User administration

Create and configure users and groups (permissions)

Last adaptation to the version: 14.1.1 (11.2025)

New:

Installer for the Windows VPN-Client
Icons in the User overview for active functions
Info note added to WireGuard Peer Addresses
Note on file names added User overview for active functions

CLI command for Support-User Information

notempty

This article refers to a Beta version

14.0 12.7 12.6 12.5.1 12.4 12.2.4 12.2.3 11.8.8 11.8.5 11.7

Introduction

The users entered here are stored in a local database on the appliance.
The authentication configured at this point is also performed against the local database.
In addition, local user groups can be assigned to an AD/LDAP group.

User

Caption	Value	Description	User UTMuser@firewall.name.fqdnAuthentication User administration
Name	`admin`	Login name of the user
Groups	Administrator	Group membership of the respective user
Permissions	Firewall administrator	Authorizations, configuration under Groups
Active functions notempty New as of v14.1.0	Application: SSL VPN Configured by: User	Shows which user options are configured Hovering over the icons displays the name of the function and whether the right is assigned via the group or directly
		L2TP is configured
		An SSL VPN connection is configured
		A WireGuard connection is configured
		An IPSec connection is configured
		The login password may be changed
		The mail filter is configured
		Wake on LAN (WOL) is configured
		The use of OTP is configured/possible
Notes	Expires in 9 hours	After expiration the user can no longer log in.
		Edit or delete the user
		Search across all displayed values, including under notes or authorizations.
Add user		Creates a new user. [[#{#var:Benutzer hinzufügen}} \| see below]]
Delete all expired users		Does exactly that. Support users are automatically removed 24 hours after the expiry date at the latest.
OTP Codes		Generates a pdf document with OTP codes in QR format and plain text for all users except the user admin. notempty One OTP code is displayed per page.
		Updates the table
		Enlarges the display area for the table to the height of the screen.

The support user is a temporary administrator who can be activated, for example, to be supported by Securepoint support.

Multiple support users cannot be created at the same time. If a support user already exists, you will be asked whether the existing user should be deleted!

Caption	Value	Description	Add Support User UTMuser@firewall.name.fqdnSupport User Download support information 42 Support-Benutzer erstellen
Neuen Support-Benutzer erstellen:		Man klickt auf , um einen neuen Support-Benutzer anzulegen. Es öffnet sich ein neuer Dialog


Login name:	support-XLP-QHY-EE5	Arbitrary name beginning with support-. Manual entry is not possible.	Add Support User UTMuser@firewall.name.fqdnSupport User Download support information Copy credentials UTM v12.6 Authentifizierung Benutzer Supportbenutzer-en.png
Login name:		Generate new login name at random.
Password:	•••••••••••••••••••	The Password tab defines the strength of the password and whether the password can be changed by the user.
		Show password
		Generate new random password
Expiration date:	2023-10-20 12:00:00	After expiration the user can no longer log in. However, the expiration date can be extended again. (It cannot be set in the past in the web interface!)
Groups:	administrator	By default, the first user group with the authorization Firewall Administrator is entered. You can select other groups that also have this permission.
Root permission:	No	With activation gives the user additional root privileges. When connecting with SSH, the login is done directly on the root console!
Download support information notempty New as of v14.0.0		The downloadable support information contains log messages and system information. These may be necessary to solve a support case. It is recommended to download these and attach them to a support ticket.
Copy credentials		Username and password are saved to the clipboard. The content of the clipboard then looks like this: Username: support-NII-Z53-Yk2 Password: UMC-DP6-FSK-F46-ULD notempty Before saving, the login name and the password must be noted! The password can no longer be displayed after saving.
Save		Clicking the button creates and saves the support user.
CLI command	user support new name support-4711 password insecure-ChangeTh1s groups administrator expirydate 2024-10-20 12:00 flags ROOT	The support user can also be created via CLI if required. The value for the expiration date can either be specified as Unixtime (time in seconds since 1.1.1970 00:00) or in the format: YYYYY-MM-DD HH:MM. notempty Neuer Befehl: Information on the support user can then be retrieved using the command view supportuser (Link to the Wiki article)

General User

Add / edit user

Add user /

The dialog Add user opens. This dialog contains several tabs. There is no need to make entries in all tabs. With the entries are accepted.

