default authentication configured on WALLIX Bastion is “local”. This built-in
method allows users to log in using the product’s internal data engine.
Please refer to the sections below to get specific information on the creation of external
authentications.
Figure 9.17. "External Authentications" page in addition mode for LDAP authentication
If an HTTP service is present in the keytab file, Kerberos support is activated for authenticating
on the GUI; this requires adding the iwab suffix to the URL: https://bastion_ip_address/iwab
or https://<bastion_name>/iwab.
HOST services are used for Kerberos authentication to the SSH proxy. It is then possible
to use a “forwardable” ticket to connect to a target within the same Kerberos domain using
account mapping (refer to Section 10.4.1, “Add a target account to a global domain”, page 172,
Section 10.4.2, “Add a target account to a device”, page 175 or Section 10.4.3, “Add a target
account to an application”, page 177).
• “Description”: enter a description if needed
• “Use primary domain name for two-factor authentication (2FA)”: this option is only relevant when
this authentication is used as a second factor after first authenticating via LDAP. Check the box
to force the domain name to be mentioned in the login (e.g. “user@domain”) during the second
authentication.
In order for a Kerberos authenticated user (via the GUI or the SSH proxy) to be acknowledged by
WALLIX Bastion, at least one of the following two conditions is required:
• the user is defined locally on WALLIX Bastion and the appropriate Kerberos external
authentication is configured for this user or
• the user is an LDAP user mapped to a WALLIX Bastion group. In this case, at least one of the
following configurations is required:
– a mapping must be defined on WALLIX Bastion for the LDAP domain of the user and the
Kerberos domain name must match the LDAP domain name (case insensitive) or
– a default LDAP domain is defined on WALLIX Bastion
For Kerberos-Password authentications, please ensure that the Kerberos infrastructure is properly
configured to be able to authenticate.
• the user is defined locally on WALLIX Bastion and a Kerberos-Password external authentication
is configured for this user or
• Kerberos-Password is used as a second factor after first authenticating via LDAP with or without
using Active Directory
Caution:
This timeout applies to any new LDAP external authentication. The LDAP external
authentications inherited from an earlier version of WALLIX Bastion keep the former
timeout value defined.
• “Encryption”: select the appropriate encryption protocol. The connection port is then updated
depending on the selection.
Note:
For further information on TLS configuration, refer to Section 15.26, “Configure TLS
options for LDAP external authentication”, page 323.
• “CA certificate”: this field is accessible when “StartTLS” or “SSL” is selected as the encryption
protocol. Browse to the CA certificate file to upload it. The LDAP server certificate is then verified
against this CA certificate during the connection.
Important:
The hostname specified in the “Server” field must be identical to the one entered in the
“CN” field of the certificate.
• “Bind method”: select the “anonymous”, “simple (password)” or “simple (client certificate)” bind
method
• “User” and “Password”: these fields are displayed when the simple (password) bind method is
selected. Specify a user name and a password to use to search for the WALLIX Bastion user
name in the directory.
Note:
The user must have read rights for the base DN used.
• “Client certificate” and “Client key”: these fields are displayed when the simple (client certificate)
bind method is selected and the chosen encryption protocol is either “StartTLS” or “SSL”. Browse
to the private key and the certificate used to connect and authenticate on the LDAP server by
providing a PKCS#12 file. Once the files have been uploaded, a passphrase can be provided for
the certificate on the dedicated field. The authenticity of the certificate is compared with the CA
certificate during the connection.
• “Test authentication”: click on this button to test the LDAP authentication configuration once the
required fields are entered. A test in progress can be cancelled at any time.
Important:
When using this method, the user may be prompted to change their password after
expiration on the login screen of WALLIX Bastion or when connecting to the RDP or SSH
session. The prerequisites are then as follows:
• the minimum required version for the Active Directory server is Windows Server 2008
R2
• the option “AD user password change” (accessible from the menu “Configuration” >
“Configuration options” > “Global” > section “main”) must be selected and
• at least one encryption protocol must be set for this method in the “Encryption” field
(i.e. either “StartTLS” or “SSL”)
To add an LDAP external authentication using Active Directory, specify the fields as follows.
In the “Network parameters” section:
Important:
For an LDAP external authentication using Active Directory, the fully qualified domain
name (FQDN) must be properly specified to be supported in Active Directory.
• “Port”: specify the port number of the server. The default port is 389.
• “Timeout”: specify the maximum waiting time (expressed in seconds) for a connection attempt to
the LDAP server. This value is set to 3 seconds by default.
Caution:
This timeout applies to all new LDAP external authentications. The LDAP external
authentications inherited from an earlier version of WALLIX Bastion keep the former
timeout value defined.
• “Encryption”: select the appropriate encryption protocol. The connection port is then updated
depending on the selection.
Note:
For further information on TLS configuration, refer to Section 15.26, “Configure TLS
options for LDAP external authentication”, page 323.
• “CA certificate”: this field is displayed when “StartTLS” or “SSL” is selected as the encryption
protocol. Browse to the CA certificate file. The LDAP server certificate is then verified against
this CA certificate during the connection.
Important:
The hostname specified in the “Server” field must be identical to the one entered in the
“CN” field of the certificate.
• “Bind method”: select the “anonymous”, “simple (password)”, “simple (client certificate)” or
“GSS-API” bind method
Note:
The SASL bind method based on GSS-API must be selected when the LDAP user is
included in the “Protected users” group.
• “User” and “Password”: these fields are displayed when the simple (password) bind method or
the GSS-API bind method is selected. Specify a user name and a password to use to search for
the WALLIX Bastion user name in the directory.
Note:
The user must have read rights for the base DN used.
• “Client certificate” and “Client key”: these fields are displayed when the simple (client certificate)
bind method is selected and the chosen encryption protocol is either “StartTLS” or “SSL”. Browse
to the private key and the certificate used to connect and authenticate on the LDAP server by
providing a PKCS#12 file. Once the files have been uploaded, a passphrase can be provided
for the certificate in the dedicated field. The certificate is compared with the CA certificate during
the connection.
• “Test authentication”: click on this button to test the LDAP authentication configuration once the
required fields are entered. A test in progress can be cancelled at any time.
• “Base DN”: depends on the domain name. For example, for the domain “mycorp.lan”, the base
DN should be “dc=mycorp,dc=lan”.
• “Login attribute”: specify the login attribute used for the connection. By default, this connection
attribute corresponds to “sAMAccountName”.
Caution:
Due to an Active Directory limitation, the “sAMAccountName” attribute must be up to
20 characters long and cannot contain the following characters: "/\[]:;|=,+*?<>
The “mail” attribute can be specified in this field to allow users associated with this authentication
to use their email when logging into the Web interface. The following login formats are then
supported:
– jdoe@mycompany.com@domain. The format is then “login@domain” with the email defined
as login (i.e. “jdoe@mycompany.com”)
– domain\\jdoe@mycompany.com. The format is then “domain\\login” with the email defined as
login (i.e. “jdoe@mycompany.com”)
– jdoe@mycompany.com with the domain defined as the default LDAP/AD domain
• “User name attribute”: specify the user name attribute. By default, it corresponds to
“sAMAccountName”.
Caution:
Due to an Active Directory limitation, the “sAMAccountName” attribute must be up to
20 characters long and cannot contain the following characters: "/\[]:;|=,+*?<>
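The three Active Directory constraints described above (base DN derived from the domain name, the 20-character and forbidden-character limits on “sAMAccountName”, and the three login formats accepted when the login attribute is “mail”) lend themselves to a small pre-flight check. The following Python is an added example, not WALLIX Bastion code; the function names are this example's own, and the only product facts it encodes are the ones quoted in the guide.

```python
"""Pre-flight helpers for the Active Directory settings described above.

Added example, not part of the WALLIX Bastion product or documentation.
Function names are this example's own.
"""
from typing import List, Tuple

# Characters the guide lists as forbidden in sAMAccountName: "/\[]:;|=,+*?<>
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')
SAM_MAX_LEN = 20


def base_dn_from_domain(domain: str) -> str:
    """'mycorp.lan' -> 'dc=mycorp,dc=lan' (one dc= component per DNS label)."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def check_samaccountname(name: str) -> List[str]:
    """Return the constraint violations for a login (empty list means valid)."""
    problems = []
    if not name:
        problems.append("empty")
    if len(name) > SAM_MAX_LEN:
        problems.append(f"longer than {SAM_MAX_LEN} characters")
    bad = sorted(set(name) & SAM_FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    return problems


def split_mail_login(login: str, default_domain: str) -> Tuple[str, str]:
    """Split a Web-interface login into (email, authentication domain).

    Formats from the guide: 'jdoe@mycompany.com@domain',
    'domain\\jdoe@mycompany.com' and bare 'jdoe@mycompany.com' (which
    falls back to the default LDAP/AD domain).  Because the email itself
    contains '@', the domain is taken after the LAST '@', and only when
    at least two '@' are present.
    """
    if "\\" in login:
        domain, email = login.split("\\", 1)
        return email, domain
    if login.count("@") >= 2:
        email, domain = login.rsplit("@", 1)
        return email, domain
    return login, default_domain
```

The `split_mail_login` edge case is the one that matters operationally: a naive split on the first `@` would send the wrong domain to the directory for the “login@domain” form.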
• “Properties file”: browse to the PingID properties file (named pingid.properties) containing
several account-specific settings. This file can be downloaded from the PingID administrator
interface.
• “Description”: enter a description if needed
• “Force OTP”: check the box to force the one-time password (or “OTP”) authentication only. In this
case, no other authentication method will be proposed.
• “Use primary domain name for two-factor authentication (2FA)”: this option is only relevant when
this authentication is used as a second factor after first authenticating via LDAP. Check the box
to force the domain name to be mentioned in the login (e.g. “user@domain”) during the second
authentication.
Note:
The WALLIX Bastion administrator should remind the user to specify only the login field
to access the Web interface when authenticating via PingID.
Caution:
This timeout applies to any new RADIUS external authentication. The RADIUS external
authentications inherited from an earlier version of WALLIX Bastion keep the former
timeout value defined.
Note:
In the context of a second factor authentication, if a user performs several connections
and the client's IP address is the same as the one used for the previous authentication
then they are not prompted to authenticate again.
• Register an application for WALLIX Bastion in the Microsoft Azure environment to enable the
Single Sign On (SSO) feature. For further information, refer to
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso.
• Configure the Azure AD permissions “Application Directory.Read.All” and “Delegated
User.Read” for the application.
• Add all the users allowed to connect to the application one after another. For further
information, refer to
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal.
Important:
The internet connection between WALLIX Bastion and the Microsoft Azure
environment for the domain “https://graph.microsoft.com” must not be interrupted.
2. In WALLIX Bastion, from the menu “Configuration” > “External authentications”, click on “+ Add
[SAML]”.
3. Specify the fields as follows:
• “Name”: specify the authentication name.
• “Timeout”: specify the maximum waiting time (expressed in seconds) for an authentication
attempt. This time starts from the moment the user clicks on the Azure authentication button
on the login page. This value is set to 900 seconds by default.
• “Description”: enter a description if needed.
• “IdP metadata”: browse a path to upload the identity provider (also called “IdP”) metadata
XML file. This file is downloadable from the application registration described in the
prerequisites section above.
4. Click on “Apply”. Once the IdP metadata file has been uploaded, the following fields are
displayed. These fields cannot be edited, but the corresponding value can be copied to the
clipboard if needed.
• “IdP entity ID”: Identifier of the identity provider interacting with the service provider (also
called “SP”), i.e. WALLIX Bastion, in the SAML communication process. It corresponds to the
“entityID” attribute of the “EntityDescriptor” element in the identity provider metadata file.
• “IdP SAML request URL”: URL to which WALLIX Bastion redirects the user for
authentication. It corresponds to the “Location” attribute of the “SingleSignOnService”
element in the identity provider metadata file.
• “SP entity ID”: Identifier used to refer to WALLIX Bastion in interactions with the identity
provider in the SAML communication. It corresponds to the “entityID” attribute of the
“EntityDescriptor” element in the service provider metadata file.
• “SP assertion consumer service”: URL to which the identity provider redirects the user once
the latter has authenticated. It corresponds to the “AssertionConsumerService” attribute of
the “SPSSODescriptor” element in the service provider metadata file.
Note:
The identity provider metadata XML file can be downloaded by clicking on
“Download registered IdP metadata”.
5. Create a new Azure AD authentication domain. For further information, refer to Section 9.9.1.2,
“Add an Azure AD authentication domain”, page 125.
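The two read-only values shown after the upload, “IdP entity ID” and “IdP SAML request URL”, come from the “entityID” attribute of the “EntityDescriptor” element and the “Location” attribute of a “SingleSignOnService” element of the IdP metadata. The Python below is an added example (not WALLIX Bastion code) that reads both from a metadata document and refuses anything that is not identity-provider metadata or that would redirect users to a non-HTTPS endpoint. The metadata document is constructed for the example, and the choice of the HTTP-Redirect binding as the default is an assumption of this example, not a statement about which binding the product uses.

```python
"""Read "IdP entity ID" and "IdP SAML request URL" from SAML 2.0 IdP metadata.

Added example, not the product's own code.  SAMPLE_IDP_METADATA is
constructed; the element and attribute names are the standard SAML 2.0
metadata ones the guide refers to.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed, minimal IdP metadata.  A real file also carries the IdP
# signing certificate, which is omitted here.
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sts.example.test/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="{POST_BINDING}"
        Location="https://sts.example.test/saml2/post"/>
    <SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://sts.example.test/saml2/redirect"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def read_idp_metadata(xml_text: str, binding: str = REDIRECT_BINDING) -> dict:
    """Return {'idp_entity_id': ..., 'idp_sso_url': ...} or raise ValueError.

    A quiet fallback (empty entityID, first Location found) would let a
    malformed or wrong-type metadata file steer logins to an unknown URL,
    so every missing piece is an error.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("document root is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    for sso in idp.findall(f"{{{MD_NS}}}SingleSignOnService"):
        location = sso.get("Location")
        if sso.get("Binding") == binding and location:
            if not location.startswith("https://"):
                raise ValueError("SingleSignOnService Location is not an https URL")
            return {"idp_entity_id": entity_id, "idp_sso_url": location}
    raise ValueError(f"no SingleSignOnService with binding {binding}")


def is_valid_idp_metadata(xml_text: str, binding: str = REDIRECT_BINDING) -> bool:
    """Boolean wrapper around read_idp_metadata for quick pre-upload checks."""
    try:
        read_idp_metadata(xml_text, binding)
        return True
    except (ValueError, ET.ParseError):
        return False
```

Running `read_idp_metadata(SAMPLE_IDP_METADATA)` yields the entity ID `https://sts.example.test/idp` and the redirect endpoint; feeding it service-provider metadata (an “SPSSODescriptor” instead of an “IDPSSODescriptor”) is rejected, which is the mistake this check is meant to catch before the file is uploaded.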
Warning:
You cannot delete an external authentication if at least one user is linked to this
authentication.
Note:
It is possible to configure the TLS options to allow the request of a given CA certificate to
authenticate on the LDAP server by editing the file /etc/ldap/ldap.conf. For further
• if needed, the selection, in the list of values of the “Secondary authentication” field, of a secondary
authentication to be used to enable two-factor authentication after a first authentication on the
domain. If several authentications (necessarily of the same type, e.g. only RADIUS or PINGID,
etc.) are selected, they are used one after the other, according to the defined order, until a
response is received from the server. This allows resilience in case of a secondary authentication
server failure as long as the configurations are the same.
Note:
With the exception of LDAP external authentication, all external authentications defined
from the “External authentications” page on the “Configuration” menu can be used as
a secondary authentication, after a first LDAP authentication.
• the user: the schema attribute is specified in the “User name attribute” field on the “External
authentications” page (refer to Section 9.8.1, “Add an external authentication”, page 110). By
default, WALLIX Bastion uses “sAMAccountName” with AD or “uid” with LDAP.
Caution:
Due to an Active Directory limitation, the “sAMAccountName” attribute must be up to
20 characters long and cannot contain the following characters: "/\[]:;|=,+*?<>
• the group attribute: this is the attribute describing a user's group membership. The default
value is “memberOf” for an AD server and “(&(ObjectClass=posixGroup)(memberUid=${uid}))”
for an LDAP server. The latter is an LDAP query used to find the groups containing the user
identified by his or her “uid”. Some servers do not, by default, expose for each account the
list of groups to which it belongs; an additional query is therefore necessary. The “${uid}”
syntax is specific to the Bastion; the “uid” attribute can be replaced by any user attribute. If
the LDAP server supports the “memberOf” value, its use is recommended. This is the case with
OpenLDAP servers configured with the “memberOf” overlay.
Note:
The “memberOf” attribute must also be entered in the field of the “Ldap attributes”
option located in “Configuration” > “Configuration options” > “Global”. The field can be
set to “*” to retrieve all the attributes but the performance of WALLIX Bastion may be
affected. The “Ldap attributes” option is displayed when the check box of “Advanced
options” at the top right of the page has been selected. It should ONLY be changed
upon instructions from the WALLIX Support Team!
It is possible to manage recursive groups with an AD server. In this case, the default value has
to be changed with the query below:
(&(ObjectClass=group)(member:1.2.840.113556.1.4.1941:=${distinguishedName}))
Note:
The values defined in the LDAP or AD server must be prefixed as “sshKey: <public
key>”.
The SSH public keys must be in the OpenSSH format and encrypted with the following
algorithms:
• the default email domain: it is the domain component used to build the user's email address if not
found in the directory. This address is built by prefixing the domain with the user name.
• the language attribute: usually, it is the “preferredLanguage” attribute (AD and LDAP).
• the default language: it is the default language of the domain members if the language is not
defined in the directory.
Note:
In order to use Okta Identity Cloud as an LDAP domain, make sure to set these three
parameters, in “Configuration” > “Configuration options” > “Global” > section “main”, as
follows:
These parameters are displayed when the check box of the “Advanced options” field at
the top right of the page has been selected. They should ONLY be changed upon instructions
from the WALLIX Support Team!
• an option to enable the X509 authentication: if this option is checked, users can only authenticate
to the LDAP or AD domain using X509 certificate authentication method. When this option is
checked, the fields of this area are then enabled.
• the condition to match an LDAP or AD domain to the X509 certificate. If no condition is specified
in the field “Matching condition”, the LDAP or AD domain can be used for X509 authentication
regardless of the certificate.
This condition is formatted according to the following variables retrieved from the certificate:
For example, the matching condition below will associate the domain with a certificate issued
by an organization whose name (“issuer_o”) includes “Company Ltd.” OR a certificate whose
common name (“issuer_cn”) includes “Security Cert” and whose user's organization unit
(“subject_ou”) corresponds to “Finance&Accounting”:
The operator “&&” (i.e. “AND”) has precedence over the operator “||” (i.e. “OR”). The values are
case sensitive, unlike the variables.
Important:
The format corresponds to the syntax used in the advanced search filters of the REST
API. For further information, refer to the related online help page at this address:
https://bastion_ip_address/api/doc/Usage.html#search
• the LDAP or AD search filter to retrieve users from the domain. This data is expressed using
LDAP filter syntax, but any of the variables available in the “Matching condition” field can
also be used.
Note:
All variables specified in the “Search filter” field must be present in the certificate to
provide a valid LDAP or AD filter and retrieve users accordingly.
For example, the filter syntax below will retrieve LDAP or AD users whose “cn” is the
“subject_cn” of the certificate or whose “uid” is the “subject_uid” of the certificate and whose
“preferredLanguage” attribute is “fr”:
(&(|(cn=${subject_cn})(uid=${subject_uid}))(preferredLanguage=fr))
For example, the filter syntax below will retrieve AD users whose local part of the
“userPrincipalName” is the “subject_cn” of the certificate and whose domain includes either
“company.com” or “biz.company.com”:
(|(userPrincipalName=${subject_cn}@company.com)(userPrincipalName=
${subject_cn}@biz.company.com))
• when using X509 authentication with an Active Directory server, the mention of the domain name
to match the SAN email. The domain is used to check the email field from the X509 Subject
Alternative Name (SAN) extension.
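Both the group-attribute query (“(&(ObjectClass=posixGroup)(memberUid=${uid}))”, or the recursive AD query with the “member:1.2.840.113556.1.4.1941:=${distinguishedName}” rule) and the X509 search filter above are LDAP filter templates whose “${variable}” placeholders are filled from a user attribute or a certificate field. The Python below is an added example, not a description of how WALLIX Bastion performs that substitution: it renders such a template while escaping the substituted value as RFC 4515 requires, and it refuses to render when a referenced variable is absent, which is the failure mode the Note on the “Search filter” field warns about. The template strings are the ones quoted in the guide; the attribute values are constructed.

```python
"""Render ${variable} LDAP filter templates with RFC 4515 value escaping.

Added example, not WALLIX Bastion code.  The escaping and the
missing-variable check are this example's own defensive choices.
Template strings are quoted from the guide; sample values are constructed.
"""
import re
from typing import Dict, Set

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Templates quoted in the guide.
POSIX_GROUP_QUERY = "(&(ObjectClass=posixGroup)(memberUid=${uid}))"
AD_RECURSIVE_GROUP_QUERY = (
    "(&(ObjectClass=group)(member:1.2.840.113556.1.4.1941:=${distinguishedName}))"
)
X509_SEARCH_FILTER = "(&(|(cn=${subject_cn})(uid=${subject_uid}))(preferredLanguage=fr))"


def ldap_escape(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside filter assertion values."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def placeholders(template: str) -> Set[str]:
    """Names of every ${...} placeholder in the template."""
    return set(PLACEHOLDER.findall(template))


def can_render(template: str, values: Dict[str, str]) -> bool:
    """True when every placeholder has a value (cf. the guide's Note on the
    "Search filter" field: all variables must be present in the certificate)."""
    return not (placeholders(template) - set(values))


def render_filter(template: str, values: Dict[str, str]) -> str:
    """Fill every placeholder from `values`, escaping each substituted value.

    Raises KeyError instead of substituting an empty string: an absent
    certificate field must not silently turn '(cn=${subject_cn})' into an
    over-broad '(cn=)' assertion.
    """
    missing = placeholders(template) - set(values)
    if missing:
        raise KeyError("no value for: " + ", ".join(sorted(missing)))
    return PLACEHOLDER.sub(lambda m: ldap_escape(str(values[m.group(1)])), template)
```

A value such as `*` or `a)(uid=*` is rendered as `\2a` and `a\29\28uid=\2a`, so the filter keeps the structure the template defines regardless of what the directory or certificate attribute contains.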
It is then necessary to add LDAP or AD authentication mappings by clicking on the “+ Add” button.
A mapping links the WALLIX Bastion user group with a group from the directory. To define a
mapping, the name of the WALLIX Bastion user group must be selected in the “User group” field,
and the value of the directory group attribute (e.g. its full DN for “memberOf”) must be specified
in the “Group” field.
If the WALLIX Bastion group is not already mapped, you must also select the WALLIX Bastion profile
for the group members in the “User group profile” field. If no mapping is found when a user connects,
the latter can be placed in a default group. To do this, check the box “Default group for users without
group in this domain”. Thus, any user defined in the directory can access WALLIX Bastion.
The mappings can also be edited on the user group modification page (refer to Section 9.2, “User
groups”, page 83).
Note:
On the “Mappings” tab, the administrator cannot view the mappings whose profiles have
at least one permission that the administrator's profile cannot grant as a transferable right.
For further information, refer to Section 9.3, “User profiles”, page 87.
The “General” section lists the following main properties for the authentication domain:
• “Server domain name”: the WALLIX Bastion domain name.
• “Authentication domain name”: the Azure AD authentication domain name.
• “Default domain” option: check this box to allow the stripping of the domain part (i.e.
@domain) from the user login when authenticating to WALLIX Bastion. Thus, local users
defined in WALLIX Access Manager can be mapped to users in the Bastion domain.
• “Description”
• “Authentication protocol”: select in the dropdown list of this field the authentication protocol
to be used.
WALLIX Bastion. The mappings can also be edited on the user group modification page (refer
to Section 9.2, “User groups”, page 83).
Note:
On the “Mappings” tab, the administrator cannot view the mappings whose
profiles have at least one permission that the administrator's profile cannot
grant as a transferable right. For further information, refer to Section 9.3, “User
profiles”, page 87.
The fields in this page are the same as those in the authentication domain creation page.
Warning:
You cannot delete an authentication domain if at least one user group is mapped to this
domain.
Important:
The update of existing data when importing a .csv file overwrites old data.
Warning:
The first line of the .csv file containing the tag must not be modified. If this line is modified,
the file can no longer be imported into WALLIX Bastion.
Possible values: "AzureAD", "LDAP", "AD"
Description: Text, O, Free text, N/A
(memberUid=${uid}))"
Full name attribute: Text, O, [aA-zZ], [0-9], '-', '_'; default LDAP-AD: "displayName", LDAP: "cn".
Full name attribute defined for the LDAP/AD domain.
Public key attribute: Text, O, [aA-zZ], [0-9], '-', '_'; default N/A.
Public key attribute defined for the LDAP/AD domain.
Email attribute: Text, O, [aA-zZ], [0-9], '-', '_'; default "mail".
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
The file must begin with a line containing the following tag:
#wab910 usersgroupmappings
Important:
The update of existing data when importing a .csv file overwrites old data.
Warning:
The first line of the .csv file containing the tag must not be modified. If this line is modified,
the file can no longer be imported into WALLIX Bastion.
IMPORTANT: If several groups are entered, then they must be separated by spaces. Additionally,
if the name of the group includes one or more spaces, then it must be enclosed in double quotes
(as shown in the above example).
In the context of an LDAP domain, rule allowing to define the users in the authentication domain
mapped to the WALLIX Bastion user group. This rule indicates the value to map for the defined group
CN=Users,DC=2008,DC=system,DC=enterprise'
If no external group is specified, then all the existing mappings for the group/domain pair are
deleted during import.
If an external group is specified without an authentication domain, then the import fails.
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
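Two of the import rules above are easy to get wrong by hand: the file must begin with the unmodified tag line “#wab910 usersgroupmappings”, and an external-group field listing several groups separates them with spaces and wraps any name containing spaces in double quotes, while an empty field deletes all existing mappings of the group/domain pair. The Python below is an added pre-flight check, not WALLIX Bastion code; it encodes only those stated rules (the column layout of the rest of the file is not reproduced), and the sample field values are constructed.

```python
"""Pre-flight checks for a user-group mappings .csv import.

Added example, not WALLIX Bastion code.  Only the rules the guide states
are encoded: the tag line, and the space-separated, double-quoted
external-group list.  Sample values are constructed.
"""
import csv
from typing import List

MAPPINGS_TAG = "#wab910 usersgroupmappings"


def check_tag_line(file_text: str, expected_tag: str = MAPPINGS_TAG) -> bool:
    """True when the very first line is exactly the expected import tag."""
    first = file_text.split("\n", 1)[0].rstrip("\r")
    return first == expected_tag


def split_external_groups(field: str) -> List[str]:
    """Split a space-separated group list, honouring double quotes.

    '"Domain Admins" CN=Users,DC=mycorp,DC=lan'
        -> ['Domain Admins', 'CN=Users,DC=mycorp,DC=lan']

    An empty field means "no external group", which on import deletes all
    existing mappings of the group/domain pair, so callers should treat []
    as a destructive value and confirm it is intended.
    """
    field = field.strip()
    if not field:
        return []
    # csv with a space delimiter: quoted names stay whole, runs of spaces
    # between tokens are skipped, stray empty tokens are dropped.
    row = next(csv.reader([field], delimiter=" ", quotechar='"',
                          skipinitialspace=True))
    return [tok for tok in row if tok]


def destructive_rows(fields: List[str]) -> List[int]:
    """Indexes of external-group fields that would delete mappings (empty)."""
    return [i for i, f in enumerate(fields) if not split_external_groups(f)]
```

Running `check_tag_line` on a file whose first line has been edited, even by one character, returns `False`, which matches the guide's warning that such a file can no longer be imported.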
The “Targets” menu allows you to create and manage devices, applications, domains, accounts and
groups which can be accessed from WALLIX Bastion.
This chapter describes the menu elements, i.e. the following pages:
10.1. Devices
A device is characterized by a physical or virtual equipment for which WALLIX Bastion manages
the access to sessions or passwords.
The “Devices” page on the “Targets” menu allows you to:
• list devices
• add, edit and delete a device
• filter devices using tags. For further information, refer to Section 10.1.3, “Use tags to organize
devices”, page 140.
It is possible to import devices from a .csv file to populate the WALLIX Bastion resource database.
For further information, refer to Section 10.1.5, “Import devices”, page 142.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
• the device name: this is the name users will use to access the device. It can be unrelated to the
machine’s DNS name. An existing name cannot be assigned to another device.
• an alias: it can be used as a second name for the device. The device name has priority over the
alias. An existing alias cannot be assigned to another device.
• the device IP address or FQDN: it corresponds to a network address
Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the other tabs of the device creation page.
To add a service, click on the “+ Add” button and select the desired protocol from the list. A window
opens and allows you to select and enter the following fields:
• the service name: this is the name users will use to access the service. The name can be unrelated
to the protocol name and the port number.
• the default port
• a connection policy defining the authentication mechanism for the service on this device. For
further information, refer to Section 12.4, “Connection policies”, page 261.
You can declare a connection scenario for the connection policies based on the TELNET or
RLOGIN protocols. For further information, refer to Section 12.16, “TELNET/RLOGIN connection
scenario on a target device”, page 275.
You can declare a startup scenario for the connection policies based on the SSH protocol. For
further information, refer to Section 12.19, “SSH startup scenario on a target device”, page 278.
• a global domain: it is required to select a global domain in order to create targets for applications
and clusters
• a list of proxy options for RDP and SSH connections. For further information, refer to
Section 10.1.6, “SSH specific options”, page 143 and Section 10.1.7, “RDP specific
options”, page 144.
Note:
If you want to add more than one specific service, you can repeat this process as many
times as necessary.
Once you have added a service, you have the possibility to add it to a group in order to configure
a target group for session management through account mapping and/or interactive login. The
resource associations can also be managed from the “Groups” page (for further information, refer
to Section 10.5.1, “Add a target group”, page 183).
To add a service to a group, check the box at the beginning of the line of the concerned service
and click on the “Add to group” button. A window opens and allows you to enter and select the
following fields:
• the group name: you can select an existing group or create a new one
• a description
• the target type: either account mapping or interactive login
• the services
Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to associate the service with another group and/or target type. Otherwise, click
on the “Add and close” button to save the data and close the window.
– the account name: this is the name users will use to access the local account
– the account login
– a field to associate resources: a resource association is required to create targets for
applications and clusters
– a description
– the checkout policy
– a toggle button to enable or disable the automatic password change for this account
– a toggle button to enable or disable the automatic SSH key change for this account
• on the “Password” tab:
– a password and its confirmation
– a toggle button to enable or disable the manual change of the password and its propagation
on the target
Note:
You have the possibility to delete a password already set for this account by clicking
on the “Delete password” button.
Note:
You have the possibility to delete an SSH private key already set for this account by
clicking on the “Delete existing SSH private key” button.
Once you have added a local account on the device, you have the possibility to add it to a group
in order to configure:
• a target group for session management from an account (for further information, refer to
Section 10.5.1.2, “Configure a target group for session management from an account in the
vault”, page 184)
• a target group for session management for a scenario account (for further information,
refer to Section 10.5.1.3, “Configure a target group for a scenario account during SSH
session”, page 184)
• a target group for password management from an account (for further information, refer to
Section 10.5.1.6, “Configure a target group for password management from an account in the
vault”, page 186)
Note:
The resource associations can also be managed from the “Groups” page (for further
information, refer to Section 10.5, “Target groups”, page 183).
To add a local account to a group, check the box at the beginning of the line to select the concerned
local account, then click on the “Add to group” button. A window opens and allows you to enter and
select the following fields:
• the group name: you can select an existing group or create a new one
• a description
• the target type: either account for session management or scenario account for session
management or account for password management
• the service (if it is required for the selected target type)
• the local accounts
Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to associate the local account with another group and/or target type and/or
service. Otherwise, click on the “Add and close” button to save the data and close the
window.
Note:
Target accounts and services must exist for the device to be able to manage associations.
By clicking on a group name, you are redirected to the data modification page of this group. You
can then configure, edit or delete the data related to this group. For further information, refer to
Section 10.5, “Target groups”, page 183.
Caution:
A user is allowed to display the certificates on the device if the “View” right for the “Targets
& accounts” feature is set in their profile (refer to Section 9.3, “User profiles”, page 87).
A user is allowed to delete the certificates on the device if the “Modify” right for the “Targets
& accounts” feature is set in their profile (refer to Section 9.3, “User profiles”, page 87).
The “Tags” tab allows you to list, add and delete tags on the device.
These tags allow you to organize your devices in a consistent and relevant way in order to quickly
identify a specific device. For further information, refer to Section 10.1.3, “Use tags to organize
devices”, page 140.
Note:
Each device can have a maximum of 64 tags.
To add a tag, click on the “+ Add” button. A window opens and allows you to select and enter the
following fields:
• “Key”: this is the key of the tag. You can select an existing key or create a new one. The key is
limited to 512 characters.
• “Value”: this is the value of the key. You can select an existing value or create a new one. The
value is limited to 256 characters.
Warning:
It is not possible to add tags with identical keys on the same device.
Keys and values are case sensitive and accept UTF-8 characters. Spaces are forbidden
at the beginning and end of the “Key” and “Value” fields.
Once the fields are selected and entered, click on the “Add and continue” button to save the new
data and to continue the creation of tags. Otherwise, click on the “Add and close” button to save
the data and close the window.
Warning:
A tag cannot be edited. In order to change a key and/or a value, it is necessary to delete
the tag and create a new one.
To delete a tag, check the box at the beginning of the line to select the tag you wish to delete, then
click on the “Delete” button.
Warning:
If you delete a device, the associated tags are also deleted.
These tags will be used to organize the devices listed in this table and will thus allow you to quickly
identify the devices on which actions must be performed.
Note:
Each device can have a maximum of 64 tags.
• “Key”: this is the key of the tag. You can select an existing key or create a new one. The key is
limited to 512 characters.
• “Value”: this is the value of the key. You can select an existing value or create a new one. The
value is limited to 256 characters.
Warning:
It is not possible to add tags with identical keys on the same device.
Keys and values are case sensitive and accept UTF-8 characters. Spaces are forbidden
at the beginning and end of the “Key” and “Value” fields.
A tag cannot be edited. In order to change a key and/or a value, it is necessary to delete
the tag and create a new one.
Once the fields are selected and entered, click on the “Add and continue” button to save the new
data and to continue the creation of tags. Otherwise, click on the “Add and close” button to save
the data and close the window.
Click on the icon in the header of the “Tags” column to display the search field. By clicking in
this field, you access a list of all the tag keys and tag values existing in WALLIX Bastion. Enter,
then select the key or the value of the desired tag and click on the “Search” button. The devices
corresponding to the filter are listed in the table. An active filter is symbolized by an orange icon.
To delete a filter, click on the icon at the top right of the table, or click on the icon and then on
the “Restore” button.
From the “Devices” page on the “Targets” menu, check the box at the beginning of the line to select
the device(s) you wish to delete, then click on the “Delete” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).
Warning:
You cannot delete a device on which target accounts are declared.
Important:
The update of existing data when importing a .csv file overwrites old data.
Warning:
The first line of the .csv file containing the tag must not be modified. If this line is modified,
the file can no longer be imported into WALLIX Bastion.
rdp/RDP/3389/RDP//RDP_CLIPBOARD_UP|RDP_CLIPBOARD_DOWN|RDP_PRINTER|RDP_COM_PORT|
RDP_DRIVE|RDP_SMARTCARD
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
Note:
Some clients also need the option SSH_SHELL_SESSION to list the directories when
they are used in SCP mode.
Some session options must be associated with others to be fully operational:
- SSH_X11 must be associated with SSH_SHELL_SESSION or
SSH_REMOTE_COMMAND (at least one of the two)
- SSH_AUTH_AGENT must be associated with SSH_SHELL_SESSION or
SSH_REMOTE_COMMAND (at least one of the two)
- SSH_REVERSE_TCPIP must be associated with SSH_SHELL_SESSION
- SSH_REVERSE_UNIXSOCK must be associated with SSH_SHELL_SESSION
SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, SSH_SCP_UP/DOWN and
SFTP_SESSION allow the opening of session channels. By default, only one session
channel can be open during an SSH connection (or session). To allow the opening of
several session channels, the option “Allow multi channels” must be selected at the
level of the SSH connection policy (accessible from “Session Management” >
“Connection Policies”; for further information, refer to Section 12.4, “Connection
policies”, page 261).
• RDP_CLIPBOARD_UP: allows data transfer via the clipboard from the client to the RDP session
• RDP_CLIPBOARD_DOWN: allows data transfer via the clipboard from the session to the RDP
client
• RDP_CLIPBOARD_FILE: allows file transfer from the copy/paste function via the clipboard
• RDP_PRINTER: allows use of local printers in the remote session
• RDP_COM_PORT: allows use of local serial and parallel ports in the remote session
• RDP_DRIVE: allows use of local drives in the remote session
• RDP_SMARTCARD: allows use of local smartcards in the remote session
• RDP_AUDIO_OUTPUT: allows audio playback from the session to the RDP client
• RDP_AUDIO_INPUT: allows audio recording from the client to the RDP session
Note:
Some session options must be associated with others to be fully operational:
- RDP_CLIPBOARD_FILE must be associated with RDP_CLIPBOARD_UP to transfer a
file via the clipboard from the client to the RDP session
- RDP_CLIPBOARD_FILE must be associated with RDP_CLIPBOARD_DOWN to
transfer a file via the clipboard from the session to the RDP client
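The dependency rules in the two notes above are easy to get wrong when a service is configured by hand or scripted through the API. The following Python check is an added example, not WALLIX code: it encodes exactly the "must be associated with" rules quoted in the guide and reports every enabled option that cannot be operational because none of the options it depends on is enabled on the same service. The function and constant names are this example's own; the option names are those listed in the guide.

```python
"""Dependency check for WALLIX Bastion session options.

Added example, not WALLIX code. It encodes the "must be associated with" rules
stated in the guide for SSH and RDP session options and reports any enabled
option that cannot be operational because the option it depends on is not
enabled on the same service. Function and constant names are this example's own.
"""

# option -> alternatives; at least one alternative must also be enabled
REQUIRES_ANY = {
    "SSH_X11": ("SSH_SHELL_SESSION", "SSH_REMOTE_COMMAND"),
    "SSH_AUTH_AGENT": ("SSH_SHELL_SESSION", "SSH_REMOTE_COMMAND"),
    "SSH_REVERSE_TCPIP": ("SSH_SHELL_SESSION",),
    "SSH_REVERSE_UNIXSOCK": ("SSH_SHELL_SESSION",),
    # file transfer via the clipboard needs at least one clipboard direction
    "RDP_CLIPBOARD_FILE": ("RDP_CLIPBOARD_UP", "RDP_CLIPBOARD_DOWN"),
}

KNOWN_OPTIONS = frozenset({
    "SSH_SHELL_SESSION", "SSH_REMOTE_COMMAND", "SSH_SCP_UP", "SSH_SCP_DOWN",
    "SFTP_SESSION", "SSH_X11", "SSH_AUTH_AGENT", "SSH_REVERSE_TCPIP",
    "SSH_REVERSE_UNIXSOCK",
    "RDP_CLIPBOARD_UP", "RDP_CLIPBOARD_DOWN", "RDP_CLIPBOARD_FILE",
    "RDP_PRINTER", "RDP_COM_PORT", "RDP_DRIVE", "RDP_SMARTCARD",
    "RDP_AUDIO_OUTPUT", "RDP_AUDIO_INPUT",
})


def check_session_options(options):
    """Return a list of problems for the set of options enabled on a service.

    An empty list means every enabled option has the option it depends on."""
    enabled = set(options)
    problems = [f"{o}: unknown session option"
                for o in sorted(enabled - KNOWN_OPTIONS)]
    for opt, alternatives in REQUIRES_ANY.items():
        if opt in enabled and not enabled.intersection(alternatives):
            problems.append(f"{opt}: not operational without "
                            + " or ".join(alternatives))
    return problems


def clipboard_file_directions(options):
    """Directions in which RDP_CLIPBOARD_FILE can actually move a file, given
    the enabled options: file paste follows the enabled clipboard direction."""
    enabled = set(options)
    if "RDP_CLIPBOARD_FILE" not in enabled:
        return frozenset()
    directions = set()
    if "RDP_CLIPBOARD_UP" in enabled:
        directions.add("client->session")
    if "RDP_CLIPBOARD_DOWN" in enabled:
        directions.add("session->client")
    return frozenset(directions)


if __name__ == "__main__":
    # constructed example: an SSH service meant for file download only,
    # on which X11 forwarding was also ticked
    for problem in check_session_options({"SSH_SCP_DOWN", "SSH_X11"}):
        print(problem)
```

Running the check before saving a service also documents the least-privilege intent: an option that is enabled but cannot work is usually a sign that someone ticked more than the use case needs.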
10.2. Applications
WALLIX Bastion enables you to manage application sessions through a jump server on which
the application itself is installed. The user logs on to WALLIX Bastion and chooses an application
in the selector (refer to the figure 10.2, “Application session flow”, page 145). WALLIX Bastion
then initiates an RDP session and automatically launches the application by providing it with the
necessary account information (user name and password). The application session is then recorded
as an RDP session.
Important:
It is not possible to run an application whose linked target runs Windows 10, as the
Remote Desktop service on that operating system does not support the "alternate shell"
function.
Warning:
In order to allow WALLIX Bastion to manage the connections to an application, the latter
must be able to receive the user name and password to be used for the connection as
command-line arguments.
• list applications
• add/edit/delete an application
• import applications from a .csv file which can be used to populate the WALLIX Bastion resource
database
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
Warning:
Please note that after the 120-day grace period expires, you must install Client Access
Licenses (CAL) in order to continue to use these services.
You must provide the user with the right to launch the application. This can be done by providing
access to unlisted programs or by adding the application to the authorized programs as described
below.
If you use the session probe mode, it is necessary to publish the command prompt (cmd.exe) as
the RemoteApp program. For further information regarding this mode and the configuration, we
strongly advise you to refer to Section 12.22, “Using the session probe mode”, page 283.
We recommend setting the lowest possible value as the maximum period during which a
disconnected user session is kept active on the server running Terminal Server. To do so, you can
proceed as follows:
Alternatively, you can use the corresponding setting with an account policy.
Under Windows Server 2012 or later, an additional setting is required to allow access from
a client that does not use Network Level Authentication (NLA). To do so:
1. Open the "Server Manager" application and select "Remote Desktop Services".
2. Select the needed collection in "Collections". "Quick Session Collection" corresponds to the
default collection.
3. In the "Properties" frame, select "Edit Properties".
4. In the "Security" section, deselect the "Allow connections only from computers running Remote
Desktop with Network Level Authentication (more secure)" check box.
Note that with NLA disabled the jump server authenticates the user only after the RDP session
has been set up. Restrict network access to the jump server's RDP port to WALLIX Bastion so that
this weaker setting cannot be reached by other clients.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
Important:
The RemoteApp sessions of a user connected simultaneously to one or several
applications are split by default when displayed on the "Current Sessions" and
"Session History" pages under the "Audit" menu. If the option "Rdp enable sessions
split" (accessible from "Configuration" > "Configuration Options" > "GUI (Legacy)" >
"main" section) is deselected, an overlay view of these sessions may be obtained instead.
The client Remote Desktop Connection (MSTSC) connected to Windows Server 2008
or 2012 does not allow several RemoteApp programs to share the same RDP session.
There will be as many RDP sessions created as the number of RemoteApp programs
launched.
Display issues related to the Microsoft client have been reported when using RemoteApp
mode with multiple monitors. They occur when the primary monitor is not located
in the upper left part of the virtual screen. The recommended workaround is to place
the primary monitor in the upper left part of the virtual screen. Refer to https://
go.microsoft.com/fwlink/?LinkId=191444 for further information on the virtual
screen.
The session probe mode can be used to run the applications defined within the Bastion.
This operating mode has the benefit of blocking the launch of child processes, which
the native RemoteApp mode does not. However, the restrictions defined when the
RemoteApp program was created in Windows (allowed user groups, allowed command-line
arguments, etc.) do not apply in session probe mode. This mode can be managed from
"Session Management" > "Connection Policies" > "RDP", by selecting or deselecting the
option "Use session probe to launch remote program" under the "rdp" section.
For further information regarding the session probe mode, refer to Section 12.22, “Using
the session probe mode”, page 283.
Business applications usually implement an authentication screen so that a user only accesses
the data they need. The authentication step checks a login and password entered manually by
the user, who therefore knows these credentials.
To avoid disclosing them, we recommend using AutoIt scripts. These scripts are supported by
WALLIX Bastion and can be used, in particular, to fill in credential forms automatically.
With this process, the application's credentials are retrieved through the RDP virtual
channel and the user never sees them.
When technical constraints are strong and the security risk is low, the credentials can also be
passed to the application as command-line arguments. We do not recommend this approach: the
command line of a running process is visible to the application user, for instance from the
Task Manager or the process list.
To allow AutoIt scripts to retrieve credentials through the RDP virtual channel, the channel
must be enabled from "Configuration" > "Configuration Options" > "RDP proxy": enter the name
of the virtual channel in the "Auth channel" field under the "mod_rdp" section. The symbol "*" tells
WALLIX Bastion to use the default name, wablnch. Note that WALLIX Bastion and the AutoIt
script must both use the same virtual channel name to operate properly.
Once the virtual channel is enabled, the AutoIt script must be deployed on the server running
Terminal Server then added to the listed RemoteApp programs:
Note:
The WALLIX Support Team can provide you with a generic AutoIt connection script. Feel
free to contact the Team, should you have any other questions (refer to Chapter 18,
“Contact WALLIX Bastion Support”, page 363).
Next, when configuring the application from the "Applications" page on WALLIX Bastion:
Example:
In the above example, the script WABIELogon_VC_64.exe launches Internet Explorer, retrieves
the credential information from the virtual channel and establishes a connection to the application.
Once the application is configured, it can be linked to a target group from "Targets" > "Groups".
Note:
To automate connections to non Web-based applications, refer to Section 10.2.3,
“Automate connections to an application using AutoIt scripts”, page 148.
Application Driver retrieves the authentication information from the application via an RDP virtual
channel and automatically connects the user.
The authentication forms are thus filled out without user intervention and sensitive data is not
disclosed during the authentication phase.
Application Driver can be used without any specific deployment (refer to Section 10.2.4.1, “Using
WALLIX Application Driver without specific deployment”, page 150) or by manual deployment
(refer to Section 10.2.4.2, “Using WALLIX Application Driver via a manual deployment”, page 151).
Note:
WALLIX Bastion and Application Driver must use the same virtual channel name to
operate properly.
To configure the virtual channel, it is necessary to enter the name of the RDP virtual
channel in the “Auth channel” field located in “Configuration” > “Configuration options” >
“RDP proxy” > [mod_rdp] section.
By default, the symbol “*” is already specified and tells WALLIX Bastion to use the default
virtual channel name: wablnch.
10.2.4.1.1. Prerequisites
The session probe mode must be enabled in order to use Application Driver without specific
deployment.
The prerequisites for the automatic deployment of Application Driver are the same as the
prerequisites for running Session Probe. For further information, refer to Section 12.22, “Using the
session probe mode”, page 283.
Note:
Please note that __APP_DRIVER_IE__ is no longer maintained. We recommend using
the markers for Google Chrome or Microsoft Edge based on Chromium.
The UI Automation script cannot currently be run on Windows Server 2022 when the
RemoteApp mode is enabled. We recommend:
The setup must be performed from the “Applications” page in the “Targets” menu:
Example for the launch of the Web application using Internet Explorer:
Application Driver can be deployed manually through an executable file and configuration
scripts provided to the administrators of the jump servers upon request to the Support Team.
Please contact the Team for further information (see Chapter 18, “Contact WALLIX Bastion
Support”, page 363).
However, we recommend using WALLIX Application Driver together with the session probe
mode rather than deploying it manually. For further information, refer to Section 10.2.4.1,
“Using WALLIX Application Driver without specific deployment”, page 150.
Note:
The script WABChromeLogonUIA.lua will be used to select the launch of the Web
application using Google Chrome and the script WABIELogon.lua will be used to
select the launch of the Web application using Internet Explorer.
The setup must be performed from the “Applications” page in the “Targets” menu:
1. In the “Parameters” field, specify either the path to the script WABChromeLogonUIA.lua or
the path to the script WABIELogon.lua according to the selected browser for the launch of
the Web application as well as the necessary parameters. For further information on the latter,
see Section 10.2.4.3, “Parameters of WALLIX Application Driver for the launch of the Web
application”, page 154.
2. In the “Application path”, enter the path to the AppDriver.exe file.
Important:
AppDriver.exe /? must be entered in the “Application path” field to access the
command line help and version number of Application Driver.
Example for the launch of the Web application using Google Chrome:
10.2.4.3. Parameters of WALLIX Application Driver for the launch of the Web application
Mandatory parameters
Parameter                            Description
/lua_file:<Lua script file name>     Applies only when using WALLIX Application Driver via a
                                     manual deployment. Sets the path of the Lua script used
                                     to open the Web session.
/e:URL=<URL>                         Defines the website URL.
Important:
In order to access the command line help and the version number of the Lua script used
by Application Driver, it is necessary to specify the /e:ShowUsage=Yes parameter in
the “Parameters” field, such as:
/lua_file:<Lua script file name> /e:ShowUsage=Yes
By default, “Application Driver” launches the Web browser with a blank user profile. As a result,
browser extensions installed in Windows will not be loaded. This can be an issue for some
applications.
However, it is possible to authorize the use of Google Chrome extensions by using the following
parameters simultaneously:
Important:
A user can install software components (plugins/extensions) in the user profile of the
Web browser. If this existing profile is used as a template when copying, these software
components will be loaded into the browser of the application session. The browser
behavior may be affected by security vulnerabilities introduced by this method. The
WALLIX Bastion administrator must be aware of these risks.
It is recommended not to give access to the associated Windows account other than
through the website application. It is also recommended to use a password change policy
for the associated Windows account.
To enable users to connect to the application, you must now link the accounts with it as described in
Section 10.4, “Target accounts”, page 171. User access rights, like those of devices, are managed
using authorizations (permissions). The RDP protocol must therefore be used.
Warning:
You cannot delete an application on which target accounts are declared.
Click on "Manage association" to manage the resource associations: you access a page with the
list of the available resource(s) and selected one(s) for the application. Move a resource from the
"Available accounts" frame to the "Selected accounts" one in order to perform the association. And
conversely, move a resource from the "Selected accounts" frame to the "Available accounts" one
in order to remove the association.
#wab910 application
Important:
The update of existing data when importing a .csv file overwrites old data.
Warning:
The first line of the .csv file containing the tag must not be modified. If this line is modified,
the file can no longer be imported into WALLIX Bastion.
Field                 Type   Mandatory   Description                                                    Default
(continued)                              For an application on a cluster: target1='path1'
                                         target2='path2', for each target of the cluster, with
                                         target1 in the format account@domain@my_device:rdp
Startup directories   Text   O           For an application on a cluster: target1='wdir1'              N/A
                                         target2='wdir2'
Connection policy     Text   O           Name of the connection policy on the RDP protocol             RDP
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
10.3. Domains
A global domain is a management entity grouping multiple target accounts which can be used to
authenticate across multiple devices. This entity offers the significant advantage of expanding and
synchronizing the password change at once for all the accounts on the devices associated with
the domain.
A global domain can also be associated with a password external vault. In this case, this domain
groups accounts which are managed externally through the association of an external vault plugin.
As a result, a password change mechanism cannot be applied to the related accounts within
WALLIX Bastion. For further information, refer to Section 5.3, “Password external vault”, page 23.
A local domain is a management entity grouping multiple target accounts which can be used to
authenticate on a single device only. This entity offers the significant advantage of expanding and
synchronizing the password change at once for all the accounts associated with the domain.
Local domains are created through the association with a device or a target account. For
further information, refer to Section 10.1, “Devices”, page 135 and Section 10.4, “Target
accounts”, page 171.
The "Domains" page allows you to:
• list global or local domains according to a dedicated filter on the domain type
• identify domains which are associated with a Certificate Authority
• identify domains for which the password change is enabled
• identify domains which are associated with an external password vault
• add/edit/delete a global domain
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
From the "Domains" page, make sure that "Global" is selected in the "Display domain type" field on
the top of the page. Click on "Add a global domain" to display the global domain creation page.
• the domain name: a WALLIX Bastion internal representation of the domain used to display
accounts and targets on the Web user interface or during RDP/SSH sessions
• the domain real name: the name of the external domain if the created domain is a mapping of
an external domain (LDAP, AD, NIS). The domain real name is ignored when password change
is performed on Unix-derived targets.
• a description
• the vault type: choose whether the domain is associated with an external password vault or a
local one
Warning:
This field is only displayed when the “External Vaults” feature is associated with the
license key.
• if the chosen vault type is "Local" or the “External Vaults” feature is not associated with the
license key, options to define an SSH Certificate Authority to be associated with the domain for
the connection. The Certificate Authority (or "CA") is represented by a private/public SSH key
pair. It is possible to:
– generate a key: in this case, select the appropriate key type and length from the list (RSA 2048
by default) or
– browse a path to upload the file containing an existing key (in the OpenSSH or PuTTY key
formats) and specify the corresponding passphrase (if any defined)
For further information, refer to Section 10.3.2, “Associate the domain with an SSH Certificate
Authority”, page 163.
• if the chosen vault type is "Local" or the “External Vaults” feature is not associated with the license
key, an option to enable the password change for the accounts on this domain and, if enabled:
– the password change policy to be selected for this domain. For further information, refer to
Section 11.3, “Password change policies”, page 239.
– the password change plugin to be selected for this domain and the related parameters to be
specified. For further information, refer to Section 11.2, “Password change plugins”, page 223.
Note:
The CA public key is transferred to the target device (for a local domain) or the target
server (for a global domain) when a password change plugin is set on the concerned
domain and the WALLIX Password Manager feature is associated with the license key.
• if the chosen vault type is "External", select the vault plugin for this domain and specify the related
parameters. For further information, refer to Section 5.3, “Password external vault”, page 23 and
Section 10.7, “External password vault plugins”, page 198.
Warning:
This field is only displayed when the “External Vaults” feature is associated with the
license key.
• the Kerberos parameters: the Kerberos parameters are only supported by the WindowsService
plugin. When the chosen password change plugin is “WindowsService” and the transport protocol
defined for this plugin is “Kerberos”, then specify the following fields on the global domain page of
the administrator account selected during the definition of the reference (for further information,
refer to Section 11.2.13, “WindowsService plugin”, page 234 and Section 10.4.1.4, “Define
references for service account management”, page 174):
– “Kerberos realm”: specify the Kerberos realm
– “Kerberos KDC”: specify the domain name or the IP address of the KDC server
– “Kerberos port”: specify the port number of the KDC server. The default port is 88.
allow SSH authentication using this account, the public key must be present on the target server
(usually in the file authorized_keys located in the home directory of the target account).
When a CA is associated with a domain, the public SSH keys of all the target accounts on this
domain are automatically signed by the CA. The summary page of an account on such a domain
therefore allows the corresponding signed certificate to be downloaded instead of an SSH public
key. Furthermore, when a user checks out the credentials of a target account on a domain
associated with a CA, the option to download the certificate is added. The private key alone is
not sufficient for authentication: the target's SSH server must trust the CA and be presented
with the certificate.
Warning:
The administrator account is required on the local domain when using the Fortinet FortiGate
or IBM 3270 password change plugin. This account must first be added to the domain
from the "Domain accounts" area on the domain summary page, once the domain has
been created. For further information, refer to Section 10.3.4, “Add
an account to the global or a local domain”, page 165. Once the "Enable password
change" option has been selected on the domain modification page, select this account
from the list in the "Administrator account" field before selecting the plugin in the "Password
change plugin" field.
When the global domain is associated with an external vault, the related information is displayed on
the domain summary page, from the "External vault plugin" and the "Vault plugin parameters" fields.
If an SSH Certificate Authority has been set for this domain (domain type is "Global" or "Local for
a device"), a line with the CA private key type and length is displayed on the domain modification
page. It is then possible to:
Note:
If the CA private key defined for the domain is changed, then the SSH keys for all the
accounts on this domain are re-signed with the new Certificate Authority.
The CA public key is transferred to the target device (for a local domain) or the target
server (for a global domain) when a password change plugin is set on the concerned
domain and the WALLIX Password Manager feature is associated with the license key.
For further information, refer to Section 10.3.2, “Associate the domain with an SSH
Certificate Authority”, page 163.
Note:
The "Change passwords" button on the right part of the page is displayed when an
administrator account is defined for the domain.
The passwords are changed in accordance with the password change policy selected
for the global domain. For further information, refer to Section 11.3, “Password change
policies”, page 239.
Note:
The "Change passwords" button on the right part of the page is displayed when an
administrator account is defined for the domain.
The passwords are changed in accordance with the password change policy selected
for the local domain. For further information, refer to Section 11.3, “Password change
policies”, page 239.
• either revoke the certificates for all the accounts on the domain by clicking on "Revoke all" on
the header column
• or revoke the certificate of a given account by clicking on the "Revoke" button at the end of the
concerned line
A revocation list is automatically generated and transferred to the target server so that the
revoked certificate(s) can no longer be used for connection.
Note:
After deleting a global domain, all related global accounts are removed, including
discovered global accounts from the “Onboarding” page on the “Discovered items” and
“Hidden items” views. For further information on global account onboarding, refer to
Section 10.9.3.2.2, “Onboard discovered global accounts”, page 219.
The file must begin with a line containing the following tag:
#wab910 globaldomain
Important:
The update of existing data when importing a .csv file overwrites old data.
Warning:
The first line of the .csv file containing the tag must not be modified. If this line is modified,
the file can no longer be imported into WALLIX Bastion.
Plugin parameters are entered one per line, in the format key1=value1, key2=value2.
Windows: domain_controller_address (required)
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
The file must begin with a line containing the following tag:
#wab910 localdomain
Important:
The update of existing data when importing a .csv file overwrites old data.
Warning:
The first line of the .csv file containing the tag must not be modified. If this line is modified,
the file can no longer be imported into WALLIX Bastion.
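The application, global domain and local domain imports above share the same rules: the file starts with a tag line (#wab910 application, #wab910 globaldomain or #wab910 localdomain) that must not be modified, an import overwrites existing objects, and plugin parameters are written as key=value pairs, one per line. The Python pre-flight check below is an added example, not WALLIX code, meant to be run on a file before uploading it. It relies only on those stated facts; the column layout of its constructed sample rows is illustrative, the checks do not depend on any column name, and the function names are this example's own.

```python
"""Pre-flight checks for a WALLIX Bastion .csv import file.

Added example, not WALLIX code. It relies only on the format facts stated in
the guide: the first line is a tag such as "#wab910 globaldomain" and must not
be modified, and plugin parameters are written as key=value pairs, one per
line. The column layout of SAMPLE below is constructed for illustration; the
checks do not depend on any column name.
"""
import csv
import io

IMPORT_KINDS = ("application", "globaldomain", "localdomain")


def check_tag_line(text, expected_kind):
    """Return the object kind named on the first line, or raise ValueError if
    the tag line is missing, modified, or belongs to another import kind."""
    first = text.split("\n", 1)[0].rstrip("\r")
    parts = first.split()
    if len(parts) != 2 or parts[0] != "#wab910" or parts[1] not in IMPORT_KINDS:
        raise ValueError(f"first line is not a valid import tag: {first!r}")
    if parts[1] != expected_kind:
        raise ValueError(f"file is a {parts[1]} import, expected {expected_kind}")
    return parts[1]


def ragged_records(text):
    """1-based numbers of the csv records (after the tag line) whose field
    count differs from the first record; such rows are typically rejected."""
    body = text.split("\n", 1)[1] if "\n" in text else ""
    rows = list(csv.reader(io.StringIO(body)))
    width = next((len(r) for r in rows if r), 0)
    return [i for i, r in enumerate(rows, 1) if r and len(r) != width]


def parse_plugin_parameters(cell, required=()):
    """Parse a 'key1=value1<newline>key2=value2' cell. Returns (params, missing),
    where missing lists the required keys that are absent or empty."""
    params = {}
    for line in cell.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {line!r}")
        params[key.strip()] = value.strip()
    missing = [k for k in required if not params.get(k)]
    return params, missing


def import_problems(text, expected_kind):
    """Every problem found; an empty list means the file can be uploaded.
    Remember that the import overwrites existing objects of the same name."""
    problems = []
    try:
        check_tag_line(text, expected_kind)
    except ValueError as err:
        problems.append(str(err))
    for n in ragged_records(text):
        problems.append(f"record {n}: field count differs from the first record")
    return problems


# constructed sample: column names are illustrative, not the Bastion layout
SAMPLE = (
    "#wab910 globaldomain\n"
    'corp,corp.example.com,"Windows domain",Local\n'
    'ops,ops.example.com,"Ops domain"\n'
)

if __name__ == "__main__":
    for problem in import_problems(SAMPLE, "globaldomain"):
        print(problem)
    print(parse_plugin_parameters(
        "domain_controller_address=dc1.corp.example.com",
        required=("domain_controller_address",)))
```

Because an import silently overwrites existing data, checking the tag kind against the page you are importing from is the most useful guard: uploading a globaldomain file where a localdomain file was expected is caught before any object is touched.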
Plugin parameters are entered one per line, in the format key1=value1, key2=value2.
Windows: no specific parameter to set
For devices:
For applications:
• Global account: the account is defined on a global domain and is used to access services
on devices in this domain and to manage service accounts (for further information on the
management of service accounts, refer to Section 10.4.1.4, “Define references for service
account management”, page 174)
• Device account: the account is defined on a device and is only used for accessing a service on
this device
• Application account: the account is defined for an application only (an account to access the jump
server–the target device on which the application is running–might be necessary)
• list the target accounts and the domains, devices and applications declared on them
• add, edit and delete an account
It is possible to import target accounts from a .csv file to populate the WALLIX Bastion resource
database. For further information, refer to Section 10.4.8, “Import target accounts”, page 180.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
• the name of the global domain to which you want to add an account. It will not be possible to edit
the name of the global domain once you have clicked on “Apply”.
• the account name: this is the internal representation of the account in WALLIX Bastion. This
information is displayed on the session selector and on the account's credential checkout page
on the Web interface. This name must be unique within the WALLIX Bastion domain.
Important:
When the account is created on a global domain associated with an external
password vault linked to the Bastion plugin (refer to Section 10.7.1, “Bastion
plugin”, page 199 for further information), its name must be formed as
follows: “account_name\\global_domain” or “account_name\\local_domain\\device” or
“account_name\\local_domain\\application”. Note that “\\” must be used as a separator.
“account_name” corresponds to the name of an account on the remote WALLIX
Bastion.
“global_domain” and “local_domain” correspond respectively to a global and a local
domain on the remote WALLIX Bastion.
“device” and “application” correspond respectively to a device and an application on
the local domain on the remote WALLIX Bastion.
• the account login: this is the user name of the remote account. This information is not displayed
on the session selector or on the account's credential checkout page on the Web interface.
• a field to associate resources: a resource association is required to create targets for applications
and clusters. To associate resources, select a device and a service in the drop-down lists and
click on “+”. Once created, it is possible to delete this association by clicking on the “-” red icon.
You can associate as many resources as necessary.
• a description
• the checkout policy to associate with the account. For further information, refer to Section 10.8,
“Checkout policies”, page 205.
• a toggle button to enable or disable the automatic password change for this account. See
Section 4.6, “Data encryption”, page 19 for the data encryption information related to password
storage.
• a toggle button to enable or disable the automatic SSH key change for this account
• the certificate validity period if the account is defined on a domain associated with a Certificate
Authority. The appropriate format is as follows:
[number of weeks]wk[number of days]d[number of hours]h[number of minutes]min[number of seconds]s
If no value is entered in this field, then the certificate is valid for an unlimited period.
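The validity period format above is compact but easy to mistype, and an empty field yields a certificate that never expires, which only the revocation mechanism can then cancel. The following Python helper is an added example, not WALLIX code: it parses a validity string in the guide's format into a timedelta, renders one back, and applies a policy check. The policy maximum (one day) and the function names are this example's assumptions, not Bastion defaults.

```python
"""Parser and policy check for the certificate validity period format used
by WALLIX Bastion target accounts: [w]wk[d]d[h]h[m]min[s]s, each part optional.

Added example, not WALLIX code. The one-day maximum in validity_findings is
an assumption for illustration, not a Bastion default.
"""
import re
from datetime import timedelta

_VALIDITY = re.compile(
    r"^(?:(\d+)wk)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)min)?(?:(\d+)s)?$")


def parse_validity(text):
    """Return a timedelta for a validity string in the guide's format, or None
    for an empty field (the certificate is then valid for an unlimited period).
    Raise ValueError for any other input, e.g. a bare number or 'm' for minutes."""
    text = (text or "").strip()
    if not text:
        return None
    match = _VALIDITY.match(text)
    if not match:
        raise ValueError(f"invalid validity period: {text!r}")
    weeks, days, hours, minutes, seconds = (
        int(x) if x else 0 for x in match.groups())
    return timedelta(weeks=weeks, days=days, hours=hours,
                     minutes=minutes, seconds=seconds)


def format_validity(delta):
    """Inverse of parse_validity: render a timedelta in the guide's format."""
    total = int(delta.total_seconds())
    parts = []
    for unit, size in (("wk", 604800), ("d", 86400), ("h", 3600),
                       ("min", 60), ("s", 1)):
        count, total = divmod(total, size)
        if count:
            parts.append(f"{count}{unit}")
    return "".join(parts) or "0s"


def validity_findings(text, max_allowed=timedelta(days=1)):
    """Policy check: return a finding for an unlimited or over-long validity,
    or None when the value is acceptable. max_allowed is this example's
    assumption; pick the value your own policy requires."""
    delta = parse_validity(text)
    if delta is None:
        return "unlimited: certificate never expires; only revocation can cancel it"
    if delta > max_allowed:
        return (f"{format_validity(delta)} exceeds the allowed maximum "
                f"{format_validity(max_allowed)}")
    return None


if __name__ == "__main__":
    # constructed inputs: a short-lived certificate and an empty field
    for value in ("8h", ""):
        print(repr(value), "->", validity_findings(value))
```

Short validities keep the window of use of a leaked signed certificate small; the revocation list described for CA-backed domains is the fallback, not the primary control.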
Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the other tabs of the global domain account creation page.
• or by uploading a key:
1. Select “Private key uploading” from the drop-down list.
2. Drag-and-drop a file or browse a path to upload the file containing an existing private key (in
the OpenSSH or PuTTY key format) in the “Upload SSH private key” section.
3. Specify the corresponding passphrase (if any defined) in the “Passphrase” field.
4. Enable the “Propagate credential change” button to change the SSH private key of the
account and instantly propagate it on the target.
Once you have defined the SSH private key for the account, click on “Apply”.
You have now the possibility to download the corresponding SSH public key in the OpenSSH or
ssh.com format from the “Download SSH public key” button.
Note that you can delete the SSH private key defined for this account by clicking on the “Delete
existing SSH private key” button.
Once you have defined the reference, click on “Apply and close”.
Note that by clicking on the link in the “Device status” column, information on the password change
status of the service accounts can be viewed.
To delete a reference, check the box at the beginning of the corresponding line, then click on the
“Delete” button.
Warning:
If you delete a global account, the associated references are also deleted.
Note:
This association type can also be managed from the “Groups” page (for further
information, refer to Section 10.5, “Target groups”, page 183).
To add a global domain account to a group, check the box at the beginning of the line to select the
related global account, then click on the “Add to group” button. A window opens and allows you to
enter and select the following fields:
Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to manage new resource associations. Otherwise, click on the “Add and close”
button to save the data and close the window.
• the name of the device to which you want to add an account. It will not be possible to edit the
name of the device once you have clicked on “Apply”.
• the local domain name: you can select an existing local domain or create a new one. It will not
be possible to edit the name of the local domain once you have clicked on “Apply”.
• the account name: this is the internal representation of the account in WALLIX Bastion. This
information is displayed on the session selector and on the account's credential checkout page
on the Web interface. This name must be unique within the WALLIX Bastion domain.
• the account login: this is the user name of the remote account. This information is not displayed
on the session selector or on the account's credential checkout page on the Web interface.
• a field to associate resources: a resource association is required to create targets for applications
and clusters. To associate resources, select a service in the drop-down list and click on “+”. Once
created, it is possible to delete this association by clicking on the “-” red icon. You can associate
as many resources as necessary.
• a description
• the checkout policy to associate with the account. For further information, refer to Section 10.8,
“Checkout policies”, page 205.
• a toggle button to enable or disable the automatic password change for this account. See
Section 4.6, “Data encryption”, page 19 for the data encryption information related to password
storage.
• a toggle button to enable or disable the automatic SSH key change for this account
Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the other tabs of the device account creation page.
• or by uploading a key:
1. Select “Private key uploading” from the drop-down list.
2. Drag-and-drop a file or browse a path to upload the file containing an existing private key (in
the OpenSSH or PuTTY key format) in the “Upload SSH private key” section.
3. Specify the corresponding passphrase (if any defined) in the “Passphrase” field.
4. Enable the “Propagate credential change” button to change the SSH private key of the
account and instantly propagate it on the target.
Once you have defined the SSH private key for the account, click on “Apply”.
You can now download the corresponding SSH public key in the OpenSSH or ssh.com format using
the “Download SSH public key” button.
Note that you can delete the SSH private key defined for this account by clicking on the “Delete
existing SSH private key” button.
Note:
This association type can also be managed from the “Groups” page (for further
information, refer to Section 10.5, “Target groups”, page 183).
To add a device account to a group, check the box at the beginning of the line to select the related
device account, then click on the “Add to group” button. A window opens and allows you to enter
and select the following fields:
Warning:
The account is displayed in the list as many times as there are services defined on
the device to which it belongs. Make sure to select only the relevant account(s) for the
association to the group.
Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to associate the local account with another group and/or target type. Otherwise,
click on the “Add and close” button to save the data and close the window.
• the name of the application to which you want to add an account. It will not be possible to edit
the name of the application once you have clicked on “Apply”.
• the local domain name: you can select an existing local domain or create a new one. It will not
be possible to edit the name of the local domain once you have clicked on “Apply”.
• the account name: this is the internal representation of the account in WALLIX Bastion. This
information is displayed on the session selector and on the account's credential checkout page
on the Web interface. This name must be unique within the WALLIX Bastion domain.
• the account login: this is the user name of the remote account. This information is not displayed
on the session selector or on the account's credential checkout page on the Web interface.
• a description
• the checkout policy to associate with the account. For further information, refer to Section 10.8,
“Checkout policies”, page 205.
• a toggle button to enable or disable the automatic password change for this account. See
Section 4.6, “Data encryption”, page 19 for the data encryption information related to password
storage.
Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the “Password” tab of the application account creation page.
You also have the possibility to manually change and instantly propagate the password of the
account on the target by using the toggle button “Propagate credential change”.
Once you have defined the password for the account, click on “Apply”.
Note that you can delete a password already set for this account by clicking on the “Delete
password” button.
Note:
This association type can also be managed from the “Groups” page (for further
information, refer to Section 10.5, “Target groups”, page 183).
To add an application account to a group, check the box at the beginning of the line to select the
related application account, then click on the “Add to group” button. A window opens and allows
you to enter and select the following fields:
Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to associate the local account with another group and/or target type. Otherwise,
click on the “Add and close” button to save the data and close the window.
For further information on how to enter data in the tabs, refer to Section 10.4.3, “Add a target account
to an application”, page 177 to edit a global domain account or refer to Section 10.4.2, “Add a
target account to a device”, page 175 to edit a device account or refer to Section 10.4.3, “Add a
target account to an application”, page 177 to edit an application account.
Warning:
You cannot edit the login, password, SSH private key and checkout policy of a target
account on the Web interface or via the REST API when the related credentials are being
checked out. The credentials must first be checked in using the “Force check-in option”
to be able to edit the corresponding fields. For further information, refer to Section 12.3.6,
“Account history”, page 256.
When the global domain account is defined on a domain associated with a Certificate
Authority, it is possible to edit the certificate validity period or to enter it if it has not been
defined previously. The appropriate format is as follows:
However, if this value is edited or defined at this point, the former validity period still
applies and the new validity period for the certificate will apply at next SSH key change.
To do this:
The credentials are now changed on WALLIX Bastion and on the related target(s).
Note:
The automatic credential change is only possible for accounts belonging to a domain on
which the password change is enabled.
Once this change has been launched, the credentials are instantly changed on WALLIX
Bastion and propagated on the related target(s).
• in accordance with the password change policy selected for the domain. For further
information, refer to Section 11.3, “Password change policies”, page 239.
• when the checkout policy allows the password change at check-in. For further
information, refer to Section 10.8, “Checkout policies”, page 205.
From the “Accounts” page on the “Targets” menu, you have the possibility to manually change an
account password and/or SSH private key and to instantly propagate the change on the target.
To do this, select the desired account type from the drop-down list and click on the account name
in order to open the related modification page. You can then:
• on the “Password” tab: enter and confirm the new password of the account and enable the toggle
button “Propagate credential change”
• on the “Private key uploading” page of the “SSH private key” tab: upload the new key and enable
the toggle button “Propagate credential change”
Once you have entered the fields and enabled the propagation toggle button, click on “Apply” to
propagate the new password and/or SSH private key on the target.
Note:
The manual credential change is only possible for accounts belonging to a domain on
which the password change is enabled.
Once this change has been launched, the credentials are instantly changed on WALLIX
Bastion and propagated on the related target(s).
The credentials are changed:
• in accordance with the password change policy selected for the domain. For further
information, refer to Section 11.3, “Password change policies”, page 239.
• when the checkout policy allows the password change at check-in. For further
information, refer to Section 10.8, “Checkout policies”, page 205.
#wab910 account
Important:
The update of existing data when importing a .csv file overwrites old data.
Warning:
The first line of the .csv file containing the tag must not be modified. If this line is modified,
the file can no longer be imported into WALLIX Bastion.
Authentication can be performed either by password or by a private key or both or none of them.
For an account on an application:
#wab910 account
my_device_user;device_user_login;description;False;P4sSw0rD;;False;default;local_domain_1;my_device;;
my_domain_user;domain_user_login;description;True;P4sSw0rD;;False;default;my_global_domain;;;device_on_domain:rdp
my_app_user;app_user_login;description;False;P4sSw0rD;;True;default;local_domain_1;;my_application;
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
It is possible to import target groups from a .csv file to populate the WALLIX Bastion resource
database. For further information, refer to Section 10.5.4, “Import target groups”, page 194.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
This page consists of the following tabs: “General”, “Session management targets”, “Password
management targets” and “Restrictions”.
Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the other tabs of the group creation page.
1. From the “Session management targets” tab, select “Account” from the drop-down list then click
on the “+ Add” button to display the resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
local accounts”, “A device and global accounts”, “An application and related local accounts” or
“An application and global accounts”.
3. Depending on the chosen value, select the device or the application concerned by the
association in the next field.
4. In the “Service” field, select the service (if necessary) which will be used to access the target
account(s).
5. Once all the fields are entered, the list of available accounts is displayed. Check the box at the
beginning of the line of the desired target account(s) in order to perform the association.
6. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.
Note:
At least one local and/or global account must exist for the device and the application to
be able to manage this association.
At least one service must exist on the device to be able to manage this association.
You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).
10.5.1.3. Configure a target group for a scenario account during SSH session
This procedure consists in defining, within a group, the target accounts which can be used by a
startup scenario once the SSH session has been initiated. These accounts are called “scenario
accounts”. For further information, refer to Section 12.19, “SSH startup scenario on a target
device”, page 278.
1. From the “Session management targets” tab, select “Scenario account” from the drop-down list
then click on the “+ Add” button to display the resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
local accounts” or “A global domain and related accounts”.
3. Depending on the chosen value, select the device or the global domain concerned by the
association in the next field.
4. Once the fields are entered, the list of available accounts is displayed. Check the box at the
beginning of the line of the desired target account(s) in order to perform the association.
5. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.
Note:
At least one local account must exist on the device and/or one global account must exist
on the global domain to be able to manage associations.
You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).
Warning:
The authentication method PASSWORD_MAPPING must be selected in the connection
policy associated with the target to be able to connect to this target using the
account mapping mechanism (for further information, refer to Section 12.4, “Connection
policies”, page 261).
1. From the “Session management targets” tab, select “Account mapping” from the drop-down list
then click on the “+ Add” button to display the resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
services” or “Applications”.
3. If you wish to access a device, select the one concerned by the association in the next field.
4. Once the fields are entered, the list of available services and applications is displayed. Check
the box at the beginning of the line of the desired service(s) or application(s) in order to perform
the association.
5. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.
You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).
Note:
The authentication method PASSWORD_INTERACTIVE must be selected at the level of
the connection policy associated with the target to be able to connect to this target using
the interactive login mechanism (for further information, refer to Section 12.4, “Connection
policies”, page 261).
1. From the “Session management targets” tab, select “Interactive login” from the drop-down list
then click on the “+ Add” button to display the resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
services” or “Applications”.
3. If you wish to access a device, select the one concerned by the association in the next field.
4. Once the fields are entered, the list of available services and applications is displayed. Check
the box at the beginning of the line of the desired service(s) or application(s) in order to perform
the association.
5. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.
You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).
1. From the “Password management targets” tab, click on the “+ Add” button to display the
resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
local accounts”, “A global domain and related accounts” or “An application and related local
accounts”.
3. Depending on the chosen value, select the device, the global domain or the application
concerned by the association in the next field.
4. Once the fields are entered, the list of available account(s) is displayed. Check the box at the
beginning of the line of the desired target account(s) in order to perform the association.
5. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.
You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).
When creating or editing user groups or target groups, you can define “restrictions”: a set of
actions to apply when certain character sequences are detected in the upstream flow from the SSH
proxy, with pattern detection enabled or disabled per rule. The data analyzed is the data entered by the user.
Note:
A set of allowed commands can be defined as regular expressions for remote command
execution for subprotocol SSH_REMOTE_COMMAND. For further information,
refer to Section 10.5.1.7.1.5, “Patterns of allowed commands for subprotocol
SSH_REMOTE_COMMAND”, page 190.
To add a restriction, click on the “Restrictions” tab then on the “+ Add” button to display the dedicated
creation window. The relevant actions must be selected in the “Action” field and the corresponding
rules must be defined in the “Rules” field.
In the event of detection, the corresponding action will apply: session disconnection for the “Kill”
action or sending of a notification for the “Notify” action.
Warning:
Character sequence detection is only enabled for data sent by the client to the server.
The list of patterns applied is the sum of those present in the user groups and the target groups.
The linked action is the most restrictive: if the “Kill” action is in one of the groups, then this action
will be selected.
The rules must be entered as regular expressions, with one expression per line.
E.g.: to prevent files from being deleted, the expressions to enter in the “Rules” field are as follows:
unlink\s+.*
rm\s+.*
By default, the “Kill” action will disconnect the session at first detection.
It is however possible to define a number of detections that are blocked and generate a warning
before the session is disconnected.
This can be done through the definition of a global option for SSH proxy: from the “Configuration
Options” page on the “Configuration” menu, select “SSH proxy” in the list to access the SSH proxy
configuration page, then enter a positive integer in the “Warning count” field. This value is “0” by
default.
For example, if you enter “5” in this field, the user will be warned five times upon detection (while
preventing execution of the command) before disconnecting the session at the sixth detection.
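As an added example (not WALLIX code), the following Python model shows how the rules above combine across a user group and a target group, how the “Kill” and “Notify” actions differ, and what the “Warning count” option changes; the rule other than the guide's `unlink\s+.*` and `rm\s+.*` is constructed, and unanchored regular-expression search is an assumption.

```python
import re

# Added example, not WALLIX code: models the SSH restriction behaviour described in
# the guide. Matching with an unanchored re.search() is an assumption.

# Constructed sample restrictions as entered per group: (action, rules), with one
# regular expression per line of the "Rules" field.
USER_GROUP_RESTRICTIONS = [
    ("Notify", [r"sudo\s+.*"]),                # constructed rule
]
TARGET_GROUP_RESTRICTIONS = [
    ("Kill", [r"unlink\s+.*", r"rm\s+.*"]),    # the guide's example rules
]


class SshRestrictionMonitor:
    """Applies the merged restrictions to the client-to-server flow of one session."""

    def __init__(self, user_group, target_group, warning_count=0):
        restrictions = user_group + target_group
        # The list of patterns applied is the sum of those of both groups.
        self.patterns = [re.compile(r) for _, rules in restrictions for r in rules]
        # The linked action is the most restrictive one: Kill wins over Notify.
        self.action = "Kill" if any(a == "Kill" for a, _ in restrictions) else "Notify"
        # Global SSH proxy option "Warning count" (0 by default: kill at first detection).
        self.warning_count = warning_count
        self.detections = 0
        self.connected = True

    def submit(self, line):
        """Return what happens to one line typed by the user:
        'allowed', 'notified', 'warned' (command blocked, session kept) or 'killed'."""
        if not self.connected:
            raise RuntimeError("session already disconnected")
        if not any(p.search(line) for p in self.patterns):
            return "allowed"
        self.detections += 1
        if self.action == "Notify":
            return "notified"
        if self.detections <= self.warning_count:
            return "warned"
        self.connected = False
        return "killed"


def run_session(lines, warning_count=0):
    """Feed constructed input lines to a monitor and return the outcome of each one."""
    monitor = SshRestrictionMonitor(USER_GROUP_RESTRICTIONS,
                                    TARGET_GROUP_RESTRICTIONS, warning_count)
    outcomes = []
    for line in lines:
        outcomes.append(monitor.submit(line))
        if not monitor.connected:
            break
    return outcomes
```

With unanchored matching, `rm\s+.*` also fires on an input such as `alarm  on`; anchor the expression (for instance `^\s*rm\s+`) when that is not intended.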
Warning:
By default, the keyboard inputs not displayed on the terminal (e.g. passwords) are
not logged within WALLIX Bastion, unless the option “Log all kbd” is enabled on the
configuration page for the related connection policy. However, a malicious user can force
the display permanently during the session using the following command:
stty -echo
In such a case, the session can then be disconnected by defining the following “Kill” rule
in the “Restrictions” tab of the “Groups” page:
$filesize:>X
A trailing letter (such as “m”, “k”, “g”) can be specified to provide a scaling factor as described in
the table below:
$downsize:>X
A trailing letter (such as “m”, “k”, “g”) can be specified to provide a scaling factor as described in
the table below:
CISCO routers under IOS are quite restrictive for command input but support auto completion and
partial input when command prefixes are unambiguous.
It is therefore necessary to use a specific extension of the rules syntax to forbid or allow some
commands in the most exhaustive way on such a system.
Warning:
A target having this type of detection rules will be considered as a CISCO IOS device.
It must therefore not be used for another kind of device, such as Linux/Unix, at the risk
of malfunction.
This syntax extension can be used with subprotocols SSH_SHELL_SESSION, RLOGIN or TELNET
(according to the kind of connection), for any kind of action.
• White list of commands: only the listed commands are allowed. The syntax to use in the “Rules”
field is as follows: $acmd:[command list]
• Black list of commands: all commands are allowed except those in the list. The syntax to use
in the “Rules” field is as follows: $cmd:[command list]
The command list is delimited by square brackets, each command being separated by a comma.
For example: [enable, show kerberos, access-template, configure terminal]
A command can contain a “:” separator to indicate the end of the unambiguous prefix. The
command itself must not contain any “:” character. For example for the commands "en[able]",
"sh[ow] kerb[eros]", "access-t[emplate]", and "conf[igure] t[erminal]" the list would be: [en:able,
sh:ow kerb:eros, access-t:emplate, conf:igure t:erminal]
$cmd:[en:able, sh:ow]
In case of multiple declarations, all lists of the same kind are merged.
If both white and black lists are declared together, detection will be done from the white list where
commands from the black list have been removed.
By default, implicitly, the commands “alias” and “prompt” will be added to a black list and the
command “exit” will be added to a white list.
Example of detection using the white list: [w:here, sh:ow ke:rberos, co:nnect]
Input Detection
show Yes
show kerb No
sh ke c No
show kron schedule Yes
show ip arp Yes
config t Yes
where No
w No
alias show display Yes
exit No
Table 10.3. Cisco IOS Detection with white list
Example of detection using the black list: [w:here, sh:ow ke:rberos, co:nnect]
Input Detection
show No
show kerb Yes
sh ke c Yes
show kron schedule No
show ip arp No
config t No
where Yes
w Yes
alias show display Yes
exit No
Table 10.4. Cisco IOS Detection with black list
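As an added example (not WALLIX code), here is a Python model of the `$acmd:`/`$cmd:` prefix rules described above, including the implicit “alias”, “prompt” and “exit” entries, which reproduces Tables 10.3 and 10.4; treating a list entry written without “:” as requiring the whole word, and treating extra trailing input tokens as arguments, are assumptions.

```python
import re

# Added example, not WALLIX code: a model of the Cisco IOS prefix rule syntax.
RULE_RE = re.compile(r"^\$(acmd|cmd):\[(.*)\]$")

# Implicit entries stated in the guide.
IMPLICIT_BLACK = ["alias", "prompt"]
IMPLICIT_WHITE = ["exit"]


def parse_entry(entry):
    """'sh:ow ke:rberos' -> [('sh', 'show'), ('ke', 'kerberos')].
    A word without ':' requires the full word (assumption)."""
    words = []
    for word in entry.split():
        prefix, _, rest = word.partition(":")
        words.append((prefix, prefix + rest))
    return words


def parse_rules(rules):
    """Return (white, black). Lists of the same kind are merged; white is None when no
    white list was declared. The implicit entries are appended."""
    white, black = [], []
    white_declared = False
    for line in rules:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a Cisco IOS rule: {line!r}")
        target = white if m.group(1) == "acmd" else black
        white_declared |= m.group(1) == "acmd"
        target.extend(parse_entry(e) for e in m.group(2).split(",") if e.strip())
    black.extend(parse_entry(e) for e in IMPLICIT_BLACK)
    if not white_declared:
        return None, black
    white.extend(parse_entry(e) for e in IMPLICIT_WHITE)
    return white, black


def matches(entry, tokens):
    """Each entry word must be satisfied by the input token in the same position: the
    token must be at least the unambiguous prefix and a prefix of the full word.
    Extra trailing tokens are treated as arguments (assumption)."""
    if len(tokens) < len(entry):
        return False
    return all(len(tok) >= len(prefix) and full.startswith(tok)
               for (prefix, full), tok in zip(entry, tokens))


def is_detected(rules, command):
    """White list declared: detected unless white-listed, and always when black-listed.
    Black list only: detected when black-listed."""
    white, black = parse_rules(rules)
    tokens = command.split()
    if any(matches(e, tokens) for e in black):
        return True
    return white is not None and not any(matches(e, tokens) for e in white)


def detection_table(rules, commands):
    """Return {input: 'Yes'/'No'} in the layout of the guide's tables."""
    return {c: ("Yes" if is_detected(rules, c) else "No") for c in commands}


# The inputs of Tables 10.3 and 10.4.
INPUTS = ["show", "show kerb", "sh ke c", "show kron schedule", "show ip arp",
          "config t", "where", "w", "alias show display", "exit"]
```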
A set of allowed commands can be defined as regular expressions for remote command execution.
A command mismatch will then be detected.
$allow:<re_1>
Commands matching the regular expression <re_1> are thus allowed. The others are detected.
If several expressions prefixed with “allow” are defined, a command matching one of them will be
allowed.
$allow:<re_1>
$allow:<re_2>
...
$allow:<re_n>
Rules defined as standard regular expressions are also checked. Thus, an input that matches an
allowed regular expression but also matches a standard regular expression is still detected, and the
corresponding action is performed.
Input Detection
abc No
cde Yes
Table 10.5. Commands
$allow:abc
$allow:ps.*
Input Detection
abc No
cde Yes
ps aux No
ps aux | grep eggs No
ls Yes
Table 10.6. Commands
$allow:abc
$allow:ps.*
ps.*\|
Input Detection
abc No
cde Yes
ps aux No
ps aux | grep eggs Yes
ls Yes
Table 10.7. Commands
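The following added example (not WALLIX code) implements the `$allow:` semantics described above and reproduces Tables 10.6 and 10.7; unanchored search for both kinds of expression is an assumption.

```python
import re

# Added example, not WALLIX code: evaluation of "$allow:" and standard rules.
ALLOW_PREFIX = "$allow:"


def compile_rules(rules):
    """Split the lines of the "Rules" field into allowed and standard expressions."""
    allowed, standard = [], []
    for rule in rules:
        rule = rule.strip()
        if not rule:
            continue
        if rule.startswith(ALLOW_PREFIX):
            allowed.append(re.compile(rule[len(ALLOW_PREFIX):]))
        else:
            standard.append(re.compile(rule))
    return allowed, standard


def is_detected(rules, command):
    """A command is detected when a standard expression matches it, or when allowed
    expressions exist and none of them matches it. Unanchored search is an assumption."""
    allowed, standard = compile_rules(rules)
    if any(p.search(command) for p in standard):
        return True
    return bool(allowed) and not any(p.search(command) for p in allowed)


def detection_table(rules, commands):
    """Return {input: 'Yes'/'No'} in the layout of the guide's tables."""
    return {c: ("Yes" if is_detected(rules, c) else "No") for c in commands}


# The rules and inputs of Tables 10.6 and 10.7.
TABLE_10_6_RULES = ["$allow:abc", "$allow:ps.*"]
TABLE_10_7_RULES = ["$allow:abc", "$allow:ps.*", r"ps.*\|"]
INPUTS = ["abc", "cde", "ps aux", "ps aux | grep eggs", "ls"]
```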
When creating or editing user groups or target groups, you can define “restrictions”: a set of
actions to apply when certain character sequences are detected in RDP keyboard flows (the data
analyzed is the data entered by the user) and/or in the window title bars (the data analyzed is the data
displayed on the screen). This is performed by enabling or disabling pattern detection per rule.
To add a restriction, click on the “Restrictions” tab then on the “+ Add” button to display the dedicated
creation window. The relevant actions must be selected in the “Action” field and the corresponding
rules must be defined in the “Rules” field.
In the event of detection, the corresponding action will apply: session disconnection for the “Kill”
action or sending of a notification for the “Notify” action.
Warning:
Character sequence detection is only enabled for data sent by the client to the server.
The list of patterns applied is the sum of those present in the user groups and the target groups.
The linked action is the most restrictive: if the “Kill” action is in one of the groups, then this action
will be selected.
The rules must be entered as regular expressions, with one expression per line.
An expression prefixed with “$ocr:” or without any prefix will only match the title bars of active
windows (and not those of the inactive windows).
An expression prefixed with “$kbd-ocr:” or “$ocr-kbd:” will match keyboard input and title bars of
active windows.
E.g.: to ensure files are not deleted from the command prompt (cmd.exe), the expressions to enter
in the "Rules" field are as follows:
$kbd:del\s+.*
$kbd:erase\s+.*
$ocr:Command Prompt
$ocr:.*\\cmd.exe
• “$exact-content:” searches for an entire string. It becomes “content:” when it is used with “$kbd:”.
• “$regex:” searches for a regular expression. This is the default behavior.
• “$exact-regex:” searches for a regular expression formed with “^pattern$”
“-” is the separator character for “$ocr:” and “$kbd:”. The supported separator characters are “-”
and “,”.
Warning:
If you choose to kill the session when a specific window title bar is displayed, users will
not be able to reconnect until this window is closed or its title changed because their
sessions will be killed again immediately.
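As an added example (not WALLIX code), this Python sketch routes RDP restriction rules to the keyboard flow and/or the active window title according to the prefixes described above, and applies the guide's cmd.exe rules to constructed session events; the mode prefixes are handled only on their own, since the guide does not spell out their combination with a channel prefix, which is an assumption.

```python
import re

# Added example, not WALLIX code: routes RDP restriction rules to the keyboard flow
# and/or the active window title, using the prefixes described in the guide.
CHANNEL_TOKENS = {"kbd", "ocr"}
MODE_PREFIXES = {"regex", "exact-regex", "exact-content"}


def parse_rule(rule):
    """Return (channels, matcher) for one line of the "Rules" field.
    No prefix or "$ocr:": active window titles only. "$kbd:": keyboard input.
    "$kbd-ocr:" / "$ocr-kbd:" (also with ","): both. Mode prefixes are handled only on
    their own (assumption)."""
    channels, mode, pattern = {"ocr"}, "regex", rule
    m = re.match(r"^\$([a-z,-]+):(.*)$", rule, re.DOTALL)
    if m:
        prefix, pattern = m.group(1), m.group(2)
        if prefix in MODE_PREFIXES:
            mode = prefix
        else:
            channels = set(re.split(r"[-,]", prefix))
            if not channels <= CHANNEL_TOKENS:
                raise ValueError(f"unsupported prefix in rule {rule!r}")
    if mode == "exact-content":
        return channels, lambda text: text == pattern
    regex = re.compile(f"^(?:{pattern})$" if mode == "exact-regex" else pattern)
    return channels, lambda text: regex.search(text) is not None


def evaluate(rules, events):
    """events: (channel, text) pairs, channel 'kbd' for typed input and 'ocr' for the
    title of the active window. Returns, per event, the rules that fired on it."""
    parsed = [(rule, *parse_rule(rule)) for rule in rules]
    return [[rule for rule, channels, match in parsed
             if channel in channels and match(text)]
            for channel, text in events]


# The guide's cmd.exe example rules, applied to constructed session events.
CMD_EXE_RULES = [r"$kbd:del\s+.*", r"$kbd:erase\s+.*",
                 r"$ocr:Command Prompt", r"$ocr:.*\\cmd.exe"]
SAMPLE_EVENTS = [
    ("ocr", "Command Prompt"),
    ("kbd", r"del C:\temp\a.txt"),
    ("ocr", r"C:\Windows\System32\cmd.exe"),
    ("ocr", "Untitled - Notepad"),
    ("kbd", "dir"),
]
```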
You can import the restrictions defined during the creation or modification of user groups
or target groups. These restrictions define the actions to apply when certain character
sequences are detected in the upward flow from proxies (refer to Section 10.5.1.7.1, “SSH flow
analysis / Pattern detection”, page 187 and Section 10.5.1.7.2, “RDP flows analysis / Pattern
detection”, page 192).
From the “CSV” page on the “Import/Export” menu, select the “Restrictions” check box to import the
related data. The field and list separators can also be configured.
The file must begin with a line containing the following tag:
#wab910 restriction
Important:
The update of existing data when importing a .csv file overwrites old data.
Warning:
The first line of the .csv file containing the tag must not be modified. If this line is modified,
the file can no longer be imported into WALLIX Bastion.
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
Caution:
A user is allowed to export restrictions if at least the “View” right for the “Targets &
accounts” feature is set in their profile (refer to Section 9.3, “User profiles”, page 87).
If only the “View” right for the “Targets & accounts” feature is set in the profile, then the
user will be able to export restrictions on target groups only.
If the “View” right for the “Users” feature is also set in the profile, then the user will be able
to export the restrictions defined on the user groups he/she is allowed to view (depending
on the limitations set for the profile. For further information, refer to Section 9.3, “User
profiles”, page 87).
If only the “View” right for the “Users” feature is set in the profile, then the user will not
be able to export any restriction.
For further information on how to enter data in the tabs, refer to Section 10.5.1, “Add a target
group”, page 183.
Warning:
You cannot delete a target group linked to active authorizations (refer to Chapter 12,
“Session management”, page 243).
From the “CSV” page on the “Import/Export” menu, select the “Target groups” check box to import
the related data. The field and list separators can also be configured.
The file must begin with a line containing the following tag:
#wab910 targetsgroup
Important:
The update of existing data when importing a .csv file overwrites old data.
Warning:
The first line of the .csv file containing the tag must not be modified. If this line is modified,
the file can no longer be imported into WALLIX Bastion.
account@domain@device:protocol
Account mapping   Text   O   Selected account mapping targets. Format for account mapping targets: device:protocol   N/A
Interactive login   Text   O   Selected interactive login targets. Format for interactive login targets: device:protocol   N/A
Accounts   Text   O   Selected target accounts for password management: account@domain@device or account@domain@application   N/A
Scenario   Text   O   Selected scenario accounts: account@domain or account@domain@device   N/A
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
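As an added example (not WALLIX code), the following Python validator checks target references against the formats listed in the table above so that a malformed reference can be reported before a target group .csv is imported; the column names used as keys and the “,” list separator of the constructed sample are assumptions.

```python
import re

# Added example, not WALLIX code: validates the target reference formats listed in
# the guide's target group import table. Names may not contain the characters that
# act as separators (assumption).
NAME = r"[^@:;,\s]+"
FORMATS = {
    # Session management targets of type "Account": account@domain@device:protocol
    "account": re.compile(
        rf"^(?P<account>{NAME})@(?P<domain>{NAME})@(?P<device>{NAME}):(?P<protocol>{NAME})$"),
    # Account mapping and interactive login targets: device:protocol
    "account_mapping": re.compile(rf"^(?P<device>{NAME}):(?P<protocol>{NAME})$"),
    "interactive_login": re.compile(rf"^(?P<device>{NAME}):(?P<protocol>{NAME})$"),
    # Password management targets: account@domain@device or account@domain@application
    "password_management": re.compile(
        rf"^(?P<account>{NAME})@(?P<domain>{NAME})@(?P<resource>{NAME})$"),
    # Scenario accounts: account@domain or account@domain@device
    "scenario": re.compile(
        rf"^(?P<account>{NAME})@(?P<domain>{NAME})(?:@(?P<device>{NAME}))?$"),
}


def parse_reference(kind, reference):
    """Return the named parts of one reference, or raise ValueError."""
    m = FORMATS[kind].match(reference.strip())
    if not m:
        raise ValueError(f"{kind}: malformed reference {reference!r}")
    return {k: v for k, v in m.groupdict().items() if v is not None}


def parse_cell(kind, cell, list_sep=","):
    """Split one CSV cell into references (the list separator is configurable on the
    import page; ',' is assumed here) and return (accepted, rejected)."""
    accepted, rejected = [], []
    for ref in filter(None, (r.strip() for r in cell.split(list_sep))):
        try:
            accepted.append(parse_reference(kind, ref))
        except ValueError as exc:
            rejected.append(str(exc))
    return accepted, rejected
```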
10.6. Clusters
A cluster is a group of jump servers. The use of a cluster in place of a single device allows application
load sharing and High-Availability. The jump server used to run an application is selected in two
steps. WALLIX Bastion firstly sorts the servers, beginning with the one that has the fewest open
sessions, and then tries to connect to each server until it succeeds.
The "Clusters" page allows you to:
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
The fields in this page are the same as those in the cluster creation page.
The file must begin with a line containing the following tag:
#wab910 cluster
Important:
The update of existing data when importing a .csv file overwrites old data.
Warning:
The first line of the .csv file containing the tag must not be modified. If this line is modified,
the file can no longer be imported into WALLIX Bastion.
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
From the "Password Vault Plugins" page on the "Targets" menu, you can view the list of the plugins
configured in WALLIX Bastion. For further information, refer to Section 5.3, “Password external
vault”, page 23.
Warning:
This page is only displayed when the “External Vaults” feature is associated with the
license key.
An external password vault plugin can be selected during the creation of a global domain (refer to
Section 10.3, “Domains”, page 160) and several parameters can be set depending on the chosen
plugin.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
The parameters to be set for this plugin during the creation of a global domain (refer to Section 10.3,
“Domains”, page 160) are defined as follows:
• API URL: URL of the REST API to access the vault. This parameter is required. This URL must
start with “https://” and end with “/api/vX.Y”. The minimum API version supported is 2.3.
• API key: key to connect to the REST API. If a key is entered, it must be entered again for
confirmation. This key must be generated on the remote WALLIX Bastion.
• Service account login: login of the service account to connect to the REST API. This login must
correspond to the user name of an account on the remote WALLIX Bastion.
• Service account password: password of the service account to connect to the REST API. If a
password is entered, it must be entered again for confirmation.
This plugin allows access to the password vault of the CyberArk Enterprise Password Vault privilege
management solution via the REST API Web service. For further information, refer to Section 5.3,
“Password external vault”, page 23.
The parameters to be set for this plugin during the creation of a global domain (refer to Section 10.3,
“Domains”, page 160) are defined as follows:
• API URL: URL of the REST API to access the vault. This parameter is required. This URL must
start with “https://” and end with “/PasswordVault”.
• Safe name: name of the container in the CyberArk Enterprise Password Vault privilege
management solution into which the secrets are stored. This parameter is required.
• Service account login: login of the service account to connect to the REST API. This login must
correspond to the user name of an account in the CyberArk Enterprise Password Vault privilege
management solution.
• Service account password: password of the service account to connect to the REST API. If a
password is entered, it must be entered again for confirmation.
• Maximum checkout duration (minutes): maximum time interval, expressed in minutes, during
which checkout can be performed. At the end of this period, an automatic check-in is performed
by the system. If "0" is entered in this field, then no automatic check-in is performed.
1. Vault root
└── 2. Name of the secret engine
├── 3. Account name in WALLIX Bastion
├── Login (field “login”)
The login and at least one credential (password or SSH key) are required.
The SSH key must be entered in the OpenSSH or PEM formats. The certificate corresponds to the
content of a signed public key which can be downloaded from the Web interface of WALLIX Bastion.
Figure 10.8. Example: Secret data for account “user1” within engine
“engine_one” in HashiCorp Vault secret management solution
• API URL: URL of the REST API to access the vault. This parameter is required.
• Vault plugin: select “external” as vault type. This parameter is required.
• Secret engine path: access path to the vault secret engine. This parameter is required.
• Engine version: select the version of the Key/Value secret engine. This parameter is required.
• Token: token to access the vault through the “Token” authentication method. If a token is entered,
it must be entered again for confirmation.
• Username: login of the account to access the vault through the “Userpass” authentication method.
This login must correspond to the user name of an account in the HashiCorp Vault secret
management solution.
• Password: password of the account to access the vault through the “Userpass” authentication
method. If a password is entered, it must be entered again for confirmation.
• PKCS#12 file: browse a path to upload a PKCS#12 file so as to provide the private and public
keys to access the vault through the “TLS Certificate” authentication method.
• PKCS#12 file passphrase: passphrase to unlock the keys provided via the PKCS#12 file for the
“TLS Certificate” authentication method. If a passphrase is entered, it must be entered again for
confirmation.
• Role name: name of the role associated with the Certificate Authority (or "CA") on the server of
the HashiCorp Vault secret management solution.
Note:
Mapping occurs between the account name in the WALLIX Bastion solution and the
secret name in the HashiCorp Vault secret management solution. The account name
must therefore correspond to the secret name in the HashiCorp Vault secret management
solution. If the secret name entered is “user1”, this same name must be assigned to the
account name.
It is possible to create an account login in the “Targets” > “Accounts” > “Global accounts”
page and set a password for it, without affecting data mapping between the two solutions.
This plugin allows access to the vault of the Thycotic Secret Server secret management solution
via the REST API Web service. For further information, refer to Section 5.3, “Password external
vault”, page 23.
This plugin allows checkout and check-in operations on passwords and SSH keys of the target
accounts. However, it does not allow the checkout duration of the credentials to be extended.
Some features in the Thycotic Secret Server secret management solution are not supported by
WALLIX Bastion. Therefore, the secrets managed by accounts enabling at least one of the following
features cannot be accessed:
• API URL: URL of the REST API to access the vault. This parameter is required. This URL
must start with “https://” and end with “/SecretServer”, e.g. “https://vault.mycompany.com/SecretServer”.
• Service account login: login of the service account to connect to the REST API. This login must
correspond to the user name of an account in the Thycotic Secret Server secret management
solution.
• Service account password: password of the service account to connect to the REST API. If a
password is entered, it must be entered again for confirmation.
• Login field: name of the field storing the account login in the Thycotic Secret Server secret
management solution. This name is case-sensitive. This parameter is required and contains
“Username” as a default value.
Warning:
The “Service account login” and “Service account password” fields are optional. If no
service account is used, the user must then provide a password when authenticating
via RDP or SSH proxies or the Web interface to access the vault of the Thycotic Secret
Server secret management solution. As authentications through X509 certificate, SSH
key or Kerberos ticket do not work in this context, it is required to define a service account.
• If the user has authenticated using a login and a password, then these credentials are used to
access the server of the Thycotic Secret Server secret management solution.
• If the user has authenticated using a Kerberos ticket or an SSH key or X509 certificate (or any
other authentication method without providing a password), the service account is used to retrieve
the secret. In this case, the service account must have at least the same rights as the user.
• If none of these methods works, then access to the vault to retrieve a secret will fail.
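As an added example (not WALLIX code), the following Python function applies the “API URL” rules stated for the three plugins above (remote WALLIX Bastion, CyberArk and Thycotic): an https scheme, the required trailing path component, and for the remote-Bastion plugin an “/api/vX.Y” version of at least 2.3 compared numerically rather than as text. The plugin identifiers, function names and host names in the samples are this example's own assumptions.

```python
"""Check the "API URL" parameter of an external password vault plugin.

Added example, not WALLIX code.  The rules are the ones the guide states for
each plugin; the plugin identifiers and names below are this example's own.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Remote-Bastion plugin: the URL must end with /api/vX.Y and X.Y must be >= 2.3.
MIN_BASTION_API_VERSION = (2, 3)
_BASTION_API_PATH = re.compile(r"/api/v(\d+)\.(\d+)$")

# Other plugins: the URL must end with a fixed path component.
REQUIRED_SUFFIX = {
    "cyberark": "/PasswordVault",
    "thycotic": "/SecretServer",
}


@dataclass(frozen=True)
class UrlCheck:
    ok: bool
    reason: str


def validate_vault_api_url(plugin: str, url: str) -> UrlCheck:
    """Return UrlCheck(ok=True, ...) if `url` satisfies the rules for `plugin`.

    `plugin` is one of "bastion", "cyberark" or "thycotic" (example names).
    """
    if plugin not in ("bastion", *REQUIRED_SUFFIX):
        return UrlCheck(False, f"unknown plugin {plugin!r}")
    if not url.startswith("https://"):
        return UrlCheck(False, "URL must start with https://")
    parsed = urlparse(url)
    if not parsed.hostname:
        return UrlCheck(False, "URL has no host name")
    if parsed.query or parsed.fragment:
        # A query string or fragment means the URL cannot end with the
        # required path, so reject it explicitly with a clearer message.
        return UrlCheck(False, "URL must not carry a query string or fragment")

    if plugin == "bastion":
        match = _BASTION_API_PATH.search(parsed.path)
        if match is None:
            return UrlCheck(False, "URL must end with /api/vX.Y")
        # Compare as an integer tuple: "2.10" >= "2.3" is false as strings,
        # but (2, 10) >= (2, 3) is true, which is what a version check needs.
        version = (int(match.group(1)), int(match.group(2)))
        if version < MIN_BASTION_API_VERSION:
            want = ".".join(map(str, MIN_BASTION_API_VERSION))
            return UrlCheck(False, f"API version {version[0]}.{version[1]} is below the minimum {want}")
        return UrlCheck(True, "ok")

    suffix = REQUIRED_SUFFIX[plugin]
    if not parsed.path.endswith(suffix):
        return UrlCheck(False, f"URL must end with {suffix} (got path {parsed.path!r})")
    return UrlCheck(True, "ok")


if __name__ == "__main__":
    # Constructed sample values; the host names are placeholders.
    samples = [
        ("bastion", "https://bastion.example.com/api/v3.0"),
        ("bastion", "https://bastion.example.com/api/v2.2"),
        ("cyberark", "https://vault.example.com/PasswordVault"),
        ("thycotic", "https://vault.mycompany.com/SecretSever"),  # typo: rejected
    ]
    for plugin, url in samples:
        result = validate_vault_api_url(plugin, url)
        print(f"{plugin:8} {url}: {'OK' if result.ok else 'REJECT - ' + result.reason}")
```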
The lookup is performed by entering the secret ID number of the external vault's account in the
“Login” field of the target account in WALLIX Bastion. This target account is then mapped to the
account in the vault of the Thycotic Secret Server secret management solution.
- On Thycotic Secret Server solution interface, the parameters of the account are as follows:
The URL mentioned on the above screenshot shows that the secret ID of the concerned account
is “26”.
- On WALLIX Bastion Web interface, the parameters defined for the Thycotic Secret Server plugin
are as follows:
As mentioned on the above screenshot, the value in “Login field” corresponds to the field
name storing the account login in the Thycotic Secret Server secret management solution, i.e.
“Username”. The value of the account login stored in the “Username” field is then “root”, as shown
on the previous screenshot.
- On WALLIX Bastion Web interface, the parameters defined for the target account are defined as
follows:
• the “Name” field contains the target account name which will be displayed on the selector of the
proxy client, i.e. “SSH_root”
• the “Login” field includes the secret ID number “26” to map the account in the Thycotic Secret
Server solution and retrieve the corresponding secret
Warning:
As the “Login” field includes the secret ID number, the option “copy from name” must
not be selected. This field must not correspond to the user name of the remote account.
• the password if it has been defined for the account either on the local or the remote WALLIX
Bastion
• the SSH private key if it has been defined for the account either on the local or the remote WALLIX
Bastion
• the certificate (i.e. the signed SSH public key) if the account is defined on a domain associated
with a Certificate Authority
The “Checkout policies” page on the “Targets” menu allows you to:
Warning:
A default checkout policy called “default” is configured on WALLIX Bastion. You can edit
this policy but you cannot delete it.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
This creation page consists of the following tabs: “General” and “Accounts”.
Note:
This field must be entered if both the checkout duration and checkout extension have
been set. Moreover, this duration must be greater than or equal to the sum of the
values defined for the checkout duration and the extension.
If the duration extension is not set, this field must be empty or the value entered must
be the same as the one defined for the checkout duration.
• list the accounts associated with the related checkout policy. To do so, select the desired account
type from the drop-down list.
• edit an account associated with the checkout policy. To do so, select the desired account type from
the drop-down list, then click on the name of the account to display the related modification page.
For further information, refer to Section 10.4.1, “Add a target account to a global
domain”, page 172 to edit a global domain account, to Section 10.4.2, “Add a target account
to a device”, page 175 to edit a device account and to Section 10.4.3, “Add a target account to
an application”, page 177 to edit an application account.
• delete accounts linked to the checkout policy. To do so, select the desired account type from the
drop-down list, then check the box at the beginning of the line of the account(s) and click on the
“Delete” button.
Warning:
If access to target accounts is not allowed for a profile, then the profile members can
neither delete nor edit a password checkout policy.
From the “Checkout policies” page on the “Targets” menu, check the box at the beginning of the
line of the policy(ies) you wish to delete, then click on the “Delete” button. WALLIX Bastion displays
a dialogue box requesting a confirmation before permanently deleting the selected line(s).
Warning:
You cannot delete a password checkout policy if at least one target account is linked to
this policy.
If access to target accounts is not allowed for a profile, then the profile members can
neither delete nor edit a password checkout policy.
10.9. Discovery
WALLIX Bastion embeds a specific module to provide continuous automatic discovery of assets on
configured networks and Active Directories and onboard the desired results.
Note:
The “Discovery” entry will not be displayed on the Web interface if the “Enable
modules” option, accessible from “Configuration” > “Configuration options” > “Module
configuration”, section “main” is deselected. This option is displayed when the check box
of the “Advanced options” field at the top right of the page has been selected. It should
ONLY be changed upon instructions from the WALLIX Support Team!
The “View” right for the “Targets & accounts” feature with no limitations on target groups
must be set in the user profile to view the pages in the “Discovery” entry.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
Important:
The “Module configuration” option must be activated (for further information, refer to
Section 10.9, “Discovery”, page 208) and the “View” right on “Targets & accounts” and
“Settings” features with no limitations on target groups must be set in the user profile
to view the pages in the “Discovery” entry. To edit these pages, the “Modify” right on
“Settings” features must additionally be set in the user profile.
To ensure high performance, a network scan must not be performed on a subnet with
more than 8,192 IP addresses.
From the “Discovery” entry in the “Targets” menu, select “Scan configuration” then click on the “+
Add [Network]” button to display the scan configuration creation page and enter the fields.
For example, if 0 0 * * * or @daily is entered in this field, then the scan job is set to
run once a day at midnight. For further information, refer to https://en.wikipedia.org/w/
index.php?title=Cron#CRON_expression.
Lists of values are available below this field to define this period clearly using the cron syntax.
Once you have entered the fields, click on “Apply” to save the configuration or click on “Apply and
launch” to launch the scan immediately.
Important:
The “Module configuration” option must be activated (for further information, refer to
Section 10.9, “Discovery”, page 208) and the “View” right on “Targets & accounts” and
“Settings” features with no limitations on target groups must be set in the user profile
to view the pages in the “Discovery” entry. To edit these pages, the “Modify” right on
“Settings” features must additionally be set in the user profile.
To ensure high performance, a network scan must not be performed on a subnet with
more than 8,192 IP addresses.
An administrator account must be configured to discover accounts on new devices. To do so, create
a global domain from the “Domains” page. (For further information, refer to Section 10.3.1, “Add a
global domain”, page 162.) Then create an account on this global domain. (For further information,
refer to Section 10.3.4, “Add an account to the global or a local domain”, page 165.)
From the “Discovery” entry in the “Targets” menu, select “Scan configuration” then click on the “+
Add [Network]” button to display the scan configuration creation page and enter the fields.
This page consists of the following fields:
Note:
A maximum number of 5 administrator accounts can be selected.
• the subnets specified using a CIDR notation (<network address>/<number of mask bits>), e.g.:
192.168.0.15/24. Once you have entered a valid address, click on the “+ Add field” button to add
as many subnets as necessary. Once a subnet is added, you have the possibility to delete it by
clicking on the “-” icon.
• the protocol and port associations. To create an association, select a protocol in the dropdown
list then specify the related port. Click on the “+ Add field” button to create as many associations
as necessary. Once created, it is possible to delete this association by clicking on the “-” icon.
• the SSH banner filters specified using regular expressions. Only devices with a banner matching
these regular expressions will be discovered. Once you have entered an expression, click on the
“+ Add field” button to add as many expressions as necessary. Once an expression is added, you
have the possibility to delete it by clicking on the “-” icon.
• the scan periodicity, i.e. the frequency at which the scan is automatically triggered. The
format of the “Periodicity” field corresponds to the cron syntax. This field supports the usual
syntax on 5 fields <Minute> <Hour> <Day_of_the_Month> <Month_of_the_Year>
<Day_of_the_Week> and the “@” aliases.
For example, if 0 0 * * * or @daily is entered in this field, then the scan job is set to
run once a day at midnight. For further information, refer to https://en.wikipedia.org/w/
index.php?title=Cron#CRON_expression.
Lists of values are available below this field to define this period clearly using the cron syntax.
If this field is left empty, then no periodicity is set.
• an option to enable the periodicity and thus set the automatic scan launch.
• the email addresses of the recipients to be notified at the end of the scan. Once you have entered
an email, click on the “+ Add field” button to add as many emails as necessary. Once an email is
added, you have the possibility to delete it by clicking on the “-” icon.
Once you have entered the fields, click on “Apply” to save the configuration or click on “Apply and
launch” to launch the scan immediately.
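As an added example (not WALLIX code), the following Python pre-flight check applies the constraints this section states for a network scan configuration before it is saved: CIDR subnets of at most 8,192 addresses, protocol/port pairs with ports in range, SSH banner filters that compile as regular expressions, a 5-field cron periodicity or an “@” alias, and at most 5 administrator accounts. The ScanConfig class, the function names and the sample values are constructed for this example.

```python
"""Pre-flight checks for a network scan configuration.

Added example, not WALLIX code.  The constraints are those the guide states;
the ScanConfig class, function names and sample values are this example's own.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

MAX_SUBNET_ADDRESSES = 8192   # guide: no scan on a subnet with more than 8,192 addresses
MAX_ADMIN_ACCOUNTS = 5        # guide: at most 5 administrator accounts per scan

# Standard cron aliases; "@daily" is the guide's own example.
CRON_ALIASES = {"@yearly", "@annually", "@monthly", "@weekly", "@daily", "@midnight", "@hourly"}
# Allowed ranges for <Minute> <Hour> <Day_of_the_Month> <Month_of_the_Year> <Day_of_the_Week>.
CRON_FIELD_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 7))


@dataclass
class ScanConfig:
    subnets: list[str]
    protocol_ports: list[tuple[str, int]]
    banner_filters: list[str] = field(default_factory=list)
    periodicity: str = ""                       # empty means no periodicity is set
    admin_accounts: list[str] = field(default_factory=list)


def _cron_field_ok(value: str, lo: int, hi: int) -> bool:
    """Accept '*', 'a', 'a-b', each optionally with '/step', and comma lists of those."""
    for part in value.split(","):
        base, _, step = part.partition("/")
        if step and (not step.isdigit() or int(step) == 0):
            return False
        if base == "*":
            continue
        start, _, end = base.partition("-")
        if not start.isdigit() or (end and not end.isdigit()):
            return False
        first, last = int(start), int(end) if end else int(start)
        if not (lo <= first <= last <= hi):
            return False
    return True


def periodicity_ok(expr: str) -> bool:
    """True for a cron alias or a well-formed 5-field cron expression."""
    expr = expr.strip()
    if expr in CRON_ALIASES:
        return True
    fields = expr.split()
    return len(fields) == 5 and all(
        _cron_field_ok(f, lo, hi) for f, (lo, hi) in zip(fields, CRON_FIELD_RANGES)
    )


def subnet_issue(cidr: str) -> str | None:
    """Return a problem description for `cidr`, or None if it may be scanned."""
    try:
        # strict=False accepts host bits in the address, as in the guide's
        # own example 192.168.0.15/24 (treated as 192.168.0.0/24).
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError as exc:
        return f"{cidr}: not a valid CIDR subnet ({exc})"
    if net.num_addresses > MAX_SUBNET_ADDRESSES:
        return f"{cidr}: {net.num_addresses} addresses exceeds the {MAX_SUBNET_ADDRESSES} limit"
    return None


def validate_scan_config(cfg: ScanConfig) -> list[str]:
    """Return the problems found; an empty list means the configuration passes."""
    problems: list[str] = []
    if not cfg.subnets:
        problems.append("at least one subnet is required")
    problems.extend(msg for msg in map(subnet_issue, cfg.subnets) if msg)
    for proto, port in cfg.protocol_ports:
        if not 1 <= port <= 65535:
            problems.append(f"{proto}: port {port} is out of range")
    for pattern in cfg.banner_filters:
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append(f"banner filter {pattern!r} is not a valid regular expression ({exc})")
    if cfg.periodicity and not periodicity_ok(cfg.periodicity):
        problems.append(f"periodicity {cfg.periodicity!r} is neither 5-field cron syntax nor an @ alias")
    if len(cfg.admin_accounts) > MAX_ADMIN_ACCOUNTS:
        problems.append(f"{len(cfg.admin_accounts)} administrator accounts, maximum is {MAX_ADMIN_ACCOUNTS}")
    return problems


if __name__ == "__main__":
    # Constructed samples: a /19 holds exactly 8,192 addresses and passes, a /18 does not.
    good = ScanConfig(["192.168.0.15/24", "10.0.0.0/19"], [("SSH", 22), ("RDP", 3389)],
                      banner_filters=[r"^SSH-2\.0-OpenSSH"], periodicity="@daily",
                      admin_accounts=["unix_admin"])
    bad = ScanConfig(["10.0.0.0/18"], [("SSH", 22)], banner_filters=["["],
                     periodicity="0 0 * *", admin_accounts=[f"admin{i}" for i in range(6)])
    for name, cfg in (("good", good), ("bad", bad)):
        print(name, validate_scan_config(cfg) or "passes")
```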
Important:
The “Module configuration” option must be activated (for further information, refer to
Section 10.9, “Discovery”, page 208) and the “View” right on “Targets & accounts” and
“Settings” features with no limitations on target groups must be set in the user profile
to view the pages in the “Discovery” entry. To edit these pages, the “Modify” right on
“Settings” features must additionally be set in the user profile.
From the “Discovery” entry in the “Targets” menu, select “Scan configuration” then click on the “+
Add [Active Directory]” button to display the scan configuration creation page and enter the fields.
This page consists of the following fields:
Warning:
To perform a relevant Active Directory scan for device discovery, make sure the DNS
server is configured in accordance with this scan. The DNS section is accessible
from the menu “System” > “Network”. For further information, refer to Section 8.6,
“Network”, page 49.
Once you have entered the fields, click on “Apply” to save the configuration or click on “Apply and
launch” to launch the scan immediately.
Important:
The “Module configuration” option must be activated (for further information, refer to
Section 10.9, “Discovery”, page 208) and the “View” right on “Targets & accounts” and
“Settings” features with no limitations on target groups must be set in the user profile
to view the pages in the “Discovery” entry. To edit these pages, the “Modify” right on
“Settings” features must additionally be set in the user profile.
An administrator account must be created to discover local accounts on new devices during the
Active Directory scan. To do so, create a global domain from the “Domains” page. For further
information, refer to Section 10.3.1, “Add a global domain”, page 162. Then create an account for
this global domain. For further information, refer to Section 10.3.4, “Add an account to the global
or a local domain”, page 165.
From the “Discovery” entry in the “Targets” menu, select “Scan configuration” then click on the “+
Add [Active Directory]” button to display the scan configuration creation page and enter the fields.
Note:
A maximum number of 5 administrator accounts can be selected.
• an external authentication. Select an LDAP external authentication using Active Directory in the
dropdown list or click on the link below the field to be redirected to the authentication creation
page. For further information on the creation of an external authentication using Active Directory,
refer to Section 9.8.1.3, “Add an LDAP external authentication”, page 112.
• an LDAP/AD search filter. The default query “(objectClass=Computer)” retrieves all the
computers from the directory. This query can be refined with additional criteria.
• the Distinguished Names (or “DNs”) of the entries in the directory. Once you have entered a DN,
click on the “+ Add field” button to add as many DNs as necessary. Click on the “-” icon to delete
a field.
• the protocol and port associations. To create an association, select a protocol in the dropdown
list then specify the related port. Click on the “+ Add field” button to create as many associations
as necessary. Once created, it is possible to delete this association by clicking on the “-” icon.
• the SSH banner filters specified using regular expressions. Only devices with a banner matching
these regular expressions will be discovered. Once you have entered an expression, click on the
“+ Add field” button to add as many expressions as necessary. Once an expression is added,
you have the possibility to delete it by clicking on the “-” icon.
• the scan periodicity, i.e. the frequency at which the scan is automatically triggered. The
format of the “Periodicity” field corresponds to the cron syntax. This field supports the usual
syntax on 5 fields <Minute> <Hour> <Day_of_the_Month> <Month_of_the_Year>
<Day_of_the_Week> and the “@” aliases.
For example, if 0 0 * * * or @daily is entered in this field, then the scan job is set to
run once a day at midnight. For further information, refer to https://en.wikipedia.org/w/
index.php?title=Cron#CRON_expression.
Lists of values are available below this field to define this period clearly using the cron syntax.
If this field is left empty, then no periodicity is set.
• an option to enable the periodicity and thus set the automatic scan launch.
• the email addresses of the recipients to be notified at the end of the scan. Once you have entered
an email, click on the “+ Add field” button to add as many emails as necessary. Once an email is
added, you have the possibility to delete it by clicking on the “-” icon.
Warning:
To perform a relevant Active Directory scan for local account discovery, make sure the
DNS server is configured in accordance with this scan. The DNS section is accessible
from the menu “System” > “Network”. For further information, refer to Section 8.6,
“Network”, page 49.
Once you have entered the fields, click on “Apply” to save the configuration or click on “Apply and
launch” to launch the scan immediately.
Important:
The “Module configuration” option must be activated (for further information, refer to
Section 10.9, “Discovery”, page 208) and the “View” right on “Targets & accounts” and
“Settings” features with no limitations on target groups must be set in the user profile
to view the pages in the “Discovery” entry. To edit these pages, the “Modify” right on
“Settings” features must additionally be set in the user profile.
From the “Discovery” entry in the “Targets” menu, select “Scan configuration” then click on the “+
Add [Active Directory]” button to display the scan configuration creation page and enter the fields.
This page consists of the following fields:
Once you have entered the fields, click on “Apply” to save the configuration or click on “Apply and
launch” to launch the scan immediately.
1. Check the box at the beginning of the line of the scan(s) you wish to launch.
2. Click on the “Launch manually” button to launch the scan(s) immediately.
Note:
The time at which the next scan job will be triggered is displayed in the “Next job”
column in the list of the configured scans.
From the “Discovery” entry in the “Targets” menu, select “Job list” to display the list of the scan jobs.
Each line provides the following information:
• the job start date and time. The calendar icon in the header of the “Start date” column allows the
display of a date picker to select the desired date.
• the job type
• the job status
• the job duration
• the number of discovered devices and/or accounts matching the scan filters
• the scan name
• the subnet information
• the subnets for a network scan
• the Distinguished Names for an Active Directory scan
• get information on a job by clicking on the data in the “Start date” column: it contains an access link
to a dedicated page. The “General” tab displays the scan configuration properties, the number of
discovered devices and discovered local accounts, or the number of discovered global accounts
matching the scan filters, if the account discovery option is enabled. The “Raw results” tab lists
all the discovered assets during a successful job. The “Discovered accounts” column will display
the number of discovered local accounts related to the discovered device. Click on “+” at the
beginning of the line of the device to display the list of accounts related to the device. The
discovered global accounts will be displayed in the “Distinguished Names” and “Account login”
columns.
• cancel a running job if needed. To do so, select the desired job(s) whose status is “Running” by
checking the box at the beginning of the line(s) and click on the “Cancel” button.
• access the scan configuration page to edit the properties by clicking on the link in the “Scan
name” column.
10.9.3. Onboarding
10.9.3.1. Onboard discovered devices in WALLIX Bastion
Important:
The “Module configuration” option must be activated (for further information, refer to
Section 10.9, “Discovery”, page 208) and the “View” right on “Targets & accounts”
feature with no limitations on target groups must be set in the user profile to view the pages
in the “Discovery” entry. To edit these pages, the “Modify” right on the “Targets & accounts”
feature must additionally be set in the user profile.
From the “Discovery” entry in the “Targets” menu, select “Onboarding” to display the list of the
discovered devices.
By default, from the “Devices / Local accounts” tab, the “Discovered items” view displays the devices
which can be onboarded.
To onboard devices at once:
1. Click on the “Onboard” button in the blue frame. This frame displays the steps to onboard
devices. The first step is “Selection”. It is possible to cancel this action by clicking on the “Cancel”
button in this frame.
2. Check the box at the beginning of the lines of the devices to onboard.
3. Click on the “Next” button in the blue frame. The “Rotation management” step is available only
if local accounts are selected. Click on the “Next” button. The last step is “Summary”. This step
allows you to check all selected devices to onboard. It is possible to modify this selection by
clicking on the “Previous” button.
4. Click on the “Onboard” button. The devices are then onboarded within WALLIX Bastion and can
be managed from the “Devices” page on the “Targets” menu.
Note:
The status of the device is automatically set as “Onboarded” on the “General” tab
(accessible from the “Devices” page on the “Targets” menu).
• get information on the related jobs by clicking on the data in the “First discovery” and “Last
discovery” columns: they contain an access link to a dedicated page. The “General” tab displays
the scan configuration properties and the number of discovered devices matching the scan filters.
The “Raw results” tab lists all the discovered assets during the job.
• hide irrelevant devices. To do so, click on the “Hide” button in the blue frame. It is possible to
cancel this action by clicking on the “Cancel” button in this frame. Select the devices to hide
by checking the box at the beginning of the lines. Click on the “Next” button in the blue frame.
The last step is “Summary”. This step allows you to check all selected devices you wish to hide.
It is possible to modify the device selection by clicking on the “Previous” button. Then click on
the “Hide” button. The corresponding devices are then listed on the “Hidden items” view. Hidden
devices can also be onboarded if needed by clicking on the “Onboard” button and by following
the procedure described above.
• unhide devices. Hidden devices can be displayed again on the “Discovered items” view. To do
so, from the “Hidden items” view, click on the “Unhide” button in the blue frame. Select the devices
to unhide by checking the box at the beginning of the lines. Click on the “Next” button. The last
step is “Summary”. This step allows you to check all selected devices you wish to unhide. It is
possible to modify the device selection by clicking on the “Previous” button. Then click on the
“Unhide” button.
• delete devices. To do so, click on the “Delete” button in the blue frame. Select the devices to
delete by checking the box at the beginning of the lines. Click on the “Next” button. The last step
is “Summary”. This step allows you to check all selected devices you wish to delete. It is possible
to modify the device selection by clicking on the “Previous” button. Then click on the “Delete”
button. This operation removes the selected devices from the Bastion. As an example, it can be
relevant to delete devices which no longer exist and are still displayed in the “Discovered items”
or “Hidden items” views. They will be displayed again if they are discovered after a new scan.
Important:
The “Module configuration” option must be activated (for further information, refer to
Section 10.9, “Discovery”, page 208) and the “View” right on “Targets & accounts”
feature with no limitations on target groups must be set in the user profile to view the pages
in the “Discovery” entry. To edit these pages, the “Modify” right on the “Targets & accounts”
feature must additionally be set in the user profile.
From the “Discovery” entry in the “Targets” menu, select “Onboarding” to display the list of
the discovered devices and the related number of discovered local accounts, and/or the global
accounts.
By default, from the “Devices / Local accounts” tab, the “Discovered items” view displays the list
of the devices and the number of accounts which can be onboarded. The global accounts are
displayed in the “Global accounts” tab.
1. In the “Devices / Local accounts” tab, click on the “Onboard” button in the blue frame. This frame
displays the steps to onboard local accounts. The first step is “Selection”. It is possible to cancel
this action by clicking on the “Cancel” button in this frame.
2. Click on “+” at the beginning of the line of the device to display the list of accounts related to
the device. This list of accounts provides the following information:
• Account login
• Status
• Administrator account
• Last login
• Groups
• First discovery
• Last discovery
Note:
It is possible to filter the local accounts you wish to onboard by entering the “Account
login”, “Last login” and/or “Group” fields. Then click on the “Search” button.
3. Check the box at the beginning of the line of the local account you wish to onboard.
Note:
To onboard a device and its local accounts at once, check the box at the beginning of
the line of the device you wish to onboard. By default, each account of the device is selected
for onboarding. It is possible to deselect accounts to exclude them from onboarding.
Figure 10.11. Example for local account onboarding at rotation management step
6. Click on the “Next” button in the frame. The last step is “Summary”. This step allows you to
check all local accounts and/or devices to onboard. It is possible to modify this selection by
clicking twice on the “Previous” button.
7. Click on the “Onboard” button. The local accounts are then onboarded within WALLIX Bastion
and the password change plugin and password change policy configuration is applied. The local
accounts can be managed from the “Accounts” page on the “Targets” menu.
• get information on the related jobs by clicking on the data in the “First discovery” and “Last
discovery” columns: they contain an access link to a dedicated page. The “General” tab displays
the scan configuration properties and the number of discovered devices and accounts matching
the scan filters. The “Raw results” tab lists all the discovered assets during the job.
• hide irrelevant devices and/or local accounts. To do so, click on the “Hide” button in the blue
frame. It is possible to cancel this action by clicking on the “Cancel” button in this frame. Select
the devices and/or local accounts to hide by checking the box at the beginning of the lines. Click
on the “Next” button in the frame. The last step is “Summary”. This step allows you to check all
selected devices and/or local accounts to hide. It is possible to modify this selection by clicking
on the “Previous” button. Then click on the “Hide” button. The corresponding devices and/or
accounts are then listed on the “Hidden items” view. Hidden devices and/or local accounts can
also be onboarded if needed by clicking on the “Onboard” button and by following the procedure
described above.
• unhide devices and/or local accounts. Hidden devices and/or local accounts can be displayed
again on the “Discovered items” view. To do so, from the “Hidden items” view, click on the “Unhide”
button in the blue frame. Select the devices and/or local accounts to unhide by checking the box
at the beginning of the lines. Click on the “Next” button. The last step is “Summary”. This step
allows you to check all selected devices and/or local accounts to unhide. It is possible to modify
the device selection by clicking on the “Previous” button. Then click on the “Unhide” button.
• delete devices and/or local accounts. To do so, click on the “Delete” button in the blue frame.
Select the devices and/or local accounts to delete by checking the box at the beginning of the
lines. Click on the “Next” button. The last step is “Summary”. This step allows you to check all
selected devices and/or local accounts to delete. It is possible to modify this selection by clicking
on the “Previous” button. Then click on the “Delete” button. This operation removes the selected
devices and/or accounts from the Bastion. As an example, it can be relevant to delete devices
and/or accounts which no longer exist and are still displayed on the “Discovered items” or “Hidden
items” views. They will be displayed again if they are discovered after a new scan.
1. In the “Global accounts” tab, click on the “Onboard” button in the blue frame. This section
displays the steps to onboard global accounts. The first step is “Selection”. It is possible to
cancel this action by clicking on the “Cancel” button in this frame.
2. Check the box at the beginning of the lines of the global accounts to onboard. Click on the
“Next” button at the top right of the page.
3. Click on the “Onboard” button. The global accounts are then onboarded within WALLIX Bastion.
They can be managed from the “Accounts” page on the “Targets” menu.
Note:
After deleting a global domain, all related global accounts are removed, including
discovered global accounts from the “Onboarding” page on the “Discovered items”
and “Hidden items” views.
• get information on the related jobs by clicking on the data in the “First discovery” and “Last
discovery” columns: they contain an access link to a dedicated page. The “General” tab displays
the scan configuration properties and the number of discovered accounts matching the scan
filters. The “Raw results” tab lists all the discovered assets during the job.
• hide irrelevant global accounts. To do so, click on the “Hide” button in the blue frame. It is possible
to cancel this action by clicking on the “Cancel” button in this frame. Select the global accounts
to hide by checking the box at the beginning of the lines. Click on the “Next” button in the frame.
The last step is “Summary”. This step allows you to check all selected global accounts to hide. It
is possible to modify this selection by clicking on the “Previous” button. Then click on the “Hide”
button. The corresponding global accounts are then listed on the “Hidden items” view. Hidden
global accounts can also be onboarded if needed by clicking on the “Onboard” button and by
following the procedure described above.
• unhide global accounts. Hidden global accounts can be displayed again on the “Discovered
items” view. To do so, from the “Hidden items” view, click on the “Unhide” button in the blue frame.
Select the global accounts to unhide by checking the box at the beginning of the lines. Click on
the “Next” button. The last step is “Summary”. This step allows you to check all selected global
accounts to unhide. It is possible to modify this selection by clicking on the “Previous” button.
Then click on the “Unhide” button.
• delete global accounts. To do so, click on the “Delete” button in the blue frame. Select the global
accounts to delete by checking the box at the beginning of the lines. Click on the “Next” button.
The last step is “Summary”. This step allows you to check all selected global accounts to delete. It
is possible to modify this selection by clicking on the “Previous” button. Then click on the “Delete”
button. This operation removes the selected global accounts from the Bastion. As an example, it
can be relevant to delete accounts which no longer exist and are still displayed in the “Discovered
items” or “Hidden items” views. They will be displayed again if they are discovered after a new
scan.
Important:
All the IP addresses which can be set on WALLIX Bastion support both IPv4 and IPv6
formats.
• click on "View" at the beginning of the line to display in another page the credentials of the related
account. In this case, the lock has been disabled at the level of the checkout policy associated
with this account: several users can then access the credentials at the same time.
• click on "Check out" at the beginning of the line to display in another page the credentials of
the related account. In this case, the lock has been enabled at the level of the checkout policy
associated with this account: only this user can access the credentials at this time. For further
information, refer to Section 10.8, “Checkout policies”, page 205.
Important:
If an approval is not necessary to access the credentials or has been accepted by
approvers, the user can directly check out the data. Otherwise, an error message
is displayed and the user must send a request to access the credentials. For
further information, refer to Section 11.1.1, “Password access through an approval
workflow”, page 222.
In the event of an ongoing password change, the concerned account cannot be
checked out. An error message is then displayed informing the user that the account
is temporarily unavailable for checkout.
• click on "Check out remotely" at the beginning of the line to display in another page the credentials
of the related external vault account.
• identify an account that is locked because of an ongoing checkout. In this case, no action
can be performed until this lock is released.
• send a request to approvers to access the account's credentials by clicking on "Request" in the
"Approval" column at the end of the line. For further information, refer to Section 11.1.1, “Password
access through an approval workflow”, page 222.
When the user has access to the page listing the account's credentials, they can view:
• the name of the account being checked out mentioned above the frame
On the page listing the account's credentials, the user can also:
• click on the "Check in" button to end check out. The user is then redirected to the page listing
the authorized target accounts. If the lock has been enabled in the checkout policy associated
with this account, this action also releases the lock of the account. For further information, refer
to Section 10.8, “Checkout policies”, page 205.
• click on the "Extend checkout" button if a checkout extension has been defined in the checkout
policy associated with the account. Otherwise this button is not displayed. This action extends the
checkout duration and can then be performed several times as long as the maximum duration has
not been reached. For further information, refer to Section 10.8, “Checkout policies”, page 205.
When the lock has been enabled in the checkout policy associated with this account, the latter
remains locked for the period defined within this policy. It is then necessary to click on the "Check
in" button to release the lock of the account before the end of checkout duration. Nonetheless,
the account is automatically checked in at the end of this duration and the user is redirected
to the page listing the authorized target accounts. The remaining time before automatic check-
in is displayed below the credentials. For further information, refer to Section 10.8, “Checkout
policies”, page 205.
The user can click on the notepad icon at the beginning of the line to get a detailed view of the
request. The page provides a "Cancel request" button to cancel the approval requests which are
still valid.
Note:
A script can be called during the approval request creation, but also at the beginning and
end of each session within the request duration period, to manage the approval in an
external ticketing system. To do so, the path to this script is to be entered in the "Ticketing
interface path" field via "Configuration" > "Configuration Options" > "Global".
The script must be uploaded to the /usr/local/bin directory for which the “wabuser”
user has execution rights. To upload a file to this directory, the user must be logged in
with “root” privileges.
The script is then called systematically, even if no ticket number is specified in the
"Ticket" field. When the script writes a ticket number to the standard output in the expected
format "ticket=1234", WALLIX Bastion uses this number instead of the one specified in the
"Ticket" field.
• “Host”: device hostname or IP address. This parameter is only required for a global domain.
• “Port”: device port number (SSH default port: 22).
• “Enable password”: privilege elevation password of the "enable" command. This parameter is
required.
Supported rotation
• Password
• “Host”: device hostname or IP address. This parameter is only required for a global domain.
• “Port”: device port number (SSH default port: 22)
• “Index”: index of the privileged account. By default, it corresponds to index 2. This parameter is
required.
• “iDRAC version”: device version. By default, it corresponds to Dell iDRAC8. This parameter is
required.
Supported rotation
• Password
• “Host”: device hostname or IP address. This parameter is only required for a global domain.
• “Port”: device port number (SSH default port: 22)
• “Configuration”: character string referring to the section of the configuration. Only the
configuration for the default "System admin" is currently supported.
Supported rotation
• Password
• SSH key (on local domain only)
Warning:
The administrator account is required on the local domain for this plugin. This
account should be first added to the domain from the "Domain accounts" area on
the domain summary page, once the domain creation step has been completed. For
further information, refer to Section 10.3.4, “Add an account to the global or a local
domain”, page 165. Once the "Enable password change" option has been selected on the
domain modification page, select this account from the list in the "Administrator account"
field before selecting the Fortinet FortiGate plugin in the "Password change plugin" field.
The parameters to be set for this plugin during the creation/modification of a local domain for a
device only (refer to Section 10.3, “Domains”, page 160) are defined as follows:
• “Port”: system port number (3272 over TLS default port: 623). This parameter is required.
• “Scenario”: scenario labelled in plain text played by the plugin to change passwords. This
parameter is required.
This scenario includes the following commands and also accepts comments and empty lines:
• EXPECT: expects to receive a specific character string at a given offset which must be absolute,
starting from line 1 in the upper part of the terminal
• IF EXPECT/ELSE/FI: expects to receive a specific character string at a given offset which must
be absolute, starting from line 1 in the upper part of the terminal. If the string is found, the condition
in the TRUE block element is executed. Otherwise, the condition in the ELSE block element is
executed if the latter exists.
• MOVE_TO: moves the cursor to a given position starting from line and column 1 in the upper part
of the terminal (for example, command MOVE_TO:5:18 moves the cursor to line 5 column 18)
• PUT: writes a specific character string at the cursor position
• SEND_ENTER | SEND_PF3 | SEND_PF4 | SEND_PF5 | SEND_PF6 | SEND_PF7 | SEND_PF8: these
commands send the specific key (e.g. ENTER or PF7) to the terminal
• LOG_ERROR: writes the message specified as a parameter into the error logs
• LOG_SCREEN: writes the whole 3270 terminal screen and cursor position into the error logs
• QUIT: ends the session. The password is considered as unchanged.
Scenario example:
An AS/390 emulator with 3270 capabilities can be found at http://www.canpub.com/teammpg/de/sim390/.
#######
# Script for MUSIC AS/390 emulator
# with TN3270 support
#######
####
# Welcome screen
EXPECT:16:Multi-User System for
SEND_ENTER
####
# Login screen
EXPECT:3:MUSIC Userid:
PUT:$account
MOVE_TO:5:18
PUT:$old_password
SEND_ENTER
####
# Login errors
IF EXPECT:7:Password incorrect
LOG_ERROR:Bad password !
QUIT
FI
####
#
EXPECT:1:Userid last signed
SEND_ENTER
####
# Change password
EXPECT:12:Change password
PUT:7
SEND_ENTER
####
# End of changing password
IF EXPECT:4:SELECT OPTION
PUT:X
ELSE
# Quit with an error
LOG_ERROR:Password has not been changed
# Print the terminal screen to syslog
LOG_SCREEN
QUIT
FI
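The scenario language above can be checked offline with a small interpreter. The following is an added example, not WALLIX code: it runs a condensed copy of the scenario against a constructed fake host (the host's screens, the 24x80 geometry, and aborting on a failed plain EXPECT are assumptions of this example).

```python
"""Added example (not WALLIX code): a small interpreter for the 3270 scenario
language above, run against a constructed fake host to check control flow."""
import re

# Condensed copy of the page's MUSIC AS/390 scenario (comment lines and the
# welcome / "last signed on" screens omitted to keep the example short).
SCENARIO = """
EXPECT:3:MUSIC Userid:
PUT:$account
MOVE_TO:5:18
PUT:$old_password
SEND_ENTER
IF EXPECT:7:Password incorrect
LOG_ERROR:Bad password !
QUIT
FI
EXPECT:12:Change password
PUT:7
SEND_ENTER
IF EXPECT:4:SELECT OPTION
PUT:X
ELSE
LOG_ERROR:Password has not been changed
LOG_SCREEN
QUIT
FI
"""


class FakeHost:
    """Constructed stand-in for the emulator (assumption): one 24x80 screen per
    state; SEND_ENTER moves between states depending on what was typed."""
    SCREENS = {  # state -> (row, col, text) fragments shown on that screen
        "login": [(3, 1, "MUSIC Userid:"), (5, 1, "Password:")],
        "bad_password": [(7, 1, "Password incorrect")],
        "menu": [(12, 1, "7  Change password")],
        "done": [(4, 1, "SELECT OPTION")],
    }

    def __init__(self, account, password):
        self.account, self.password, self.state = account, password, "login"
        self._render()

    def _render(self):
        self.screen = [" " * 80] * 24
        for row, col, text in self.SCREENS[self.state]:
            self.write(row, col, text)
        # Where typed input lands on each screen: userid field or option line.
        self.cursor = {"login": (3, 15), "menu": (24, 1)}.get(self.state, (1, 1))

    def write(self, row, col, text):
        line = self.screen[row - 1]
        self.screen[row - 1] = (line[:col - 1] + text + line[col - 1 + len(text):])[:80]
        self.cursor = (row, col + len(text))

    def field(self, row, col):
        return self.screen[row - 1][col - 1:].strip()

    def enter(self):
        if self.state == "login":
            ok = self.field(3, 15) == self.account and self.field(5, 18) == self.password
            self.state = "menu" if ok else "bad_password"
        elif self.state == "menu" and self.field(24, 1) == "7":
            self.state = "done"
        self._render()


def run_scenario(script, host, variables):
    """Run `script` against `host` and return (password_changed, log). Aborting
    on a failed plain EXPECT is an assumption; only QUIT is documented."""
    log, stack = [], []  # stack: one bool per open IF block (True = executing)
    for raw in script.splitlines():
        line = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), raw.strip())
        if not line or line.startswith("#"):
            continue  # comments and empty lines are accepted
        cmd, _, arg = line.partition(":")
        row, _, rest = arg.partition(":")  # EXPECT and MOVE_TO use "row:rest"
        active = all(stack)
        if cmd == "IF EXPECT":
            stack.append(active and rest in host.screen[int(row) - 1])
        elif cmd == "ELSE":
            stack[-1] = all(stack[:-1]) and not stack[-1]
        elif cmd == "FI":
            stack.pop()
        elif not active:
            continue
        elif cmd == "EXPECT":
            if rest not in host.screen[int(row) - 1]:
                log.append("ERROR: %r not found on screen line %s" % (rest, row))
                return False, log
        elif cmd == "MOVE_TO":
            host.cursor = (int(row), int(rest))
        elif cmd == "PUT":
            host.write(*host.cursor, arg)
        elif cmd == "SEND_ENTER":  # SEND_PFn keys are accepted and ignored here
            host.enter()
        elif cmd == "LOG_ERROR":
            log.append("ERROR: " + arg)
        elif cmd == "LOG_SCREEN":
            log.append("SCREEN cursor=%s\n%s" % (host.cursor, "\n".join(host.screen)))
        elif cmd == "QUIT":
            return False, log
    return True, log
```

With the right old password the scenario reaches the "SELECT OPTION" screen and returns `(True, [])`; with a wrong one it logs "Bad password !" and QUITs, leaving the password unchanged.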
Supported rotation
• Password
Warning:
The administrator account is required on the local domain for this plugin when the
variables $admin_login and $admin_password are specified in the scenario. This
account should be first added to the domain from the "Domain accounts" area on
the domain summary page, once the domain creation step has been completed. For
further information, refer to Section 10.3.4, “Add an account to the global or a local
domain”, page 165. Once the "Enable password change" option has been selected on the
domain modification page, select this account from the list in the "Administrator account"
field before selecting the IBM 3270 plugin in the "Password change plugin" field.
Supported rotation
• Password
• “Port”: server port number (default port: 389). This parameter is required.
• “Encryption”: encryption protocol to use: STARTTLS (default value), TLS or None. This parameter
is required.
• “Active Directory”: option to select if the password change is associated with Active Directory.
• “Network timeout”: maximum time period expressed in seconds for connection attempt to the
server.
• “Administrator Bind DN | Administrator password”: Bind DN and password of the administrator
allowed to connect to the LDAP or Active Directory. These parameters are required.
e.g. for LDAP Bind DN: “CN=administrator, DC=mycompany, DC=com”
e.g. for Active Directory Bind DN: “administrator@mycompany.com”
Warning:
If an administrator account has been set on the domain for this plugin, then the
parameters of this account will be used to connect to the LDAP or Active Directory.
Those defined in the “Administrator Bind DN” and “Administrator password” fields are
then not considered.
This account should be first added to the domain from the "Domain accounts" area on
the domain summary page, once the domain creation step has been completed. For
further information, refer to Section 10.3.4, “Add an account to the global or a local
domain”, page 165. Once the "Enable password change" option has been selected on
the domain modification page, select this account from the list in the "Administrator
account" field before selecting the LDAP plugin in the "Password change plugin" field.
• “Password attribute”: password attribute required for password change. It corresponds to the
LDAP attribute “userPassword” by default. This parameter is required.
• “User DN format”: syntax of the user DN used to specify the account concerned by password
change. By default, it corresponds to the string “CN=${USER},DC=dev,DC=example,DC=com”
where parameter “${USER}” will be replaced by the user name. This format is also used for the
administrator account which may be set on the domain for this plugin. This parameter is required.
• “Custom parameters”: additional custom attributes to be specified for password change.
These parameters may be required by the server and depend on its configuration. Each
“parameter=value” pair must be labelled on a single line.
Supported rotation
• Password
Field description
The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 160) for a device or an application are defined as follows:
• “Host”: database hostname or IP address. This parameter is only required for a global domain.
• “Port”: database port number
Supported rotation
• Password
• “Host”: database hostname or IP address. This parameter is only required for a global domain.
• “Port”: database port number
• “Service name”: database service name (SID). This parameter is required.
• “Admin mode”: connection mode for the administrator account. The relevant mode can be
selected from the list of values. This parameter is set to implement reconciliation. When
reconciliation is implemented, the password is changed and the locked account is released.
Supported rotation
• Password
Field description
The parameter to be set for this plugin during the creation/modification of a local domain for a device
only (refer to Section 10.3, “Domains”, page 160) is defined as follows:
Supported rotation
• Password
• “Host”: system hostname or IP address. This parameter is only required for a global domain.
• “Port”: system port number (SSH default port: 22)
• “Root password”: password to connect as "root".
The root account may not be able to connect to the target to perform the password change via
SSH under certain circumstances, for security reasons. In this case, the plugin will refer to the
administrator account set for the domain to connect to the target and then use the root password
via the "su" command.
When reconciliation is needed, the authentication with password or SSH key is attempted for the
administrator account.
Supported rotation
• Password
• SSH key
• SSH CA certificate
• For further information on plugin version and supported target versions, refer to Table 11.1, “Plugin
matrix - Part 1”, page 224.
The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 160) for a device are defined as follows:
• “Domain controller address”: domain controller hostname or IP address. This parameter is only
required for a global domain.
• “Administrator login and administrator password”: login and password of a privileged account
which is allowed to change passwords of other accounts. These parameters are optional but note
that WALLIX Bastion cannot define the new password of an account if the former one is unknown.
These parameters correspond to the credentials of the account selected in the "Administrator
account" field defined on the domain page (refer to Section 10.3, “Domains”, page 160) and are
set to implement reconciliation.
To allow full operation of the automatic password change process on a standalone Windows
Server, this privileged account must be included in the administrator group.
To allow full operation of the automatic password change process on a Windows Server
configured with Active Directory, this privileged account must have the "Reset password" right
set for the other accounts on the domain. For further information on how to delegate permission
to reset passwords of Active Directory user accounts, refer to
https://www.petri.com/delegate-permission-reset-ad-user-account-passwords.
Warning:
To allow full operation of the automatic password change process in WALLIX Bastion, we
strongly recommend changing the default value set for the minimum password age at the
level of the Windows password policy. This value should be set to "0".
In addition, to avoid any timeout error when performing a password change
on a target under Windows Server 2012, we recommend enabling the rule “Netlogon
Service (NP-In)” in the Windows firewall advanced settings.
Supported rotation
• Password
• The administrator account is the local administrator account or domain account with the "Reset
password" right set for the other accounts on the domain.
Warning:
To allow full operation of the password change process on a Windows service, the
installation of PowerShell 3.0 or later and the activation of WinRM are required on the
Windows server.
Field description
The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 160) for a device are as follows:
• “Name”: name of the Windows Service for which the password must be changed. This parameter
is required.
• “Transport”: transport protocol used to authenticate to the WinRM server: Kerberos (default
value), CredSSP or NTLM. This parameter is required.
Warning:
If the transport protocol defined for this plugin is Kerberos, then the fields “Kerberos
realm”, “Kerberos KDC” and “Kerberos port” must be specified on the global domain
page of the administrator account selected during the definition of the reference. For
further information, refer to Section 10.3.1, “Add a global domain”, page 162.
• “Restart the service”: option to select if the Windows Service must be restarted after the password
change. When the Windows Service is deployed on multiple Windows servers, this service is
restarted successively on each server after the password change, in order to avoid an interruption
of the service.
Supported rotation
• Password
• “Host”: device hostname or IP address. This parameter is only required for a global domain.
• “Port”: device port (SSH default port: 22).
Supported rotation
• Password
• “Host”: system hostname or IP address. This parameter is only required for a global domain.
• “Port”: SSH server port (default: 22).
Supported rotation
• Password
• Password
• “Host”: system hostname or IP address. This parameter is only required for a global domain.
• “Port”: system port (SSH default port: 22).
• “Connection Account”: account used for SSH connection.
• “Account Password”: password for SSH account.
• “Path of setpasswd.exe”: full path of setpasswd.exe in Unix format, e.g.
/drives/c/Program Files/uvnc bvba/UltraVNC/setpasswd.exe
Supported rotation
• Password
• Prerequisite: a Cygwin or an SSH connection to the Windows server hosting Ultra VNC is
necessary.
• There is a host key shared with proxies.
• For further information on plugin version and supported target versions, refer to Table 11.1, “Plugin
matrix - Part 1”, page 224.
The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 160) for a device are defined as follows:
• “Host”: system hostname or IP address. This parameter is only required for a global domain.
• “Port”: system port (SSH default port: 22)
• “Root password”: password to connect as "root".
The root account may not be able to connect to the target to perform the password change via
SSH under certain circumstances, for security reasons. In this case, the plugin will refer to the
administrator account set for the domain to connect to the target and then use the root password
via the "su" command.
When reconciliation is needed, the authentication with password or SSH key is attempted for the
administrator account.
Supported rotation
• Password
• SSH key
• An administrator account is not required on the domain if the user has access to the password command.
• The administrator account is an administrator account with "sudo", "passwd" and "pwdadm" rights.
The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 160) for a device or an application are defined as follows:
• “Host”: system hostname or IP address. This parameter is only required for a global domain.
• “Port”: system port (SSH default port: 22)
Supported rotation
• Password
• For further information on plugin version and supported target versions, refer to Table 11.1, “Plugin
matrix - Part 1”, page 224.
• “Host”: system hostname or IP address. This parameter is only required for a global domain.
• “Port”: system port (SSH default port: 22)
Supported rotation
• Password
11.2.21. F5 plugin
Field description
The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 160) for a device are defined as follows:
• “Host”: system hostname or IP address. This parameter is only required for a global domain.
• “Port”: system port (SSH default port: 22)
• “Group name”: device group name (for Sync)
Supported rotation
• Password
Warning:
All passwords for which automatic change is configured, as described in Section 10.4.5,
“Change the credentials automatically for one or several accounts”, page 179, will be
replaced. You must therefore check that the emails containing the new passwords have
indeed been received and can be decrypted. We recommend doing so by testing
the process on a single, non-administrator account.
From the “Password change policies” page on the “Password management” menu, you can list,
add, edit or delete password change policies.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
Warning:
A default password change policy called “default” is configured in WALLIX Bastion. This
policy can neither be deleted nor edited.
For example, if 0 0 * * * or @daily is entered in this field, then the password change job is set
to run once a day at midnight. For further information, refer to
https://en.wikipedia.org/w/index.php?title=Cron#CRON_expression.
Lists of values are available below this field to define this period clearly using cron syntax.
• a dropdown list to indicate whether the policy concerns a password change, an SSH key change or both
When the selected policy concerns a password change, the “Password generation” section
becomes accessible and lists the following fields:
• the password length, i.e. the number of characters the password must contain
• the number of non-alphanumeric ASCII characters (or special characters) which must be present
in the password
• the number of lowercase letters which must be present in the password
• the number of uppercase letters which must be present in the password
• the number of digits which must be present in the password
• the characters which must be excluded from the password. Once you have entered a character
in the field, click on “+” to add it to the forbidden character list. Once a character is added, you
have the possibility to delete it from the list by clicking on the “-” red icon.
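As an added example (not WALLIX code), the following Python generator and checker implement the password-generation constraints just listed; the policy field names, their defaults and the use of string.punctuation as the special-character set are assumptions of the example.

```python
"""Added example (not WALLIX code): a generator honouring the "Password
generation" policy fields listed above, and a checker for the same policy."""
import secrets
import string
from dataclasses import dataclass

SPECIALS = string.punctuation  # assumed set of non-alphanumeric ASCII characters


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed field names; the defaults are illustrative, not WALLIX defaults."""
    length: int = 16
    min_special: int = 2
    min_lower: int = 2
    min_upper: int = 2
    min_digit: int = 2
    excluded: frozenset = frozenset()  # characters forbidden in the password

    def pools(self):
        """Allowed characters per class, with the excluded characters removed."""
        raw = {"special": SPECIALS, "lower": string.ascii_lowercase,
               "upper": string.ascii_uppercase, "digit": string.digits}
        return {k: "".join(c for c in v if c not in self.excluded) for k, v in raw.items()}

    def minimums(self):
        return {"special": self.min_special, "lower": self.min_lower,
                "upper": self.min_upper, "digit": self.min_digit}


def check_password(password, policy):
    """Return the list of policy violations; an empty list means compliant."""
    pools, problems = policy.pools(), []
    if len(password) != policy.length:
        problems.append("length %d != %d" % (len(password), policy.length))
    for name, minimum in policy.minimums().items():
        have = sum(1 for c in password if c in pools[name])
        if have < minimum:
            problems.append("%s characters: %d < %d" % (name, have, minimum))
    bad = sorted(set(password) & set(policy.excluded))
    if bad:
        problems.append("excluded characters present: %r" % "".join(bad))
    allowed = "".join(pools.values())
    if any(c not in allowed for c in password):
        problems.append("character outside the allowed classes present")
    return problems


def generate_password(policy):
    """Generate one password satisfying `policy` from the OS CSPRNG (secrets)."""
    pools, minimums = policy.pools(), policy.minimums()
    if sum(minimums.values()) > policy.length:
        raise ValueError("class minimums exceed the password length")
    for name, minimum in minimums.items():
        if minimum and not pools[name]:
            raise ValueError("every %s character is excluded" % name)
    allowed = "".join(pools.values())
    if not allowed:
        raise ValueError("no allowed characters left after exclusions")
    # Draw the required characters per class first, then fill from all classes.
    chars = [secrets.choice(pools[n]) for n, k in minimums.items() for _ in range(k)]
    chars += [secrets.choice(allowed) for _ in range(policy.length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the class order is not predictable
    return "".join(chars)
```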
When the selected policy concerns an SSH key change, the “SSH key generation” section becomes
accessible and lists the following fields:
You will find below a summary table of the SSH key types and the corresponding sizes allowed:
When the selected policy concerns a password change and an SSH key change as well, both
sections become accessible and list the fields described above.
Warning:
If the target account access is not allowed for a profile, then the profile members can
neither delete nor edit a password change policy.
Credentials in the bastion are automatically sent to the user every night at 2:34 a.m. in the time
zone in which WALLIX Bastion is located (as defined in the "Time Service" page on the "System"
menu): they receive an encrypted email containing the list of all the credentials for the target groups
gathered in the Bastion, depending on the scope of the limitations set for their profile.
Furthermore, the user receives an encrypted email containing the new password and/or SSH key
for the target account whenever the latter is changed (automatically or manually), depending on
the password change and checkout policies linked to the account. For further information, refer to
Section 10.4.5, “Change the credentials automatically for one or several accounts”, page 179 and
Section 10.4.6, “Change the credentials manually for a given target account”, page 179.
Important:
The user is notified when the following conditions are fulfilled:
• a public GPG key is declared for the user (refer to Section 7.3, “Setting your
preferences”, page 38)
• the user has the right to get the list of all the credentials in WALLIX Bastion: the
"Execute" right for the "Credential recovery" feature is set in their profile (refer to
Section 9.3, “User profiles”, page 87)
• the change (either automatic or manual) must be enabled:
– at the level of the domain: a password change policy and a password change
plugin must be linked to the domain. For further information, refer to Section 10.3,
“Domains”, page 160, Section 11.3, “Password change policies”, page 239 and
Section 11.2, “Password change plugins”, page 223.
– at the level of the target account: a checkout policy must be linked to the account
and the automatic password and/or SSH key change must be set, if so. For further
information, refer to Section 10.4, “Target accounts”, page 171 and Section 10.8,
“Checkout policies”, page 205.
Note:
The email containing the list of all the credentials can be decrypted using a PGP-
compatible tool. It is then required to decrypt the attachment separately and use a CSV
or JSON-compatible tool to open the attachment in this format.
A latency period can occur when displaying the “Sessions” page in the “My authorizations”
menu due to a large volume of sessions existing in the Bastion. To improve the page
load performance, it is necessary to deselect the option “Session last connection date”
accessible from “Configuration” > “Configuration options” > “GUI (Legacy)” > section
“main”. Note that when the option “Session last connection date” is deselected, the data
in the “Last connection” column is no longer displayed.
Important:
All the IP addresses which can be set on WALLIX Bastion support both IPv4 and IPv6
formats.
The user can access the target by clicking on one of the following icons at the beginning of the
concerned line:
• : this icon allows the user to download an RDP configuration file or a shell script with the SSH
command (WALLIX-PuTTY on Windows or SSH on other systems) he/she can save to establish a
connection from an RDP or an SSH client (filename suffix .puttywab or .xsh or .rdp under Windows
and .sh or .remmina under Linux). In this case, the WALLIX Bastion password is required for the
connection.
• : “Instant access (one-time password, limited in time)”: this icon allows the user to open the file
to immediately establish a connection from an RDP client (filename suffix .rdp under Windows
and .sh or .remmina under Linux). In this case, no password is required but the access is granted
for a limited period of time. This icon is also displayed for the connection to an application.
• : “Instant access with WALLIX-PuTTY (one-time password, limited in time)”: this icon allows
the user to open the file to immediately establish a connection from an SSH client (filename suffix
.puttywab or .xsh under Windows and .sh under Linux). In this case, no password is required but
the access is granted for a limited period of time. For SSH authentication, see also Section 12.2,
“Target connection in interactive mode for SCP and SFTP protocols”, page 247.
Note:
The display of icons, and consequently the access to the file to establish a connection,
depends on the parameters set for the connection and file types related to RDP and SSH
according to the operating system via "Configuration" > "Configuration Options" > "GUI
(Legacy)", in the following fields:
243
WALLIX Bastion 10.0.5 – Administration Guide
When the authorization concerns a RAWTCPIP service, only the application WALLIX-
PuTTY allows the user to download or open the file to establish the connection (filename
suffix .puttywab). For further information on WALLIX-PuTTY, refer to Section 12.1.1,
“Specific options for SSH sessions”, page 244.
Note:
In a load balancing process, it is possible to specify the WALLIX Bastion FQDN or IP
address to which the user is redirected when accessing a target, via "Configuration"
> "Configuration Options" > "GUI (Legacy)":
• in the field "Connection file fqdn standard": when the target is accessed by downloading
the configuration file
• in the field "Connection file fqdn otp": when the target is instantly accessed with the
one-time password method.
To use the .puttywab files on Windows, the application WALLIX-PuTTY has to be downloaded and
installed from the link "Download WALLIX-PuTTY" displayed at the top of the page. This link is
only displayed when the workstation is running under Windows and the user is also authorized to
connect to at least one SSH target. The installation sets the file association so that the application
is started automatically. The installation does not require administrative privileges. However, the
installation is only operational for the logged-in user and not for all users of the workstation.
The "Options" area at the top left of the page allows the user to select the resolution and the color
depth for the RDP client window. The settings are saved for the workstation being used. Thus a user
can establish an RDP connection through a desktop or a laptop with different resolution settings
for each workstation.
For further information on RemoteApp mode, refer to Section 10.2.2, “Configure the application
launch using RemoteApp mode”, page 147.
Warning:
The RemoteApp sessions of a user connected simultaneously on one or several
applications are split by default when displayed from the "Current Sessions" and
"Session History" pages below the "Audit" menu. If the option "Rdp enable sessions
split" (accessible from "Configuration" > "Configuration Options" > "GUI (Legacy)" >
"main" section) is deselected, it may be possible to get an overlay view of these sessions.
The client Remote Desktop Connection (MSTSC) connected to Windows Server 2008
or 2012 does not allow several RemoteApp programs to share the same RDP session.
There will be as many RDP sessions created as the number of RemoteApp programs
launched.
Display issues related to the Microsoft client have been reported when using RemoteApp
mode and multiple monitors. Dysfunctions occur when the primary monitor is not located
in the upper left part of the virtual screen. The recommended workaround is to locate
the primary monitor in the upper left part of the virtual screen. Refer to
https://go.microsoft.com/fwlink/?LinkId=191444 for further information on the virtual screen.
In addition, to allow glyph support between the iOS client and the RDP proxy and thus display
text properly on the selector when accessing sessions from mobile devices, the option "Bogus ios
glyph support level" is selected by default. This parameter can be managed via "Configuration" >
"Configuration Options" > "RDP proxy" > section "client".
Moreover, as the support of Unicode character set for keyboard event is necessary to operate
the Remote Desktop Connection client under iOS, the option "Unicode keyboard event support" is
selected by default. This parameter can be managed via "Configuration" > "Configuration Options"
> "RDP proxy" > section "globals".
As the keyboard behavior for VNC sessions depends on the target server environment, options
allow the administrator to declare this environment and enable the corresponding behavior. These
options can be managed below the "vnc" section on the configuration page related to the connection
policy for the VNC protocol. This page can be accessed from "Session Management" > "Connection Policies":
Once the request is performed, the user is redirected to the "Sessions" page, where he/she can
view the status of the sent approval requests in the bottom table.
Each line provides the following information:
The user can click on the notepad icon at the beginning of the line to get a detailed view of the
request. The page provides a "Cancel request" button to cancel the approval requests which are
still valid.
Note:
A script can be called during the approval request creation, but also at the beginning and
end of each session within the request duration period, to manage the approval in an
external ticketing system. To do so, the path to this script is to be entered in the "Ticketing
interface path" field via "Configuration" > "Configuration Options" > "Global".
The script must be uploaded to the /usr/local/bin directory for which the “wabuser”
user has execution rights. To upload a file to this directory, the user must be logged in
with “root” privileges.
The script is then systematically called even if a ticket number is not specified in the
"Ticket" field. When the script writes on the standard output a ticket number expected in
format: "ticket=1234", WALLIX Bastion takes into account this number and not the one
specified in the "Ticket" field.
When this script is called, it receives as a parameter the path to a file providing all the
session information.
Example of information provided in the file during the approval request creation:
[request]
user=johndoe
target=target1@local@repo:SSH
date=2017-09-22 10:12:19
duration=300
ticket=1234
comment=I have to install patches
session_id=
session_start=0
session_end=0
target_host=
[request]
user=johndoe
target=target1@local@repo:SSH
date=2017-09-22 10:12:00
duration=300
ticket=1234
comment=I have to install patches
session_id=15ea8a529008635d5254006c3e07
session_start=2017-09-22 10:12:29
session_end=0
target_host=host1.mydomain.lan
[request]
user=johndoe
target=target1@local@repo:SSH
date=2017-09-22 10:12:00
duration=300
ticket=1234
comment=I have to install patches
session_id=15ea8a529008635d5254006c3e07
session_start=2017-09-22 10:12:30
session_end=2017-09-22 10:12:34
target_host=host1.mydomain.lan
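The following is an added example of a script for the "Ticketing interface path" hook described above; it is not WALLIX code. It assumes that the Bastion calls the script with one argument, the path to a file in the [request] key=value layout shown above, that a file may carry one or more [request] blocks, and that a "ticket=<id>" line on standard output is read back as the ticket number. The open-ticket set, the ticket identifier pattern and the acceptance policy are constructed for the example; a real hook would query the ticketing system at that point.

```python
#!/usr/bin/env python3
"""Hook script for the "Ticketing interface path" option (added example, not
WALLIX code). Assumptions: the Bastion runs it with one argument, the path to
a file in the [request] key=value layout shown above; a file may carry one or
more [request] blocks; a "ticket=<id>" line on stdout is read back as the
ticket number; the exit status is only a hint for whoever reads the logs."""
import re
import sys

# Constructed sample in the layout shown above: request creation, then session end.
SAMPLE_REQUEST_FILE = """\
[request]
user=johndoe
target=target1@local@repo:SSH
date=2017-09-22 10:12:19
ticket=1234
comment=I have to install patches
session_id=
session_start=0
session_end=0
target_host=
[request]
user=johndoe
target=target1@local@repo:SSH
date=2017-09-22 10:12:00
ticket=1234
comment=I have to install patches
session_id=15ea8a529008635d5254006c3e07
session_start=2017-09-22 10:12:30
session_end=2017-09-22 10:12:34
target_host=host1.mydomain.lan
"""

# Constructed: tickets the external ticketing system currently reports as open.
# A real hook would query that system here instead of using a fixed set.
OPEN_TICKETS = {"1234"}
# Constructed, conservative shape for a ticket id: the value is echoed back to
# the Bastion, so it is validated before it is printed.
TICKET_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def parse_request_file(text: str) -> list:
    """Parse the key=value blocks; every [request] header starts a new record.
    configparser is deliberately not used: all blocks share one section name,
    which it rejects as a duplicate section."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "[request]":
            records.append({})
            continue
        if not records or "=" not in line:
            raise ValueError(f"malformed request file line: {raw!r}")
        key, _, value = line.partition("=")  # values may contain "=" themselves
        records[-1][key.strip()] = value.strip()
    return records


def phase(rec: dict) -> str:
    """Tell the three hook moments apart from the session fields."""
    if not rec.get("session_id"):
        return "request_created"
    if rec.get("session_end", "0") == "0":
        return "session_start"
    return "session_end"


def decide(rec: dict) -> tuple:
    """Return (accepted, ticket). Constructed policy: the ticket must be
    well-formed and open in the ticketing system, otherwise nothing is echoed."""
    ticket = rec.get("ticket", "")
    if not TICKET_RE.fullmatch(ticket) or ticket not in OPEN_TICKETS:
        return False, ""
    return True, ticket


def main(argv: list) -> int:
    if len(argv) != 2:
        print("usage: ticketing_hook.py <request-file>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        records = parse_request_file(fh.read())
    status = 0
    for rec in records:
        accepted, ticket = decide(rec)
        # Audit trail goes to stderr: stdout is reserved for the "ticket=" line.
        print(f"{phase(rec)} user={rec.get('user')} target={rec.get('target')} "
              f"session_id={rec.get('session_id') or '-'} accepted={accepted}",
              file=sys.stderr)
        if accepted:
            print(f"ticket={ticket}")
        else:
            status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Only the "ticket=" line is written to standard output, because that is the channel the Bastion reads; everything else goes to standard error so that a stray log line can never be mistaken for a ticket number. The page does not say how the Bastion treats the script's exit status, so the policy above only withholds the ticket line when the ticket is unknown or malformed.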
Examples:
Login: “wabuser”: no additional prompt
Login: “wabuser?”: target password is prompted
Login: “wabuser?p”: target password is prompted
Login: “wabuser?l”: target login is prompted
Login: “wabuser?lp”: target login is prompted first then target password is prompted
The password is required when the authentication method PASSWORD_INTERACTIVE has been
selected at the level of the connection policy associated with the target (for further information, refer
to Section 12.4, “Connection policies”, page 261).
Note:
The generic term "connection" will be used throughout this section to refer to both SSH
and RDP connections.
At the top of the page, the auditor can choose to enable/disable automatic refresh of current session
data. When the corresponding option is enabled, the auditor can set the refresh frequency. This may be
particularly useful when selecting the active connections to close.
Each line provides the following information:
Note:
Specific keywords must be entered in the “Search:” field above the table header to
search for RDP sessions:
– the rdp:app keyword to search for application sessions
– the rdp:notapp keyword to search for sessions which are not application sessions
The auditor can also close one or more connections on this page: to do so, it is necessary to check
the box at the beginning of the line(s) to select the related connection(s), then click on the red
icon, on the column header, to close the corresponding connection(s). WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently closing the connection(s).
Users connected through RDP or SSH are then informed that the connection has been closed by
the administrator, as shown below:
Note:
When closing a connection, the auditor can prevent the local user from connecting again.
This action can be set via "Configuration" > "Configuration Options" > "GUI (Legacy)",
then select the option "Audit kill session lock user". This option is deselected by default:
the function is disabled.
The auditor can click on the magnifying glass icon at the beginning of the concerned line in the
list to open a window to view the session in real-time. He/she can click again on this icon to close
the window.
Note:
The auditor can view the current SSH session even if the session recording option has
not been enabled at the level of the authorization defined for the user group and the target
group.
In the context of an RDP session, the auditor can enable the “Allow rt without recording”
option accessible from “Configuration” > “Configuration options” > “RDP proxy” > section
“video” to view the current RDP session for which the session recording option has not
been enabled in the authorization defined for the user group and the target group.
By enabling the “Enable osd 4 eyes” option accessible from “Configuration” >
“Configuration options” > “RDP proxy” > section “client”, a message is displayed for the
user to inform him/her that the session is being audited as soon as the auditor starts
viewing the RDP session in real-time.
Warning:
Session sharing and remote control on RDP current sessions are available through
WALLIX Bastion for targets under Windows Server 2012 and later versions supporting the
"Remote Desktop Shadowing" feature for remote control.
The advanced configuration option “Session shadowing support” (accessible from
"Configuration" > "Configuration Options" > "RDP proxy" then section "mod_rdp") must
be enabled to allow session sharing and remote control on RDP current sessions through
WALLIX Bastion.
During this process, the auditor's session is recorded only if the user's session is also
recorded.
Note:
Only a single remote control request can be sent during the user's session.
The auditor will not be able to remotely control the user's session as long as the latter
has not accepted the request on the dedicated window.
From the "Session History" page on the "Audit" menu, the auditor can view the history of all
connections to targets made through WALLIX Bastion and also visualize the session recordings
(refer to Section 12.3.5, “Session recordings”, page 252).
Caution:
An auditor with limitations set on their profile can see the session history only if they are
allowed to view the authorization set for the session. This authorization is defined for a
user group and a target group they are allowed to view.
Warning:
This page shows only the closed sessions on targets. To get the view on the current
sessions, refer to Section 12.3.1, “Current sessions”, page 248.
This page does not show user authentications and thus user authentication failures
due to access rights. To get this information, refer to Section 12.3.8, “Authentication
history”, page 258. SIEM messages provide more information on authentications and
access rights. For further information, refer to Chapter 17, “SIEM messages”, page 331.
• the user name and source IP for the connection (set as follows: name@ipsource)
• the target accessed (set as follows: account@target:service)
• the target host or IP
• the source and destination protocols
Note:
Specific keywords must be entered in the “Search:” field above the table header to
search for RDP sessions:
– the rdp:app keyword to search for application sessions
– the rdp:notapp keyword to search for sessions which are not application sessions
Note:
The file size of the session recording is not displayed when the session has been initiated
from a version earlier than WALLIX Bastion 6.2.
• an icon representing the result of the connection. In the event of a failure, an auditor can get
more detail on the connection issue (e.g. wrong password, authentication to target failed, target
resource not available, session killed by the administrator or by a “Kill” action, etc.) by clicking
on the icon. This description can be updated if needed. In case of success, an auditor can add a
description in a dedicated area by clicking on the icon. The addition of comments into this area
is logged in the WALLIX Bastion audit log (i.e. "wabaudit"). For further information regarding this
log, refer to Section 8.5, “System logs”, page 49.
• the icon is displayed when the session has been shared between the user and the auditor
with remote control. The information can then be displayed by hovering the mouse over the icon:
it corresponds either to the auditor's remote control session or the user's controlled session.
Filters can be defined on the top of the page to facilitate the search and restrict the display to relevant
records. The available filters are based on:
• a selection of the display: either all data, only the existing devices or only the existing applications
• the definition of a period
• the definition of the last N days
• a search for text occurrences in the columns. For further information, refer to Section 6.5.1,
“Search data”, page 32.
Note:
Only the last 1,000 records are displayed in the Web user interface. The occurrence filter
is applied to these 1,000 records. Older sessions can only be retrieved through the date
range filter.
Some icons may be displayed at the beginning of the lines to allow specific actions:
• : this icon allows the auditor to download the session recording in the unprocessed format
ttyrec for the SSH session or in the pcap format (which can be viewed with the packet analyzer
Wireshark) for the RAWTCPIP session
• : this icon allows the auditor to download the visible content of the SSH session in a flat text
format (txt)
• : this icon allows the auditor to display the page to view the recording of the session. A
viewer then allows the auditor to go through the session video. The session information is displayed
at the top of the page.
When viewing an SSH session, it is possible to get the transcription of the video and the session
metadata but also download the files transferred during the session in the dedicated areas below
the viewer.
Note:
When replaying the video of a RemoteApp application session, the area of the
content displayed in the RDP viewer can be set. This parameter can be managed
from "Configuration" > "Configuration Options" > "RDP proxy" then below section
"video", select the appropriate value in "Smart video cropping".
The recording for a session based on the RDP protocol includes both video and
automatic OCR of the applications running on the remote machine by detecting title
bars.
The algorithm used to detect the title bar content is very fast and thus allows real-time
execution. However, it only works with "Windows Standard" windows and a default
font size at 96 PPP (DPI) with a colour depth of 15 bits or more (15, 16, 24 or 32 bits; it does
not work in 8-bit mode). In its current version, the OCR function will not work if the
title bar style is changed, even to a style that is visually very similar, for example to
"Windows classic", or if the title bar colour, style, font size or resolution is changed. In
addition, OCR is configured to detect only the title bars of applications closed using
the three icons: close icon, minimize icon and maximize icon. If the title bar contains
an icon, this will generally be replaced by question marks before the recognized text.
and displayed in this area. It is then possible to click on the entries in this list to browse quickly
through the film in the viewer.
On the "Activity" column, the auditor can click on "Show" to view the activity history for the account
on a dedicated page. This page displays a table listing the check-in and checkout operations on
the account's credentials recorded at a given date and time.
Caution:
An auditor with limitations set on their profile can see the activity history for the account
only if they are allowed to view both groups in the authorization set to view the account's
credentials.
On the "History" column, the auditor can click on "Show" to view the password change history for
the account on a dedicated page. This page displays information related to the password or SSH
key changes for the account at a given date and time.
Caution:
An auditor with limitations set on their profile can see the password change history for
the account only if they are allowed to view the related account.
On the "Actions" column, the "Force check-in" option is available for the accounts which are checked
out by users. The auditor can click on this option to check in the credentials for the related account.
Note that the current RDP or SSH session will not be closed when the account's credential check-in
is forced.
Note:
The "Force check-in" option is always available for the accounts defined on a global
domain associated with an external password vault. In this case, the "External vault"
column contains a check mark for the relevant accounts.
• checkout
• checkout duration extension
• check-in and automatic check-in
• forced check-in
This information can be sent to a SIEM software if the routing is configured on WALLIX Bastion.
For further information, refer to Section 8.9, “SIEM integration”, page 54.
Note:
Some system logs saved in partition /var/log are stored for a maximum time period
of 5 weeks.
When the auditor displays the detail of a "pending" request, this action is logged in the WALLIX
Bastion audit log (i.e. "wabaudit"). For further information regarding this log, refer to Section 8.5,
“System logs”, page 49.
Caution:
An auditor with limitations set on their profile can see the approval history only if they are
allowed to view the authorization set to demand an approval request. This authorization
is defined for a user group and a target group they are allowed to view.
Filters can be defined on the top of the page to facilitate the search and restrict the display to relevant
records. The available filters are based on:
Note:
Only the last 1,000 records are displayed in the Web user interface. The occurrence filter
is applied to these 1,000 records. Older sessions can only be retrieved through the date
range filter.
A click on the notepad icon at the beginning of the line allows the auditor to get a detailed view
of the request.
Filters can be defined at the top of the page to facilitate searches and restrict the display to relevant
data. The available filters are based on:
Note:
Only the last 1,000 records are displayed in the Web interface. The occurrence filter is
applied to these 1,000 records. Older sessions can only be retrieved by defining a date
range.
Note:
Authentication attempts with an expired OTP are not attributed to a user and are logged
as [unknown username].
At the top left of the page, the auditor can select the type of statistical information he/she wishes to
view in the list of values: either "Statistics" or "Unused resources".
If "Statistics" (the default) is selected by the auditor, the display can be restricted to the most/least
frequently occurring events (target connections by device, by user, by date, etc.): a maximum
of 35 elements can be displayed.
Filters can be defined at the bottom of the page to facilitate the search and restrict the display to
relevant records. The available filters are based on the selection among the WALLIX Bastion users
and/or devices and/or targets.
Once the charts have been generated, the auditor can click on those related to the WALLIX Bastion
and target connections to get the corresponding detail on the "Authentication History" page (refer
to Section 12.3.8, “Authentication history”, page 258) or the "Session History" page (refer to
Section 12.3.4, “Session history”, page 250).
A table in the header of the generated graphs lists the selected filters, and a button below the graphs
allows the auditor to download a .csv file presenting the related data.
If "Unused resources" is selected by the auditor, he/she can view the unused users or targets for a
given period of time. This period may be a date range or a number of days before the current date.
The data can either be displayed as a list directly on the current page or downloaded as a .csv file.
The mechanisms available for RDP, VNC, SSH, TELNET, RLOGIN and RAW TCP/IP protocols are
predefined in WALLIX Bastion and can neither be deleted nor edited.
On each of these pages, a useful description can be displayed for all the fields by selecting the check
box of the "Help on options" field on the right of the page. This description includes the required
format to be specified when entering data in the concerned field.
Warning:
The specific options displayed when the check box of the "Advanced options" field at
the top right of the page is selected should ONLY be changed upon instructions from
the WALLIX Support Team! An icon representing an exclamation mark on an orange
background is displayed near the concerned fields.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
• the definition of a transformation rule to get a login for secondary connection. For further
information, refer to Section 12.7, “Transformation rule to get a login for secondary
connection”, page 267.
• the definition of a transformation rule to get the credentials of an account in the vault. For further
information, refer to Section 12.8, “Transformation rule to retrieve the credentials of an account
in the vault of WALLIX Bastion”, page 267.
For the connection policies based on the TELNET or RLOGIN protocols, a sequence of commands
must be entered in the "Scenario" field to define an authentication. A connection scenario is defined
by default but it can be modified. For further information, refer to Section 12.16, “TELNET/RLOGIN
connection scenario on a target device”, page 275.
For the connection policies based on the SSH protocol, a startup scenario can be entered in the
"Scenario" field (below the "startup scenario" section) to perform specific actions at the beginning
of the session. For further information, refer to Section 12.19, “SSH startup scenario on a target
device”, page 278.
The session probe can be enabled for the connection policies based on the RDP protocol. For
further information, refer to Section 12.22, “Using the session probe mode”, page 283.
For the connection policies based on the VNC protocol, an SSH tunnel can be created to secure
the connections to VNC sessions. For further information, refer to Section 12.18, “Connecting to
a VNC session over an SSH tunnel”, page 277.
Figure 12.14. "Connection Policies" page in addition mode for RLOGIN protocol
The fields in this page are the same as those in the connection policy creation page, except the
"Protocol" field which cannot be accessed.
Warning:
If the target account access is not allowed for a profile, then the profile members can
neither delete nor edit a connection policy.
From the "Connection Policies" page, check the box at the beginning of the line(s) to select the
related policy(ies), then click on the trash icon to delete the selected line(s). WALLIX Bastion
displays a dialogue box requesting a confirmation before permanently deleting the line(s).
Warning:
You cannot delete a connection policy when the latter is linked to a device (at the level
of the service on the "Devices" page). For further information on how to link a connection
policy on a device, refer to Section 10.1.1, “Add a device”, page 135.
If the target account access is not allowed for a profile, then the profile members can
neither delete nor edit a connection policy.
These records can be viewed from the "Session History" page on the "Audit" menu. For further
information, refer to Section 12.3.4, “Session history”, page 250 and Section 12.3.5, “Session
recordings”, page 252.
The encrypted recordings can only be read by the WALLIX Bastion instance which created them.
The encryption algorithm used is AES 256 CBC. Signature is done by calculating an HMAC SHA
256 fingerprint. The fingerprint is checked at playback.
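As an added illustration of the playback-side check described above (this is example code, not the Bastion's implementation): the recording's ciphertext is fingerprinted with HMAC-SHA256 and the fingerprint is verified, in constant time, before anything is decrypted, so a recording whose bytes or tag were altered, or one sealed by another instance's key, is refused. The AES-256-CBC layer itself is not reproduced; the ciphertext bytes, the master key, the MAC-key derivation and the "ciphertext followed by a 32-byte tag" framing are constructed assumptions.

```python
"""Playback-side integrity check for an encrypted session recording (added
example, not the Bastion's implementation). Shows the encrypt-then-MAC
layering described above: an HMAC-SHA256 fingerprint over the AES-256-CBC
ciphertext, verified before anything is decrypted. The AES layer is not
reproduced; the ciphertext bytes, the master key, the MAC-key derivation and
the "ciphertext || 32-byte tag" framing are constructed assumptions."""
import hashlib
import hmac
import os

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def derive_mac_key(master_key: bytes) -> bytes:
    """Derive a dedicated MAC key so the encryption key is never reused for
    HMAC (assumed construction: HMAC of a fixed label under the master key)."""
    return hmac.new(master_key, b"recording-hmac-key", hashlib.sha256).digest()


def seal_recording(master_key: bytes, ciphertext: bytes) -> bytes:
    """Append the HMAC-SHA256 fingerprint of the ciphertext (encrypt-then-MAC)."""
    tag = hmac.new(derive_mac_key(master_key), ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_recording(master_key: bytes, sealed: bytes) -> bytes:
    """Return the ciphertext for decryption only if the fingerprint matches.
    compare_digest runs in constant time, so a tag cannot be guessed byte by
    byte from timing; any mismatch refuses playback before decryption."""
    if len(sealed) < TAG_LEN:
        raise ValueError("recording too short to carry a fingerprint")
    ciphertext, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(derive_mac_key(master_key), ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("recording fingerprint mismatch: refusing playback")
    return ciphertext


def tamper_detected(master_key: bytes, sealed: bytes, offset: int) -> bool:
    """Flip one bit at `offset` (body or tag) and report whether playback is refused."""
    forged = bytearray(sealed)
    forged[offset] ^= 0x01
    try:
        open_recording(master_key, bytes(forged))
    except ValueError:
        return True
    return False


def demo() -> tuple:
    """Constructed run: a per-instance master key and four opaque AES blocks."""
    master_key = os.urandom(32)
    ciphertext = os.urandom(16 * 4)
    sealed = seal_recording(master_key, ciphertext)
    intact = open_recording(master_key, sealed) == ciphertext
    body_tamper = tamper_detected(master_key, sealed, 5)
    tag_tamper = tamper_detected(master_key, sealed, len(sealed) - 1)
    try:  # another instance's key must not be able to validate this recording
        open_recording(os.urandom(32), sealed)
        foreign_key_rejected = False
    except ValueError:
        foreign_key_rejected = True
    return intact, body_tamper, tag_tamper, foreign_key_rejected


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

The order matters: the fingerprint is computed over the ciphertext and checked before decryption, so a corrupted or forged recording never reaches the decryption or playback code, and a separate MAC key keeps the encryption key out of the HMAC computation.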
All application protocols based on TCP for the transport layer in the Open Systems Interconnection
model (OSI model) can be managed by Universal Tunneling. An SSH tunnel is used between
the user's workstation and WALLIX Bastion to encrypt and protect the data. For each Universal
Tunneling session, a PCAP file can be generated to ensure traceability after the session.
12.6.1. Prerequisites
UT sessions are compatible with the user workstations running under:
• Windows XP, Windows 7, Windows 8, Windows 10 for the redirection to the local address mode
and the redirection to a temporary interface mode
• any Linux distribution with OpenSSH, only for the redirection to the local address mode
The targets must have a port open on the network for a TCP-compatible protocol.
• the redirection to the local address: the fat client must be configured to redirect its traffic to the local
address (127.0.0.1) and a user-defined access port. The traffic will then be redirected through
the SSH tunnel. This mode does not require any specific privileges from the user.
• the redirection to a temporary interface: the fat client does not need to be configured as a
temporary network interface will be created on the user's workstation using the IP of the target.
The traffic sent on this interface will then be redirected through the tunnel. This mode requires
specific privileges from the user.
Note:
By enabling this option, the target address of each packet now matches the IP
address of the NAT in the PCAP file.
1. Add a device with a RAWTCPIP service whose port is the opened port on the target that
is usually accessed by the fat client. For further information, refer to Section 10.1.1, “Add a
device”, page 135.
Examples:
If the target is the MySQL database exposed on 192.168.0.1:3306 and accessible from a
MySQL client, the IP address of the device will be 192.168.0.1 and the port of the RAWTCPIP
service will be 3306.
If the target is behind a NAT (Network Address Translation) solution, a specific connection policy
must be configured. For further information, refer to Section 12.6.2.2, “NAT (Network Address
Translation)”, page 265.
12.6.4. Audit
The Universal Tunneling session can be recorded. Session recordings can be viewed at the end of
the session. For further information, refer to Section 12.3.5, “Session recordings”, page 252.
The recording of a Universal Tunneling session consists of a PCAP file containing all the traffic
exchanged between the user's client and the target through the session. This PCAP file can be
analyzed with a packet analyzer such as Wireshark, a free and open-source tool.
• the client address of each packet is filled in with the IP of the system from which the tunnel was
established (the IP of the user's workstation, or the IP of the Access Manager in the case of a
session initiated from WALLIX Access Manager)
• the remote address of each packet is filled in with the IP of the target or with the NAT IP of the
configured option (refer to Section 12.6.2.2, “NAT (Network Address Translation)”, page 265)
Note that if the data transmitted above the TCP layer is encrypted between the user and the target,
this data will appear encrypted in the PCAP file.
• a user account login if the target account is included in a group configured for account
mapping (for further information, refer to Section 10.5.1.4, “Configure a target group for session
management through account mapping”, page 185)
• a login of an account in the vault of WALLIX Bastion if the target account is included in a group
configured for session management from accounts in the vault (for further information, refer to
Section 10.5.1.2, “Configure a target group for session management from an account in the
vault”, page 184).
This rule is set in the "Transformation rule" field on the configuration page for the related connection
policy, accessible from "Session Management" > "Connection Policies".
The character string includes the required field ${LOGIN} and possibly the optional field ${DOMAIN}
in an LDAP mapping context.
The transformation rule returns the string and replaces the fields ${LOGIN} and ${DOMAIN} with
the appropriate values (i.e. the login and domain).
The result corresponds to the login for connection on the target.
Note:
The transformation rule defined is ignored if the target account is included in a
group configured for interactive login (for further information, refer to Section 10.5.1.5,
“Configure a target group for session management through interactive login”, page 186).
• the target account is in a group configured for account mapping (for further information,
refer to Section 10.5.1.4, “Configure a target group for session management through account
mapping”, page 185)
• the PUBKEY_VAULT and/or PASSWORD_VAULT authentication method must be selected in the
connection policy associated with the target
This rule is set in the “Vault transformation rule” field on the configuration page of the connection
policy, accessible from “Session management” > “Connection policies”.
The character string can include the following fields:
A regular expression (or “regex”) can be specified for the transformation using this syntax:
${USER:/regex/substitution}. For example, all user logins starting with “A” will have that leading “A”
replaced by “B” if the ${USER} variable is specified as follows: ${USER:/^A/B}.
The transformation rule returns the string and substitutes the fields with the appropriate values.
The result corresponds to the account in the vault for which the credentials are to be retrieved. This
result can be viewed on the “Syslog” page in the “System” menu.
There are two types of accounts in the vault: local domain account and global domain account.
Their syntax is defined as follows:
If the login of the user is “bastion_user1” and the device of the target in account mapping is
“winprod”, then the result of the transformation is the vault account: user1@local@winprod.
${USER:/^adm_/adm_domain1_}@domain1
If the login of the user starts with “adm_”, “adm_” is then substituted by “adm_domain1_” and
“@domain1” is added to the end of the login. Thus, if a user login is “adm_jdoe” then the result of
the transformation is the global domain account “adm_domain1_jdoe@domain1” in the vault.
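As an added illustration of the ${FIELD:/regex/substitution} syntax above (example code written for this page, not part of WALLIX Bastion), the following Python function expands the documented fields of a transformation rule; it assumes Python re.sub semantics for the substitution and that the caller supplies the field values (here "USER", "LOGIN" and "DOMAIN").

```python
import re

# Field syntax documented on the page: ${FIELD} or ${FIELD:/regex/substitution}.
# Group 1 is the field name, group 2 the regex (up to the next "/"), group 3 the substitution.
FIELD_RE = re.compile(r"\$\{(\w+)(?::/((?:\\.|[^/])*)/((?:\\.|[^}])*))?\}")


def apply_transformation_rule(rule: str, fields: dict) -> str:
    """Expand every ${FIELD...} in `rule` from the `fields` mapping.

    Assumption: the substitution follows Python re.sub semantics, i.e. every match of
    the regex in the field value is replaced, and "\\1"-style back-references in the
    substitution refer to groups of the regex. Unknown fields are an error rather than
    being silently left in place, so a typo in a rule cannot produce a surprising account name.
    """
    def expand(match):
        name, regex, subst = match.group(1), match.group(2), match.group(3)
        if name not in fields:
            raise KeyError(f"rule references unknown field ${{{name}}}")
        value = fields[name]
        if regex is None:        # plain ${FIELD}: the value is inserted as-is
            return value
        return re.sub(regex, subst, value)

    return FIELD_RE.sub(expand, rule)


def vault_account_for(bastion_login: str, rule: str) -> str:
    """Vault account selected by a vault transformation rule for a given Bastion user login."""
    return apply_transformation_rule(rule, {"USER": bastion_login})


if __name__ == "__main__":
    # The two worked examples from the guide
    print(vault_account_for("adm_jdoe", "${USER:/^adm_/adm_domain1_}@domain1"))  # adm_domain1_jdoe@domain1
    print(apply_transformation_rule("${USER:/^A/B}", {"USER": "Alice"}))          # Blice
```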
The files which can be verified are those transferred via subprotocols SFTP and SCP
(SFTP_SESSION, SSH_SCP_UP and SSH_SCP_DOWN) during SSH session and from the copy/
paste function via the clipboard (RDP_CLIPBOARD_FILE) during RDP session.
File verification does not interfere with file transfer. The status returned by the ICAP server is logged:
• in the session metadata displayed from the "Session History" page on the "Audit" menu,
in the "Session metadata" area. For further information, refer to Section 12.3.4, “Session
history”, page 250 and Section 12.3.5, “Session recordings”, page 252.
• in SIEM messages, if the routing to a SIEM software is configured on WALLIX Bastion. For
further information, refer to Section 8.9, “SIEM integration”, page 54 and Chapter 17, “SIEM
messages”, page 331.
• for the files transferred as an “upload” operation from client to server (e.g. an antivirus software)
and
• for the files transferred as a “download” operation from server to client (e.g. a DLP solution)
The settings of ICAP servers can be defined from "Configuration" > "Configuration Options" > "RDP
proxy" (for RDP protocol) or "SSH proxy" (for SSH protocol) within the following sections:
• [icap_server_up] to configure the ICAP server for files transferred as an “upload” operation and
• [icap_server_down] to configure the ICAP server for files transferred as a “download” operation
• “Enable up”: option to select to enable verification of files transferred as an “upload” operation
by the ICAP server. The latter is configured in section [icap_server_up] from the configuration
options of the related proxy (accessible from "Configuration" > "Configuration Options" > "RDP
proxy" or "SSH proxy").
• “Enable down”: option to select to enable verification of files transferred as a “download” operation
by the ICAP server. The latter is configured in section [icap_server_down] from the configuration
options of the related proxy (accessible from "Configuration" > "Configuration Options" > "RDP
proxy" or "SSH proxy").
When the connection policy is defined on the RDP protocol, the section [file_verification] also
allows the following parameters to be entered:
• “Clipboard text up”: option to select to enable verification of text transferred as an “upload”
operation from the copy/paste function via the clipboard by the ICAP servers. The “Enable up”
option must be selected to allow this verification.
• “Clipboard text down”: option to select to enable verification of text transferred as a “download”
operation from the copy/paste function via the clipboard by the ICAP servers. The “Enable down”
option must be selected to allow this verification.
To do so, on the configuration page for the related connection policy, the parameters to be entered
in section [file_verification] are as follows:
• “Block invalid file up”: option to select to block file transfer for an “upload” operation when files
have been detected as invalid during verification
• “Block invalid file down”: option to select to block file transfer for a “download” operation when
files have been detected as invalid during verification
Note:
Session recording must be enabled for the authorization defined (see Section 14.1, “Add
an authorization”, page 301) to allow the auditor to view and download the transferred
files from the "Session History" page on the "Audit" menu.
Note:
The smart card authentication is only possible for the connection to targets through the
interactive login mechanism.
• select the “RDP SMARTCARD” proxy option for the RDP service associated with the related
device from the menu “Targets” > “Devices” then “Services” tab
• select the “Force smartcard authentication” option accessible from “Session management” >
“Connection policies” > “RDP”, [rdp] section.
Warning:
After enabling this option, Network Level Authentication (NLA) will be disabled.
The credentials of a possible associated target account can no longer be used.
12.12.2. Procedure
12.12.2.1. Add the global domain
1. Create a global domain. This global domain will manage the global accounts which will be
used on AD silo: the privileged user account and the service account. To do so, from the
menu “Targets” > “Domains”, click on “+ Add a global domain”. For further information, refer to
Section 10.3.1, “Add a global domain”, page 162.
2. Enter the corresponding fields. As an example, enter “ad-win2019” in the “Name” field and
“example.com” in the “Real name” field.
3. Click on “Apply”.
5. Enter the corresponding fields to create the service account. As an example, enter “service-t0”
in the “Account name” field and “service-t0$” in the “Account login” field.
Warning:
Add the “$” symbol at the end of the service account login to identify this account as
a Bastion service account.
6. Click on “Apply”.
Warning:
To create a Kerberos external authentication, the keytab file must be valid. This file
is generated on the key distribution center described above.
4. Click on “Apply”.
2. Enter the corresponding fields in the “General” tab. As an example, enter “server2019” in the
“Name” field and “server2019.example.com” in the “IP address or FQDN” field.
3. Click on “Apply”.
4. Add a service in the “Services” tab by clicking on the “+ Add [RDP]” button.
5. Enter the “Service name” field and the “Connection policy” field in accordance with the RDP
connection policy previously created for silo.
6. Click on “Apply and close”.
Dynamic virtual channels can be opened during the connection to the RDP session to transfer any
type of data.
It is possible to configure the dynamic virtual channels which can be allowed or rejected during the
RDP session.
These channels can be specified in the fields "Allowed dynamic channels" and "Denied dynamic
channels" below the "rdp" section on the configuration page related to the RDP connection policy.
This page can be accessed from "Session Management" > "Connection Policies".
By default, all dynamic virtual channels are allowed. The configuration in the field "Denied dynamic
channels" has precedence over the one set in the field "Allowed dynamic channels".
When attempting to open a dynamic virtual channel, the information related to its authorization or
rejection is logged:
• in the session metadata displayed from the "Session History" page on the "Audit" menu,
in the "Session metadata" area. For further information, refer to Section 12.3.4, “Session
history”, page 250 and Section 12.3.5, “Session recordings”, page 252.
• in SIEM messages, if the routing to a SIEM software is configured on WALLIX Bastion. For
further information, refer to Section 8.9, “SIEM integration”, page 54 and Chapter 17, “SIEM
messages”, page 331.
Warning:
Rejecting dynamic virtual channels may disturb RDP connections.
This full log can be enabled by selecting the option "Log all kbd" on the configuration page for the
related connection policy, accessible from "Session Management" > "Connection Policies".
When this option is disabled, then only keyboard input displayed on the terminal is logged.
This information can be viewed from the "Session History" page on the "Audit" menu, in the "Session
metadata" area. For further information, refer to Section 12.3.4, “Session history”, page 250 and
Section 12.3.5, “Session recordings”, page 252.
Warning:
When this option is enabled, the passwords entered during session are logged and then
displayed as plain text.
An authentication sequence can be declared by specifying the "Scenario" field on the configuration
page related to the connection policy for the TELNET or RLOGIN protocol. This page can be
accessed from "Session Management" > "Connection Policies". For further information, refer to
Section 12.4, “Connection policies”, page 261.
This sequence can be used to interpret commands sent by an interactive shell and to automate
logon. This pseudo language includes the following syntax:
The following sequence (supported on a 3Com Superstack switch accessible via TELNET):
SEND:\r\n
EXPECT:(?i)login:
SEND:$login\r\n
EXPECT:(?i)Password:
SEND:$password\r\n
is interpreted as follows:
This sequence should also work for TELNET servers running under Windows.
For TELNET servers running under Unix or Linux, you should rather use the following sequence:
EXPECT:(?i)login:
SEND:$login\n
EXPECT:(?i)Password:
SEND:$password\n
For RLOGIN devices, only the password is expected. As an example, the following authentication
sequence has been tested for a RLOGIN connection to a Debian 5.0 lenny system:
EXPECT:(?i)Password:
SEND:$password\n
Note:
As a rule of thumb, login is already provided for SSH connections (in keyboard interactive
mode) and RLOGIN connections. It is necessary to provide it in the sequence only for
TELNET connections.
Warning:
This section is displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. It should ONLY be changed upon instructions from
the WALLIX Support Team!
• “Tls min level”: minimum TLS version level supported. By default, no minimum level is set in this
field to ensure highest compatibility with target servers.
• “Tls max level”: maximum TLS version level supported. By default, no maximum level is set in
this field to ensure highest compatibility with target servers.
• “Cipher string”: additional cryptographic algorithms used for TLSv1.2 connections supported
by client. By default, no value is specified in this field to apply system-wide configuration
corresponding to SSL security level 2. The value “ALL” must be set to support all cryptographic
algorithms and ensure highest compatibility with target servers.
• “Show common cipher list”: option to select to show in log files the list of common algorithms
supported by client and server
The VNC connection over an SSH tunnel can be enabled from the configuration page related to the
connection policy for the VNC protocol. This page can be accessed from “Session management” >
“Connection policies” > “VNC” > section [vnc_over_ssh].
• “Enable”: this check box allows you to enable or disable the VNC connection over an SSH tunnel.
By default, this option is disabled.
• “Ssh port”: the SSH port number to establish the connection. By default, the port is 22 and can
be modified if needed.
• “Tunneling credential source”: the source of the credentials needed to create and establish the
SSH tunnel; either the credentials of the connection policy (“static_login”) or the credentials of
the scenario account (“scenario_account”)
• “Ssh login” and “Ssh password”: the credentials of the SSH server provided in the connection
policy to be entered when the “static_login” option is selected in “Tunneling credential source”
• “Scenario account name”: the name of the scenario account to be entered when the
“scenario_account” option is selected in “Tunneling credential source”. The recommended
syntaxes for this field are:
– “account@global_domain” for a scenario account on a global domain
– “account@local_domain@” for a scenario account on a local domain
Important:
It is recommended to associate the global domain (when not associated with an
external vault) or the local domain (domain type “Local for a device”) with an SSH
Certificate Authority to use the certificate-based authentication. If the association has
not been made, the key-based authentication will be used. For more information, refer
to Section 10.3.1, “Add a global domain”, page 162.
For example, it can be used at the beginning of the SSH Shell session to grant the user "root"
privileges with the "su" and "sudo" commands without the user knowing the password.
Note:
A startup scenario can also be used for Shell sessions on TELNET and RLOGIN
protocols. It can be declared by specifying the “Scenario” field below the “startup
scenario” section on the configuration page related to the connection policy defined for the
TELNET or RLOGIN protocol. This page can be accessed from “Session management”
> “Connection policies”.
12.19.1. Commands
A scenario is a sequence of commands separated by a carriage return: a line of the scenario
corresponds to a command.
A command is defined by a type and value pair separated by a colon (':'): TYPE:VALUE.
A command starting with # is ignored.
This startup scenario consists of a sequence of commands based on response request and data
sending. These commands are executed at the beginning of a Shell session related to an SSH
target. The syntax includes the following commands:
• SEND: this command sends the associated value to the server and goes ahead with the
scenario.
The associated value may include a token (refer to Section 12.19.2, “Token”, page 279).
See the example below to send the interactive "sudo" command:
SEND:exec sudo -i
• EXPECT: this command waits for a response from the server in relation to the associated value
before continuing the execution of the scenario.
The associated value is a regular expression. It may include a token (refer to Section 12.19.2,
“Token”, page 279) which will be interpreted before the regular expression. This value must be
labelled in the server's language.
See the example below to wait for a command prompt:
EXPECT:.*@.*:~$
If after a given period of time, no response from the server corresponds to the associated value,
then the scenario fails.
Warning:
If no EXPECT command is used, the scenario will execute the SEND command once the
connection is established and will not wait for a data output.
If sensitive data is used, it is strongly recommended to use EXPECT commands.
Even if the “Show output” box is unchecked, it is necessary to use the EXPECT command
to avoid displaying data output in the terminal.
12.19.2. Token
The value of a command may include a token.
A token is a part of the value which will be replaced by an attribute provided by the SSH proxy or
WALLIX Bastion.
A token is represented by the following syntax: ${type} or ${type:param} and is defined by a
type and an optional parameter.
The following token types can be used: login, password and user.
If a parameter is provided, it specifies the account in WALLIX Bastion for which the parameters
("login" and "password") are to be retrieved.
It is also possible to use placeholder attributes in the token parameter to specify a given scenario
account. The following placeholder attributes can be used:
SEND:exec sudo -i
EXPECT:password.*:
SEND:${password}
See the example below of a script for switching user on a "root" account on the same device using
the "su" command:
SEND:exec su - root
EXPECT:Password:
SEND:${password:root@local@}
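The following Python interpreter is an added example (not WALLIX code) that covers both the TELNET/RLOGIN authentication sequences described earlier and the SEND/EXPECT startup scenario with tokens: it parses the TYPE:VALUE lines, resolves tokens from a constructed account table standing in for the vault, and runs them against a scripted stand-in server, so that a failed EXPECT stops the scenario before a password is sent. The treatment of \r\n as escape sequences, the meaning of the user token, the default scenario account and the scripted server are assumptions made for this example.

```python
import re
from collections import deque

# Token syntax documented on the page: ${type} or ${type:param}, type in login/password/user.
# The bare $login / $password spelling of the TELNET and RLOGIN sequences is accepted too.
TOKEN_RE = re.compile(r"\$\{(login|password|user)(?::([^}]+))?\}|\$(login|password)\b")


class ScenarioError(Exception):
    """An EXPECT got no matching output from the server: the scenario fails."""


def parse_scenario(text):
    """Split scenario text into (TYPE, VALUE) pairs; blank lines and '#' lines are skipped."""
    commands = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ctype, sep, value = line.partition(":")
        if not sep or ctype not in ("SEND", "EXPECT"):
            raise ValueError(f"malformed scenario line: {line!r}")
        commands.append((ctype, value))
    return commands


def resolve_tokens(value, accounts, default_account, bastion_user):
    """Replace tokens by account attributes. `accounts` is a constructed stand-in for the
    vault, keyed by the scenario account name given as token parameter (assumption)."""
    def expand(m):
        ttype = m.group(1) or m.group(3)
        if ttype == "user":
            return bastion_user  # assumption: 'user' means the connected Bastion user's login
        return accounts[m.group(2) or default_account][ttype]
    return TOKEN_RE.sub(expand, value)


class FakeServer:
    """Constructed stand-in for the target: an initial banner plus one scripted reply per SEND."""
    def __init__(self, banner, replies):
        self.buffer, self.replies, self.sent = banner, deque(replies), []

    def send(self, data):
        self.sent.append(data)
        self.buffer += self.replies.popleft() if self.replies else ""

    def expect(self, regex):
        """True when the regex matches pending output; the matched output is consumed."""
        m = re.search(regex, self.buffer)
        if m is None:
            return False
        self.buffer = self.buffer[m.end():]
        return True


def run_scenario(text, server, accounts, default_account, bastion_user="bastion_user1"):
    """Execute the scenario against `server` and return the data actually sent."""
    for ctype, value in parse_scenario(text):
        value = resolve_tokens(value, accounts, default_account, bastion_user)
        if ctype == "SEND":
            # line endings are written as \r\n or \n in the guide's SEND values (assumed escapes)
            server.send(value.replace("\\r", "\r").replace("\\n", "\n"))
        elif not server.expect(value):
            # the scripted server has nothing more to say: this is the documented timeout case
            raise ScenarioError(f"EXPECT {value!r} did not match server output")
    return server.sent


# Constructed credentials standing in for accounts of the WALLIX Bastion vault.
ACCOUNTS = {
    "switch@local@": {"login": "admin", "password": "s3cret"},
    "root@local@": {"login": "root", "password": "toor"},
}

THREECOM_SEQUENCE = r"""SEND:\r\n
EXPECT:(?i)login:
SEND:$login\r\n
EXPECT:(?i)Password:
SEND:$password\r\n
"""

SU_SCENARIO = """# switch to root on the same device, as in the guide
SEND:exec su - root
EXPECT:Password:
SEND:${password:root@local@}
"""


def demo_telnet_login():
    server = FakeServer("", ["\r\nLogin: ", "Password: ", "\r\nSelect menu option: "])
    return run_scenario(THREECOM_SEQUENCE, server, ACCOUNTS, "switch@local@")


def demo_su_root():
    server = FakeServer("user@host:~$ ", ["\r\nPassword: ", "\r\nroot@host:~# "])
    return run_scenario(SU_SCENARIO, server, ACCOUNTS, "switch@local@")


def demo_failed_expect():
    """No password prompt appears: the scenario stops before ${password} would be sent."""
    server = FakeServer("user@host:~$ ", ["\r\nsu: not found\r\nuser@host:~$ "])
    try:
        run_scenario(SU_SCENARIO, server, ACCOUNTS, "switch@local@")
    except ScenarioError:
        pass
    return server.sent
```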
See the example below of an interactive access to a MySQL database on a global domain in WALLIX
Bastion:
This mode can be enabled by selecting the "Enable" check box on the configuration page related to
the connection policy for the SSH protocol. This page can be accessed from "Session Management"
> "Connection Policies".
• "Enable": this check box enables or disables the startup scenario. By default, this option is
disabled.
• "Scenario": a startup scenario can be declared in this field.
• "Show output": this check box shows or hides inputs/outputs on the Shell during the scenario
execution. By default, this option is enabled.
• "Timeout": this field defines the time period (expressed in seconds) after which an EXPECT
command fails.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. It should ONLY be changed upon instructions from
the WALLIX Support Team!
• "Ask startup": this check box enables or disables a prompt asking the user whether they wish to
run the scenario. By default, the scenario is always executed without prompting.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. It should ONLY be changed upon instructions from
the WALLIX Support Team!
• on the "RDP proxy" configuration page by selecting "Enable transparent mode" below section
"globals"
• on the "SSH proxy" configuration page by selecting "Enable transparent mode" below section
"main"
In order to use the transparent mode, the network should be configured in a way that the RDP or
SSH traffic going to the targets is first redirected to a WALLIX Bastion user network interface. It
could be achieved using routing rules. WALLIX Bastion then acts as a gateway.
The proxy intercepts the traffic sent to TCP port 3389 (for RDP and VNC protocols). Any traffic
not destined to WALLIX Bastion but intercepted by WALLIX Bastion on any other port (other
than 3389) is lost.
The proxy automatically selects the target by looking at the destination IP address of the
connection. When only a single target is identified by the address, the connection is performed
automatically without displaying the selector. Otherwise, the selector displays the list of
targets matching this address.
Moreover, it is possible to define a set of targets belonging to a subnet. This is achieved by entering
a subnet instead of an IP address in the "Device host" field during the creation of the device, from
the "Devices" page, by using a CIDR notation (<network address>/<number of mask bits>). For
further information on this configuration, refer to Section 10.1.1, “Add a device”, page 135.
If the destination IP address of the connection corresponds to several targets and at least one of
these is defined by an IP address (or FQDN), then the targets defined by subnets are ignored.
When only a single target is identified by the address, the connection is performed automatically
without displaying the selector.
Once the RDP or SSH transparent mode is enabled, the following parameters can be set to control
the proxy behavior:
• The option "Auth mode passthrough" (accessible from "Configuration" > "Configuration Options"
> "SSH proxy" for SSH; or "Configuration" > "Configuration Options" > "RDP proxy sesman"
for RDP) enables or disables authentication delegation. When enabled, WALLIX Bastion does not
perform the authentication itself when it receives a connection request: the request is
forwarded directly to the target and WALLIX Bastion authorizes the connection if the
authentication by the target is successful. This allows WALLIX Bastion to be deployed in an
environment where only the target knows the credentials, as is the case for some configurations
of VMware Horizon View.
• The "Default login" field (accessible from "Configuration" > "Configuration Options" > "SSH proxy"
for SSH; or "Configuration" > "Configuration Options" > "RDP proxy sesman" for RDP) allows a
WALLIX Bastion user different from the RDP or SSH identity to be specified. In this case, the
sessions and their records are associated with this WALLIX Bastion user. The RDP or SSH identity
information is registered in the target field when available.
This function is enabled when the time interval between two KeepAlive messages is set. This interval
is expressed in milliseconds. This parameter can be managed via "Configuration" > "Configuration
Options" > "RDP proxy", then specify the appropriate value in the option "Rdp keepalive connection
interval". This value is set to "0" by default: the function is then disabled.
Warning:
RDP clients based on FreeRDP may conflict with KeepAlive messages.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
• "Server keepalive type": this option enables the sending of KeepAlive messages to the server
and also lets you choose the packet type to send. The value "none" is selected by default: the
function is then disabled.
• "Server keepalive interval": this option allows to specify the time interval in seconds between two
KeepAlive messages, when the function has been enabled by selecting the packet type to send
from the option "Server keepalive type". This value is set to "0" by default: the function is then
disabled.
Warning:
These fields are displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. They should ONLY be changed upon instructions
from the WALLIX Support Team!
The session probe requires no specific deployment. It runs in the user's RDP session according to
their privileges. Consequently, it does not increase the attack surface of the information system.
This mode can be enabled by selecting the option "Enable session probe" on the configuration page
related to the connection policy for the RDP protocol. This page can be accessed from "Session
Management" > "Connection Policies".
The session probe can also block the TCP jump connections. A jump connection passes through a
WALLIX Bastion target to access another machine on the internal network. The session probe can
then detect and stop this type of connection.
The session probe protects the passwords entered in the session by detecting when the input
cursor is in a password input field or a UAC (User Account Control) window. When such an
event occurs in the session, the session probe informs WALLIX Bastion so that the latter can pause
the collection of keyboard input data.
If the session probe stops for any reason, WALLIX Bastion will stop the current session.
As for a classic RDP session, if the user disconnects without closing a session using the session
probe, the session will continue to operate through the remote desktop service (for a predetermined
period). During this time interval, the user can return to the session exactly where they left it.
To ensure security, the session probe implements a mechanism which prevents the user from
recovering an incompatible session instead of the current one.
The discrepancies which may prevent a session from being recovered by another one are as follows:
If WALLIX Bastion detects that it is not possible to recover the RDP session, the current connection
is closed and a new one will take over in a transparent way for the user.
12.22.3. Prerequisites
The session probe operates under a Windows operating system with the Remote Desktop services
supporting the "alternate shell" function.
Environments under Windows XP and servers from Windows Server 2003 support the smart
launcher.
When the smart launcher is used:
• the redirection of clipboard must be allowed by Remote Desktop Services (or Terminal Services)
on the target. This is the default setting.
• the keyboard shortcut Windows+R must be enabled at the level of the group policies for
the target (this is the default setting). Keyboard shortcuts can be disabled via "Local Group
Policy Editor" > "User Configuration" > "Administrative Templates" > "Windows Components" >
"Windows Explorer" or "File Explorer" > "Turn off Windows+X hotkeys" or "Turn off Windows Key
hotkeys".
The standard launcher only operates on targets under Windows Server and Windows XP
environments. It does not support targets under Windows 7, 8.x and 10.
From Windows Server 2008 and only when the standard launcher is used, it is necessary to publish
the "Command Prompt" (cmd.exe) as the RemoteApp program. For further information, refer to
https://technet.microsoft.com/en-gb/library/cc753788.aspx. Moreover, all command line parameters
must be allowed for this program by selecting the radio button "Allow any command-line parameters"
in the "Remote Desktop Connection Program properties" dialog box. For further information, refer to
https://blogs.technet.microsoft.com/infratalks/2013/02/06/publishing-remoteapps-and-remote-session-in-remote-desktop-services-2012/.
The redirection of local disks must be allowed by Remote Desktop Services (or Terminal Services)
on the target. This is the default setting.
The temporary folder of the secondary account (Windows account) must have at least 5 MB of free
disk space.
The Windows user account must be able to launch batch scripts and executables from its own
temporary directory (this is the default setting). A software restriction can be set via "Local
Group Policy Editor" > "Computer configuration" > "Windows Settings" > "Security Settings" >
"Software Restriction Policies" by adding a new rule in "Additional Rules".
When opening a new RDP session, applications that launch automatically at startup and require a
user account control (UAC) confirmation request may block the session probe. We recommend not
configuring the automatic launch of applications requiring a UAC confirmation request.
12.22.4. Configuration
The configuration of the session probe is set on the configuration page related to the connection
policy for the RDP protocol, which can be accessed from "Session Management" > "Connection
Policies". The section "session probe" lists the following parameters:
Select/deselect the check box to enable/disable the use of the Smart Launcher when launching
the session probe.
Warning:
The smart launcher is only available for standard RDP sessions.
When connecting to an application, only the standard launcher is used. The RDP proxy
automatically chooses to launch the standard launcher.
Unlike the standard launcher, the smart launcher does not require the command prompt
(cmd.exe) to be published as a RemoteApp program.
The redirection of clipboard must be enabled by Terminal Services to be able to use the
smart launcher (this is enabled by default).
The session probe is loaded by a batch script. Without WALLIX Bastion, this script would cause a
non-user-friendly black console window to be displayed in the RDP session; moreover, the user
could interact with it and disrupt the loading process. Enabling the launch mask blocks the display
as well as mouse and keyboard input during the session probe loading phase, so the console window
becomes invisible.
Data displayed in the console window is useful to diagnose any loading problem concerning the
session probe. This is the reason why the user has the possibility to disable the launch mask.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
Select the desired behavior in the event of a failed launch of the session probe.
The option "0: ignore failure and continue" may not operate properly under some versions of
Windows.
This field is used when the behavior selected in the "On launch failure" field corresponds to "1:
disconnect user". It allows to specify the waiting time (expressed in milliseconds) before WALLIX
Bastion considers the failure of the session probe launch.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
This field is used when the behavior selected in the "On launch failure" field corresponds to "0:
ignore failure and continue" or "2: reconnect without Session Probe". It allows to specify the waiting
time (expressed in milliseconds) before WALLIX Bastion considers the failure of the session probe
launch.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
Select the check box to optimize the launching of the session probe.
Warning:
Only servers from Windows Server 2008 and above are supported!
This field specifies the maximum waiting time (expressed in milliseconds) between WALLIX Bastion
sending a KeepAlive request to the session probe and the receipt of the corresponding response.
WALLIX Bastion sends KeepAlive messages to the session probe on a regular basis. Without a
response from the latter and at the expiration of the period defined here, WALLIX Bastion will
consider that the session probe is no longer active and will stop the connection.
WALLIX Bastion can also stop the connection when the behavior selected in the "On keepalive
timeout" field corresponds to "1: disconnect user".
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
Select the desired behavior when a loss of response to the KeepAlive message is detected.
The option "2: freeze session and wait for next keepalive response" freezes the current session
and displays an error message. The session will be reactivated upon receipt of the response to the
KeepAlive message.
If this check box is selected then disconnected sessions will be automatically closed by the session
probe.
Warning:
A network failure may cause the disconnection of the current RDP sessions. If this option
is enabled, any unsaved data will be lost.
If this check box is selected, the log files for the Windows session are stored in the user's
temporary directory.
We recommend not keeping this log active for a long period as it may be rather verbose and cause
hard disk saturation.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
Select/deselect the check box to enable/disable the interaction of the session probe with the
WALLIX BestSafe agent. For further information, refer to Section 12.23, “Using the session probe
mode with the WALLIX BestSafe agent”, page 291.
If this check box is selected then a disconnected session (i.e. which has not been signed off by the
user) can be recovered by another user.
This field specifies the rules for blocking TCP jump connections.
• an inclusive port range, e.g. "1024-65535". Either of the two bounds can be omitted: the range then starts at "1" or ends at "65535" respectively.
An authorization rule is formed with the $allow prefix. It allows the connection to remote hosts.
A notification rule is formed with the $notify prefix. It allows the connection to remote hosts and generates a notification.
A prohibition rule is formed with the $deny prefix. It prohibits the connection. The $deny prefix can be omitted. For the same connection address, a rule formed with the $deny prefix has precedence over a rule formed with the $notify prefix.
As an example, to prohibit all RDP jump connections, either of the following rules can be entered: "$deny:0.0.0.0/0:3389" or "0.0.0.0/0:3389".
"Process monitoring rules" field
This field specifies the monitoring rules applied when processes are launched.
These rules are generally formed as follows: <$prefix:><search pattern>.
Rules are separated by a comma (",").
A notification rule is formed with the $notify prefix. It generates a notification.
E.g.: $notify:notepad.exe: the opening of the application notepad.exe is notified but not forbidden.
A prohibition rule is formed with the $deny prefix. In addition to the notification, it stops the process. The $deny prefix can be omitted. A rule formed with the $deny prefix has precedence over a rule formed with the $notify prefix.
E.g. 1: $deny:notepad.exe: the opening of the application notepad.exe is forbidden and notified.
E.g. 2: notepad.exe,cmd.exe: the opening of the applications notepad.exe and cmd.exe is forbidden and notified.
E.g. 3: $notify:notepad.exe,$deny:notepad.exe: same result as for E.g. 1 above.
Moreover, rules formed with <$prefix:><@> apply to all the child processes of the application (as defined via "Targets" > "Applications"). Thus, if this rule is:
• $deny:@, then the opening of any child process (whatever its name) is forbidden and notified
• $notify:@, then the opening of any child process (whatever its name) is notified but not forbidden
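The TCP jump blocking rules and the process monitoring rules above share one grammar (an optional $prefix, a comma-separated list, an implicit $deny, and $deny winning over $notify), so a single added Python example covers both; it is not code from this guide or from the product. It assumes that the address part of a TCP rule is an IP address or CIDR network, that process patterns are compared case-insensitively with the executable name, and that $allow ranks below $notify when several rules match; the guide states none of these.

```python
"""Evaluate session-probe rule strings: TCP jump blocking rules
(<$prefix:><address>:<port | port range>) and process monitoring rules
(<$prefix:><executable name | @>). Added example, not product code."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

PREFIXES = ("$allow", "$notify", "$deny")
# $deny has precedence over $notify (stated in the guide). Ranking $allow
# below both is an assumption: the guide does not say how $allow combines.
PRIORITY = {"deny": 3, "notify": 2, "allow": 1}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow", "notify" or "deny"
    pattern: str  # text after the optional "$prefix:"


def parse_rules(spec: str) -> list[Rule]:
    """Split a comma-separated rule list; a rule without a prefix means $deny."""
    rules = []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        action, pattern = "deny", raw
        if raw.startswith("$"):
            prefix, sep, rest = raw.partition(":")
            if prefix not in PREFIXES or not sep or not rest:
                raise ValueError(f"malformed rule: {raw!r}")
            action, pattern = prefix[1:], rest
        rules.append(Rule(action, pattern))
    return rules


def parse_port_range(text: str) -> tuple[int, int]:
    """'3389' -> (3389, 3389); '1024-65535' -> (1024, 65535). An omitted bound
    defaults to 1 (start) or 65535 (end), as the guide states."""
    if "-" in text:
        lo, hi = text.split("-", 1)
        low, high = (int(lo) if lo else 1), (int(hi) if hi else 65535)
    else:
        low = high = int(text)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port range: {text!r}")
    return low, high


def tcp_rule_matches(pattern: str, host: str, port: int) -> bool:
    """Pattern is <address>:<ports>. The address is taken to be an IP address or
    a CIDR network (assumption; the guide's own example uses 0.0.0.0/0)."""
    address, _, ports = pattern.rpartition(":")
    low, high = parse_port_range(ports)
    network = ipaddress.ip_network(address, strict=False)
    return ipaddress.ip_address(host) in network and low <= port <= high


def decide(actions: Iterable[str]) -> Optional[str]:
    """Strongest action among the matching rules, or None if nothing matched."""
    return max(actions, key=PRIORITY.__getitem__, default=None)


def check_tcp_connection(spec: str, host: str, port: int) -> Optional[str]:
    """Outcome for a TCP jump from the session to host:port."""
    return decide(r.action for r in parse_rules(spec)
                  if tcp_rule_matches(r.pattern, host, port))


def check_process(spec: str, exe_name: str, is_child: bool = False) -> Optional[str]:
    """Outcome for a process launch. '@' targets every child process of the
    published application; other patterns are compared case-insensitively
    with the executable name (assumption)."""
    hits = []
    for rule in parse_rules(spec):
        if rule.pattern == "@":
            if is_child:
                hits.append(rule.action)
        elif rule.pattern.lower() == exe_name.lower():
            hits.append(rule.action)
    return decide(hits)


if __name__ == "__main__":
    # The guide's examples plus a constructed allow/deny split on port ranges.
    print(check_tcp_connection("$deny:0.0.0.0/0:3389", "192.0.2.10", 3389))  # deny
    print(check_tcp_connection("0.0.0.0/0:3389", "192.0.2.10", 22))          # None
    print(check_tcp_connection("$allow:10.0.0.0/8:-1023,$deny:10.0.0.0/8:1024-",
                               "10.1.2.3", 8080))                             # deny
    print(check_process("notepad.exe,cmd.exe", "CMD.EXE"))                    # deny
    print(check_process("$notify:notepad.exe,$deny:notepad.exe", "notepad.exe"))  # deny
    print(check_process("$notify:@", "anything.exe", is_child=True))          # notify
```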
Warning:
This parameter only works if the value “2: passwords and unidentified texts are masked” has been selected in “Keyboard input masking level” in the “session log” section below, for information display in the session metadata.
This field allows you to enter values to disable certain technologies used by the session probe mode,
such as “MS Active Accessibility” and “MS UI Automation”. Disabling these technologies helps to
overcome compatibility issues and limit the CPU load generated by the session probe mode.
Please note that when these technologies are disabled, passwords entered in the dedicated
application fields may be visible in the session logs.
These technologies can only be safely disabled together in an application session running a Java
application.
To launch the session probe from a location other than the temporary directory of the Windows user account, proceed as follows:
1. Create a new directory on the target which will be used as the startup directory by the session
probe.
Important:
All Windows users must have write permission.
2. Set an environment variable for all Windows users on the target pointing to this new directory.
Important:
The maximum length of the environment variable name is restricted to 3 characters.
3. Specify the name of this environment variable in the field “Alternate directory environment
variable” (displayed as an advanced option) below section “session probe” on the configuration
page related to the connection policy for the RDP protocol. This page can be accessed from
“Session Management” > “Connection Policies”.
Warning:
The session probe executable file will thus remain in the directory. This file will be
overwritten on next connection.
Note:
The interaction is supported from WALLIX BestSafe Enterprise version 4.0.0.
• allow users to reconnect to their existing sessions in a load-balanced RD Session Host server
farm
• enable you to evenly distribute the session load among RD Session Host servers in a load-
balanced RD Session Host server farm
• provide users access to virtual desktops hosted on RD Virtualization Host servers and to
RemoteApp programs hosted on RD Session Host servers through RemoteApp and Desktop
Connection.
12.24.1. Prerequisites
WALLIX Bastion supports Remote Desktop Connection Broker with the following configuration:
• at least one server must have access to the role service RD Connection Broker
• at least one server must have access to the role service RD Licensing
• at least one server must have access to the role service RD Web Access
• role services RD Connection Broker, RD Licensing and RD Web Access can share the same
server
• several servers must have access to the role service RD Session Host
Caution:
We recommend not installing the role service RD Session Host on a server having access
to the role service RD Connection Broker.
RD Connection Broker cannot be used with a WALLIX Bastion cluster as a result of
interferences between both services. We strongly recommend giving priority to RD
Connection Broker in the context of load balancing.
It is not necessary to choose between Remote Desktop and RemoteApp collections when resources are accessed via the WALLIX Bastion Web interface: WALLIX Bastion uses RemoteApp collections for all connections.
RD Connection Broker must be set on RD Session Host servers. This can be performed locally (on
each RD Session Host) with Local Group Policy Editor (gpedit.exe).
12.24.2. Configuration
RD Connection Broker must be declared on WALLIX Bastion as a target.
To reach RD Connection Broker directly (rather than one of the RD Session Host servers), the "Load balance info" field must be specified in the RDP connection policy, via "Session Management" > "Connection Policies".
This field must be filled with the value of the "loadbalanceinfo:s:" field in the .rdp file saved from the Work Resources page on RD Web Access (https://<ip-rd_web_access>/rdweb/).
Note:
These messages are not displayed to users for the following sessions: SFTP, SCP
or remote command (SSH_REMOTE_COMMAND) with an SSH key for primary
authentication or a Kerberos ticket.
Note:
The “Dashboards” entry will not be displayed on the Web interface if the “Enable
modules” option, accessible from “Configuration” > “Configuration options” > “Module
configuration”, section “main” is deselected. This option is displayed when the check box
of the “Advanced options” field at the top right of the page has been selected. It should
ONLY be changed upon instructions from the WALLIX Support Team!
The language selected on the “Profile” tab of the “My preferences” page does not affect
the language in which the dashboards are displayed. The dashboards are available in
English only.
Important:
Only the user whose profile is associated with the “Administration” dashboard is allowed
to view the “Administration” entry in the “Dashboards” menu.
By default, the user associated with the “product_administrator” or
“operation_administrator” profile can access this menu entry.
For further information on user profiles, refer to Section 9.3, “User profiles”, page 87.
• The “Time filter” area allows the user to define the period of time for which they want to view
the data. By default, this period corresponds to the last 7 days and can be edited by clicking on
the “Last week” value under “Time range”. A window is then displayed: it is possible to select
a predefined period on the “Defaults” tab or to define a date range or a number of days before
the current date on the “Custom” tab. It is then necessary to click on “OK” to generate the charts
corresponding to this period.
• The “User group filter” area allows the user to restrict the display in the charts by selecting one
or more user groups, according to the selected period of time.
• The “Target group filter” area allows the user to restrict the display in the charts by selecting one
or more target groups, according to the selected period of time.
Each filter area displays an icon on the top right indicating the number of corresponding active
filters. It is possible to click on this icon to view the active filters under the “Applied filters” section in
a dedicated window. This window may also display the unset filters under the “Unset filters” section.
A click on each type of filters in these sections redirects to the corresponding filter area at the top
of the page to edit and/or add one or more criteria.
Once the relevant data is entered in the filter areas, a set of charts is displayed on the page and
the following actions are possible:
• highlight the desired data by clicking on the legend entry above the chart
• display the numerical data for a given day by hovering the mouse pointer over the chart
• edit the filters by clicking on the icon on the top right of the chart.
• the number of users connected over the defined period, the number of devices and accounts
declared and managed within WALLIX Bastion
• the number of users connected, devices and accounts used for sessions over the last 7 days
compared to the previous week
• the number of users who have been inactive for 180 days and the number of devices and accounts
which have never been used for sessions.
A tabular view also presents the oldest connections by user group and by target account group.
• “Refresh dashboard”: this feature allows the user to instantly refresh all the components of the
dashboard
• “Set auto-refresh interval”: this feature allows the user to select a time interval between each
automatic refresh of the dashboard. This time interval is only saved for the current session.
• “Download as image”: this feature allows the user to download the dashboard in JPG format.
On the top right corner of each component of the “Connection data” and “Connection indicators”
tabs, a contextual menu offers the following actions:
• “Force refresh”: this feature allows the user to instantly refresh the data. The last refresh is also
indicated.
• “Maximize chart”: this feature allows the user to display the full screen view of the chart. It is
possible to return to the condensed view by clicking on the “Minimize chart” entry from this same
contextual menu.
• “Download as image”: this feature allows the user to download the chart in JPG format
• “Export CSV”: this feature allows the user to download the data of the chart as a .csv file.
From the “Audit” page on the “Dashboards” menu, it is possible to generate charts and tables from
statistical data defined in the filter areas.
The data viewable from this dashboard corresponds primarily to account, session, user group and
target account group activities.
Important:
Only the user whose profile is associated with the “Audit” dashboard is allowed to view
the “Audit” entry in the “Dashboards” menu.
By default, the user associated with the “product_administrator” or “auditor” profile can
access this menu entry.
For further information on user profiles, refer to Section 9.3, “User profiles”, page 87.
• The “Time filter” area allows the user to define the period of time for which they want to view
the data. By default, this period corresponds to the last 7 days and can be edited by clicking on
the “Last week” value under “Time range”. A window is then displayed: it is possible to select
a predefined period on the “Defaults” tab or to define a date range or a number of days before
the current date on the “Custom” tab. It is then necessary to click on “OK” to generate the charts
corresponding to this period.
• The “User group filter” area allows the user to restrict the display in the chart by selecting one or
more user groups, according to the selected period of time.
• The “Target group filter” area allows the user to restrict the display in the chart by selecting one
or more target groups, according to the selected period of time.
Each filter area displays an icon on the top right indicating the number of corresponding active
filters. It is possible to click on this icon to view the active filters under the “Applied filters” section in
a dedicated window. This window may also display the unset filters under the “Unset filters” section.
A click on each type of filters in these sections redirects to the corresponding filter area at the top
of the page to edit and/or add one or more criteria.
Once the relevant data is entered in the filter areas, a set of charts and tables is displayed on the
page. These charts and tables include:
• highlight the desired data by clicking on the legend entry above the chart
• display the numerical data for a given day by hovering the mouse pointer over the chart
• edit the filters by clicking on the icon on the top right of the chart.
• “Refresh dashboard”: this feature allows the user to instantly refresh all the components of the
dashboard
• “Set auto-refresh interval”: this feature allows the user to select a time interval between each
automatic refresh of the dashboard. This time interval is only saved for the current session.
• “Download as image”: this feature allows the user to download the dashboard in JPG format.
On the top right corner of each component of the “Audit” dashboard, a contextual menu offers the
following actions:
• “Force refresh”: this feature allows the user to instantly refresh the data. The last refresh is also
indicated.
• “Maximize chart”: this feature allows the user to display the full screen view of the chart. It is
possible to return to the condensed view by clicking on the “Minimize chart” entry from this same
contextual menu.
• “Download as image”: this feature allows the user to download the chart in JPG format
• “Export CSV”: this feature allows the user to download the data of the chart as a .csv file.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
• a check box to enable or disable session recording. The type of recording depends on the protocol
to access the device.
• a check box to enable or disable password checkout. This option is selected by default for the
new authorization.
• a check box to enable or disable an approval workflow for the new authorization. For further
information, refer to Section 14.7, “Approval workflow”, page 307.
From the "Manage Authorizations" page, click on the "Import CSV file" icon at the top right of the
page to import the related data. You are then redirected to the "CSV" page on the "Import/Export"
menu: the "Authorizations" check box is automatically selected to import the related data. The field
and list separators can also be configured.
The file must begin with a line containing the following tag:
#wab910 authorization
Important:
The update of existing data when importing a .csv file overwrites old data.
Warning:
The first line of the .csv file containing the tag must not be modified. If this line is modified,
the file can no longer be imported into WALLIX Bastion.
Field                 | Type    | Required                      | Possible values                                                                                            | Default
(field name missing)  |         |                               | False if Approval required = False; True if Mandatory comment = True                                       |
Mandatory comment     | Boolean | R                             | True or False; False if Approval required = False                                                          | False
(field name missing)  |         |                               | False if Approval required = False; True if Mandatory ticket = True                                        |
Mandatory ticket      | Boolean | R                             | True or False; False if Approval required = False                                                          | False
Approver groups       | Text    | R if Approval required = True | Approver groups defined. There can be one or several approver groups. Empty if Approval required = False   | N/A
Active quorum number  | Integer | R                             | Integer number between 0 and the number of approvers in groups                                             | "0"
For further information, refer to Section 10.1.6, “SSH specific options”, page 143 and Section 10.1.7,
“RDP specific options”, page 144.
#wab910 authorization
Group_users1;target_group1;SSH_SHELL_SESSION SFTP_SESSION;False;False;True;True;
description;False;False;False;False;False;group_approvers;1;2False;0
Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
On the top of the page, the approver can choose to enable/disable automatic refresh of current
approval data. When the corresponding option is enabled, you can set the refresh frequency.
By clicking on the notepad icon at the beginning of the line, the approver is redirected to the approval
request detail page:
Since a session or the target credentials can still be accessed as long as an accepted request has
not expired, the approver can cancel a request before its expiration to inhibit further access from a
user to the target by clicking on the "Cancel" button.
For further information, refer to Section 14.7, “Approval workflow”, page 307.
Note:
Only the last 1,000 records are displayed in the Web user interface. The occurrence filter
is applied to these 1,000 records. Older sessions can only be retrieved through the date
range filter.
Figure 14.6. "My Approval History" - Approval request history detail page
An approver is a user who has been designated by a WALLIX Bastion administrator with the right to
approve: the "Modify" right for the "Manage Approvals" feature is set in the approver's profile (refer
to Section 9.3, “User profiles”, page 87).
Note:
By default, an approver is allowed to approve their own requests. This behavior can
be managed via the option “Allow self approvals” from the menu “Configuration” >
“Configuration options” > “Global”. If this option is deselected, then the approver cannot
view their own requests on the “My approval history” page from the “Authorizations” menu.
Their requests will only be viewed by the other members of the approver group.
Approvers can decide to allow or reject the connection to a target or the access to the target
credentials. A request is approved when a quorum has been reached. The quorum is the minimum
number of favorable answers required for a particular authorization.
• for active periods, by specifying a value in "Quorum in authorized time frames". A quorum for the
active periods equal to 0 means that approvals are not required for active periods.
• for inactive periods, by specifying a value in "Quorum outside authorized time frames". A quorum
for inactive periods equal to 0 means that no connections are ever possible during inactive
periods.
A single connection can be defined for the approval. The user is then restricted to connecting only once during the approval duration.
A timeout in format [hours]h[mins]m can be defined for the approval. If the user has not
connected to the target and this timeout has been reached, then the status of the "accepted" request
automatically switches to "closed". When the approver accepts the request, this value is set as the
maximum value in the "Timeout" field on the form. The approver can reduce this value.
Note:
When the first approver accepts the request and the start date and time have been
reached:
– the start date and time of the request are then updated with the start date and time
of this action
– the end date and time are then extended for the request duration from this action
• a request is marked as "rejected" and subsequently dismissed as soon as an approver rejects it. The user is then notified by email of the reason for the rejection.
• a request is "pending" as long as the quorum has not been reached and it has not been rejected. If the request is no longer valid (i.e. its duration has expired), it is then marked as "closed" and it is no longer possible for an approver to answer the request. Likewise, it is not possible to answer requests that have already been accepted or rejected.
Note:
A request is also marked as "closed" if one of the following elements has been deleted:
the requesting user and/or the concerned target and/or the concerned authorization.
An "accepted" request switches automatically to the "closed" status if the user has not
connected to the target and the timeout defined for the approval has been reached.
Each approver is given the possibility to reduce the duration of a request. The duration is
incrementally decreased: a subsequent approver, when answering the same request, sees the
reduced period and not the original one.
Users can view approval statuses for their requests on the "My Authorizations" menu.
When the quorum is reached, the user is notified by email. The session can then be started or the target credentials accessed for the allocated duration. If the session is disconnected before the end of the duration, the user can start a new session without a new approval as long as the period specified by the duration of the initial approval has not elapsed. To prevent a user from reconnecting after the initial session, approvers can cancel the request.
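As an added illustration (example code, not the product's implementation), the following Python model walks through the request life cycle described in this section: the [hours]h[mins]m timeout, the quorum for active and inactive periods, the re-anchoring of the start date on first approval, cumulative duration reductions by approvers, and the pending/accepted/rejected/closed transitions. The class and method names are assumptions of this example; the scenario in demo() is constructed.

```python
"""Approval request life cycle as described in this section (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


def parse_timeout(text: str) -> timedelta:
    """Parse the [hours]h[mins]m format, e.g. '2h30m', '45m' or '1h'."""
    match = re.fullmatch(r"(?:(\d+)h)?(?:(\d+)m)?", text.strip())
    if not text.strip() or match is None:
        raise ValueError(f"bad timeout: {text!r}")
    hours, minutes = (int(g) if g else 0 for g in match.groups())
    return timedelta(hours=hours, minutes=minutes)


def required_quorum(in_authorized_frame: bool, quorum_in: int, quorum_out: int) -> Optional[int]:
    """Favorable answers needed: 0 means no approval is required; None means the
    connection is never possible (quorum 0 outside authorized time frames)."""
    return quorum_in if in_authorized_frame else (None if quorum_out == 0 else quorum_out)


@dataclass
class ApprovalRequest:
    quorum: int                      # favorable answers needed
    start: datetime                  # requested start of access
    duration: timedelta              # access duration; approvers may only shorten it
    timeout: timedelta               # max delay between acceptance and first connection
    approvals: set = field(default_factory=set)
    status: str = "pending"
    accepted_at: Optional[datetime] = None
    connected: bool = False

    @property
    def end(self) -> datetime:
        return self.start + self.duration

    def expire(self, now: datetime) -> None:
        """Automatic switches to "closed"."""
        if self.status == "pending" and now >= self.end:
            self.status = "closed"           # request duration elapsed
        elif (self.status == "accepted" and not self.connected
              and now >= self.accepted_at + self.timeout):
            self.status = "closed"           # user never connected in time

    def _answerable(self, now: datetime) -> bool:
        self.expire(now)
        return self.status == "pending"      # accepted/rejected/closed take no answers

    def approve(self, approver: str, now: datetime,
                reduce_to: Optional[timedelta] = None) -> bool:
        if not self._answerable(now):
            return False
        if reduce_to is not None:            # reductions are cumulative
            self.duration = min(self.duration, reduce_to)
        if not self.approvals and now >= self.start:
            # First approval after the requested start: the window is re-anchored
            # on this action and extended by the full duration (guide, Note).
            self.start = now
        self.approvals.add(approver)
        if len(self.approvals) >= self.quorum:
            self.status, self.accepted_at = "accepted", now
        return True

    def reject(self, now: datetime) -> bool:
        if not self._answerable(now):
            return False
        self.status = "rejected"             # one rejection dismisses the request
        return True

    def connect(self, now: datetime) -> bool:
        """Start or restart a session while accepted and before the end (no new approval)."""
        self.expire(now)
        allowed = self.status == "accepted" and now < self.end
        self.connected = self.connected or allowed
        return allowed


def demo() -> dict:
    """Constructed scenario: two approvers, a lapsed timeout, a late answer."""
    t0 = datetime(2024, 1, 1, 9, 0)
    req = ApprovalRequest(quorum=2, start=t0, duration=timedelta(hours=2),
                          timeout=parse_timeout("0h30m"))
    req.approve("alice", t0 + timedelta(minutes=10), reduce_to=timedelta(hours=1))
    after_first = req.status                                # still pending
    req.approve("bob", t0 + timedelta(minutes=20))          # quorum reached
    connects = (req.connect(t0 + timedelta(minutes=30)),
                req.connect(t0 + timedelta(minutes=60)),    # reconnect; end is 10:10
                req.connect(t0 + timedelta(minutes=75)))    # window elapsed
    lapsed = ApprovalRequest(quorum=1, start=t0, duration=timedelta(hours=4),
                             timeout=parse_timeout("1h"))
    lapsed.approve("carol", t0 + timedelta(minutes=5))
    lapsed.connect(t0 + timedelta(hours=2))                 # nobody connected within 1h
    expired = ApprovalRequest(quorum=1, start=t0, duration=timedelta(hours=1),
                              timeout=timedelta(hours=1))
    late_answer = expired.approve("dave", t0 + timedelta(hours=2))
    return {"after_first": after_first, "status": req.status,
            "end": req.end.isoformat(timespec="minutes"), "connects": connects,
            "lapsed_status": lapsed.status, "late_answer": late_answer,
            "expired_status": expired.status}
```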
The time frames which can be defined in WALLIX Bastion are used to set the periods during which
a user is allowed to connect to targets.
A time frame is linked to one or more user groups. For further information, refer to Section 9.2,
“User groups”, page 83.
From the “Time frames” page on the “Configuration” menu, you can add, edit or delete time frames.
Warning:
A default time frame called “allthetime” is configured in WALLIX Bastion. It allows users
to connect to targets on any day and at any time. This time frame cannot be deleted.
The time reference used is the local time of WALLIX Bastion.
Warning:
You cannot delete a time frame linked to a user group.
# WABInitReset
A message is then displayed to request confirmation before restoring the settings. By default, this command only restores the configuration for the keyboard layout, the GRUB menu and the users.
It is possible to restore all settings or a specific one using option --reset.
When option --reset is used, no message is displayed to request confirmation before restoring
the settings.
The option -h shows the help message listing the arguments which can be used to perform this
action.
# WABRestoreDefaultAdmin
# WABRestoreDefaultAdmin -c
Note:
The previous default password is not requested when performing this action.
# bastion-crypto init
The passphrase to secure the encryption key must be entered in the “Enter WALLIX Bastion
Passphrase” dialog box.
The encryption key can also be set using the following command lines:
The --security-level high option is used to secure the encryption key with a passphrase.
The --security-level low option is used when no passphrase is to be set for the encryption
key.
Once the initial installation has been performed and after the system reboot on the shell
administration console, you can execute the following command when logged in as “root” to unlock
the encryption key of WALLIX Bastion and thus access the Web interface:
# bastion-crypto unlock
The passphrase which has been set to secure the encryption key must be entered in the “WALLIX
Bastion Passphrase unlocking” dialog box.
# WABResetCrypto
Caution:
All data in WALLIX Bastion (user accounts, session recordings, etc.) is deleted when
encryption is reset!
It is therefore highly recommended to back up a copy of WALLIX Bastion configuration
BEFORE resetting encryption. For further information, refer to Section 8.13, “Backup and
Restoration”, page 62.
# WABVersion
The history of all the installation operations (installation and upgrades of your WALLIX Bastion but
also installation or removal of Hotfixes) can be displayed when executing the following command:
# WABVersion -H
# WABChangeKeyboard
# WABGetGuiUrl
# WABChangeGrub
# WABNetworkConfiguration
However, the advanced configuration can only be performed from the "Network" page on
the "System" menu on the Web interface. For further information, refer to Section 8.6,
“Network”, page 49.
Note:
When WALLIX Bastion is configured in HA (or « High-Availability ») mode, this command
can only be executed on the "Master" node.
# WABSecurityLevel
The security level set via this command affects both the HTTP and the SSH servers.
The default security level for the HTTP server is set to a high value. Only the following cryptographic
algorithms can then be used:
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-ECDSA-CHACHA20-POLY1305
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES256-SHA384
• ECDHE-RSA-AES256-SHA384
• ECDHE-ECDSA-AES128-SHA256
• ECDHE-RSA-AES128-SHA256
• P-256
• P-384
• brainpoolP256r1
• brainpoolP384r1
• brainpoolP512r1
The default security level for the SSH server is set to a low value, allowing any cryptographic
algorithms to be used.
The security level set via this command is preserved during upgrade.
Caution:
When WALLIX Bastion is configured in HA (or « High-Availability ») mode, the security
level for the SSH server set via this command is only spread out to the Slave node when
the latter is switching from Slave to Master.
# WABServices
For further information, refer to Section 8.11.2, “Service activation”, page 60.
wabsuper$ WABHASetup
Note:
This command can only be executed on the "Master" node.
To check the current state of a node, you can use the following maintenance command:
wabsuper$ /opt/wab/bin/WABHAStatus
Next, launch this program and send the file sysinfo.txt in the generated archive (sysinfo.gz)
to the WALLIX Support Team.
# WABGetLicenseInfo
You can execute the following command to generate the license context file:
# WABSetLicense -d
# WABConsole
To obtain the list of commands, simply enter help on the console prompt.
Help is available for each command by entering either help or -h.
The command currently available for a user with the "product_administrator" profile is:
change_user_password.
The command currently available for a regular user is: change_password.
# WABJournalCtl
# /opt/wab/bin/WABSessionLogExport -h
The option -h shows the help message listing the arguments which can be used to perform this
action.
Use this script to create an .archive file, saved in /var/wab/recorded/export_sessions, including, for the period defined:
Note:
Local archives are to be moved manually by the administrator to remote storage in /var/wab/remote/recorded/export_sessions. However, a script can archive and/or purge session recordings automatically. You can define options on the Web interface of WALLIX Bastion to configure the actions carried out by this script. For further information, refer to Section 15.21, “Export and/or purge session recordings automatically”, page 320.
All sessions for the period defined will also be removed, unless option -p has been used.
It is possible to archive and/or purge sessions according to their IDs using option --sessions.
It is possible to archive and/or purge only uncorrupted sessions using option --good-only.
It is possible to archive and/or purge only corrupted sessions using option -w or --wrong-only.
It is possible to archive and/or purge sessions depending on a given status (e.g. failed sessions,
interrupted sessions, etc.) using option --status.
It is possible to archive and/or purge only sessions stored on local storage using option --local-storage.
It is possible to archive and/or purge only sessions stored on remote storage using option --remote-storage.
It is possible to archive and/or purge traces related to targets under a given protocol (SSH, RDP,
etc.) using option --protocol.
It is possible to archive and/or purge only non-critical sessions using option --non-critical.
It is possible to archive and/or purge traces related to specific user(s) using option --user.
It is possible to archive and/or purge traces related to users in specific user group(s) using option
--user-group.
It is possible to archive and/or purge traces related to specific target(s) using option --target.
It is possible to archive and/or purge traces related to targets in specific target group(s) using option
--target-group.
It is possible not to archive traces using option -a. In this case, information on the concerned session
is displayed at the command line.
It is possible not to purge traces using option -p. In this case, information on the concerned session
is displayed at the command line.
It is possible to display orphan files related to purged sessions using option --show-orphans.
These files can be deleted using option -P or --purge-orphans. In this case, these files will not
be archived even if an archive is created.
It is possible to specify a passphrase for the archive using option --passphrase. This option should however be avoided, as the passphrase then appears as a plain string on the command line.
It is possible to specify a file descriptor from which to read the archive passphrase using option --passphrase-fd.
It is possible to specify the path to a file from which to read the archive passphrase using option --passphrase-file.
You can execute the following script to re-import the generated archive files:
# /opt/wab/bin/WABSessionLogImport -h
The option -h shows the help message listing the arguments which can be used to
perform this action. For further information, refer to Section 15.23, “Re-import archived session
recordings”, page 322.
A script allows to archive and/or purge session recordings automatically. You can define options
on the Web interface of WALLIX Bastion to configure the actions which will be carried out by
this script. For further information, refer to Section 15.21, “Export and/or purge session recordings
automatically”, page 320.
Another script also allows to move session recordings from a local storage to a remote
one. For further information, refer to Section 15.22, “Move local session recordings to remote
storage”, page 321.
The actions carried out by this script can be configured via the options in section "Retention Policy"
from "Configuration" > "Configuration Options" > "Session log policy":
• if a value is entered in the field “Remove sessions older than”, then all sessions older than this
value expressed in number of days (with suffix “d”, e.g. “20d” for 20 days) or in number of months
(with suffix “m”, e.g. “36m” for 36 months) are removed. If no suffix is entered, then the value is
considered by default as expressed in number of days.
• all the orphan files on remote storage are removed
• if a value is entered in the field “Archive sessions older than”, then all sessions older than this
value expressed in number of days (with suffix “d”, e.g. “20d” for 20 days) or in number of months
(with suffix “m”, e.g. “36m” for 36 months) are archived. If no suffix is entered, then the value is
considered by default as expressed in number of days. This operation applies to sessions on
both local and remote storage.
• if a path to a script is entered in the field “Post archive script”, then it is called to export archives.
Otherwise, archives are transferred on remote storage, if present.
• the elements on local storage are removed, from the oldest to the most recent and by type, until a given amount of free disk space is reached. This value is entered in the field “Remove sessions below free space”. The size is expressed in bytes (with suffixes “kb”, “kib”, “Mb”, “Mib”, “Gb” and “Gib”) or as a percentage of the disk space of partition /var/wab. The removal follows the steps below:
– first, archives older than 24h
– next, non-critical sessions which are older than the value entered in the field “Prefer sessions
older than”
– then, critical sessions which are older than the value entered in the field “Prefer sessions older
than”
– then, non-critical sessions older than 24h
– then, critical sessions which are older than the value entered in the field “Keep critical newer
than” or older than 24h
– next, non-critical sessions newer than 24h
– then, archives newer than 24h
– lastly, critical sessions newer than 24h if no value is entered in the field “Keep critical newer
than”
• a notification is sent with the list of the archived and removed elements. A notification is also sent
when the value related to the size of available free disk space has not been reached.
Archives are removed regardless of the critical or non critical context for sessions.
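As an added illustration of the retention rules above (this is not WALLIX code), the following Python models the value syntax of the “Remove sessions older than”, “Prefer sessions older than” and “Remove sessions below free space” fields and the documented removal order, applied to a constructed set of archives and sessions. Two assumptions the guide does not state are labelled in the code: a month is counted as 30 days, and step 5 is read as "the “Keep critical newer than” value applies when it is set, otherwise the 24h boundary does".

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added illustration of the "Retention Policy" rules; not WALLIX code.
# Field values and the sample storage content below are constructed.

# Assumption: a month ("m" suffix) is counted as 30 days in this model.
AGE_UNIT_DAYS = {"d": 1, "m": 30}
# Byte suffixes as listed in the guide; matched case-insensitively here.
SIZE_UNITS = {"kb": 10**3, "kib": 2**10, "mb": 10**6, "mib": 2**20,
              "gb": 10**9, "gib": 2**30}


def parse_age_hours(value: str) -> float:
    """'20d' -> 480 h, '36m' -> 36 months, bare '15' -> 15 days (default unit)."""
    m = re.fullmatch(r"\s*(\d+)\s*([dmDM]?)\s*", value)
    if not m:
        raise ValueError(f"bad age value: {value!r}")
    unit = (m.group(2) or "d").lower()
    return int(m.group(1)) * AGE_UNIT_DAYS[unit] * 24


def parse_free_space_bytes(value: str, partition_bytes: int) -> int:
    """'512Mib' -> bytes; '10%' -> 10 % of the /var/wab partition size; no suffix -> bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*(%|[kmg]i?b)?\s*", value, re.IGNORECASE)
    if not m:
        raise ValueError(f"bad size value: {value!r}")
    n, unit = int(m.group(1)), (m.group(2) or "").lower()
    if unit == "%":
        return partition_bytes * n // 100
    return n * SIZE_UNITS.get(unit, 1)


@dataclass
class Element:
    name: str
    kind: str          # "archive" or "session"
    critical: bool
    age_hours: float
    size: int


def removal_order(elements, prefer_older_than_h: float,
                  keep_critical_newer_than_h: Optional[float]):
    """Order in which the documented steps consider elements (oldest first within a step)."""
    def session(e, critical):
        return e.kind == "session" and e.critical == critical

    # Assumed reading of step 5: the "Keep critical newer than" value applies
    # when set, otherwise the 24h boundary does.
    crit_limit = keep_critical_newer_than_h if keep_critical_newer_than_h is not None else 24
    steps = [
        lambda e: e.kind == "archive" and e.age_hours > 24,                 # 1
        lambda e: session(e, False) and e.age_hours > prefer_older_than_h,  # 2
        lambda e: session(e, True) and e.age_hours > prefer_older_than_h,   # 3
        lambda e: session(e, False) and e.age_hours > 24,                   # 4
        lambda e: session(e, True) and e.age_hours > crit_limit,            # 5
        lambda e: session(e, False) and e.age_hours <= 24,                  # 6
        lambda e: e.kind == "archive" and e.age_hours <= 24,                # 7
        lambda e: session(e, True) and e.age_hours <= 24                    # 8
                  and keep_critical_newer_than_h is None,
    ]
    ordered, seen = [], set()
    for step in steps:
        batch = [e for e in elements if e.name not in seen and step(e)]
        for e in sorted(batch, key=lambda e: e.age_hours, reverse=True):
            ordered.append(e)
            seen.add(e.name)
    return ordered


def free_up(elements, free_now: int, target_free: int,
            prefer_older_than_h: float, keep_critical_newer_than_h: Optional[float]):
    """Remove elements in policy order until the free-space target is reached."""
    removed = []
    for e in removal_order(elements, prefer_older_than_h, keep_critical_newer_than_h):
        if free_now >= target_free:
            break
        removed.append(e.name)
        free_now += e.size
    return removed, free_now


# Constructed sample storage content (ages in hours, sizes in bytes).
SAMPLE = [
    Element("A1", "archive", False, 48, 100),
    Element("S1", "session", False, 200, 50),
    Element("S2", "session", True, 200, 50),
    Element("S3", "session", False, 30, 50),
    Element("S4", "session", True, 30, 50),
    Element("S5", "session", False, 5, 50),
    Element("A2", "archive", False, 5, 100),
    Element("S6", "session", True, 5, 50),
]

if __name__ == "__main__":
    prefer = parse_age_hours("7d")
    target = parse_free_space_bytes("220", 10**9)
    print(free_up(SAMPLE, 0, target, prefer, None))
```

Running the sample with a 7-day “Prefer sessions older than” value and no “Keep critical newer than” value removes elements in the order A1, S1, S2, S3, S4, S5, A2, S6; setting “Keep critical newer than” to 48h keeps S4 and S6 out of the removal list entirely.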
Furthermore, it is also possible to modify the default passphrase defined in the field “Archive key”.
This passphrase is used to encrypt the archived elements.
The option -h shows the help message listing the arguments which can be used to perform this
action.
The following subcommands can be used:
• info: this subcommand displays the status of the available disk space on the remote storage
Syntax example for the info subcommand:
# bastion-traceman info
• move local: this subcommand moves session recordings from the remote storage onto the local one
Syntax example for the move local subcommand:
# bastion-traceman move local
• move remote: this subcommand moves session recordings from the local storage onto the remote one
The available selection criteria are the same as those which can be used to export and/or purge session recordings manually, except for the options --local-storage and --remote-storage. For further information, refer to Section 15.20, “Export and/or purge session recordings manually”, page 318.
Note:
When the session recordings are moved, the related folders are deleted when they
become empty. The following folders are considered:
• /var/wab/recorded/ssh/<YYYY-MM-DD>
• /var/wab/recorded/rdp/<YYYY-MM-DD>
• /var/wab/remote/recorded/ssh/<YYYY-MM-DD>
• /var/wab/remote/recorded/rdp/<YYYY-MM-DD>
Note that the folder related to the current day is never deleted.
From the "Remote Storage" page on the "System" menu, you can configure the export
of session video recordings to an external file system. For further information, refer to
Section 8.8, “Remote storage”, page 53.
# /opt/wab/bin/WABSessionLogImport -h
The option -h shows the help message listing the arguments which can be used to perform this
action.
It is possible to only list the content of the archive using option --list. The archive will not be
re-imported.
# /opt/wab/bin/WABSessionLogIntegrityChecker -h
The option -h shows the help message listing the arguments which can be used to perform this
action.
The available trace selection criteria are the same as those which can be used to export and/or
purge session recordings manually. For further information, refer to Section 15.20, “Export and/or
purge session recordings manually”, page 318.
When notifications are enabled for integrity errors, the email summarizes errors for sessions older than 3 days by default. Another number of days can be set: this parameter is managed via "Configuration" > "Configuration Options" > "Session log policy", by entering a positive integer in the field "Summarize error older than" below the "Integrity Checker" section. If "0" is entered in this field, the notification email contains no error summary.
If this certificate or key differs from the one declared, the WALLIX Bastion proxy closes the connection, since the change could indicate an attack. It is therefore necessary to inform WALLIX Bastion when this certificate or key has been changed. To do so, delete the declared certificate or key on the device; the new one will be saved automatically at the next access to the device through the RDP or SSH proxy. For further information, refer to Section 10.1.1.6, “View and delete certificates or keys on the device”, page 139.
Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
The following placeholders must be specified in the content of the file as described below:
• <SIEM_SERVER>
• <SIEM_PORT>
• <CA_DIR>
• <CLIENT_KEY>
• <CLIENT_CERT>
cat /etc/syslog-ng/conf.d/tls_siem.conf
destination d_rltp {
    syslog( <SIEM_SERVER>
        transport("tls")
        port(<SIEM_PORT>)
        tls(
            peer-verify(required-trusted) ca_dir(<CA_DIR>)
            key_file(<CLIENT_KEY>)
            cert_file(<CLIENT_CERT>)
        )
    );
};
log {
    source(s_src);
    destination(d_rltp);
};
A TLS configuration can also be performed from the Web interface. For further information, refer
to Section 8.9, “SIEM integration”, page 54.
Note:
The new certificate generated as a .pem file must be converted into a .crt file prior to
be replaced in the directory.
Once the files have been replaced, it may be necessary to restart the Apache service by entering
the following command:
Note:
These files are also modified by applying the X509 authentication configuration
procedure. For further information, refer to Section 9.7, “X509 certificate authentication
configuration”, page 101.
If High-Availability is set, the directory into which the certificates are gathered is shared
between both nodes. The procedure is to be applied on the active node only.
You could later generate back a self-signed certificate with the following command:
# WABGuiCertificate selfsign -f
Once the files have been replaced, restart RDP proxy by entering the following command:
Note:
You could later generate back a self-signed certificate with the following command:
The host key must use the RSA algorithm; a minimum length of 4,096 bits is recommended.
To install a host key in ED25519 format, copy it onto WALLIX Bastion at /var/wab/etc/ssh/server_ed25519.key.
Note:
You can generate an SSH proxy host key on WALLIX Bastion by deleting the current host
keys and executing the generator script with the following command:
# rm /var/wab/etc/ssh/server_rsa.key
# rm /var/wab/etc/ssh/server_ed25519.key
# WABSshServerGenRsaKey.sh
To restore compatibility and therefore allow connections, it is then necessary to perform the following
actions at the level of the RDP proxy configuration from the "Configuration Options" page on the
"Configuration" menu, below the "client" section:
• for clients under Windows Server 2000 or lower: select the option "Tls fallback legacy"
• for clients supporting TLS from Windows XP: allow the minimum supported version for TLS
protocol by entering "0" in the "Tls min level" field and delete the value in the "Ssl cipher list" field.
Warning:
We remind you that these actions will lower the security level of the WALLIX Bastion
services.
• below the "main" section: “Hostkeys”, “Client kex algos”, “Client cipher algos”, “Client integrity
algos”, “Client compression algos”
• below the "front_algorithms" section: “Dh modulus min size”
We recommend keeping the default configuration for these algorithms to ensure the highest security
level with SSH clients.
Warning:
These fields are displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. They should ONLY be changed upon instructions
from the WALLIX Support Team!
# vim.tiny /etc/apache2/sites-enabled/wab-httpd.conf
SSLProtocol TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH
2. Comment out all other lines with the same keys.
• either copy the file on the WALLIX Bastion in PEM format. Then, execute the following command:
# WABCRLFetch -f CRL_FILE
• or from the SSH console (port 2242), execute the following command replacing parameters by
the relevant data and the full path of the local CRL file:
Example:
Note:
The CRL files are stored in the directory /var/wab/apache2/ssl.crl/.
An uploaded file gathering several CRLs will be divided into several unit CRL files.
An uploaded CRL will only replace an old one if the number corresponding to the
“CRLNumber” is greater than or equal to the one of this former version.
This list can also be updated using the Web interface. For further information, refer to
Section 9.7.2, “CRL management”, page 103.
There are two main options for changing the Redis password: generate and change.
Important:
This command can only be run as root.
Once the password has been changed, some WALLIX services are restarted, which may cause
WALLIX Bastion users to log out.
A good practice is to run one of these scripts as soon as WALLIX Bastion is initialized.
https://bastion_ip_address/api/doc
https://bastion_ip_address/api/doc/APIChangelog.html
https://bastion_ip_address/api/v3.7/doc
https://bastion_ip_address/api/v3.7/doc/APIChangelog.html
https://bastion_ip_address/api/v3.6/doc
https://bastion_ip_address/api/v3.6/doc/APIChangelog.html
Note:
The REST API version 3.5 is deprecated and therefore no longer available for this version of WALLIX Bastion.
https://bastion_ip_address/scim/doc
Important:
Only the administrator whose profile includes all rights together with transferable rights
(such as the “product_administrator” profile) can view the “API keys” entry in the
“Configuration” menu.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 32.
Once the fields are specified and applied, a window opens and displays the generated API key.
Warning:
After closing the window, it will no longer be possible to view the API key.
The fields of this page are the same as those on the API key creation page.
The stream provides messages for the events described in the following sections.
Example:
The stream provides messages for the various object types described in the following sections.
Examples:
Examples:
Examples:
Examples:
[wabaudit] action="add" type="Cluster" object="cluster_154954837225"
user="ADMIN" client_ip="10.10.45.212" infos="member_targets
[account_154954837122@local1@device_154954837021:rdp,
account_154954837224@local1@device_154954837123:rdp]"
[wabaudit] action="delete" type="Cluster" object="cluster_154954875802"
user="ADMIN" client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="Cluster" object="cluster_154954878267"
user="ADMIN" client_ip="10.10.45.212" infos=""
Examples:
[wabaudit] action="add" type="Notification"
object="notification_154955208543" user="ADMIN" client_ip="10.10.45.212"
infos="dest [notify@mydomain.com], flag [0], isNotificationEnable [True],
type [EMAIL]"
[wabaudit] action="delete" type="Notification"
object="notification_154955204621" user="ADMIN" client_ip="10.10.45.212"
infos=""
[wabaudit] action="edit" type="Notification"
object="notification_154955216694" user="ADMIN" client_ip="10.10.45.212"
infos="flag ['16' to '0']"
Example:
[wabaudit] action="edit" type="Recording Options" user="admin"
client_ip="10.10.43.28" infos="Recording Options ['No encryption, with
checksum' to 'No encryption, no checksum']"
pubkey_account_without_password@local@DEVICE_SSH_FORWARDING:SSH and 35
other(s)], Profiles_limit [], Timeframes [allthetime]"
[wabaudit] action="delete" type="Targetgroup"
object="target_group_154954938767" user="ADMIN" client_ip="10.10.45.212"
infos=""
[wabaudit] action="edit" type="Targetgroup"
object="target_group_154954945465" user="ADMIN" client_ip="10.10.45.212"
infos="Description ['some desc' to 'some other desc']"
Note:
The psid number is the same for all actions logged during the same session.
Note:
The psid number is the same for all actions logged during the same session.
Note:
The psid number is the same for all actions logged during the same session.
Note:
The psid number is the same for all actions logged during the same session.
Note:
The psid number is the same for all actions logged during the same session.
Note:
The session duration format (“duration”) is as follows:
h:mm:ss
“h”: the number of hours, written without a leading zero (a single digit from “0” to “9” below 10 hours).
Examples:
duration="0:00:07"
duration="2:15:01"
duration="16:23:16"
duration="88:02:01"
duration="157:45:59"
17.4.14. End of file transfer on SFTP with file size and hash
[SSH Session] type="SFTP_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="get /var/log/syslog done, length= 338079, sha256 =
711cf730055826274d76ebb0505e13973f69d1b55d81199385362f5f319e9453"
17.4.17. End of file transfer on SCP with file size and hash
[SSH Session] type="SCP_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="get /var/log/syslog done, length= 338079, sha256 =
711cf730055826274d76ebb0505e13973f69d1b55d81199385362f5f319e9453"
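The SFTP and SCP end-of-transfer events above record the transferred length and sha256, which lets an auditor confirm that a file retrieved through the proxy matches what the proxy saw. As an added example (not WALLIX code), the following Python parses the key="value" events shown in this chapter, including [wabaudit] lines wrapped over several lines and the curly quotes that document extraction introduced, extracts the fields of the data value, checks a file against the logged length and hash, and converts the h:mm:ss duration format described in the notes of this chapter. The SFTP line is taken from this chapter as printed; the file content, the SCP event built from it and the "SESSIONID-0000" placeholder are constructed.

```python
import hashlib
import re
from typing import Dict, Tuple

# Added example, not WALLIX code: parse the audit/session events shown in this
# chapter and verify a transferred file against the logged length and sha256.

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(text: str) -> Dict[str, str]:
    """Parse one event (possibly wrapped over several lines) into a dict.

    The leading bracketed tag ([wabaudit], [SSH Session], ...) is stored
    under "_tag". Curly quotes are normalised because document extraction
    often replaces the straight quotes the proxy actually writes.
    """
    flat = " ".join(line.strip() for line in text.strip().splitlines())
    flat = flat.replace("\u201c", '"').replace("\u201d", '"')
    m = re.match(r"\[([^\]]+)\]\s*", flat)
    event = {"_tag": m.group(1)} if m else {}
    body = flat[m.end():] if m else flat
    for key, value in KV_RE.findall(body):
        event[key] = value
    return event


def parse_transfer_data(data: str) -> Tuple[str, str, int, str]:
    """'get /var/log/syslog done, length= 338079, sha256 = <hex>' -> (op, path, length, sha256)."""
    m = re.fullmatch(
        r"(get|put)\s+(\S+)\s+done,\s*length=\s*(\d+),\s*sha256\s*=\s*([0-9a-f]{64})",
        data.strip())
    if not m:
        raise ValueError(f"unrecognised transfer data: {data!r}")
    return m.group(1), m.group(2), int(m.group(3)), m.group(4)


def transfer_matches(event: Dict[str, str], content: bytes) -> bool:
    """True when `content` has the length and sha256 recorded in the event."""
    _, _, length, digest = parse_transfer_data(event["data"])
    return len(content) == length and hashlib.sha256(content).hexdigest() == digest


def duration_seconds(value: str) -> int:
    """'157:45:59' -> seconds. Hours are not zero-padded; minutes and seconds use 2 digits."""
    m = re.fullmatch(r"(\d+):([0-5]\d):([0-5]\d)", value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    h, mm, ss = (int(x) for x in m.groups())
    return h * 3600 + mm * 60 + ss


def make_scp_event(content: bytes, path: str = "/var/log/syslog") -> str:
    """Constructed SCP_EVENT line for `content`; the session id is a placeholder."""
    return (
        '[SSH Session] type="SCP_EVENT" session_id="SESSIONID-0000" '
        'client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint" '
        'device="debian" service="ssh" account="admin" '
        f'data="get {path} done, length= {len(content)}, '
        f'sha256 = {hashlib.sha256(content).hexdigest()}"'
    )


# SFTP event as printed in this chapter, curly quotes included.
SFTP_SAMPLE = (
    '[SSH Session] type=\u201dSFTP_EVENT\u201d '
    'session_id="002ac1d68450742e1928b88df3ca15385d710b33" '
    'client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint" '
    'device="debian" service="ssh" account="admin" '
    'data=\u201dget /var/log/syslog done, length= 338079, sha256 = '
    '711cf730055826274d76ebb0505e13973f69d1b55d81199385362f5f319e9453\u201d'
)

# Constructed wabaudit line, wrapped the way the guide prints it.
AUDIT_SAMPLE = (
    '[wabaudit] action="add" type="Cluster" object="cluster_154954837225"\n'
    'user="ADMIN" client_ip="10.10.45.212" infos="member_targets\n'
    '[account_154954837122@local1@device_154954837021:rdp]"'
)

# Constructed file content standing in for the retrieved /var/log/syslog.
CONSTRUCTED_FILE = b"Jan  1 00:00:00 debian syslogd: restart\n"

if __name__ == "__main__":
    scp = parse_event(make_scp_event(CONSTRUCTED_FILE))
    print(parse_event(AUDIT_SAMPLE)["infos"])
    print(parse_transfer_data(parse_event(SFTP_SAMPLE)["data"]))
    print(transfer_matches(scp, CONSTRUCTED_FILE), transfer_matches(scp, CONSTRUCTED_FILE + b"x"))
```

The hash check is the useful part for an investigation: a copy of the file taken from the device (or from a workstation) that does not match the length and sha256 in the proxy's event was not the bytes that crossed the Bastion, which is exactly the discrepancy a reviewer wants flagged.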
Note:
This can be enabled by selecting the option "Log group membership" below the "trace"
section on the configuration page related to the connection policy for the SSH protocol.
This page can be accessed from "Session Management" > "Connection Policies".
Note:
The status may change depending on the ICAP server.
Note:
The psid number is the same for all actions logged during the same session.
Note:
The psid number is the same for all actions logged during the same session.
Note:
The session duration format (“duration”) is as follows:
h:mm:ss
“h”: the number of hours, written without a leading zero (a single digit from “0” to “9” below 10 hours).
Examples:
duration="0:00:07"
duration="2:15:01"
duration="16:23:16"
duration="88:02:01"
duration="157:45:59"
Note:
The session duration format (“duration”) is as follows:
h:mm:ss
“h”: the number of hours, written without a leading zero (a single digit from “0” to “9” below 10 hours).
Examples:
duration="0:00:07"
duration="2:15:01"
duration="16:23:16"
duration="88:02:01"
duration="157:45:59"
Note:
This log is displayed when session ending is slow and then exceeds the timeout of the
RDP proxy.
Note:
The session duration format (“duration”) is as follows:
h:mm:ss
“h”: the number of hours, written without a leading zero (a single digit from “0” to “9” below 10 hours)
“mm”: the number of minutes, always written on 2 digits
“ss”: the number of seconds, always written on 2 digits
Examples:
duration="0:00:07"
duration="2:15:01"
duration="16:23:16"
duration="88:02:01"
duration="157:45:59"
Note:
The status may change depending on the ICAP server.
17.5.40.3. Verification of a valid text transferred from the copy/paste function via
the clipboard
[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
Examples:
• checkout
• checkout duration extension
• check-in and automatic check-in
• forced check-in
• credential change
Examples:
Web: https://support.wallix.com/
Telephone: (+33) (0)1 70 36 37 50 for Europe, Middle East and Africa and (+1) 438-814-0255 for
the Americas
D
Dashboards, 295
administration, 295
audit, 297
Dell iDRAC plugin, 225
Device accounts
delete, 180
edit, 178
Devices, 135
accounts, 175
add, 135
add tags, 141
add/list/delete a tag, 139
add/list/edit/delete a local account, 137
add/list/edit/delete a service, 136
configuration of RDP cryptographic settings, 277
configuration of SSH cryptographic settings, 277
delete, 141
delete certificates, 139
discovery, 208
configure a network scan, 208
configure an Active Directory scan, 211
launch a scan manually, 214
onboard discovered devices, 216
set a periodic scan launch, 214
discovery)
view the results of a scan job, 215
edit, 140
filter devices, 141
import, 142
local accounts, 137
local domains, 137
manage local accounts, 137
manage local domains, 137
manage services, 136
manage target group associations, 139
manage the tag association, 139
menu, 135
RDP specific options, 144
remove tags, 141
SSH specific options, 143
SSH startup scenario, 278
tags, 140
TELNET/RLOGIN connection scenario, 275
Discovery, 208
configure a network scan, 208, 209
configure an Active Directory scan, 211, 212
launch a scan manually, 214
menu, 208
onboard discovered accounts, 217
onboard discovered devices, 216
set a periodic scan launch, 214
view the results of a scan job, 215
DLP
configuration for verification of files transferred with ICAP for RDP and SSH, 269
Domains, 160
add, 162
add an account, 165
associate with a CA, 163
associate with an SSH Certificate Authority, 163
change the passwords for all the accounts, 165, 165
delete, 166
edit, 164
import, 166, 169
local domains, 137
menu, 160
revoke the signed certificate for the accounts, 166
Dynamic virtual channels
allowing for RDP, 274
rejecting for RDP, 275
E
Encryption, 46
Algorithms, 19
menu, 46
passphrase, 46
presentation, 19
Esx plugin, 238
External authentications, 109
add, 110
add for Kerberos, 110
add for Kerberos-Password, 111
add for LDAP using Active Directory, 113
add for LDAP without Active Directory, 112
add for PingID, 115
add for RADIUS, 116
add for SAML, 117
delete, 118
edit, 118
menu, 109
External password vault
plugins, 199
F
F5 plugin, 238
File storage
connection policies, 271
Fortinet FortiGate plugin, 226
G
GDPR, 94
General concepts, 17
General data protection regulation, 94
X
X509, 101
X509 certificate authentication, 101
configuration, 101
CRL management, 103
disable, 108
OCSP management, 104
unset, 108
user configuration, 105
X509 authentication, 106
X509 configuration
menu, 101