Quiz Entry - updated: 2026.07.06
In a firewall's Authentication Profile, why might the Allow List be set to all, and what could a more restrictive value look like?
Allow List = all permits any user in the profile's user store to authenticate; restricting it limits which usernames/groups are valid for this auth path.
Three layers of "who is allowed":
- Authentication Profile → Allow List: filters which users in the user store may even attempt this auth method.
all= everyone. - Authentication Policy Rule: which traffic must authenticate at all (which zones, which services).
- Security Policy Rule: what authenticated users may then do (allow/deny by user/group).
Restrictive Allow List examples:
Allow List = it-admins→ only admins use this Local DB; everyone else is rejected.Allow List = vpn-users, contractors→ only these AD groups can authenticate via this profile.
Why have it when Security Policy already filters by user?
- Defense in depth: even if a Security Rule is misconfigured to allow more than intended, Allow List still blocks unintended users from authenticating in the first place.
- Different auth profiles for different user populations (e.g., employees → AD; partners → Local DB) without leaking accounts across.
Tip: Allow List is the early gate; Security Rule is the final gate. Both should agree.
Go deeper:
Authentication (Wikipedia) — the verify-who-you-are step the Allow List gates.
Authorization (Wikipedia) — the second gate (what you may do) the card contrasts with it.