User General

General

root user

Caption	Value	Description	Add user UTMuser@firewall.name.fqdnAuthenticationUser Enter user login data
Login name:	admin-user	Login name of the user
Login name:	root	A user with the name root must also be a member of a group with administrator privileges This user will then automatically get root permission. After logging on to the appliance via ssh, this user does not end up on the CLI but immediately in the Linux console This user has extensive diagnostic tools available there, e.g. tcpdump The root user reaches the Command Line Interface (CLI) with the command spcli and leaves it with exit The root user should definitely be given a short-term expiration date or be removed immediately after the diagnostic work!
Password: Confirm password:	•••••••• Very strong	Passwords must meet the following criteria: at least 8 characters length at least 3 of the following categories: Upper case Lower case Special characters Digits
Expiration date:	2023-11-01 00:00:00	After expiration the user can no longer log in. However, the expiration date can be extended again. (It cannot be set in the past in the web interface!) The expiration date can also be changed via CLI: user attribute set name testnutzer attribute expirydate value 2023-11-01 00:00 The value is given as Unixtime (time in seconds since 1.1.1970 00:00) or as: YYYY-MM-DD HH:MM .
Groups:	administrator	Group membership and therefore authorizations of this user

VPN

Here fixed tunnel IP addresses can be assigned to the users.

L2TP
Caption	Description	Define IP Tunnel Addresses
L2TP IP Address:	The tunnel IP address for L2TP
SSL-VPN
IPv4 Address:	The tunnel IPv4 address for SSL-VPN
IPv6 Address:	The tunnel IPv6 address for SSL-VPN
WIREGUARD
IPv4 Peer Address:	Die Tunnel IPv4-Adresse für WireGuard Diese Option konfiguriert WireGuards AllowedIPs für den Benutzer-Client. Die IPs der Gegenstellen werden in der UTM als allowed IPs hinterlegt.
IPv6 Peer Address:	Die Tunnel IPv6-Adresse für WireGuard Diese Option konfiguriert WireGuards AllowedIPs. Die IPs der Gegenstellen werden in der UTM als allowed IPs hinterlegt.
Private key:	Private key to be used for a user-related WireGuard connection.
Private key:	By clicking the button, the key management can be opened and a key can be created.
IPSEC
EAP-MSCHAPV2 Password:	The password for EAP-MSCHAPV2 For security reasons, the EAP password should differ from the user's general password. This HowTo describes the configuration of IPSec EAP
PPTP is no longer available because it has been proven to be an insecure protocol.

WireGuard

Caption	Value	Description	WireGuard settings for user
Use settings from the group:	Off Default	When enabled, the WireGuard settings from the group are used.
Configuration downloadable in the user interface:	On	The configuration can be downloaded in the user interface.
WireGuard connection:	wg_roadwarrior	WireGuard connection that this user should use.
Endpoint:	192.168.175.1	IP address or host name of the UTM. Must only be set if the UTM is not accessible via the firewall name.
Endpoint port:	51820	The port to the associated endpoint. This must be between 49152 and 65535.
Pre-Shared Key:	**************	Enter the pre-shared key of the WireGuard connection.
	Generate	Generate a Pre-shared Key with very strong.
	Copy to clipboard	Copies the pre-shared key to the clipboard
Keepalive:	On 25 Sek.	When activated, the duration can be set in seconds by Keepalive.

SSL-VPN

Caption	Value	Description	Benutzer bearbeiten UTMuser@firewall.name.fqdnAuthenticationUser SSL-VPN settings for users
Use group settings:	No	If the user is a member of a group, the settings can be adopted from there. The following settings are then greyed out here and are to be configured in the Authentication Users Area Groups menu.
Client downloadable in the user interface	Yes	The Securepoint VPN Windows client can be downloaded from the user web interface (accessible via port 1443 by default). The port is configurable in the → Network →Server settingsTab Server settings Button Webserver / User Webinterface Port: : 1443.
SSL VPN connection:	RW-Securepoint	Selection of a connection created in the VPN SSL-VPN menu.
Client certificate:	CC Roadwarrior	A certificate must be specified that the client uses to authenticate itself to the UTM. It is also possible to use ACME certificates.
Remote Gateway:	192.168.175.1 (Example-IP)	External IP address or DNS resolvable address of the gateway to which the connection is to be established.
Redirect Gateway:	by Default-Route-Splitting notempty New as of v14.1.1	All data traffic is routed through the tunnel. The VPN tunnel acts as the primary default gateway. If the tunnel does not respond, the regular default gateway is used.
	by replacing the default gateway (deprecated)	All data traffic is routed through the tunnel. Completely replaces the default gateway (without fallback).
	Off	Only destinations behind the VPN are routed through the tunnel. The default gateway is used for all other destinations
Installer notempty New as of v14.1.1 ARM-64 Version verfügbar Portable x64 und ARM-64 Version verfügbar Windows Client verfügbar Die Schaltflächen werden nur bei bereits angelegten Benutzern angezeigt		Lädt ein Installationsprogramm herunter, mit dem man entweder den aktuellen Windows VPN-Client installiert oder alternativ den Windows VPN-Client als portable Version (ohne Installation) herunterladen und nutzen kann Der installierte Client aktualisiert sich bei neuen Updates eigenständig - unabhängig von der UTM-Version.
Configuration		Downloads the configuration files for any VPN clients. The file contains the necessary configuration files and certificates in the local_firewall.securepoint.local.tblk folder.
Configuration with certificate notempty New as of v14.0.1		Downloads the configuration file for any VPN client. The certificates are written directly to the ovpn file.
The file name contains the user name and notempty v14.1.1 the type of file (installer, portable, config, or inline)

Password

The Password tab defines the strength of the password and whether the password can be changed by the user.

