LOGBOOK

HELP

Quiz Entry - updated: 2026.07.06

In a firewall's Authentication Profile, why might the Allow List be set to all, and what could a more restrictive value look like?

Allow List = all permits any user in the profile's user store to authenticate; restricting it limits which usernames/groups are valid for this auth path.

Three layers of "who is allowed":

  1. Authentication Profile → Allow List: filters which users in the user store may even attempt this auth method. all = everyone.
  2. Authentication Policy Rule: which traffic must authenticate at all (which zones, which services).
  3. Security Policy Rule: what authenticated users may then do (allow/deny by user/group).

Restrictive Allow List examples:

  • Allow List = it-admins → only admins use this Local DB; everyone else is rejected.
  • Allow List = vpn-users, contractors → only these AD groups can authenticate via this profile.

Why have it when Security Policy already filters by user?

  • Defense in depth: even if a Security Rule is misconfigured to allow more than intended, Allow List still blocks unintended users from authenticating in the first place.
  • Different auth profiles for different user populations (e.g., employees → AD; partners → Local DB) without leaking accounts across.

Tip: Allow List is the early gate; Security Rule is the final gate. Both should agree.

Go deeper:

From Quiz: INTROL / Firewall Advanced Lab (Lab 6) | Updated: Jul 06, 2026