Caption	Default	Description	Setting the password properties
Password change allowed:	Off	Determines whether the user can change his or her password in the user interface.
Minimum password length:	8	The minimum password length can be set to more than 8 characters.
Passwords must meet the following criteria: at least 8 characters length at least 3 of the following categories: Upper case Lower case Special characters Digits

Mailfilter

Caption		Description
Use group settings	No	If the user is a member of a group, the settings can be applied from there. The following settings are then hidden here and can be configured in the menu Authentication Users / Groups.
Allow downloads of following attachments:	None (Default)	In the user interface, the user can download/u> attachments of mails that meet certain criteria.
	Filtered but not quarantined	This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
	Quarantined but not filtered	This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
	Quarantined and/or filtered	This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
Allow forwarding of the following e-mails: Die Berechtigung Mailfilter Administrator überschreibt diese Konfiguration mit dem Default Wert. notempty updated	None	In the user interface, the user can forward/u> attachments of mails that meet certain criteria.
	Filtered but not quarantined
	Quarantined but not filtered (Default)	This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!
	Quarantined and/or filtered	This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!
Reports E-Mail Address		If several mail addresses for a user are stored in an AD, the entry configured there as Primary SMTP address is used as the default address.
Report language:	Default	Default under Network Server settings → Firewall → Language of reports It can be specifically selected: German or English
Email Addresses
Email Addresses		Adding an email address to the list
user@ttt-point.de		Email accounts that can be viewed by this user to control the mail filter. Delete with

WOL

WOL stands for Wake on LAN and switches on a computer via the network card. In order to start the computer via data packet, the computer must also support this. This is usually configured in the BIOS or UEFI.

After logging into the user interface, the user can trigger a WOL for devices entered here.
2 magic packets are sent via UDP to destination ports 7 and 9. notempty
New as of v12.7.0
The magic packets can also be sent in VLANs

Caption	Default	Description	Configure Wake on Lan
Description:		Free text
MAC address:	__:__:__:__:__:__	MAC address of the computer to be activated via Wake on Lan.
Interface:	LAN1	Interface of the appliance via which the WOL packet must be sent.
		Adds another device for WOL
		Calls the entry for editing.
		Deletes the item

OTP

There is a separate page in the wiki for the OTP settings.

Groups

Some settings described in the Users section can also be set for the entire group. However, the settings for the individual user replace the group settings.

Permissions

Caption	Description	Add group UTMuser@firewall.name.fqdnAuthentication Add group
Group Name:	Choose name freely

Permissions
Firewall administrator	Members of this group can call the admin interface (by default accessible on port 11115. There must always be at least one firewall administrator.
Spamreport	Members of this group can receive a spam report
VPN-L2TP	Members of this group can establish a VPN-L2TP connection.
Mailrelay User	Members of this group can use the Mailrelay TLS/SSL encryption is required for authentication This permission is NOT required to access the quarantined emails.
HTTP-Proxy	Members of this group can use the HTTP proxy.
IPSEC XAUTH	Members of this group can authenticate themselves with IPSEC.
IPSEC EAP	Members of this group can authenticate for IPSec connections with IKEv2 using Microsoft CHAPv2
Userinterface	Members of this group have access to the user interface (including mailfilter)
Clientless VPN	Members of this group can use clientless VPN
Mailfilter Administrator	Members of this group, in combination with the User Web Interface right, have access to all emails that are temporarily stored in the UTM's mail archive. - Regardless of whether they are legitimate recipients or senders of these emails. Overwrites the manually set value of ‘'Allow forwarding of the following emails:’' with the value Quarantined but not filtered for this group notempty updated
SSL-VPN	Members of this group can establish an SSL VPN connection.
WireGuard	Members of this group can establish a WireGuard connection
User interface administrator	Members of this group can access the Captive Portal user administration via the user interface.

Clientless VPN

Connections created under VPN Clientless VPN are displayed here.
Open clientless VPN administration Here you can configure and add connections.

Clientless VPN
Caption	Default	Description
Name		Name of the connection
Access	Off	If activated, members of this group can use this connection.

Further information in the article to Clientless VPN.