ADMINISTRATION GUIDE

WALLIX Bastion 9.0.2

Reference: https://doc.wallix.com/en/bastion/9.0.2/Bastion-admin-guide
Copyright © 2021 WALLIX
WALLIX Bastion 9.0.2 – Administration Guide

Table of Contents
1. Introduction .......................................................................................................................... 11
1.1. Preamble ................................................................................................................... 11
1.2. Copyright & Licenses ................................................................................................ 11
1.3. Third-party components ............................................................................................ 11
1.4. Legend ...................................................................................................................... 11
1.5. About this document ................................................................................................. 12
2. Compatibility and limits ........................................................................................................ 13
3. Glossary ............................................................................................................................... 14
4. Concepts .............................................................................................................................. 16
4.1. General information ................................................................................................... 16
4.2. Positioning of WALLIX Bastion in the network infrastructure ...................................... 16
4.3. The concept of WALLIX Bastion ACLs ...................................................................... 17
4.4. Roll-out ...................................................................................................................... 18
4.5. Rights of the user connected to WALLIX Bastion ...................................................... 18
4.6. Data encryption ......................................................................................................... 18
4.6.1. Administration with HTTPS protocol (Web interface and API) ......................... 19
4.6.2. Administration with SSH protocol ................................................................... 19
4.6.3. RDP (TLS based) primary connection algorithms ........................................... 20
4.6.4. SSH primary connection algorithms ............................................................... 21
4.6.5. Secondary connection algorithms ................................................................... 21
5. Specific features .................................................................................................................. 22
5.1. WALLIX Session Manager ........................................................................................ 22
5.2. WALLIX Password Manager ..................................................................................... 22
5.3. Password external vault ............................................................................................ 22
5.4. High-Availability ......................................................................................................... 23
6. Getting started with WALLIX Bastion ................................................................................... 24
6.1. Pre-configuration of TCP and UDP network ports ..................................................... 24
6.1.1. Communication from WALLIX Bastion ............................................................ 24
6.1.2. Communication to WALLIX Bastion ................................................................ 24
6.2. Using the command line to connect to WALLIX Bastion ............................................ 25
6.3. Browsing through the menu of the Web interface ..................................................... 26
6.4. Availability of specific management features ............................................................. 31
6.4.1. Session management ..................................................................................... 31
6.4.2. Password management .................................................................................. 31
6.5. Managing data search, sort and layout customization in the tables of the Web interface ........... 31
6.5.1. Search data ................................................................................................... 31
6.5.2. Sort data ........................................................................................................ 32
6.5.3. Customize layout ............................................................................................ 32
6.5.4. Delete data .................................................................................................... 33
7. Login on the Web interface ................................................................................................. 34
7.1. Access to the Web administration interface .............................................................. 34
7.2. Description of the home page ................................................................................... 36
7.3. Setting your preferences ........................................................................................... 36
7.4. Summary ................................................................................................................... 38
8. Appliance configuration ........................................................................................................ 39
8.1. Interface configuration ............................................................................................... 40
8.1.1. Configuring the Web user interface ................................................................ 40
8.1.2. Configuring the session timeout ..................................................................... 41
8.1.3. Configuring the debug mode .......................................................................... 41
8.1.4. Configuring the OEM ..................................................................................... 41
8.2. License ..................................................................................................................... 43
8.2.1. Managing the license key from the command line .......................................... 45
8.2.2. Managing the sending of notifications ............................................................ 45
8.3. Encryption ................................................................................................................. 45
8.4. System status ........................................................................................................... 46
8.5. System logs .............................................................................................................. 47
8.6. Network ..................................................................................................................... 48
8.7. Time service ............................................................................................................. 50
8.8. Remote storage ........................................................................................................ 51
8.9. SIEM integration ....................................................................................................... 52
8.10. SNMP ...................................................................................................................... 53
8.11. Service control ........................................................................................................ 57
8.11.1. Service mapping ........................................................................................... 57
8.11.2. Service activation ......................................................................................... 58
8.12. SMTP server ........................................................................................................... 59
8.13. Backup and Restoration .......................................................................................... 60
8.13.1. Restoration of configuration files .................................................................. 61
8.13.2. Backup/Restoration from the command line ................................................. 62
8.13.3. Automatic backup configuration .................................................................... 63
8.13.4. Automatic backup purge .............................................................................. 64
8.14. High-Availability ....................................................................................................... 65
8.14.1. Operating limitations and pre-requisites ....................................................... 65
8.14.2. Cluster configuration .................................................................................... 66
8.14.3. Starting the cluster ....................................................................................... 66
8.14.4. Stopping/Restarting the cluster ..................................................................... 67
8.14.5. Recovery from fatal error (WALLIX Bastion HA is locked down) ................... 67
8.14.6. Network outages and Split-Brain .................................................................. 67
8.14.7. Reconfiguring the cluster network ................................................................ 68
8.14.8. Replacing a faulty machine .......................................................................... 68
8.14.9. Recovering a faulty volume .......................................................................... 68
8.14.10. High-Availability operation tests .................................................................. 69
9. Users ................................................................................................................................... 72
9.1. User accounts ........................................................................................................... 72
9.1.1. Add a user ..................................................................................................... 73
9.1.2. Edit a user ..................................................................................................... 75
9.1.3. Delete a user ................................................................................................. 75
9.1.4. View the user's rights on the GUI .................................................................. 75
9.1.5. View the devices, applications and target accounts accessible by a user ........ 76
9.1.6. Import users ................................................................................................... 76
9.2. User groups .............................................................................................................. 82
9.2.1. Add a user group ........................................................................................... 82
9.2.2. Edit a user group ........................................................................................... 84
9.2.3. Delete a user group ....................................................................................... 84
9.2.4. View the user group members ....................................................................... 85
9.2.5. Import user groups ......................................................................................... 85
9.3. User profiles .............................................................................................................. 86
9.3.1. Default profiles ............................................................................................... 86
9.3.2. Add a user profile .......................................................................................... 86
9.3.3. Edit a user profile .......................................................................................... 88
9.3.4. Delete a user profile ...................................................................................... 88
9.3.5. Import user profiles ........................................................................................ 89
9.4. User data retention policy ......................................................................................... 92
9.5. Notification configuration ........................................................................................... 93
9.5.1. Add a notification ........................................................................................... 94
9.5.2. Edit a notification ........................................................................................... 95
9.5.3. Delete a notification ....................................................................................... 95
9.5.4. Create custom notification templates .............................................................. 96
9.6. Local password policy configuration .......................................................................... 98
9.7. X509 certificate authentication configuration ........................................................... 100
9.7.1. Setting X509 certificate authentication .......................................................... 100
9.7.2. CRL management ........................................................................................ 101
9.7.3. OCSP management ..................................................................................... 102
9.7.4. User authentication configuration ................................................................. 103
9.7.5. X509 authentication ...................................................................................... 104
9.7.6. Disable and unset X509 certificate authentication mode ............................... 106
9.8. External authentication configuration ....................................................................... 107
9.8.1. Add an external authentication ..................................................................... 107
9.8.2. Edit an external authentication ..................................................................... 114
9.8.3. Delete an external authentication ................................................................. 114
9.9. Configuration of LDAP or Active Directory domain mapping .................................... 114
9.9.1. Add an LDAP/AD domain ............................................................................ 115
9.9.2. Edit an LDAP/AD domain ............................................................................. 119
9.9.3. Delete an LDAP/AD domain ......................................................................... 119
9.9.4. Import LDAP/AD domains ............................................................................ 120
9.9.5. Import LDAP/AD mappings on user groups .................................................. 122
10. Targets ............................................................................................................................. 124
10.1. Devices ................................................................................................................. 124
10.1.1. Add a device .............................................................................................. 124
10.1.2. Edit a device .............................................................................................. 131
10.1.3. Use tags to organize devices ..................................................................... 131
10.1.4. Delete a device .......................................................................................... 132
10.1.5. Import devices ............................................................................................ 132
10.1.6. SSH specific options .................................................................................. 134
10.1.7. RDP specific options .................................................................................. 135
10.2. Applications ........................................................................................................... 136
10.2.1. Configure the jump server .......................................................................... 137
10.2.2. Configure the application launch using RemoteApp mode .......................... 138
10.2.3. Automate connections to an application using AutoIt scripts ....................... 139
10.2.4. Automate connections to a Web application using WALLIX Application Driver ........... 141
10.2.5. Add an application ..................................................................................... 144
10.2.6. Edit an application ...................................................................................... 145
10.2.7. Delete an application .................................................................................. 145
10.2.8. Add an account to the application .............................................................. 145
10.2.9. Manage the resource associations with the application .............................. 146
10.2.10. Import applications ................................................................................... 146
10.3. Domains ................................................................................................................ 148
10.3.1. Add a global domain .................................................................................. 149
10.3.2. Associate the domain with an SSH Certificate Authority ............................. 150
10.3.3. Edit a global or a local domain ................................................................... 151
10.3.4. Add an account to the global or a local domain .......................................... 152
10.3.5. Change the passwords for all the accounts on the global domain ............... 152
10.3.6. Change the passwords for all the accounts on the local domain ................. 152
10.3.7. Revoke the signed certificate for the accounts on the domain associated with a Certificate Authority ........... 153
10.3.8. Delete a global domain .............................................................................. 153
10.3.9. Import global domains ................................................................................ 153
10.3.10. Import local domains ................................................................................ 156
10.4. Target accounts ..................................................................................................... 159
10.4.1. Add a target account to a global domain .................................................... 159
10.4.2. Add a target account to a device ............................................................... 163
10.4.3. Add a target account to an application ....................................................... 165
10.4.4. Edit a target account .................................................................................. 166
10.4.5. Change the credentials automatically for one or several accounts .............. 167
10.4.6. Change the credentials manually for a given target account ....................... 168
10.4.7. Delete a target account .............................................................................. 168
10.4.8. Import target accounts ............................................................................... 168
10.5. Target groups ........................................................................................................ 172
10.5.1. Add a target group ..................................................................................... 172
10.5.2. Edit a target group ..................................................................................... 182
10.5.3. Delete a target group ................................................................................. 182
10.5.4. Import target groups ................................................................................... 183
10.6. Clusters ................................................................................................................. 184
10.6.1. Add a cluster .............................................................................................. 185
10.6.2. Edit a cluster .............................................................................................. 185
10.6.3. Delete a cluster .......................................................................................... 186
10.6.4. Import clusters ............................................................................................ 186
10.7. External password vault plugins ............................................................................ 187
10.7.1. Bastion plugin ............................................................................................ 188
10.7.2. CyberArk Enterprise Password Vault plugin ............................................... 188
10.7.3. HashiCorp Vault plugin ............................................................................... 189
10.7.4. Thycotic Secret Server plugin .................................................................... 190
10.8. Checkout policies .................................................................................................. 193
10.8.1. Add a checkout policy ................................................................................ 194
10.8.2. Edit a checkout policy ................................................................................ 195
10.8.3. Delete a checkout policy ............................................................................ 195
10.9. Discovery .............................................................................................................. 195
10.9.1. Configure a network scan .......................................................................... 196
10.9.2. Configure an Active Directory scan ............................................................ 197
10.9.3. Launch a scan manually ............................................................................ 198
10.9.4. Set a periodic scan launch ......................................................................... 198
10.9.5. View the results of a scan job .................................................................... 198
10.9.6. Onboard discovered devices in WALLIX Bastion ........................................ 199
11. Password management .................................................................................................... 201
11.1. User authorizations on passwords ......................................................................... 201
11.1.1. Password access through an approval workflow ......................................... 202
11.2. Password change plugins ...................................................................................... 203
11.2.1. Plugin matrix .............................................................................................. 203
11.2.2. Cisco plugin ................................................................................................ 208
11.2.3. Dell iDRAC plugin ...................................................................................... 208
11.2.4. Fortinet FortiGate plugin ............................................................................. 208
11.2.5. IBM 3270 .................................................................................................... 208
11.2.6. Juniper SRX plugin ..................................................................................... 211
11.2.7. LDAP plugin ............................................................................................... 211
11.2.8. MySQL plugin ............................................................................................. 212
11.2.9. Oracle plugin .............................................................................................. 212
11.2.10. Palo Alto PA-500 plugin ............................................................................ 212
11.2.11. Unix plugin ................................................................................................ 212
11.2.12. Windows plugin ........................................................................................ 213
11.2.13. WindowsService plugin ............................................................................. 213
11.3. Password change policies ..................................................................................... 214
11.3.1. Add a password change policy ................................................................... 214
11.3.2. Edit a password change policy ................................................................... 216
11.3.3. Delete a password change policy ............................................................... 216
11.4. "Break glass" mechanism configuration ................................................................. 216
12. Session management ...................................................................................................... 218
12.1. User authorizations on sessions ........................................................................... 218
12.1.1. Specific options for SSH sessions .............................................................. 219
12.1.2. Specific options for RDP sessions .............................................................. 219
12.1.3. Session access through an approval workflow ........................................... 220
12.2. Target connection in interactive mode for SCP and SFTP protocols ...................... 222
12.3. Audit data .............................................................................................................. 223
12.3.1. Current sessions ........................................................................................ 223
12.3.2. Current sessions in real-time view .............................................................. 224
12.3.3. Session sharing and remote control on RDP current sessions .................... 225
12.3.4. Session history ........................................................................................... 225
12.3.5. Session recordings ..................................................................................... 227
12.3.6. Account history ........................................................................................... 231
12.3.7. Approval history ......................................................................................... 232
12.3.8. Authentication history ................................................................................. 233
12.3.9. Connection statistics .................................................................................. 234
12.4. Connection policies ............................................................................................... 236
12.4.1. Add a connection policy ............................................................................. 237
12.4.2. Edit a connection policy ............................................................................. 238
12.4.3. Delete a connection policy ......................................................................... 238
12.5. Session recording options ..................................................................................... 239
12.6. Transformation rule to get a login for secondary connection .................................. 239
12.7. Transformation rule to get credentials of an account in the vault of WALLIX Bastion ........... 240
12.8. Using an antivirus software or a DLP (Data Loss Prevention) solution with ICAP ... 241
12.8.1. Configuration of connection to ICAP servers .............................................. 241
12.8.2. Enabling file verification .............................................................................. 242
12.8.3. Blocking file transfer on invalid verification ................................................. 242
12.8.4. Enabling file storage on invalid verification ................................................. 243
12.9. Enabling storage of files transferred during the RDP or SSH session .................... 243
12.10. Enabling smart card authentication on targets for RDP protocol .......................... 243
12.11. Configuration of recorded sensitive data in logs for RDP protocol ........................ 244
12.12. Allowing or rejecting dynamic virtual channels for RDP protocol .......................... 244
12.13. Log configuration of all the keyboard input for RLOGIN, SSH and TELNET protocols ........... 245
12.14. TELNET/RLOGIN connection scenario on a target device ................................... 245
12.15. Configuration of cryptographic algorithms supported on target devices ................ 246
12.15.1. SSH cryptographic settings on target devices .......................................... 246
12.15.2. RDP cryptographic settings on target devices .......................................... 246
12.16. SSH startup scenario on a target device ............................................................. 247
12.16.1. Commands ............................................................................................... 247
12.16.2. Token ....................................................................................................... 248
12.16.3. Startup scenario configuration .................................................................. 249
12.17. Transparent mode configuration for RDP and SSH proxies ................................. 250
12.18. Enabling KeepAlive function for the proxies ........................................................ 251
12.18.1. Enabling KeepAlive function for connection between the RDP proxy and the RDP client ........... 251
12.18.2. Enabling KeepAlive function for connection between the SSH proxy and the SSH client ........... 251
12.18.3. Enabling KeepAlive function for connection between the SSH proxy and the SSH target server ........... 252
12.19. Using the session probe mode ............................................................................ 252
12.19.1. Default operating mode ............................................................................ 253
12.19.2. Choice of the launcher ............................................................................. 253
12.19.3. Prerequisites ............................................................................................ 253
12.19.4. Configuration ............................................................................................ 254
12.19.5. Launching the session probe from a specific directory .............................. 258
12.20. Using the session probe mode with the WALLIX BestSafe agent ........................ 259
12.20.1. Enabling the interaction with the WALLIX BestSafe agent ........................ 259
12.20.2. Event logging ........................................................................................... 259
12.20.3. Detection of outbound connections .......................................................... 259
12.20.4. Detection of process launching ................................................................ 260
12.21. Load balancing with Remote Desktop Connection Broker ................................... 260
12.21.1. Prerequisites ............................................................................................ 260
12.21.2. Configuration ............................................................................................ 261
12.22. Connection messages ......................................................................................... 261
13. Dashboards ...................................................................................................................... 263
13.1. Administration dashboard ...................................................................................... 263
13.1.1. View the data on the “Live” tab .................................................................. 263
13.1.2. View the data on the “KPIs” tab ................................................................. 264
13.1.3. Common features ....................................................................................... 265
13.2. Audit dashboard .................................................................................................... 265
13.2.1. View the data ............................................................................................. 266
13.2.2. Common features ....................................................................................... 267
14. Authorization management ............................................................................................... 269
14.1. Add an authorization ............................................................................................. 269
14.2. Edit an authorization ............................................................................................. 270
14.3. Delete an authorization ......................................................................................... 270
14.4. Import authorizations ............................................................................................. 271
14.5. View the current approvals .................................................................................... 273
14.6. View the approval history ...................................................................................... 274
14.7. Approval workflow ................................................................................................. 275
14.7.1. Workflow configuration ............................................................................... 276
14.7.2. Workflow steps ........................................................................................... 276
14.8. Time frames configuration ..................................................................................... 277
14.8.1. Add a time frame ....................................................................................... 278
14.8.2. Edit a time frame ....................................................................................... 278
14.8.3. Delete a time frame ................................................................................... 278
15. Specific commands .......................................................................................................... 279
15.1. Use the command line to connect to WALLIX Bastion ........................................... 280
15.2. Restore WALLIX Bastion to factory settings .......................................................... 280
15.3. Restore the factory-set administrator account ....................................................... 280
15.4. Change the password of the factory-set administrator account .............................. 281
15.5. Reset data encryption in WALLIX Bastion ............................................................. 281
15.6. Get the version information of WALLIX Bastion ..................................................... 281
15.7. Change the keyboard layout ................................................................................. 282
15.8. Get the GUI URL .................................................................................................. 282
15.9. Change the GRUB password ................................................................................ 282
15.10. Change the network configuration ....................................................................... 282
15.11. Change the security level configuration ............................................................... 282

15.12. Configure services .............................................................................................. 283
15.13. Configure High-Availability (HA) .......................................................................... 283
15.14. Generate the report on the system status ........................................................... 283
15.15. Manage the license key ...................................................................................... 283
15.16. Use WABConsole to change the user password ................................................. 284
15.17. Display the content of "journalctl" logs ................................................................ 284
15.18. Export and/or purge session recordings manually ............................................... 284
15.19. Export and/or purge session recordings automatically ......................................... 286
15.20. Move local session recordings to remote storage ................................................ 287
15.21. Re-import archived session recordings ................................................................ 288
15.22. Check integrity of session log files ...................................................................... 288
15.23. Change target servers identification .................................................................... 289
15.24. Configure TLS options for LDAP external authentication ..................................... 289
15.25. Configure TLS client for SIEM integration ........................................................... 289
15.26. Change self-signed certificates of services .......................................................... 290
15.26.1. Change the certificate for the Web interface and the API .......................... 290
15.26.2. Change the RDP proxy certificate ............................................................ 291
15.26.3. Change the SSH proxy host key .............................................................. 291
15.27. Cryptographic configuration of services ............................................................... 291
15.27.1. Configure the security level to restore RDP protocol compatibility ............. 291
15.27.2. Configure the security level to restore SSH protocol compatibility ............. 292
15.27.3. Restore default cryptographic settings ...................................................... 292
15.28. Update the CRL (Certificate Revocation List) ...................................................... 292
16. REST API Web Services ................................................................................................. 294
16.1. WALLIX Bastion REST API documentation ........................................................... 294
16.2. SCIM REST API documentation ........................................................................... 294
16.3. REST API key management ................................................................................. 294
16.3.1. Generate an API key ................................................................................. 295
16.3.2. Edit an API key .......................................................................................... 295
16.3.3. Delete an API key ...................................................................................... 295
17. SIEM messages ............................................................................................................... 296
17.1. Logs from authentication ....................................................................................... 296
17.1.1. Successful authentication ........................................................................... 296
17.1.2. Authentication failure .................................................................................. 296
17.1.3. Authentication cancellation (either by the client or by the user) ................... 297
17.2. Logs from WALLIX Bastion Web interface ............................................................ 297
17.2.1. Object type: Account .................................................................................. 297
17.2.2. Object type: Account activity (Audit) ........................................................... 297
17.2.3. Object type: Account history (Audit) ........................................................... 298
17.2.4. Object type: Answer from approval request ................................................ 298
17.2.5. Object type: API key .................................................................................. 298
17.2.6. Object type: Application .............................................................................. 298
17.2.7. Object type: Application path ...................................................................... 298
17.2.8. Object type: Approval ................................................................................. 299
17.2.9. Object type: Authorization .......................................................................... 299
17.2.10. Object type: Backup/Restore .................................................................... 300
17.2.11. Object type: Checkout policy .................................................................... 300
17.2.12. Object type: Cluster .................................................................................. 300
17.2.13. Object type: Connection policy ................................................................. 301
17.2.14. Object type: Credential change information .............................................. 301
17.2.15. Object type: Password change policy ....................................................... 302
17.2.16. Object type: Device .................................................................................. 302
17.2.17. Object type: Global domain ...................................................................... 302

17.2.18. Object type: LDAP domain ....................................................................... 302
17.2.19. Object type: LDAP mapping ..................................................................... 303
17.2.20. Object type: Local domain ........................................................................ 303
17.2.21. Object type: Notification ........................................................................... 303
17.2.22. Object type: Period ................................................................................... 304
17.2.23. Object type: Profile ................................................................................... 304
17.2.24. Object type: Local password policy .......................................................... 304
17.2.25. Object type: Recording options ................................................................ 304
17.2.26. Object type: Restriction ............................................................................ 305
17.2.27. Object type: Service ................................................................................. 305
17.2.28. Object type: Session logs ......................................................................... 305
17.2.29. Object type: Target group ......................................................................... 305
17.2.30. Object type: Time frame ........................................................................... 306
17.2.31. Object type: User ..................................................................................... 306
17.2.32. Object type: External authentication ......................................................... 306
17.2.33. Object type: User group ........................................................................... 307
17.2.34. Object type: X509 parameters (CRL) ....................................................... 307
17.3. Logs from the SSH service ................................................................................... 307
17.3.1. Flow of a successful session ...................................................................... 307
17.3.2. Flow of a connection failure: connection denied, machine is powered off or service unavailable ........ 309
17.3.3. Flow of a connection failure: invalid target or access denied ....................... 309
17.3.4. Successful session opening ....................................................................... 310
17.3.5. Session opening failure .............................................................................. 310
17.3.6. Session disconnection ................................................................................ 310
17.3.7. Channel events .......................................................................................... 310
17.3.8. Request events .......................................................................................... 311
17.3.9. Pattern detection on shell or remote command .......................................... 312
17.3.10. Command detection on Cisco devices ..................................................... 312
17.3.11. SFTP actions ............................................................................................ 313
17.3.12. File size restriction on SFTP .................................................................... 313
17.3.13. Beginning of file transfer on SFTP ........................................................... 313
17.3.14. End of file transfer on SFTP with file size and hash .................................. 313
17.3.15. File size restriction on SCP ...................................................................... 313
17.3.16. Beginning of file transfer on SCP ............................................................. 314
17.3.17. End of file transfer on SCP with file size and hash ................................... 314
17.3.18. User typed keyboard input ....................................................................... 314
17.3.19. Export group membership for target account in session metadata ............ 314
17.3.20. File verification by ICAP server ................................................................ 314
17.4. Logs from the RDP service ................................................................................... 315
17.4.1. Flow of a connection failure: connection denied, machine is powered off or service unavailable ........ 315
17.4.2. Flow of a connection failure: invalid target or access denied ....................... 315
17.4.3. Successful session opening ....................................................................... 316
17.4.4. Upload file via clipboard ............................................................................. 316
17.4.5. Download file via clipboard ........................................................................ 316
17.4.6. Upload data via clipboard (such as image, sound, etc. except Unicode text format or local data) ........ 316
17.4.7. Download data via clipboard (such as image, sound, etc. except Unicode text format or local data) ........ 317
17.4.8. Upload data via clipboard (such as Unicode text format or local data) ......... 317
17.4.9. Download data via clipboard (such as Unicode text format or local data) .... 317
17.4.10. Reading workstation file from server ........................................................ 317

17.4.11. Writing workstation file by server .............................................................. 317
17.4.12. Target disconnected the session .............................................................. 318
17.4.13. Session ended by proxy ........................................................................... 318
17.4.14. Session ending in progress ...................................................................... 319
17.4.15. Window title bars as detected by the Session Probe ................................ 319
17.4.16. Window title bars as detected by OCR ..................................................... 319
17.4.17. User typed keycodes translated using the current layout .......................... 319
17.4.18. Click on a button in a window .................................................................. 319
17.4.19. Text edition in a text field in a window ...................................................... 320
17.4.20. Focus in and out on a password text box ................................................. 320
17.4.21. Focus in and out on an unidentified input field ......................................... 320
17.4.22. New active windows detected by the Session Probe ................................ 320
17.4.23. Change of keyboard layout ...................................................................... 320
17.4.24. Creation of a new process ....................................................................... 320
17.4.25. Process ended ......................................................................................... 321
17.4.26. Process blocked ....................................................................................... 321
17.4.27. VNC session initiated ............................................................................... 321
17.4.28. VNC session ended ................................................................................. 321
17.4.29. UAC prompt displayed ............................................................................. 321
17.4.30. X509 server certificate match ................................................................... 322
17.4.31. Connection to server allowed ................................................................... 322
17.4.32. New X509 certificate created ................................................................... 322
17.4.33. X509 server certificate match failure ........................................................ 322
17.4.34. X509 server certificate internal error ......................................................... 322
17.4.35. Kerberos ticket creation ............................................................................ 322
17.4.36. Kerberos ticket deletion ............................................................................ 322
17.4.37. State of check boxes in metadata collected by the Session Probe ............ 323
17.4.38. Web navigation data collected from the Session Probe ............................ 323
17.4.39. Export group membership for target account in session metadata ............ 324
17.4.40. File verification by ICAP server ................................................................ 324
17.4.41. Opening of dynamic virtual channel ......................................................... 325
17.5. Logs from the system ........................................................................................... 325
17.5.1. Integrity of session log files ........................................................................ 325
17.5.2. System configuration changes .................................................................... 326
17.6. Logs from vault activities ....................................................................................... 327
18. Contact WALLIX Bastion Support .................................................................................... 328
Index ...................................................................................................................................... 329

Chapter 1. Introduction
1.1. Preamble
Thank you for choosing WALLIX Bastion.

The WALLIX Bastion solution is marketed in the form of a dedicated, ready-to-use server or as a
virtual device for the following virtual environments:

• Amazon Web Services (AWS)
• Google Cloud Platform (GCP)
• Kernel-based Virtual Machine (KVM)
• Microsoft Azure
• Microsoft Hyper-V
• OpenStack
• VMware vSphere

This product has been engineered with the greatest care by our teams at WALLIX and we trust that
it will deliver complete satisfaction.

1.2. Copyright & Licenses
This document is the property of WALLIX and may not be reproduced without its prior consent.

All the product or company names mentioned herein are the registered trademarks of their
respective owners.

WALLIX Bastion is subject to the WALLIX software license contract.

WALLIX Bastion is based on free software. The list and source code of GPL and LGPL licensed
software used by WALLIX Bastion are available from WALLIX. Please send your request online by
creating a new case at https://support.wallix.com/ or in writing to:

WALLIX
Service Support
250 bis, Rue du Faubourg Saint-Honoré
75008 PARIS
FRANCE

1.3. Third-party components
Please refer to the Third-Party Components document to get the list of packages being modified by
WALLIX and the information related to the license agreement terms.

1.4. Legend
prompt $ command to input <parameter to replace>
command output
on one or more lines

11
WALLIX Bastion 9.0.2 – Administration Guide

prompt $

1.5. About this document
This document is the Administration Guide for WALLIX Bastion 9.0.2. Use it to configure WALLIX
Bastion prior to roll-out, and also for its administration and day-to-day operation.

The following documents are also provided by WALLIX:

• a Quick Start Guide to guide you through the initial start-up of your device (physical or virtual
appliance) for configuration, or to indicate how to access the images for deploying WALLIX
Bastion in virtual environments
• a User Guide to help you use WALLIX Bastion to connect to the devices you administer.

They can be downloaded from the WALLIX Support portal (https://support.wallix.com/).

Chapter 2. Compatibility and limits
Please refer to the Release Notes document to check the compatibility of WALLIX Bastion 9.0.2 with
various clients or targets and learn more about the known limitations/issues and also the technical
requirements and feature enhancements of this latest version.

We do not recommend modifying your system configuration or installing additional software as
it could prevent your WALLIX Bastion from being fully operational. Any additional tool or software
installation should only be performed upon instruction from the WALLIX Support Team. For further
information, refer to Chapter 18, “Contact WALLIX Bastion Support”, page 328.

Chapter 3. Glossary
You will encounter the following technical terms as you work with WALLIX Bastion and you go
through the sections of this guide. This list is not exhaustive.

ACL: Acronym for "Access Control List". This is a system to manage access to a resource (a device,
file, etc.).

Account: An entity (managed by WALLIX Bastion or by an external password vault) that allows a user
to be authenticated to a system and to be granted a defined level of authorization to access
resources on that system, for management purposes. An account belongs to a domain.

Account mapping: Mechanism which allows a user to establish a connection to a resource using
his/her own credentials (user name and password). This may be particularly useful when the user
account is declared in a company directory and is granted access to the target resource. These
primary credentials (user name and password) are then used by an RDP or an SSH client to
authenticate a session on the remote resource. A resource can be a specific service on some device,
or an application (running on a jump server or a cluster). As prerequisites, the user must be
authorized to access this specific resource in account mapping mode and an account with the same
user name and password must exist on the specified resource.

Check-in: Operation which consists in releasing the credentials of a given account. This action is
complementary to the checkout action. If the lock was set on the account at checkout, it is
released with the check-in operation.

Checkout: Operation which consists in retrieving and displaying the credentials of a given account.
It is possible to lock the account during this operation in order to prevent concurrent use by
multiple users.

Connection scenario: Scenario to automate the connection to a device that does not offer protocols
supporting automated sending of credentials (SSH or RDP).

Device: Physical or virtual device for which WALLIX Bastion manages the access to sessions or
passwords.

External authentication: Authentication managed by a directory external to WALLIX Bastion.

External password vault: External structure that manages accounts.

Global domain: Management entity grouping multiple target accounts which can be used to
authenticate across multiple devices. A password change process (policy and change plugin) can be
applied to all accounts in the global domain. A global domain can be associated with an external
password vault. In this case, the domain groups accounts which are managed externally through the
association of an external vault plugin. As a result, a password change mechanism cannot be applied
to the related accounts within WALLIX Bastion.

Interactive login: Mechanism which allows a user to dynamically enter his/her user name and the
secondary password on the selector of the proxy client (RDP or SSH) to access a resource. The
credentials entered by the user on this selector are then used by the proxy to authenticate the
session on the remote resource. A resource can be a specific service on a given device, or an
application (running on a jump server or a cluster). As prerequisites, the user must be authorized
to access this specific resource in interactive login mode and an account with the same user name
and password must exist on the specified resource.

Local authentication: Authentication managed by WALLIX Bastion.

Local domain: Management entity grouping multiple target accounts which can be used to
authenticate on a single device only. A password change process (policy and change plugin) can be
applied to all accounts in the local domain.

Lock: Mechanism which prevents multiple concurrent uses of an account.

Password: Password, SSH key, Kerberos ticket or any other secret data that allows the account to be
authenticated to a system.

Password vault: Structure that manages accounts. It allows configuration via policies and enforces
account usage according to these policies.

Primary connection: See WALLIX Bastion connection.

Resource: One of the following entities: a device (association of a device and a service in the
context of account mapping), a target or an account.

Scenario account: Target account which can be used by a startup scenario at the beginning of the
SSH session.

Secondary connection: See Target connection.

Startup scenario: Scenario which can be used at the beginning of the SSH shell session to perform
some actions, such as granting the user "root" privileges using the "su" and "sudo" commands without
requiring knowledge of the password.

Target: See Target application and Target account.

Target application: A target application is characterized by the association of the following
entities: an application and an account.

Target account: A target account is characterized by the association of the following entities: a
device, a service and an account.

Target connection (also called "Secondary connection"): Connection initiated between WALLIX Bastion
and a target account.

WALLIX Bastion connection (also called "Primary connection"): Connection initiated between a user
and WALLIX Bastion.

Chapter 4. Concepts
4.1. General information
WALLIX Bastion has been developed for the technical teams who administer IT infrastructure
(servers, network and security devices, etc.). This solution has been designed to meet the access
control and traceability needs of system administrators.

WALLIX Bastion includes access control lists (ACLs) and traceability features. It constitutes a
security buffer for administrators who wish to log on to devices by:

• checking the authentication details provided by the user
• checking their access rights for the concerned resource
• managing passwords of the target accounts

WALLIX Bastion also allows you to automate logons to target devices to enhance the security of
the information system by preventing disclosure of server authentication detail.

Protocols currently supported are as follows:

• SSH (and its sub-systems)
• TELNET, RLOGIN
• RDP and VNC
• RAW TCP/IP. This protocol forwards local TCP/IP connections from the client station to a target
server using local TCP/IP port forwarding. The SSH proxy acts as an SSH server whose only function
is to provide local TCP/IP port forwarding. If a shell session channel is opened at the beginning,
the proxy then monitors the forwarding actions performed.

WALLIX Bastion offers a Web interface (also called "GUI"), compatible with Internet Explorer,
Chrome and Firefox to monitor activity and connections and also configure its components.

4.2. Positioning of WALLIX Bastion in the network infrastructure
WALLIX Bastion is positioned between a low trust domain and a high trust domain.

The high trust domain is represented by the set of devices isolated by WALLIX Bastion.

These devices and their related accounts are called "target accounts" in the WALLIX Bastion
terminology.

The low trust domain is represented by the population with direct access to WALLIX Bastion:

• the company’s personnel
• the Internet zone

For users of the solution, access to the target accounts (in the high trust domain) is only possible
through WALLIX Bastion.

Figure 4.1. WALLIX Bastion in the network infrastructure

4.3. The concept of WALLIX Bastion ACLs
WALLIX Bastion features an advanced rights management engine relying on ACLs to determine
who has access to what, when and with which protocol(s).
These ACLs consist of the following objects:

• users: i.e. physical users of WALLIX Bastion from an internal and/or external user directory
• user groups: a set of users
• devices: i.e. physical or virtualized devices to which access is requested via WALLIX Bastion
• target accounts: the accounts declared on a device or an application
• target groups: a set of target accounts
• applications: any type of application or service running on a device or a set of devices

In WALLIX Bastion, an authorization must be set to grant a user access to a target account.
Authorizations are declared between a group of users and a group of target accounts (which means
that each target account must belong to a target group, and that each user must belong to a user
group).
An authorization allows the users in group X to access the target accounts in group Y via protocols
A, B or C.
Other elements are added to these primary entities to allow you to define:

• connection time frames
• criticality of access to target resources
• whether the session is recorded or not
• the type of user authentication procedure

You can also define a number of WALLIX Bastion administrator profiles, with full access to the
WALLIX Bastion features or with rights limited to specific features. For example, you can define
that WALLIX Bastion auditors only access audit data, or allow WALLIX Bastion administrators to
add/edit users, configure the system administration, manage authorizations, etc.
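The following is an added illustration (not WALLIX code) of the ACL model described above: users only ever reach target accounts through an authorization declared between a user group and a target group, restricted to given protocols and connection time frames, with critical accounts flagged for notification. All class, field and sample names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class TargetAccount:
    login: str               # account declared on the device, e.g. "root"
    device: str              # device (or application) hosting the account
    critical: bool = False   # critical resource: each access notifies the administrator
    recorded: bool = True    # whether sessions on this account are recorded


@dataclass(frozen=True)
class TimeFrame:
    """Connection time frame: allowed weekdays (0 = Monday) and a daily window."""
    weekdays: frozenset
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() <= self.end


@dataclass(frozen=True)
class Authorization:
    user_group: str
    target_group: str
    protocols: frozenset     # protocols A, B or C granted by this authorization
    time_frames: tuple       # assumption: at least one frame must cover the request


class AclEngine:
    """Users belong to user groups and target accounts to target groups; an
    authorization is only ever declared between one user group and one target group."""

    def __init__(self):
        self.user_groups = {}     # user group name -> set of user names
        self.target_groups = {}   # target group name -> set of TargetAccount
        self.authorizations = []

    def add_user(self, group, user):
        self.user_groups.setdefault(group, set()).add(user)

    def add_target(self, group, account):
        self.target_groups.setdefault(group, set()).add(account)

    def authorize(self, auth):
        if auth.user_group not in self.user_groups:
            raise ValueError(f"unknown user group {auth.user_group!r}")
        if auth.target_group not in self.target_groups:
            raise ValueError(f"unknown target group {auth.target_group!r}")
        self.authorizations.append(auth)

    def check(self, user, account, protocol, when):
        """Return (allowed, reason, notify_admin). Access needs an authorization whose
        user group holds the user, whose target group holds the account, which grants
        the protocol and which has a time frame covering the request time."""
        reasons = []
        for auth in self.authorizations:
            link = f"{auth.user_group}->{auth.target_group}"
            if user not in self.user_groups[auth.user_group]:
                reasons.append(f"{user} not in user group {auth.user_group}")
            elif account not in self.target_groups[auth.target_group]:
                reasons.append(f"{account.login}@{account.device} not in {auth.target_group}")
            elif protocol not in auth.protocols:
                reasons.append(f"{protocol} not granted by {link}")
            elif not any(tf.contains(when) for tf in auth.time_frames):
                reasons.append(f"{when:%a %H:%M} outside the time frames of {link}")
            else:
                return True, f"granted by {link} via {protocol}", account.critical
        return False, "; ".join(reasons) or "no authorization declared", False


def demo_results():
    """Constructed scenario: ops may reach prod-db over SSH/SFTP on weekdays 08:00-18:00."""
    engine = AclEngine()
    engine.add_user("ops", "alice")
    engine.add_user("auditors", "bob")
    root = TargetAccount("root", "db01", critical=True)
    engine.add_target("prod-db", root)
    engine.add_target("prod-db", TargetAccount("postgres", "db01"))
    office_hours = TimeFrame(frozenset(range(5)), time(8, 0), time(18, 0))
    engine.authorize(Authorization("ops", "prod-db", frozenset({"SSH", "SFTP"}), (office_hours,)))
    tuesday, sunday = datetime(2021, 6, 1, 10, 0), datetime(2021, 6, 6, 10, 0)
    ungrouped = TargetAccount("admin", "web01")   # declared in no target group
    scenarios = {
        "alice SSH Tue": ("alice", root, "SSH", tuesday),
        "alice RDP Tue": ("alice", root, "RDP", tuesday),
        "alice SSH Sun": ("alice", root, "SSH", sunday),
        "bob SSH Tue": ("bob", root, "SSH", tuesday),
        "alice SSH ungrouped": ("alice", ungrouped, "SSH", tuesday),
    }
    return {label: engine.check(*args) for label, args in scenarios.items()}


if __name__ == "__main__":
    for label, (allowed, reason, notify) in demo_results().items():
        print(f"{label:20} {'ALLOW' if allowed else 'DENY ':5} {reason}"
              + ("  [critical: notify administrator]" if notify else ""))
```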


4.4. Roll-out
WALLIX Bastion includes a set of import tools to facilitate roll-out.
However, to ensure WALLIX Bastion is successfully implemented, we recommend inventorying:

• the roles of users who must have access to the target accounts
• the roles of users who must administer WALLIX Bastion
• the target devices and target accounts to be accessed through WALLIX Bastion

You must be able to answer the following questions for each user:

• does this user have the right to administer the solution, and if so, which rights should be assigned
to him or her?
• does this user need to access target accounts?
• when does the user have the right to log on?
• can the user access critical resources?

You must be able to answer the following questions for each target device or target account:

• is this target account or device critical? (then each time a critical device is accessed, a notification
is sent to the administrator)
• should user sessions on this account be recorded?
• which protocol(s) can be used to access this target account or device?

4.5. Rights of the user connected to WALLIX Bastion
Depending on the rights assigned to a user during the configuration of his/her profile, this user will
only be able to access the WALLIX Bastion functionalities for which he/she has permission.
A user is only allowed to display data existing within the application if the “View” right for the
related functionality is set in his/her profile.
A user is allowed to access the various data creation, modification and deletion pages if the
“Modify” right for the related functionality is set in his/her profile.
For further information on the configuration of user profiles, refer to Section 9.3, “User
profiles”, page 86.

4.6. Data encryption

Many types of sensitive data may be stored in WALLIX Bastion, in particular:

• primary authentication information, i.e. information related to WALLIX Bastion authentication
• secondary authentication information, i.e. information related to target authentication
• passwords to access authentication services
• WALLIX Bastion configuration backups

All sensitive data is encrypted to ensure security.


Access to targets via the various services (RDP or SSH) generates data that is also encrypted.
The cryptographic specifications used to secure the data gathered in WALLIX Bastion are described below.

4.6.1. Administration with HTTPS protocol (Web interface and API)

TLSv1.3 cipher suites:

• TLS_AES_256_GCM_SHA384
• TLS_AES_128_GCM_SHA256
• TLS_CHACHA20_POLY1305_SHA256

TLSv1.2 cipher suites:

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

4.6.2. Administration with SSH protocol

Key exchange algorithms:

• curve25519-sha256
• curve25519-sha256@libssh.org
• diffie-hellman-group-exchange-sha256

Server host key algorithms:

• ecdsa-sha2-nistp256
• ssh-ed25519

Cipher algorithms:

• aes128-ctr
• aes192-ctr
• aes256-ctr
• aes128-gcm@openssh.com
• aes256-gcm@openssh.com
• chacha20-poly1305@openssh.com

Integrity algorithms:

• hmac-sha2-256-etm@openssh.com
• hmac-sha2-512-etm@openssh.com
• hmac-sha2-256
• hmac-sha2-512


4.6.3. RDP (TLS based) primary connection algorithms

Key exchange algorithms:

TLSv1.3 cipher suites:

• TLS_AES_256_GCM_SHA384
• TLS_AES_128_GCM_SHA256
• TLS_CHACHA20_POLY1305_SHA256

TLSv1.2 cipher suites:

• TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
• TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
• TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
• TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
• TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_256_CCM
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• RSA_WITH_AES_256_CCM_8
• RSA_WITH_AES_256_CCM
• RSA_WITH_AES_128_CCM_8
• RSA_WITH_AES_128_CCM
• ECDHE-ARIA256-GCM-SHA384
• ECDHE-ARIA128-GCM-SHA256
• DHE_RSA_WITH_AES_256_CCM_8
• DHE_RSA_WITH_AES_128_CCM_8
• DHE_RSA_WITH_AES_128_CCM
• DHE-RSA-ARIA256-GCM-SHA384
• DHE-RSA-ARIA128-GCM-SHA256
• ARIA256-GCM-SHA384
• ARIA128-GCM-SHA256

4.6.4. SSH primary connection algorithms

Key exchange algorithms:

• curve25519-sha256@libssh.org
• diffie-hellman-group-exchange-sha256

Host key algorithms:

• ssh-ed25519
• ssh-rsa
• rsa-sha2-256
• rsa-sha2-512

Cipher algorithms:

• aes128-ctr
• aes192-ctr
• aes256-ctr
• chacha20-poly1305@openssh.com

Integrity algorithms:

• hmac-sha2-256
• hmac-sha2-512
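The lists in Sections 4.6.2 and 4.6.4 decide which clients can connect at all: SSH picks the first algorithm in the client's preference order that the server also supports (RFC 4253, section 7.1), so a client that offers nothing on these lists is rejected at key exchange. The script below is an added illustration (not WALLIX code) that replays that negotiation against both documented lists with constructed client profiles; it also emits the standard OpenSSH client keywords for pinning a client to exactly the documented algorithms.

```python
# Added illustration, not WALLIX code: simulates SSH algorithm negotiation (RFC 4253
# section 7.1) against the lists the guide publishes for the administration shell
# (Section 4.6.2, port 2242) and the SSH proxy (Section 4.6.4). The client profiles
# are constructed; the keywords in ssh_config() are standard OpenSSH client options.

ADMIN_SSH = {  # Section 4.6.2
    "kex": ["curve25519-sha256", "curve25519-sha256@libssh.org",
            "diffie-hellman-group-exchange-sha256"],
    "hostkey": ["ecdsa-sha2-nistp256", "ssh-ed25519"],
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com",
               "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
            "hmac-sha2-256", "hmac-sha2-512"],
}
PROXY_SSH = {  # Section 4.6.4
    "kex": ["curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256"],
    "hostkey": ["ssh-ed25519", "ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"],
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "chacha20-poly1305@openssh.com"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512"],
}

# Constructed client profiles: what each client advertises in its KEXINIT message.
MODERN_CLIENT = {
    "kex": ["curve25519-sha256", "curve25519-sha256@libssh.org",
            "ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ecdsa-sha2-nistp256"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
}
LEGACY_CLIENT = {  # SHA-1 and CBC only: neither list contains its KEX, ciphers or MACs
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa", "ssh-dss"],
    "cipher": ["aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha1"],
}
PINNED_CLIENT = {  # e.g. "ssh -o KexAlgorithms=curve25519-sha256": the IANA name only
    "kex": ["curve25519-sha256"],
    "hostkey": ["ssh-ed25519"],
    "cipher": ["aes256-ctr"],
    "mac": ["hmac-sha2-512"],
}


def negotiate(client, server):
    """First algorithm in the client's preference order that the server also
    supports; None when the two lists are disjoint."""
    for algorithm in client:
        if algorithm in server:
            return algorithm
    return None


def check_client(client, server):
    """Negotiate every algorithm class. A None value means the connection is
    rejected at key exchange ("no matching key exchange method" and similar)."""
    return {cls: negotiate(client.get(cls, []), server[cls]) for cls in server}


def ssh_config(server):
    """OpenSSH client options restricting a client to exactly the documented
    algorithms, so it never falls back to anything weaker."""
    keywords = {"kex": "KexAlgorithms", "hostkey": "HostKeyAlgorithms",
                "cipher": "Ciphers", "mac": "MACs"}
    return "\n".join(f"    {keywords[cls]} {','.join(algs)}" for cls, algs in server.items())


if __name__ == "__main__":
    targets = [("admin shell :2242", ADMIN_SSH), ("SSH proxy :22", PROXY_SSH)]
    for name, client in [("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT),
                         ("pinned", PINNED_CLIENT)]:
        for target, server in targets:
            result = check_client(client, server)
            failed = [cls for cls, alg in result.items() if alg is None]
            status = "OK" if not failed else "FAIL, no matching " + ", ".join(failed)
            print(f"{name:7} -> {target:18} {status}: {result}")
    print("Host bastion-proxy\n" + ssh_config(PROXY_SSH))
```

Note the pinned client: the proxy list names only curve25519-sha256@libssh.org, so a client restricted to the IANA name curve25519-sha256 reaches the administration shell but not the proxy.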

4.6.5. Secondary connection algorithms

These algorithms depend on the protocols supported by the targets.


Chapter 5. Specific features

5.1. WALLIX Session Manager
This specific feature of WALLIX Bastion 9.0.2 is available according to your software license
contract.

This feature allows the administrator to:

• identify the users who are connected to specific devices and monitor their activity: sessions can
be viewed in real time through the WALLIX Bastion Web administration interface or downloaded
to be viewed locally on the administrator's workstation
• review video-recorded activity from a privileged user session
• get direct access to resources using native clients such as PuTTY, WinSCP, MSTSC or OpenSSH
• define and configure connection policies through mechanisms available for the RDP, VNC, SSH,
TELNET, RLOGIN and RAW TCP/IP protocols

For further information, refer to Chapter 12, “Session management”, page 218.

5.2. WALLIX Password Manager

This specific feature of WALLIX Bastion 9.0.2 is available according to your software license
contract.

This feature allows the administrator to:

• secure target account passwords and SSH keys
• manage checkout and check-in actions for target account credentials
• change or generate target account passwords
• define a password change policy which can be selected during the creation/modification of a
global domain
• select a password change plugin among the list configured in WALLIX Bastion during the
creation/modification of a global or local domain

For further information, refer to Chapter 11, “Password management”, page 201.

5.3. Password external vault

WALLIX Bastion provides a modular approach to password vault management.

This setup allows a cluster of Bastions to handle sessions and user accesses related to accounts
managed by only one Bastion in the cluster. Account management in this context refers to concepts
such as credential change (password and SSH key) and checkout policy.

The local vault is the default vault. Accounts stored in this vault are managed by the local Bastion.
These accounts can be used either for session or credential access via the Web interface or the
REST API Web Service.

The external vaults are represented in the local Bastion via plugins. The plugins implement the link
allowing the local Bastion to communicate with the external vault.


Currently, the “Bastion” external password vault plugin is available to connect and use the password
vault provided by a WALLIX Bastion.

From the local Bastion's point of view, the “Bastion” plugin represents the password vault provided
by the remote Bastion. Accounts stored in this vault are managed by the remote Bastion and are
usable by the local Bastion either for session or credential access via the Web interface or the REST
API Web Service. In order to be used by the local Bastion these accounts need to be imported into
this local Bastion.

The local Bastion uses the remote Bastion's REST API Web Service to establish a secure
communication channel allowing it to check out or check in the accounts' credentials and also to
extend the checkout duration (if set in the checkout policy on the remote Bastion).

“CyberArk Enterprise Password Vault”, “HashiCorp Vault” and “Thycotic Secret Server” external
password vault plugins are also embedded in WALLIX Bastion to connect to and use the password
vaults of the privilege management solutions provided by these companies.

External vault accounts are mapped into the local Bastion through global domains acting as external
vault account containers. Several domains may point to the same external vault.

For further information on how to set up the local Bastion to use external vault accounts, refer to
Section 10.3, “Domains”, page 148, Section 10.7, “External password vault plugins”, page 187
and Section 11.1, “User authorizations on passwords”, page 201.

5.4. High-Availability
The High-Availability (HA) feature of WALLIX Bastion 9.0.2 delivers continuous WALLIX Bastion
service (access to target devices and the Web console, session recordings) through a failover (also
called "active/passive") two-device cluster, in the event that the "Master" device becomes
unavailable.

This automatic transfer to the second cluster node (i.e. the "Slave") works by:

• sharing a virtual IP address between the two Bastions in the cluster and hiding the actual IP
addresses from the users
• mirroring the configuration data, the connection logs and the files containing the session
recordings, as well as the WALLIX Bastion configuration files on the second cluster node using
DRBD (Distributed Replicated Block Device)
• an email notification mechanism advising the WALLIX Bastion administrator when:
– the service is switched to degraded mode (the "Slave" node has taken over)
– the "Slave" node is unavailable
– a fault is detected (service unavailable, etc.)
– disk synchronization has completed

For further information, refer to Section 8.14, “High-Availability”, page 65.


Chapter 6. Getting started with WALLIX Bastion

6.1. Pre-configuration of TCP and UDP network ports

6.1.1. Communication from WALLIX Bastion
The following ports should be opened to allow communication from WALLIX Bastion:

• SSH: 22
• RDP: 3389
• HTTP/HTTPS: 80/443
• SMTP: 25
• SMTPS: 465
• SMTP+STARTTLS: 587
• NTP: 123
• DNS: 53
• Kerberos external authentication: 88
• LDAP external authentication: 389
• LDAP over SSL external authentication: 636
• RADIUS external authentication: 1812
• TACACS+ external authentication: 49
• NFS network storage: 2049
• SMB/CIFS network storage: 445
• SMB for password management: 139 and 445
• Syslog: 514
• SNMP: 162 for trap notifications

6.1.2. Communication to WALLIX Bastion

The following ports should be opened to allow communication to WALLIX Bastion:

• SSH/SFTP/TELNET/RLOGIN proxy: 22
• RDP/VNC proxy: 3389
• SNMP: 161 for read/write access to OIDs
• WALLIX Bastion administration command line interface (SSHADMIN console): 2242
• WALLIX Bastion administration Web interface (GUI): 443


6.2. Using the command line to connect to WALLIX Bastion
An SSH daemon listening on port 2242 allows you to connect to an administration shell.
For security reasons, all system passwords must be immediately changed on first connection.

Important:
Please remember your new password as it is the only way to connect again.

When WALLIX Bastion is initially installed, a graphical mode displays dialog boxes to guide you
through the configuration steps.
The procedure below illustrates the main steps to configure the WALLIX Bastion connection.

1. First step: choose the keyboard layout language you wish to use
If the current keyboard layout language is detected, it is then highlighted in the list. If this
language is not in the list, you can select "More options..." to display more choices.
2. Second step: set the password for the "wabadmin" user
The default credentials are as follows:
• Password: SecureWabAdmin
You are requested to change the default password for the "wabadmin" user. Enter and confirm
this new password.
By default, the "wabadmin" user is configured with minimum privileges. Follow the next step to
configure the "wabsuper" user to access higher privileges.
3. Third step: set the password for the "wabsuper" user
Once the new password for the "wabadmin" user has been confirmed, you are requested to
enter and confirm the new password for the "wabsuper" user.
The "wabsuper" password can be passed through the "super" command to access higher
privileges, including the ability to get access to "root" privileges using the "sudo" command,
which uses the same password. Once you are logged in as "root", you can use a set of scripts
to manage the day-to-day operation of WALLIX Bastion.
Follow the next step to configure the GRUB password.
4. Fourth step: set the password for the "GRUB" user
Once the new password for the "wabsuper" user has been confirmed, you are requested to
change the default password for the "GRUB" user.
You will be given the option to use the same password as the one entered previously for the
"wabsuper" user or set a new password.

Important:
Only ASCII characters are supported. If the password specified for the "wabsuper"
user contains non-ASCII characters, then it cannot be used as the same password
for the "GRUB" user: you are required to set a different password.


Warning:
Under VMware, once the initial installation has been performed and after the system
reboot, the input of the password for the "GRUB" user matches by default the US
QWERTY keyboard layout.

The default credentials are as follows:

• Login: wabbootadmin
• Password: SecureWabBoot (this default password is modified during this step)

Use the following command if you wish to change this password later:

wabsuper@wab$ WABChangeGrub

Beware of special characters and typing errors as the input cannot be corrected.
However, the "Esc" key allows you to fully delete the input.

Follow the next step to configure the password for the “wabupgrade” user.
5. Fifth step: set the password for the “wabupgrade” user

Once the new password for the “GRUB” user has been confirmed, you are requested to enter
and confirm the new password for the “wabupgrade” user.

Important:
The “wabupgrade” user can only perform upgrades to higher versions of WALLIX
Bastion or hotfix installations.

6. Sixth and last step: define the network configuration

Once the new password for the “wabupgrade” user has been defined, you are requested to set
the network configuration.

6.3. Browsing through the menu of the Web interface
Menu | Sub-menu | Actions
---- | -------- | -------
My preferences | | Change the user preferences. See Section 7.3, “Setting your preferences”, page 36
My authorizations | Sessions | Display the user authorizations on sessions and access targets. See Section 12.1, “User authorizations on sessions”, page 218
My authorizations | Passwords | Display the user authorizations on passwords and access the target credentials. See Section 11.1, “User authorizations on passwords”, page 201
Audit | Current sessions | List connections and logouts. See Section 12.3.1, “Current sessions”, page 223
Audit | Session history | List closed connections and display session recordings. See Section 12.3.4, “Session history”, page 225
Audit | Account history | List the account activities. See Section 12.3.6, “Account history”, page 231
Audit | Approval history | List the current and expired approval requests. See Section 12.3.7, “Approval history”, page 232
Audit | Authentication history | List the primary authentications. See Section 12.3.8, “Authentication history”, page 233
Audit | Connection statistics | Generate connection statistics graphs. See Section 12.3.9, “Connection statistics”, page 234
Users | Accounts | Manage and import (.csv file and LDAP directory) WALLIX Bastion users. See Section 9.1, “User accounts”, page 72
Users | Groups | Manage and import (.csv file) WALLIX Bastion user groups. See Section 9.2, “User groups”, page 82
Users | Profiles | Manage and import (.csv file) WALLIX Bastion user profiles. See Section 9.3, “User profiles”, page 86
Targets | Devices | Manage and import (.csv file) target devices. See Section 10.1, “Devices”, page 124
Targets | Applications | Manage and import (.csv file) target applications. See Section 10.2, “Applications”, page 136
Targets | Domains | Manage and import (.csv file) global and local domains. See Section 10.3, “Domains”, page 148
Targets | Accounts | Manage and import (.csv file) target accounts. See Section 10.4, “Target accounts”, page 159
Targets | Clusters | Manage and import (.csv file) clusters of jump servers. See Section 10.6, “Clusters”, page 184
Targets | Groups | Manage and import (.csv file) target groups. See Section 10.5, “Target groups”, page 172
Targets | Password vault plugins | Display the list of available external password vault plugins. See Section 10.7, “External password vault plugins”, page 187
Targets | Checkout policies | Manage password checkout policies. See Section 10.8, “Checkout policies”, page 193
Authorizations | Manage authorizations | Manage and import (.csv file) authorizations between target groups and user groups. See Chapter 14, “Authorization management”, page 269
Authorizations | My current approvals | Manage the current approval requests and provide answers. See Section 14.5, “View the current approvals”, page 273
Authorizations | My approval history | List the current and expired approval requests. See Section 14.6, “View the approval history”, page 274
Session management | Connection policies | Manage authentication mechanisms for proxies (RDP, VNC, SSH, TELNET, RLOGIN and RAW TCP/IP). See Section 12.4, “Connection policies”, page 236
Session management | Recording options | Manage options for session recording storage. See Section 12.5, “Session recording options”, page 239
Password management | Password change policies | Manage password change policies. See Section 11.3, “Password change policies”, page 214
Password management | Password change plugins | Display the list of available plugins for password change. See Section 11.2, “Password change plugins”, page 203
Configuration | Configuration options | Configure specific WALLIX Bastion aspects (e.g. the GUI options, the RDP proxy, the SSH proxy, etc.). See Chapter 8, “Appliance configuration”, page 39
Configuration | Time frames | Manage time frames. See Section 14.8, “Time frames configuration”, page 277
Configuration | External authentications | Manage external authentication methods (LDAP, Active Directory, Kerberos, RADIUS). See Section 9.8, “External authentication configuration”, page 107
Configuration | LDAP/AD domains | Integrate user accounts via LDAP or Active Directory; import (.csv file) LDAP/AD domains and LDAP authentication mappings. See Section 9.9, “Configuration of LDAP or Active Directory domain mapping”, page 114
Configuration | Notifications | Manage the notification mechanism. See Section 9.5, “Notification configuration”, page 93
Configuration | Local password policy | Manage the local password policy. See Section 9.6, “Local password policy configuration”, page 98
Configuration | Connection messages | Configure the message displayed on a banner when a user logs on to proxies. See Section 12.22, “Connection messages”, page 261
Configuration | X509 configuration | Configure X509 certificate authentication. See Section 9.7, “X509 certificate authentication configuration”, page 100
Configuration | API keys | Manage API keys. See Section 16.3, “REST API key management”, page 294
Configuration | License | Display and update the license key. See Section 8.2, “License”, page 43
Configuration | Encryption | Set the encryption protection. See Section 8.3, “Encryption”, page 45
Configuration | Audit logs | Display the content of the "wabaudit" file. See Section 8.5, “System logs”, page 47
System | Status | Display general information on system status. See Section 8.4, “System status”, page 46
System | Network | Configure network settings. See Section 8.6, “Network”, page 48
System | Time service | Configure time service settings (NTP). See Section 8.7, “Time service”, page 50
System | Remote storage | Manage remote storage of session recordings. See Section 8.8, “Remote storage”, page 51
System | SIEM integration | Manage routing of logs to other network devices. See Section 8.9, “SIEM integration”, page 52
System | SNMP | Manage the SNMP agent. See Section 8.10, “SNMP”, page 53
System | SMTP server | Configure the mail server for notification sending. See Section 8.12, “SMTP server”, page 59
System | Service control | Define service mapping with network interfaces and WALLIX Bastion services to be enabled/disabled. See Section 8.11, “Service control”, page 57
System | Syslog | Display the content of the "syslog" file. See Section 8.5, “System logs”, page 47
System | Boot messages | Display the content of the "dmesg" file. See Section 8.5, “System logs”, page 47
System | Backup/Restore | Save and restore a WALLIX Bastion configuration. See Section 8.13, “Backup and Restoration”, page 60
Import/Export | CSV | Import data from a .csv file; export data as a .csv file, a .zip or .tar.gz archive. See Section 9.1, “User accounts”, page 72; Section 9.2, “User groups”, page 82; Section 9.3, “User profiles”, page 86; Section 10.1, “Devices”, page 124; Section 10.2, “Applications”, page 136; Section 10.3, “Domains”, page 148; Section 10.4, “Target accounts”, page 159; Section 10.6, “Clusters”, page 184; Section 10.5, “Target groups”, page 172; Section 14.1, “Add an authorization”, page 269; Section 9.9, “Configuration of LDAP or Active Directory domain mapping”, page 114
Import/Export | Users from LDAP/AD | Import users from an LDAP or AD directory. See Section 9.1, “User accounts”, page 72


6.4. Availability of specific management features

6.4.1. Session management
The "Session Management" menu and the "Sessions" entry in "My Authorizations" can only be
managed if the WALLIX Session Manager feature is associated with your license key.

6.4.2. Password management

The "Password Management" menu and the "Passwords" entry in "My Authorizations" can only be
managed if the WALLIX Password Manager feature is associated with your license key.

6.5. Managing data search, sort and layout customization in the tables of the Web interface
The WALLIX Bastion Web interface includes functionalities that enable you to search, sort,
customize and delete the data displayed within the tables.

Note:
When long data appears truncated within a table (for example: “abcdefghijk...”), its whole
textual value can be displayed in a tooltip by hovering the mouse over the data for 0.5
seconds.

6.5.1. Search data

The search fields located in most column headers of the Web interface tables are used to search
for data and are displayed by clicking on the icon. Then, enter a term and click on the “Search”
button. An active search is symbolized by the colored icon.

It is also possible to search for data on multiple columns by repeating the previous actions in each
column concerned.

The wildcard symbol ✱ can also be used in the search fields to perform a search based on specific
criteria. This character can be placed anywhere to replace any string (including empty strings) in
the search terms.

The table below illustrates the possible search types using the wildcard symbol ✱:

Search string | Returns only lines with at least one column matching...
------------- | -------------------------------------------------------
rdp* | any string starting with the word “rdp” (e.g. RDPDevice1)
*rdp | any string ending with the word “rdp” (e.g. ServiceRdp)
*rdp* or rdp | any string including the word “rdp”, regardless of the position of the keyword in the character string found
r*p | any string starting with “r” and ending with “p” (e.g. Rdp, RP)
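The wildcard semantics above (✱ replaces any string, including the empty one; a bare term means "contains"; matching is not case-sensitive; the filter applies to the whole table and repeating it on another column combines the filters) can be written out as an added illustration, not WALLIX code; the table columns and rows below are constructed.

```python
import re

# Added illustration, not WALLIX code: reproduces the wildcard search semantics of
# Section 6.5.1 over a constructed table; column names and rows are assumptions.


def term_to_regex(term):
    """Case-insensitive regex matching a whole cell. The wildcard ✱ (ASCII '*' is
    accepted too) stands for any string, including the empty string; a term
    without a wildcard behaves like *term*, i.e. "contains"."""
    term = term.replace("✱", "*")
    if "*" not in term:
        term = "*" + term + "*"
    literal_parts = [re.escape(part) for part in term.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def cell_matches(term, value):
    return term_to_regex(term).match(str(value)) is not None


def search(rows, filters):
    """rows: one dict per table line; filters: {column: search string}. Repeating
    the search on several columns combines the filters with AND, and the search
    runs over the whole table, not only the currently displayed view."""
    return [row for row in rows
            if all(cell_matches(term, row.get(column, "")) for column, term in filters.items())]


# Constructed sample table of target devices.
DEVICES = [
    {"name": "RDPDevice1", "host": "10.0.0.11", "service": "RDP"},
    {"name": "ServiceRdp", "host": "10.0.0.12", "service": "RDP"},
    {"name": "Rdp", "host": "10.0.0.13", "service": "SSH"},
    {"name": "RP", "host": "10.0.0.14", "service": "SSH"},
    {"name": "db01", "host": "10.0.1.20", "service": "SSH"},
]


def names_matching(term, column="name"):
    """Device names whose `column` matches `term`."""
    return [row["name"] for row in search(DEVICES, {column: term})]


if __name__ == "__main__":
    for term in ("rdp*", "*rdp", "*rdp*", "rdp", "r*p"):
        print(f"{term:6} -> {names_matching(term)}")
    print("r*p on name AND ssh on service ->",
          [row["name"] for row in search(DEVICES, {"name": "r*p", "service": "ssh"})])
```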


A search can be saved by activating the “Save search filter” button in the “Table settings” window
accessible via the icon. The search filter is then saved for the active table.

Note:
The search is not case-sensitive.

The search focuses on the entire table and not only on the active view.

The result of a single or multiple search can be deleted by clicking on the icon and then on the
“Reset” button, or by clicking on the icon located in the upper right corner of the page.

6.5.2. Sort data

It is possible to sort the data displayed in the tables of the Web interface either alphabetically or
numerically and in either ascending or descending order by clicking in the column headers: up
arrow for sorting in ascending order; down arrow for sorting in descending order. An active sort is
symbolized by a colored arrow.

Note that a multiple sort can be performed by enabling the “Multiple sorting” button in the “Table
settings” window accessible via the icon. The multiple sort is then saved for the active table.

Note:
The sort applies to all the data contained in the table and not only to those of the active
view.

The table settings can be restored by disabling the “Multiple sorting” button or by clicking on “Reset
table user preferences”. These options are accessible via the icon.

6.5.3. Customize layout

The WALLIX Bastion Web interface includes the possibility to resize the tables by clicking on a
column separator and dragging it left or right to the desired width.

It is also possible to show or hide the columns of a table and to change the order in which they are
displayed via the “Table settings” window accessible via the icon.

In this window, you can make the following changes:

• change the order in which the columns are displayed by using the up and down arrows
• hide or show a column by deselecting or selecting the check box at the beginning of the line of
the relevant column. The columns are checked by default.

Warning:
The first column of a table or any column that contains an access link to another page
of the interface cannot be moved or hidden.

• if necessary, restore the table settings by clicking on “Reset table user preferences” located in
the “Table settings” window


6.5.4. Delete data

It is possible to delete data in the Web interface tables, at any time and on any page, by checking the
box at the beginning of the line of the data you wish to delete, and then by clicking on the “Delete”
button in the upper right corner of the page.
To delete all the data from a table, check the box in the table header and click on the “Delete” button
located in the upper right corner of the page.

Warning:
This action only deletes the data of the active view.

Any selection made using the check boxes can be canceled by clicking on the cross displayed
above the table, next to the summary for the number of selected entries.


Chapter 7. Login on the Web interface

Note:
It is possible to choose which interface will be displayed by default from the menu
“Configuration” > “Configuration options” > “GUI”. For further information, refer to
Section 8.1.1, “Configuring the Web user interface”, page 40.

7.1. Access to the Web administration interface

To access the Web administration interface of WALLIX Bastion, enter the following URL in your
browser's address bar:

https://bastion_ip_address/ui or https://<bastion_name>/ui

Warning:
Internet Explorer is not supported by the default interface.

Your browser must be configured to accept cookies and run JavaScript.

For security reasons, WALLIX Bastion checks that the hostname received in the URL
matches its FQDN, hostname or the interface's IP address. If it is not recognized, the
user will be redirected to the IP address of the network interface used. To prevent any
redirection, it is possible to add trusted hostnames and IP addresses via the option
“Trusted hostnames for HTTP_HOST header” accessible from the menu “Configuration”
> “Configuration options” > “Global”, section “main”.

WALLIX Bastion comes as standard with a factory-set administrator account whose default
credentials are as follows:

• User name: admin
• Password: admin

This default password can be changed. For further information, refer to Section 15.4, “Change
the password of the factory-set administrator account”, page 281.

For security reasons, it is required to change the administrator account password on first login. For
further information, refer to Section 7.3, “Setting your preferences”, page 36.

The login page of WALLIX Bastion supports the following authentication methods: password,
Kerberos, LDAP, RADIUS, TACACS+, PINGID and X509. In the case of an authentication via
Kerberos or X509 certificate, click on the corresponding button in the “Other authentication
method” section to access the Web interface. For further information on the configuration of these
authentication methods, refer to Section 9.8, “External authentication configuration”, page 107
and Section 9.7, “X509 certificate authentication configuration”, page 100.

In addition, an AD user can be prompted to change an expired password on this screen or when
connecting to RDP or SSH sessions. The prerequisites are as follows:

• the minimum required version for the Active Directory server is Windows Server 2008 R2
• the option “AD user password change” (accessible from the menu “Configuration” >
“Configuration Options” > “Global” > section “main”) must be selected and
• at least one encryption protocol (either StartTLS or SSL) must be set on the authentication
method associated with the domain. For further information, refer to Section 9.8.1.3, “Add an
LDAP external authentication”, page 109 and Section 9.9, “Configuration of LDAP or Active
Directory domain mapping”, page 114.

Note:
The logo image, the product name as well as the display of the copyright notice
on the login screen can be managed from the menu “Configuration” > “Configuration
Options” > “GUI” > “oem” section. For further information, refer to Section 8.1, “Interface
configuration”, page 40.

The warning message on the login screen can be managed from the menu “Configuration”
> “Connection messages”. For further information, refer to Section 12.22, “Connection
messages”, page 261.

Figure 7.1. Login screen

Once you have successfully logged on, the following page is displayed:


Figure 7.2. WALLIX Bastion home page (displayed for an administrator profile)

7.2. Description of the home page

The WALLIX Bastion home page displays the following elements:

• a header containing:
– the name of the user who is logged on. When hovering the mouse over the user name area, a
contextual menu displays the entry for the “My preferences” page, the “Legacy interface” icon
to access the legacy interface, and the logout icon.
– the icon providing a menu to access the technical documentation delivered as a contextual
on-line help
– the icon providing an access to the possible notifications (the approval requests for the user
with the approver profile and the password expiration warning)
• a vertical menu on the left of the screen from which you can access all the WALLIX Bastion
administration functions. The layout of the Web interface is subdivided vertically and horizontally
so as to clearly structure it.
• a working area on which is displayed a welcome message. The information introduced by this
message can be hidden by clicking on the “Do not show again” button.
• a dashboard located at the bottom of the screen which provides the shortcuts to the most used
administration functions.

7.3. Setting your preferences


The “My preferences” page is accessible by hovering your mouse over your user name at the top
right of the screen. All users have access to this page, regardless of their administration rights.
On this page, the user has access to four tabs:

• “Profile”: to change the email address and to select the preferred language
• “Password”: to change the password (only if the user has been declared locally with a
“local_password” authentication)
• “SSH public key”: to drag-and-drop, upload or enter manually an SSH public key using RSA,
ED25519 or ECDSA algorithm, or to delete an existing SSH public key (only if the user has been
declared locally with a “local_sshkey” authentication)

Warning:
In the “SSH public key” tab, it is not possible to drag-and-drop, upload or enter manually
a key if no algorithm is allowed for the SSH key on the “Local Password Policy” page
from the “Configuration” menu. For further information, refer to Section 9.6, “Local
password policy configuration”, page 98.

This key must be in the OpenSSH format. Otherwise an error message is displayed.

If you use PuTTYgen to generate the key, you must save the public key displayed in the
OpenSSH format during generation to a text file. As an example, such a key is labelled
as follows:

“ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0yR9lBQov6[.....]c3xu9p/xNjw==
rsa-key-20151204”

You can then upload this key on the “SSH public key” tab.

If a key already exists, you can load the private key in PuTTYgen in order to generate
the corresponding public key in the appropriate format.

• “GPG key”: to drag-and-drop, upload or display a GPG key, or delete an existing GPG key

Warning:
If the GPG key is not specified for the user with the “product_administrator” or
“operation_administrator” profile, then a warning email is sent daily to notify the user
of the missing declaration of the GPG key.

The sending of this warning email can be managed via the “Missing GPG key warning
email” option in the menu “Configuration” > “Configuration options” > “Global”. By
default, this option is enabled.

Figure 7.3. "My Preferences" page

7.4. Summary
In the modification pages of the Web interface, a summary is displayed on the right part of your
screen. It gives an overview of the data previously defined.

By clicking on the main entries of the summary, you are redirected to the concerned pages and
you can enter, add, edit or delete data. Note that you have the possibility to hide and show this
summary at any time.

Chapter 8. Appliance configuration


The “Configuration Options” page on the “Configuration” menu allows advanced configuration of
global WALLIX Bastion parameters.

Click on the needed option in the list to display the related parameters which can be configured
on the dedicated page for:

• the data retention policy. For further information, refer to Section 9.4, “User data retention
policy”, page 92.
• the global parameters
• the Web interface (“GUI”). For further information, refer to Section 8.1, “Interface
configuration”, page 40.
• the legacy Web interface (“GUI (Legacy)”)
• the license configuration
• the logger
• the configuration of the external modules
• the OEM (“OEM (Legacy GUI)”)
• the RDP proxy
• the RDP proxy session manager
• the REST API
• the options regarding session log retention. For further information, refer to Section 15.19, “Export
and/or purge session recordings automatically”, page 286 and Section 15.22, “Check integrity
of session log files”, page 288.
• the SSH proxy
• the Watchdog

On each of these pages, a useful description can be displayed for all the fields by selecting the
check box of the “Help on options” field at the top right of the page. This description includes the
appropriate format to be specified in the concerned field.

Warning:
The options displayed when the check box of the “Advanced options” field at the top right
of the page is selected should ONLY be changed upon request of the WALLIX Support
Team! An orange exclamation mark is displayed near the concerned fields.

Figure 8.1. "Configuration Options" page for SSH proxy with field descriptions

8.1. Interface configuration


The Web interface of WALLIX Bastion can be customized in order to match your specific needs.

8.1.1. Configuring the Web user interface


From the menu “Configuration” > “Configuration options” > “GUI”, under the “ui” section, you
can select in the field “Default user interface” the Web user interface which will be displayed by
default. For further information, refer to Figure 8.2, “"Configuration options" page for Web interface
configuration (GUI) - Part 1”, page 42.

If “current” is selected, then the user will be redirected to the login page of the default interface.
However, s/he will still have access to the legacy interface via the link “Legacy interface” that
appears when hovering over the user name at the top of the page.

If “legacy” is selected, then the user will be redirected to the login page of the legacy interface.
However, s/he will still have access to the default interface via the link “Switch to the default interface”
located at the top of the page or to both interfaces via:

https://bastion_ip_address/ui or https://<bastion_name>/ui for the default interface

https://bastion_ip_address or https://<bastion_name> for the legacy interface

Note:
If the configuration option “Link switch default interface” (accessible from “Configuration”
> “Configuration options” > “GUI (Legacy)”) is deselected, then the link “Switch to the
default interface” will not be displayed on the home page of the legacy interface. The user
will then not be able to access the default interface.

8.1.2. Configuring the session timeout


From the menu “Configuration” > “Configuration options” > “GUI”, under the “ui” section, you can edit
in the field “Session timeout” the maximum time period for the session disconnection. For further
information, refer to Figure 8.2, “"Configuration options" page for Web interface configuration (GUI)
- Part 1”, page 42.

The session timeout value is set by default to 900 seconds. The timeout value cannot be lower
than 300 seconds.

The modification will apply at next login.

8.1.3. Configuring the debug mode


From the menu “Configuration” > “Configuration options” > “GUI”, under the “ui” section, you can
enable the debug mode by checking the “Debug” box. For further information, refer to Figure 8.2,
“"Configuration options" page for Web interface configuration (GUI) - Part 1”, page 42.

The debug mode provides information in the browser's JavaScript console regarding display issues
of the Web interface pages. This information may be sent to the WALLIX Support Team, if need be.

8.1.4. Configuring the OEM


From the menu “Configuration” > “Configuration options” > “GUI”, you have the possibility to
customize the Web interface by configuring, under the “oem” section:

• the product name displayed on the pages of the interface as well as on the Web browser tab
(“Product name”)
• the short version of the product name (“Product name short”)
• the name of the Support Team (“Product support name”)
• the display of WALLIX copyright on the login page (“Copyright login”)
• the small site icon displayed on the Web browser tab (“Favicon”)
• the logo displayed at the top of the left sidebar menu (“Logo”)
• the small version of the logo displayed at the top of the left sidebar menu when collapsed (“Logo
small”)
• the logo displayed on the login page (“Login page logo”)
• the welcoming title of the login page for each language supported by WALLIX Bastion (“Login
page title”)
• the color of the welcoming title and connection message displayed on the login page (“Login
page info color”)
• the background color of the login page's right side panel (“Login page background color”)

• the background image of the login page's left side panel (“Login page background image”)

Note that the images must be in PNG format and that it is possible to restore the default WALLIX
Bastion images by checking the box “Restore default image”.

Figure 8.2. "Configuration options" page for Web interface configuration (GUI) - Part 1

Figure 8.3. "Configuration options" page for Web interface configuration (GUI) - Part 2

8.2. License
The use of WALLIX Bastion is controlled by a license key. This key contains the elements included
in the sales contract and is provided by WALLIX. It is entered in WALLIX Bastion by the client via
the Web user interface.

From the "License" page on the "Configuration" menu, you can display the license properties and
update the license key.

According to the sales contract, the license mechanism can check:

• the license type for a perpetual license agreement (“Legacy Bastion license”)
• the pack for a subscription license agreement (“WALLIX license”)
• the add-ons for a subscription license agreement (“WALLIX license”)
• the license expiration date

Note:
When notifications are enabled for the license expiration warning, an email will be sent
15 days, 10 days, 5 days and 1 day before the license expiration date. For further
information, refer to Section 9.5, “Notification configuration”, page 93.

• the number of concurrent connections to the Bastion (i.e. primary connections)

Note:
Connections of the administrator account with the "product_administrator" profile are
not counted.

• the number of concurrent connections to targets (i.e. secondary connections)
• the number of users which can be named, i.e. the number of unique users declared in WALLIX
Bastion or who connected from an LDAP domain mapping
• the number of protected resources, i.e. the number of devices and applications declared in
WALLIX Bastion
• when WALLIX Session Manager is associated with the license key, the number of targets included
in groups which can be declared to initiate sessions

Note:
Each target is only counted once, regardless of the number of groups into which it is
included.

Target accounts which can be used as scenario accounts are not counted.

• when WALLIX Password Manager is associated with the license key, the number of targets
included in groups which can be declared to check out the accounts' credentials

Note:
Each target is only counted once, regardless of the number of groups into which it is
included.

• when WALLIX Password Manager is associated with the license key, the number of
clients using WALLIX Application-to-Application Password Manager (also called “WAAPM”).
Documentation related to WAAPM can be downloaded from WALLIX Support portal (https://
support.wallix.com [https://support.wallix.com/]).

To obtain a license, a context file must be created and sent to WALLIX Support (https://
support.wallix.com/). To do so, click on the “Download context file” button to generate and
download a context file and send it to the WALLIX Support Team which will provide you with a
license key update.

Once you have received the license update file, upload or drag-and-drop it in the “License update”
section and click on the “Apply” button.

It is possible to revoke the licenses installed on WALLIX Bastion by clicking on the “Revoke” button.
The legacy licenses (“Legacy Bastion license”) are revoked immediately. The current licenses
(“WALLIX license”) will become invalid 15 days after performing the revocation.

Warning:
In the context of a perpetual license (“Legacy Bastion license”), the latter is bound to the
MAC addresses of the first two interfaces of the Bastion (when more than one interface
is declared). If WALLIX Bastion is deployed on a virtual environment using two virtual
machines on two different nodes, make sure the MAC addresses are cloned to provide
redundancy. Moreover, we strongly recommend defining static MAC addresses to avoid
any change at reboot.

8.2.1. Managing the license key from the command line


The license key can be managed from the command line when logged in as "root".

To display the license properties and metrics:

wab2:~# WABGetLicenseInfo

To generate the license context file:

wab2:~# WABSetLicense -c -f <License context file>

To import a new license:

wab2:~# WABSetLicense -u -f <License update file>

To revoke the license:

wab2:~# WABSetLicense -d

Warning:
The legacy licenses (“Legacy Bastion license”) are revoked immediately. The current
licenses (“WALLIX license”) will become invalid 15 days after performing the revocation.

8.2.2. Managing the sending of notifications


Notifications can be sent to the administrator as soon as one of the license metrics has reached and/
or exceeded the given threshold(s), defined as a percentage. These thresholds can be managed
from “Configuration” > “Configuration options” > “License” > section “[main]”.

8.3. Encryption
The encryption of WALLIX Bastion secures your sensitive data (such as target accounts' credentials,
local users' passwords, Web interface connections, RDP and SSH connections, etc.) by using a
strong cryptographic algorithm. For further information on the cryptography specifications to secure
data gathered in the Bastion, refer to Section 4.6, “Data encryption”, page 18.

This algorithm uses an encryption key which is secret and unique to your WALLIX Bastion and
totally hidden from users.

It is recommended to secure this encryption key by defining an associated passphrase with a
minimum length of 12 characters when installing WALLIX Bastion, from the “Encryption” page on
the “Configuration” menu. Defining the passphrase makes access to WALLIX Bastion more complex
and increases the protection of your data, as a malicious user who does not know the passphrase
cannot access your product.

It is essential to remember this passphrase as it will be required:

• when restoring the configuration of WALLIX Bastion (refer to Section 8.13, “Backup and
Restoration”, page 60). If you lose the passphrase, you will no longer be able to access your
data stored on remote storage.
• when rebooting the system. As long as the passphrase is not entered by the administrator with
the “product_administrator” profile in the Web administration interface, the “System” configuration
menu will be hidden and connections using WALLIX Bastion proxies will not be usable.
• when changing the passphrase. If you wish to change your passphrase, you have to enter the
current passphrase to be able to set a new one.

Important:
For security reasons, the passphrase can only be defined during the installation of
WALLIX Bastion. It will be impossible to define it afterwards.

Once a passphrase has been set, it can no longer be deleted. However, an existing
passphrase can be modified.

After initialization of the encryption, it is highly recommended to back up WALLIX Bastion
at least once to keep a copy of the encryption key in a safe place (refer to Section 8.13,
“Backup and Restoration”, page 60).

Once the encryption is configured, you can go back at any time to the “Encryption” page on the
“Configuration” menu either to check that your WALLIX Bastion is ready and secured or to change
the passphrase.

Figure 8.4. "Encryption" page

8.4. System status

From the "Status" page on the "System" menu, you can view the following system information:

• the current version of WALLIX Bastion
• the number of current RDP or SSH sessions initiated from WALLIX Bastion

Note:
It corresponds to the list of active connections on the "Current Sessions" page
displayed from the "Audit" menu.

• the CPU usage
• the RAM usage
• the swap usage
• the available space on the partition /var/wab (where the session recordings are saved)

Note:
The RAM usage does not include the system cache.

All log and debugging information files can be downloaded as a .zip archive by clicking on the
"Download debug information" button at the bottom of the page.

Figure 8.5. "Status" page

8.5. System logs


You can view and save system logs from the Web user interface.

All the files for these logs (with the .log extension) can be downloaded as a .zip archive by clicking
on the dedicated icon on the right part of the concerned page.

WALLIX Bastion gathers the following system logs:

• "syslog" displayed from the "Syslog" page on the "System" menu. This log shows the session logs,
i.e. the majority of messages on proxy operation or the use of the Web administration interface.
• "dmesg" displayed from the "Boot Messages" page on the "System" menu. This log shows the
system start log.
• "wabaudit" displayed from the "Audit Logs" page on the "Configuration" menu. This log shows
the connections and operations performed by the auditors and the administrators.

Furthermore, all log and debugging information files can be downloaded from the "Status" page on
the "System" menu.

Note:
Some system logs saved in partition /var/log are stored for a maximum time period
of 5 weeks.

8.6. Network
From the "Network" page on the "System" menu, you can define/edit the network configuration of
the appliance.

You can edit the following elements:

• the host name
• the domain name
• the configuration of network interfaces, including the bonding, VLAN and virtual interfaces

Important:
The interface eth1 (port 2 on appliances) is only devoted to high-availability (HA)
interconnection. No other service can be mapped to this interface. For further
information, refer to Section 8.11.1, “Service mapping”, page 57.

You can also:

• add bonding interfaces

To do so, select the desired mode ("active-backup" or "802.3ad (LACP)") for the new bonding
interface in the frame "Interface bonding" then click on the "+" button to add this interface. It is
then required to link this "master" bonding interface to a "slave" physical interface in the frame
"Interfaces" by selecting its name in the list of the "Bonding interface" field.

Important:
The interface eth1 (port 2 on appliances) is only devoted to high-availability (HA)
interconnection. It cannot be selected for interface bonding.

An interface can only be disabled by deselecting the option "Enable IP" when the latter
is not mapped to any services on the "Service Control" page. For further information,
refer to Section 8.11, “Service control”, page 57.

To perform interface bonding, the "slave" physical interface cannot be linked to a VLAN,
a virtual interface or a route.

For further information on the modes "active-backup" and "802.3ad (LACP)" supported
for interface bonding, refer to https://www.kernel.org/doc/Documentation/
networking/bonding.txt.

• add routes
• define the default egress interface and the related gateway
• enable IP source routing

To define IP source routing and thus enable inputs and outputs on the same physical interface,
it is required to select the option "Enable IP source routing" in the frame "Routes". Routing is
then enabled for the physical and VLAN interfaces for which the option "Enable IP" is selected
in the frame "Interfaces".

Important:
The interface eth1 (port 2 on appliances) is only devoted to high-availability (HA)
interconnection. It cannot be selected for IP source routing.

The default egress interface can be selected among a list including the physical and
VLAN interfaces for which the option "Enable IP" is selected in the frame "Interfaces".

An interface can only be disabled by deselecting the option "Enable IP" when the latter
is not mapped to any services on the "Service Control" page. For further information,
refer to Section 8.11, “Service control”, page 57.

The IP address specified for the gateway must match the sub-network configured for
the egress interface selected. If the default gateway is not specified, then outbound
connections from the Bastion may fail.

• enable ICMP redirect

To define ICMP redirect, it is required to select the option "Enable ICMP redirect" in the frame
"Routes".
• define the entries in the "hosts" file
• add the DNS servers

Warning:
Before changing the WALLIX Bastion IP address used to communicate with the file server
configured with remote storage, we recommend disabling remote storage and re-enabling
it again once the address has been changed. For further information, refer to Section 8.8,
“Remote storage”, page 51.

Figure 8.6. "Network" page

8.7. Time service


From the "Time Service" page on the "System" menu, you can configure the time zone in which
WALLIX Bastion is located.

This setting is especially important, as:

• date and time in WALLIX Bastion must be synchronized with the Kerberos authentication servers
• WALLIX Bastion is the time reference for escalated audit information and time frame management

Note:
By default, the time service is active and synchronized with the Debian project time
servers.

Figure 8.7. "Time Service" page

8.8. Remote storage


From the "Remote Storage" page on the "System" menu, you can enable the export of session
video recordings to a remote file system by setting the connection to an SMB/CIFS, NFS or Amazon
EFS server.

Note:
WALLIX Bastion automatically moves the recordings of recently terminated sessions from
local storage to remote storage. For further information, refer to Section 15.20, “Move
local session recordings to remote storage”, page 287.

When remote storage is enabled but the file server is temporarily unavailable, the
various features of WALLIX Bastion can still be accessed. The session recordings are
nonetheless kept on local storage during server unavailability.

Specify the following elements to set the connection:

• the remote file system type (SMB/CIFS, NFS or Amazon EFS)
• the protocol version

Note:
If “Automatic” is selected, then WALLIX Bastion will try to detect the version
automatically.

For SMB/CIFS, “Automatic” detection does not support protocol versions prior to
SMBv2.1.

For NFS, “Automatic” detection does not support protocol versions NFSv4.1 and
NFSv4.2.

For Amazon EFS, only “Automatic” detection is available and selected by default.

• the IP address or FQDN of the file server
• the port number of the remote service (except for Amazon EFS)

• the remote directory in which the recordings will be stored (except for Amazon EFS)

You must also specify for SMB/CIFS:

• the user name to log on to the remote service
• the password

The "Activate" button enables the configuration.

Figure 8.8. "Remote Storage" page

8.9. SIEM integration


From the "SIEM Integration" page on the "System" menu, you can configure the routing of the
logged information to one or more other network devices through SIEM or syslog servers.

Warning:
This page is only displayed when the “SIEM” feature is associated with the license key.

Specify the following elements to set the routing through a SIEM server:

• the IP address or FQDN of the server
• the transmission protocol (UDP, TCP or TLS)

Note:
It is also possible to configure the TLS client through the addition of a specific
configuration file. For further information, refer to Section 15.25, “Configure TLS client
for SIEM integration”, page 289.

• the port number
• the log format (either the standard RFC 5424 format or the RFC 3164 format)
• when RFC 3164 is selected for the log format, you can choose as a timestamp format either the
RFC 3164 date format or the ISO format (YYYY-MM-DDTHH:MM:SS±TZ). The latter includes the
year and timezone.

Note:
When upgrading from a version earlier than WALLIX Bastion 6.2.3, the RFC 3164
format applies by default to all the servers previously configured on this page.
The RFC 3164 format always applies to backups created on WALLIX Bastion version
6.x.

• the filter used to select the categories of logged information to send to the server, i.e.
configuration changes, WALLIX Bastion audit and authentication logs, account activities, events
of the RDP and SSH proxies and metadata of RDP, SSH and VNC sessions.

Note:
When upgrading from a version earlier than WALLIX Bastion 8.2, all the logged
information categories are selected by default for all the servers previously configured
on this page.

The logs are sent to the selected IP address and port via the selected transmission protocol.
They are also stored on the local file system so that they remain available for display on the
"Audit Logs" page, on the "Configuration" menu. For further information on this log, refer to
Section 8.5, “System logs”, page 47.

For further information on data export, refer to Chapter 17, “SIEM messages”, page 296.
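On the receiving side, a SIEM has to recognise the three header shapes this page lets you choose between (RFC 5424, and RFC 3164 with either the RFC 3164 date or the ISO timestamp). The following Python is an added example, not part of the WALLIX documentation or product: the sample lines, the application name exampleapp and the messages are constructed, and because the RFC 3164 date carries neither year nor timezone the parser completes it with an assumed year and leaves it naive.

```python
"""Added example: normalise the syslog header formats selectable on the
"SIEM Integration" page. Not WALLIX code; sample lines are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample lines (not real Bastion output): one event, three headers.
SAMPLE_LINES = [
    # RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
    "<86>1 2021-03-04T10:11:12+01:00 bastion01 exampleapp - - - user alice logged in",
    # RFC 3164 with the RFC 3164 date: no year, no timezone
    "<86>Mar  4 10:11:12 bastion01 exampleapp: user alice logged in",
    # RFC 3164 with the ISO timestamp option: year and timezone present
    "<86>2021-03-04T10:11:12+01:00 bastion01 exampleapp: user alice logged in",
]

ISO_TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:?\d{2})"
BSD_TS = r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}"

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
RFC5424_RE = re.compile(
    rf"^1 (?P<ts>{ISO_TS}|-) (?P<host>\S+) (?P<app>\S+) (?P<proc>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$", re.S)
RFC3164_RE = re.compile(
    rf"^(?P<ts>{ISO_TS}|{BSD_TS}) (?P<host>\S+) (?P<app>[^:\s\[]+)"
    r"(?:\[(?P<proc>\d+)\])?: ?(?P<msg>.*)$", re.S)
ISO_PARTS_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,6}))?"
    r"(?:(Z)|([+-])(\d{2}):?(\d{2}))$")


@dataclass
class SyslogEvent:
    fmt: str                        # "rfc5424" or "rfc3164"
    facility: int
    severity: int
    timestamp: Optional[datetime]   # tz-aware for ISO, naive for the RFC 3164 date
    host: str
    app: str
    msg: str


def parse_iso_timestamp(ts: str) -> datetime:
    """YYYY-MM-DDTHH:MM:SS[.frac](Z|+-HH[:]MM) -> aware datetime."""
    m = ISO_PARTS_RE.match(ts)
    if not m:
        raise ValueError(f"not an ISO timestamp: {ts!r}")
    y, mo, d, h, mi, s, frac, zulu, sign, oh, om = m.groups()
    micro = int((frac or "0").ljust(6, "0"))
    offset = timedelta(0) if zulu else timedelta(hours=int(oh), minutes=int(om))
    if sign == "-":
        offset = -offset
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro,
                    tzinfo=timezone(offset))


def parse_bsd_timestamp(ts: str, assumed_year: int) -> datetime:
    """'Mmm dd HH:MM:SS' has no year and no timezone: the caller supplies
    the year and the result stays naive, which is exactly the ambiguity the
    ISO timestamp option removes."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=assumed_year)


def parse_syslog(line: str, assumed_year: int) -> SyslogEvent:
    """Classify one line as RFC 5424 or RFC 3164 and extract its header."""
    m = PRI_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"missing <PRI>: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    rest = m.group("rest")
    m = RFC5424_RE.match(rest)
    if m:
        ts = None if m.group("ts") == "-" else parse_iso_timestamp(m.group("ts"))
        return SyslogEvent("rfc5424", facility, severity, ts, m.group("host"),
                           m.group("app"), m.group("msg") or "")
    m = RFC3164_RE.match(rest)
    if m:
        raw = m.group("ts")
        ts = (parse_iso_timestamp(raw) if raw[0].isdigit()
              else parse_bsd_timestamp(raw, assumed_year))
        return SyslogEvent("rfc3164", facility, severity, ts, m.group("host"),
                           m.group("app"), m.group("msg"))
    raise ValueError(f"unrecognised syslog header: {line!r}")


def parse_all(lines: List[str], assumed_year: int = 2021) -> List[SyslogEvent]:
    return [parse_syslog(line, assumed_year) for line in lines]
```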

Figure 8.9. "SIEM Integration" page

8.10. SNMP
WALLIX Bastion includes an embedded SNMP agent with the following properties:

• Protocol versions supported: 2c, 3
• MIBs implemented: MIB 2, DISMAN-EVENT-MIB

• Support of alert mechanisms ("traps") and notifications related to disk consumption and CPU load
• No ACL on the source IP address

Note:
Port 161 should be opened to allow communication to WALLIX Bastion for read/write
access to OIDs.
Port 162 should be opened to allow communication from WALLIX Bastion for trap
notifications.
A default minimum value set to 20 parallel connections is required for each port.

From the "SNMP" page on the "System" menu, you can configure this agent by defining the related
settings.
The "General Settings" section consists of the following fields:

• "Sysname": enter the name of the system, e.g., "WALLIX Bastion 9.0.2"
• "Syscontact": enter the email address of the system administrator, in format "root@yourdomain"
• "Syslocation": enter the system location
• "Sysdescr": enter a description, if needed. This field is empty by default.
• "Status": choose to enable or disable the SNMP agent. The agent is disabled by default.
• "Enable trap notifications": select the check box to enable SNMP trap notifications. Trap
notifications are disabled by default.
• "Trap sink": enter the address of the receiver. This field is displayed and required when trap
notifications are enabled.

The "SNMPv2 Settings" section consists of the following fields:

• "Disable SNMPv2": select the option to disable the SNMP protocol version 2c
• "Community": enter the community name used to connect to WALLIX Bastion. This field is
displayed and required when the SNMP protocol version 2c has been enabled.
• "Trap community": enter the community name used when trap messages are sent. This field is
displayed and required when trap notifications and the SNMP protocol version 2c have been
enabled.

The "SNMPv3 Settings" section consists of the following fields:

• "Authentication passphrase": enter and confirm the authentication passphrase. This field must
be longer than 8 characters. The authentication passphrase must be set at the same time as the
encryption passphrase.
• "Encryption passphrase": enter and confirm the secret key for encryption. This field must be longer
than 8 characters. The encryption passphrase must be set at the same time as the authentication
passphrase.
• "Trap receiver configuration": this sub-section is displayed when trap notifications have been
enabled and the SNMP protocol version 2c has been disabled. It consists of the following fields:
– "Trap user": enter the user name used to authenticate on the trap receiver. This field is empty
by default.
– "Security level": select the appropriate security level and specify the related fields depending
on the selection.

If "Authentication only" is selected, enter and confirm the authentication passphrase and select
the authentication ciphering scheme (SHA or MD5).

If "Authentication and encryption" is selected, enter and confirm both the authentication
and encryption passphrases and select the related ciphering schemes (SHA or MD5 for
authentication and AES or DES for encryption).

The "Threshold values ( % )" section allows to specify the values above which notifications are
triggered. It consists of the following fields:

• "Disk consumption": update the percentage value related to the disk consumption, if needed.
Notifications are sent when the disk consumption exceeds this value.
• "Average CPU load": update the percentage values related to the average CPU load for 1-minute,
5-minute and 15-minute time slices, if needed. Notifications are sent when these values are
exceeded.

The values entered in this section can be reset by clicking on the button "Reset default threshold
values" on the bottom-left of the section.

Warning:
By default, the SNMP agent is disabled and it can only be enabled via the Web interface.

By default, trap notifications are disabled and they can only be enabled via the Web
interface. When enabled, only acknowledged traps (i.e. INFORM traps) are sent.

By default, the SNMP protocol version 2c is disabled on a fresh WALLIX Bastion and can
only be enabled via the Web interface.

The SNMP protocol version 3 is always enabled. However, both authentication and
encryption passphrases must be set at the same time for proper operation.

When Bastions are configured in HA mode, the SNMP agent monitors all the nodes via
the virtual IP address.

Examples of use for SNMP protocol version 2c:

$ snmpget -v2c -c WALLIXdefault 192.168.0.5 system.sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: "WALLIX Bastion Version 9.0.2"
$ snmpget -v2c -c WALLIXdefault 192.168.0.5 system.sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (65833) 0:10:58.33
$ snmpget -v2c -c WALLIXdefault 192.168.0.5 IF-MIB::ifHCOutOctets.1
IF-MIB::ifHCOutOctets.1 = Counter64: 255823831

Examples of use for SNMP protocol version 3:

$ snmpget -v3 -l authPriv -u wabsnmp -a SHA -A <authpass> -x AES -X <privpass> 192.168.0.5 system.sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: "WALLIX Bastion Version 9.0.2"
$ snmpget -v3 -l authPriv -u wabsnmp -a SHA -A <authpass> -x AES -X <privpass> 192.168.0.5 system.sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (65833) 0:10:58.33
$ snmpget -v3 -l authPriv -u wabsnmp -a SHA -A <authpass> -x AES -X <privpass> 192.168.0.5 IF-MIB::ifHCOutOctets.1
IF-MIB::ifHCOutOctets.1 = Counter64: 255823831
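As an added example that is not WALLIX code, the following Python builds the snmpget invocations shown above for protocol versions 2c and 3, applies the same "longer than 8 characters" rule to the SNMPv3 passphrases, and parses net-snmp's reply lines into typed values a monitoring check can act on. The sample replies are the ones printed above, embedded as constructed test input; passphrase values in the test are placeholders.

```python
"""Added example (not WALLIX code): snmpget argv builders for v2c/v3 and a
parser for net-snmp's 'OID = TYPE: value' reply lines."""
import re
import shlex
import subprocess
from typing import Any, Dict, List, Optional, Tuple

# Reply lines as printed on the page, embedded as constructed offline input.
SAMPLE_REPLIES = [
    'SNMPv2-MIB::sysDescr.0 = STRING: "WALLIX Bastion Version 9.0.2"',
    "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (65833) 0:10:58.33",
    "IF-MIB::ifHCOutOctets.1 = Counter64: 255823831",
]

REPLY_RE = re.compile(r"^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+):\s*(?P<val>.*)$")
TICKS_RE = re.compile(r"^\((?P<ticks>\d+)\)")
ENUM_RE = re.compile(r"^[A-Za-z_]\w*\((?P<num>-?\d+)\)$")


def snmpget_v2c_args(host: str, oid: str, community: str) -> List[str]:
    """argv mirroring '$ snmpget -v2c -c <community> <host> <oid>'."""
    return ["snmpget", "-v2c", "-c", community, host, oid]


def snmpget_v3_args(host: str, oid: str, user: str, auth_pass: str,
                    priv_pass: str, auth_proto: str = "SHA",
                    priv_proto: str = "AES") -> List[str]:
    """argv for an SNMPv3 authPriv GET, as in the page's examples. Both
    passphrases must be longer than 8 characters, matching the Bastion's
    own requirement for the SNMPv3 settings."""
    if auth_proto not in ("SHA", "MD5") or priv_proto not in ("AES", "DES"):
        raise ValueError("unsupported ciphering scheme")
    if len(auth_pass) <= 8 or len(priv_pass) <= 8:
        raise ValueError("passphrases must be longer than 8 characters")
    # -A/-X put the passphrases on the command line, where other local users
    # can read them from the process list; net-snmp's snmp.conf keys
    # defAuthPassphrase/defPrivPassphrase avoid that for unattended checks.
    return ["snmpget", "-v3", "-l", "authPriv", "-u", user,
            "-a", auth_proto, "-A", auth_pass,
            "-x", priv_proto, "-X", priv_pass, host, oid]


def parse_reply(line: str) -> Tuple[str, Any]:
    """One 'OID = TYPE: value' line -> (oid, typed value).
    STRING -> str without quotes; integer kinds -> int (enum labels such as
    up(1) reduced to the number); Timeticks -> seconds as float."""
    m = REPLY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised net-snmp reply: {line!r}")
    oid, typ, val = m.group("oid"), m.group("type"), m.group("val")
    if typ == "STRING":
        quoted = len(val) >= 2 and val[0] == val[-1] == '"'
        return oid, val[1:-1] if quoted else val
    if typ == "Timeticks":
        t = TICKS_RE.match(val)
        if not t:
            raise ValueError(f"bad Timeticks value: {val!r}")
        return oid, int(t.group("ticks")) / 100.0   # ticks are 1/100 s
    if typ in ("INTEGER", "Counter32", "Counter64", "Gauge32", "Unsigned32"):
        e = ENUM_RE.match(val)
        return oid, int(e.group("num") if e else val)
    return oid, val   # OID, IpAddress, Hex-STRING, ...: keep the text


def parse_replies(lines: List[str]) -> Dict[str, Any]:
    return dict(parse_reply(line) for line in lines)


def run_snmpget(args: List[str], timeout: float = 5.0) -> Optional[Tuple[str, Any]]:
    """Run a prepared argv and parse the first reply line. Returns None when
    the agent does not answer (it is disabled by default on a fresh Bastion)."""
    try:
        out = subprocess.run(args, capture_output=True, text=True,
                             timeout=timeout, check=True).stdout
    except (OSError, subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return None
    first = out.strip().splitlines()[:1]
    return parse_reply(first[0]) if first else None


if __name__ == "__main__":
    cmd = snmpget_v2c_args("192.168.0.5", "system.sysDescr.0", "WALLIXdefault")
    print(" ".join(shlex.quote(a) for a in cmd))
    for oid, value in parse_replies(SAMPLE_REPLIES).items():
        print(f"{oid} -> {value!r}")
```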

Warning:
The system OIDs are defined in the MIB "SNMPv2-MIB". Please make sure this MIB is
installed on your client environment.

The SNMP agent can trace some specific data of WALLIX Bastion. A list of the variables
showing the data is available by downloading the following files:

• /usr/share/snmp/mibs/wallix/WALLIX-SMI and
• /usr/share/snmp/mibs/wallix/WALLIX-BASTION-MIB. This WALLIX-BASTION-MIB file
includes the descriptions of the variables and can be opened with a text editor.

These MIB files can also be downloaded as a .zip archive by clicking on the “Download MIB files”
button at the top-right of the page.

The following command shows all the available variables:

• for SNMP protocol version 2c:

$ snmpwalk -v2c -c <community> 192.168.0.5 WALLIX-BASTION-MIB::bastion

• for SNMP protocol version 3:

$ snmpwalk -v3 -l authPriv -u wabsnmp -a SHA -A <authpass> -x AES -X <privpass> 192.168.0.5 WALLIX-BASTION-MIB::bastion
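The snmpget and snmpwalk examples above pass the SNMPv3 passphrases as -A and -X arguments, which exposes them in the process list and in the shell history of the monitoring host. As an added example, not part of the WALLIX guide or product, the shell functions below write the SNMPv3 client defaults into a per-user net-snmp configuration file with owner-only permissions, so that the same queries can be run without passphrases on the command line. The user name wabsnmp and the SHA/AES choice come from the guide; the directory, the passphrase values and the self-check function are assumptions made for illustration.

```shell
# Added example (not from the WALLIX guide): store SNMPv3 client credentials in a
# per-user net-snmp configuration file instead of passing them with -A/-X on the
# command line. Assumptions: the net-snmp tools read "$HOME/.snmp/snmp.conf"; the
# user "wabsnmp" and SHA/AES come from the guide; passphrases are placeholders.

# $1 = directory that will hold snmp.conf (normally "$HOME/.snmp")
# $2 = SNMPv3 user name, $3 = authentication passphrase, $4 = privacy passphrase
# Prints the path of the file it wrote.
write_snmpv3_client_conf() {
    conf_dir=$1; user=$2; authpass=$3; privpass=$4
    conf="$conf_dir/snmp.conf"
    old_umask=$(umask)
    umask 077                       # everything created below is owner-only
    mkdir -p "$conf_dir"
    rm -f "$conf"                   # recreate so the new mode applies
    cat > "$conf" <<EOF
# net-snmp client defaults for polling a WALLIX Bastion over SNMPv3
defVersion 3
defSecurityName $user
defSecurityLevel authPriv
defAuthType SHA
defAuthPassphrase $authpass
defPrivType AES
defPrivPassphrase $privpass
EOF
    umask "$old_umask"
    printf '%s\n' "$conf"
}

# Self-check: returns 0 when the file exists, is readable by its owner only
# (mode 600) and carries both passphrases; 1 otherwise.
snmp_conf_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || return 1
    grep -q '^defAuthPassphrase ' "$f" && grep -q '^defPrivPassphrase ' "$f"
}
```

With that file in place, `snmpget 192.168.0.5 system.sysDescr.0` uses the stored SNMPv3 credentials without any -v3/-u/-A/-X arguments; keep the file on the monitoring host only and run `snmp_conf_is_private` after any change to confirm the permissions were not widened.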

Figure 8.10. "SNMP" page with agent configuration

8.11. Service control


From the "Service Control" page on the "System" menu, you can define the service bindings for the
network interfaces and select the services to be enabled/disabled. For further information, refer to
Section 8.11.1, “Service mapping”, page 57 and Section 8.11.2, “Service activation”, page 58.

Figure 8.11. "Service Control" page

8.11.1. Service mapping


As an administrator, you can choose the services to be mapped to the network interfaces in the
"Service mapping" frame. It is thus possible to restrict the administration operations to a single
interface to improve the security of WALLIX Bastion.

Services are grouped into the following features:

• "User & audit features"
• "Administration features" and
• "High-Availability"

The "User & audit features" service group includes the access to targets and also historical data
and session recordings.

In order to be able to select the desired services, the network interfaces must be
previously configured on the "Network" page. For further information, refer to Section 8.6,
“Network”, page 48.

Important:
The interface eth1 (port 2 on appliances) is devoted, if present, to high-availability (HA)
interconnection. No other service can be mapped to it and the "High-Availability" service
cannot be mapped to any other interface. Therefore, the "High-Availability" service cannot
be selected if this interface is not present.

By default, the features specific to users (such as the target account access rights) and auditors
(such as the session audit rights) are not available on the Web administration interface, but they can
be made available by selecting the following check boxes: "User features (target account access rights)"
and "Audit features (session audit rights)".

A firewall is embedded in WALLIX Bastion, among other features, to protect WALLIX Bastion against
DDoS attacks. It is possible to restrict the parallel connections per IP to the Bastion to a pre-defined
number by selecting the option "Limit the number of parallel connections per IP" and specifying the
appropriate value in the field "Number of connections". The default value of this field is set to 10 and
the number of allowed parallel connections cannot exceed 999 connections per IP. As an example,
if the value entered in this field is "30" then a user can only perform 30 parallel connections to the
Bastion from his/her workstation.

The option "Enable path reverse filtering" is only relevant when WALLIX Bastion has two non-HA
interfaces configured with two different subnets (i.e. eth0 with subnet X and eth2 with subnet Y) and
the default route is set to one of the two interfaces (i.e. eth0).

By default, when a packet with a source IP address not belonging to subnet Y comes in through
interface eth2, WALLIX Bastion does not reply (no packet is going out through any of the two non-
HA interfaces). This is due to a reverse path filtering configuration set with the grsec kernel. For
further information on reverse path filtering, refer to
http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.kernel.rpf.html.

If WALLIX Bastion should reply to the incoming packet (through the eth2 interface), then the reverse
path filtering should be unset.

When the option "Enable path reverse filtering" is selected, there is no reply from WALLIX Bastion
(on packets originating from a subnet different from the ingress interface).

When the option "Enable path reverse filtering" is deselected (by default), WALLIX Bastion replies
to all incoming packets (through the ingress interface).

8.11.2. Service activation


As an administrator, you can choose the services to be enabled in the "Service activation" frame.

The services which can be configured are as follows:

• GUI: WALLIX Bastion Web administration interface (port 443)
• RDP: RDP/VNC proxy (port 3389)
• SSH: SSH/SFTP/TELNET/RLOGIN proxy (port 22)
• SSHADMIN: WALLIX Bastion administration command line interface (port 2242)

When installing WALLIX Bastion, these services are automatically enabled by default.

In case of a restricted use of WALLIX Bastion, the administrator can activate/deactivate services
using a command line tool on the console or through the "ssh" command line interface (port 2242):

wabsuper$ sudo -i WABServices
##################################
# WALLIX Bastion Services Status #
##################################
gui : ENABLED
rdp : ENABLED
ssh : ENABLED
sshadmin : ENABLED

If no argument is entered, the current status of the service configuration is displayed.

The option "--help" lists the arguments which can be used to perform the configuration.

wabsuper$ sudo -i WABServices --help
usage: /opt/wab/bin/WABServices action [service's name]
Configure WALLIX Bastion Services

actions:
  list      list services status
  enable    enable a service
  disable   disable a service

The administrator must enter the following command to deactivate the GUI service:

wabsuper$ sudo -i WABServices disable gui
Configuration applied

Then, the administrator must enter the following command to activate it again:

wabsuper$ sudo -i WABServices enable gui
Configuration applied
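The WABServices status listing is a natural input for a scheduled hardening check: on a Bastion that is meant to be administered only through the port 2242 command line, a GUI service that has been re-enabled should be noticed quickly. As an added example, not WALLIX code, the shell functions below parse that listing and compare it with the set of services the administrator expects to be enabled; the sample status text is constructed from the layout shown in the guide, and the baseline itself is whatever the caller passes in.

```shell
# Added example (not from the WALLIX guide): compare the "name : STATE" lines
# printed by WABServices with an expected baseline of enabled services.
# Assumption: the listing keeps the "gui : ENABLED" layout shown in the guide.

# Reads WABServices output on stdin and prints the enabled service names.
enabled_services() {
    awk '$2 == ":" && $3 == "ENABLED" { print $1 }'
}

# $1 = WABServices output, $2 = space-separated services expected to be ENABLED.
# Prints one "UNEXPECTED <svc>" or "MISSING <svc>" line per deviation and
# returns 1; returns 0 (printing nothing) when the status matches the baseline.
check_service_baseline() {
    status=$1; expected=$2; rc=0
    enabled=$(printf '%s\n' "$status" | enabled_services | tr '\n' ' ')
    for svc in $enabled; do                  # enabled but not in the baseline
        case " $expected " in
            *" $svc "*) ;;
            *) printf 'UNEXPECTED %s\n' "$svc"; rc=1 ;;
        esac
    done
    for svc in $expected; do                 # in the baseline but not enabled
        case " $enabled " in
            *" $svc "*) ;;
            *) printf 'MISSING %s\n' "$svc"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample, shaped like the status listing in the guide.
SAMPLE_STATUS='##################################
# WALLIX Bastion Services Status #
##################################
gui      : ENABLED
rdp      : ENABLED
ssh      : ENABLED
sshadmin : ENABLED'
```

On a Bastion the live listing is obtained with `sudo -i WABServices`, so a cron or monitoring job would call `check_service_baseline "$(sudo -i WABServices)" "rdp ssh sshadmin"` and alert on a non-zero exit status; a MISSING line usually means a proxy users depend on has been switched off, an UNEXPECTED line that an administrative surface has been reopened.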

8.12. SMTP server


From the "SMTP Server" page on the "System" menu, you can define/edit the mail server
configuration for the sending of notifications.

The SMTP server configuration page consists of the following fields:

• the protocol to use: SMTP (default value), SMTPS or SMTP + STARTTLS
• the authentication method: None (default value), Automatic (the SMTP server chooses a method
automatically), PLAIN, LOGIN, SCRAM-SHA-1, CRAM-MD5, DIGEST-MD5 or NTLM
• the server address (IP or FQDN)
• the server port (default values: 25 for SMTP, 465 for SMTPS and 587 for SMTP+STARTTLS)
• the postmaster email which will receive emails from local services
• the sender name (default value: WALLIX Bastion)
• the certificate hash. This data must match the server certificate. This hash can be entered
manually or retrieved automatically by clicking on the "Check certificate" button. In this case, the
server address and port must be entered. When this hash has been entered manually, it can
be checked against the server certificate by clicking on the "Check certificate" button. In case
of mismatch between both certificates, an error is displayed and the hash can be modified by
clicking on the "Replace hash" button.
• the sender email

Caution:
The address specified in this field may also be used as a recipient for some system
alert emails.

• and possibly, a user name and password

To test the configuration, enter one or more destination addresses in the "Recipient emails for test"
field then click on the "Test" button.

Caution:
When WALLIX Bastion is configured in HA ("High-Availability") mode, the SMTP
server configuration is only propagated to the Slave node when the latter is switching from
Slave to Master.

Figure 8.12. "SMTP Server" page

8.13. Backup and Restoration


From the "Backup/Restoration" page on the "System" menu, you can back up or restore a copy of
your WALLIX Bastion configuration.

Each backup is encrypted using a 16-character key. You must know the backup key before
performing a restore operation.

If a passphrase was defined on the backed-up Bastion, then it has to be entered again during the
restore operation.

Warning:
• Only backups created from WALLIX Bastion version 6.0 or later can be restored
• Session recordings are not saved during a backup/restore operation
• All data edited or added after a backup will be lost if the backup is restored
• The administrator will be logged off. He/she must log on again with one of the accounts
included in the backup, which might be different from those in the system before the
backup/restore was performed
• It is possible to set the number of days during which backups are kept. This parameter
can be managed via "Configuration" > "Configuration Options" > "Global", then enter
a positive integer in the field "Remove backup older than". All backups older than this
value expressed in number of days are then removed.

Figure 8.13. "Backup/Restore" page

8.13.1. Restoration of configuration files


When restoring, the configuration files related to specific settings located under the directory
/etc/opt/wab/ are restored alongside the current configuration, which is thus not overwritten.

To use these elements, you will have to delete the current configuration files and rename in their
place the files restored from the backup, which bear as an additional extension the name of the
backup followed by a timestamp set to the restoration time.

After renaming the files by removing the additional extension, you must restart the corresponding
services by entering the following commands:

# systemctl restart apache2
# systemctl restart mariadb.service
# systemctl restart wabengine
# systemctl restart wabrestapi
# systemctl restart wabgui
# systemctl restart sashimi
# systemctl restart redemption
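The renaming step described above can be done by hand, but a small script makes it repeatable and keeps a copy of the live files rather than deleting them outright. The shell function below is an added example, not WALLIX code: it takes the directory to scan, the extra extension carried by the restored files and a directory in which the replaced live files are parked, and prints what it promoted. The extension format and the sample files are constructed for illustration; on a real restore the extension is the backup name followed by the restoration timestamp, as the guide states.

```shell
# Added example (not from the WALLIX guide): promote configuration files that a
# restore placed next to the live ones. Assumptions: restored files are the live
# path plus ".<suffix>", where <suffix> is passed in by the caller; replaced
# live files are parked in a separate directory instead of being deleted.

# $1 = directory to scan (e.g. /etc/opt/wab), $2 = extra extension carried by
# the restored files (without the leading dot), $3 = directory receiving the
# replaced live files. Prints "PROMOTED <path>" per file; returns 1 when no
# restored file matched.
promote_restored_files() {
    dir=$1; suffix=$2; park=$3
    list=$(find "$dir" -type f -name "*.$suffix")
    [ -n "$list" ] || return 1
    mkdir -p "$park"
    printf '%s\n' "$list" | while IFS= read -r restored; do
        live=${restored%".$suffix"}
        if [ -f "$live" ]; then
            # keep the live file (content and mode) for comparison or rollback
            mv "$live" "$park/$(basename "$live").pre-restore"
        fi
        mv "$restored" "$live"
        printf 'PROMOTED %s\n' "$live"
    done
}
```

Run it as root once the restore has finished, for example `promote_restored_files /etc/opt/wab "<backup name>_<timestamp>" /root/pre-restore`, compare the parked files with the promoted ones if in doubt, and then restart the services listed above (apache2, mariadb, wabengine, wabrestapi, wabgui, sashimi, redemption).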

However, most configuration files specific to given services, keys and certificates are overwritten
in the current configuration during restoration.

These files are all located under the following directories:

• /var/wab/apache2/, for example:
  – the configuration for the X509 authentication activation status:
    /var/wab/apache2/x509_ready
  – the Apache server keys, certificates and CRLs for X509 authentication:
    /var/wab/apache2/ssl.crt/*
    /var/wab/apache2/ssl.crl/*
• /var/wab/etc/, for example:
  – the RDP proxy configuration:
    /var/wab/etc/rdp/rdpproxy.ini
  – the RDP proxy keys and certificate:
    /var/wab/etc/rdp/*.pem
    /var/wab/etc/rdp/rdpproxy.key
    /var/wab/etc/rdp/rdpproxy.crt
  – the SSH proxy private and public keys:
    /var/wab/etc/ssh/*

Caution:
Note that properties related to the license, the FQDN and the MySQL database
password in /var/wab/etc/wabengine.conf/ are not overwritten during
restoration.

• /var/wab/config/, gathering system and network configuration files

8.13.2. Backup/Restoration from the command line


You can perform backup and restore operations using specific scripts.

8.13.2.1. Script for backup


wab2:~# /opt/wab/bin/wallix-config-backup.py -h
Usage: wallix-config-backup.py [options]

Options:
  -h, --help            show this help message and exit
  -d DIRECTORY, --directory=DIRECTORY
                        Directory where you want to store your backup.
  -s, --sdcard          Set this option to store the Backup in the sdcard.

DIRECTORY is the directory path in which the backup file will be created.

Option -s can be used to create a copy on an external drive (SD Card or USB).

8.13.2.2. Script for restoration


wab2:~# /opt/wab/bin/wallix-config-restore.py -h
Usage: wallix-config-restore.py [options] -f FILENAME
       wallix-config-restore.py [options] -s

Restores WALLIX Bastion backup from the specified file or from the sdcard. The
default behaviour is to restore the configuration part related to the network
page of the system settings menu only on the same host and in the same
standalone or HA mode. You can use options to ignore completely the system
settings and restore only the business data, or to force ignoring or restoring
the network part.

Options:
  -h, --help            show this help message and exit
  -f FILENAME, --file=FILENAME
                        Provide the full path of the Backup file (.wbk).
                        Conflicts with -s
  -s, --sdcard          Enter in interactive mode to select file on SDcard.
                        Conflicts with -f
  -a, --aes             Set this option to force use of AES256 instead of GPG
                        symmetric cipher (for compatibility with old backup
                        files).
  -b, --blowfish        Set this option to force use of Blowfish instead of
                        GPG symmetric cipher (for compatibility with old
                        backup files). Overridden by -a
  -S, --nosystem        Set this option to not restore any system settings.
  -N, --nonetwork       Set this option to never restore network and HA
                        settings. Overridden by -S
  --forcenetwork        Set this option to force restoration of network and HA
                        settings. (Not recommended). Overridden by -S

FILENAME is the backup file path.


Option -s can be used to restore from the external drive (SD card or USB).

Options -a and -b should not normally be used. Without these options, the file is decrypted with GPG.

Option -S can be used to skip the restoration of the system settings part of the configuration (set in
the "System" menu). In this case, only the business data will be restored.

Option -N can be used to skip the restoration of the network configuration set on the "Network" page
in the "System" menu and of the network addresses of the peer and the cluster when HA is enabled.

Option --forcenetwork, whose use is not recommended, can be used to force restoration of
the part of the configuration corresponding to the network configuration (set on the "Network"
page in the "System" menu), when restoration is done on a different machine or in a different
HA/standalone mode. In this case, files that were not previously in /var/wab/config, such
as the file ha.py or the files corresponding to the system MAC addresses, will be restored by
suffixing their name with the name of the backup without its extension. For example, if the archive
bastion.myhost_2019-05-01_16-30-00.wbk contains the MAC file 01_02_03_04_05_06.py
but the 01:02:03:04:05:06 MAC address is not present on the system, the file will be renamed
01_02_03_04_05_06.py.bastion.myhost_2019-05-01_16-30-00. You can delete those
files or use the information they contain to update the corresponding files on your system before
restarting services.

8.13.3. Automatic backup configuration


WALLIX Bastion performs an automatic backup configured in a cron job. By default, this is performed
every day at 6:50 p.m. in the time zone in which WALLIX Bastion is located, as defined in the
"Time Service" page on the "System" menu. For further information, refer to Section 8.7, “Time
service”, page 50.
The files are stored in the directory /var/wab/backups.
You can change the time and frequency of the backups in /etc/cron.d/wabcore by changing
the line that runs the WABExecuteBackup command.
The fields are crontab fields, namely MINUTE, HOUR, DAY_OF_MONTH, MONTH and DAY_OF_WEEK.

The values authorized in each field are as follows:

• MINUTE: from 0 to 59
• HOUR: from 0 to 23
• DAY_OF_MONTH: from 1 to 31
• MONTH: from 1 to 12
• DAY_OF_WEEK: from 0 to 7 (0 or 7 for Sunday)

Each field can also be filled with an asterisk "*" corresponding to all possible values. Lists are also
permitted, with the values separated by commas, as are ranges, written with a hyphen between the
bounds, e.g. "1,2,5-9,12-15,21".

You can also change the path and the value of the key used by editing the file
/opt/wab/bin/WABExecuteBackup and changing the DIR and KEY values at the beginning of the file.

It is possible to set a key used to encrypt the automatic backup at generation. This parameter can
be managed via "Configuration" > "Configuration Options" > "Global", then enter a 16-character
string in the field "Backup key".
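Before editing the WABExecuteBackup line in /etc/cron.d/wabcore, it is worth validating the new schedule against the ranges given above, because a malformed field silently stops the automatic backups rather than producing an error. The shell functions below are an added example, not WALLIX code: they check a five-field crontab schedule against the documented ranges and list/range syntax, and extract the schedule of the WABExecuteBackup line from cron.d-style text. The sample cron line, including its "root" user column, is constructed; the real content of wabcore may differ.

```shell
# Added example (not from the WALLIX guide): validate a crontab schedule with the
# field ranges documented for the WABExecuteBackup line, and extract that line's
# schedule from cron.d-style text. The sample cron file content is constructed.

# Returns 0 when $1 is a non-empty string of decimal digits.
is_uint() {
    case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# $1 = one crontab field, $2 = lowest allowed value, $3 = highest allowed value.
# Accepts "*", a single value, comma-separated lists and "a-b" ranges.
# Runs in a subshell so the IFS and globbing changes stay local.
cron_field_ok() (
    set -f                           # "*" must not expand to file names
    value=$1; min=$2; max=$3
    [ "$value" = "*" ] && exit 0
    IFS=','
    for item in $value; do
        case $item in
            *-*) lo=${item%%-*}; hi=${item#*-} ;;
            *)   lo=$item; hi=$item ;;
        esac
        is_uint "$lo" && is_uint "$hi" || exit 1
        [ "$lo" -ge "$min" ] && [ "$hi" -le "$max" ] && [ "$lo" -le "$hi" ] || exit 1
    done
    exit 0
)

# $1 = "MINUTE HOUR DAY_OF_MONTH MONTH DAY_OF_WEEK". Prints the name of the
# first invalid field and returns 1, or returns 0 when the schedule is valid.
cron_schedule_ok() (
    set -f
    set -- $1
    [ $# -eq 5 ] || { echo FIELD_COUNT; exit 1; }
    cron_field_ok "$1" 0 59 || { echo MINUTE; exit 1; }
    cron_field_ok "$2" 0 23 || { echo HOUR; exit 1; }
    cron_field_ok "$3" 1 31 || { echo DAY_OF_MONTH; exit 1; }
    cron_field_ok "$4" 1 12 || { echo MONTH; exit 1; }
    cron_field_ok "$5" 0 7  || { echo DAY_OF_WEEK; exit 1; }
    exit 0
)

# Prints the five schedule fields of the (non-commented) line that runs
# WABExecuteBackup, reading cron.d-style text from stdin.
backup_schedule() {
    awk '/WABExecuteBackup/ && $1 !~ /^#/ { print $1, $2, $3, $4, $5; exit }'
}

# Constructed sample in the layout of a cron.d file (daily at 6:50 p.m., the
# guide's default); the real /etc/cron.d/wabcore may look different.
SAMPLE_CRON='# m h dom mon dow user command
50 18 * * * root /opt/wab/bin/WABExecuteBackup'
```

A typical use is `cron_schedule_ok "$(backup_schedule < /etc/cron.d/wabcore)"` after an edit: an empty output and a zero exit status mean every field is within the documented range, otherwise the offending field name is printed.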

8.13.4. Automatic backup purge


WALLIX Bastion purges the stored automatic backup files in a cron job. By default, this is
performed every day at 3:42 a.m. in the time zone in which WALLIX Bastion is located, as defined in
the "Time Service" page on the "System" menu. For further information, refer to Section 8.7, “Time
service”, page 50.

You can define a retention limit in hours, days or months, or specify the minimum acceptable
free space, by setting arguments on the line running the WABBackupPurge command.

wab2:~# WABBackupPurge -h
usage: WABBackupPurge [-h] [--age AGE] [--min-free MIN_FREE] [--priorize-free]

Purge WALLIX Bastion backups. If enough free space, no backup is deleted even
if older than the given age threshold.

optional arguments:
  -h, --help            show this help message and exit
  --age AGE, -A AGE     Keep all traces younger than the given age in hours.
                        Valid suffixes are 'd[ays]' for days, or 'm[onths]'
                        for months. (default: 30d)
  --min-free MIN_FREE, -F MIN_FREE
                        Free space minimum threshold in bytes. Valid suffixes
                        are 'KB' for 1000 bytes, 'KiB' for 1024 bytes, 'MB'
                        for 1.000.000 bytes, 'MiB' for 1.048.576 bytes, 'GB'
                        for 1.000.000.000 bytes, 'GiB' for 1.073.741.824
                        bytes, '%' for percentage of total disk space
                        (default: 10%)
  --priorize-free, -p   If provided, ignore AGE and try to free as much space
                        as possible until the free space threshold is reached.

When this command is launched, backup files are purged until the free space is greater than or
equal to the MIN_FREE value. Only backup files older than the AGE value are deleted, unless the
--priorize-free argument is specified, in which case files are deleted regardless of their age until
the free space is greater than or equal to the MIN_FREE value.

It is possible to set the number of days during which backups are kept from the Web interface. This
parameter can be managed via "Configuration" > "Configuration Options" > "Global", then enter a
positive integer in the field "Remove backup older than". All backups older than this value expressed
in number of days are then removed. When the WABBackupPurge command is launched, the value
in this field is then considered as the default value if the AGE argument is not specified.
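The AGE and MIN_FREE arguments take unit suffixes, and the interaction between the age and free-space thresholds is easy to misread when sizing a Bastion's backup partition. As an added example, not WALLIX code, the shell functions below convert both arguments into plain numbers using the unit rules from the help text, and apply the documented policy to a constructed list of backups to show which files would be removed. They do not call WABBackupPurge and delete nothing; the 30-day month used for the "m[onths]" suffix, the oldest-first ordering of the list and the disk size parameter used for the "%" form are assumptions.

```shell
# Added example (not from the WALLIX guide): parse the AGE and MIN_FREE
# arguments of WABBackupPurge and apply the documented purge policy to a
# constructed list of backups. Nothing is executed or deleted.
# Assumptions: a month is counted as 30 days; backups are listed oldest first;
# the total disk size for the "%" form is a parameter.

# $1 = AGE argument: plain hours, or a number followed by d/days or m/months.
# Prints the age in hours; returns 1 on an unrecognised value.
age_to_hours() {
    arg=$1
    num=${arg%%[!0-9]*}                # leading digits
    unit=${arg#"$num"}                 # whatever follows them
    case $num in ''|*[!0-9]*) return 1 ;; esac
    case $unit in
        '')       echo "$num" ;;
        d|days)   echo $((num * 24)) ;;
        m|months) echo $((num * 24 * 30)) ;;   # assumption: 30-day month
        *)        return 1 ;;
    esac
}

# $1 = MIN_FREE argument (bytes, or with a KB/KiB/MB/MiB/GB/GiB/% suffix),
# $2 = total disk size in bytes, used only for "%". Prints bytes; returns 1
# on an unrecognised value.
min_free_to_bytes() {
    arg=$1; total=$2
    num=${arg%%[!0-9]*}
    unit=${arg#"$num"}
    case $num in ''|*[!0-9]*) return 1 ;; esac
    case $unit in
        '')  echo "$num" ;;
        KB)  echo $((num * 1000)) ;;
        KiB) echo $((num * 1024)) ;;
        MB)  echo $((num * 1000000)) ;;
        MiB) echo $((num * 1048576)) ;;
        GB)  echo $((num * 1000000000)) ;;
        GiB) echo $((num * 1073741824)) ;;
        %)   [ "$num" -le 100 ] || return 1
             echo $((total * num / 100)) ;;
        *)   return 1 ;;
    esac
}

# Applies the policy from the help text to backup entries read from stdin,
# one per line as "name age_hours size_bytes", listed oldest first.
# $1 = AGE in hours, $2 = MIN_FREE in bytes, $3 = free bytes now,
# $4 = 1 when --priorize-free is given (age is then ignored).
# Prints the names that would be deleted, in order.
purge_plan() {
    awk -v age="$1" -v minfree="$2" -v free="$3" -v pf="$4" '
        free >= minfree { exit }                       # threshold already met
        pf == 1 || $2 > age { print $1; free += $3 }   # old enough (or forced)
    '
}
```

The purge_plan output makes the two corner cases visible: with enough free space nothing is deleted however old the files are, and without --priorize-free the purge can stop short of the threshold when the remaining files are younger than AGE.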

8.14. High-Availability
8.14.1. Operating limitations and pre-requisites
The WALLIX Bastion 9.0.2 HA active/passive type cluster does not have a load balancing function.

Both devices must be linked directly to each other using an Ethernet crossover cable through the
RJ45 port labelled "2".

The HA interfaces on both the "Master" and the "Slave" nodes must be configured with static IP
addresses belonging to the same subnet.

The system must be configured (especially the /etc/hosts and /etc/network/interfaces
files) from the Web interface or using the WABHASetup script to prevent desynchronization with the
configuration files of the replicated file system.

Both cluster nodes must be strictly at the same level regarding their WALLIX Bastion version and
hotfix numbers.

Warning:
The WALLIX Bastion HA feature is designed to answer hardware issues related to disk,
motherboard, network card, etc. and is not supported on virtual appliances.

In a virtual environment, the setup is different as there is no "hardware" part. We thus
recommend using the High-Availability feature provided by VMware. The High-Availability
provided by VMware is available from the entry-level VMware license (VMware vSphere
Standard) and requires at least two hypervisors. For further information, see
https://www.vmware.com/uk/products/vsphere/high-availability.html

Please also refer to the Quick Start Guide for further information.

Caution:
The following precautions need to be observed before implementing a new node in an
existing High-Availability configuration:

• the new node must be strictly at the same level as the other node regarding the WALLIX
Bastion version and hotfix numbers
• the new node must have the same number of configured interfaces, including VIPs and
VLANs but excluding HA VIPs (interfaces suffixed with “ha”).
• storage capacity for the hard drive coming with the new node must be equal to or
greater than the one of the former node
• System time of the new node must be synchronized with the one of the other node

8.14.2. Cluster configuration


1. Check that both devices are linked directly to each other using an Ethernet crossover cable
through the RJ45 port labelled "2".
2. Start the two machines of the cluster, in either order. The devices are
delivered pre-installed, but the cluster feature is not configured.
3. Use the "wabadmin" account to log directly onto the "Master" and "Slave" device consoles.

Caution:
All data on the "Slave" will be permanently deleted!

4. Enter the "super" command then the "sudo -i" command to sign in as a super-user.
5. Check that the clocks of both cluster nodes are synchronized using the Linux "date" command
or by synchronization with an NTP server, as explained on Section 5.3.4, “Time service
configuration” in the Quick Start Guide.
6. Carry out the send notification test (refer to Section 5.3.5, “SMTP server configuration” in the
Quickstart Guide) to check that an SMTP server is configured and operational.
7. Check that both devices are configured with a static IP address, that their "eth1" interfaces are set
up and that they have different machine names. If not, make the required adjustments in the GUI.
Note the IP address of the "eth1" interface of the "Slave" node, which is required to answer
the "Slave IP:" question during the execution of the "WABHASetup" command as described
in the next step.
8. Run the "WABHASetup" command on the "Master" device console and follow the instructions:
wabsuper$ WABHASetup
Slave IP:
HA Virtual IP:
HA Virtual netmask:
HA Notification mail address:
...

Note:
A log file wabhasetup.log is created in the directory from which this command has
been launched and stores the output of the operation.
The WABHASetup command requests the interface configuration for all the physical
and VLAN interfaces which are mapped with services. For further information on
service mapping configuration, refer to Section 8.11, “Service control”, page 57.

9. The WALLIX Bastion cluster is now configured and enabled.

8.14.3. Starting the cluster


The cluster is now accessible on the virtual IP addresses specified in the WABHASetup
configuration tool. Only these addresses should be provided to your users.
The following email is sent to the address indicated at the end of the WALLIX Bastion High-
Availability configuration.

Subject: [WAB] - The WALLIX Bastion HA has been configured

This notification sums up your HA configuration.
Initial MASTER node: ...
Initial SLAVE node: ...
HA Virtual ip: ...

8.14.4. Stopping/Restarting the cluster


The administrator can use the maintenance commands below to check cluster operation.

Note that "Start" and "Stop" commands will only apply to the local node.

# sudo systemctl stop wabha
# sudo systemctl start wabha

Warning:
To avoid an unintentional switch-over, we recommend stopping the "Slave" node before the
"Master" one and starting the "Slave" node after the "Master" one.

To check the current state of a node, the administrator can use the following maintenance command:

wabsuper$ /opt/wab/bin/WABHAStatus

8.14.5. Recovery from fatal error (WALLIX Bastion HA is locked down)

If the WALLIX Bastion HA detects a malfunction that it cannot automatically resolve (by restarting
the service concerned), the switch-over procedure is locked.

The WALLIX Bastion HA sends a notification raising the detection of a fatal error, then creates the
lock file and stops. The presence of this file prevents the HA from restarting thereby preventing it
from attempting to resolve the problem indefinitely.

After resolving the malfunction, you must manually delete this lock file using the following command:

affected_node# rm /etc/opt/wab/ha/fatal_error

8.14.6. Network outages and Split-Brain


If the nodes are still connected to the network but no longer connected to each other (network cable
between two switches disconnected, etc.), the passive node will become the "Master" (standard
procedure since from its point of view the "Master" is no longer active). Therefore, we now have a
configuration with two "Master" nodes and the data in the shared volume will start to diverge.

When the connection is restored, the DRBD layer of the shared volume will detect the divergence
(known as "Split-Brain") and the cluster will stop working. Indeed, because both machines have
continued to operate independently, their data is incompatible and manual intervention is required.

As explained in the notification, it is up to the administrator to select the most up-to-date node to
resolve the divergence. The notification contains the list of the last files modified on both Bastions.

There are three possibilities:

1. The outage was short and the nodes were not used (no sessions created, no accounts added,
etc.): in this case, the administrator can choose either of the nodes as the reference "Master".

2. The outage was short and/or only one of the nodes was actually used (shown by the presence of
session files and of more recent modification dates on only one of the nodes). The administrator
must select this node as the new reference "Master".
3. The outage was complex and both nodes were used in parallel (which is unlikely and implies a
serious network failure). The administrator must then select a node to be the new reference
"Master" (the one with the most modifications) and back up the data from the other node. Lastly,
the data must be manually imported to the new "Master".

Once the reference "Master" is chosen, follow the procedure below to restore the cluster:

outdated_node# drbdadm secondary wab
ref_master# drbdadm primary wab
outdated_node# drbdadm invalidate wab
ref_master# (drbdadm cstate wab | grep -q StandAlone) && drbdadm connect wab
outdated_node# (drbdadm cstate wab | grep -q StandAlone) && drbdadm connect wab
ref_master# systemctl start wabha
outdated_node# systemctl start wabha

8.14.7. Reconfiguring the cluster network


Warning:
All cluster maintenance operations must be performed on the "Master" node.

When Bastions are configured in HA mode, it is no longer possible to make network changes, such
as IP addresses, from the GUI. As the disks of both machines are synchronized through the network,
you must connect to the "Master" node in SSH and run the following command:

wabsuper$ WABHASetup --reconfigure_hosts
...

8.14.8. Replacing a faulty machine


Warning:
All cluster maintenance operations must be performed on the "Master" node.

In the event of a node replacement, first disconnect the faulty device and start the replacement
WALLIX Bastion. Make sure to configure it with the same static IP address as the faulty node, and
then enter this command on the operational node:

wabsuper$ WABHASetup --configure_new_slave
...

8.14.9. Recovering a faulty volume


Warning:
All cluster maintenance operations must be performed on the "Master" node.

In the event of a file system integrity error, detectable through the kernel messages (e.g. "File
system is now read-only due to the potential of on-disk corruption. Please run fsck.ext4 once the
file system is unmounted."), proceed as follows:

1. Enter "sudo -i WABHAInitd --force stop" to turn off HA on both nodes, starting with the "Slave".
2. Check that the shared file system is unmounted on both nodes by entering "sudo -i umount /var/wab".
3. Disable DRBD on the "Slave" node by entering "sudo -i drbdadm secondary wab".
4. Enable DRBD on the "Master" node by entering "sudo -i drbdadm primary wab".
5. Enter "sudo -i fsck.ext4 -y -f /dev/drbd1" on the "Master" node.

slave_node# WABHAInitd --force stop
master_node# WABHAInitd --force stop

8.14.10. High-Availability operation tests


To check the various error recoveries managed by the WALLIX Bastion HA feature, we recommend
proceeding with the following tests before rolling out the solution. We will refer to the current "Master"
node as "WabA" and to the "Slave" node as "WabB" in the following subsections.

8.14.10.1. Switching from "Master" to "Slave" (software)


Action: Turn off HA on the "Master":

WabA# systemctl stop wabha

Consequence: the "Slave" will detect the fault.
Notification: [WAB] - WALLIX Bastion HA master WabA error detected by the WabB! (HA_MASTER_FAULT) Reason: Service unreachable on master node!
Result: the "Slave" takes over
Notification: [WAB] - The WALLIX Bastion HA master WabB is online
Full resolution: restart HA on the "Master" and it will become the new "Slave"

WabA# systemctl start wabha

Notification: [WAB] - The WALLIX Bastion HA slave WabA is online

8.14.10.2. Switching from "Master" to "Slave" (hardware)


Action: Physically turn off the "Master" (disconnect the power cord):
Consequence: the "Slave" will detect the fault
Notification: [WAB] - WALLIX Bastion HA master WabA error detected by the WabB!
(HA_MASTER_FAULT) Reason: Host does not respond to ping...
Result: the "Slave" takes over
Notification: The [WAB] - WALLIX Bastion HA master WabB is online
Full resolution: restart the "Master" and it will become the new "Slave"
Notification: the [WAB] - WALLIX Bastion HA Slave WabA is online

8.14.10.3. Fault detected on the "Master"


Action: Inject a fault on the "Master" (i.e. ssh service disabled):

WabA# mv /etc/ssh/sshd_config /etc/ssh/sshd_config.tmp
WabA# systemctl stop ssh

Consequence: Both nodes will detect the fault (ssh not accessible)
Notifications: [WAB] - WALLIX Bastion HA master WabA error detected by WabA Reason: Service
ssh isn't responding and we couldn't restart it!
Notifications: [WAB] - WALLIX Bastion HA master WabA error detected by WabB Reason: Host
respond to ping but ssh service is down, will try to switch to master...
Result: the "Slave" will take over and the "Master" will be downgraded to "Slave"
Notification: [WAB] - The WALLIX Bastion HA master WabB is online
Notification: [WAB] - The WALLIX Bastion HA Slave WabA is online
Full resolution: repair the fault so that WabA can become the "Master" again

WabA# mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config
WabA# systemctl start ssh

8.14.10.4. Fault detected on the "Slave"


Action: Physically turn off the "Slave" (disconnect the power cord)
Consequence: the "Master" will detect the fault
Notification: [WAB] - The WALLIX Bastion HA slave WabB is no longer connected to master WabA!
Master data replication isn't working.
Result: data replication interrupted, but the volume is still working (in degraded mode)
Full resolution: restart the "Slave"
Notification: [WAB] - The WALLIX Bastion HA slave WabB is online
Note: If the volume of data on the degraded "Master" is negligible (e.g. no new session),
synchronization takes place instantaneously. If not, a notification is sent.
Notification: [WAB] - The WALLIX Bastion HA cluster synchronization completed! The data on both
nodes is now fully synchronized.

8.14.10.5. Loss of connectivity between both nodes


Action: Disconnect one of the network nodes or make sure that both Bastions cannot communicate,
e.g. with iptables:

WabA# iptables -A INPUT -s IpWabB -j DROP; iptables -A OUTPUT -d IpWabB -j DROP
WabB# iptables -A INPUT -s IpWabA -j DROP; iptables -A OUTPUT -d IpWabA -j DROP

Consequence: both nodes will detect the fault. The "Master" will continue to operate in degraded
mode.
Notification: [WAB] - The WALLIX Bastion HA slave WabB is no longer connected to master WabA!
Master data replication isn't working.

Notification: [WAB] - The WALLIX Bastion HA master WabA error detected by sparewab2.corp.wallix.com Reason: Host does not respond to ping...

Consequence: the "Slave" will assume that the "Master" is turned off and will switch over to "Master"
and will operate in degraded mode.

Notification: [WAB] - The WALLIX Bastion HA master WabB is online

Notification: [WAB] - The WALLIX Bastion HA slave WabA is no longer connected to master WabB!
Master data replication isn't working.
Result: the shared volume will start to diverge between both nodes. The most probable case is that
one of the nodes is no longer on the network, in which case the resolution is simple: reconnect both
Bastions or, if you used the iptables rules above, remove them (note that "-F" without a chain name
flushes every rule of the filter table, not only the two rules added above):

WabA# iptables -F
WabB# iptables -F

Notification: [WAB] - The WALLIX Bastion HA disks diverged (split brain detected). The WALLIX
Bastion HA drbd shared volume is now disconnected. Peers have lost connection with each other
and both have switched to master node... Data can't be synced cleanly! You need to manually
discard the changes on one of the nodes.

Once you have identified the out-of-date node (the one whose changes are to be discarded:
"drbdadm invalidate" marks its copy of the volume as inconsistent and resynchronizes it in full
from the other node, so the choice cannot be undone), follow the procedure below:

failing_node# drbdadm secondary wab


recent_node# drbdadm primary wab
failing_node# drbdadm invalidate wab
failing_node# drbdadm connect wab
recent_node# systemctl start wabha
failing_node# systemctl start wabha

For the full resolution of this scenario (WabA keeps its data, the changes on WabB are discarded),
follow the instructions in the email:

WabB# drbdadm secondary wab


WabA# drbdadm primary wab
WabB# drbdadm invalidate wab
WabB# drbdadm connect wab
WabA# systemctl start wabha
WabB# systemctl start wabha

Notification: [WAB] - The WALLIX Bastion HA master WabA is online

Notification: [WAB] - The WALLIX Bastion HA slave WabB is online
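To tell the split-brain case above apart from the ordinary degraded mode of Section 8.14.10.4, the DRBD status of both nodes has to be compared: a "Master" that has lost its peer looks the same locally in both cases. The following Python script is an added example, not part of this guide or of WALLIX's code. It assumes DRBD 8.x-style "/proc/drbd" output (the cs:/ro:/ds: tokens), the resource name "wab" used in the commands above, and constructed status snapshots in place of real nodes. It reports a split-brain only when both nodes declare themselves Primary and disconnected, and then lists the recovery commands in the order the guide gives them.

```python
"""Tell a DRBD split-brain from plain degraded mode and list the recovery steps.

Added example for this guide, not WALLIX code. Assumes DRBD 8.x-style
/proc/drbd output (cs:/ro:/ds: tokens) and the resource name "wab" used in
the guide's commands. All three status snapshots below are constructed.
"""
import re

# A master whose peer is unreachable and which kept running alone. Both nodes
# show this picture during a split-brain; only the surviving master shows it
# when the slave has really been powered off (then cs: is usually WFConnection).
SPLIT_BRAIN_SNAPSHOT = """\
version: 8.4.10 (api:1/proto:86-101)
 0: cs:StandAlone ro:Primary/Unknown ds:UpToDate/DUnknown   r-----
    ns:0 nr:0 dw:4096 dr:8192 al:1 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:f oos:4096
"""
DEGRADED_SNAPSHOT = """\
version: 8.4.10 (api:1/proto:86-101)
 0: cs:WFConnection ro:Primary/Unknown ds:UpToDate/DUnknown C r-----
    ns:0 nr:0 dw:4096 dr:8192 al:1 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:f oos:4096
"""
HEALTHY_SNAPSHOT = """\
version: 8.4.10 (api:1/proto:86-101)
 0: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate C r-----
    ns:0 nr:0 dw:4096 dr:8192 al:1 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:f oos:0
"""
STATUS_RE = re.compile(r"cs:(\w+) ro:(\w+)/(\w+) ds:(\w+)/(\w+)")
# DRBD 8 connection states in which the peer is not reachable.
DISCONNECTED = {"StandAlone", "WFConnection", "Unconnected", "Disconnecting"}


def parse_status(proc_drbd: str) -> dict:
    """Extract connection state, local/peer roles and local/peer disk states."""
    m = STATUS_RE.search(proc_drbd)
    if not m:
        raise ValueError("no DRBD resource line found in /proc/drbd output")
    cs, ro_local, ro_peer, ds_local, ds_peer = m.groups()
    return {"cs": cs, "ro": (ro_local, ro_peer), "ds": (ds_local, ds_peer)}


def primary_without_peer(proc_drbd: str) -> bool:
    """True when this node is Primary but no longer connected to its peer."""
    st = parse_status(proc_drbd)
    return st["ro"][0] == "Primary" and st["cs"] in DISCONNECTED


def split_brain(snapshot_a: str, snapshot_b: str) -> bool:
    """Split-brain = BOTH nodes are Primary and cut off from each other.

    One node in that state is the normal degraded mode of the guide; it is
    a split-brain only when the other node reports the same thing.
    """
    return primary_without_peer(snapshot_a) and primary_without_peer(snapshot_b)


def recovery_plan(failing_node: str, recent_node: str) -> list:
    """The guide's manual recovery, in order, for the chosen node roles.

    failing_node is the node whose changes are thrown away: "drbdadm
    invalidate" makes it resynchronize its whole volume from recent_node.
    """
    if failing_node == recent_node:
        raise ValueError("failing_node and recent_node must be different nodes")
    return [
        f"{failing_node}# drbdadm secondary wab",
        f"{recent_node}# drbdadm primary wab",
        f"{failing_node}# drbdadm invalidate wab",
        f"{failing_node}# drbdadm connect wab",
        f"{recent_node}# systemctl start wabha",
        f"{failing_node}# systemctl start wabha",
    ]


if __name__ == "__main__":
    # Status as read on WabA and on WabB (constructed here, identical in a split-brain).
    if split_brain(SPLIT_BRAIN_SNAPSHOT, SPLIT_BRAIN_SNAPSHOT):
        print("\n".join(recovery_plan(failing_node="WabB", recent_node="WabA")))
    else:
        print("no split-brain: nothing to discard")
```

Replace the two snapshots with the contents of /proc/drbd read on each Bastion. Pick recent_node deliberately: everything recorded on failing_node since the split (session recordings, password changes) is lost once "drbdadm invalidate" runs, and there is no undo.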

Chapter 9. Users
The "Users" menu allows you to create and manage WALLIX Bastion users/administrators.

You can also configure the user groups to which the authorizations apply. For further information,
refer to Chapter 14, “Authorization management”, page 269.

Note:
User account names are not case sensitive, but the case entered when the account is created is preserved.

9.1. User accounts


The "Accounts" page allows you to:

• list user accounts according to a filter on local accounts or domain accounts from LDAP and
Active Directory domains. When an LDAP or Active Directory domain is selected from the list,
then the users from the directory mapped with a user group in WALLIX Bastion are displayed.
For further information on this mapping, refer to Section 9.9, “Configuration of LDAP or Active
Directory domain mapping”, page 114.
• add/edit/delete a user account
• identify the users for whom the "Credential recovery" right is enabled in their profile: a key icon
is then displayed in the "Profile" column on the related line. These users receive an email
gathering the target account passwords in case of password change. For further information,
refer to Section 11.4, “"Break glass" mechanism configuration”, page 216.

For further information on user profiles, refer to Section 9.3, “User profiles”, page 86.
• release the lock of a user account by clicking on the padlock icon displayed in the "Status"
column on the related line. A user account is locked when the maximum number of allowed
authentication failures defined in the local password policy has been reached. For further
information, refer to Section 9.6, “Local password policy configuration”, page 98.
• identify the users for whom the account is active: a tick icon is then displayed in the "Status"
column on the related line.
• identify the users for whom the account has expired: an hourglass icon is then displayed in the
"Status" column on the related line. The account expiration date can be set during the creation
or modification of the account.
• identify the users for whom the account is disabled: a warning icon is then displayed in the
"Status" column on the related line. The user account deactivation can be set during the
creation or modification of the account.
• access the detail of the account to view the user's rights on the GUI but also his/her authorizations
regarding devices, applications and target accounts
• import users from a .csv file which can be used to populate the WALLIX Bastion user database

For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

Figure 9.1. "Accounts" page

9.1.1. Add a user


From the "Accounts" page, click on "Add a user" to display the user creation page.
The user creation page consists of the following fields:

• the user name used to log on to the Web user interface and proxies.
• a name, used to identify the person to whom the user name belongs
• an email address which can be modified later on by the user
• a field to upload a GPG public key: the user will receive the new password in an encrypted email.
This key can be modified later on by the user.

Warning:
If the GPG key is not specified for the user with the “product_administrator” or
“operation_administrator” profile, then a warning email is sent daily to notify the user
of the missing declaration of the GPG key.
The sending of this warning email can be managed via the “Missing GPG key warning
email” option in the menu “Configuration” > “Configuration options” > “Global”. By
default, this option is enabled.

• a preferred language, used to select the language in which the messages sent to the user from
the proxies are displayed. This choice can be modified later on by the user.
• a profile, used to define the user rights and limitations (refer to Section 9.3, “User
profiles”, page 86)
• a check box to indicate whether the user account is disabled. If so, this user will not be allowed to
log on to the WALLIX Bastion Web interface and proxies. This check box is deselected by default.

Caution:
Even when this check box is deselected, a user whose profile defines no rights will not be
allowed to log on to the WALLIX Bastion Web interface, the REST API Web Service or
RDP/SSH sessions.

• a field including a calendar (displayed with a right-click) to select, if needed, the account expiration
date
• a list of groups, used to select the groups into which the user should be included. You can
also add a user to a group in the add or edit page for a group (refer to Section 9.2, “User
groups”, page 82)
• an authentication procedure, which may be different for each user (refer to Section 9.8, “External
authentication configuration”, page 107). You can select several procedures to indicate the
backup servers for external authentications (LDAP, RADIUS, etc.)
• if the chosen authentication procedure is "local_password":
– a field to enter and confirm a password: there may be certain requirements regarding
the passwords the system will accept (refer to Section 9.6, “Local password policy
configuration”, page 98). This password can be modified later on by the user.
– a field to force the password change for the user. The latter will then receive a notification
message indicating that his/her account has been created and that the password must be
changed at first login (see also Section 8.12, “SMTP server”, page 59). If the administrator
forces password change, the user will have to change the password next time s/he will
authenticate either on the login screen of WALLIX Bastion or when connecting to the RDP or
SSH session. No access will be granted as long as the password is not changed.
• if the chosen authentication procedure is "local_sshkey", a field to upload or enter manually an
SSH public key using RSA, ED25519 or ECDSA algorithm. This key can be modified later on
by the user.

Warning:
It is not possible to set a key if no algorithm is allowed for the SSH public key on the
"Local Password Policy" page from the "Configuration" menu. For further information,
refer to Section 9.6, “Local password policy configuration”, page 98.

This key must be in the OpenSSH format. Otherwise an error message is displayed.

If you use PuTTYgen to generate the key, you must save in a text file the public key
displayed in the OpenSSH format during the generation. As an example, this key is
labelled as follow:

"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0yR9lBQov6[.....]c3xu9p/xNjw== rsa-key-20151204"

You can then upload this key on the dedicated area on this page.

If a key pair already exists, you can load the private key into PuTTYgen in order to generate
the corresponding public key in the appropriate format.

• if the chosen authentication procedure is "local_x509" a field to enter the DN (i.e. "Distinguished
Name") of the certificate to allow the user authentication (refer to Section 9.7.4, “User
authentication configuration”, page 103) when X509 authentication is set for WALLIX Bastion
• a source IP/subnet address or range of addresses to restrict the access to this address/range of
addresses for proxies and the Web interface.

Figure 9.2. "Accounts" page in addition mode

9.1.2. Edit a user


From the "Accounts" page, click on a user name and then on "Edit this user" to display the user
modification page.

The fields in this page are the same as those in the user creation page.

Note:
If the "password" field is not changed, the user password is not modified.

9.1.3. Delete a user


From the "Accounts" page, check the box at the beginning of the line(s) to select the related
account(s), then click on the trash icon to delete the selected line(s). WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).

9.1.4. View the user's rights on the GUI


From the "Accounts" page, click on a user name to display the user data and expand the "Rights
on GUI" area to view the related data for this user.

9.1.5. View the devices, applications and target accounts accessible by a user

From the "Accounts" page, click on a user name to display the user data and expand the following
areas to view the related authorizations:

• "Authorizations on devices": this area shows the list of the devices which can be accessed by
this user

Click on the icon at the beginning of a line to download the configuration file to establish a
connection.
• "Authorizations on applications": this area shows the list of the applications which can be
accessed by this user

Click on the icon at the beginning of a line to download the configuration file to establish a
connection.
• "Authorizations on accounts": this area shows the list of the target accounts which can be
accessed by this user

9.1.6. Import users


You can import users from:

• a .csv file or
• a company directory (LDAP or Active Directory), if you only want to replicate a snapshot of
your directory into the WALLIX Bastion database. If you want WALLIX Bastion to use the directory
directly and stay synchronized with it, use the LDAP domain integration functionality instead (refer
to Section 9.9, “Configuration of LDAP or Active Directory domain mapping”, page 114).

9.1.6.1. Import users from a .csv file


You can import users from a .csv file which can be used to populate the WALLIX Bastion user
database:

• from the "CSV" page on the "Import/Export" menu. You can select the "Users" check box to import
the related data. The field and list separators can also be configured.
• or from the "Accounts" page on the "Users" menu. You can click on the "Import CSV file" icon at
the top right of the page to import the related data. You are then redirected to the "CSV" page on
the "Import/Export" menu: the "Users" check box is automatically selected to import the related
data. The field and list separators can also be configured.

The file must begin with a line containing the following tag:

#wab820 user

Important:
Data related to the users' password, SSH key or X509 DN is not provided in the .csv file
when exporting users. It must then be specified in the .csv file prior to import.

The update of existing data when importing a .csv file overwrites old data.

Each subsequent line must contain the following fields, in this order (R = required, O = optional):

1. Username (Text, R): [a-zA-Z], [0-9], '-', '_'.
2. Groups (Text, O): [a-zA-Z], [0-9], '-', '_'. There can be several groups for the same user. If a
   user group does not exist, it is created with the default time frame set as "allthetime".
3. Full name (Text, O): free text.
4. Source IPs (IP/FQDN, O): either an IP address, a domain name or an IP range (e.g.
   "10.10.10.11-10.10.10.42").
5. Profile (Text, R): one of the profiles defined.
6. Account expiration date (Date and time, O): YYYY-MM-DD and HH:MM, the date and time at which
   the account will expire.
7. User authentications (Text, R): authentications defined. There can be several authentications
   for the same user.
8. Public key (Text, required when authentication is "local_sshkey"): an SSH public key in the
   OpenSSH format (see Section 9.1.1). The corresponding data is not provided in the .csv file when
   exporting users; it must be specified in the .csv file prior to import.
9. Password (Text, required when authentication is "local_password"): free text, which must be
   compliant with the current password policy (number of special characters, etc.). The
   corresponding data is not provided in the .csv file when exporting users; it must be specified
   in the .csv file prior to import. When the import is performed from WALLIX Bastion 6.1 or later:
   • if this field is empty, the password is deleted during import. Caution! The import cannot be
     performed if there is no other authentication method (SSH key, etc.) for the user.
   • if this field contains the [hidden] keyword, the existing password is not modified. Caution!
     If there is no existing password for the account, the field is left at [hidden].
   • if this field contains a value other than the [hidden] keyword, the password is updated with
     this new value.
   Caution! When the import is performed from a WALLIX Bastion whose version is earlier than 6.1
   and this field is empty, the password is NOT deleted during import.
10. Email (Text, R): email address.
11. Force change password (Boolean, R): True or False. Default value: False.
12. Lock counter (Integer, O): authentication failure counter, a positive integer. The user is locked
    out if it is greater than or equal to the maximum number of allowed authentication failures per
    user specified in the password policy. Default value: 0.
13. Last connection (Text, O): this field is ignored.
14. Preferred language (Text, O): "de" for German, "en" for English, "es" for Spanish, "fr" for
    French, "ru" for Russian. Default value: "en".
15. Certificate DN (Text, required when authentication is "local_x509"): a certificate DN as
    mentioned in Section 9.7.4, “User authentication configuration”, page 103. The corresponding
    data is not provided in the .csv file when exporting users; it must be specified in the .csv file
    prior to import.
16. Disabled (Boolean, O): True or False, used to define whether the user account is disabled.
    Default value: False.

Example of import syntax:

#wab820 user
martin;linuxadmins;Pierre Martin;;user;;local;;jMpdu9/x2z;martin@wallix.com;False;0;;fr;/C=FR/O=Wallix/CN=PKI_USER;False

Once you have imported the .csv file, a summary report is displayed.

This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
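The summary report only tells you about a rejected line after the upload, and a password set to an empty field or to "[hidden]" has different effects depending on the other authentications of the user. The following Python script is an added example, not part of this guide or of WALLIX's code: it parses one line of a "#wab820 user" file following the 16-field order of the table above, checks the rules the table states, and rebuilds the line. Its assumptions are ';' as field separator and ',' as list separator (both are configurable on the "CSV" page), "YYYY-MM-DD HH:MM" as the expiration format, that an authentication named "local" or "local_password" is a password authentication (the guide's example line uses "local"), and a stand-in password policy; the real policy is the one set on the "Local Password Policy" page.

```python
"""Check and rebuild one line of a "#wab820 user" CSV import file.

Added example for this guide, not WALLIX code. Assumptions: ';' field
separator, ',' list separator, "YYYY-MM-DD HH:MM" expiration format, "local"
and "local_password" as password authentications, stand-in password policy.
"""
import ipaddress
import re
from datetime import datetime

FIELD_SEP, LIST_SEP = ";", ","
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
FQDN_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$")
LANGUAGES = {"de", "en", "es", "fr", "ru"}
PASSWORD_AUTHS = {"local_password", "local"}   # assumption, see the lead-in
FIELDS = [  # order of the user import table
    "username", "groups", "full_name", "source_ips", "profile", "expiration",
    "authentications", "public_key", "password", "email", "force_change_password",
    "lock_counter", "last_connection", "preferred_language", "certificate_dn", "disabled",
]


def valid_source_ip(value: str) -> bool:
    """Accept a single IP, a subnet, an IP range 'low-high' or a domain name."""
    try:
        if "-" in value and value.count("-") == 1 and "." in value:
            low, high = (ipaddress.ip_address(p) for p in value.split("-"))
            return low <= high
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return bool(FQDN_RE.match(value))   # not an address: must look like a name


def password_policy_ok(password: str) -> bool:
    """Stand-in policy: at least 8 characters with letters and digits."""
    return (len(password) >= 8 and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def parse_line(line: str) -> dict:
    """Split one import line into the 16 named fields ('' = not set)."""
    parts = line.rstrip("\r\n").split(FIELD_SEP)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def validate(rec: dict) -> list:
    """Return the problems found; an empty list means the line can be imported."""
    errors = []
    if not NAME_RE.match(rec["username"]):
        errors.append("username: required; letters, digits, '-' and '_' only")
    for grp in filter(None, rec["groups"].split(LIST_SEP)):
        if not NAME_RE.match(grp):
            errors.append(f"groups: invalid group name {grp!r}")
    for src in filter(None, rec["source_ips"].split(LIST_SEP)):
        if not valid_source_ip(src):
            errors.append(f"source_ips: {src!r} is not an IP, subnet, range or domain")
    if not rec["profile"]:
        errors.append("profile: required")
    if rec["expiration"]:
        try:
            datetime.strptime(rec["expiration"], "%Y-%m-%d %H:%M")
        except ValueError:
            errors.append("expiration: expected 'YYYY-MM-DD HH:MM'")
    auths = [a for a in rec["authentications"].split(LIST_SEP) if a]
    if not auths:
        errors.append("authentications: at least one is required")
    if "local_sshkey" in auths and not rec["public_key"]:
        errors.append("public_key: required for local_sshkey (never exported, add it first)")
    if PASSWORD_AUTHS & set(auths):
        pwd = rec["password"]
        # Since 6.1 an empty field deletes the password; the import is refused
        # when no other authentication method remains for the user.
        if pwd == "" and len(auths) == 1:
            errors.append("password: empty field deletes the only authentication")
        elif pwd not in ("", "[hidden]") and not password_policy_ok(pwd):
            errors.append("password: does not satisfy the password policy")
    if "local_x509" in auths and not rec["certificate_dn"]:
        errors.append("certificate_dn: required for local_x509 (never exported, add it first)")
    if "@" not in rec["email"]:
        errors.append("email: required")
    if rec["force_change_password"] not in ("True", "False"):
        errors.append("force_change_password: required, True or False")
    if rec["disabled"] not in ("", "True", "False"):
        errors.append("disabled: True or False")
    if rec["lock_counter"] and not rec["lock_counter"].isdigit():
        errors.append("lock_counter: expected a non-negative integer")
    if rec["preferred_language"] and rec["preferred_language"] not in LANGUAGES:
        errors.append("preferred_language: expected one of " + ", ".join(sorted(LANGUAGES)))
    return errors


def build_line(rec: dict) -> str:
    """Serialize a record in import order; refuse values that embed the separator."""
    for name in FIELDS:
        if FIELD_SEP in rec.get(name, ""):
            raise ValueError(f"{name}: contains the field separator {FIELD_SEP!r}")
    return FIELD_SEP.join(rec.get(name, "") for name in FIELDS)


# The guide's own example line, on one line.
EXAMPLE = ("martin;linuxadmins;Pierre Martin;;user;;local;;jMpdu9/x2z;"
           "martin@wallix.com;False;0;;fr;/C=FR/O=Wallix/CN=PKI_USER;False")

if __name__ == "__main__":
    record = parse_line(EXAMPLE)
    print(validate(record) or "line is importable")
    print("#wab820 user")
    print(build_line(record))
```

Run validate() over every line of a file before uploading it; a line that fails here would either be rejected in the summary report or, worse, silently delete a password or lock counter you meant to keep.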

Figure 9.3. "CSV" page - "Users" option selected

9.1.6.2. Import users from an LDAP or AD directory

From the "Users from LDAP/AD" page on the "Import/Export" menu, you can import the user data
stored in a remote directory to populate the WALLIX Bastion internal ACL database.

This procedure only allows you to import users from a remote directory. If you wish to include users to
an LDAP domain from a directory and remain synchronized with any updates made in this directory,
refer to Section 9.9, “Configuration of LDAP or Active Directory domain mapping”, page 114.

Warning:
If the imported users should authenticate on the directory used for the import, you
must first create the authentication method (see also Section 9.8.1, “Add an external
authentication”, page 107).

Case 1: Import users from an LDAP directory without using Active Directory

To import users from an LDAP directory without using Active Directory, enter the fields on the "Users
from LDAP/AD" page as follows:

• "Server": enter a server address (IP or FQDN)


• "Port": the default connection port is specified. It can be modified if needed.
• "Active Directory": the check box must not be selected
• "Encryption": select the appropriate encryption protocol. The connection port is then updated
depending on the selection.

Note:
For further information on TLS configuration, refer to Section 15.24, “Configure TLS
options for LDAP external authentication”, page 289.

• "Base DN": specify the organization unit "Distinguished Name"


• "User name attribute": specify the name of the LDAP user attribute which will be used for the
WALLIX Bastion user name
• "User email attribute": enter the user’s email address attribute
• "Search filter": the query allowing to retrieve all the users from the directory is specified by default.
It can be modified to retrieve the appropriate users using LDAP syntax.
• "Bind method": select either the anonymous or the simple bind method. When the simple bind
method is selected, the "User" and "Password" fields are then displayed.
• "User" and "Password": specify a user name and a password to use for searching the user name
in the directory. These fields are not displayed when the anonymous bind method is selected.

Note:
The user must have read rights for the base DN used.

Case 2: Import users from an LDAP directory using Active Directory

To import users from an LDAP directory using Active Directory, enter the fields on the "Users from
LDAP/AD" page as follows:

• "Server": enter a server address (IP or FQDN)

• "Port": the default connection port is specified. It can be modified if needed.


• "Active Directory": select the check box
• "Encryption": select the appropriate encryption protocol. The connection port is then updated
depending on the selection.

Note:
For further information on TLS configuration, refer to Section 15.24, “Configure TLS
options for LDAP external authentication”, page 289.

• "Base DN": depends on the domain name. For example, for the domain "mycorp.lan", the base
DN should be "dc=mycorp,dc=lan"
• "User name attribute": the connection attribute is "sAMAccountName"
• "User email attribute": enter the user’s email address attribute
• "Search filter": the query allowing to retrieve all the users from the directory is specified by default.
It can be modified to retrieve the appropriate users using AD syntax.
• "Bind method": select either the anonymous or the simple bind method. When the simple bind
method is selected, the "User" and "Password" fields are then displayed.
• "User" and "Password": specify a user name and a password to use for searching the user name
in the directory. These fields are not displayed when the anonymous bind method is selected.

Note:
The user must have read rights for the base DN used.

Once the fields are entered, click on the "Import" button.

If the import is successful, a page listing the users extracted from the directory is displayed: choose
the users you wish to import in WALLIX Bastion by selecting the check box at the beginning of the
concerned line. Before final import, you must assign an authentication and a profile to the selected
users. A user group and a domain name can also be assigned to the selection.

Click on the "Import" button to import data on the user database of WALLIX Bastion.

Once the import operation is performed, a summary report is displayed. This report lists the number
of users which were created/rejected in the WALLIX Bastion database. In case of rejection, the
corresponding error is mentioned.

Note:
The user name of the imported user is based on the following syntax:

• “domain_name\uid” for an LDAP directory without using Active Directory, or
• “domain_name\sAMAccountName” for an Active Directory domain

Figure 9.4. "Users from LDAP/AD" page

9.2. User groups


The "Groups" page allows you to:

• list declared user groups


• add/edit/delete a group
• view the members of each group
• import user groups from a .csv file which can be used to populate the WALLIX Bastion user
database

Note:
The administrator cannot view on this page the profile defined for a group (displayed in
the “Profile” field) when this profile has at least one permission that the administrator's
profile cannot grant as a transferable right. For further information, refer to Section 9.3,
“User profiles”, page 86.

For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

Figure 9.5. "Groups" page

9.2.1. Add a user group


From the "Groups" page, click on "Add a group" to display the user group creation page.

The user group creation page consists of the following fields:

• the group name


• a description
• the time frame(s) to apply

Note:
If several time frames are selected, the time frame applied is the combination of all the
selected time frames.

• a list to select the users in the group


• a list of actions to apply when certain character sequences (defined in the "Rules" field)
are detected in the upward flow from proxies (refer to Section 10.5.1.7.1, “SSH flow
analysis / Pattern detection”, page 175 and Section 10.5.1.7.2, “RDP flows analysis / Pattern
detection”, page 180)

Warning:
Character sequence detection is only enabled for data sent by the client to the
server and only for connections under specific protocols (available in the list from the
"Subprotocol" field).

• in case of LDAP/AD integration, as described in Section 9.9, “Configuration of LDAP or Active


Directory domain mapping”, page 114, the fields in the "LDAP authentication mapping" frame
allow to set the profile for the user group members and the DN of the directory group for each
link to a directory

Warning:
When there is no LDAP/AD domain configured in WALLIX Bastion, the "LDAP
authentication mapping" frame is not displayed on this page.

Figure 9.6. "Groups" page in addition mode

9.2.2. Edit a user group


From the "Groups" page, click on a group name and then on "Edit this group" to display the user
group modification page.
The fields in this page are the same as those in the user group creation page.
The field "Authorizations" lists the active authorizations linked to the user group.

Note:
The administrator cannot view the area “LDAP authentication mapping” when the
profile mapped to the group has at least one permission that the administrator's profile
cannot grant as a transferable right. For further information, refer to Section 9.3, “User
profiles”, page 86.

9.2.3. Delete a user group


From the "Groups" page, check the box at the beginning of the line(s) to select the group(s), then
click on the trash icon to delete the selected line(s). WALLIX Bastion displays a dialogue box
requesting a confirmation before permanently deleting the line(s).

Warning:
You cannot delete a user group linked to active authorizations (refer to Chapter 14,
“Authorization management”, page 269).

9.2.4. View the user group members


From the "Groups" page, click on a group name to display information regarding this group: the
"Users" field contains the list of the users in this group.

Figure 9.7. "Groups" page - Group information summary

9.2.5. Import user groups


From the "Groups" page, click on the "Import CSV file" icon at the top right of the page to import
the related data. You are then redirected to the "CSV" page on the "Import/Export" menu: the "User
groups" check box is automatically selected to import the related data. The field and list separators
can also be configured.
The file must begin with a line containing the following tag:

#wab820 usersgroup

Important:
The update of existing data when importing a .csv file overwrites old data.

Each subsequent line must be formed as follows:

The fields, in this order (R = required, O = optional), are:

1. Name (Text, R): [a-zA-Z], [0-9], '-', '_'.
2. Description (Text, O): free text.
3. Profile (Text, O): one of the profiles defined.
4. Time frame (Text, R): time frames defined. There can be several time frames for the same user
   group.
5. Users (Text, O): users defined. There can be no user, one user or several users.

Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.

9.3. User profiles


The "Profiles" page allows you to:

• list user profiles


• add/edit/delete a user profile
• define the administration rights and limitations on WALLIX Bastion for a profile
• import user profiles from a .csv file which can be used to populate the WALLIX Bastion user
database

For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

9.3.1. Default profiles


WALLIX Bastion is configured with default user profiles. These predefined profiles displayed on the
"Profiles" page are as follows:

• "approver": this profile can accept/reject approval requests to access target accounts
• "auditor": this profile can view WALLIX Bastion audit data (refer to Section 12.3, “Audit
data”, page 223) but cannot access target accounts
• "operation_administrator": this profile can perform any operation. However, it has no access to
the following features: the "System" menu (including system backup and restoration), the "Audit"
menu, all the system logs and the target accounts.
• "disabled": this profile has no rights; it can be edited or deleted if unused but it should not be used
to disable a user account. We recommend selecting the "Disabled" option on the user account
add/edit page if you wish to disable a user. For further information, refer to Section 9.1, “User
accounts”, page 72.

Caution:
The "disabled" profile is only displayed on an upgraded version of WALLIX Bastion as it
is inherited by default from a former version. During the upgrade, users with the former
"disabled" profile are automatically linked to the "user" profile and the "Disabled" option
on the user account edit page is selected by default.

• "system_administrator": this profile has full system administration rights via the "System" menu.
It can change the appliance configuration, access the console to create and restore backups and
view all the system logs. However, this profile cannot access target accounts.
• "user": this profile has no administration rights but can access target accounts
• "product_administrator": this profile has full administration rights and can connect to target
accounts

Note:
The configuration for the factory-set administrator account is the
"product_administrator" profile.

9.3.2. Add a user profile

From the "Profiles" page, click on "Add a profile" to display the user profile creation page.
The user profile creation page consists of the following fields:

• the profile name


• an area ("Rights") to define the rights for the profile members
• an area ("Transferable rights") to define the rights which can be granted by the profile members.
This area is only displayed when the "Modify" right for the "Users", "User profiles" or "Settings"
feature is set on the "Rights" part.
• an area ("Other features") to specify limitations for the profile members

On the "Rights" part, you can set the authorizations for the main features of the Web interface
displayed from the WALLIX Bastion menu:

• "None": no rights: the menu entry will not appear when the user logs on
• "View": the user can view the elements created but cannot edit them
• "Modify": the user can view and edit elements
• "Execute" (only for backup/restoration): the user can perform a system backup or restoration
(refer to Section 8.13, “Backup and Restoration”, page 60)

Another option can be used to enable/disable the access to the target accounts.
The "Transferable rights" part is displayed if the "Modify" right for the "Users", "User profiles" or
"Settings" feature is set on the "Rights" part.
On the "Transferable rights" part, you can set the authorizations which can be granted by the profile
members. These authorizations are inherited from the rights set for the profile and cannot exceed
them: a profile cannot grant the "Modify" right on a feature if it does not itself hold the "Modify"
right on that feature and is not allowed to transfer it. The "Session audit" and "Target account
access" rights are the exception and can be transferred regardless.

Note:
A user cannot view the profiles and the profile members having at least one permission
that this user does not have (except for the "Session audit" and the "Target account
access" rights).
However, this rule does neither apply to the "Groups" sub-entry in the "Users" menu nor
to the entries in the "Audit" menu.

On the "Dashboards" part, you can select the dashboards which can be viewed by the profile
members. The list of dashboards displayed on this area is inherited from the authorizations set for
your profile.
By default, the user associated with the “product_administrator” or “operation_administrator” profile
is allowed to view the “Administration” entry in the “Dashboards” menu.
By default, the user associated with the “product_administrator” or “auditor” profile is allowed to
view the “Audit” entry in the “Dashboards” menu.
On the "Other features" part, you can define limitations for the profile members from the following
fields:

• "IP limitations": define the source IP(s) to which the access is restricted for primary connection.
This address can be defined as a single IP address, a sub-network mask or a hostname.

• "User group limitations" and "Target group limitations": select the user groups and/or the target
groups which can only be viewed and managed by the profile members. The authorizations set
for the profile members will apply to these groups and the addition of users and/or target accounts
will be restricted to these groups.
If you define limitations on target groups, select from the list of values the default group to which
the new target accounts will belong.

The limitations which are defined on this section apply to the users linked to the profile, these can be
either local users or users imported from an LDAP/AD directory or members of a WALLIX Bastion
user group linked through an authentication mapping to a group from the LDAP/AD directory.

Warning:
If the target account access is allowed for a profile, we do not recommend defining
limitations for the profile members from the "Other features" part as it may lead to
functional inconsistencies.
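The rule above (a profile may only hand out rights it holds itself, except "Session audit" and "Target account access") is easy to get wrong when profiles are prepared in bulk. The following Python check is an added example, not WALLIX code. It uses the one-character-per-feature notation of the profile CSV import (Section 9.3.5: '-', 'r', 'w', 'x' in the feature order of the Web interface) and compares a profile's own rights string with its transferable rights string. FEATURES lists only the first four entries of that order as an illustration, and the ranking '-' < 'r' < 'w' < 'x' used for the comparison is an assumption.

```python
"""Check a profile's rights string against its transferable rights string.

Added example for this guide, not WALLIX code. FEATURES holds only the first
entries of the feature order given for the profile CSV import; pass the full
ordered list for real use. The rank order '-' < 'r' < 'w' < 'x' is assumed.
"""

# (feature name, rights accepted for it) in CSV order; partial, see above.
FEATURES = [
    ("Session audit", "-r"),
    ("System audit", "-r"),
    ("Users", "-rw"),
    ("User groups", "-rw"),
]
RANK = {"-": 0, "r": 1, "w": 2, "x": 3}
# Rights that may be transferred even when the profile does not hold them.
UNBOUNDED = {"Session audit", "Target account access"}


def parse_rights(rights: str, features=FEATURES) -> dict:
    """Map a rights string such as 'r-ww' onto the ordered feature list."""
    if len(rights) != len(features):
        raise ValueError(f"expected {len(features)} rights, got {len(rights)}")
    parsed = {}
    for (name, allowed), flag in zip(features, rights):
        if flag not in allowed:
            raise ValueError(f"{name}: {flag!r} is not one of {list(allowed)}")
        parsed[name] = flag
    return parsed


def transfer_violations(own: dict, transferable: dict) -> list:
    """Features where the profile would hand out more than it holds itself."""
    bad = []
    for name, flag in transferable.items():
        if name in UNBOUNDED:
            continue
        held = own.get(name, "-")
        if RANK[flag] > RANK[held]:
            bad.append(f"{name}: transfers {flag!r} but only holds {held!r}")
    return bad


def check_profile(rights: str, transferable: str, features=FEATURES) -> list:
    """Parse both strings; an empty result means the profile is consistent."""
    return transfer_violations(parse_rights(rights, features),
                               parse_rights(transferable, features))


if __name__ == "__main__":
    # A helpdesk profile: view users and user groups, no audit access.
    print(check_profile("--rr", "--rr"))   # []
    # The same profile trying to transfer "Modify" on Users, which it lacks.
    print(check_profile("--rr", "--wr"))   # ["Users: transfers 'w' but only holds 'r'"]
    # "Session audit" may be transferred even when not held.
    print(check_profile("--rr", "r-rr"))   # []
```

Feed it the "Rights" value of each profile line of a "#wab820 profile" file together with the transferable rights you intend to set, before creating the profiles on the "Profiles" page.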

Figure 9.8. "Profiles" page in addition mode

9.3.3. Edit a user profile


From the "Profiles" page, click on a profile name to display the user profile modification page.
The fields in this page are the same as those in the user profile creation page, except the "Profile
name" field which cannot be accessed.

Warning:
A predefined profile can neither be deleted nor edited.

9.3.4. Delete a user profile


From the "Profiles" page, check the box at the beginning of the line(s) to select the related profile(s),
then click on the trash icon to delete the selected line(s). WALLIX Bastion displays a dialogue box
requesting a confirmation before permanently deleting the line(s).

Warning:
A predefined profile can neither be deleted nor edited.
You cannot delete a profile if at least one user is linked to this profile.

9.3.5. Import user profiles


From the "Profiles" page, click on the "Import CSV file" icon at the top right of the page to import the
related data. You are then redirected to the "CSV" page on the "Import/Export" menu: the "Profiles"
check box is automatically selected to import the related data. The field and list separators can also
be configured.
The file must begin with a line containing the following tag:
#wab820 profile

Important:
The update of existing data when importing a .csv file overwrites old data.

Each subsequent line must be formed as follows:

Name
  Type: Text
  Required/Optional: Required
  Possible values: [aA-zZ], [0-9], '-', '_'
  Default value: N/A

Description
  Type: Text
  Required/Optional: Optional
  Possible values: Free text
  Default value: N/A

Rights
  Type: Text
  Required/Optional: Required
  Default value: N/A
  Possible values: the rights granted to the profile members, written as one
  character per feature:
    -: none
    r: right to "View"
    w: right to "Modify"
    x: right to "Execute"
  The characters must follow the order in which the features are listed in the
  WALLIX Bastion Web interface for a given profile. Features in that order, with
  the rights allowed for each:
    1. Session audit ('-', 'r')
    2. System audit ('-', 'r')
    3. Users ('-', 'r', 'w')
    4. User groups ('-', 'r', 'w')
    5. Targets & accounts ('-', 'r', 'w')
    6. Target groups ('-', 'r', 'w')
    7. Manage Authorizations ('-', 'r', 'w')
    8. Manage Approvals ('-', 'r', 'w')
    9. User profiles ('-', 'w')
    10. Settings ('-', 'r', 'w')
    11. System settings ('-', 'w')
    12. Backup/Restore ('-', 'x')
    13. Credential recovery ('-', 'x')
  A profile with the definition --rrrrw---wx- is granted the following rights:
    - Session audit: none
    - System audit: none
    - Users: right to "View"
    - User groups: right to "View"
    - Targets & accounts: right to "View"
    - Target groups: right to "View"
    - Manage Authorizations: right to "Modify"
    - Manage Approvals: none
    - User profiles: none
    - Settings: none
    - System settings: right to "Modify"
    - Backup/Restore: right to "Execute"
    - Credential recovery: none

Target account access
  Type: Boolean
  Required/Optional: Required
  Possible values: True or False
  Default value: False

IP limitations
  Type: IP/subnet/hostname
  Required/Optional: Optional
  Possible values: [aA-zZ], [0-9], '-', '/', '.' (e.g. for a subnet: 1.1.1.0/24).
  Zero, one or several addresses may be given; several addresses are separated
  by ";" (e.g. 10.10.10.10;24.12.33.125)
  Default value: N/A

User group limitations
  Type: Boolean
  Required/Optional: Required
  Possible values: True or False
  Default value: False

User groups
  Type: Text
  Required/Optional: Optional
  Possible values: user groups defined on WALLIX Bastion; zero, one or several
  groups may be given
  Default value: N/A

Target group limitations
  Type: Boolean
  Required/Optional: Required
  Possible values: True or False
  Default value: False

Target groups
  Type: Text
  Required/Optional: Optional
  Possible values: target groups defined on WALLIX Bastion; zero, one or several
  groups may be given
  Default value: N/A

Default target group
  Type: Text
  Required/Optional: Optional
  Possible values: the defined target group to use as the default for new target
  accounts
  Default value: N/A

Transferable rights
  Type: Text
  Required/Optional: Optional
  Default value: N/A
  Possible values: the rights the profile members may transfer, written as one
  character per feature:
    -: none
    r: right to "View"
    w: right to "Modify"
    x: right to "Execute"
  These rights must be consistent with the profile rights given in the "Rights"
  field. Features in the appropriate order, with the rights allowed for each:
    1. Session audit ('-', 'r')
    2. System audit ('-', 'r')
    3. Users ('-', 'r', 'w')
    4. Targets & accounts ('-', 'r', 'w')
    5. Manage Authorizations ('-', 'r', 'w')
    6. Manage Approvals ('-', 'r', 'w')
    7. User profiles ('-', 'w')
    8. Settings ('-', 'r', 'w')
    9. System settings ('-', 'w')
    10. Backup/Restore ('-', 'x')
    11. Credential recovery ('-', 'x')
  A profile with the definition --rrw---wx- is granted the following transferable
  rights:
    - Session audit: none
    - System audit: none
    - Users: right to "View"
    - Targets & accounts: right to "View"
    - Manage Authorizations: right to "Modify"
    - Manage Approvals: none
    - User profiles: none
    - Settings: none
    - System settings: right to "Modify"
    - Backup/Restore: right to "Execute"
    - Credential recovery: none

Once you have imported the .csv file, a summary report is displayed.

This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
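The positional "Rights" and "Transferable rights" strings are easy to get wrong by hand (one character out of place silently grants a different right). The following added example, which is not part of this guide or of the WALLIX product, encodes the feature order and the letters allowed at each position as described above, validates a rights string, checks that no transferable right exceeds the profile's own right, and writes import lines behind the required "#wab820 profile" tag. The "," field separator, the ";" list separator being the one configured on the import page, and the reading of "in compliance with the profile rights" as "nothing can be transferred that is not held" are this example's assumptions.

```python
"""Build and validate the rights strings of a WALLIX Bastion profile CSV import.

Added example, not WALLIX code. The feature order and the letters allowed at each
position come from the "Rights" and "Transferable rights" columns above; the
"#wab820 profile" header tag and the ";" list separator come from the page. Two
points are this example's assumptions: the field separator ("," here, it is
configurable on the import page) and the reading of "in compliance with the
profile rights" as "a profile cannot transfer a right it does not hold itself".
"""
import csv
import io

# "Rights" column: 13 features in Web-interface order, with the letters each accepts.
RIGHTS_FEATURES = [
    ("Session audit", "-r"),
    ("System audit", "-r"),
    ("Users", "-rw"),
    ("User groups", "-rw"),
    ("Targets & accounts", "-rw"),
    ("Target groups", "-rw"),
    ("Manage Authorizations", "-rw"),
    ("Manage Approvals", "-rw"),
    ("User profiles", "-w"),
    ("Settings", "-rw"),
    ("System settings", "-w"),
    ("Backup/Restore", "-x"),
    ("Credential recovery", "-x"),
]
# "Transferable rights" column: same order without User groups and Target groups (11 features).
TRANSFERABLE_FEATURES = [f for f in RIGHTS_FEATURES if f[0] not in ("User groups", "Target groups")]
LEVEL = {"-": 0, "r": 1, "w": 2, "x": 1}  # '-' < 'r' < 'w'; 'x' is the only non-'-' level for execute features


def parse_rights(value, features=RIGHTS_FEATURES):
    """'--rrrrw---wx-' -> {'Session audit': '-', ..., 'Backup/Restore': 'x'}, or ValueError."""
    if len(value) != len(features):
        raise ValueError(f"expected {len(features)} characters, got {len(value)}: {value!r}")
    rights = {}
    for letter, (name, allowed) in zip(value, features):
        if letter not in allowed:
            raise ValueError(f"{name}: {letter!r} is not one of {tuple(allowed)}")
        rights[name] = letter
    return rights


def build_rights(wanted, features=RIGHTS_FEATURES):
    """Inverse of parse_rights; features not mentioned get '-'. Validates the result."""
    unknown = set(wanted) - {name for name, _ in features}
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    value = "".join(wanted.get(name, "-") for name, _ in features)
    parse_rights(value, features)
    return value


def transfer_violations(rights, transferable):
    """Features where the transferable right is higher than the profile's own right."""
    own = parse_rights(rights)
    delegated = parse_rights(transferable, TRANSFERABLE_FEATURES)
    return [name for name, letter in delegated.items() if LEVEL[letter] > LEVEL[own[name]]]


def profile_csv(profiles, field_sep=","):
    """Render import lines in the column order of the table above, behind the header tag."""
    out = io.StringIO()
    out.write("#wab820 profile\n")
    writer = csv.writer(out, delimiter=field_sep, lineterminator="\n")
    for p in profiles:
        bad = transfer_violations(p["rights"], p["transferable"])
        if bad:
            raise ValueError(f"{p['name']}: transferable right exceeds profile right for {bad}")
        user_groups = p.get("user_groups", [])
        target_groups = p.get("target_groups", [])
        writer.writerow([
            p["name"],
            p.get("description", ""),
            p["rights"],
            str(p.get("target_account_access", False)),
            ";".join(p.get("ip_limitations", [])),      # ';' list separator, as in the IP example
            str(bool(user_groups)), ";".join(user_groups),
            str(bool(target_groups)), ";".join(target_groups),
            p.get("default_target_group", ""),
            p["transferable"],
        ])
    return out.getvalue()
```

Running `transfer_violations` before writing each line catches the case the page warns about implicitly: a profile whose transferable string grants "Modify" on a feature it can only "View".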

9.4. User data retention policy

To help meet GDPR requirements, WALLIX Bastion lets you define retention periods for user data.

Warning:
When WALLIX Bastion is configured in High-Availability mode with DRBD, the user data retention configuration is only propagated to the "Slave" node when that node becomes the "Master" node after a switchover. It is therefore recommended to force a DRBD switchover so that the new configuration is applied on all nodes.

The “Data retention policy” section, available from “Configuration” > “Configuration options”, allows
you to configure the following options:

• "Remove user data older than": deletes user data stored in the WALLIX Bastion databases, i.e. the data held in the following tables: account activity, answer, approval, auth_log, session_log and user. All data older than the value defined in this field is deleted. The value is expressed in weeks (suffix "w", e.g. "10w" for 10 weeks) or in days (suffix "d", e.g. "24d" for 24 days); a value without a suffix is interpreted as a number of weeks.

Note:
The deletion of user data from the WALLIX Bastion databases is based on:
– for the account activity table: the date of the user's activity
– for the answer table: the creation date of the approval answer
– for the approval table: the end date of the approval
– for the auth_log table: the timestamp of the authentication logs
– for the user table: the deactivation date of the user
For further information on the session purge, refer to Section 15.18, “Export and/or
purge session recordings manually”, page 284 and Section 15.19, “Export and/or
purge session recordings automatically”, page 286.

• “Max delete objects”: it consists of the maximum number of objects, per data type, to delete from
the database. This field is displayed when the check box of the "Advanced options" field at the
top right of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!
• "Remove user logs older than": deletes user data from the WALLIX Bastion log files stored on the /var/log partition: syslog, debug, error, user.log, wabaudit.log and wabauth.log. All data older than the value defined in this field is deleted. The value is expressed in weeks (suffix "w", e.g. "20w" for 20 weeks) or in days (suffix "d", e.g. "36d" for 36 days); a value without a suffix is interpreted as a number of weeks. The maximum retention time for the logs is 365 days (52 weeks).

Warning:
If the value defined for "Remove user data older than" is higher than the value set for "Remove user logs older than", the log retention time follows the value defined for "Remove user data older than" instead: logs are kept for the longer of the two periods.

9.5. Notification configuration

WALLIX Bastion allows you to define notifications that are triggered and emailed to the configured recipients when specific events are detected, such as:

• a wrong primary authentication, i.e. user authentication failure on WALLIX Bastion


• a wrong secondary authentication, i.e. a target authentication failure
• a login or a password checkout on a critical target
• a new SSH key fingerprint saved
• a wrong SSH key fingerprint detected
• an integrity error

Note:
When notifications are enabled for this event type, the email summarizes errors for
sessions older than 3 days by default. It is however possible to set a different value
for this number of days. To edit this parameter, go to “Configuration” > “Configuration
options” > “Session log policy”, then enter a positive integer in the field “Summarize
error older than” below section “IntegrityChecker”. If “0” is entered in this field, then
there is no error summary in the notification email.

• a RAID error
• a pattern detection during analysis of an RDP or SSH flow
• a license expiration warning

Note:
When notifications are enabled for this event type, the warning email will be sent 15
days, 10 days, 5 days and 1 day before the license expiration date.
It is also possible to define thresholds to trigger a notification to the administrator when
one of the license metrics has reached and/or exceeded these thresholds. For more
information, refer to Section 8.2.2, “Managing the sending of notifications”, page 45.

• a password expiration alert


• a disk space alert

From the “Notifications” page of the “Configuration” menu, you can add, edit or delete notifications.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

9.5.1. Add a notification


From the “Notifications” page of the “Configuration” menu, click on the “+ Add” button to display
the notification creation page.
The notification creation page consists of the following fields:

• the notification name


• the notification description
• a toggle button to enable or disable the email notification. By default, the notification is enabled.
• the recipient's email address

Note:
Once you have entered a valid email address, click on “+” at the end of the field to
add it to the recipient list. Once an email address is added, you have the possibility to
delete it from the list by clicking on the “-” red icon.
You can add as many recipients as necessary.

• the language in which the notification will be issued to the recipient


• check boxes to select the event types which will trigger the notification

Figure 9.9. "Notifications" page in addition mode

Note:
You can configure the settings for sending emails on the “SMTP Server” page of the
“System” menu (refer to Section 8.12, “SMTP server”, page 59).

9.5.2. Edit a notification


From the “Notifications” page of the “Configuration” menu, click on a notification name. The
modification page opens and it is possible to edit the data already entered.
The fields of this page are the same as those on the notification creation page, except for the “Name”
field which cannot be edited.

9.5.3. Delete a notification

From the “Notifications” page of the “Configuration” menu, check the box at the beginning of the
line to select the notification you wish to delete, then click on the “Delete” button. WALLIX Bastion
displays a dialogue box requesting a confirmation before permanently deleting the notification.

9.5.4. Create custom notification templates


You can create custom notification templates from the command line in order to:

• modify the subject and body of the notifications to your specific needs
• send notifications in HTML format

Note:
Once a custom notification template exists, the template used for a notification is selected in the following order of precedence:

• the custom template in the user's language, if it exists. For example: approval_pending_user_fr.txt
• otherwise, the custom template in English, if it exists. For example: approval_pending_user_en.txt
• otherwise, the default WALLIX Bastion notification in the user's language. For example: approval_pending_user.txt

To create a custom notification template, follow the steps below:

1. Connect to WALLIX Bastion via SSH.


2. Create a notification template in .txt format in the directory /var/wab/etc/notifier/.

Caution:
The name of the custom notification templates must be the same as the name of the
default notification templates, followed by the language suffix.

For example: approval_pending_user_en.txt.

To display the list of default notifications in order to copy the name, run the following command: ls /opt/wab/lib/python3.7/site-packages/wallixgenericnotifier/templates/mail

3. Customize the notification template according to the following rules:


• The first line is the subject of the notification and must fit on a single line.
• The second line must consist of two consecutive hyphens (--), which separate the subject from the body of the notification. This line is not included in the mail received by the user.
• The remaining lines form the body of the notification.
• If necessary, the same variables as in the default notifications can be used, written as {{name}}. The list of these variables can be read from the default templates in the following directory: /opt/wab/lib/python3.7/site-packages/wallixgenericnotifier/templates/mail/.

The table below lists the additional variables available for the custom notifications:

WALLIX Bastion's variables Description


{{ product_name }} Product name (“WALLIX Bastion” by default)
{{ product_name_short }} Short version of the product name (“Bastion” by
default)
{{ product_support_name }} Name of the Support Team (“WALLIX” by default)
{{ notifier.ip }} WALLIX Bastion user interface's IP address
{{ notifier.hostname }} WALLIX Bastion's hostname
{{ notifier.fqdn }} WALLIX Bastion's FQDN (if the FQDN is not set,
the hostname is used by default)

The table below lists the variables available for the custom approval notifications sent to users
asking for approval (all the templates: approval_*_user.txt):

WALLIX Bastion's variables Description


{{ target }} Target name
{{ name }} Name of the user asking for approval
{{ answer_user }} Name of the approver (for a notification sent after
an answer)
{{ begin }} Start time (format: “YYYY-MM-DD hh:mm”)
{{ end }} End time (format: “YYYY-MM-DD hh:mm”)
{{ duration }} Duration, in time units (“h” for hours, “m” for
minutes)
{{ approvers }} Comma-separated list of approver names
{{ reason }} Reason given by the approver (for a notification
sent after an answer)

The table below lists the variables available for the custom approval notifications sent to
approvers (all the templates: approval_*_approver.txt):

WALLIX Bastion's variables Description


{{ approval_uid }} UID of the approval request
{{ user }} Name of the user asking for approval
{{ target }} Target name
{{ begin }} Start time (format: “YYYY-MM-DD hh:mm”)
{{ end }} End time (format: “YYYY-MM-DD hh:mm”)
{{ duration }} Duration, in time units (“h” for hours, “m” for
minutes)
{{ approvers }} Comma-separated list of approver names
{{ reason }} Approval comment (“-” if not set)
{{ ticket }} Approval ticket (“-” if not set)

Example of custom notification template:

Your access request on {{ target }}
--
Target: {{ target }}
between {{ begin }} and {{ end }} ({{ duration }})

Your access request has been sent.
You will be promptly notified after your request is reviewed.

--
Your {{ product_name_short }} administrator.
4. If necessary, add the <html> element in the template in order to send a custom notification in
the HTML format as shown in the example below:
Your access request on {{ target }}
--
<html>
Target: {{ target }}
<br>
between {{ begin }} and {{ end }} ({{ duration }})
<br><br>
Your access request has been sent.
<br>
You will be promptly notified after your request is reviewed.
<br><br>
--
<br>
Your {{ product_name_short }} administrator.
</html>
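To see how the file layout and the selection order described above fit together, the following added example (not part of this guide or of the WALLIX product) resolves a template name through the custom-language, custom-English and default steps, splits it into subject and body at the "--" line, substitutes {{ name }} placeholders and detects the HTML variant. The template directories are replaced by in-memory dicts, the substitution is a plain regular-expression replacement rather than the product's template engine, and every template text, template name other than approval_pending_user and variable value below is constructed for the example.

```python
"""Select and render a custom notification template.

Added example, not WALLIX code: it mirrors the selection order and the file
layout described above (subject on line 1, "--" on line 2, body after). The
template directories are replaced by in-memory dicts, the {{ name }}
substitution is a plain regex replacement rather than the product's template
engine, and every template text and variable value below is constructed.
"""
import re

PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def select_template(name, lang, custom, defaults):
    """Return (source, text) following the documented precedence: custom
    <name>_<lang>.txt, then custom <name>_en.txt, then the default <name>.txt."""
    for key in (f"{name}_{lang}.txt", f"{name}_en.txt"):
        if key in custom:
            return "custom", custom[key]
    return "default", defaults[f"{name}.txt"]


def split_template(text):
    """Line 1 is the subject; line 2 must be exactly '--'; the rest is the body.
    The separator line is not part of the message that is sent."""
    lines = text.splitlines()
    if len(lines) < 2 or lines[1].strip() != "--":
        raise ValueError("line 2 must be the '--' subject/body separator")
    return lines[0].strip(), "\n".join(lines[2:])


def _lookup(variables, dotted):
    """Resolve 'notifier.fqdn'-style names through nested dicts."""
    value = variables
    for part in dotted.split("."):
        if not isinstance(value, dict) or part not in value:
            raise KeyError(f"unknown template variable: {dotted}")
        value = value[part]
    return str(value)


def render(text, variables):
    """Substitute placeholders and report whether the body is HTML (it starts
    with the <html> element, as in step 4 above)."""
    subject, body = split_template(text)
    expand = lambda m: _lookup(variables, m.group(1))
    body = PLACEHOLDER.sub(expand, body)
    return {
        "subject": PLACEHOLDER.sub(expand, subject),
        "body": body,
        "html": body.lstrip().lower().startswith("<html>"),
    }


# Constructed stand-ins for /var/wab/etc/notifier/ and the default template directory.
CUSTOM_TEMPLATES = {
    "approval_pending_user_en.txt": (
        "Your access request on {{ target }}\n"
        "--\n"
        "Target: {{ target }}\n"
        "between {{ begin }} and {{ end }} ({{ duration }})\n"
        "\n"
        "Your {{ product_name_short }} administrator ({{ notifier.fqdn }})."
    ),
}
DEFAULT_TEMPLATES = {
    "approval_pending_user.txt": "Access request\n--\nDefault text.",
    "approval_pending_approver.txt": (  # constructed name following the approval_*_approver pattern
        "Access request from {{ user }}\n--\nRequest {{ approval_uid }} on {{ target }}."
    ),
}
SAMPLE_VARIABLES = {  # constructed values shaped like the variable tables above
    "target": "root@web01:SSH",
    "user": "lmartin",
    "approval_uid": "a1b2c3",
    "begin": "2021-06-01 09:00",
    "end": "2021-06-01 10:00",
    "duration": "1h",
    "product_name_short": "Bastion",
    "notifier": {"hostname": "bastion01", "fqdn": "bastion01.example.net"},
}


def notify(name, lang, variables=SAMPLE_VARIABLES):
    """Pick the template for (name, lang) and render it with the given variables."""
    source, text = select_template(name, lang, CUSTOM_TEMPLATES, DEFAULT_TEMPLATES)
    return source, render(text, variables)
```

A request in French for approval_pending_user falls back to the custom English file because no approval_pending_user_fr.txt exists, which is exactly the second step of the order above; a misspelled variable raises instead of leaving an empty field in the mail.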

9.6. Local password policy configuration


The password policy defines the rules that local passwords must satisfy, i.e. the required level of password complexity.
From the “Local Password Policy” page on the “Configuration” menu, you can define the password
policy and configure the password expiration time.
This page consists of the following fields:

• the password validity period in number of days. After this period, the user will be prompted for
password change on the login screen of WALLIX Bastion or when connecting to the RDP or SSH
session. We recommend configuring this setting for a period of less than one year.
• the period in number of days before the display of the first password expiration warning. We
recommend setting this period to a value of at least 20 days.
• the maximum number of authentication failures allowed per user. We recommend setting this
number to a value of at most 5 authentication attempts.
• the number of previous passwords which cannot be reused. We recommend rejecting at least
the last 4 passwords.
• the minimum length of the password. This value must be greater than the sum of the other length
constraints. We recommend setting this length to a value of at least 12 characters.
• the minimum number of special characters in the password. We recommend setting this number
to a value of at least 1 character.
• the minimum number of uppercase letters in the password. We recommend setting this number
to a value of at least 1 character.

• the minimum number of lowercase letters in the password. We recommend setting this number
to a value of at least 1 character.
• the minimum number of digits in the password. We recommend setting this number to a value
of at least 1 character.
• a list to select one or several algorithms allowed for the SSH public key. If the "RSA" algorithm is selected, the minimum key length must be entered in the "Minimum RSA key length" field. This value must not be lower than 1024 bits. Note that 1024 bits is only the floor the product accepts: RSA keys shorter than 2048 bits are no longer considered adequate, so a higher minimum should be set.

Note:
If no algorithm is selected, then the definition of the SSH public key cannot be performed
on the “My Preferences” page and the SSH public key cannot be set for the local user
on the “Accounts” page from the “Users” menu.

• a toggle button to allow passwords similar to the user name. We do not recommend allowing
similarity.
• a button to upload the file containing the list of banned passwords.

Note:
The file containing the list of banned passwords must be in a UTF-8 format.

• a button to download the file containing the list of banned passwords.
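The rules listed above interact (the minimum length must exceed the sum of the per-class minimums, the banned list must be UTF-8, similarity to the user name may be refused), so it helps to see them evaluated together. The following added example, not part of this guide or of the WALLIX product, checks a candidate password against a policy built from the recommended values above and returns the names of the rules it breaks. The product evaluates these rules itself; this code only illustrates them. Two details the page leaves open are this example's assumptions: "special" means any non-alphanumeric character, and "similar to the user name" means the user name appears in the password, case-insensitively. Previous passwords are compared as SHA-256 digests only so that the example holds no plaintext; nothing here describes how the product stores password history.

```python
"""Check a candidate local password against a policy shaped like the
"Local Password Policy" page described above.

Added example, not WALLIX code: the product applies these rules itself. Default
values are the recommendations given on the page. Assumptions of this example:
"special" means any non-alphanumeric character; "similar to the user name" means
the user name appears in the password (case-insensitive); previous passwords are
kept as SHA-256 digests purely so the example holds no plaintext.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_special: int = 1
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    history: int = 4                 # number of previous passwords that cannot be reused
    allow_similar_to_username: bool = False
    banned: frozenset = frozenset()  # casefolded entries of the banned-password list

    def __post_init__(self):
        # The page: the minimum length must be greater than the sum of the other length constraints.
        floor = self.min_special + self.min_upper + self.min_lower + self.min_digits
        if self.min_length <= floor:
            raise ValueError(f"min_length {self.min_length} must exceed {floor}")


def parse_banned_list(data):
    """The banned-password file must be UTF-8: decode strictly so a wrongly
    encoded upload is rejected instead of silently producing garbage entries."""
    text = data.decode("utf-8")  # raises UnicodeDecodeError on invalid bytes
    return frozenset(line.strip().casefold() for line in text.splitlines() if line.strip())


def digest(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def violations(policy, username, password, previous_digests=()):
    """Return the names of the rules the candidate breaks; an empty list means accepted.
    previous_digests is ordered oldest to newest; only the last `history` entries count."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("min_length")
    counts = {
        "min_special": sum(1 for c in password if not c.isalnum()),
        "min_upper": sum(1 for c in password if c.isupper()),
        "min_lower": sum(1 for c in password if c.islower()),
        "min_digits": sum(1 for c in password if c.isdigit()),
    }
    problems += [rule for rule, have in counts.items() if have < getattr(policy, rule)]
    if not policy.allow_similar_to_username and username.casefold() in password.casefold():
        problems.append("similar_to_username")
    if password.casefold() in policy.banned:
        problems.append("banned")
    recent = list(previous_digests)[-policy.history:] if policy.history else []
    if digest(password) in recent:
        problems.append("reused")
    return problems
```

Note that the length check in `__post_init__` fails fast on a policy that can never be satisfied, and that the banned list is matched case-insensitively; whether the product itself matches banned entries case-insensitively is not stated on the page.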

Figure 9.10. "Local Password Policy" page

9.7. X509 certificate authentication configuration

X509 certificate authentication is supported by WALLIX Bastion to allow users to authenticate with
certificates.
From the “X509 configuration” page on the “Configuration” menu, you can configure X509
authentication as well as Certificate Revocation Lists (CRLs) and the Online Certificate Status
Protocol (OCSP). To do so, select “Certificates”, “CRL” or “OCSP” from the drop-down list.

9.7.1. Setting X509 certificate authentication


9.7.1.1. Prerequisites for the configuration
Before setting up X509 authentication, make sure you have the following required elements:

• the certificate of the Certificate Authority which issued the server certificate, in PEM format (it carries the CA public key). The certificate may be self-signed or issued by an accredited authority.
• the certificate in PEM format for the WALLIX Bastion Web server
• the private key in PEM format for this server certificate

9.7.1.2. X509 configuration


On the “Certificates” page, please follow the following steps to configure and enable the X509
authentication:

• In the “X509 server certificates” section:


1. Upload the CA certificate in PEM format (it contains the public key). If several CA certificates
exist, it is necessary to combine the certificates by pasting the content of each certificate one
after another in a single PEM format file before uploading it.
2. Upload the server certificate in PEM format (it contains the public key) or the chained
certificate.

Warning:
If the signature algorithm of the server certificate is too weak, an error message is
displayed during the upload. Please contact the WALLIX Support Team for more
information.

3. Upload the server private key in PEM format.


• In the “X509 authentication” section, enable the authentication with the “Enable X509
authentication” button.
• Click on the “Apply” button to enable the X509 authentication and restart the Web interface of
WALLIX Bastion. This process may take a few seconds.

Warning:
When X509 authentication is enabled, the TLS 1.3 protocol is deactivated for HTTPS connections to the Web interface. TLS 1.3 is activated by default when X509 authentication is disabled.

Note:
The WALLIX Bastion Web interface and the REST API Web Service are not available during this set-up phase, and active connections to the interface are dropped. RDP and SSH sessions are not affected.

Figure 9.11. "X509 configuration" page for the upload of certificates

9.7.2. CRL management


On the “CRL” page, please follow the following steps to manage CRLs:

1. Upload a CRL (Certificate Revocation List) file.


2. Specify an address from which the CRL is fetched automatically and hourly.
3. Enable the “Enable CRL checking” button to perform a check on the CRL. The check is disabled
by default.
4. Click on the “Apply” button.

Note:
The CRL files are stored in the directory /var/wab/apache2/ssl.crl/.

An uploaded file containing several CRLs is split into separate unit CRL files.

An uploaded CRL only replaces an existing one if its "CRLNumber" is greater than or equal to that of the existing version.

This list can also be updated using a dedicated command. For further information, refer
to Section 15.28, “Update the CRL (Certificate Revocation List)”, page 292.

Figure 9.12. "X509 configuration" page for CRL configuration

9.7.3. OCSP management


OCSP provides the revocation status of a certificate when a user connects to a server with an SSL/TLS certificate. The OCSP responder receives the request and returns a response indicating one of the following:

• the certificate is valid or


• the certificate is revoked or
• the information related to the certificate is unknown

On the “OCSP” page, please follow the following steps to manage the OCSP:

1. Select one of the three directives.


2. Specify the URL of the proxy which will be used for the queries to the OCSP responder. The
OCSP responder used is extracted from the certificate itself.
3. Specify the URI of the default OCSP server which will be used to override the OCSP responder.
4. Enable the “Enable OCSP validation of client certificate chain” button to validate certificates in
the client's certificate chain with an OCSP responder.
5. Click on the “Apply” button.

Figure 9.13. "X509 configuration" page for OCSP configuration

9.7.4. User authentication configuration


From the “Accounts” page on the “Users” menu, you need to configure the user's authentication
method.

The “Local authentication - X509” section and the “Certificate DN” field appear on the page when
adding or editing a user (refer to Section 9.1, “User accounts”, page 72). To associate the user
with the certificate, the DN (i.e. "Distinguished Name") of the certificate must be entered in the
“Certificate DN” field as follows:

CN=Lucas Martin,O=MyCorp,L=PARIS,ST=IDF,C=FR

When the certificate is used, the associated user will then be authenticated on WALLIX Bastion.

Caution:
Some tools display the "emailAddress" attribute of a certificate DN with the short name "E", as in "E=...". In the "Certificate DN" field, this attribute must be written as "emailAddress=...".

Note:
The certificates must be signed by the same Certificate Authority as the Web server
certificate.

The Unicode character set is supported in the DN if the certificate is UTF-8-encoded according to RFC 2253; otherwise, only standard ASCII is supported.

The maximum supported length of a DN is 1,024 bytes (the exact number of characters
may be less depending on the length of the UTF-8 encoding).
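Certificate subjects are usually copied from a tool's output, which may print them in a different order, with spaces around "=" and with "E=" for the e-mail attribute. The following added example, not part of this guide or of the WALLIX product, rewrites such a subject into the form the "Certificate DN" field expects as described above: RFC 2253 style "attribute=value" pairs separated by commas, most specific RDN first, "emailAddress=" instead of "E=", and at most 1,024 UTF-8 bytes. Accepting OpenSSL's legacy "/C=FR/ST=.../CN=..." one-line form (which lists RDNs in the reverse order), stripping a leading "subject=" label and tolerating spaces around "=" are this example's own conveniences; the product does not necessarily accept those forms.

```python
"""Rewrite a certificate subject into the form expected by the "Certificate DN" field.

Added example, not WALLIX code. It applies the rules stated above: RFC 2253
style "attr=value" pairs separated by commas, most specific RDN first (as in
CN=Lucas Martin,O=MyCorp,L=PARIS,ST=IDF,C=FR), "E=" written as "emailAddress=",
and at most 1,024 UTF-8 bytes. Accepting OpenSSL's legacy "/C=FR/ST=.../CN=..."
form, stripping a leading "subject=" label and tolerating spaces around "=" are
this example's own conveniences.
"""
import re

MAX_DN_BYTES = 1024
RENAME = {"E": "emailAddress"}              # short name some tools print for emailAddress
UNESCAPED_COMMA = re.compile(r"(?<!\\),")   # RFC 2253: a comma inside a value is escaped as "\,"
LEADING_LABEL = re.compile(r"^\s*subject\s*[=:]\s*", re.IGNORECASE)


def _rdns(subject):
    """Return the RDN strings in RFC 2253 order (most specific first)."""
    subject = LEADING_LABEL.sub("", subject)
    if subject.startswith("/"):
        # The legacy OpenSSL one-line form lists RDNs root first: reverse it.
        return list(reversed(subject[1:].split("/")))
    return UNESCAPED_COMMA.split(subject)


def normalize_certificate_dn(subject):
    """Normalise attribute names and spacing, rename E to emailAddress and enforce
    the 1,024-byte limit (counted in UTF-8 bytes, not characters)."""
    parts = []
    for rdn in _rdns(subject):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"not an attribute=value pair: {rdn!r}")
        attr, value = (s.strip() for s in rdn.split("=", 1))
        attr = RENAME.get(attr.upper(), attr)
        parts.append(f"{attr}={value}")
    dn = ",".join(parts)
    size = len(dn.encode("utf-8"))
    if size > MAX_DN_BYTES:
        raise ValueError(f"DN is {size} bytes; the field accepts at most {MAX_DN_BYTES}")
    return dn
```

The byte-length check matters for non-ASCII names: a DN of 603 characters made mostly of accented letters is already above the 1,024-byte limit, which is the distinction the note above draws between characters and UTF-8 length.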

Figure 9.14. "Accounts" page in modification mode with the "Certificate DN" field

9.7.5. X509 authentication


9.7.5.1. X509 authentication on the Web interface
Upon the next log on, the WALLIX Bastion authentication page displays a new link to complete the
authentication using an SSL certificate.

Figure 9.15. Login screen with X509 authentication

Users and administrators can then log on using a saved certificate stored in the browser.

Figure 9.16. User authentication using an SSL certificate

9.7.5.2. X509 connection to the target


When the user authenticates via an X509 certificate, the connection process to a target is as follows:

1. The user connects to a target device using an RDP or SSH client.


2. The proxy asks WALLIX Bastion for the user's authentication method on the Web interface.
3. If the user is using X509 authentication, a connection confirmation request is displayed on the
Web interface.
4. The user must confirm the request to automatically authenticate on the target.

The user can also accept or reject multiple automatic connections for RDP sessions, SSH sessions or both for a given period, expressed in seconds, by enabling the "Also applies to all connections for:" button and configuring the fields underneath it.

Figure 9.17. Confirmation request to connect to a target

Warning:
The browser and the RDP or SSH client must both run on the same workstation, so that they present the same source IP address; otherwise the connection confirmation request cannot be displayed.

The maximum duration value during which automatic connections are allowed can be
defined in the field “X509 automatic sessions timer” from “Configuration” > “Configuration
Options” > “Global”. This duration cannot exceed 60 seconds and is set to 15 seconds by
default. The user cannot specify in the popup window a duration greater than this value.

If the authentication is based on account mapping, the user must enter his/her password
on the target.

9.7.6. Disable and unset X509 certificate authentication mode

On the “Certificates” page, you can disable or unset the X509 certificate authentication.

• To disable X509 authentication, follow these steps:


1. Disable the “Enable X509 authentication” button in the “X509 authentication” section.
2. Click on the “Apply” button.
• To unset the X509 authentication, click on the “Unset X509 configuration” button.

Warning:
The Web interface is restarted, so no user connections should be active at that time.

The default configuration is restored: the certificates are deleted and new self-signed certificates are generated.

Users can no longer log on using their certificates.

Figure 9.18. "X509 configuration" page

9.8. External authentication configuration


The external authentication methods defined in WALLIX Bastion determine how users authenticate to the application.
An external authentication method is linked to a user account during the creation or modification of
the account. For further information, refer to Section 9.1.1, “Add a user”, page 73.
WALLIX Bastion supports the following authentication methods:

• LDAP
• Active Directory
• Kerberos
• RADIUS

From the "External Authentications" page on the "Configuration" menu, you can add, edit or delete
external authentication configurations.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

Note:
The default authentication method configured on WALLIX Bastion is "local", which authenticates users against the product's internal data engine.

9.8.1. Add an external authentication

From the "External Authentications" page, click on "Add an authentication" to display the external
authentication creation page.

The external authentication creation page consists of the following fields:

• an authentication type: you must select the appropriate type to display the required fields for the
authentication definition
• an authentication name
• a server address (IP or FQDN)
• a connection port

Refer to the sections below to get specific information on the creation of external authentications
on this page.

Figure 9.19. "External Authentications" page in addition mode for LDAP authentication

9.8.1.1. Add a Kerberos external authentication


For Kerberos authentications, as a prerequisite, the Kerberos infrastructure, the browser and SSH
proxy client must be appropriately configured to be able to authenticate.

Enter the required fields as follows:

• "Key distribution center": specify the domain name or the IP address of the KDC server
• "Realm name": specify the domain name (REALM)
• "Keytab file": the keytab files used for service authentication must be uploaded. Each uploaded
keytab file is merged with the previously loaded files.

If an HTTP service principal is present in the keytab file, Kerberos support is activated for Web interface authentication; the /iwab path must then be appended to the URL: https://bastion_ip_address/iwab or https://<bastion_name>/iwab

HOST services are used for Kerberos authentication with the SSH proxy. It is then possible to use a "forwardable" ticket to connect to a target within the same Kerberos domain using account mapping (refer to Section 10.4.1, “Add a target account to a global domain”, page 159, Section 10.4.2, “Add a target account to a device”, page 163 or Section 10.4.3, “Add a target account to an application”, page 165).
• "Use primary domain name": this option is only relevant when this authentication is used as a second factor after first authenticating via LDAP. Select the check box to require the domain name in the login (e.g. "user@domain") during the second authentication.

In order for a Kerberos authenticated user (via the GUI or the SSH proxy) to be acknowledged by
WALLIX Bastion, at least one of the following two conditions is required:

• the user is defined locally on WALLIX Bastion and the appropriate Kerberos external
authentication is configured for this user or
• the user is an LDAP user mapped to a WALLIX Bastion defined group. In this case, at least one
of the following configurations is required:
– a mapping must be defined on WALLIX Bastion for the LDAP domain of the user and the
Kerberos domain name matches the LDAP domain name (case insensitive) or
– a default mapping is defined on WALLIX Bastion.

9.8.1.2. Add a Kerberos-Password external authentication


This authentication is seen as a standard authentication (i.e. by providing login and password) by
the user. WALLIX Bastion then acts as a Kerberos client.

For Kerberos-Password authentications, as a prerequisite, the Kerberos infrastructure must be appropriately configured to be able to authenticate.

Enter the required fields as follows:

• "Key distribution center": specify the domain name or the IP address of the KDC server
• "Realm name": specify the domain name (REALM)
• "Keytab file": the keytab files used for service authentication must be uploaded. Each uploaded
keytab file is merged with the previously loaded files.
• "Use primary domain name": this option is only relevant when this authentication is used as a
second factor after first authenticating via LDAP. Select the check box to force the mention of the
domain name in the login (e.g. "user@domain") during second authentication.

In order for a Kerberos-Password authenticated user to be acknowledged by WALLIX Bastion, at
least one of the following two conditions is required:

• the user is defined locally on WALLIX Bastion and the appropriate Kerberos-Password external
authentication is configured for this user or
• Kerberos-Password is used as a second factor after first authenticating via LDAP with or without
using Active Directory

9.8.1.3. Add an LDAP external authentication


Case 1: Add an LDAP external authentication without using Active Directory

To add an LDAP external authentication without using Active Directory, enter the fields on the
"External Authentications" page as follows:

• "Timeout (s)": specify the maximum time period (expressed in seconds) for connection attempt
to the LDAP server. This value is set to 3 seconds by default.


Caution:
This timeout applies to all new LDAP external authentications. The LDAP external
authentications inherited from an earlier version of WALLIX Bastion keep the former
timeout value defined.

• "Active Directory": the check box must not be selected


• "Encryption": select the appropriate encryption protocol. The connection port is then updated
depending on the selection.

Note:
For further information on TLS configuration, refer to Section 15.24, “Configure TLS
options for LDAP external authentication”, page 289.

• "Base DN": specify the organization unit "Distinguished Name"


• "Login attribute": specify the login attribute used for connection. By default, this connection
attribute corresponds to "uid". The "mail" attribute can be specified in this field to allow users
associated with this authentication to use their email when logging on to the Web interface. The
following login formats are then supported:
– jdoe@mycompany.com@domain. The format is "login@domain" with the email defined as
login (i.e. "jdoe@mycompany.com")
– domain\\jdoe@mycompany.com. The format is "domain\\login" with the email defined as login
(i.e. "jdoe@mycompany.com")
– jdoe@mycompany.com with the domain defined as the default LDAP/AD domain
• "User name attribute": specify the user name attribute. The user name attribute must be the name
of the LDAP attribute where the WALLIX Bastion user name is stored. By default, it corresponds
to "uid".
• "Bind method": select either the anonymous or the simple bind method.

When the anonymous bind method is selected, the "User"/"Password" fields and the "Client key
and certificate" field are not displayed.

When the simple bind method is selected and no encryption protocol is specified, the "User" and
"Password" fields are required.

When the simple bind method is selected and the chosen encryption protocol is either "StartTLS"
or "SSL", the "User"/"Password" fields and the "Client key and certificate" field are optional.
However, it is required to enter at least one of them (either the "User"/"Password" pair or the
"Client key and certificate" field).
• "User" and "Password": specify a user name and a password to use for searching the WALLIX
Bastion user name in the directory. These fields are not displayed when the anonymous bind
method is selected.

Note:
The user must have read rights for the base DN used.

• "Description": enter a description if needed


• "CA certificate": this field is displayed when either "StartTLS" or "SSL" is selected as the
encryption protocol. Browse a path to upload the CA certificate file. This certificate is checked
against the LDAP server during connection.

Important:
The hostname specified in the “Server” field must be copied to the “CN” field in the
certificate.

• "Client key and certificate": this field is displayed when the simple bind method is selected and the
chosen encryption protocol is either "StartTLS" or "SSL". Browse a path to upload the private key
and certificate used to connect and authenticate on the LDAP server by providing a PKCS#12
file. Once the file has been uploaded, a passphrase can be provided for the certificate on the
dedicated field. The certificate is checked against the CA certificate during connection.
• "Use primary domain name": this option is only relevant when this authentication is used as a
second factor after first authenticating via LDAP. Select the check box to force the mention of the
domain name in the login (e.g. "user@domain") during second authentication.

Once the fields are entered, it is possible to test the LDAP external authentication configuration by
clicking on the "Test" button. A test in progress can be cancelled at any time.

Case 2: Add an LDAP external authentication using Active Directory

Important:
When using this method, the user can be prompted for password change after expiration
on the login screen of WALLIX Bastion or when connecting to the RDP or SSH session.
The prerequisites are then as follows:

• the minimum required version for the Active Directory server is Windows Server 2008
R2
• the option “AD user password change” (accessible from the menu “Configuration” >
“Configuration Options” > “Global” > section “main”) must be selected and
• at least one encryption protocol must be set for this method in the "Encryption" field
(i.e. either "StartTLS" or "SSL").

To add an LDAP external authentication using Active Directory, enter the fields on the "External
Authentications" page as follows:

• "Timeout (s)": specify the maximum time period (expressed in seconds) for connection attempt
to the LDAP server. This value is set to 3 seconds by default.

Caution:
This timeout applies to all new LDAP external authentications. The LDAP external
authentications inherited from an earlier version of WALLIX Bastion keep the former
timeout value defined.

• "Active Directory": select the check box


• "Encryption": select the appropriate encryption protocol. The connection port is then updated
depending on the selection.


Note:
For further information on TLS configuration, refer to Section 15.24, “Configure TLS
options for LDAP external authentication”, page 289.

• "Base DN": depends on the domain name. For example, for the domain "mycorp.lan", the base
DN should be "dc=mycorp,dc=lan".
• "Login attribute": specify the login attribute used for connection. By default, this connection
attribute corresponds to "sAMAccountName". The "mail" attribute can be specified in this field
to allow users associated with this authentication to use their email when logging on to the Web
interface. The following login formats are then supported:
– jdoe@mycompany.com@domain. The format is then "login@domain" with the email defined
as login (i.e. "jdoe@mycompany.com")
– domain\\jdoe@mycompany.com. The format is then "domain\\login" with the email defined as
login (i.e. "jdoe@mycompany.com")
– jdoe@mycompany.com with the domain defined as the default LDAP/AD domain.
The "UserPrincipalName" can also be specified in this field. If so, the user must use this attribute
as defined by the administrator to log on.
• "User name attribute": specify the user name attribute. By default, it corresponds to
"sAMAccountName".
• "Bind method": select the anonymous, the simple or the SASL (based on GSS-API) bind
method.

Note:
The SASL bind method based on GSS-API must be selected when the LDAP user is
included in the "Protected Users" group.

When the anonymous bind method is selected, the "User"/"Password" fields and the "Client key
and certificate" field are not displayed.
When the simple bind method is selected and no encryption protocol is specified, the "User" and
"Password" fields are required.
When the simple bind method is selected and the chosen encryption protocol is either "StartTLS"
or "SSL", the "User"/"Password" fields and the "Client key and certificate" field are optional.
However, it is required to enter at least one of them (either the "User"/"Password" pair or the
"Client key and certificate" field).
When the SASL (based on GSS-API) bind method is selected and the chosen encryption protocol
is either "StartTLS" or "SSL", the "User" and "Password" fields are required.
• "User" and "Password": specify a user name and a password to use for searching the WALLIX
Bastion user name in the directory. These fields are not displayed when the anonymous bind
method is selected.

Note:
The user must have read rights for the base DN used.

• "Description": enter a description if needed


• "CA certificate": this field is displayed when either "StartTLS" or "SSL" is selected as the
encryption protocol. Browse a path to upload the CA certificate file. This certificate is checked
against the LDAP server during connection.

Important:
The hostname specified in the “Server” field must be copied to the “CN” field in the
certificate.

• "Client key and certificate": this field is displayed when the simple bind method is selected and the
chosen encryption protocol is either "StartTLS" or "SSL". Browse a path to upload the private key
and certificate used to connect and authenticate on the LDAP server by providing a PKCS#12
file. Once the file has been uploaded, a passphrase can be provided for the certificate on the
dedicated field. The certificate is checked against the CA certificate during connection.
• "Use primary domain name": this option is only relevant when this authentication is used as a
second factor after first authenticating via LDAP. Select the check box to force the mention of the
domain name in the login (e.g. "user@domain") during second authentication.

Once the fields are entered, it is possible to test the LDAP external authentication configuration by
clicking on the "Test" button. A test in progress can be cancelled at any time.
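The three login formats listed above apply to both the LDAP and the Active Directory cases when the "mail" attribute is the login attribute. The following added example (not WALLIX code; the page does not describe how the product itself parses a login) splits a typed login into the value looked up in the login attribute and the Bastion domain the lookup is routed to. The default domain "corp", the DEFAULT_DOMAIN constant, the ParsedLogin type, and the rule that "user@host" without a dot in the host part is read as "login@domain" rather than as an email address are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Assumption for the example: the LDAP/AD domain flagged as default on the Bastion.
DEFAULT_DOMAIN = "corp"


@dataclass(frozen=True)
class ParsedLogin:
    login: str   # value searched in the "Login attribute" (here the "mail" attribute)
    domain: str  # WALLIX Bastion domain name the directory lookup is routed to


# Heuristic (assumption): an email address has one '@' and a dotted host part.
_EMAIL_RE = re.compile(r"^[^@\\\s]+@[^@\\\s]+\.[^@\\\s]+$")


def parse_login(raw: str, default_domain: str = DEFAULT_DOMAIN) -> ParsedLogin:
    """Split a typed login following the three formats the guide lists:
    "domain\\login", "login@domain" and a bare email that falls back to the default domain."""
    raw = raw.strip()
    if not raw:
        raise ValueError("empty login")

    # Format "domain\login": the backslash is unambiguous because neither the
    # domain nor an email address contains one, so it is checked first.
    if "\\" in raw:
        domain, _, login = raw.partition("\\")
        if not domain or not login:
            raise ValueError("malformed domain\\login")
        return ParsedLogin(login, domain)

    # Format "login@domain" with an email as login: split on the LAST '@' and
    # accept it only when the left part is itself a complete email address.
    head, sep, tail = raw.rpartition("@")
    if sep and _EMAIL_RE.match(head):
        return ParsedLogin(head, tail)

    # Format "jdoe@mycompany.com": a bare email uses the default LDAP/AD domain.
    if _EMAIL_RE.match(raw):
        return ParsedLogin(raw, default_domain)

    # Remaining cases: "uid@domain" with a non-email login, or a bare uid.
    if sep:
        if not head or not tail:
            raise ValueError("malformed login@domain")
        return ParsedLogin(head, tail)
    return ParsedLogin(raw, default_domain)
```

The ambiguity is inherent to the format: "jdoe@corp.lan" could be an email or a uid on the domain "corp.lan", which is why the guide's "Use primary domain name" option exists for the second-factor case; any real parser must agree with the directory layout it fronts.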

9.8.1.4. Add a RADIUS external authentication


For RADIUS authentications, WALLIX Bastion supports the challenge-response mechanism.
Enter the fields as follows:

• “Timeout (s)”: specify the maximum time period (expressed in seconds) for connection attempt
to the server. This value is set to 5 seconds by default.

Caution:
This timeout applies to all new RADIUS external authentications. The RADIUS external
authentications inherited from an earlier version of WALLIX Bastion keep the former
timeout value defined.

• “Secret”: enter the packet encryption key


• “Description”: enter a description if needed
• “Use mobile device”: this option is only relevant when this authentication is used as a second
factor after first authenticating via LDAP. Select the check box to display a message on the login
page informing the user that s/he must authenticate via a push notification sent to his/her mobile
device.
• “Use primary domain name”: this option is only relevant when this authentication is used as a
second factor after first authenticating via LDAP. Select the check box to force the mention of the
domain name in the login (e.g. “user@domain”) during second authentication.

Note:
In the context of second factor authentication, if a user performs several connections and
the client's IP address is the same as the one used for the previous authentication then
s/he is not prompted to authenticate again.

9.8.1.5. Add a PingID external authentication


For PingID authentications, enter the fields as follows:

• "Timeout (s)": specify the maximum time period (expressed in seconds) for connection attempt
to the server. This value is set to 30 seconds by default.
• "Description": enter a description if needed
• "Properties file": browse a path to upload the PingID properties file (named
pingid.properties) containing several account-specific settings. This file can be downloaded
from the PingID administrator interface.
• "Force OTP": select the check box to force the one-time password (or “OTP”) authentication only.
In this case, no other authentication method will be suggested.
• "Use primary domain name": this option is only relevant when this authentication is used as a
second factor after first authenticating via LDAP. Select the check box to force the mention of the
domain name in the login (e.g. "user@domain") during second authentication.

Note:
The WALLIX Bastion administrator should remind the user to specify only the login field
to access the Web interface when authenticating via PingID.

9.8.2. Edit an external authentication


From the "External Authentications" page, click on an authentication name and then on "Edit this
authentication" to display the authentication modification page.
The fields in this page are the same as those in the external authentication creation page.

9.8.3. Delete an external authentication


From the "External Authentications" page, check the box at the beginning of the line(s) to select the
related authentication(s), then click on the trash icon to delete the selected line(s). WALLIX Bastion
displays a dialogue box requesting a confirmation before permanently deleting the line(s).

Warning:
You cannot delete an external authentication if at least one user is linked to this
authentication.

9.9. Configuration of LDAP or Active Directory domain mapping


WALLIX Bastion can directly import users defined in LDAP/AD directories so that you do not have to
create them locally within the application.
WALLIX Bastion user account management can be used in conjunction with one or more LDAP or
Active Directory (AD) directories. In this case, the user accounts are no longer stored locally in the
WALLIX Bastion configuration. The appropriate account information is retrieved from the directory
whenever a user connects to one of the WALLIX Bastion services.
In order to integrate an LDAP or AD domain into WALLIX Bastion, you must add the external
authentications (LDAP or AD) used to allow connection to directories (refer to Section 9.8, “External
authentication configuration”, page 107).


From the "LDAP/AD Domains" page on the "Configuration" menu, you can define, configure, edit,
delete and import domains. You can also import LDAP authentication mappings from the "CSV"
page on the "Import/Export" menu.

For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

Note:
It is possible to configure the TLS options to allow the request of a given CA certificate to
authenticate on the LDAP server by editing the file /etc/ldap/ldap.conf. For further
information on this file, refer to http://www.openldap.org/software/man.cgi?query=ldap.conf.

9.9.1. Add an LDAP/AD domain


From the "LDAP/AD Domains" page on the "Configuration" menu, click on "Add a domain" to display
the LDAP/AD domain creation page.

A domain gathers the attributes of the directory schema to use in order to find the necessary
attributes for an account in the Bastion.

These attributes are listed in the various areas on the "LDAP/AD Domains" page.

The area in the upper part of the page lists the following main properties for the domain:

• the WALLIX Bastion's domain name


• a description
• the default domain option: this check box can be selected to allow the stripping of the domain
part (i.e. @domain) from the user login when authenticating on WALLIX Bastion. Thus local users
defined in WALLIX Access Manager can be mapped to users in the Bastion's domain.
• the LDAP/AD domain name
• the selection of the directory type to be used from the list of values in the "Available directories"
frame then, the choice among the suggested authentications for this type. If you select several
directories, they are used one after the other when a user is connecting, until a response is
received from the server. This allows resilience in case of a directory server failure as long as the
configurations (users, groups, etc.) are the same.
• if needed, the selection of secondary authentication type to be used from the list of values in the
"Available secondary authentications" frame to allow two-factor authentication on the domain. If
you select several authentications (the latter must be of same type, e.g. only RADIUS or PINGID,
etc.), they are used one after the other when a user is connecting, until a response is received
from the server. This allows resilience in case of a secondary authentication server failure as long
as the configurations are the same.

Note:
Except for LDAP external authentication, all external authentications defined from the
"External Authentications" page on the "Configuration" menu can be used as secondary
authentications, after first LDAP authentication.

The area “User attributes” lists the following attributes:


• the user: the schema’s attribute is indicated in the "User name attribute" field on the "External
Authentications" page (refer to Section 9.8.1, “Add an external authentication”, page 107). By
default, WALLIX Bastion uses “sAMAccountName” with AD or “uid” with LDAP.
• the group attribute: describes a user group membership. The default value is “memberOf” for
an AD server and “(&(ObjectClass=posixGroup)(memberUid=${uid}))” for an LDAP
server. The latter is an LDAP query used to find the groups containing the user identified by his
or her “uid”. Some servers do not expose, for each account, the list of the groups to which it
belongs; in that case an additional query such as this one is necessary. The “${uid}” syntax is
specific to the Bastion; the “uid” attribute can be replaced by any user attribute. If the LDAP
server supports the “memberOf” value, its use is recommended. This is the case with OpenLDAP
servers configured with the “memberOf” overlay.

It is possible to manage recursive groups with an AD server. In this case, the default value has
to be changed with the query below:

(&(ObjectClass=group)(member:1.2.840.113556.1.4.1941:=${distinguishedName}))

This query can be slower than the default one.


• the display name attribute: usually the “displayName” attribute with AD and “cn” attribute with
LDAP.
• the email attribute: the user’s email address attribute (AD and LDAP).
• the default mail domain: the domain component used to build the user's email address if not found
in the directory. This address is built by appending the domain to the user name.
• the language attribute: usually the “preferredLanguage” attribute (AD and LDAP).
• the default language: default language of the domain members if the language is not defined in
the directory.

The area “X509 options” lists the following properties:

• an option to select X509 authentication: if this option is selected, users can only authenticate
on the LDAP/AD domain through X509 certificate authentication method. When this option is
selected, the fields on this area are then enabled.
• the condition to match an LDAP/AD domain with the X509 certificate. If no condition is specified
in the field “Matching condition”, the LDAP/AD domain can then be used for X509 authentication
regardless of the certificate.

This condition is formatted according to the following available variables retrieved from the
certificate:

Variables of WALLIX Bastion   Description

${issuer}           Issuer DN of client’s certificate
${issuer_c}         Country name in Issuer DN
${issuer_l}         Locality name in Issuer DN
${issuer_o}         Organization name in Issuer DN
${issuer_ou}        Organization Unit name in Issuer DN
${issuer_cn}        Common name in Issuer DN
${issuer_st}        State or Province name in Issuer DN
${issuer_email}     Email Address in Issuer DN
${subject}          Subject DN in client’s certificate
${subject_c}        Country name in Subject DN
${subject_l}        Locality name in Subject DN
${subject_o}        Organization name in Subject DN
${subject_ou}       Organization Unit name in Subject DN
${subject_cn}       Common name in Subject DN
${subject_st}       State or Province name in Subject DN
${subject_email}    Email Address in Subject DN
${subject_uid}      UID in Subject DN
${mail}             Server certificate’s subjectAltName extension entries of type rfc822Name
${msupn}            Client certificate’s subjectAltName extension entries of type otherName,
                    Microsoft User Principal Name form
${dns}              Server certificate’s subjectAltName extension entries of type dNSName
${username}         Common name from Subject DN or local part of Subject DN if Subject DN is
                    an email (e.g.: “local-part@domain”)

For example, the matching condition below associates the domain with a certificate issued
by an organization whose name (“issuer_o”) includes “Company Ltd.” OR a certificate whose
common name (“issuer_cn”) includes “Security Cert” and whose user's organization unit
(“subject_ou”) corresponds to “Finance&Accounting”:

${issuer_o}~Company Ltd. || ${issuer_cn}~Security Cert && ${subject_ou}=Finance&Accounting

The operator “~” tests whether the variable includes the value and “=” tests for equality. The
operator “&&” (i.e. “AND”) has precedence over the operator “||” (i.e. “OR”). Values are case
sensitive whereas variables are not.

Important:
The format corresponds to the syntax used in advanced search filters in the REST API.
For further information, refer to the related online help page at this address:

https://bastion_ip_address/api/doc/Usage.html#search

• the LDAP/AD search filter to retrieve users within the domain. This data is expressed using LDAP
filter syntax but any available variables as listed for field “Matching condition” can also be used.

Note:
All the variables specified in the field “Search filter” must be present in the certificate
to provide a valid LDAP/AD filter and retrieve users accordingly.

For example, the filter syntax below will retrieve LDAP/AD users whose “cn” is the
“subject_cn” of the certificate or whose “uid” is the “subject_uid” of the certificate and whose
“preferredLanguage” attribute is “fr”:

(&(|(cn=${subject_cn})(uid=${subject_uid}))(preferredLanguage=fr))


For example, the filter syntax below will retrieve AD users whose local part of the
“userPrincipalName” is the “subject_cn” of the certificate and whose domain includes either
“company.com” or “biz.company.com”:

(|(userPrincipalName=${subject_cn}@company.com)(userPrincipalName=${subject_cn}@biz.company.com))

• when using X509 authentication with an Active Directory server, the mention of the domain name
to match the SAN email. The domain is used to check the email field from the X509 Subject
Alternative Name (SAN) extension.
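Both the matching condition and the X509 search filter described above can be exercised offline before a domain is put in production. The following added example (not WALLIX code; this page does not describe how the product itself parses conditions or substitutes variables) evaluates a condition with “&&” binding tighter than “||”, case-insensitive variable names and case-sensitive values, then substitutes certificate variables into an LDAP search filter. The same ${...} substitution is what the group attribute query (“${uid}”, “${distinguishedName}”) relies on. The RFC 4515 escaping in render_filter, the refusal to render when a variable is absent (following the guide's note), and the sample certificate values are assumptions added for the example: a subject field is data taken from a presented certificate, so it should never reach a filter unescaped.

```python
import re
from typing import Dict

# One term: ${variable} followed by "=" (equality) or "~" (inclusion) and the value.
_TERM_RE = re.compile(r"^\$\{(?P<var>[A-Za-z_]+)\}(?P<op>[=~])(?P<value>.*)$", re.DOTALL)
_VAR_RE = re.compile(r"\$\{([A-Za-z_]+)\}")


def _lower_keys(cert_vars: Dict[str, str]) -> Dict[str, str]:
    # Variable names are case-insensitive: normalize the lookup table once.
    return {k.lower(): v for k, v in cert_vars.items()}


def _eval_term(term: str, cert_vars: Dict[str, str]) -> bool:
    m = _TERM_RE.match(term.strip())
    if not m:
        raise ValueError(f"malformed term: {term!r}")
    actual = cert_vars.get(m.group("var").lower())
    if actual is None:          # variable absent from the certificate: the term cannot match
        return False
    value = m.group("value")    # values are case-sensitive, compared exactly as typed
    return actual == value if m.group("op") == "=" else value in actual


def evaluate_condition(condition: str, cert_vars: Dict[str, str]) -> bool:
    """True when the certificate satisfies the matching condition.
    '&&' binds tighter than '||', so the condition is an OR of AND-groups."""
    if not condition.strip():   # empty condition: the domain matches any certificate
        return True
    cert_vars = _lower_keys(cert_vars)
    return any(
        all(_eval_term(t, cert_vars) for t in re.split(r"\s*&&\s*", or_group))
        for or_group in re.split(r"\s*\|\|\s*", condition.strip())
    )


# RFC 4515 escaping for values placed inside an LDAP filter (assumption: added here as a
# defensive measure, the product's own substitution behaviour is not described).
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(c, c) for c in value)


def render_filter(template: str, cert_vars: Dict[str, str]) -> str:
    """Substitute ${...} variables into the search filter. Every variable must be present
    in the certificate, otherwise the filter is invalid: raise rather than guess."""
    cert_vars = _lower_keys(cert_vars)

    def substitute(m):
        name = m.group(1).lower()
        if name not in cert_vars:
            raise KeyError(f"variable ${{{name}}} is not present in the certificate")
        return ldap_escape(cert_vars[name])

    return _VAR_RE.sub(substitute, template)


# Constructed certificate variables (not extracted from a real certificate).
SAMPLE_CERT = {
    "issuer_o": "Example Security Cert Authority",
    "issuer_cn": "Security Cert Issuing CA",
    "subject_ou": "Finance&Accounting",
    "subject_cn": "jdoe",
    "subject_uid": "jdoe",
}
# The condition and filter quoted from the guide.
GUIDE_CONDITION = "${issuer_o}~Company Ltd. || ${issuer_cn}~Security Cert && ${subject_ou}=Finance&Accounting"
GUIDE_FILTER = "(&(|(cn=${subject_cn})(uid=${subject_uid}))(preferredLanguage=fr))"
```

With SAMPLE_CERT the first OR-group fails (“Company Ltd.” is not in the issuer organization) and the second succeeds, so the domain matches; lower-casing the organization unit makes it fail, which is the case-sensitivity rule in action.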

It is then necessary to create LDAP/AD authentication mappings by linking the groups from the
LDAP/AD directory with the WALLIX Bastion user groups in the area “LDAP authentication mapping”
at the bottom of the page.

A mapping links the WALLIX Bastion user group specified in the “User group” field with a group
from the directory by specifying the value to map for the group attribute defined above (e.g. its full
DN for “memberOf”) in the “LDAP group” field. If the WALLIX Bastion group is not already mapped,
you must also select the WALLIX Bastion profile for the group members in the “Profile” field.

If no mapping is found when a user connects, the latter can be placed in a default group. To do
this, select the available check box on the left of the line to declare the corresponding group as the
“Default group for users without group in this domain” option. This option provides WALLIX Bastion
access to any user defined in the directory.

The mappings can also be edited on the user group modification page (refer to Section 9.2, “User
groups”, page 82).

Note:
In the area “LDAP authentication mapping”, the administrator cannot view the mappings
whose profiles have at least one permission that the administrator's profile cannot
grant as a transferable right. For further information, refer to Section 9.3, “User
profiles”, page 86.


Figure 9.20. "LDAP/AD Domains" page in addition mode

9.9.2. Edit an LDAP/AD domain


From the "LDAP/AD Domains" page, click on a domain name to display the domain modification
page.

The fields in this page are the same as those in the LDAP/AD domain creation page, except the
"WALLIX Bastion domain name" field which is not displayed.

9.9.3. Delete an LDAP/AD domain


From the "LDAP/AD Domains" page, check the box at the beginning of the line(s) to select the
related domain(s), then click on the trash icon to delete the selected line(s). WALLIX Bastion
displays a dialogue box requesting a confirmation before permanently deleting the line(s).

Warning:
You cannot delete a domain if at least one user group is mapped to this domain.

9.9.4. Import LDAP/AD domains


From the "LDAP/AD Domains" page, click on the "Import CSV file" icon at the top right of the page
to import the related data. You are then redirected to the "CSV" page on the "Import/Export" menu:
the "LDAP/AD domains" check box is automatically selected to import the related data. The field
and list separators can also be configured.
The file must begin with a line containing the following tag:
#wab820 domain

Important:
The update of existing data when importing a .csv file overwrites old data.

Each subsequent line must be formed as follows:

Each field is described below with its type, whether it is R(equired) or O(ptional), its possible
values and its default value:

• Name (Text, R): [aA-zZ], [0-9], '-', '_'. Name for the WALLIX Bastion domain. Default value:
N/A.
• Description (Text, O): free text. Default value: N/A.
• Is default domain (Boolean, R): True or False. Default value: False.
• LDAP domain (Text, R): [aA-zZ], [0-9], '-', '_'. Name for the defined LDAP domain. Default
value: N/A.
• X509 authentication (Boolean, R): True or False. Default value: False.
• SAN email DN (Text, O): [aA-zZ], [0-9], '-', '_'. Domain name for the defined SAN email.
Default value: N/A; empty if "Check SAN x509v3 email" = False.
• User authentications (Text, R): [aA-zZ], [0-9], '-', '_'. External authentications defined. At
least one external authentication must be defined. Default value: N/A.
• User secondary authentications (Text, O): [aA-zZ], [0-9], '-', '_'. External secondary
authentications defined. Default value: N/A.
• Group attribute (Text, O): [aA-zZ], [0-9], '-', '_'. Group attribute defined. Default value:
"memberOf" for LDAP-AD; "(&(ObjectClass=posixGroup)(memberUid=${uid}))" for LDAP.
• Full name attribute (Text, O): [aA-zZ], [0-9], '-', '_'. Full name attribute defined. Default
value: "displayName" for LDAP-AD; "cn" for LDAP.
• Email attribute (Text, O): [aA-zZ], [0-9], '-', '_'. Email attribute defined. Default value: "mail".
• Language attribute (Text, O): [aA-zZ], [0-9], '-', '_'. Language attribute defined. Default value:
"preferredLanguage".
• Default language (Text, R): default language of the domain's members if the language is not
defined in the directory: "de" for German, "en" for English, "es" for Spanish, "fr" for French,
"ru" for Russian.
• Default email domain (Text, R): default domain for the defined email. Spaces and special
characters are not allowed. Default value: "wallix.com".
• X509 condition (Text, O): condition to match an LDAP/AD domain with the X509 certificate. This
condition is formatted according to the variables retrieved from the certificate. For further
information, refer to the table listing these variables in Section 9.9.1, “Add an LDAP/AD
domain”, page 115. Default value: N/A.
• X509 search filter (Text, O): LDAP/AD search filter to retrieve users within the domain.
Expressed using LDAP filter syntax but any available variables as listed for field "X509
condition" can also be used. For further information, refer to the table listing these variables
in Section 9.9.1, “Add an LDAP/AD domain”, page 115. Default value: N/A.

Once you have imported the .csv file, a summary report is displayed.

This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.

9.9.5. Import LDAP/AD mappings on user groups


From the "CSV" page on the "Import/Export" menu, select the "LDAP/AD mappings on user groups"
check box to import the related data. The field and list separators can also be configured.

The file must begin with a line containing the following tag:

#wab820 usersgroupmappings

Important:
The update of existing data when importing a .csv file overwrites old data.

Each subsequent line must be formed as follows:

Each field is described below with its type, whether it is R(equired) or O(ptional), its possible
values and its default value:

• Name (Text, R): [aA-zZ], [0-9], '-', '_'. Canonical name for the WALLIX Bastion user group
concerned by the mapping. This user group must exist with a defined profile. Default value:
N/A.
• Domain Name (Text, O): [aA-zZ], [0-9], '-', '_'. Canonical name for the LDAP domain concerned
by the mapping. This LDAP domain must exist. If no domain name and no LDAP group is
specified, then all the existing mappings for the group are deleted during import. Default
value: N/A.
• LDAP groups (Text, O): rule allowing to define the users in the LDAP domain mapped to the
WALLIX Bastion user group. It indicates the value to map for the defined group attribute (e.g.
its full DN for "memberOf"). For example:

'CN=Account Mapping users,CN=Users,DC=2008,DC=system,DC=enterprise'

IMPORTANT: if this string includes spaces and/or commas, then it must be entered between
simple quotes (as shown in the above example). If no LDAP group is specified, then all the
existing mappings for the group/domain pair are deleted during import. If an LDAP group is
specified without an LDAP domain, then the import fails. Default value: N/A.

Once you have imported the .csv file, a summary report is displayed.

This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
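Because an import overwrites existing data and a missing domain or group column silently deletes mappings, it is worth checking a file against the rules stated in Section 9.9.4 and in this section before uploading it. The following is an added example, not the product's importer: it verifies the tag line, the field count, the allowed character set, the Boolean and language values, the "at least one external authentication" rule, the single-quote convention for DNs, and reports the domain/group combinations that delete mappings or make the import fail. The ';' field separator, the ',' list separator, the column count of 16 for domain rows, the reading of "no special characters" for the email domain as letters, digits, '.' and '-', and the sample rows are assumptions constructed for the example.

```python
import csv
import re
from typing import List, Tuple

# Character set the guide gives as "[aA-zZ], [0-9], '-', '_'".
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
LANGUAGES = {"de", "en", "es", "fr", "ru"}
DOMAIN_TAG = "#wab820 domain"
MAPPING_TAG = "#wab820 usersgroupmappings"
DOMAIN_COLUMNS = 16   # assumption: one column per field in the guide's domain table
MAPPING_COLUMNS = 3   # Name, Domain Name, LDAP groups


def _rows(text: str, tag: str, field_sep: str) -> List[List[str]]:
    """Check the mandatory first-line tag, then parse the remaining lines. Single quotes
    are the quote character because values containing spaces or commas (a group DN)
    must be entered between simple quotes."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != tag:
        raise ValueError(f"first line must be {tag!r}")
    reader = csv.reader(lines[1:], delimiter=field_sep, quotechar="'")
    return [[c.strip() for c in row] for row in reader if any(c.strip() for c in row)]


def validate_domains(text: str, field_sep: str = ";", list_sep: str = ",") -> List[str]:
    """Return one message per violation of the rules stated for '#wab820 domain' rows."""
    errors = []
    for n, row in enumerate(_rows(text, DOMAIN_TAG, field_sep), start=2):
        if len(row) != DOMAIN_COLUMNS:
            errors.append(f"line {n}: expected {DOMAIN_COLUMNS} fields, got {len(row)}")
            continue
        name, _desc, is_default, ldap_dom, x509, _san, auths = row[:7]
        default_lang, mail_dom = row[12], row[13]
        if not NAME_RE.match(name):
            errors.append(f"line {n}: invalid Name {name!r}")
        if not NAME_RE.match(ldap_dom):
            errors.append(f"line {n}: invalid LDAP domain {ldap_dom!r}")
        for label, val in (("Is default domain", is_default), ("X509 authentication", x509)):
            if val not in ("True", "False"):
                errors.append(f"line {n}: {label} must be True or False, got {val!r}")
        if not [a for a in auths.split(list_sep) if a.strip()]:
            errors.append(f"line {n}: at least one user authentication is required")
        if default_lang not in LANGUAGES:
            errors.append(f"line {n}: unsupported Default language {default_lang!r}")
        if not re.match(r"^[A-Za-z0-9.-]+$", mail_dom):   # assumption, see lead-in
            errors.append(f"line {n}: invalid Default email domain {mail_dom!r}")
    return errors


def validate_mappings(text: str, field_sep: str = ";") -> Tuple[List[str], List[str]]:
    """Return (errors, effects). Effects are the deletions an import would perform when the
    domain or LDAP group column is left empty, as the guide states."""
    errors, effects = [], []
    for n, row in enumerate(_rows(text, MAPPING_TAG, field_sep), start=2):
        if len(row) != MAPPING_COLUMNS:
            errors.append(f"line {n}: expected {MAPPING_COLUMNS} fields, got {len(row)}")
            continue
        group, domain, ldap_group = row
        if not NAME_RE.match(group):
            errors.append(f"line {n}: invalid user group Name {group!r}")
        if ldap_group and not domain:
            errors.append(f"line {n}: LDAP group given without an LDAP domain: import fails")
        elif not domain and not ldap_group:
            effects.append(f"line {n}: all mappings of group {group!r} are deleted")
        elif domain and not ldap_group:
            effects.append(f"line {n}: mappings of {group!r} in domain {domain!r} are deleted")
    return errors, effects


# Constructed sample files (not taken from a real installation).
SAMPLE_DOMAINS = "\n".join([
    DOMAIN_TAG,
    "corp;Main AD;True;CORP;False;;ad_auth;;memberOf;displayName;mail;preferredLanguage;en;corp.lan;;",
    "bad name;;maybe;CORP;False;;;;;;;;xx;corp lan;;",
])
SAMPLE_MAPPINGS = "\n".join([
    MAPPING_TAG,
    "admins;corp;'CN=Account Mapping users,CN=Users,DC=2008,DC=system,DC=enterprise'",
    "auditors;;'CN=Auditors,DC=corp,DC=lan'",
    "guests;;",
])
```

Run validate_domains(SAMPLE_DOMAINS) and validate_mappings(SAMPLE_MAPPINGS) before an upload: the second domain row collects five violations, the "auditors" row would fail the import, and the "guests" row is reported because it would delete every mapping of that group rather than add one.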


Chapter 10. Targets


The “Targets” menu allows you to create and manage devices, applications, domains, accounts and
groups which can be accessed from WALLIX Bastion.
This chapter describes the menu elements, i.e. the following pages:

• “Devices” (refer to Section 10.1, “Devices”, page 124)


• “Applications” (refer to Section 10.2, “Applications”, page 136)
• “Domains” (refer to Section 10.3, “Domains”, page 148)
• “Accounts” (refer to Section 10.4, “Target accounts”, page 159)
• “Clusters” (refer to Section 10.6, “Clusters”, page 184)
• “Groups” (refer to Section 10.5, “Target groups”, page 172)
• “Password vault plugins” (refer to Section 10.7, “External password vault plugins”, page 187)
• “Checkout policies” (refer to Section 10.8, “Checkout policies”, page 193)
• “Discovery” (refer to Section 10.9, “Discovery”, page 195)

10.1. Devices
A device is characterized by a physical or virtual equipment for which WALLIX Bastion manages
the access to sessions or passwords.
The “Devices” page on the “Targets” menu allows you to:

• list devices
• add, edit and delete a device
• filter devices using tags. For further information, refer to Section 10.1.3, “Use tags to organize
devices”, page 131.

It is possible to import devices from a .csv file to populate the WALLIX Bastion resource database.
For further information, refer to Section 10.1.5, “Import devices”, page 132.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

10.1.1. Add a device


From the “Devices” page on the “Targets” menu, click on the “+ Add” button to display the device
creation page.
The device creation page consists of the following tabs: “General”, “Services”, “Local
domains”,“Local accounts”, “Global accounts”, “Groups”, “Certificates” and “Tags”.

10.1.1.1. Define general data


The “General” tab allows you to enter the following fields:

• the device name: this is the name users will use to access the device. It can be unrelated to the
machine’s DNS name. An existing name cannot be assigned to another device.
• an alias: it can be used as a second name for the device. The device name has priority over the
alias. An existing alias cannot be assigned to another device.


• the device IP address or FQDN: the network address of the device
  It is possible to declare a set of targets belonging to a subnet by entering the subnet in CIDR
  notation (<network address>/<number of mask bits>) instead of an IP address when creating the
  device, e.g.: 192.168.0.15/24.
• a description

Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the other tabs of the device creation page.

Figure 10.1. "Devices" page in addition mode

10.1.1.2. Manage services


The “Services” tab allows you to list, add, edit and delete services which can be accessed on this
device.

To add a service, click on the “+ Add” button and select the desired protocol from the list. A window
opens and allows you to select and enter the following fields:

• the service name: this is the name users will use to access the service. The name can be unrelated
to the protocol name and the port number.
• the default port
• a connection policy defining the authentication mechanism for the service on this device. For
further information, refer to Section 12.4, “Connection policies”, page 236.

You can declare a connection scenario for the connection policies based on the TELNET or
RLOGIN protocols. For further information, refer to Section 12.14, “TELNET/RLOGIN connection
scenario on a target device”, page 245.

You can declare a startup scenario for the connection policies based on the SSH protocol. For
further information, refer to Section 12.16, “SSH startup scenario on a target device”, page 247.
• a global domain: it is required to select a global domain in order to create targets for applications
and clusters


• a list of proxy options for RDP and SSH connections. For further information, refer to
Section 10.1.6, “SSH specific options”, page 134 and Section 10.1.7, “RDP specific
options”, page 135.

Note:
If you want to add more than one specific service, you can repeat this process as many
times as necessary.

Once you have added a service, you have the possibility to add it to a group in order to configure
a target group for session management through account mapping and/or interactive login. The
resource associations can also be managed from the “Groups” page (for further information, refer
to Section 10.5.1, “Add a target group”, page 172).
To add a service to a group, check the box at the beginning of the line of the concerned service
and click on the “Add to group” button. A window opens and allows you to enter and select the
following fields:

• the group name: you can select an existing group or create a new one
• a description
• the target type: either account mapping or interactive login
• the services

Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to associate the service with another group and/or target type. Otherwise, click
on the “Add and close” button to save the data and close the window.

10.1.1.3. Manage local domains


The “Local domains” tab allows you to list and delete local domains associated with the device.
These local domains are associated with the device from:

• the “Local accounts” tab on the “Devices” page or
• the device account creation page of the “Accounts” page which can be accessed from the
“Targets” menu (for further information, refer to Section 10.4.2, “Add a target account to a
device”, page 163)

10.1.1.4. Manage local accounts


The “Local accounts” tab allows you to list, add, edit and delete local accounts on the device.
To add a local account, click on the “+ Add” button. A window opens and allows you to select and
enter the following fields:

• on the “General” tab:
– the local domain name to associate with the device: you can select an existing local domain
or create a new one
– the account name: this is the name users will use to access the local account
– the account login
– a field to associate resources: a resource association is required to create targets for
applications and clusters


– a description
– the checkout policy
– a toggle button to enable or disable the automatic password change for this account
– a toggle button to enable or disable the automatic SSH key change for this account
• on the “Password” tab:
– a password and its confirmation
– a toggle button to enable or disable the manual change of the password and its propagation
on the target

Note:
You have the possibility to delete a password already set for this account by clicking
on the “Delete password” button.

• on the “SSH private key” tab:
For the “Private key generation” page:
– the signature system of the private key
– the corresponding SSH public key in the OpenSSH or ssh.com format
For the “Private key uploading” page:
– the SSH private key in the OpenSSH or PuTTY format
– the corresponding passphrase (if any has been defined)
– a toggle button to enable or disable the manual change of the SSH private key and its
propagation on the target
– the corresponding SSH public key in the OpenSSH or ssh.com format

Note:
You have the possibility to delete an SSH private key already set for this account by
clicking on the “Delete existing SSH private key” button.

Once you have added a local account on the device, you have the possibility to add it to a group
in order to configure:

• a target group for session management from an account (for further information, refer to
Section 10.5.1.2, “Configure a target group for session management from an account in the
vault”, page 172)
• a target group for session management for a scenario account (for further information,
refer to Section 10.5.1.3, “Configure a target group for a scenario account during SSH
session”, page 173)
• a target group for password management from an account (for further information, refer to
Section 10.5.1.6, “Configure a target group for password management from an account in the
vault”, page 175)

Note:
The resource associations can also be managed from the “Groups” page (for further
information, refer to Section 10.5, “Target groups”, page 172).


To add a local account to a group, check the box at the beginning of the line to select the concerned
local account, then click on the “Add to group” button. A window opens and allows you to enter and
select the following fields:

• the group name: you can select an existing group or create a new one
• a description
• the target type: either account for session management or scenario account for session
management or account for password management
• the service (if it is required for the selected target type)
• the local accounts

Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to associate the local account with another group and/or target type and/or
service. Otherwise, click on the “Add and close” button to save the data and close the
window.

10.1.1.5. Manage global accounts


The “Global accounts” tab allows you to list, add, edit and delete global accounts belonging to a
global domain already existing within WALLIX Bastion.

To add a global account, click on the “+ Add” button. A window opens and allows you to select and
enter the following fields:

• on the “General” tab:
– the global domain name
– the account name: this is the name users will use to access the global account
– the account login
– a field to associate resources: a resource association is required to create targets for
applications and clusters
– a description
– the checkout policy
– a toggle button to enable or disable the automatic password change for this account
– a toggle button to enable or disable the automatic SSH key change for this account
– the certificate validity period if the account is defined on a domain associated with a Certificate
Authority. If no value is entered in this field, then the certificate is valid for an unlimited period.
• on the “Password” tab:
– a password and its confirmation
– a toggle button to enable or disable the manual change of the password and its propagation
on the target

Note:
You have the possibility to delete a password already set for this account by clicking
on the “Delete password” button.


• on the “SSH private key” tab:
For the “Private key generation” page:
– the signature system of the private key
– the corresponding SSH public key in the OpenSSH or ssh.com format
For the “Private key uploading” page:
– the SSH private key in the OpenSSH or PuTTY format
– the corresponding passphrase (if any has been defined)
– a toggle button to enable or disable the manual change of the SSH private key and its
propagation on the target
– the corresponding SSH public key in the OpenSSH or ssh.com format

Note:
You have the possibility to delete an SSH private key already set for this account by
clicking on the “Delete existing SSH private key” button.

• on the “References” tab:

This tab lists the references used to manage service accounts. The references for this global
account can be managed from the “References” tab in the account modification page, accessible
from “Targets” > “Accounts” > “Global accounts”. For further information, refer to Section 10.4.1.4,
“Define references for service account management”, page 162.

Once you have added a global account, you have the possibility to add it to a group in order to
configure a target group for session management from an account (for further information, refer
to Section 10.5.1.2, “Configure a target group for session management from an account in the
vault”, page 172).

Note:
The resource associations can also be managed from the “Groups” page (for further
information, refer to Section 10.5, “Target groups”, page 172).

To add a global account to a group, check the box at the beginning of the line to select the concerned
global account, then click on the “Add to group” button. A window opens and allows you to enter
and select the following fields:

• the group name: you can select an existing group or create a new one
• a description
• the target type: account for session management
• the service
• the global accounts

Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to associate the global account with another group and/or service. Otherwise,
click on the “Add and close” button to save the data and close the window.


10.1.1.6. Manage the target groups associated with the device


The “Groups” tab allows you to list, edit and delete resource associations which already exist with
the device.

Note:
Target accounts and services must exist for the device to be able to manage associations.

By clicking on a group name, you are redirected to the data modification page of this group. You
can then configure, edit or delete the data related to this group. For further information, refer to
Section 10.5, “Target groups”, page 172.

10.1.1.7. View and delete certificates or keys on the device


From the “Devices” page, click on a device name to display the device data and click on the
“Certificates” tab to view the list of certificates or keys on this device.

To delete a certificate or a key, check the box at the beginning of the line to select the certificate or
the key you wish to delete, then click on the “Delete” button.

Caution:
A user is allowed to display the certificates on the device if the “View” right for the “Targets
& accounts” feature is set in his/her profile (refer to Section 9.3, “User profiles”, page 86).

A user is allowed to delete the certificates on the device if the “Modify” right for the “Targets
& accounts” feature is set in his/her profile (refer to Section 9.3, “User profiles”, page 86).

10.1.1.8. Manage the association of tags with the device


The “Tags” tab allows you to list, add and delete tags on the device.

These tags allow you to organize your devices in a consistent and relevant way in order to quickly
identify a specific device. For further information, refer to Section 10.1.3, “Use tags to organize
devices”, page 131.

Note:
Each device can have a maximum of 64 tags.

To add a tag, click on the “+ Add” button. A window opens and allows you to select and enter the
following fields:

• “Key”: this is the key of the tag. You can select an existing key or create a new one. The key is
limited to 512 characters.
• “Value”: this is the value of the key. You can select an existing value or create a new one. The
value is limited to 256 characters.

Warning:
It is not possible to add tags with identical keys on the same device.


Keys and values are case sensitive and accept UTF-8 characters. Spaces are forbidden
at the beginning and end of the “Key” and “Value” fields.
A tag cannot be edited. In order to change a key and/or a value, it is necessary to delete
the tag and create a new one.

To delete a tag, check the box at the beginning of the line to select the tag you wish to delete, then
click on the “Delete” button.

Warning:
If you delete a device, the associated tags are also deleted.

10.1.2. Edit a device


From the “Devices” page on the “Targets” menu, click on a device name. The modification page
opens and it is possible to edit the data already entered.
For further information on how to enter data in the tabs, refer to Section 10.1.1, “Add a
device”, page 124.

10.1.3. Use tags to organize devices


From the “Devices” page on the “Targets” menu, you can view all the tags associated to your devices
but also add and remove tags.
These tags are used to organize the devices listed in this table and thus allow you to quickly
identify the devices on which actions must be performed.

Note:
Each device can have a maximum of 64 tags.

10.1.3.1. Add tags


From the “Devices” page on the “Targets” menu, check the box at the beginning of the line of the
device(s) you want to add tags to, then click on the “Add tags” button. The window “Add tags to
devices” opens and allows you to select and enter the following fields:

• “Key”: this is the key of the tag. You can select an existing key or create a new one. The key is
limited to 512 characters.
• “Value”: this is the value of the key. You can select an existing value or create a new one. The
value is limited to 256 characters.

Warning:
It is not possible to add tags with identical keys on the same device.
Keys and values are case sensitive and accept UTF-8 characters. Spaces are forbidden
at the beginning and end of the “Key” and “Value” fields.
A tag cannot be edited. In order to change a key and/or a value, it is necessary to delete
the tag and create a new one.


Once the fields are selected and entered, click on the “Add and continue” button to save the new
data and to continue the creation of tags. Otherwise, click on the “Add and close” button to save
the data and close the window.

10.1.3.2. Filter devices


From the “Devices” page on the “Targets” menu, you can filter devices using tags from the “Tags”
column.

Click on the icon in the header of the “Tags” column to display the search field. Clicking in this
field lists all the tag keys and tag values existing in WALLIX Bastion. Enter or select the key or
the value of the desired tag and click on the “Search” button. The devices matching the filter are
listed in the table. An active filter is indicated by the orange icon in the column header.

To remove a filter, click on the icon at the top right of the table, or click on the column icon
and then on the “Restore” button.

10.1.3.3. Remove tags


From the “Devices” page on the “Targets” menu, check the box at the beginning of the line of the
device(s) from which you want to remove one or more tags, then click on the “Remove tags” button.
The window “Remove tags from devices” opens and allows you to select the keys or the values you
want to remove. Once selected, click on “Remove and close” button.

10.1.4. Delete a device


From the “Devices” page on the “Targets” menu, check the box at the beginning of the line to select
the device(s) you wish to delete, then click on the “Delete” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).

Warning:
You cannot delete a device on which target accounts are declared.

10.1.5. Import devices


From the “CSV” page on the “Import/Export” menu, select the “Devices” check box to import the
related data. The field and list separators can also be configured.
The file must begin with a line containing the following tag:
#wab820 resource

Important:
The update of existing data when importing a .csv file overwrites old data.

Each subsequent line must be formed as follows:

Field                       Type            R/O  Possible values                                     Default
Device name                 Text            R    [A-Za-z], [0-9], '-', '_'                           N/A
Alias                       Text            O    Free text                                           N/A
Description                 Text            O    Free text                                           N/A
Network address             IP/FQDN/Subnet  R    [A-Za-z], [0-9], '-', '/', '.'                      N/A
                                                 e.g. for a subnet: 1.1.1.0/24
Local domain                Text            O    Local domains created via the association with a   N/A
                                                 device or a target account. There can be no local
                                                 domain, one local domain or several local domains
                                                 (created on this device).
Service/Protocol/Port/      Text            O    name/PROTOCOL/port/connection_policy/               N/A
Connection policy/                               my_global_domain/subprotocol1|subprotocol2
Subprotocol
                                                 Important: if there is no global domain, respect
                                                 the following syntax (empty domain slot):
                                                 name/PROTOCOL/port/connection_policy//subprotocol1|subprotocol2

                                                 name: free text
                                                 PROTOCOL (1): protocol name, see below
                                                 port: port number (optional)
                                                 connection_policy: connection policy name
                                                 subprotocol (2): subprotocol name (optional), see below

R = required, O = optional.

(1) PROTOCOL: one of the following values: SSH, TELNET, RLOGIN, RDP, VNC, RAWTCPIP.
(2) subprotocol for SSH: one of the following values: SSH_SHELL_SESSION,
SSH_REMOTE_COMMAND, SSH_SCP_UP, SSH_SCP_DOWN, SSH_X11, SFTP_SESSION,
SSH_DIRECT_TCPIP, SSH_REVERSE_TCPIP, SSH_AUTH_AGENT,
SSH_DIRECT_UNIXSOCK, SSH_REVERSE_UNIXSOCK. For further information, refer to
Section 10.1.6, “SSH specific options”, page 134.
subprotocol for RDP: one of the following values: RDP_CLIPBOARD_UP,
RDP_CLIPBOARD_DOWN, RDP_CLIPBOARD_FILE, RDP_PRINTER, RDP_COM_PORT,
RDP_DRIVE, RDP_SMARTCARD, RDP_AUDIO_OUTPUT, RDP_AUDIO_INPUT. For further
information, refer to Section 10.1.7, “RDP specific options”, page 135.
If subprotocol is not specified, all the subprotocols are added. For the other protocols, the
subprotocol value is identical to PROTOCOL and can be omitted.


To specify several subprotocols within the same protocol, do not repeat all the structure but separate
subprotocols using a pipe “|” as shown in the example below:

rdp/RDP/3389/RDP//RDP_CLIPBOARD_UP|RDP_CLIPBOARD_DOWN|RDP_PRINTER|RDP_COM_PORT|RDP_DRIVE|RDP_SMARTCARD

Once you have imported the .csv file, a summary report is displayed.

This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
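As an added example (not part of the WALLIX documentation or product), the following Python script assembles a device import file in the format described above: the mandatory "#wab820 resource" tag line, then one line per device in the column order of the table, with each service encoded as name/PROTOCOL/port/connection_policy/global_domain/subprotocols and an empty domain slot ("//") when no global domain applies. It enforces only the character sets and value lists the table states (device name charset, protocol and subprotocol names) and never contacts a Bastion. The field and list separators, host names, policy and domain names in the sample are assumptions; set the separators to those configured on the "CSV" page.

```python
"""Build a WALLIX Bastion device-import CSV (added example, not WALLIX code)."""
import re

# Value lists copied from the CSV import table above.
PROTOCOLS = {"SSH", "TELNET", "RLOGIN", "RDP", "VNC", "RAWTCPIP"}
SSH_SUBPROTOCOLS = {
    "SSH_SHELL_SESSION", "SSH_REMOTE_COMMAND", "SSH_SCP_UP", "SSH_SCP_DOWN",
    "SSH_X11", "SFTP_SESSION", "SSH_DIRECT_TCPIP", "SSH_REVERSE_TCPIP",
    "SSH_AUTH_AGENT", "SSH_DIRECT_UNIXSOCK", "SSH_REVERSE_UNIXSOCK",
}
RDP_SUBPROTOCOLS = {
    "RDP_CLIPBOARD_UP", "RDP_CLIPBOARD_DOWN", "RDP_CLIPBOARD_FILE", "RDP_PRINTER",
    "RDP_COM_PORT", "RDP_DRIVE", "RDP_SMARTCARD", "RDP_AUDIO_OUTPUT", "RDP_AUDIO_INPUT",
}
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # [A-Za-z], [0-9], '-', '_'
ADDRESS_RE = re.compile(r"^[A-Za-z0-9./-]+$")      # IP, FQDN or CIDR subnet
HEADER = "#wab820 resource"                        # mandatory first line


def service_field(name, protocol, port=None, connection_policy="",
                  global_domain="", subprotocols=()):
    """Return one 'name/PROTOCOL/port/connection_policy/domain/sub1|sub2' entry.

    An empty global domain leaves the slot empty ('//'); an empty subprotocol
    list means "all subprotocols" for SSH and RDP, as the table states.
    """
    protocol = protocol.upper()
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r}")
    allowed = {"SSH": SSH_SUBPROTOCOLS, "RDP": RDP_SUBPROTOCOLS}.get(protocol, {protocol})
    bad = set(subprotocols) - allowed
    if bad:
        raise ValueError(f"subprotocols {sorted(bad)} are not valid for {protocol}")
    port_str = "" if port is None else str(int(port))
    return "/".join([name, protocol, port_str, connection_policy, global_domain,
                     "|".join(subprotocols)])


def device_line(name, address, alias="", description="", local_domains=(),
                services=(), field_sep=";", list_sep=","):
    """Return one data line: name, alias, description, address, local domains, services."""
    if not DEVICE_NAME_RE.match(name):
        raise ValueError(f"device name {name!r}: only letters, digits, '-' and '_' allowed")
    if not ADDRESS_RE.match(address):
        raise ValueError(f"address {address!r} contains characters the importer rejects")
    for text in (alias, description):
        if field_sep in text or list_sep in text:
            raise ValueError("alias/description must not contain the configured separators")
    fields = [name, alias, description, address,
              list_sep.join(local_domains), list_sep.join(services)]
    return field_sep.join(fields)


def build_csv(devices, field_sep=";", list_sep=","):
    """Return the complete file text: the tag line, then one line per device dict."""
    lines = [HEADER]
    for dev in devices:
        lines.append(device_line(field_sep=field_sep, list_sep=list_sep, **dev))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: host, policy and domain names are assumptions.
    ssh = service_field("ssh", "SSH", 22, "SSH", "",
                        ["SSH_SHELL_SESSION", "SSH_SCP_DOWN"])
    rdp = service_field("rdp", "RDP", 3389, "RDP", "corp.example",
                        ["RDP_CLIPBOARD_UP", "RDP_CLIPBOARD_DOWN"])
    print(build_csv([{"name": "web-01", "address": "10.0.0.5", "alias": "web",
                      "description": "front web server",
                      "local_domains": ["local"], "services": [ssh, rdp]}]))
```

Keeping the subprotocol list explicit per service is the least-privilege choice: a service line with an empty subprotocol slot grants every channel of the protocol, which is rarely what a target group needs.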

Figure 10.2. "CSV" page - "Devices" option selected

10.1.6. SSH specific options


The following options, which mainly determine the channels authorized for the session, are provided
for the SSH protocol:

• SSH_SHELL_SESSION: starts a shell session
• SSH_REMOTE_COMMAND: runs remote commands
• SSH_SCP_UP: transfers files to a target device (SCP upload from client to server)
• SSH_SCP_DOWN: transfers files from a target device (SCP download from server to client)
• SSH_X11: displays X11 applications running on a target device
• SFTP_SESSION: bi-directional transfers of files via SFTP protocol (SFTP session)
• SSH_DIRECT_TCPIP: allows direct TCP/IP port forwarding (from client to server)
• SSH_REVERSE_TCPIP: allows reverse TCP/IP port forwarding (from server to client)


• SSH_AUTH_AGENT: allows agent authentication forwarding (multi-hop auth-agent)
• SSH_DIRECT_UNIXSOCK: allows direct Unix socket forwarding (from client to server)
• SSH_REVERSE_UNIXSOCK: allows reverse Unix socket forwarding (from server to client)

Each of these subprotocols is covered by a specific authorization on WALLIX Bastion.

If you do not have rights for the appropriate subprotocol, you may not be authorized to start a remote
shell session or transfer a file.

Note:
Some clients also need the option SSH_SHELL_SESSION to list the directories when
they are used in SCP mode.

Some session options must be associated with others to be fully operational:
- SSH_X11 must be associated with SSH_SHELL_SESSION or SSH_REMOTE_COMMAND (at least
one of the two)
- SSH_AUTH_AGENT must be associated with SSH_SHELL_SESSION or SSH_REMOTE_COMMAND
(at least one of the two)
- SSH_REVERSE_TCPIP must be associated with SSH_SHELL_SESSION
- SSH_REVERSE_UNIXSOCK must be associated with SSH_SHELL_SESSION
SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, SSH_SCP_UP/DOWN and SFTP_SESSION
allow the opening of session channels. By default, only one session channel can be open
during an SSH connection (or session). To allow the opening of several session channels,
the option “Allow multi channels” must be selected in the SSH connection policy (which
can be accessed from “Session Management” > “Connection Policies”; for further
information, refer to Section 12.4, “Connection policies”, page 236).

10.1.7. RDP specific options


The following options, which mainly determine the authorized actions for the session, are provided
for the RDP protocol:

• RDP_CLIPBOARD_UP: allows data transfer via the clipboard from the client to the RDP session
• RDP_CLIPBOARD_DOWN: allows data transfer via the clipboard from the session to the RDP
client
• RDP_CLIPBOARD_FILE: allows file transfer from the copy/paste function via the clipboard
• RDP_PRINTER: allows use of local printers in the remote session
• RDP_COM_PORT: allows use of local serial and parallel ports in the remote session
• RDP_DRIVE: allows use of local drives in the remote session
• RDP_SMARTCARD: allows use of local smartcards in the remote session
• RDP_AUDIO_OUTPUT: allows audio playback from the session to the RDP client
• RDP_AUDIO_INPUT: allows audio recording from the client to the RDP session

Each of these subprotocols is covered by a specific authorization on WALLIX Bastion.


If you do not have rights for the appropriate subprotocol, you may not be authorized to transfer data
via the clipboard or use your local drive in the remote session.

Note:
Some session options must be associated with others to be fully operational:
- RDP_CLIPBOARD_FILE must be associated with RDP_CLIPBOARD_UP to transfer a
file via the clipboard from the client to the RDP session
- RDP_CLIPBOARD_FILE must be associated with RDP_CLIPBOARD_DOWN to
transfer a file via the clipboard from the session to the RDP client
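The co-requisites in Sections 10.1.6 and 10.1.7 are easy to get wrong when a target group is built by hand, and the Bastion accepts any combination without complaint. The following Python helper is an added example, not WALLIX code: given the set of subprotocols granted on a service, it reports the options that will be inoperative (an SSH_X11 or SSH_AUTH_AGENT grant without a shell or remote-command channel, a reverse forward without a shell, RDP_CLIPBOARD_FILE without a clipboard direction), the clipboard direction that a file-transfer grant is missing, and reminds the operator that “Allow multi channels” must be set on the SSH connection policy when more than one session-channel option is granted and a client needs them within one connection. The wording of the findings is the example's own.

```python
"""Check SSH/RDP subprotocol selections against the co-requisites of
Sections 10.1.6 and 10.1.7 (added example, not WALLIX code)."""

# Subprotocols that open an SSH session channel (Section 10.1.6).
SSH_SESSION_CHANNEL = {"SSH_SHELL_SESSION", "SSH_REMOTE_COMMAND",
                       "SSH_SCP_UP", "SSH_SCP_DOWN", "SFTP_SESSION"}

# option -> options of which at least one must also be granted for it to work
CO_REQUISITES = {
    "SSH_X11": {"SSH_SHELL_SESSION", "SSH_REMOTE_COMMAND"},
    "SSH_AUTH_AGENT": {"SSH_SHELL_SESSION", "SSH_REMOTE_COMMAND"},
    "SSH_REVERSE_TCPIP": {"SSH_SHELL_SESSION"},
    "SSH_REVERSE_UNIXSOCK": {"SSH_SHELL_SESSION"},
    "RDP_CLIPBOARD_FILE": {"RDP_CLIPBOARD_UP", "RDP_CLIPBOARD_DOWN"},
}


def effective_options(granted):
    """Return the granted options that will actually work in a session."""
    granted = set(granted)
    return {opt for opt in granted
            if opt not in CO_REQUISITES or granted & CO_REQUISITES[opt]}


def check_subprotocols(granted):
    """Return a sorted list of findings; empty when the selection is consistent.

    These are operational warnings, not errors the Bastion itself raises.
    """
    granted = set(granted)
    findings = []
    # Options whose co-requisite is entirely missing are dead grants.
    for opt in granted - effective_options(granted):
        findings.append(f"{opt} is inoperative without one of "
                        f"{sorted(CO_REQUISITES[opt])}")
    # RDP_CLIPBOARD_FILE works per direction: flag a missing direction.
    if "RDP_CLIPBOARD_FILE" in granted and granted & CO_REQUISITES["RDP_CLIPBOARD_FILE"]:
        for direction in sorted(CO_REQUISITES["RDP_CLIPBOARD_FILE"] - granted):
            findings.append(f"RDP_CLIPBOARD_FILE: no file transfer without {direction}")
    # Several session-channel options only pay off with multi-channel sessions.
    if len(granted & SSH_SESSION_CHANNEL) > 1:
        findings.append("more than one session-channel option granted: select "
                        "'Allow multi channels' on the SSH connection policy if a "
                        "client must open them within one connection")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed selections, e.g. what an operator might tick for an SFTP-only target.
    for selection in (["SSH_SCP_UP", "SSH_SCP_DOWN", "SFTP_SESSION"],
                      ["SSH_X11", "SSH_REVERSE_TCPIP"],
                      ["RDP_CLIPBOARD_FILE", "RDP_CLIPBOARD_UP"]):
        print(sorted(selection), "->", check_subprotocols(selection) or "ok")
```

Run it against each service line before importing a target group; the first constructed selection shows the common case where a file-transfer-only grant still needs "Allow multi channels" for clients that open a shell channel to list directories, as the note in Section 10.1.6 warns.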

10.2. Applications
WALLIX Bastion enables you to manage application sessions through a jump server on which
the application itself is installed. The user logs on to WALLIX Bastion and chooses an application
in the selector (refer to Figure 10.3, “Application session flow”, page 136). WALLIX Bastion
then initiates an RDP session and automatically launches the application, providing it with the
necessary account information (user name and password). The application session is then recorded
as an RDP session.

Important:
It is not possible to run an application whose linked target operates under a Windows 10
operating system as the remote desktop service does not support the "alternate shell"
function.

Warning:
In order to allow WALLIX Bastion to manage the connections to an application, the latter
must be able to receive the user name and password to be used for the connection as
command-line arguments.

Figure 10.3. Application session flow


The "Applications" page allows you to:

• list applications
• add/edit/delete an application


• import applications from a .csv file which can be used to populate the WALLIX Bastion resource
database

For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

10.2.1. Configure the jump server


Windows Server 2003 and later are supported as jump servers. From Windows Server 2008 onwards,
the "Terminal Services" or "Remote Desktop Services" role must be installed.

Warning:
Please note that after the 120-day grace period expires, you must install Client Access
Licenses (CAL) in order to continue to use these services.

You must provide the user with the right to launch the application. This can be done by providing
access to unlisted programs or by adding the application to the authorized programs as described
below.
If you use the session probe mode, it is necessary to publish the command prompt (cmd.exe) as
the RemoteApp program. For further information regarding this mode and the configuration, we
strongly advise you to refer to Section 12.19, “Using the session probe mode”, page 252.

• Providing access to unlisted programs
1. Click on the "Start" menu.
2. Select "All Programs" > "Administrative Tools" > "Remote Desktop Services" and then click
on "RemoteApp Manager".
3. In the "Overview" frame, click on the "Change Terminal Server Settings".
4. On the "Terminal Server" tab, in the "Access to unlisted programs" frame, select "Allow users
to start both listed and unlisted programs on initial connection".

• Adding the application to the listed programs
1. Click on the "Start" menu.
2. Select "All Programs" > "Administrative Tools" > "Remote Desktop Services" and then click
on "RemoteApp Manager".
3. In the "Actions" frame, click on "Add RemoteApp Programs".
4. Choose the application in the list displayed by selecting the related check box and then edit
its properties to allow the use of command line arguments.

We recommend setting the lowest possible value as the maximum period during which a
disconnected user session is kept active on the server running Terminal Server. To do so, you can
proceed as follows:

1. Click on the "Start" menu.
2. Select "All Programs" > "Administrative Tools" > "Remote Desktop Services" and then click on
"Remote Desktop Session Host Configuration" to set the timeout to 1 minute. To do so:
• in the "Connections" frame, select the "RDP-Tcp" connection
• on the "Sessions" tab, select "Override user settings" and set the value in the "End a
disconnected session" field to 1 minute.


You can also use group policies to manage this setting.

You can allow several connections with the same target account on a jump server.

Under Windows Server 2008 or later:

1. Click on the "Start" menu.
2. Select "All Programs" > "Administrative Tools" > "Remote Desktop Services" and then click on
"Remote Desktop Session Host Configuration".
3. In the "Edit settings" frame, under "General", double-click on "Restrict each user to a single
session" and deselect the check box.

Alternatively, you can use the corresponding setting with an account policy.

Under Windows Server 2012 or later, you must set an additional setting in order to allow access to
a client that does not use network-level authentication. To do so:

1. Open the "Server Manager" application and select "Remote Desktop Services".
2. Select the needed collection in "Collections". "Quick Session Collection" corresponds to the
default collection.
3. In the "Properties" frame, select "Edit Properties".
4. In the "Security" section, deselect the "Allow connections only from computers running Remote
Desktop with Network Level Authentication (more secure)" check box.

10.2.2. Configure the application launch using RemoteApp mode

The RemoteApp mode makes applications (as defined via "Targets" > "Applications") that are
accessed remotely through RDP appear as if they were running on the user's local computer. The
remote desktop session is thus presented as a single application window: instead of being displayed
inside the desktop of the RDP client, the RemoteApp application is integrated with the client's
desktop. It runs in its own resizable window, can be dragged between multiple monitors, and has its
own entry in the taskbar.

The RemoteApp mode is enabled by default when accessing applications. This parameter can be
managed via "Configuration" > "Configuration Options" > "GUI (Legacy)", then select/deselect the
option "Rdp remote app mode".

The window resizing is enabled by default for the RemoteApp application. This parameter can be
managed via "Configuration" > "Configuration Options" > "RDP proxy", then select/deselect the
option "Allow resize hosted desktop" below section "remote program". When this functionality is
enabled, a pin icon is displayed on the right upper part of the RemoteApp window hosting the classic
RDP session. The window can be resized when the pin points to the left.

The RemoteApp session closes 20 seconds after the last window or taskbar icon has been closed.
This period can be shortened by defining a time period before the display of a disconnect message
to close the session. This period can be set on the field "Remote programs disconnect message
display" on the configuration page related to the connection policy for the RDP protocol. This page
can be accessed from "Session Management" > "Connection Policies".

On the other hand, it may be necessary to convert RemoteApp session to Alternate Shell session
to be able to access a published RemoteApp application via a jump server for a session initiated
by Access Manager. This can be done by selecting the option “Wabam uses translated remotapp”,


below section “rdp”, on the configuration page related to the connection policy for the RDP protocol.
This page can be accessed from "Session Management" > "Connection Policies".

Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!

Important:
The RemoteApp sessions of a user connected simultaneously to one or several
applications are split by default when displayed on the "Current Sessions" and
"Session History" pages of the "Audit" menu. If the option "Rdp enable sessions
split" (accessible from "Configuration" > "Configuration Options" > "GUI (Legacy)" >
"main" section) is deselected, these sessions may be shown as a single overlay view instead.
The client Remote Desktop Connection (MSTSC) connected to Windows Server 2008
or 2012 does not allow several RemoteApp programs to share the same RDP session.
There will be as many RDP sessions created as the number of RemoteApp programs
launched.
Display issues related to the Microsoft client have been reported when using RemoteApp
mode and multiple monitors. Dysfunctions occur when the primary monitor is not located
in the upper left part of the virtual screen. The recommended workaround is to locate
the primary monitor in the upper left part of the virtual screen. Refer to https://
go.microsoft.com/fwlink/?LinkId=191444 for further information on the virtual
screen.
The session probe mode can be used to run the applications defined within the Bastion.
This operating mode provides the benefit of blocking the launch of child processes.
This is not the case when using the RemoteApp native mode. However, the restrictions
defined during the creation of the RemoteApp program in Windows (which may concern
user groups, command-line arguments allowed, etc.) will not apply. This mode can
be managed via "Session Management" > "Connection Policies > "RDP", then select/
deselect the option "Use session probe to launch remote program" below section "rdp".
For further information regarding the "session probe" mode, refer to Section 12.19, “Using
the session probe mode”, page 252.

10.2.3. Automate connections to an application using AutoIt scripts

Note:
To automate connections to Web applications, refer to Section 10.2.4, “Automate
connections to a Web application using WALLIX Application Driver”, page 141.

Business applications usually implement an authentication screen so that a user only accesses the
data they need. The authentication step checks the login and the password entered manually by this
user, who therefore knows this sensitive information.
To limit the disclosure of such information, we recommend using AutoIt scripts. These scripts are
supported by WALLIX Bastion and can be used, in particular, to fill in credential forms automatically.
With this process, the application's credential information is retrieved through the RDP virtual
channel, so the user has no access to it.
When the technical constraints are strong and the security risk is low, the credential information
can also be passed to the application as command line arguments. However, we do not recommend this
approach, as the application user may easily access the information.
To allow AutoIt scripts to retrieve credential information through the RDP virtual channel, the
latter must be enabled from "Configuration" > "Configuration Options" > "RDP proxy", then enter the
name of this virtual channel in the field "Auth channel" below section "mod_rdp". The symbol "*"
tells WALLIX Bastion to use the default name, wablnch. Note that WALLIX Bastion and the AutoIt
script must both use the same virtual channel name to operate properly.
Once the virtual channel is enabled, the AutoIt script must be deployed on the server running
Terminal Server, then added to the listed RemoteApp programs:

Note:
The WALLIX Support Team can provide you with a generic AutoIt connection script. Feel
free to contact the Team, should you have any other questions (refer to Chapter 18,
“Contact WALLIX Bastion Support”, page 328).

1. Click on the "Start" menu.
2. Select "All Programs" > "Administrative Tools" > "Remote Desktop Services" and then click on
"RemoteApp Manager".
3. In the "Actions" frame, click on "Add RemoteApp Programs".
4. Choose the path of the AutoIt executable script in the list displayed by selecting the related
check box.

Next, when configuring the application from the "Applications" page on WALLIX Bastion:

• enter the connection URL in the "Parameters" field
• enter the path of the AutoIt executable script in the "Application path" field

Example:

In the above example, the script WABIELogon_VC_64.exe launches Internet Explorer, retrieves
the credential information from the virtual channel and establishes a connection to the application.
Once the application is configured, it can be linked to a target group from "Targets" > "Groups".

10.2.4. Automate connections to a Web application using WALLIX Application Driver
WALLIX Application Driver is a tool used for accessing Web applications by automatically injecting
credentials (user name and password) in authentication forms.

Note:
To automate connections to non-Web-based applications, refer to Section 10.2.3,
“Automate connections to an application using AutoIt scripts”, page 139.

Application Driver retrieves the authentication information from the application via an RDP virtual
channel and connects the user automatically.
The authentication forms are thus filled without user intervention and sensitive data is not disclosed
during the authentication phase.
Application Driver can be used without specific deployment (refer to Section 10.2.4.1, “Using
WALLIX Application Driver without specific deployment”, page 141) or by manual deployment
(refer to Section 10.2.4.2, “Using WALLIX Application Driver via a manual deployment”, page 142).

Note:
WALLIX Bastion and Application Driver must use the same virtual channel's name to
operate properly.
To configure the virtual channel, it is necessary to enter the name of the RDP virtual
channel in the field “Auth channel” located in “Configuration” > “Configuration options” >
“RDP proxy” > [mod_rdp] section.
By default, the symbol “*” is already specified and tells WALLIX Bastion to use the virtual
channel's default name: wablnch.

10.2.4.1. Using WALLIX Application Driver without specific deployment

10.2.4.1.1. Prerequisites
The session probe mode must be enabled in order to use Application Driver without specific
deployment.
The prerequisites for the automatic deployment of Application Driver are the same as the
prerequisites for running Session Probe. For further information, refer to Section 12.19, “Using the
session probe mode”, page 252.

10.2.4.1.2. Requirements to launch the Web application

The setup must be performed from the “Applications” page in the “Targets” menu:

1. In the “Application path” field, enter one of the following values: “__APP_DRIVER_IE__” to
launch the Web application using Internet Explorer, “__APP_DRIVER_CHROME_UIA__” to launch it using
Google Chrome, or “__APP_DRIVER_EDGE_CHROMIUM_UIA__” to launch it using Microsoft Edge based on
Chromium.
2. In the “Parameters” field, specify the parameters required to launch the Web application
with the selected browser. For further information, see Section 10.2.4.3, “Parameters
of WALLIX Application Driver for the launch of the Web application”, page 143.

Example for the launch of the Web application using Internet Explorer:

10.2.4.2. Using WALLIX Application Driver via a manual deployment

Application Driver can be deployed manually through an executable file and configuration scripts
provided to the administrators of the jump servers upon request to the Support Team. Please contact
the Team for further information (see Chapter 18, “Contact WALLIX Bastion Support”, page 328).

However, we recommend using WALLIX Application Driver in connection with the session probe mode
rather than deploying it manually. For further information, refer to Section 10.2.4.1, “Using WALLIX
Application Driver without specific deployment”, page 141.

10.2.4.2.1. Manual deployment

1. Download the AppDriver.exe file and the scripts WABChromeLogonUIA.lua and WABIELogon.lua
provided by the Support Team to the target server used to execute Web applications.

Note:
The script WABChromeLogonUIA.lua will be used to select the launch of the Web
application using Google Chrome and the script WABIELogon.lua will be used to
select the launch of the Web application using Internet Explorer.

2. Copy the AppDriver.exe file to a dedicated folder, for example: C:\AppDriver\AppDriver.exe.
3. Copy both scripts to this same folder.

10.2.4.2.2. Requirements to launch the Web application

The setup must be performed from the “Applications” page in the “Targets” menu:

1. In the “Parameters” field, specify either the path to the script WABChromeLogonUIA.lua or
the path to the script WABIELogon.lua according to the browser selected for the launch of
the Web application, as well as the necessary parameters. For further information on the latter,
see Section 10.2.4.3, “Parameters of WALLIX Application Driver for the launch of the Web
application”, page 143.
2. In the “Application path” field, enter the path to the AppDriver.exe file.

Example for the launch of the Web application using Google Chrome:

10.2.4.3. Parameters of WALLIX Application Driver for the launch of the Web application

Mandatory parameters

Parameter                          Description
/e:URL=<URL>                       Defines the Website URL.
/lua_file:<Lua script file name>   Applies only when using WALLIX Application Driver via a
                                   manual deployment. Sets the path of the Lua script used to
                                   open the Web session.

Optional parameters for Internet Explorer

Parameter                                     Description
/e:EnterInPasswordField=Yes                   Validates the form by pressing the return key in the
                                              password-input field. Ignored when a two-page login is
                                              used. Not compatible with the option
                                              /e:EnterInsteadClicking=Yes.
/e:EnterInsteadClicking=Yes                   Validates the form by pressing the return key in the
                                              text-input fields instead of clicking on the "Submit"
                                              button.
/e:FirstPageReadyElementId=<Element ID>       Defines the id of an HTML element used to determine
                                              that the first Web page is fully loaded and ready, in
                                              the case of a two-page login.
/e:PasswordFieldId=<password field ID>        Defines the password field id on the login Web page.
                                              Ignored when a two-page login is used.
/e:PreSignInLinkClassName=<link class name>   Defines the class name of an HTML anchor link used to
                                              determine that the page is fully loaded and ready.
/e:SecondPageReadyElementId=<Element ID>      Defines the id of an HTML element used to determine
                                              that the second Web page is fully loaded and ready, in
                                              the case of a two-page login.
/e:SendInputInsteadSetValue=Yes               Simulates keystrokes instead of setting the value of
                                              the text-input field directly.
/e:SubmitButtonId=<Button Id>                 Defines the "Submit" button id on the login Web page.
                                              Ignored when a two-page login is used.
/e:TwoPageSignIn=Yes                          Enables a two-page login.
/e:UsernameFieldId=<username field ID>        Defines the user name field id on the login Web page.
                                              Ignored when a two-page login is used.

Optional parameters for Google Chrome

Parameter                            Description
/e:DisableKioskMode=Yes              Prevents the launch of Google Chrome in Kiosk mode.
/e:IgnoreCertificateErrors=Yes       Requests Google Chrome to ignore certificate check errors.
/e:RemoveDomainFromUsername=Yes      Removes @<domain> from the login.
/e:TwoPageSignIn=Yes                 Enables a two-page login.
/e:HTTPAuthentication=Yes            Enables the connection via the HTTP authentication pop-up.
/e:UseEdgeChromium=Yes               Applies only when using WALLIX Application Driver via a
                                     manual deployment. Uses Microsoft Edge based on Chromium
                                     instead of Google Chrome.

Note:
With /e:IgnoreCertificateErrors=Yes, the browser no longer verifies the identity of the Web
server through its certificate: the credentials injected by Application Driver may then be
submitted to any server answering at the URL. Keep this option disabled unless the site's
certificate problem cannot be fixed on the server side.

10.2.5. Add an application

From the "Applications" page, click on "Add an application" to display the application creation page.

The application creation page consists of the following fields:

• the application name, which is internal to WALLIX Bastion
• a description
• the parameters, i.e. the command line arguments. These are concatenated to the application
path. To insert the user name, password and application ID into the command line, use the
variables ${USER}, ${PASSWORD} and ${APPID} respectively. WALLIX Bastion automatically replaces
them with the appropriate information related to the account selected by the user and the
application ID.
• a list of values to select a connection policy defined on the RDP protocol for the connection on
the application target
• the path of the application executable and the directory in which the application runs. In the case
of a cluster, you must provide these values for each device. For further information, refer to
Section 10.6, “Clusters”, page 184.

To enable users to connect to the application, you must now link the accounts with it as described in
Section 10.4, “Target accounts”, page 159. User access rights, like those of devices, are managed
using authorizations (permissions). The RDP protocol must therefore be used.

Figure 10.4. "Applications" page in modification mode

10.2.6. Edit an application

From the "Applications" page, click on an application name and then on "Edit this application" to
display the application modification page.
The fields in this page are the same as those in the application creation page.

10.2.7. Delete an application

From the "Applications" page, check the box at the beginning of the line(s) to select the related
application(s), then click on the trash icon to delete the selected line(s). WALLIX Bastion displays
a dialogue box requesting a confirmation before permanently deleting the line(s).

Warning:
You cannot delete an application on which target accounts are declared.

10.2.8. Add an account to the application

From the "Applications" page, click on an application name to display the application data and
expand the "Accounts on application" area to display the list of the accounts associated with the
application.
Click on "Add an account" to create an account for the application: you access the account
creation page. For further information, refer to Section 10.4.3, “Add a target account to an
application”, page 165.

10.2.9. Manage the resource associations with the application

From the "Applications" page, click on an application name to display the application data and
expand the "Accounts on application" area to display the list of the accounts associated with the
application.
Each line shows an association and consists of the following fields:

• the target account name
• the domain name
• the service
• the resources

Click on "Manage association" to manage the resource associations: you access a page with the
list of the available resource(s) and selected one(s) for the application. Move a resource from the
"Available accounts" frame to the "Selected accounts" one in order to perform the association. And
conversely, move a resource from the "Selected accounts" frame to the "Available accounts" one
in order to remove the association.

10.2.10. Import applications

From the "Applications" page, click on the "Import CSV file" icon at the top right of the page to
import the related data. You are then redirected to the "CSV" page on the "Import/Export" menu:
the "Applications" check box is automatically selected to import the related data. The field and list
separators can also be configured.
The file must begin with a line containing the following tag:
#wab820 application

Important:
The update of existing data when importing a .csv file overwrites old data.

Each subsequent line must be formed as follows (R/O: R(equired)/O(ptional)):

Field                Type  R/O  Possible values                                          Default
Name                 Text  R    [aA-zZ], [0-9], '-', '_'                                  N/A
Description          Text  O    Free text                                                 N/A
Local domain         Text  O    There can be no local domain, one or several local        N/A
                                domains created on this application
Global domain        Text  O    There can be no global domain, one or several existing    N/A
                                global domains
Target               Text  R    Format for an application on a device:                    N/A
                                account@domain@my_device:rdp, rdp being the name of the
                                protocol defined on the device
                                Format for an application on a cluster: name of the
                                cluster
Parameters           Text  O    Command line arguments. The variables ${USER},            N/A
                                ${PASSWORD} and ${APPID} can be used to insert the user
                                name, password and application ID.
Paths                Text  R    For an application on a device: path of the application   N/A
                                For an application on a cluster: target1='path1'
                                target2='path2', for each target of the cluster, with
                                target1 in format account@domain@my_device:rdp
Startup directories  Text  O    For an application on a cluster: target1='wdir1'          N/A
                                target2='wdir2'
Connection policy    Text  O    Name of the connection policy on the RDP protocol         RDP

Once you have imported the .csv file, a summary report is displayed.

This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.

Figure 10.5. "CSV" page - "Applications" option selected
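As an added example (not part of the WALLIX documentation or product), the following Python script checks an "Applications" import file against the column rules of the table above before it is handed to the "Import CSV file" page, which is worth doing because an import overwrites existing data. The field separator ';' and the list separator ',' are assumptions (both are configurable on the "CSV" page; their defaults are not stated here), and the sample file with its account, device and cluster names is constructed. It also flags ${PASSWORD} in the Parameters column, since a password passed on the command line is readable by the application user (see Section 10.2.3).

```python
"""Added example (not WALLIX code): check an "Applications" CSV import file against the
column rules of the table above before importing it, because an import overwrites existing
data. Assumed (the page does not state defaults): ';' as field separator, ',' as list separator."""
import re

APP_TAG = "#wab820 application"
COLUMNS = ["Name", "Description", "Local domain", "Global domain", "Target",
           "Parameters", "Paths", "Startup directories", "Connection policy"]
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")          # [aA-zZ], [0-9], '-', '_'
# account@domain@my_device:rdp, rdp being the protocol name defined on the device
DEVICE_TARGET_RE = re.compile(r"^[^@\s:]+@[^@\s:]+@[^@\s:]+:[^@\s:]+$")
# cluster form of Paths / Startup directories: target1='path1' target2='path2'
CLUSTER_FORM_RE = re.compile(r"^(\s*[^\s=']+='[^']*')+\s*$")
CLUSTER_PAIR_RE = re.compile(r"([^\s=']+)='([^']*)'")


def parse_cluster_pairs(value):
    """Return {target: path} for "t1='p1' t2='p2'", or None if the value is not in that form."""
    if not CLUSTER_FORM_RE.match(value):
        return None
    return dict(CLUSTER_PAIR_RE.findall(value))


def load_application_csv(text, field_sep=";", list_sep=","):
    """Parse the import file. Returns (rows, problems): rows are dicts keyed by COLUMNS with
    the connection policy defaulted to RDP; problems lists errors and warnings by line number."""
    rows, problems = [], []
    lines = text.splitlines()
    if not lines or lines[0].strip() != APP_TAG:
        return rows, [f"line 1: first line must be '{APP_TAG}'"]
    for n, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(field_sep)]
        if len(fields) != len(COLUMNS):
            problems.append(f"line {n}: expected {len(COLUMNS)} fields, got {len(fields)}")
            continue
        row = dict(zip(COLUMNS, fields))
        row["Connection policy"] = row["Connection policy"] or "RDP"   # default value
        if not NAME_RE.match(row["Name"]):
            problems.append(f"line {n}: Name is required and may only use [A-Za-z0-9_-]")
        for col in ("Local domain", "Global domain"):           # zero, one or several names
            for name in filter(None, (d.strip() for d in row[col].split(list_sep))):
                if not NAME_RE.match(name):
                    problems.append(f"line {n}: {col} '{name}' may only use [A-Za-z0-9_-]")
        target = row["Target"]
        if not target:
            problems.append(f"line {n}: Target is required")
        elif "@" in target:                                     # application on a device
            if not DEVICE_TARGET_RE.match(target):
                problems.append(f"line {n}: Target must be account@domain@device:protocol")
            if not row["Paths"]:
                problems.append(f"line {n}: Paths (application path) is required")
        else:                                                   # application on a cluster
            for col in ("Paths", "Startup directories"):
                if col == "Startup directories" and not row[col]:
                    continue                                    # optional column
                pairs = parse_cluster_pairs(row[col])
                if pairs is None:
                    problems.append(f"line {n}: {col} must be target1='v1' target2='v2' for a cluster")
                    continue
                for t in pairs:
                    if not DEVICE_TARGET_RE.match(t):
                        problems.append(f"line {n}: {col} target '{t}' must be account@domain@device:protocol")
        # A password on the command line is readable by the application user (Section 10.2.3).
        if "${PASSWORD}" in row["Parameters"]:
            problems.append(f"line {n}: warning: ${{PASSWORD}} is passed on the command line")
        rows.append(row)
    return rows, problems


# Constructed sample file: a device application, a cluster application and one faulty line.
SAMPLE_CSV = r"""#wab820 application
notepad;Text editor;;;svc_app@local@jump01:rdp;;C:\Windows\notepad.exe;;
crm_web;CRM front end;;;crm_cluster;/e:URL=https://crm.example.test;svc@dom@jump01:rdp='C:\AppDriver\AppDriver.exe' svc@dom@jump02:rdp='C:\AppDriver\AppDriver.exe';;RDP
legacy app;Old client;;;svc@dom@jump01;/user ${USER} /pass ${PASSWORD};C:\legacy\client.exe;;
"""

if __name__ == "__main__":
    parsed, found = load_application_csv(SAMPLE_CSV)
    print(f"{len(parsed)} row(s) parsed, {len(found)} problem(s):")
    for p in found:
        print(" ", p)
```

Run the script as-is to see the report for the sample file; to check a real export, read the file and pass its text to load_application_csv with the separators configured on the "CSV" page.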


10.3. Domains
A global domain is a management entity grouping multiple target accounts which can be used to
authenticate across multiple devices. This entity offers the significant advantage of propagating
and synchronizing the password change at once for all the accounts on the devices associated with
the domain.

A global domain can also be associated with a password external vault. In this case, this domain
groups accounts which are managed externally through the association of an external vault plugin.
As a result, a password change mechanism cannot be applied to the related accounts within
WALLIX Bastion. For further information, refer to Section 5.3, “Password external vault”, page 22.

A local domain is a management entity grouping multiple target accounts which can be used to
authenticate on a single device only. This entity offers the significant advantage of propagating
and synchronizing the password change at once for all the accounts associated with the domain.

Local domains are created through the association with a device or a target account. For
further information, refer to Section 10.1, “Devices”, page 124 and Section 10.4, “Target
accounts”, page 159.

The "Domains" page allows you to:

• list global or local domains according to a dedicated filter on the domain type
• identify domains which are associated with a Certificate Authority
• identify domains for which the password change is enabled
• identify domains which are associated with an external password vault
• add/edit/delete a global domain
• edit a local domain
• import global or local domains from a .csv file which can be used to populate the WALLIX Bastion
resource database
• change the passwords for all the accounts on the global domain

For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

10.3.1. Add a global domain

Warning:
Local domains are created through the association with a device or a target account. For
further information, refer to Section 10.1, “Devices”, page 124 and Section 10.4, “Target
accounts”, page 159.

From the "Domains" page, make sure that "Global" is selected in the "Display domain type" field on
the top of the page. Click on "Add a global domain" to display the global domain creation page.

The global domain creation page consists of the following fields:

• the domain name: a WALLIX Bastion internal representation of the domain used to display
accounts and targets on the Web user interface or during RDP/SSH sessions
• the domain real name: the name of the external domain if the created domain is a mapping of
an external domain (LDAP, AD, NIS). The domain real name is ignored when password change
is performed on Unix-derived targets.
• a description
• the vault type: choose whether the domain is associated with an external password vault or a
local one

Warning:
This field is only displayed when the “External Vaults” feature is associated with the
license key.

• if the chosen vault type is "Local" or the “External Vaults” feature is not associated with the
license key, options to define an SSH Certificate Authority to be associated with the domain for
the connection. The Certificate Authority (or "CA") is represented by a private/public SSH key
pair. It is possible to:
– generate a key: in this case, select the appropriate key type and length from the list (RSA 2048
by default) or
– browse a path to upload the file containing an existing key (in the OpenSSH or PuTTY key
formats) and specify the corresponding passphrase (if any defined)

For further information, refer to Section 10.3.2, “Associate the domain with an SSH Certificate
Authority”, page 150.
• if the chosen vault type is "Local" or the “External Vaults” feature is not associated with the license
key, an option to enable the password change for the accounts on this domain and, if enabled:
– the password change policy to be selected for this domain. For further information, refer to
Section 11.3, “Password change policies”, page 214.
– the password change plugin to be selected for this domain and the related parameters to be
specified. For further information, refer to Section 11.2, “Password change plugins”, page 203.

Note:
The CA public key is transferred to the target device (for a local domain) or the target
server (for a global domain) when a password change plugin is set on the concerned
domain and the WALLIX Password Manager feature is associated with the license key.

• if the chosen vault type is "External", select the vault plugin for this domain and specify the related
parameters. For further information, refer to Section 5.3, “Password external vault”, page 22 and
Section 10.7, “External password vault plugins”, page 187.

Warning:
This field is only displayed when the “External Vaults” feature is associated with the
license key.

• the Kerberos parameters: the Kerberos parameters are only supported by the WindowsService
plugin. When the chosen password change plugin is “WindowsService” and the transport protocol
defined for this plugin is “Kerberos”, then specify the following fields on the global domain page of
the administrator account selected during the definition of the reference (for further information,
refer to Section 11.2.13, “WindowsService plugin”, page 213 and Section 10.4.1.4, “Define
references for service account management”, page 162):
– “Kerberos realm”: specify the Kerberos realm
– “Kerberos KDC”: specify the domain name or the IP address of the KDC server
– “Kerberos port”: specify the port number of the KDC server. The default port is 88.

Figure 10.6. "Domains" page in addition mode

10.3.2. Associate the domain with an SSH Certificate Authority

A Certificate Authority (or "CA") can be associated with a local domain (domain type "Local for a
device") or a global domain (when the latter is not associated with an external vault). It is then
used to certify the SSH keys for the target accounts. A CA is defined by an SSH key pair (a private
key and a public one). The CA private key signs the public keys of the target accounts on the
domain. These signed public keys are also called "certificates" and are presented by the SSH client
to connect to a target server. The target server checks the certificates against the CA public key
during connections.
It is no longer necessary to copy the target accounts' public keys to the target servers.
Simply copy the CA public key to /etc/ssh/wallix_ca_user.pub (or another file), reference it in
the sshd daemon's configuration file using the keyword TrustedUserCAKeys as follows:

TrustedUserCAKeys /etc/ssh/wallix_ca_user.pub

then restart the ssh daemon.
When a password change plugin is set on the domain, WALLIX Bastion transfers the CA public key
and the corresponding configuration to the target device (for a local domain) or the target server
(for a global domain). Note that the public SSH key of the administrator account is not signed. To
allow SSH authentication using this account, its public key must be present on the target server
(usually in the file authorized_keys located in the home directory of the target account).
When a CA is associated with a domain, the public SSH keys for all the target accounts on this
domain are automatically signed by the CA. The summary page of an account on a domain which is
associated with a CA therefore allows downloading the corresponding signed certificate instead
of an SSH public key. Furthermore, when a user wishes to check out the credentials of a target
account on a domain associated with a CA, the option to download the certificate is added. The
private key alone is not sufficient for authentication.

10.3.3. Edit a global or a local domain

From the "Domains" page, select "Global" or "Local for a device" or "Local for an application" in the
"Display domain type" field on the top of the page according to the domain type you wish to modify.
Click on a domain name and then on "Edit this global domain" or "Edit this local domain" to display
the corresponding domain modification page.
The fields in this page are the same as those in the global domain creation page.
When the password change is enabled on the domain, the "Administrator account" field allows you
to select the target account which will be used to change the password on another target account
in the event of a password mismatch between WALLIX Bastion and the device. This process is
called "reconciliation".

Warning:
The administrator account is required on the local domain when using the Fortinet FortiGate
or IBM 3270 password change plugin. This account should first be added to the domain
from the "Domain accounts" area on the domain summary page, once the domain
creation step has been completed. For further information, refer to Section 10.3.4, “Add
an account to the global or a local domain”, page 152. Once the "Enable password
change" option has been selected on the domain modification page, select this account
from the list in the "Administrator account" field before selecting the plugin in the "Password
change plugin" field.

When the global domain is associated with an external vault, the related information is displayed on
the domain summary page, from the "External vault plugin" and the "Vault plugin parameters" fields.
If an SSH Certificate Authority has been set for this domain (domain type is "Global" or "Local for
a device"), a line with the CA private key type and length is displayed on the domain modification
page. It is then possible to:

• delete this key and/or
• replace this key:
– either by generating a new one: in this case, select the appropriate key type and length from
the list (RSA 2048 by default)
– or by browsing a path to upload the file containing an existing key (in the OpenSSH or PuTTY key
formats) and specifying the corresponding passphrase (if one is defined)
• download the corresponding public key in the OpenSSH or ssh.com formats from the "CA public key"
field on the domain summary page

Note:
If the CA private key defined for the domain is changed, then the SSH keys for all the
accounts on this domain are re-signed with the new Certificate Authority.
The CA public key is transferred to the target device (for a local domain) or the target
server (for a global domain) when a password change plugin is set on the concerned
domain and the WALLIX Password Manager feature is associated with the license key.
For further information, refer to Section 10.3.2, “Associate the domain with an SSH
Certificate Authority”, page 150.

10.3.4. Add an account to the global or a local domain

From the "Domains" page, select "Global" or "Local for a device" or "Local for an application" in the
"Display domain type" field on the top of the page according to the domain type you wish to display.
Click on a domain name to display the domain data and expand the "Domain accounts" area to
view the list of the existing accounts on the domain.
Click on "Add an account" to create an account on the domain: you access the account
creation page. For further information, refer to Section 10.4.1, “Add a target account to a global
domain”, page 159 to add a global domain account or refer to Section 10.4.2, “Add a target account
to a device”, page 163 to add a device account or refer to Section 10.4.3, “Add a target account
to an application”, page 165 to add an application account.

10.3.5. Change the passwords for all the accounts on the global domain

From the "Domains" page, make sure that "Global" is selected in the "Display domain type" field on
the top of the page. Select a global domain for which the password change is enabled to display the
domain data. You can expand the "Domain accounts" area to view the list of the existing accounts
on this domain. Click on the "Change passwords" button on the right part of the page to change
the passwords for all the accounts on this domain immediately. WALLIX Bastion displays a dialogue
box requesting a confirmation before performing this action.

Note:
The "Change passwords" button on the right part of the page is displayed when an
administrator account is defined for the domain.
The passwords are changed in accordance with the password change policy selected
for the global domain. For further information, refer to Section 11.3, “Password change
policies”, page 214.

10.3.6. Change the passwords for all the accounts on the local domain

From the "Domains" page, make sure that "Local for a device" or "Local for an application" is
selected in the "Display domain type" field on the top of the page. Select a local domain for which the
password change is enabled to display the domain data. You can expand the "Domain accounts"
area to view the list of the existing accounts on this domain. Click on the "Change passwords" button
on the right part of the page to change the passwords for all the accounts on this domain immediately.
WALLIX Bastion displays a dialogue box requesting a confirmation before performing this action.

Note:
The "Change passwords" button on the right part of the page is displayed when an
administrator account is defined for the domain.
The passwords are changed in accordance with the password change policy selected
for the local domain. For further information, refer to Section 11.3, “Password change
policies”, page 214.

10.3.7. Revoke the signed certificate for the accounts on the domain associated with a Certificate Authority

From the "Domains" page, make sure that "Global" or "Local for a device" is selected in the "Display
domain type" field on the top of the page. Select a domain which is associated with a Certificate
Authority to display the corresponding data. Expand the "Domain accounts" area to view the list of
the existing accounts on this domain. You can then:

• either revoke the certificates for all the accounts on the domain by clicking on "Revoke all" in
the column header
• or revoke the certificate of a given account by clicking on the "Revoke" button at the end of the
concerned line

A revocation list is automatically generated and transferred to the target server, indicating that
this certificate or these certificates can no longer be used for connection.
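As an added illustration (not part of the WALLIX documentation or product code), the following Python script reproduces with OpenSSH's ssh-keygen what the Bastion does for a domain associated with a CA (Section 10.3.2) and what revocation (this section) means on the target server: it generates a CA key pair, signs a target account's public key into a certificate, lists the sshd_config lines the target server needs, then builds a revocation list (KRL) naming that certificate and checks both the certificate and the plain public key against it. It requires ssh-keygen on PATH. The account name svc_backup, the file name wallix_revoked.krl and the RevokedKeys directive are assumptions: the page names only TrustedUserCAKeys and /etc/ssh/wallix_ca_user.pub and does not describe the format of the revocation list the Bastion transfers.

```python
"""Added example (not WALLIX code): the CA signing of 10.3.2 and the revocation of 10.3.7,
reproduced with OpenSSH's ssh-keygen in a temporary directory. Requires ssh-keygen on PATH.
The account name, the KRL file name and the RevokedKeys directive are assumptions."""
import os
import shutil
import subprocess
import tempfile


def sshd_trust_config(ca_pub="/etc/ssh/wallix_ca_user.pub", krl="/etc/ssh/wallix_revoked.krl"):
    """sshd_config lines on the target server: TrustedUserCAKeys (as on the page) makes sshd
    accept user certificates signed by the CA; RevokedKeys (assumed here) points at a KRL."""
    return [f"TrustedUserCAKeys {ca_pub}", f"RevokedKeys {krl}"]


def _keygen(*args):
    """Run ssh-keygen quietly; raise on failure; return its stdout."""
    return subprocess.run(["ssh-keygen", "-q", *args], check=True,
                          capture_output=True, text=True).stdout


def certificate_principals(cert_path):
    """Principals (logins the certificate is valid for) read from `ssh-keygen -L` output."""
    out = subprocess.run(["ssh-keygen", "-L", "-f", cert_path], check=True,
                         capture_output=True, text=True).stdout
    block = out.split("Principals:", 1)[1].split("Critical Options:", 1)[0]
    return [line.strip() for line in block.splitlines() if line.strip()]


def is_revoked(krl_path, key_path):
    """`ssh-keygen -Q` prints '<file> (<comment>): REVOKED' for a key or certificate in the KRL."""
    out = subprocess.run(["ssh-keygen", "-Q", "-f", krl_path, key_path],
                         capture_output=True, text=True).stdout
    return "REVOKED" in out


def demo_ca_sign_and_revoke(account="svc_backup"):
    """Generate a CA, sign a target account's public key, then revoke the certificate.
    Returns None when ssh-keygen is not installed, otherwise a dict of results."""
    if shutil.which("ssh-keygen") is None:
        return None
    work = tempfile.mkdtemp(prefix="sshca-")
    ca = os.path.join(work, "wallix_ca_user")        # CA private key (stays on the Bastion)
    key = os.path.join(work, f"{account}_key")       # target account key pair (constructed)
    cert = f"{key}-cert.pub"                         # signed public key, i.e. the "certificate"
    krl = os.path.join(work, "wallix_revoked.krl")   # revocation list for the target server

    _keygen("-t", "ed25519", "-N", "", "-C", "wallix-ca", "-f", ca)
    _keygen("-t", "ed25519", "-N", "", "-C", account, "-f", key)
    # The CA private key signs the account public key. -n sets the principal (the login sshd
    # will accept), -I is a key identity label recorded in the certificate, -V its validity.
    _keygen("-s", ca, "-I", f"{account}@domain", "-n", account, "-V", "+52w", f"{key}.pub")
    principals = certificate_principals(cert)
    # Revocation: a KRL listing the certificate. The plain public key is not in the KRL, but
    # without a valid certificate the account no longer authenticates through the CA trust.
    _keygen("-k", "-f", krl, cert)
    return {
        "cert_path": cert,
        "principals": principals,
        "cert_revoked": is_revoked(krl, cert),
        "plain_key_revoked": is_revoked(krl, f"{key}.pub"),
        "sshd_config": sshd_trust_config(f"{ca}.pub", krl),
    }


if __name__ == "__main__":
    result = demo_ca_sign_and_revoke()
    print("ssh-keygen not found" if result is None else result)
```

The CA public key is what lands on the target server; the CA private key never leaves the Bastion. Replacing the CA private key on the domain (Section 10.3.3) invalidates every certificate it signed, which is why the Bastion re-signs all the accounts' keys in that case.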

10.3.8. Delete a global domain

From the "Domains" page, make sure that "Global" is selected in the "Display domain type" field
on the top of the page. Check the box at the beginning of the line(s) to select the related global
domain(s), then click on the trash icon to delete the selected line(s). WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).

10.3.9. Import global domains


From the "Domains" page, make sure that "Global" is selected in the "Display domain type" field
on the top of the page. Click on the "Import CSV file" icon at the top right of the page to import the
related data. You are then redirected to the "CSV" page on the "Import/Export" menu: the "Global
domains" check box is automatically selected to import the related data. The field and list separators
can also be configured.
The file must begin with a line containing the following tag:
#wab820 globaldomain

Important:
The update of existing data when importing a .csv file overwrites old data.

Each subsequent line must be formed as follows:

Name
  Type: Text. Required.
  Possible values: [aA-zZ], [0-9], '-', '_'
  Default value: N/A

Real name
  Type: Text. Optional.
  Possible values: Free text
  Default value: N/A

Description
  Type: Text. Optional.
  Possible values: Free text
  Default value: N/A

Admin account
  Type: Text. Optional.
  Possible values: An existing account on the domain. This field is only taken into account when
  the domain exists and the account has been created on this domain. Empty if an external vault
  plugin is defined for the domain.
  Default value: N/A

Password change policy
  Type: Text. Required when the password change is enabled (one of the 4 last fields is entered),
  optional otherwise.
  Possible values: Password change policy defined. Empty if an external vault plugin is defined
  for the domain.
  Default value: N/A

Password change plugin
  Type: Text. Required when the password change is enabled (one of the 4 last fields is entered),
  optional otherwise.
  Possible values: Password change plugin defined. Empty if an external vault plugin is defined
  for the domain.
  Default value: N/A

Password change infos
  Type: Text. Required for given plugins, optional otherwise.
  Possible values: All the needed arguments for the password change plugin defined, in the
  format key1=value1 key2=value2:
  • Cisco: host (required), enable_password (required), port (optional)
  • Windows: domain_controller_address (required)
  • Unix: host (required), port (optional), root_password (optional; the root password can only
  be defined if an admin_account has been previously selected)
  • Oracle: host (required), port (optional), service_name (required), admin_mode (optional and
  set as "Normal" by default if not entered). The possible values for the admin_mode field are
  as follows: "Normal", "SYSDBA", "SYSOPER" and "SYSASM".
  Empty if an external vault plugin is defined for the domain.
  Default value: N/A

External vault plugin
  Type: Text. Optional.
  Possible values: External vault plugin defined. Empty if the password change is enabled for
  the domain.
  Default value: N/A

External vault infos
  Type: Text. Required when the external vault plugin is defined.
  Possible values: All the needed arguments for the external vault plugin defined, in the format
  key1=value1 key2=value2:
  • Bastion: api_url (required), api_key (optional), service_login (optional), service_password
  (optional). The API URL must start with “https://” and end with “/api/vX.Y”. The minimum API
  version supported is 2.3.
  Empty if the password change is enabled for the domain.
  Default value: N/A
Once you have imported the .csv file, a summary report is displayed.

This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.

Figure 10.7. "CSV" page - "Global domains" option selected

10.3.10. Import local domains

From the "Domains" page, make sure that "Local for a device" or "Local for an application" is
selected in the "Display domain type" field on the top of the page. Click on the "Import CSV file" icon
at the top right of the page to import the related data. You are then redirected to the "CSV" page
on the "Import/Export" menu: the "Local domains" check box is automatically selected to import the
related data. The field and list separators can also be configured.
The file must begin with a line containing the following tag:

#wab820 localdomain

Important:
The update of existing data when importing a .csv file overwrites old data.

Each subsequent line must be formed as follows:

Name
  Type: Text. Required.
  Possible values: [aA-zZ], [0-9], '-', '_'
  Default value: N/A

Description
  Type: Text. Optional.
  Possible values: Free text
  Default value: N/A

Device
  Type: Text. Required or optional: at least one device or an application must be defined.
  Default value: N/A

Application
  Type: Text. Required or optional: at least one device or an application must be defined.
  Default value: N/A

Admin account
  Type: Text. Optional.
  Possible values: An existing account on the domain. This field is only taken into account when
  the domain exists and the account has been created on this domain.
  Default value: N/A

Password change policy
  Type: Text. Required when the password change is enabled (one of the 4 last fields is entered),
  optional otherwise.
  Possible values: Password change policy defined
  Default value: N/A

Password change plugin
  Type: Text. Required when the password change is enabled (one of the 4 last fields is entered),
  optional otherwise.
  Possible values: Password change plugin defined
  Default value: N/A

Password change infos
  Type: Text. Required for given plugins, optional otherwise.
  Possible values: All the needed arguments for the password change plugin defined, in the
  format key1=value1 key2=value2:
  • Cisco: port (optional), enable_password (required)
  • Windows: no specific parameter to set
  • Unix: port (optional), root_password (optional)
  • Oracle, for devices: port (optional), service_name (required), admin_mode (optional and set
  as "Normal" by default if not entered). The possible values for the admin_mode field are as
  follows: "Normal", "SYSDBA", "SYSOPER" and "SYSASM".
  • Oracle, for applications: host (required), port (optional), service_name (required),
  admin_mode (optional and set as "Normal" by default if not entered). The possible values for
  the admin_mode field are as follows: "Normal", "SYSDBA", "SYSOPER" and "SYSASM".
  Default value: N/A
Once you have imported the .csv file, a summary report is displayed.

This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
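As an added example (not WALLIX code), the following Python check encodes the per-plugin argument rules from the global and local domain import tables above, so that a "Password change infos" value can be validated before the .csv file is uploaded and rejected. The domain kind labels, the space used as list separator and the numeric-port check are this example's own assumptions.

```python
"""Pre-flight check of the "Password change infos" column of a WALLIX Bastion
domain import CSV (constructed example, not WALLIX code). The per-plugin key
rules below transcribe the global and local domain import tables of the guide."""

# (required keys, optional keys) per plugin, per kind of domain. The kind labels
# are this example's own; "local_application" holds only Oracle because that is
# the one plugin the guide lists under "For applications".
RULES = {
    "global": {
        "Cisco": ({"host", "enable_password"}, {"port"}),
        "Windows": ({"domain_controller_address"}, set()),
        "Unix": ({"host"}, {"port", "root_password"}),
        "Oracle": ({"host", "service_name"}, {"port", "admin_mode"}),
    },
    "local_device": {
        "Cisco": ({"enable_password"}, {"port"}),
        "Windows": (set(), set()),            # no specific parameter to set
        "Unix": (set(), {"port", "root_password"}),
        "Oracle": ({"service_name"}, {"port", "admin_mode"}),
    },
    "local_application": {
        "Oracle": ({"host", "service_name"}, {"port", "admin_mode"}),
    },
}
ADMIN_MODES = {"Normal", "SYSDBA", "SYSOPER", "SYSASM"}


def parse_infos(infos, list_sep=" "):
    """Split "key1=value1 key2=value2" into a dict and a list of malformed items.
    The list separator is configurable on the CSV page; a space is assumed here."""
    given, malformed = {}, []
    for item in filter(None, infos.strip().split(list_sep)):
        if "=" not in item:
            malformed.append(item)
            continue
        key, value = item.split("=", 1)
        given[key] = value
    return given, malformed


def check_password_change_infos(kind, plugin, infos, admin_account="", list_sep=" "):
    """Return a list of problems; an empty list means the column is acceptable.
    admin_account is the row's "Admin account" column (needed for Unix root_password)."""
    rules = RULES.get(kind)
    if rules is None:
        return [f"unknown domain kind {kind!r}"]
    if plugin not in rules:
        return [f"the guide lists no argument rules for plugin {plugin!r} on a {kind} domain"]
    required, optional = rules[plugin]
    given, malformed = parse_infos(infos, list_sep)
    given_keys = set(given)
    problems = [f"malformed item {item!r}: expected key=value" for item in malformed]
    for key in sorted(required - given_keys):
        problems.append(f"missing required key {key!r} for {plugin}")
    for key in sorted(given_keys - required - optional):
        problems.append(f"unexpected key {key!r} for {plugin}")
    if "port" in given and not given["port"].isdigit():   # assumption: ports are numeric
        problems.append(f"port {given['port']!r} is not a number")
    if plugin == "Oracle":
        mode = given.get("admin_mode", "Normal")           # "Normal" when not entered
        if mode not in ADMIN_MODES:
            problems.append(f"admin_mode {mode!r} must be one of {sorted(ADMIN_MODES)}")
    if kind == "global" and plugin == "Unix" and "root_password" in given and not admin_account:
        problems.append("root_password can only be set once an admin account is selected")
    return problems


if __name__ == "__main__":
    # Constructed sample rows: a valid Cisco global domain and an Oracle row missing service_name.
    print(check_password_change_infos("global", "Cisco", "host=10.0.0.1 enable_password=s3cret"))
    print(check_password_change_infos("global", "Oracle", "host=db1"))
```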

Figure 10.8. "CSV" page - "Local domains" option selected

10.4. Target accounts


An account is an entity (managed by WALLIX Bastion or by an external password vault) that allows
a user to be authenticated to a system and to be granted a defined level of authorization to access
resources on that system, for management purposes. An account belongs to a domain.
A target account is characterized by the association of the following entities: a device, a service
and an account.
There are three target account types:

• Global account: the account is defined on a global domain and is used to access services
on devices in this domain and to manage service accounts (for further information on the
management of service accounts, refer to Section 10.4.1.4, “Define references for service
account management”, page 162)
• Device account: the account is defined on a device and is only used for accessing a service on
this device
• Application account: the account is defined for an application only (an account to access the jump
server, i.e. the target device on which the application is running, might be necessary)

The “Accounts” page on the “Targets” menu allows you to:

• list the target accounts and the domains, devices and applications declared on them
• add, edit and delete an account

It is possible to import target accounts from a .csv file to populate the WALLIX Bastion resource
database. For further information, refer to Section 10.4.8, “Import target accounts”, page 168.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

10.4.1. Add a target account to a global domain

From the “Accounts” page on the “Targets” menu, select “Global accounts” from the drop-down list
then click on the “+ Add” button to display the global domain account creation page.
This page consists of the following tabs: “General”, “Password”, “SSH private key” and
“References”.

10.4.1.1. Define general data


The “General” tab allows you to select and enter the following fields:

• the name of the global domain to which you want to add an account. It will not be possible to edit
the name of the global domain once you have clicked on “Apply”.
• the account name: this is the internal representation of the account in WALLIX Bastion. This
information is displayed on the session selector and on the account's credential checkout page
on the Web interface. This name must be unique within the WALLIX Bastion domain.

Important:
When the account is created on a global domain associated with an external
password vault linked to the Bastion plugin (refer to Section 10.7.1, “Bastion
plugin”, page 188 for further information), its name must be formed as
follows: “account_name\\global_domain” or “account_name\\local_domain\\device” or
“account_name\\local_domain\\application”. Note that “\\” must be used as a separator.
“account_name” corresponds to the name of an account on the remote WALLIX
Bastion.
“global_domain” and “local_domain” correspond respectively to a global and a local
domain on the remote WALLIX Bastion.
“device” and “application” correspond respectively to a device and an application on
the local domain on the remote WALLIX Bastion.

• the account login: this is the user name of the remote account. This information is not displayed
on the session selector or on the account's credential checkout page on the Web interface.
• a field to associate resources: a resource association is required to create targets for applications
and clusters. To associate resources, select a device and a service in the drop-down lists and
click on “+”. Once created, it is possible to delete this association by clicking on the “-” red icon.
You can associate as many resources as necessary.
• a description
• the checkout policy to associate with the account. For further information, refer to Section 10.8,
“Checkout policies”, page 193.
• a toggle button to enable or disable the automatic password change for this account. See
Section 4.6, “Data encryption”, page 18 for the data encryption information related to password
storage.
• a toggle button to enable or disable the automatic SSH key change for this account
• the certificate validity period if the account is defined on a domain associated with a Certificate
Authority. The appropriate format is as follows:
[number of weeks]wk[number of days]d[number of hours]h[number of
minutes]min[number of seconds]s
If no value is entered in this field, then the certificate is valid for an unlimited period.

Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the other tabs of the global domain account creation page.

Figure 10.9. "New global domain account" page

10.4.1.2. Define password


From the “Password” tab, enter and confirm the password of the account.
You also have the possibility to manually change and instantly propagate the password of the
account on the target by using the toggle button “Propagate credential change”.
Once you have defined the password for the account, click on “Apply”.
Note that you can delete a password already set for this account by clicking on the “Delete
password” button.

10.4.1.3. Define SSH private key


From the “SSH private key” tab, you can define the private key for the SSH connection in two ways:

• either by generating a key:
1. Select “Private key generation” from the drop-down list.
2. Choose the appropriate private key signature system in the list entitled “Private key signature
system”.
• or by uploading a key:
1. Select “Private key uploading” from the drop-down list.
2. Drag-and-drop a file or browse a path to upload the file containing an existing private key (in
the OpenSSH or PuTTY key format) in the “Upload SSH private key” section.
3. Specify the corresponding passphrase (if any defined) in the “Passphrase” field.
4. Enable the “Propagate credential change” button to change the SSH private key of the
account and instantly propagate it on the target.

Once you have defined the SSH private key for the account, click on “Apply”.

You can now download the corresponding SSH public key in the OpenSSH or ssh.com format from
the “Download SSH public key” button.

Note that you can delete the SSH private key defined for this account by clicking on the “Delete
existing SSH private key” button.

10.4.1.4. Define references for service account management


The “References” tab allows you to list, add, edit and delete references to a service account.

When the password of a service account is changed, the password used by the service must be
updated to this new value.

Defining references simplifies this password change process on services. These references are
used by WALLIX Bastion to launch the automatic propagation of the new password on the device(s)
on which the service is deployed.

To add a reference, click on the “+ Add” button. A window opens and allows you to select and enter
the following fields:

• the name of the reference
• a description
• the global domain on which the WindowsService plugin has been configured (for further
information, refer to Section 11.2.13, “WindowsService plugin”, page 213)

Warning:
The only purpose of this global domain is to configure the WindowsService plugin. No accounts
should be defined on this domain.

• the device or the devices on which the service is deployed
• the global domain on which the administrator account is defined and the name of the administrator
account used by the WindowsService plugin

To delete a reference, check the box at the beginning of the corresponding line, then click on the
“Delete” button.

Warning:
If you delete a global account, the associated references are also deleted.

10.4.1.5. Associate account with group


Once you have created a global domain account, you have the possibility to add it to a group in
order to create a target account for session management or password management.

Note:
This association type can also be managed from the “Groups” page (for further
information, refer to Section 10.5, “Target groups”, page 172).

To add a global domain account to a group, check the box at the beginning of the line to select the
related global account, then click on the “Add to group” button. A window opens and allows you to
enter and select the following fields:

• the group name: select an existing group or create a new one
• the group description
• the target type: select the relevant target type to create the association for session management
or password management
• the field "From": select the desired resource type for the resource association
• the device or application on which the account will be defined
• the service (if it is required)
• the global account

Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to manage new resource associations. Otherwise, click on the “Add and close”
button to save the data and close the window.

10.4.2. Add a target account to a device


From the “Accounts” page on the “Targets” menu, select “Device accounts” from the drop-down list
then click on the “+ Add” button to display the device account creation page.

This page consists of the following tabs: “General”, “Password” and “SSH private key”.

10.4.2.1. Define general data


The “General” tab allows you to select and enter the following fields:

• the name of the device to which you want to add an account. It will not be possible to edit the
name of the device once you have clicked on “Apply”.
• the local domain name: you can select an existing local domain or create a new one. It will not
be possible to edit the name of the local domain once you have clicked on “Apply”.
• the account name: this is the internal representation of the account in WALLIX Bastion. This
information is displayed on the session selector and on the account's credential checkout page
on the Web interface. This name must be unique within the WALLIX Bastion domain.
• the account login: this is the user name of the remote account. This information is not displayed
on the session selector or on the account's credential checkout page on the Web interface.
• a field to associate resources: a resource association is required to create targets for applications
and clusters. To associate resources, select a service in the drop-down list and click on “+”. Once
created, it is possible to delete this association by clicking on the “-” red icon. You can associate
as many resources as necessary.
• a description
• the checkout policy to associate with the account. For further information, refer to Section 10.8,
“Checkout policies”, page 193.
• a toggle button to enable or disable the automatic password change for this account. See
Section 4.6, “Data encryption”, page 18 for the data encryption information related to password
storage.
• a toggle button to enable or disable the automatic SSH key change for this account

Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the other tabs of the device account creation page.

10.4.2.2. Define password


From the “Password” tab, enter and confirm the password of the account.
You also have the possibility to manually change and instantly propagate the password of the
account on the target by using the toggle button “Propagate credential change”.
Once you have defined the password for the account, click on “Apply”.
Note that you can delete a password already set for this account by clicking on the “Delete
password” button.

10.4.2.3. Define SSH private key


From the “SSH private key” tab, you can define the private key for the SSH connection in two ways:

• either by generating a key:
1. Select “Private key generation” from the drop-down list.
2. Choose the appropriate private key signature system in the list entitled “Private key signature
system”.
• or by uploading a key:
1. Select “Private key uploading” from the drop-down list.
2. Drag-and-drop a file or browse a path to upload the file containing an existing private key (in
the OpenSSH or PuTTY key format) in the “Upload SSH private key” section.
3. Specify the corresponding passphrase (if any defined) in the “Passphrase” field.
4. Enable the “Propagate credential change” button to change the SSH private key of the
account and instantly propagate it on the target.

Once you have defined the SSH private key for the account, click on “Apply”.
You can now download the corresponding SSH public key in the OpenSSH or ssh.com format from
the “Download SSH public key” button.
Note that you can delete the SSH private key defined for this account by clicking on the “Delete
existing SSH private key” button.

10.4.2.4. Associate account with group


Once you have created a device account, you have the possibility to add it to a group in order to
create a target account for session management or password management.

Note:
This association type can also be managed from the “Groups” page (for further
information, refer to Section 10.5, “Target groups”, page 172).

To add a device account to a group, check the box at the beginning of the line to select the related
device account, then click on the “Add to group” button. A window opens and allows you to enter
and select the following fields:

• the group name: select an existing group or create a new one
• the group description
• the target type: select the relevant target type to create the association for session management
or password management
• the local account.

Warning:
The account is displayed in the list as many times as there are services defined on
the device to which it belongs. Make sure to select only the relevant account(s) for the
association to the group.

Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to associate the local account with another group and/or target type. Otherwise,
click on the “Add and close” button to save the data and close the window.

10.4.3. Add a target account to an application


From the “Accounts” page on the “Targets” menu, select “Application accounts” from the drop-down
list then click on the “+ Add” button to display the application account creation page.

This page consists of the following tabs: “General” and “Password”.

10.4.3.1. Define general data


The “General” tab allows you to select and enter the following fields:

• the name of the application to which you want to add an account. It will not be possible to edit
the name of the application once you have clicked on “Apply”.
• the local domain name: you can select an existing local domain or create a new one. It will not
be possible to edit the name of the local domain once you have clicked on “Apply”.
• the account name: this is the internal representation of the account in WALLIX Bastion. This
information is displayed on the session selector and on the account's credential checkout page
on the Web interface. This name must be unique within the WALLIX Bastion domain.
• the account login: this is the user name of the remote account. This information is not displayed
on the session selector or on the account's credential checkout page on the Web interface.
• a description
• the checkout policy to associate with the account. For further information, refer to Section 10.8,
“Checkout policies”, page 193.
• a toggle button to enable or disable the automatic password change for this account. See
Section 4.6, “Data encryption”, page 18 for the data encryption information related to password
storage.

Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the “Password” tab of the application account creation page.

10.4.3.2. Define password


From the “Password” tab, enter and confirm the password of the account.

You also have the possibility to manually change and instantly propagate the password of the
account on the target by using the toggle button “Propagate credential change”.

Once you have defined the password for the account, click on “Apply”.

Note that you can delete a password already set for this account by clicking on the “Delete
password” button.

10.4.3.3. Associate account with group


Once you have created an application account, you have the possibility to add it to a group in order
to create a target account for session management or password management.

Note:
This association type can also be managed from the “Groups” page (for further
information, refer to Section 10.5, “Target groups”, page 172).

To add an application account to a group, check the box at the beginning of the line to select the
related application account, then click on the “Add to group” button. A window opens and allows
you to enter and select the following fields:

• the group name: select an existing group or create a new one
• the group description
• the target type: select the relevant target type to create the association for session management
or password management
• the local account

Note:
After clicking on the “Add and continue” button, the data is saved and you have the
possibility to associate the local account with another group and/or target type. Otherwise,
click on the “Add and close” button to save the data and close the window.

10.4.4. Edit a target account


From the "Accounts" page on the “Targets” menu, click on an account name to display the related
modification page. You can then edit the data already entered.

For further information on how to enter data in the tabs, refer to Section 10.4.3, “Add a target account
to an application”, page 165 to edit a global domain account or refer to Section 10.4.2, “Add a
target account to a device”, page 163 to edit a device account or refer to Section 10.4.3, “Add a
target account to an application”, page 165 to edit an application account.

Warning:
You cannot edit the login, password, SSH private key and checkout policy of a target
account on the Web interface or via the REST API while the related credentials are
checked out. The credentials must first be checked in using the “Force check-in” option
before the corresponding fields can be edited. For further information, refer to Section 12.3.6,
“Account history”, page 231.

When the global domain account is defined on a domain associated with a Certificate
Authority, it is possible to edit the certificate validity period or to enter it if it has not been
defined previously. The appropriate format is as follows:

[number of weeks]wk[number of days]d[number of hours]h[number of minutes]min[number of seconds]s

However, if this value is edited or defined at this point, the former validity period still
applies and the new validity period for the certificate will apply at the next SSH key change.

10.4.5. Change the credentials automatically for one or several accounts

From the “Accounts” page on the “Targets” menu, you have the possibility to launch the automatic
password and SSH private key change for one or more accounts of the following types: global
domain account, device account and application account.

To do this:

1. Select the desired account type from the drop-down list
2. Check the box at the beginning of the line(s) to select the target account(s) which belong to a
domain on which the credential change is enabled
3. Click on the “Automatic credential change” button
4. Select the credential type(s) you want to change and the relevant account(s) in the new window
5. Click on “Apply and close” to launch the automatic credential change for the account(s).

The credentials are now changed on WALLIX Bastion and on the related target(s).

Note:
The automatic credential change is only possible for accounts belonging to a domain on
which the password change is enabled.

Once this change has been launched, the credentials are instantly changed on WALLIX
Bastion and propagated on the related target(s).

The credentials are automatically changed:

• in accordance with the password change policy selected for the domain. For further
information, refer to Section 11.3, “Password change policies”, page 214.
• when the checkout policy allows the password change at check-in. For further
information, refer to Section 10.8, “Checkout policies”, page 193.

10.4.6. Change the credentials manually for a given target account

From the “Accounts” page on the “Targets” menu, you have the possibility to manually change an
account password and/or SSH private key and to instantly propagate the change on the target.

To do this, select the desired account type from the drop-down list and click on the account name
in order to open the related modification page. You can then:

• on the “Password” tab: enter and confirm the new password of the account and enable the toggle
button “Propagate credential change”
• on the “Private key uploading” page of the “SSH private key” tab: upload the new key and enable
the toggle button “Propagate credential change”

Once you have entered the fields and enabled the propagation toggle button, click on “Apply” to
propagate the new password and/or SSH private key on the target.

Note:
The manual credential change is only possible for accounts belonging to a domain on
which the password change is enabled.

Once this change has been launched, the credentials are instantly changed on WALLIX
Bastion and propagated on the related target(s).

The credentials are changed:

• in accordance with the password change policy selected for the domain. For further
information, refer to Section 11.3, “Password change policies”, page 214.
• when the checkout policy allows the password change at check-in. For further
information, refer to Section 10.8, “Checkout policies”, page 193.

10.4.7. Delete a target account


From the “Accounts” page on the “Targets” menu, check the box at the beginning of the line to select
the target account(s) you wish to delete, then click on the “Delete” button. WALLIX Bastion displays
a dialogue box requesting a confirmation before permanently deleting the line(s).

10.4.8. Import target accounts


From the “CSV” page on the “Import/Export” menu, select the “Accounts” check box to import the
related data. The field and list separators can also be configured.

The file must begin with a line containing the following tag:

#wab820 account

Important:
The update of existing data when importing a .csv file overwrites old data.

Each subsequent line must be formed as follows:

Name
  Type: Text. Required.
  Possible values: [aA-zZ], [0-9], '-', '_'
  Default value: N/A

Login
  Type: Text. Required.
  Possible values: Free text
  Default value: N/A

Description
  Type: Text. Optional.
  Possible values: Free text
  Default value: N/A

Password
  Type: Text. Optional.
  Possible values: Free text. Authentication can be performed either by password or by a private
  key or both or none of them.
  When the import is performed from WALLIX Bastion 6.1 or later:
  • if this field is empty, then the password is deleted during import
  • if this field is filled with the [hidden] keyword, then the existing password is not modified.
  Caution! If there is no existing password for the account, then this field is set at [hidden].
  • if this field is filled with a value other than the [hidden] keyword, then the password is
  updated with this new value
  Caution! When the import is performed from a WALLIX Bastion whose version is earlier than 6.1
  and if this field is empty, then the password is NOT deleted during import.
  Default value: N/A

Private key
  Type: Text. Optional.
  Possible values: Free text. Authentication can be performed either by password or by a private
  key or both or none of them.
  When the import is performed from WALLIX Bastion 6.1 or later:
  • if this field is empty, then the private key is deleted during import
  • if this field is filled with the [hidden] keyword, then the existing key is not modified.
  Caution! If there is no existing key for the account, then this field is set at [hidden].
  • if this field is filled with a value other than the [hidden] keyword, then the key is updated
  with this new value
  Caution! When the import is performed from a WALLIX Bastion whose version is earlier than 6.1
  and if this field is empty, then the key is NOT deleted during import.
  As the private key is a long value, it must be specified between quotes for the import.
  Default value: N/A

Passphrase
  Type: Text. Optional.
  Possible values: Free text. Passphrase for the private key. This field is used when a new
  private key is specified in the "Private key" field.
  Default value: N/A

Automatically change password
  Type: Boolean. Required.
  Possible values: True or False
  Default value: False

Automatically change SSH key
  Type: Boolean. Required.
  Possible values: True or False
  Default value: False

Checkout policy
  Type: Text. Required.
  Possible values: Checkout policy defined
  Default value: N/A

Domain, Device, Application, Resources/Services
  Type: Text. Required.
  Possible values:
  For an account on a device:
  • domain: local domain of the device
  • device: name of the device
  • resources: related services (optional and must exist on the device)
  For an account on an application:
  • domain: local domain of the application
  • application: name of the application
  For an account on a global domain:
  • domain: name of the global domain
  • resources: device on the domain, expressed with the syntax device:protocol (optional)
  Default value: N/A
Example of import syntax for a device, domain and application (one record per line):

#wab820 account
my_device_user;device_user_login;description;False;P4sSw0rD;;False;default;local_domain_1;my_device;;
my_domain_user;domain_user_login;description;True;P4sSw0rD;;False;default;my_global_domain;;;device_on_domain:rdp
my_app_user;app_user_login;description;False;P4sSw0rD;;True;default;local_domain_1;;my_application;

Once you have imported the .csv file, a summary report is displayed.

This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.

Figure 10.10. "CSV" page - "Accounts" option selected

10.5. Target groups


The “Groups” page on the “Targets” menu allows you to:

• list the declared target groups


• add, edit and delete a group
• view the target accounts included in each group
• configure a group for session management and password management

It is possible to import target groups from a .csv file to populate the WALLIX Bastion resource
database. For further information, refer to Section 10.5.4, “Import target groups”, page 183.

For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

10.5.1. Add a target group


From the “Groups” page on the “Targets” menu, click on the “+ Add” button to display the group
creation page.

This page consists of the following tabs: “General”, “Session management targets”, “Password
management targets” and “Restrictions”.

10.5.1.1. Define general data


The “General” tab allows you to enter the following fields:

• the new target group name


• a description

Note:
Once you have entered the general data in the “General” tab and clicked on “Apply”, you
can access the other tabs of the group creation page.

10.5.1.2. Configure a target group for session management from an account in the vault
This procedure consists in defining, within a group, the target accounts which can be accessed
remotely from an RDP or an SSH client.

1. From the “Session management targets” tab, select “Account” from the drop-down list then click
on the “+ Add” button to display the resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
local accounts”, “A device and global accounts”, “An application and related local accounts” or
“An application and global accounts”.
3. Depending on the chosen value, select the device or the application concerned by the
association in the next field.
4. In the “Service” field, select the service (if necessary) which will be used to access the target
account(s).

5. Once all the fields are entered, the list of available accounts is displayed. Check the box at the
beginning of the line of the desired target account(s) in order to perform the association.
6. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.

Note:
At least one local and/or global account must exist for the device and the application to
be able to manage this association.
At least one service must exist on the device to be able to manage this association.

You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).

10.5.1.3. Configure a target group for a scenario account during SSH session
This procedure consists in defining, within a group, the target accounts which can be used by a
startup scenario once the SSH session has been initiated. These accounts are called “scenario
accounts”. For further information, refer to Section 12.16, “SSH startup scenario on a target
device”, page 247.

1. From the “Session management targets” tab, select “Scenario account” from the drop-down list
then click on the “+ Add” button to display the resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
local accounts” or “A global domain and related accounts”.
3. Depending on the chosen value, select the device or the global domain concerned by the
association in the next field.
4. Once the fields are entered, the list of available accounts is displayed. Check the box at the
beginning of the line of the desired target account(s) in order to perform the association.
5. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.

Note:
At least one local account must exist on the device and/or one global account must exist
on the global domain to be able to manage associations.

You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).

10.5.1.4. Configure a target group for session management through account mapping
The procedure below consists in defining, within a group, the targets which can be accessed through
account mapping.
An access through account mapping can be defined on a resource (device+service or application)
when a service is saved on this resource.

Warning:
The authentication method PASSWORD_MAPPING must be selected in the connection
policy associated with the target to be able to connect to this target using the
account mapping mechanism (for further information, refer to Section 12.4, “Connection
policies”, page 236).

Account mapping with the authentication method PASSWORD_MAPPING is not functional if the user authenticates via a method with no password exchange such as:

• Kerberos or X509 certificate for WALLIX Bastion


• SAML or X509 certificate for WALLIX Access Manager

1. From the “Session management targets” tab, select “Account mapping” from the drop-down list
then click on the “+ Add” button to display the resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
services” or “Applications”.
3. If you wish to access a device, select the one concerned by the association in the next field.
4. Once the fields are entered, the list of available services and applications is displayed. Check
the box at the beginning of the line of the desired service(s) or application(s) in order to perform
the association.
5. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.

You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).

10.5.1.5. Configure a target group for session management through interactive login
This procedure consists in defining, within a group, the targets which can be accessed through
interactive login.

An access through interactive login can be defined on a resource (device+service or application) when a service is saved on this resource.

Note:
The authentication method PASSWORD_INTERACTIVE must be selected at the level of
the connection policy associated with the target to be able to connect to this target using
the interactive login mechanism (for further information, refer to Section 12.4, “Connection
policies”, page 236).

1. From the “Session management targets” tab, select “Interactive login” from the drop-down list
then click on the “+ Add” button to display the resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
services” or “Applications”.
3. If you wish to access a device, select the one concerned by the association in the next field.

4. Once the fields are entered, the list of available services and applications is displayed. Check
the box at the beginning of the line of the desired service(s) or application(s) in order to perform
the association.
5. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.

You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).

10.5.1.6. Configure a target group for password management from an account in the vault
This procedure consists in defining, within a group, the target accounts for which the password
can be checked out/viewed. For further information, refer to Section 11.1, “User authorizations on
passwords”, page 201.

1. From the “Password management targets” tab, click on the “+ Add” button to display the
resource association creation page.
2. In the “From” field, select the desired value to perform the association: “A device and related
local accounts”, “A global domain and related accounts” or “An application and related local
accounts”.
3. Depending on the chosen value, select the device, the global domain or the application
concerned by the association in the next field.
4. Once the fields are entered, the list of available account(s) is displayed. Check the box at the
beginning of the line of the desired target account(s) in order to perform the association.
5. Click on the “Add and continue” button to save the data and proceed with the creation of other
associations within the group. Otherwise, click on “Add and close” to save the data and close
the resource association creation page.

You can delete an association by checking the box at the beginning of the line of the concerned
account(s) and then by clicking on the “Delete association(s)” button. WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently deleting the line(s).

10.5.1.7. Manage the restrictions

10.5.1.7.1. SSH flow analysis / Pattern detection


When creating/editing user groups or target groups, you can define “restrictions” through a set of
actions to apply when certain character sequences are detected in the upward flow from SSH proxy
by enabling/disabling pattern detection. The data analyzed is the data entered by the user.

Note:
A set of allowed commands can be defined as regular expressions for remote command
execution for subprotocol SSH_REMOTE_COMMAND. For further information,
refer to Section 10.5.1.7.1.5, “Patterns of allowed commands for subprotocol
SSH_REMOTE_COMMAND”, page 179.

To add a restriction, click on the “Restrictions” tab then on the “+ Add” button to display the dedicated
creation window. The relevant actions must be selected in the “Action” field and the corresponding
rules must be defined in the “Rules” field.

In the event of detection, the corresponding action will apply: session disconnection for the “Kill”
action or sending of a notification for the “Notify” action.

Warning:
Character sequence detection is only enabled for data sent by the client to the server.

The list of patterns applied is the sum of those present in the user groups and the target groups.
The linked action is the most restrictive: if the “Kill” action is in one of the groups, then this action
will be selected.
The rules must be entered as regular expressions, with one expression per line.
Furthermore, pattern detection is case-sensitive.
E.g.: to prevent files from being deleted, the expressions to enter in the “Rules” field are as follows:

unlink\s+.*
rm\s+.*

10.5.1.7.1.1. Warning for “Kill” actions


By default, the “Kill” action will disconnect the session at first detection.
It is however possible to define a detection count with blocking and warning before the session
disconnection.
This can be done through the definition of a global option for SSH proxy: from the “Configuration
Options” page on the “Configuration” menu, select “SSH proxy” in the list to access the SSH proxy
configuration page, then enter a positive integer in the “Warning count” field. This value is “0” by
default.
For example, if you enter “5” in this field, the user will be warned five times upon detection (while
preventing execution of the command) before disconnecting the session at the sixth detection.

Warning:
By default, the keyboard inputs not displayed on the terminal (e.g. passwords) are
not logged within WALLIX Bastion, unless the option “Log all kbd” is enabled on the
configuration page for the related connection policy. However, a malicious user can force
the display permanently during the session using the following command:

stty -echo

In such a case, the session can then be disconnected by defining the following “Kill” rule
in the “Restrictions” tab of the “Groups” page:

10.5.1.7.1.2. File transfers


For subprotocols SFTP_SESSION, SSH_SCP_UP and SSH_SCP_DOWN, it is possible to set a
pattern based on the file size to detect transfer of large files. The syntax is as follows:

$filesize:>X

X is the size expressed in bytes.


A trailing letter (such as “m”, “k”, “g”) can be specified to provide a scaling factor as described in
the table below:

Letter Scaling factor
k 1 000
m 1 000 000
g 1 000 000 000
K 1024 (2^10)
M 1 048 576 (2^20)
G 1 073 741 824 (2^30)
Table 10.1. Scaling factor

10.5.1.7.1.3. Data download restriction

For subprotocols SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, TELNET and RLOGIN, it is possible to set a pattern based on the definition of a limit for downloading data from the server to the client's desktop. The syntax is as follows:

$downsize:>X

X is the maximum data amount size expressed in bytes.

A trailing letter (such as “m”, “k”, “g”) can be specified to provide a scaling factor as described in
the table below:

Letter Scaling factor
k 1 000
m 1 000 000
g 1 000 000 000
K 1024 (2^10)
M 1 048 576 (2^20)
G 1 073 741 824 (2^30)
Table 10.2. Scaling factor
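The "$filesize:>X" and "$downsize:>X" rules of the two subsections above can be parsed and evaluated with the following Python code. It is an added example, not WALLIX code; the subprotocol sets, the case-sensitive scaling letters and the strict ">" comparison are taken from the text above.

```python
import re

# Scaling factors from Tables 10.1 and 10.2: lower case letters are decimal,
# upper case letters are binary. An absent letter means plain bytes.
SCALE = {
    "": 1,
    "k": 1_000, "m": 1_000_000, "g": 1_000_000_000,
    "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3,
}

# Subprotocols for which each size keyword is documented.
SUBPROTOCOLS = {
    "$filesize": {"SFTP_SESSION", "SSH_SCP_UP", "SSH_SCP_DOWN"},
    "$downsize": {"SSH_SHELL_SESSION", "SSH_REMOTE_COMMAND", "TELNET", "RLOGIN"},
}

# Only the documented ">" operator is accepted.
_RULE = re.compile(r"^(\$filesize|\$downsize):>(\d+)([kmgKMG]?)$")


def parse_size_rule(rule: str) -> tuple[str, int]:
    """Return (keyword, threshold in bytes) for a '$filesize:>X' or '$downsize:>X' rule."""
    match = _RULE.match(rule.strip())
    if match is None:
        raise ValueError(f"not a size rule: {rule!r}")
    keyword, digits, letter = match.groups()
    return keyword, int(digits) * SCALE[letter]


def applies_to(rule: str, subprotocol: str) -> bool:
    """True when the rule's keyword is defined for the given subprotocol."""
    keyword, _ = parse_size_rule(rule)
    return subprotocol in SUBPROTOCOLS[keyword]


def size_rule_detects(rule: str, subprotocol: str, observed_bytes: int) -> bool:
    """Detection fires when the observed amount strictly exceeds X (the '>' operator)."""
    if not applies_to(rule, subprotocol):
        return False
    _, limit = parse_size_rule(rule)
    return observed_bytes > limit
```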

10.5.1.7.1.4. Detections of Cisco IOS commands

CISCO routers under IOS are quite restrictive for command input but support auto completion and
partial input when command prefixes are unambiguous.

It is therefore necessary to use a specific extension of the rules syntax to forbid or allow some
commands in the most exhaustive way on such a system.

Warning:
A target having this type of detection rules will be considered as a CISCO IOS device.
It should therefore not be used for another kind of device such as Linux/Unix, at the risk
of malfunction.

This syntax extension can be used with subprotocols SSH_SHELL_SESSION, RLOGIN or TELNET
(according to the kind of connection), for any kind of action.

Two modes are available:

• White list of commands: only the listed commands are allowed. The syntax to use in the “Rules”
field is as follows: $acmd:[command list]
• Black list of commands: any command is allowed except those in the list. The syntax to use
in the “Rules” field is as follows: $cmd:[command list]

The command list is delimited by square brackets, each command being separated by a comma.
For example: [enable, show kerberos, access-template, configure terminal]

A command can contain a “:” separator to indicate the end of the unambiguous prefix. The
command itself must not contain any “:” character. For example for the commands "en[able]",
"sh[ow] kerb[eros]", "access-t[emplate]", and "conf[igure] t[erminal]" the list would be: [en:able,
sh:ow kerb:eros, access-t:emplate, conf:igure t:erminal]

Example of white list:

$acmd:[en:able, sh:ow kerb:eros, access-t:emplate, conf:igure t:erminal]


$acmd:[sh:ow]

Example of black list:

$cmd:[en:able, sh:ow]

In case of multiple declarations, all lists of the same kind are merged.

If both white and black lists are declared together, detection will be done from the white list where
commands from the black list have been removed.

By default, implicitly, the commands “alias” and “prompt” will be added to a black list and the
command “exit” will be added to a white list.

Example of detection using the white list: [w:here, sh:ow ke:rberos, co:nnect]

Input Detection
show Yes
show kerb No
sh ke c No
show kron schedule Yes
show ip arp Yes
config t Yes
where No
w No
alias show display Yes
exit No
Table 10.3. Cisco IOS Detection with white list

Example of detection using the black list: [w:here, sh:ow ke:rberos, co:nnect]

Input Detection
show No
show kerb Yes
sh ke c Yes
show kron schedule No
show ip arp No
config t No
where Yes
w Yes
alias show display Yes
exit No
Table 10.4. Cisco IOS Detection with black list
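The prefix-based matching behind Tables 10.3 and 10.4, as an added Python example that is not part of WALLIX Bastion. It assumes that a keyword written without ":" must be typed in full, and that words typed after the listed keywords are arguments (which is what makes "sh ke c" match "sh:ow ke:rberos").

```python
from __future__ import annotations

from dataclasses import dataclass

WHITE_PREFIX = "$acmd:"   # white list: only the listed commands are allowed
BLACK_PREFIX = "$cmd:"    # black list: the listed commands are detected


@dataclass(frozen=True)
class Keyword:
    minimum: str   # shortest accepted abbreviation, e.g. "sh" for "sh:ow"
    full: str      # complete keyword, e.g. "show"

    def accepts(self, typed: str) -> bool:
        # IOS-style abbreviation: a prefix of the full keyword that is at
        # least as long as the unambiguous prefix declared with ":".
        return self.full.startswith(typed) and len(typed) >= len(self.minimum)


def parse_keyword(token: str) -> Keyword:
    # "sh:ow" -> ("sh", "show"). Assumption: a token without ":" has no
    # abbreviation and must be typed in full.
    if ":" in token:
        head, tail = token.split(":", 1)
        return Keyword(head, head + tail)
    return Keyword(token, token)


def parse_command_list(text: str) -> list[tuple[Keyword, ...]]:
    """Parse "[en:able, sh:ow kerb:eros]" into one tuple of keywords per command."""
    body = text.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"command list must be enclosed in square brackets: {text!r}")
    commands = []
    for item in body[1:-1].split(","):
        tokens = item.split()
        if tokens:
            commands.append(tuple(parse_keyword(t) for t in tokens))
    return commands


def command_matches(command: tuple[Keyword, ...], typed: str) -> bool:
    # Every keyword of the listed command must be present, in order, as a
    # valid abbreviation; any further typed words are treated as arguments.
    words = typed.split()
    if len(words) < len(command):
        return False
    return all(kw.accepts(w) for kw, w in zip(command, words))


class IosCommandRestriction:
    """Evaluates the $acmd/$cmd rules of a "Restrictions" entry against typed input."""

    def __init__(self, rules: list[str]):
        self.white: list[tuple[Keyword, ...]] = []
        self.black: list[tuple[Keyword, ...]] = []
        for rule in rules:
            rule = rule.strip()
            if rule.startswith(WHITE_PREFIX):
                self.white += parse_command_list(rule[len(WHITE_PREFIX):])
            elif rule.startswith(BLACK_PREFIX):
                self.black += parse_command_list(rule[len(BLACK_PREFIX):])
        # Lists of the same kind are merged; white list mode applies only when
        # at least one $acmd rule was declared.
        self.white_list_mode = bool(self.white)
        # Implicit entries documented by the guide: "alias" and "prompt" are
        # always black-listed, "exit" is always white-listed.
        self.black += parse_command_list("[alias, prompt]")
        self.white += parse_command_list("[exit]")

    def detects(self, typed: str) -> bool:
        black_listed = any(command_matches(c, typed) for c in self.black)
        if self.white_list_mode:
            # Detection is done from the white list with black-listed commands removed.
            white_listed = any(command_matches(c, typed) for c in self.white)
            return black_listed or not white_listed
        return black_listed
```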

10.5.1.7.1.5. Patterns of allowed commands for subprotocol SSH_REMOTE_COMMAND

A set of allowed commands can be defined as regular expressions for remote command execution.
A command mismatch will then be detected.

The syntax is as follows:

$allow:<re_1>

Commands matching the regular expression <re_1> are thus allowed. The others are detected.

If several expressions prefixed with “allow” are defined, a command matching one of them will be
allowed.

The following sequence:

$allow:<re_1>
$allow:<re_2>
...
$allow:<re_n>

can also be specified as follows:

$allow:<re_1> |<re_2>| ... |<re_n>

Standard regular expression rules are also checked. Thus, a command that matches an allowed
regular expression but also matches a standard regular expression rule is detected, and the
corresponding action is performed.

Example of detection for rule: $allow:abc

Input Detection
abc No
cde Yes
Table 10.5. Commands

Examples of detection for rules:

$allow:abc

$allow:ps.*

Input Detection
abc No
cde Yes
ps aux No
ps aux | grep eggs No
ls Yes
Table 10.6. Commands

Examples of detection for rules:

$allow:abc

$allow:ps.*

ps.*\|

Input Detection
abc No
cde Yes
ps aux No
ps aux | grep eggs Yes
ls Yes
Table 10.7. Commands
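The evaluation of "$allow:" rules together with standard regular expression rules (the "unlink\s+.*" / "rm\s+.*" example earlier in this section and Tables 10.5 to 10.7), as an added Python example that is not WALLIX code. It assumes unanchored, case-sensitive search for both rule kinds, and reads the merging of user group and target group restrictions literally: all rules are pooled and the most restrictive action applies.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

ALLOW_PREFIX = "$allow:"
SEVERITY = {"Notify": 1, "Kill": 2}   # "Kill" is the most restrictive action


@dataclass(frozen=True)
class Restriction:
    action: str   # "Kill" or "Notify", as chosen in the "Action" field
    rules: str    # content of the "Rules" field, one expression per line


def split_rules(rules: str) -> tuple[list[re.Pattern], list[re.Pattern]]:
    """Separate "$allow:" expressions from standard ones; both stay case-sensitive."""
    allow, deny = [], []
    for line in rules.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(ALLOW_PREFIX):
            # "$allow:<re_1> |<re_2>" is a single alternation; a second
            # "$allow:" line is simply another allowed expression.
            allow.append(re.compile(line[len(ALLOW_PREFIX):]))
        else:
            deny.append(re.compile(line))
    return allow, deny


def is_detected(command: str, rules: str) -> bool:
    """True when the remote command triggers the restriction."""
    allow, deny = split_rules(rules)
    # With at least one "$allow:" rule, a command matching none of them is detected.
    # Assumption: unanchored search; anchor the expression (^...$) to tighten it.
    if allow and not any(p.search(command) for p in allow):
        return True
    # Standard expressions are always checked in addition.
    return any(p.search(command) for p in deny)


def evaluate(command: str, user_group: list[Restriction],
             target_group: list[Restriction]) -> str | None:
    """Pool the rules of both groups; return the most restrictive action on detection, else None."""
    pooled = user_group + target_group
    if not pooled:
        return None
    combined = "\n".join(r.rules for r in pooled)
    if not is_detected(command, combined):
        return None
    return max((r.action for r in pooled), key=SEVERITY.__getitem__)
```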

10.5.1.7.2. RDP flows analysis / Pattern detection

When creating/editing user groups or target groups, you can define “restrictions” through a set of
actions to apply when certain character sequences are detected in RDP keyboard flows (the data
analyzed is the data entered by the user) and/or the window title bars (the data analyzed is the data
displayed on the screen). This is performed by enabling/disabling pattern detection.

To add a restriction, click on the “Restrictions” tab then on the “+ Add” button to display the dedicated
creation window. The relevant actions must be selected in the “Action” field and the corresponding
rules must be defined in the “Rules” field.

In the event of detection, the corresponding action will apply: session disconnection for the “Kill”
action or sending of a notification for the “Notify” action.

Warning:
Character sequence detection is only enabled for data sent by the client to the server.

The list of patterns applied is the sum of those present in the user groups and the target groups.
The linked action is the most restrictive: if the “Kill” action is in one of the groups, then this action
will be selected.

The rules must be entered as regular expressions, with one expression per line.

Furthermore, pattern detection is case-sensitive.

An expression prefixed with “$kbd:” will only match keyboard input.

An expression prefixed with “$ocr:” or without any prefix will only match the title bars of active
windows (and not those of the inactive windows).

An expression prefixed with “$kbd-ocr:” or “$ocr-kbd:” will match keyboard input and title bars of
active windows.

E.g.: to ensure files are not deleted from the command prompt (cmd.exe), the expressions to enter
in the "Rules" field are as follows:

$kbd:del\s+.*
$kbd:erase\s+.*

To forbid opening the command prompt itself:

$ocr:Command Prompt
$ocr:.*\\cmd.exe

The following prefixes provide basic string searching:

• “$content:” searches for a string


• “$exact-content:” searches for an entire string. It becomes “content:” when it is used with “$kbd:”.
• “$regex:” searches for a regular expression. This is the default behavior.
• “$exact-regex:” searches for a regular expression formed with “^pattern$”

E.g.: “$content,ocr:abc.exe” will match all windows containing “abc.exe”.

“.” is not considered as a regular expression character.

“-” is the separator character for “$ocr:” and “$kbd:”. The supported separator characters are “-”
and “,”.

Warning:
If you choose to kill the session when a specific window title bar is displayed, users will
not be able to reconnect until this window is closed or its title changed because their
sessions will be killed again immediately.
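A parser for the RDP rule prefixes described above, written as an added example rather than WALLIX code. It assumes that "exact" is a prefix token of its own (so the "-" inside "$exact-content:" is the documented separator) and that the default regular expression search is unanchored; the sample rules are the ones quoted in this subsection.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

SCOPES = {"kbd", "ocr"}
MODES = {"content", "regex"}

# Rules quoted in this subsection, used as sample input.
EXAMPLE_RULES = [
    "$kbd:del\\s+.*",
    "$kbd:erase\\s+.*",
    "$ocr:Command Prompt",
    "$ocr:.*\\\\cmd.exe",
]


@dataclass(frozen=True)
class RdpRule:
    pattern: str
    on_keyboard: bool   # match keyboard input ($kbd:)
    on_title: bool      # match title bars of active windows ($ocr: or no prefix)
    mode: str           # "content", "exact-content", "regex" or "exact-regex"

    def matches(self, text: str) -> bool:
        if self.mode == "content":
            return self.pattern in text                          # "." is literal here
        if self.mode == "exact-content":
            return self.pattern == text
        if self.mode == "exact-regex":
            return re.fullmatch(self.pattern, text) is not None  # "^pattern$"
        return re.search(self.pattern, text) is not None         # default, case-sensitive


def parse_rdp_rule(rule: str) -> RdpRule:
    """Split the "$...:" prefix from the pattern; "-" and "," both separate prefix tokens."""
    on_kbd = on_ocr = exact = False
    mode = "regex"
    pattern = rule
    if rule.startswith("$") and ":" in rule:
        spec, pattern = rule[1:].split(":", 1)
        for token in re.split(r"[-,]", spec):
            if token in SCOPES:
                on_kbd = on_kbd or token == "kbd"
                on_ocr = on_ocr or token == "ocr"
            elif token in MODES:
                mode = token
            elif token == "exact":
                exact = True
            else:
                raise ValueError(f"unknown prefix token {token!r} in rule {rule!r}")
    if not (on_kbd or on_ocr):
        on_ocr = True   # no scope prefix: title bars of active windows only
    # "$exact-content:" becomes "content" when it is used with "$kbd:".
    if exact and not (mode == "content" and on_kbd):
        mode = "exact-" + mode
    return RdpRule(pattern, on_kbd, on_ocr, mode)


def detect(rules: list[str], keyboard_input: str | None = None,
           active_title: str | None = None) -> list[str]:
    """Return the rules hit by a keyboard sequence and/or an active window title."""
    hits = []
    for raw in rules:
        rule = parse_rdp_rule(raw)
        kbd_hit = rule.on_keyboard and keyboard_input is not None and rule.matches(keyboard_input)
        ocr_hit = rule.on_title and active_title is not None and rule.matches(active_title)
        if kbd_hit or ocr_hit:
            hits.append(raw)
    return hits
```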

10.5.1.7.3. Import/export restrictions for target groups and user groups

You can import the restrictions defined during the creation or modification of user groups
or target groups. These restrictions define the actions to apply when certain character
sequences are detected in the upward flow from proxies (refer to Section 10.5.1.7.1, “SSH flow
analysis / Pattern detection”, page 175 and Section 10.5.1.7.2, “RDP flows analysis / Pattern
detection”, page 180).

From the “CSV” page on the “Import/Export” menu, select the “Restrictions” check box to import the
related data. The field and list separators can also be configured.

The file must begin with a line containing the following tag:

#wab820 restriction

Important:
The update of existing data when importing a .csv file overwrites old data.

Each subsequent line must be formed as follows:

Field (Type, R(equired)/O(ptional), Default value): Possible values
Name (Text, R, N/A): [aA-zZ], [0-9], '-', '_'. There can only be a single group name.
Type (Text, R, N/A): Target / User
Action (Text, R, N/A): "Kill" / "Notify"
Rules (Text, R, N/A): Regular expressions, with one expression per line. There can be rules on both user groups and target groups in the same file.
Subprotocol (Text, R, N/A): Name of the subprotocol

Once you have imported the .csv file, a summary report is displayed.

This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.

Caution:
A user is allowed to export restrictions if at least the “View” right for the “Targets &
accounts” feature is set in his/her profile (refer to Section 9.3, “User profiles”, page 86).

If only the “View” right for the “Targets & accounts” feature is set in the profile, then the
user will be able to export restrictions on target groups only.

If the “View” right for the “Users” feature is also set in the profile, then the user will be able
to export the restrictions defined on the user groups he/she is allowed to view (depending
on the limitations set for the profile. For further information, refer to Section 9.3, “User
profiles”, page 86).

If only the “View” right for the “Users” feature is set in the profile, then the user will not
be able to export any restriction.

10.5.2. Edit a target group


From the “Groups” page on the “Targets” menu, click on a group name to display the related
modification page. It is then possible to edit the data already entered.

For further information on how to enter data in the tabs, refer to Section 10.5.1, “Add a target
group”, page 172.

10.5.3. Delete a target group


From the “Groups” page on the “Targets” menu, check the box at the beginning of the line(s) to
select the target group(s) you wish to delete, then click on the “Delete” button. WALLIX Bastion
displays a dialogue box requesting a confirmation before permanently deleting the line(s).

Warning:
You cannot delete a target group linked to active authorizations (refer to Chapter 12,
“Session management”, page 218).

10.5.4. Import target groups


From the “CSV” page on the “Import/Export” menu, select the “Target groups” check box to import
the related data. The field and list separators can also be configured.
The file must begin with a line containing the following tag:
#wab820 targetsgroup

Important:
The update of existing data when importing a .csv file overwrites old data.

Each subsequent line must be formed as follows:

Field (Type, R(equired)/O(ptional), Default value): Possible values
Name (Text, R, N/A): [aA-zZ], [0-9], '-', '_'. There can only be a single group name.
Description (Text, O, N/A): Free text
Target accounts (Text, O, N/A): Selected target accounts for session management. There can be no target account, one or several target accounts defined in each category or in all categories at the same time. A target account can be defined on a global domain (and not on a local domain). Format for target accounts: account@domain@device:protocol
Account mapping (Text, O, N/A): Selected account mapping targets. Format for account mapping targets: device:protocol
Interactive login (Text, O, N/A): Selected interactive login targets. Format for interactive login targets: device:protocol
Accounts (Text, O, N/A): Selected target accounts for password management. Format for target accounts: account@domain or account@domain@device or account@domain@application
Scenario (Text, O, N/A): Selected scenario accounts. Format for scenario accounts: account@domain or account@domain@device

Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.

Figure 10.11. "CSV" page - "Resource groups" option selected

10.6. Clusters
A cluster is a group of jump servers. The use of a cluster in place of a single device allows application
load sharing and High-Availability. The jump server used to run an application is selected in two
steps. WALLIX Bastion firstly sorts the servers, beginning with the one that has the fewest open
sessions, and then tries to connect to each server until it succeeds.

The "Clusters" page allows you to:

• list the clusters and the target accounts declared on each.


• add/edit/delete a cluster
• import clusters from a .csv file which can be used to populate the WALLIX Bastion resource
database

For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

10.6.1. Add a cluster


From the "Clusters" page, click on "Add a cluster" to display the cluster creation page.

The cluster creation page consists of the following fields:

• the cluster name


• a description
• the targets which can be selected to belong to the cluster: move a target from the "Available
Target accounts" frame to the "Selected Target accounts" one in order to choose the target. And
conversely, move a target from the "Selected Target accounts" frame to the "Available Target
accounts" one in order to remove the association.

You can perform a search among the list of the frames by entering data in the area near the
magnifier icon.

You can perform multi-selection among the list of the frames.

Figure 10.12. "Clusters" page in addition mode

10.6.2. Edit a cluster

From the "Clusters" page, click on a cluster name and then on "Edit this group" to display the cluster
modification page.
The fields in this page are the same as those in the cluster creation page.

10.6.3. Delete a cluster


From the "Clusters" page, check the box at the beginning of the line(s) to select the related cluster(s),
then click on the trash icon to delete the selected line(s). WALLIX Bastion displays a dialogue box
requesting a confirmation before permanently deleting the line(s).

10.6.4. Import clusters


From the "Clusters" page, click on the "Import CSV file" icon at the top right of the page to import the
related data. You are then redirected to the "CSV" page on the "Import/Export" menu: the "Clusters"
check box is automatically selected to import the related data. The field and list separators can also
be configured.
The file must begin with a line containing the following tag:

#wab820 cluster

Important:
The update of existing data when importing a .csv file overwrites old data.

Each subsequent line must be formed as follows:

Field (Type, R(equired)/O(ptional), Default value): Possible values
Name (Text, R, N/A): [aA-zZ], [0-9], '-', '_'
Description (Text, O, N/A): Free text
Target account (Text, R/O, N/A): Target accounts defined. At least one target account or one account mapping target or one interactive login target must be defined. There can be no target, one or several targets defined in each category or in all categories in the cluster.
Account mapping (Text, R/O, N/A): Account mapping targets defined. At least one target account or one account mapping target or one interactive login target must be defined. There can be no target, one or several targets defined in each category or in all categories in the cluster.
Interactive login (Text, R/O, N/A): Interactive login targets defined. At least one target account or one account mapping target or one interactive login target must be defined. There can be no target, one or several targets defined in each category or in all categories in the cluster.

Once you have imported the .csv file, a summary report is displayed.

This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.

Figure 10.13. "CSV" page - "Clusters" option selected

10.7. External password vault plugins


From the "Password Vault Plugins" page on the "Targets" menu, you can view the list of the plugins
configured in WALLIX Bastion. For further information, refer to Section 5.3, “Password external
vault”, page 22.

Warning:
This page is only displayed when the “External Vaults” feature is associated with the
license key.

An external password vault plugin can be selected during the creation of a global domain (refer to
Section 10.3, “Domains”, page 148) and several parameters can be set depending on the chosen
plugin.

For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

Figure 10.14. "Password Vault Plugins" page

10.7.1. Bastion plugin


This plugin allows access to the password vault of a remote WALLIX Bastion via the REST API
Web service. For further information, refer to Section 5.3, “Password external vault”, page 22.

The parameters to be set for this plugin during the creation of a global domain (refer to Section 10.3,
“Domains”, page 148) are defined as follows:

• API URL: URL of the REST API to access the vault. This parameter is required. This URL must
start with “https://” and end with “/api/vX.Y”. The minimum API version supported is 2.3.
• API key: key to connect to the REST API. If a key is entered, it must be entered again for
confirmation. This key must be generated on the remote WALLIX Bastion.
• Service account login: login of the service account to connect to the REST API. This login must
correspond to the user name of an account on the remote WALLIX Bastion.
• Service account password: password of the service account to connect to the REST API. If a
password is entered, it must be entered again for confirmation.

10.7.2. CyberArk Enterprise Password Vault plugin


This plugin allows access to the password vault of the CyberArk Enterprise Password Vault privilege
management solution via the REST API Web service. For further information, refer to Section 5.3,
“Password external vault”, page 22.

The parameters to be set for this plugin during the creation of a global domain (refer to Section 10.3,
“Domains”, page 148) are defined as follows:

• API URL: URL of the REST API to access the vault. This parameter is required. This URL must
start with “https://” and end with “/PasswordVault”.
• Safe name: name of the container in the CyberArk Enterprise Password Vault privilege
management solution into which the secrets are stored. This parameter is required.


• Service account login: login of the service account to connect to the REST API. This login must
correspond to the user name of an account in the CyberArk Enterprise Password Vault privilege
management solution.
• Service account password: password of the service account to connect to the REST API. If a
password is entered, it must be entered again for confirmation.
• Maximum checkout duration (minutes): maximum time interval, expressed in minutes, during
which checkout can be performed. At the end of this period, an automatic check-in is performed
by the system. If "0" is entered in this field, then no automatic check-in is performed.

10.7.3. HashiCorp Vault plugin


This plugin allows access to the vault of the HashiCorp Vault secret management solution via
the REST API Web service. For further information, refer to Section 5.3, “Password external
vault”, page 22.

10.7.3.1. Configuration in the HashiCorp Vault secret management solution


The following parameters must be set for the vault secret engine:

• Type: Key/Value (KV)
• Engine version: Version 1

The secret data is structured as follows within the solution:

1. Vault root
└── 2. Name of the secret engine
    ├── 3. Account name in WALLIX Bastion
    │   ├── Login (field “login”)
    │   ├── Password (field “password”)
    │   ├── SSH certificate (field “ssh_certificate”)
    │   └── SSH key (field “ssh_key”)
    └── Other account name in WALLIX Bastion
        ├── Login (field “login”)
        ├── Password (field “password”)
        ├── SSH certificate (field “ssh_certificate”)
        └── SSH key (field “ssh_key”)

Each secret engine is associated with a domain.

Account data within the solution is UTF-8-encoded.

The login and at least one credential (password or SSH key) are required.

The SSH key must be entered in the OpenSSH or PEM formats. The certificate corresponds to the
content of a signed public key which can be downloaded from the Web interface of WALLIX Bastion.


Figure 10.15. Example: Secret data for account “user1” within engine
“engine_one” in HashiCorp Vault secret management solution
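As an added example (not code from the guide or from WALLIX), the following Python checks one account secret read from a KV version 1 engine against the layout above: the “login” field, at least one of “password” or “ssh_key”, an OpenSSH or PEM formatted key, and UTF-8 encoding. The engine and account names, the sample key material and the shape of the read response are assumptions.

```python
from __future__ import annotations

import json
import re

# Field names the guide lists for one account secret in a KV version 1 engine.
REQUIRED_FIELD = "login"
CREDENTIAL_FIELDS = ("password", "ssh_key")   # at least one of these is required

# OpenSSH or PEM private key armour; the guide requires one of these formats.
_PRIVATE_KEY_HEADER = re.compile(
    r"^-----BEGIN (?:OPENSSH |RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----"
)

# Constructed sample of a KV v1 read of engine_one/user1 (assumed response
# shape: KV v1 returns the secret fields directly under "data").
SAMPLE_KV1_RESPONSE = json.dumps({
    "data": {
        "login": "user1",
        "ssh_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                   "b3BlbnNzaC1rZXktdjEAAAAA...constructed...\n"
                   "-----END OPENSSH PRIVATE KEY-----\n",
        "ssh_certificate": "ssh-ed25519-cert-v01@openssh.com AAAA...constructed",
    }
}).encode("utf-8")


def secret_path(engine: str, account: str) -> str:
    """Path of the secret for one Bastion account: <engine>/<account name>."""
    return f"{engine.strip('/')}/{account}"


def validate_secret(data: dict) -> list[str]:
    """Check the fields of one account secret; an empty list means it is usable."""
    problems: list[str] = []
    if not data.get(REQUIRED_FIELD):
        problems.append("field 'login' is required")
    if not any(data.get(f) for f in CREDENTIAL_FIELDS):
        problems.append("at least one of 'password' or 'ssh_key' is required")
    key = data.get("ssh_key")
    if key and not _PRIVATE_KEY_HEADER.match(key):
        problems.append("'ssh_key' is not in OpenSSH or PEM format")
    return problems


def validate_kv1_response(raw: bytes) -> list[str]:
    """Validate a raw KV v1 read response; account data must be UTF-8 encoded."""
    try:
        body = json.loads(raw.decode("utf-8"))
    except UnicodeDecodeError:
        return ["secret body is not valid UTF-8"]
    except json.JSONDecodeError:
        return ["secret body is not valid JSON"]
    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        return ["response has no 'data' object"]
    return validate_secret(data)


if __name__ == "__main__":
    print(secret_path("engine_one", "user1"),
          validate_kv1_response(SAMPLE_KV1_RESPONSE))
```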

10.7.3.2. Configuration in WALLIX Bastion


The parameters to be set for this plugin during the creation of a global domain (refer to Section 10.3,
“Domains”, page 148) are defined as follows:

• API URL: URL of the REST API to access the vault. This parameter is required.
• Secret engine path: access path to the vault secret engine. This parameter is required.
• Token: token to access the vault through the “Token” authentication method. If a token is entered,
it must be entered again for confirmation.
• Username: login of the account to access the vault through the “Userpass” authentication method.
This login must correspond to the user name of an account in the HashiCorp Vault secret
management solution.
• Password: password of the account to access the vault through the “Userpass” authentication
method. If a password is entered, it must be entered again for confirmation.
• PKCS#12 file: browse a path to upload a PKCS#12 file so as to provide the private and public
keys to access the vault through the “TLS Certificate” authentication method.
• PKCS#12 file passphrase: passphrase to unlock the keys provided via the PKCS#12 file for the
“TLS Certificate” authentication method. If a passphrase is entered, it must be entered again for
confirmation.
• Role name: name of the role associated with the Certificate Authority (or "CA") on the server of
the HashiCorp Vault secret management solution.

10.7.4. Thycotic Secret Server plugin


This plugin allows access to the vault of the Thycotic Secret Server secret management solution
via the REST API Web service. For further information, refer to Section 5.3, “Password external
vault”, page 22.


This plugin allows checkout and check-in operations on passwords and SSH keys of the target
accounts. However, it does not allow the checkout duration of the credentials to be extended.
Some features of the Thycotic Secret Server secret management solution are not supported by
WALLIX Bastion. Therefore, the secrets of accounts for which at least one of the following features
is enabled cannot be accessed:

• DoubleLock protection is set
• an approval is required
• a comment is required

10.7.4.1. Plugin parameters


The parameters to be set for this plugin during the creation of a global domain (refer to Section 10.3,
“Domains”, page 148) are defined as follows:

• API URL: URL of the REST API to access the vault. This parameter is required. This URL
must start with “https://” and end with “/SecretServer”, e.g. “https://vault.mycompany.com/
SecretServer”.
• Service account login: login of the service account to connect to the REST API. This login must
correspond to the user name of an account in the Thycotic Secret Server secret management
solution.
• Service account password: password of the service account to connect to the REST API. If a
password is entered, it must be entered again for confirmation.
• Login field: name of the field storing the account login in the Thycotic Secret Server secret
management solution. This name is case-sensitive. This parameter is required and contains
“Username” as a default value.

Warning:
The “Service account login” and “Service account password” fields are optional. If no
service account is used, the user must then provide a password when authenticating
via RDP or SSH proxies or the Web interface to access the vault of the Thycotic Secret
Server secret management solution. As authentications through X509 certificate, SSH
key or Kerberos ticket do not work in this context, it is required to define a service account.

10.7.4.2. Accessing the vault


The workflow to access the vault and retrieve the secret of an account is as follows:

• If the user has authenticated using a login and a password, then these credentials are used to
access the server of the Thycotic Secret Server secret management solution.
• If the user has authenticated using a Kerberos ticket or an SSH key or X509 certificate (or any
other authentication method without providing a password), the service account is used to retrieve
the secret. In this case, the service account must have at least the same rights as the user.

• If none of these methods works, then access to the vault to retrieve a secret will fail.

10.7.4.3. Retrieving the account's secret


In order to be able to retrieve the secret (i.e. the password or the SSH key) of an account in
the Thycotic Secret Server secret management solution, the latter must be mapped into WALLIX
Bastion through a global domain acting as an external vault account container.


The search is done through the specification of the secret ID number of the external vault's account
in the “Login” field of the target account in WALLIX Bastion. This target account is then used to map
the account in the vault of the Thycotic Secret Server secret management solution.

Example: Search for the account whose secret ID corresponds to “26”:

- On the Thycotic Secret Server solution interface, the parameters of the account are as follows:

The URL mentioned on the above screenshot shows that the secret ID of the concerned account
is “26”.

- On the WALLIX Bastion Web interface, the parameters defined for the Thycotic Secret Server
plugin are as follows:

As mentioned on the above screenshot, the value in “Login field” corresponds to the field
name storing the account login in the Thycotic Secret Server secret management solution, i.e.
“Username”. The value of the account login stored in the “Username” field is then “root”, as shown
on the previous screenshot.

- On the WALLIX Bastion Web interface, the parameters defined for the target account are as
follows:


As mentioned on the above screenshot:

• the “Name” field contains the target account name which will be displayed on the selector of the
proxy client, i.e. “SSH_root”
• the “Login” field includes the secret ID number “26” to map the account in the Thycotic Secret
Server solution and retrieve the corresponding secret

Warning:
As the “Login” field includes the secret ID number, the option “copy from name” must
not be selected. This field must not correspond to the user name of the remote account.

10.8. Checkout policies


A checkout policy defines the settings concerning the account checkout process. It can be selected
during the creation or modification of a target account. For further information, refer to Section 10.4,
“Target accounts”, page 159.
During the credential checkout process, the user has access to the following information:

• the login of the account

• the password if it has been defined for the account either on the local or the remote WALLIX
Bastion
• the SSH private key if it has been defined for the account either on the local or the remote WALLIX
Bastion
• the certificate (i.e. the signed SSH public key) if the account is defined on a domain associated
with a Certificate Authority

The “Checkout policies” page on the “Targets” menu allows you to:

• list the checkout policies


• add, edit and delete a checkout policy

Warning:
A default checkout policy called “default” is configured on WALLIX Bastion. You can edit
this policy but you cannot delete it.

For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.


10.8.1. Add a checkout policy


From the “Checkout policies” page on the “Targets” menu, click on the “+ Add” button to display
the checkout policy creation page.

This creation page consists of the following tabs: “General” and “Accounts”.

The “General” tab allows you to enter:

• the checkout policy name
• a description
• a toggle button to enable the lock of the account during the checkout process to prevent
concurrent use by multiple users
• if the lock is enabled:
– the checkout duration in hours, minutes and seconds. This field must be entered.
– the checkout duration extension in hours, minutes and seconds
– the maximum checkout duration in hours, minutes and seconds

Note:
This field must be entered if both the checkout duration and checkout extension have
been set. Moreover, this duration must be greater than or equal to the sum of the
values defined for the checkout duration and the extension.

If the duration extension is not set, this field must be empty or the value entered must
be the same as the one defined for the checkout duration.

– a check box to enable the password change at check-in
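As an added example (not code from the guide or from WALLIX), the following Python applies the rules of the “General” tab to a policy before it is saved: the checkout duration is required once the lock is enabled, the maximum duration is required when an extension is set and must cover duration plus extension, and without an extension the maximum must be empty or equal to the duration. The class and field names are this example's assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def hms(hours: int = 0, minutes: int = 0, seconds: int = 0) -> int:
    """The Web interface takes hours, minutes and seconds; compare in seconds."""
    return hours * 3600 + minutes * 60 + seconds


@dataclass
class CheckoutPolicy:
    """Fields of the "General" tab (names are this example's, not the product's)."""
    name: str
    lock_enabled: bool = False
    duration: Optional[int] = None        # checkout duration, seconds
    extension: Optional[int] = None       # checkout duration extension, seconds
    max_duration: Optional[int] = None    # maximum checkout duration, seconds
    change_password_at_checkin: bool = False


def validate_policy(policy: CheckoutPolicy) -> list[str]:
    """Apply the constraints from the "General" tab; an empty list means valid."""
    problems: list[str] = []
    if not policy.lock_enabled:
        return problems   # the duration fields only apply when the lock is enabled
    if not policy.duration:
        problems.append("checkout duration must be entered when the lock is enabled")
        return problems
    if policy.extension:
        # duration and extension both set: the maximum is required and must cover them
        if policy.max_duration is None:
            problems.append("maximum checkout duration must be entered when an extension is set")
        elif policy.max_duration < policy.duration + policy.extension:
            problems.append("maximum checkout duration must be >= checkout duration + extension")
    elif policy.max_duration is not None and policy.max_duration != policy.duration:
        problems.append("without an extension, the maximum duration must be empty "
                        "or equal to the checkout duration")
    return problems


if __name__ == "__main__":
    # 1 h checkout, 30 min extension, 2 h maximum: a consistent policy
    print(validate_policy(CheckoutPolicy("ops", True, hms(hours=1), hms(minutes=30), hms(hours=2))))
```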

Figure 10.16. "Checkout Policies" page in addition mode


The “Accounts” tab allows you to:

• list the accounts associated with the related checkout policy. To do so, select the desired account
type from the drop-down list.
• edit an account associated with the checkout policy. To do so, select the desired account type from
the drop-down list, then click on the name of the account to display the related modification page.
For further information, refer to Section 10.4.1, “Add a target account to a global
domain”, page 159 to edit a global domain account, to Section 10.4.2, “Add a target account
to a device”, page 163 to edit a device account and to Section 10.4.3, “Add a target account to
an application”, page 165 to edit an application account.
• delete accounts linked to the checkout policy. To do so, select the desired account type from the
drop-down list, then check the box at the beginning of the line of the account(s) and click on the
“Delete” button.

10.8.2. Edit a checkout policy


From the “Checkout policies” page on the “Targets” menu, click on a policy name to display the
related modification page. You can edit the data already entered.
For further information on how to enter data in the tabs, refer to Section 10.8.1, “Add a checkout
policy”, page 194.

Warning:
If access to target accounts is not allowed for a profile, then the profile members can
neither delete nor edit a password checkout policy.

10.8.3. Delete a checkout policy


From the “Checkout policies” page on the “Targets” menu, check the box at the beginning of the
line of the policy(ies) you wish to delete, then click on the “Delete” button. WALLIX Bastion displays
a dialogue box requesting a confirmation before permanently deleting the selected line(s).

Warning:
You cannot delete a password checkout policy if at least one target account is linked to
this policy.
If access to target accounts is not allowed for a profile, then the profile members can
neither delete nor edit a password checkout policy.

10.9. Discovery
WALLIX Bastion embeds a specific module to provide continuous automatic discovery of assets on
configured networks and Active Directories and onboard the desired results.
The “Discovery” entry allows you to:

• configure the scans
• launch the scans manually
• set a periodic scan launch
• view the results of the scan jobs
• view the list of the discovered assets and onboard them within WALLIX Bastion

Note:
The “Discovery” entry will not be displayed on the Web interface if the “Enable
modules” option, accessible from “Configuration” > “Configuration options” > “Module
configuration”, section “main” is deselected. This option is displayed when the check box
of the “Advanced options” field at the top right of the page has been selected. It should
ONLY be changed upon instructions from the WALLIX Support Team!

The “View” right for the “Targets & accounts” and the “Settings” features must be set in
the user profile in order to view the pages in the “Discovery” entry.

The “Modify” right for the “Targets & accounts” and the “Settings” features must be set in
the user profile in order to modify the pages in the “Discovery” entry.

For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

10.9.1. Configure a network scan


From the “Discovery” entry in the “Targets” menu, select “Scan configuration” then click on the “+
Add [Network]” button to display the scan configuration creation page.

This page consists of the following fields:

• the scan name


• a description
• the subnets specified using a CIDR notation (<network address>/<number of mask bits>), e.g.:
192.168.0.15/24. Once you have entered a valid address, click on “+” at the end of the field. Once
a subnet is added, you have the possibility to delete it by clicking on the “-” red icon. You can
add as many subnets as necessary.
• the protocol and port associations. To create an association, select a protocol in the drop-down list
then specify the related port and click on “+”. Once created, it is possible to delete this association
by clicking on the “-” red icon. You can create as many associations as necessary.
• the SSH banner filters specified using regular expressions. Only devices with a banner matching
these regular expressions will be discovered. Once you have entered an expression, click on
“+” at the end of the field. Once an expression is added, you have the possibility to delete it by
clicking on the “-” red icon. You can add as many expressions as necessary.
• the scan periodicity, i.e. the frequency at which the scan is automatically triggered. The format
of the “Scan periodicity” field corresponds to the cron syntax. This field supports the usual
5-field syntax <Minute> <Hour> <Day_of_the_Month> <Month_of_the_Year>
<Day_of_the_Week> as well as the “@” aliases.

For example, if 0 0 * * * or @daily is entered in this field, then the scan job is set to
run once a day at midnight. For further information, refer to https://en.wikipedia.org/w/
index.php?title=Cron#CRON_expression.

Lists of values are available below this field to help define this period using the cron syntax.

If this field is left empty, then no periodicity is set.

• an option to enable the periodicity and thus set the automatic scan launch
• the email addresses of the recipients to be notified at the end of the scan. Once you have entered
an email, click on “+” at the end of the field. Once an email is added, you have the possibility to
delete it by clicking on the “-” red icon. You can add as many emails as necessary.

Once you have entered the fields, click on “Apply” to save the configuration or click on “Apply and
launch” to launch the scan immediately.
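As an added example (not code from the guide or from WALLIX), the following Python performs the checks a practitioner would want on a network scan configuration before entering it: subnets in CIDR notation, protocol/port associations, SSH banner filters as regular expressions, and the 5-field cron periodicity with its “@” aliases. The dictionary keys, the sample banners and the any-match rule for banner filters are this example's assumptions; the banner-filter and periodicity checks apply equally to an Active Directory scan, which uses the same fields.

```python
from __future__ import annotations

import ipaddress
import re

# "@" aliases accepted in the "Scan periodicity" field (the standard cron set)
CRON_ALIASES = {"@yearly", "@annually", "@monthly", "@weekly",
                "@daily", "@midnight", "@hourly"}
# allowed numeric range of each of the 5 cron fields, in field order
CRON_BOUNDS = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 7))
_CRON_TOKEN = re.compile(r"^(\*|\d+)(?:-(\d+))?(?:/(\d+))?$")

# Constructed sample: SSH banners as a scan might collect them on the subnet.
SAMPLE_BANNERS = {
    "192.168.0.10": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1",
    "192.168.0.11": "SSH-2.0-dropbear_2020.81",
    "192.168.0.12": "SSH-2.0-OpenSSH_7.4",
}

# Constructed sample scan configuration (the keys are this example's names).
SAMPLE_SCAN = {
    "name": "lab-subnet",
    "subnets": ["192.168.0.15/24"],
    "associations": [("SSH", 22), ("RDP", 3389)],
    "banner_filters": [r"OpenSSH_[78]\."],
    "periodicity": "@daily",
}


def normalize_subnet(text: str) -> str:
    """Accept CIDR input such as the guide's 192.168.0.15/24; strict=False tolerates
    host bits in the address and yields the network the address belongs to."""
    return str(ipaddress.ip_network(text, strict=False))


def validate_periodicity(expr: str) -> list[str]:
    """Check a 5-field cron expression or an "@" alias; empty means no periodicity."""
    expr = expr.strip()
    if not expr:
        return []
    if expr.startswith("@"):
        return [] if expr in CRON_ALIASES else [f"unknown cron alias {expr!r}"]
    fields = expr.split()
    if len(fields) != 5:
        return ["periodicity needs 5 fields: minute hour day-of-month month day-of-week"]
    problems: list[str] = []
    for (lo, hi), fld in zip(CRON_BOUNDS, fields):
        for item in fld.split(","):
            m = _CRON_TOKEN.match(item)
            if m is None:
                problems.append(f"bad cron token {item!r}")
                continue
            for num in (m.group(1), m.group(2)):
                if num not in (None, "*") and not lo <= int(num) <= hi:
                    problems.append(f"{num} is outside {lo}-{hi} in field {fld!r}")
    return problems


def filter_by_banner(banners: dict[str, str], patterns: list[str]) -> list[str]:
    """Addresses whose SSH banner matches at least one filter (assumed any-match)."""
    compiled = [re.compile(p) for p in patterns]
    return sorted(addr for addr, banner in banners.items()
                  if any(c.search(banner) for c in compiled))


def validate_scan(scan: dict) -> list[str]:
    """Collect every problem in a network scan configuration before submitting it."""
    problems: list[str] = []
    if not scan.get("name"):
        problems.append("scan name is required")
    for net in scan.get("subnets", []):
        try:
            normalize_subnet(net)
        except ValueError:
            problems.append(f"invalid CIDR subnet {net!r}")
    for proto, port in scan.get("associations", []):
        if not proto or not 1 <= int(port) <= 65535:
            problems.append(f"invalid protocol/port association {proto!r}:{port!r}")
    for pat in scan.get("banner_filters", []):
        try:
            re.compile(pat)
        except re.error as exc:
            problems.append(f"invalid banner regex {pat!r}: {exc}")
    problems.extend(validate_periodicity(scan.get("periodicity", "")))
    return problems


if __name__ == "__main__":
    print(validate_scan(SAMPLE_SCAN),
          filter_by_banner(SAMPLE_BANNERS, SAMPLE_SCAN["banner_filters"]))
```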

10.9.2. Configure an Active Directory scan


From the “Discovery” entry in the “Targets” menu, select “Scan configuration” then click on the “+
Add [Active Directory]” button to display the scan configuration creation page.
This page consists of the following fields:

• the scan name


• a description
• an external authentication. Select an LDAP external authentication using Active Directory in the
drop-down list or click on the link below the field to be redirected to the authentication creation
page. For further information on the creation of an external authentication using Active Directory,
refer to Section 9.8.1.3, “Add an LDAP external authentication”, page 109.
• an LDAP/AD search filter. The default query “(objectClass=Computer)” retrieves all the
computers from the directory. This query can be refined with additional criteria.
• the Distinguished Names (or “DNs”) of the entries in the directory. Once you have entered a DN,
click on “+” at the end of the field. Once a DN is added, you have the possibility to delete it by
clicking on the “-” red icon. You can add as many DNs as necessary.
• the protocol and port associations. To create an association, select a protocol in the drop-down list
then specify the related port and click on “+”. Once created, it is possible to delete this association
by clicking on the “-” red icon. You can create as many associations as necessary.
• the SSH banner filters specified using regular expressions. Only devices with a banner matching
these regular expressions will be discovered. Once you have entered an expression, click on
“+” at the end of the field. Once an expression is added, you have the possibility to delete it by
clicking on the “-” red icon. You can add as many expressions as necessary.
• the scan periodicity, i.e. the frequency at which the scan is automatically triggered. The format
of the “Scan periodicity” field corresponds to the cron syntax. This field supports the usual
5-field syntax <Minute> <Hour> <Day_of_the_Month> <Month_of_the_Year>
<Day_of_the_Week> as well as the “@” aliases.
For example, if 0 0 * * * or @daily is entered in this field, then the scan job is set to
run once a day at midnight. For further information, refer to https://en.wikipedia.org/w/
index.php?title=Cron#CRON_expression.
Lists of values are available below this field to help define this period using the cron syntax.
If this field is left empty, then no periodicity is set.
• an option to enable the periodicity and thus set the automatic scan launch
• the email addresses of the recipients to be notified at the end of the scan. Once you have entered
an email, click on “+” at the end of the field. Once an email is added, you have the possibility to
delete it by clicking on the “-” red icon. You can add as many emails as necessary.

Once you have entered the fields, click on “Apply” to save the configuration or click on “Apply and
launch” to launch the scan immediately.


10.9.3. Launch a scan manually


From the “Discovery” entry in the “Targets” menu, select “Scan configuration” to display the list of
the configured scans.
To launch one or several scans manually:

1. Check the box at the beginning of the line of the scan(s) you wish to launch.
2. Click on the “Launch manually” button to launch the scan(s) immediately.

10.9.4. Set a periodic scan launch


From the “Discovery” entry in the “Targets” menu, select “Scan configuration” to display the list of
the configured scans.
To set a periodic launch:

1. Click on the scan name to display the related configuration page.


2. Set the frequency at which the scan is automatically triggered in the “Scan periodicity” field.
This field supports the usual 5-field syntax <Minute> <Hour> <Day_of_the_Month>
<Month_of_the_Year> <Day_of_the_Week> as well as the “@” aliases.
For example, if 0 0 * * * or @daily is entered in this field, then the scan job is set to run
once a day at midnight. For further information, refer to https://en.wikipedia.org/w/
index.php?title=Cron#CRON_expression.
Lists of values are available below this field to help define this period using the cron syntax.
3. Select the “Enable periodicity” option.
4. Click on the “Apply” button. The scan will then be automatically launched according to the
periodicity.

Note:
The time at which the next scan job will be triggered is displayed in the “Next job”
column in the list of the configured scans.

10.9.5. View the results of a scan job


From the “Discovery” entry in the “Targets” menu, select “Job list” to display the list of the scan jobs.
Each line provides the following information:

• the job start date and time


• the job type
• the job status
• the job duration
• the number of discovered devices matching the scan filters
• the scan name
• the subnets for a network scan
• the Distinguished Names for an Active Directory scan


The “Job list” page allows you to:

• get information on a job by clicking on the data in the “Start date” column: it contains an access link
to a dedicated page. The “General” tab displays the scan configuration properties and the number
of discovered devices matching the scan filters. The “Raw results” tab lists all the discovered
assets during a successful job.
• cancel a running job if needed. To do so, select the desired job(s) whose status is “Running” by
checking the box at the beginning of the line(s) and click on the “Cancel” button.
• access the scan configuration page to edit the properties by clicking on the link in the “Scan
name” column.

10.9.6. Onboard discovered devices in WALLIX Bastion


From the “Discovery” entry in the “Targets” menu, select “Devices” to display the list of the
discovered devices.
By default, the table displays the list of the devices which can be onboarded on the “To onboard”
view.
To onboard devices at once:

1. Check the box at the beginning of the line of the devices you wish to onboard.
2. Click on the “Onboard” button. The devices are then onboarded within WALLIX Bastion and can
be managed from the “Devices” page on the “Targets” menu.

Note:
The status of the device is automatically set as “Onboarded” on the “General” tab
(accessible from the “Devices” page on the “Targets” menu).

To edit the properties of a device before onboarding:

1. Check the box at the beginning of the line of the device you wish to onboard.
2. Click on the data in the “Name” column and edit the desired data in the “Device to onboard”
window.
3. Click on the “Apply and onboard” button. The device is then onboarded within WALLIX Bastion
and can be managed from the “Devices” page on the “Targets” menu.

Note:
The status of the device is automatically set as “Onboarded” on the “General” tab
(accessible from the “Devices” page on the “Targets” menu).

The page allows you to:

• get information on the related jobs by clicking on the data in the “First discovery” and “Last
discovery” columns: they contain an access link to a dedicated page. The “General” tab displays
the scan configuration properties and the number of discovered devices matching the scan filters.
The “Raw results” tab lists all the discovered assets during the job.
• hide irrelevant devices if needed. To do so, select the desired devices by checking the box at the
beginning of the lines and click on the “Hide” button. The corresponding devices are then listed
on the “Hidden” view. They can be displayed again on the “To onboard” view by clicking on the
“Unhide” button. Hidden devices can also be onboarded if needed by clicking on the “Onboard”
button.


Chapter 11. Password management


Warning:
The "Password Management" menu and the "Passwords" entry in "My Authorizations"
can only be managed if the WALLIX Password Manager feature is associated with the
license key (refer to Section 5.2, “WALLIX Password Manager”, page 22).

11.1. User authorizations on passwords


From the "Passwords" page on the "My Authorizations" menu, the user can view the list of the target
accounts for which s/he is authorized to check out the credentials.

For each account, the user has the possibility to perform the following actions:

• click on "View" at the beginning of the line to display the credentials of the related account in
another page. In this case, the lock has been disabled at the level of the checkout policy associated
with this account: several users can then access the credentials at the same time.
• click on "Check out" at the beginning of the line to display the credentials of the related account
in another page. In this case, the lock has been enabled at the level of the checkout policy
associated with this account: only this user can access the credentials at this time. For further
information, refer to Section 10.8, “Checkout policies”, page 193.

Important:
If an approval is not necessary to access the credentials or has been accepted by
approvers, the user can directly check out the data. Otherwise, an error message
is displayed and the user must send a request to access the credentials. For
further information, refer to Section 11.1.1, “Password access through an approval
workflow”, page 202.

In the event of an ongoing password change, the concerned account cannot be
checked out. An error message is then displayed informing the user that the account
is temporarily unavailable for checkout.

• click on "Check out remotely" at the beginning of the line to display in another page the credentials
of the related external vault account.
• identify an account that is locked because of an ongoing checkout. In this case, no action
can be performed until the release of this lock.
• send a request to approvers to access the account's credentials by clicking on "Request" in the
"Approval" column at the end of the line. For further information, refer to Section 11.1.1, “Password
access through an approval workflow”, page 202.

When the user has access to the page listing the account's credentials, s/he can view:

• the name of the account being checked out mentioned above the frame
• the login of the account
• the credentials of the account, which can be:
– the password if it has been defined for the account either on the local or the remote WALLIX
Bastion

– the SSH private key if it has been defined for the account either on the local or the remote
WALLIX Bastion. This key can be downloaded in the OpenSSH or PuTTY key formats and can
be encrypted with a passphrase entered in the dedicated field.
– the certificate (i.e. the signed SSH public key) if the account is defined on a domain associated
with a Certificate Authority. This certificate can be downloaded in the OpenSSH or ssh.com
formats.

On the page listing the account's credentials, the user can also:

• click on the "Check in" button to end check out. The user is then redirected to the page listing
the authorized target accounts. If the lock has been enabled in the checkout policy associated
with this account, this action also releases the lock of the account. For further information, refer
to Section 10.8, “Checkout policies”, page 193.
• click on the "Extend checkout" button if a checkout extension has been defined in the checkout
policy associated with the account. Otherwise this button is not displayed. This action extends the
checkout duration and can then be performed several times as long as the maximum duration has
not been reached. For further information, refer to Section 10.8, “Checkout policies”, page 193.
When the lock has been enabled in the checkout policy associated with this account, the latter
remains locked for the period defined within this policy. It is then necessary to click on the "Check
in" button to release the lock of the account before the end of checkout duration. Nonetheless,
the account is automatically checked in at the end of this duration and the user is redirected
to the page listing the authorized target accounts. The remaining time before automatic check-
in is displayed below the credentials. For further information, refer to Section 10.8, “Checkout
policies”, page 193.
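As an added example (not code from the guide or from WALLIX), the following Python models the lock behaviour described above: a locked account refuses a second checkout, “Extend checkout” works only while the policy's maximum duration has not been reached, the remaining time before automatic check-in is exposed, and “Check in” releases the lock early. The class and method names are this example's; that an extension is clipped at the maximum duration and that only the holder can check in are assumptions of this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Checkout:
    """One locked checkout of an account's credentials (names are this example's)."""
    account: str
    user: str
    started_at: int                 # epoch seconds at checkout
    duration: int                   # policy checkout duration, seconds
    extension: Optional[int]        # policy extension, seconds; None when not defined
    max_duration: int               # policy maximum checkout duration, seconds
    expires_at: int = field(init=False)

    def __post_init__(self) -> None:
        self.expires_at = self.started_at + self.duration

    def remaining(self, now: int) -> int:
        """Seconds before automatic check-in (the value shown below the credentials)."""
        return max(0, self.expires_at - now)

    def can_extend(self, now: int) -> bool:
        """"Extend checkout" is offered only when the policy defines an extension, and
        works while the lock is still held and the maximum has not been reached."""
        if self.extension is None or self.remaining(now) == 0:
            return False
        return self.expires_at - self.started_at < self.max_duration

    def extend(self, now: int) -> int:
        if not self.can_extend(now):
            raise RuntimeError("checkout cannot be extended")
        # Assumption of this example: the extension is clipped so the lock never
        # outlives the policy maximum; the guide only says the maximum is not exceeded.
        limit = self.started_at + self.max_duration
        self.expires_at = min(self.expires_at + self.extension, limit)
        return self.expires_at


class CheckoutLedger:
    """Tracks the lock per account: a locked account cannot be checked out by anyone
    else until "Check in" or the automatic check-in at the end of the duration."""

    def __init__(self) -> None:
        self._locks: dict[str, Checkout] = {}

    def status(self, account: str, now: int) -> str:
        lock = self._locks.get(account)
        if lock is None:
            return "available"
        if lock.remaining(now) == 0:
            del self._locks[account]          # automatic check-in, duration elapsed
            return "available"
        return f"locked by {lock.user}"

    def check_out(self, account: str, user: str, now: int, duration: int,
                  extension: Optional[int], max_duration: int) -> Checkout:
        if self.status(account, now) != "available":
            raise RuntimeError(f"{account} is locked until the current checkout ends")
        lock = Checkout(account, user, now, duration, extension, max_duration)
        self._locks[account] = lock
        return lock

    def check_in(self, account: str, user: str) -> bool:
        """Release the lock early; assumption: only the holder can check in."""
        lock = self._locks.get(account)
        if lock is None or lock.user != user:
            return False
        del self._locks[account]
        return True


if __name__ == "__main__":
    ledger = CheckoutLedger()
    lock = ledger.check_out("SSH_root", "alice", 0, 3600, 1800, 7200)
    print(ledger.status("SSH_root", 100), lock.extend(3000), lock.remaining(4000))
```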

11.1.1. Password access through an approval workflow


If an approval workflow has been defined to be authorized to access the target credentials, the
user can send a request for approval to the approvers by clicking on "Request" in the "Approval"
column. The "Approval request" page is then displayed and the request start date, time and duration
must be entered. A comment to enter the reason for approval request and a ticket reference may
also be displayed and entered respectively in the "Comment" field and the "Ticket reference" field if
the corresponding options were enabled during the authorization definition. For further information,
refer to Section 14.7, “Approval workflow”, page 275.
Once the request is performed, the user is redirected to the "Passwords" page, where he/she
can view the status of the sent approval requests in the bottom table.
Each line provides the following information:

• the target for which a request is demanded
• the request start date and time
• the request duration
• the ticket reference associated with the request
• the current quorum
• the status of the request
• the answers of the approvers

The user can click on the notepad icon at the beginning of the line to get a detailed view of the
request. The page provides a "Cancel request" button to cancel the approval requests which are
still valid.


Note:
A script can be called during the approval request creation, but also at the beginning and
end of each session within the request duration period, to manage the approval in an
external ticketing system. To do so, the path to this script is to be entered in the "Ticketing
interface path" field via "Configuration" > "Configuration Options" > "Global".

The script is then systematically called, even if no ticket number is specified in the "Ticket"
field. When the script provides a ticket number in the expected format "ticket=1234", WALLIX
Bastion uses this number rather than the one specified in the "Ticket" field.

Figure 11.1. "My Authorizations" menu - "Passwords" page

11.2. Password change plugins


From the "Password Change Plugins" page on the "Password Management" menu, you can
view the list of the plugins configured in WALLIX Bastion and the credential changes supported
(password or SSH key) for each domain type.

A password change plugin can be selected during the creation/modification of a global or local
domain (refer to Section 10.3, “Domains”, page 148) and several parameters can be set depending
on the chosen plugin.

Figure 11.2. "Password Change Plugins" page

11.2.1. Plugin matrix


The two tables below illustrate the main credential change characteristics for each plugin.

Table 11.1, “Plugin matrix - Part 1”, page 205, lists the following plugins:


• Cisco
• Dell iDRAC
• Fortinet FortiGate
• IBM 3270
• Juniper SRX
• LDAP and
• MySQL

Plugin name | Plugin version | TCP port no. | Password change on global or local domain? | SSH key change on global or local domain? | SSH key and/or certificate supported? | Host SSH key shared with proxies? | Administrator account required on domain? | Who is the Administrator account?
----------- | -------------- | ------------ | ------------------------------------------ | ----------------------------------------- | ------------------------------------- | --------------------------------- | ----------------------------------------- | ---------------------------------
Cisco | 1.0.2 | 22 | Global/Local for a device | - | - | No | No | User with "superuser" privileges / administrator account set for the device
Dell iDRAC | 1.1 | 22 | Global/Local for a device | - | - | No | No | Root user with "Administrator" privileges
Fortinet FortiGate | 1.0 | 22 | Global/Local for a device | Local for a device only | Key | Yes | Yes | "admin" account with the "super_admin" account profile
IBM 3270 | 1.0.0 | 623 | Local for a device only | - | - | No | No | User allowed to change passwords
Juniper SRX | 1.0 | 22 | Local for a device only | - | - | No | No | "admin" user with "super-user" privileges
LDAP | 1.0 | 389 | Global/Local for a device | - | - | No | No | User allowed to change passwords
MySQL | 1.0.3 | 3306 | Global/Local for a device and an application | - | - | No | No | Superuser account with full privileges
Table 11.1. Plugin matrix - Part 1

Table 11.2, “Plugin matrix - Part 2”, page 207, lists the following plugins:

• Oracle
• Palo Alto PA-500
• Unix
• Windows and
• WindowsService

Plugin name | Plugin version | TCP port no. | Password change on global or local domain? | SSH key change on global or local domain? | SSH key and/or certificate supported? | Host SSH key shared with proxies? | Administrator account required on domain? | Who is the Administrator account?
----------- | -------------- | ------------ | ------------------------------------------ | ----------------------------------------- | ------------------------------------- | --------------------------------- | ----------------------------------------- | ---------------------------------
Oracle | 1.0.2 | 1521 | Global/Local for a device and an application | - | - | No | No | User with the "ALTER USER" system privilege
Palo Alto PA-500 | 1.0 | 22 | Local for a device only | - | - | No | No | Administrative account with superuser privileges
Unix | 1.1.1 | 22 | Global/Local for a device | Global/Local for a device | Key and certificate | Yes | No | Root account with UID="0"
Windows | 1.0.1 | 445 | Global/Local for a device | - | - | No | No | Local administrator account or domain account with the "Reset password" right set for the other accounts on the domain
WindowsService | 1.0 | 5985 and/or 5986 | Global/Local for a device | - | - | No | Yes | Administrator account with Remote Management (WinRM) enabled
Table 11.2. Plugin matrix - Part 2

11.2.2. Cisco plugin


The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 148) are defined as follows:

• Host: device hostname or IP address. This parameter is only required for a global domain.
• Port: device port number (SSH default port: 22)
• Enable password: privilege elevation password of the "enable" command. This parameter is
required.

11.2.3. Dell iDRAC plugin


The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 148) are defined as follows:

• Host: device hostname or IP address. This parameter is only required for a global domain.
• Port: device port number (SSH default port: 22)
• Index: index of the privileged account. By default, it corresponds to index 2. This parameter is
required.
• iDRAC version: device version. By default, it corresponds to Dell iDRAC8. This parameter is
required.

11.2.4. Fortinet FortiGate plugin


The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 148) are defined as follows:

• Host: device hostname or IP address. This parameter is only required for a global domain.
• Port: device port number (SSH default port: 22)
• Configuration: character string referring to the section of the configuration. Only the configuration
for the default "System admin" is currently supported.

Warning:
The administrator account is required on the local domain for this plugin. This
account should be first added to the domain from the "Domain accounts" area on
the domain summary page, once the domain creation step has been completed. For
further information, refer to Section 10.3.4, “Add an account to the global or a local
domain”, page 152. Once the "Enable password change" option has been selected on the
domain modification page, select this account from the list in the "Administrator account"
field before selecting the Fortinet FortiGate plugin in the "Password change plugin" field.

11.2.5. IBM 3270 plugin


The parameters to be set for this plugin during the creation/modification of a local domain for a
device only (refer to Section 10.3, “Domains”, page 148) are defined as follows:

• Port: system port number (3270 over TLS default port: 623). This parameter is required.
• Scenario: scenario written in plain text and played by the plugin to change passwords. This
parameter is required.

This scenario includes the following commands and also accepts comments and empty lines:

• EXPECT: expects to receive a specific character string at a given offset which must be absolute,
starting from line 1 in the upper part of the terminal
• IF EXPECT/ELSE/FI: expects to receive a specific character string at a given offset which must
be absolute, starting from line 1 in the upper part of the terminal. If the string is found, the condition
in the TRUE block element is executed. Otherwise, the condition in the ELSE block element is
executed if the latter exists.
• MOVE_TO: moves the cursor to a given position starting from line and column 1 in the upper part
of the terminal (for example, command MOVE_TO:5:18 moves the cursor to line 5 column 18)
• PUT: writes a specific character string at the cursor position
• SEND_ENTER | SEND_PF3 | SEND_PF4 | SEND_PF5 | SEND_PF6 | SEND_PF7 | SEND_PF8: these
commands send the specific key (e.g. ENTER or PF7) to the terminal
• LOG_ERROR: writes the message specified as a parameter into the error logs
• LOG_SCREEN: writes the whole 3270 terminal screen and cursor position into the error logs
• QUIT: ends the session. The password is considered as unchanged.

The following variables are interpreted at runtime:

• $admin_login: sends the administrator user name
• $admin_password: sends the administrator password
• $account: sends the target account name for which the password is currently being changed
• $old_password: sends the old password
• $new_password: sends the new password. The password is considered as changed if the script
for the scenario has been executed successfully.

Scenario example:

An AS/390 emulator with 3270 capabilities can be found at http://www.canpub.com/teammpg/de/sim390/.

#######
# Script for MUSIC AS/390 emulator
# with TN3270 support
#######

####
# Welcome screen
EXPECT:16:Multi-User System for
SEND_ENTER

####
# Login screen
EXPECT:3:MUSIC Userid:
PUT:$account
MOVE_TO:5:18
PUT:$old_password
SEND_ENTER

####
# Login errors
IF EXPECT:7:Password incorrect
LOG_ERROR:Bad password !
QUIT
FI

IF EXPECT:7:Userid is not authorized
LOG_SCREEN
LOG_ERROR:Bad username
QUIT
FI

####
#
EXPECT:1:Userid last signed
SEND_ENTER

####
# Change password
EXPECT:12:Change password
PUT:7
SEND_ENTER

EXPECT:17:Enter your current MUSIC sign-on password
PUT:$old_password
SEND_ENTER

EXPECT:19:Enter a new MUSIC sign-on password
PUT:$new_password
SEND_ENTER

EXPECT:23:Please enter the new password again
PUT:$new_password
SEND_ENTER

####
# End of changing password
IF EXPECT:4:SELECT OPTION
PUT:X
ELSE
# Quit with an error
LOG_ERROR:Password has not been changed
# Print the terminal screen to syslog
LOG_SCREEN
QUIT
FI

# End of script. If reached, password has been successfully changed

Warning:
The administrator account is required on the local domain for this plugin when the
variables $admin_login and $admin_password are specified in the scenario. This
account should first be added to the domain from the "Domain accounts" area on
the domain summary page, once the domain creation step has been completed. For
further information, refer to Section 10.3.4, “Add an account to the global or a local
domain”, page 152. Once the "Enable password change" option has been selected on the
domain modification page, select this account from the list in the "Administrator account"
field before selecting the IBM 3270 plugin in the "Password change plugin" field.
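
A scenario linter to run before attaching a scenario to an IBM 3270 domain, added here as an example and not part of WALLIX Bastion: it checks the command syntax and the IF EXPECT/ELSE/FI nesting described above, flags unknown variables, and reports whether $admin_login or $admin_password is used, in which case the administrator account must be set on the domain. The function name and the two sample scenarios are constructed for this example.

```python
import re

# Commands of the IBM 3270 scenario language that take no argument.
NO_ARG_COMMANDS = {"SEND_ENTER", "SEND_PF3", "SEND_PF4", "SEND_PF5", "SEND_PF6",
                   "SEND_PF7", "SEND_PF8", "LOG_SCREEN", "QUIT", "ELSE", "FI"}
# Variables interpreted at runtime; the first two require an administrator account on the domain.
VARIABLES = {"$admin_login", "$admin_password", "$account", "$old_password", "$new_password"}
ADMIN_VARIABLES = {"$admin_login", "$admin_password"}


def lint_scenario(text):
    """Check a scenario before it is attached to a domain (hypothetical helper).

    Returns (errors, needs_admin_account): errors is a list of "line N: message"
    strings, empty when the scenario is well formed; needs_admin_account is True
    when $admin_login or $admin_password is used.
    """
    errors = []
    needs_admin = False
    open_ifs = []  # one entry per open IF EXPECT block: True once its ELSE was seen

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # comments and empty lines are accepted
            continue
        # "COMMAND:argument"; the argument itself may contain further colons
        cmd, sep, arg = line.partition(":")
        arg = arg if sep else None

        if cmd in NO_ARG_COMMANDS and arg is not None:
            errors.append(f"line {lineno}: {cmd} takes no argument")
        if cmd in ("EXPECT", "IF EXPECT"):
            # offset is an absolute line number starting at 1, followed by the string
            m = re.fullmatch(r"(\d+):(.+)", arg or "")
            if not m or int(m.group(1)) < 1:
                errors.append(f"line {lineno}: {cmd} needs <line>:<string> with line >= 1")
            if cmd == "IF EXPECT":
                open_ifs.append(False)
        elif cmd == "MOVE_TO":
            m = re.fullmatch(r"(\d+):(\d+)", arg or "")
            if not m or int(m.group(1)) < 1 or int(m.group(2)) < 1:
                errors.append(f"line {lineno}: MOVE_TO needs <line>:<column>, both >= 1")
        elif cmd in ("PUT", "LOG_ERROR"):
            if not arg:
                errors.append(f"line {lineno}: {cmd} needs an argument")
            for var in re.findall(r"\$\w+", arg or ""):
                if var not in VARIABLES:
                    errors.append(f"line {lineno}: unknown variable {var}")
                elif var in ADMIN_VARIABLES:
                    needs_admin = True
        elif cmd == "ELSE":
            if not open_ifs or open_ifs[-1]:
                errors.append(f"line {lineno}: ELSE without an open IF EXPECT block")
            else:
                open_ifs[-1] = True
        elif cmd == "FI":
            if not open_ifs:
                errors.append(f"line {lineno}: FI without an open IF EXPECT block")
            else:
                open_ifs.pop()
        elif cmd not in NO_ARG_COMMANDS:
            errors.append(f"line {lineno}: unknown command {cmd!r}")

    if open_ifs:
        errors.append(f"end of script: {len(open_ifs)} IF EXPECT block(s) not closed with FI")
    return errors, needs_admin


# Constructed sample scenarios in the style of the MUSIC AS/390 script above.
GOOD_SCENARIO = """\
####
# Login screen
EXPECT:3:MUSIC Userid:
PUT:$account
MOVE_TO:5:18
PUT:$old_password
SEND_ENTER
IF EXPECT:7:Password incorrect
LOG_ERROR:Bad password !
QUIT
FI
EXPECT:19:Enter a new MUSIC sign-on password
PUT:$new_password
SEND_ENTER
"""

BAD_SCENARIO = """\
PUT:$admin_login
IF EXPECT:7:Userid is not authorized
LOG_SCREEN
PUT:$newpassword
MOVE_TO:0:5
SEND_ENTER:now
"""

if __name__ == "__main__":
    for name, scenario in (("good", GOOD_SCENARIO), ("bad", BAD_SCENARIO)):
        errors, needs_admin = lint_scenario(scenario)
        print(f"{name}: administrator account required: {needs_admin}")
        for err in errors:
            print("  ", err)
```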

11.2.6. Juniper SRX plugin


The parameter to be set for this plugin during the creation/modification of a local domain for a device
only (refer to Section 10.3, “Domains”, page 148) is defined as follows:

• Port: device port number (SSH default port: 22)

11.2.7. LDAP plugin


The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 148) are defined as follows:

• Host: server hostname or IP address. This parameter is required.
• Port: server port number (default port: 389). This parameter is required.
• Encryption: encryption protocol to use: STARTTLS (default value), TLS or None. This parameter
is required.
• Active Directory: option to select if the password change is associated with Active Directory.
• Network timeout: maximum time period expressed in seconds for connection attempt to the
server.
• Administrator Bind DN | Administrator password: Bind DN and password of the administrator
allowed to connect to the LDAP or Active Directory. These parameters are required.

e.g. for LDAP Bind DN: “CN=administrator, DC=mycompany, DC=com”

e.g. for Active Directory Bind DN: “administrator@mycompany.com”

Warning:
If an administrator account has been set on the domain for this plugin, then the
parameters of this account will be used to connect to the LDAP or Active Directory.
Those defined in the “Administrator Bind DN” and “Administrator password” fields are
then not considered.

This account should be first added to the domain from the "Domain accounts" area on
the domain summary page, once the domain creation step has been completed. For
further information, refer to Section 10.3.4, “Add an account to the global or a local
domain”, page 152. Once the "Enable password change" option has been selected on
the domain modification page, select this account from the list in the "Administrator
account" field before selecting the LDAP plugin in the "Password change plugin" field.

• Password attribute: password attribute required for password change. It corresponds to the LDAP
attribute “userPassword” by default. This parameter is required.
• User DN format: syntax of the user DN used to specify the account concerned by the password
change. By default, it corresponds to the string “CN=${USER},DC=dev,DC=example,DC=com”
where the parameter “${USER}” will be replaced by the user name. This format is also used for the
administrator account which may be set on the domain for this plugin. This parameter is required.
• Custom parameters: additional custom attributes to be specified for password change.
These parameters may be required by the server and depend on its configuration. Each
“parameter=value” pair must be written on a single line.

11.2.8. MySQL plugin


The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 148) are defined as follows:

• Host: database hostname or IP address. This parameter is only required for a global domain.
• Port: database port number

11.2.9. Oracle plugin


This plugin allows you to change the Oracle database password.

The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 148) are defined as follows:

• Host: database hostname or IP address. This parameter is only required for a global domain.
• Port: database port number
• Service name: database service name (SID). This parameter is required.
• Admin mode: connection mode for the administrator account. The relevant mode can be selected
from the list of values. This parameter is set to implement reconciliation. When reconciliation is
implemented, the password is changed and the locked account is released.

11.2.10. Palo Alto PA-500 plugin


The parameter to be set for this plugin during the creation/modification of a local domain for a device
only (refer to Section 10.3, “Domains”, page 148) is defined as follows:

• Port: server port number (SSH default port: 22)

11.2.11. Unix plugin


The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 148) are defined as follows:

• Host: system hostname or IP address. This parameter is only required for a global domain.
• Port: system port number (SSH default port: 22)
• Root password: password to connect as "root".

The root account may not be able to connect to the target to perform the password change via
SSH under certain circumstances, for security reasons. In this case, the plugin will refer to the
administrator account set for the domain to connect to the target and then use the root password
via the "su" command.

When reconciliation is needed, the authentication with password or SSH key is attempted for the
administrator account.


11.2.12. Windows plugin


The parameters to be set for this plugin during the creation/modification of a global or local domain
(refer to Section 10.3, “Domains”, page 148) are defined as follows:

• Domain controller address: domain controller hostname or IP address. This parameter is only
required for a global domain.
• Administrator login and administrator password: login and password of a privileged account which
is allowed to change passwords of other accounts. These parameters are optional but note that
WALLIX Bastion cannot define the new password of an account if the former one is unknown.
These parameters correspond to the credentials of the account selected in the "Administrator
account" field defined on the domain page (refer to Section 10.3, “Domains”, page 148) and are
set to implement reconciliation.
To allow full operation of the automatic password change process on a standalone Windows
Server, this privileged account must be included in the administrator group.
To allow full operation of the automatic password change process on a Windows Server
configured with Active Directory, this privileged account must have the "Reset password" right
set for the other accounts on the domain. For further information on how to delegate permission
to reset passwords of Active Directory user accounts, refer to https://www.petri.com/delegate-permission-reset-ad-user-account-passwords.

Warning:
To allow full operation of the automatic password change process in WALLIX Bastion, we
strongly recommend changing the default value set for the minimum password age at the
level of the Windows password policy. This value should be set to "0":

• on a standalone Windows Server, the minimum password age should be changed in
the Windows security settings for local accounts at the level of the local policy via "Local
Security Policy" > "Account Policies" > "Password Policy" > "Minimum password age".
• on a Windows Server configured with Active Directory, the minimum password age
should be changed in the Windows security settings at the level of the group
policy for accounts on domains via "Group Policy Management Editor" > "Computer
Configuration" > "Windows Settings" > "Security Settings" > "Account Policies" >
"Password Policy" > "Minimum password age".

On the other hand, to avoid any timeout error when performing password change
on a target under Windows Server 2012, we recommend enabling the rule “Netlogon
Service(NP-In)” in the Windows firewall advanced settings.

11.2.13. WindowsService plugin


This plugin allows the automatic propagation of a new password on a Windows Service following
the password change of a service account. For further information on the management of service
accounts, refer to Section 10.4.1.4, “Define references for service account management”, page 162.

Warning:
To allow full operation of the password change process on a Windows service, the
installation of PowerShell 3.0 or later and the activation of WinRM are required on the
Windows server.


The parameters to be set for this plugin during the creation/modification of a global domain (refer
to Section 10.3, “Domains”, page 148) are as follows:

• Name: name of the Windows Service for which the password must be changed. This parameter
is required.
• Transport: transport protocol used to authenticate to the WinRM server: Kerberos (default value),
CredSSP or NTLM. This parameter is required.

Warning:
If the transport protocol defined for this plugin is Kerberos, then the fields “Kerberos
realm”, “Kerberos KDC” and “Kerberos port” must be specified on the global domain
page of the administrator account selected during the definition of the reference. For
further information, refer to Section 10.3.1, “Add a global domain”, page 149.

• Restart the service: option to select if the Windows Service must be restarted after the password
change. When the Windows Service is deployed on multiple Windows servers, this service is
restarted successively on each server after the password change, in order to avoid an interruption
of the service.

11.3. Password change policies


A password change policy defines the credential change settings (i.e. for the password, the SSH
key or both) and can be selected during the creation/modification of a global/local domain. For
further information, refer to Section 10.3, “Domains”, page 148.

Warning:
All passwords for which automatic change is configured, as described in Section 10.4.5,
“Change the credentials automatically for one or several accounts”, page 167, will be
replaced. You must therefore check that the emails containing the new passwords have
indeed been received and can be decrypted. You are recommended to do so by testing
the process on a single, non-administrator account.
WALLIX Bastion's performance can be affected by a large number of password changes.
This number can be set in the “Credential change thread pool dimension” field, accessible
from “Configuration” > “Configuration options” > “Global” > “Main” section. This field is
displayed when the “Advanced options” check box at the top right of the page is selected
and should ONLY be changed upon instructions from the WALLIX Support Team!

From the “Password change policies” page on the “Password management” menu, you can list,
add, edit or delete password change policies.
For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

Warning:
A default password change policy called “default” is configured in WALLIX Bastion. This
policy can neither be deleted nor edited.

11.3.1. Add a password change policy


From the “Password change policies” page, click on “+ Add” to display the password change policy
creation page.

This page consists of the following fields:

• the policy name
• a description
• the password change periodicity, i.e. the frequency at which the password change is automatically
triggered. The format of the “Change periodicity” field corresponds to the cron syntax. This
field supports the usual 5-field syntax <Minute> <Hour> <Day_of_the_Month>
<Month_of_the_Year> <Day_of_the_Week> as well as the “@” aliases.

For example, if 0 0 * * * or @daily is entered in this field, then the password change job is set
to run once a day at midnight. For further information, refer to https://en.wikipedia.org/w/index.php?title=Cron#CRON_expression.

Lists of values are available below this field to define this period clearly using the cron syntax.

If this field is left empty, then no change period is set.

• a dropdown list to indicate whether the policy concerns a change of password, of SSH key or of both

When the selected policy concerns a password change, the “Password generation” section
becomes accessible and lists the following fields:

• the password length, i.e. the number of characters the password must contain
• the number of non-alphanumeric ASCII characters (or special characters) which must be present
in the password
• the number of lowercase letters which must be present in the password
• the number of uppercase letters which must be present in the password
• the number of digits which must be present in the password
• the characters which must be excluded from the password. Once you have entered a character
in the field, click on “+” to add it to the forbidden character list. Once a character is added, you
have the possibility to delete it from the list by clicking on the “-” red icon.
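
A generator and checker for these password generation fields, added here as an example and not WALLIX Bastion's own generator (whose implementation this guide does not describe): it draws the required number of characters from each class with a CSPRNG, honours the excluded character list, and rejects an infeasible policy such as minimum counts exceeding the length or a class emptied by the exclusion list. The policy key names and the sample policy are constructed; "special characters" are taken to be the printable non-alphanumeric ASCII characters.

```python
import secrets
import string

# Assumed definition of the policy's "non-alphanumeric ASCII characters".
SPECIAL = string.punctuation

# Constructed policy mirroring the creation page fields; key names are assumptions.
SAMPLE_POLICY = {
    "length": 16,
    "min_special": 2,
    "min_lower": 3,
    "min_upper": 3,
    "min_digit": 2,
    "excluded": "O0l1I|\\\"'`",  # ambiguous or quote/shell-sensitive characters
}


def _pools(policy):
    """Character pool per class, with the policy's excluded characters removed."""
    excluded = set(policy.get("excluded", ""))
    base = {
        "min_special": SPECIAL,
        "min_lower": string.ascii_lowercase,
        "min_upper": string.ascii_uppercase,
        "min_digit": string.digits,
    }
    return {key: [c for c in chars if c not in excluded] for key, chars in base.items()}


def policy_problems(policy):
    """Reasons why no password can satisfy the policy (empty list when feasible)."""
    pools = _pools(policy)
    problems = []
    if sum(policy.get(key, 0) for key in pools) > policy["length"]:
        problems.append("required character counts exceed the password length")
    for key, pool in pools.items():
        if policy.get(key, 0) > 0 and not pool:
            problems.append(f"{key}: every character of this class is excluded")
    if not any(pools.values()):
        problems.append("every allowed character is excluded")
    return problems


def generate_password(policy):
    """Generate a password meeting the policy using the secrets CSPRNG."""
    problems = policy_problems(policy)
    if problems:
        raise ValueError("; ".join(problems))
    pools = _pools(policy)
    chars = []
    for key, pool in pools.items():  # satisfy each minimum count first
        chars += [secrets.choice(pool) for _ in range(policy.get(key, 0))]
    everything = [c for pool in pools.values() for c in pool]
    chars += [secrets.choice(everything) for _ in range(policy["length"] - len(chars))]
    # Shuffle so the mandatory classes do not sit at predictable positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def check_password(password, policy):
    """True when the password meets the policy; verifies generator output or
    audits a password received from elsewhere against the same rules."""
    excluded = set(policy.get("excluded", ""))
    if len(password) != policy["length"] or any(c in excluded for c in password):
        return False
    counts = {
        "min_special": sum(c in SPECIAL for c in password),
        "min_lower": sum(c in string.ascii_lowercase for c in password),
        "min_upper": sum(c in string.ascii_uppercase for c in password),
        "min_digit": sum(c in string.digits for c in password),
    }
    return all(counts[key] >= policy.get(key, 0) for key in counts)


if __name__ == "__main__":
    pw = generate_password(SAMPLE_POLICY)
    print(pw, check_password(pw, SAMPLE_POLICY))
```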

When the selected policy concerns an SSH key change, the “SSH key generation” section becomes
accessible and lists the following fields:

• a list of values to select the SSH key type and
• depending on this selection, a list of values to specify the key size

You will find below a summary table of the SSH key types and the corresponding sizes allowed:

Key type    Size allowed
RSA         1024 bits | 2048 bits | 4096 bits | 8192 bits
DSA         1024 bits
ECDSA       256 bits | 384 bits | 521 bits
ED25519     N/A

When the selected policy concerns a password change and an SSH key change as well, both
sections become accessible and list the fields described above.


Figure 11.3. "Password Change Policies" page in addition mode

11.3.2. Edit a password change policy


From the “Password change policies” page, click on a policy name to display the related modification
page. It is then possible to edit the data already entered.

Warning:
If the target account access is not allowed for a profile, then the profile members can
neither delete nor edit a password change policy.

11.3.3. Delete a password change policy


From the “Password change policies” page, check the box at the beginning of the line(s) to select the
password change policy(ies) you wish to delete, then click on the “Delete” button. WALLIX Bastion
displays a dialogue box requesting a confirmation before permanently deleting the line(s).

Warning:
If the target account access is not allowed for a profile, then the profile members can
neither delete nor edit a password change policy.

11.4. "Break glass" mechanism configuration


WALLIX Bastion implements a "break glass" mechanism which allows a user to get the credentials
of the target groups gathered in the Bastion, i.e. login, cn (“common name”), passwords and SSH
keys. This may be useful in the event of the unavailability of WALLIX Bastion.

Credentials in the bastion are automatically sent to the user every night at 2:34 a.m. in the time
zone in which WALLIX Bastion is located (as defined in the "Time Service" page on the "System"
menu): s/he receives an encrypted email containing the list of all the credentials for the target groups
gathered in the Bastion, depending on the scope of the limitations set for his/her profile.


Furthermore, the user receives an encrypted email containing the new password and/or SSH key
for the target account whenever the latter is changed (automatically or manually), depending on
the password change and checkout policies linked to the account. For further information, refer to
Section 10.4.5, “Change the credentials automatically for one or several accounts”, page 167 and
Section 10.4.6, “Change the credentials manually for a given target account”, page 168.

Important:
The user is notified when the following conditions are fulfilled:

• a public GPG key is declared for the user (refer to Section 7.3, “Setting your
preferences”, page 36)
• the user has the right to get the list of all the credentials in WALLIX Bastion: the
"Execute" right for the "Credential recovery" feature is set in his/her profile (refer to
Section 9.3, “User profiles”, page 86)
• the change (either automatic or manual) must be enabled:
– at the level of the domain: a password change policy and a password change
plugin must be linked to the domain. For further information, refer to Section 10.3,
“Domains”, page 148, Section 11.3, “Password change policies”, page 214 and
Section 11.2, “Password change plugins”, page 203.
– at the level of the target account: a checkout policy must be linked to the account
and the automatic password and/or SSH key change must be set, if so. For further
information, refer to Section 10.4, “Target accounts”, page 159 and Section 10.8,
“Checkout policies”, page 193.

Note:
The email containing the list of all the credentials can be decrypted using a PGP-compatible
tool. It is then required to decrypt the attachment separately and use a CSV or
JSON-compatible tool to open the attachment in this format.

Notifications related to successive credential changes at check-in and notifications which
were not sent due to network failures are grouped to be sent by email within the next
15 minutes.


Chapter 12. Session management


Warning:
The "Session Management" menu and the "Sessions" entry in "My Authorizations" can
only be managed if the WALLIX Session Manager feature is associated with your license
key (refer to Section 5.1, “WALLIX Session Manager”, page 22).
The “Sessions” page in the “My authorizations” menu may be slow to display when a large
number of sessions exist in the Bastion. To improve the page load performance, deselect
the option “Session last connection date” accessible from “Configuration” > “Configuration
options” > “GUI (Legacy)” > section “main”. Note that when this option is deselected, the
data in the “Last connection” column is no longer displayed.

12.1. User authorizations on sessions


From the "Sessions" page on the "My Authorizations" menu, the user can view the list of the targets
to which he/she is authorized to access.
The user can access the target by clicking on one of the following icons at the beginning of the
concerned line:

• : this icon allows the user to download an RDP configuration file or a shell script with the SSH
command (WALLIX-PuTTY on Windows or SSH on other systems) he/she can save to establish a
connection from an RDP or an SSH client (filename suffix .puttywab or .xsh or .rdp under Windows
and .sh or .remmina under Linux). In this case, the WALLIX Bastion password is required for the
connection.
• : “Instant access (one-time password, limited in time)”: this icon allows the user to open the file
to immediately establish a connection from an RDP client (filename suffix .rdp under Windows
and .sh or .remmina under Linux). In this case, no password is required but the access is granted
for a limited period of time. This icon is also displayed for the connection to an application.
• : “Instant access with WALLIX-PuTTY (one-time password, limited in time)”: this icon allows
the user to open the file to immediately establish a connection from an SSH client (filename suffix
.puttywab or .xsh under Windows and .sh under Linux). In this case, no password is required but
the access is granted for a limited period of time. For SSH authentication, see also Section 12.2,
“Target connection in interactive mode for SCP and SFTP protocols”, page 222.

Note:
The display of icons, and consequently the access to the file to establish a connection,
depends on the parameters set for the connection and file types related to RDP and SSH
according to the operating system via "Configuration" > "Configuration Options" > "GUI
(Legacy)", in the following fields:

• “Rdp connection links” and “Ssh connection links”
• “Rdp windows filetype” and “Rdp other os filetype”
• “Ssh windows filetype” and “Ssh other os filetype”

When the authorization concerns a RAWTCPIP service, only the application WALLIX-
PuTTY allows the user to download or open the file to establish the connection (filename
suffix .puttywab). For further information on WALLIX-PuTTY, refer to Section 12.1.1,
“Specific options for SSH sessions”, page 219.

Note:
In a load balancing process, it is possible to specify the WALLIX Bastion's FQDN or IP
address to which the user will be redirected to when accessing a target via "Configuration"
> "Configuration Options" > "GUI (Legacy)":

• in the field "Connection file fqdn standard": when the target is accessed by downloading
the configuration file
• in the field "Connection file fqdn otp": when the target is instantly accessed with the one-time
password method.

12.1.1. Specific options for SSH sessions


The downloadable file type on Windows platforms for SSH sessions can be selected from
"Configuration" > "Configuration Options" > "GUI (Legacy)", then select the appropriate value in
"Ssh windows filetype".

To use the .puttywab files on Windows, the application WALLIX-PuTTY has to be downloaded and
installed from the link "Download WALLIX-PuTTY" displayed at the top of the page. This link is
only displayed when the workstation is running under Windows and the user is also authorized to
connect to at least one SSH target. The installation sets the file association so that the application
is started automatically. The installation does not require administrative privileges. However, the
installation is only operational for the logged user and not for all users of the workstation.

12.1.2. Specific options for RDP sessions


The link "Download RDP configuration file" displayed at the top of the page allows the user
to download an RDP configuration file with the RemoteApp mode enabled. The user can then
save the file to establish a connection to an application in interactive mode via the RDP client
selector. This link is only displayed when the RemoteApp mode is enabled and the user is also
authorized to connect to at least one application. The RemoteApp mode is enabled by default when
accessing applications (as defined via "Targets" > "Applications"). This parameter can be managed
via "Configuration" > "Configuration Options" > "GUI (Legacy)", then select/deselect the option "Rdp
remote app mode".

The "Options" area at the top left of the page allows the user to select the resolution and the color
depth for the RDP client window. The settings are saved for the workstation being used. Thus a user
can establish an RDP connection through a desktop or a laptop with different resolution settings
for each workstation.

For further information on RemoteApp mode, refer to Section 10.2.2, “Configure the application
launch using RemoteApp mode”, page 138.

Warning:
The RemoteApp sessions of a user connected simultaneously on one or several
applications are split by default when displayed from the "Current Sessions" and
"Session History" pages below the "Audit" menu. If the option "Rdp enable sessions
split" (accessible from "Configuration" > "Configuration Options" > "GUI (Legacy)" >
"main" section) is deselected, it may be possible to get an overlay view of these sessions.

The client Remote Desktop Connection (MSTSC) connected to Windows Server 2008
or 2012 does not allow several RemoteApp programs to share the same RDP session.
There will be as many RDP sessions created as the number of RemoteApp programs
launched.

Display issues related to the Microsoft client have been reported when using RemoteApp
mode and multiple monitors. Dysfunctions occur when the primary monitor is not located
in the upper left part of the virtual screen. The recommended workaround is to locate
the primary monitor in the upper left part of the virtual screen. Refer to
https://go.microsoft.com/fwlink/?LinkId=191444 for further information on the virtual
screen.

In addition, to support glyphs between the iOS client and the RDP proxy and thus display
text properly on the selector when accessing sessions from mobile devices, the option "Bogus ios
glyph support level" is selected by default. This parameter can be managed via "Configuration" >
"Configuration Options" > "RDP proxy" > section "client".

Moreover, as the support of Unicode character set for keyboard event is necessary to operate
the Remote Desktop Connection client under iOS, the option "Unicode keyboard event support" is
selected by default. This parameter can be managed via "Configuration" > "Configuration Options"
> "RDP proxy" > section "globals".

As the keyboard behavior for VNC sessions depends on the target server environment, options
allow the administrator to declare this environment and enable the corresponding behavior. These
options can be managed below the "vnc" section on the configuration page related to the connection
policy for the VNC protocol. This page can be accessed from "Session Management" > "Connection
Policies":

• when "Server unix alt" is selected
– on a Unix environment, the target server can receive any Unicode character sent by the client
– on a Windows environment, the target server forbids any Unicode character but allows special
characters using the AltGr+€ key combination
• when "Server is apple" is selected, keyboard specificities related to the Apple VNC server are
supported.

12.1.3. Session access through an approval workflow


If an approval workflow has been defined to be authorized to access the target, the user can send
a request for approval to the session access by clicking on "Request" in the "Approval" column.
The "Approval request" page is then displayed and the request start date, time and duration must
be entered. A comment to enter the reason for approval request and a ticket reference may also
be displayed and entered respectively in the "Comment" field and the "Ticket reference" field if
the corresponding options were enabled during the authorization definition. For further information,
refer to Section 14.7, “Approval workflow”, page 275.

Once the request is performed, the user is redirected to the "Sessions" page, where he/she can
view the status of the sent approval requests in the table at the bottom of the page.

Each line provides the following information:

• the target for which a request is demanded
• the request start date and time
• the request duration
• the ticket reference associated with the request
• the current quorum
• the status of the request
• the answers of the approvers

The user can click on the notepad icon at the beginning of the line to get a detailed view of the
request. The page provides a "Cancel request" button to cancel the approval requests which are
still valid.

Note:
A script can be called during the approval request creation, but also at the beginning and
end of each session within the request duration period, to manage the approval in an
external ticketing system. To do so, the path to this script is to be entered in the "Ticketing
interface path" field via "Configuration" > "Configuration Options" > "Global".

The script is then systematically called even if a ticket number is not specified in the
"Ticket" field. When the script receives a ticket number expected in format: "ticket=1234",
WALLIX Bastion takes into account this number and not the one specified in the "Ticket"
field.

When this script is called, it receives as a parameter the path to a file providing all the
session information.

Example of information provided in the file during the approval request creation:

[request]
user=johndoe
target=target1@local@repo:SSH
date=2017-09-22 10:12:19
duration=300
ticket=1234
comment=I have to install patches
session_id=
session_start=0
session_end=0
target_host=

Example of information provided in the file at the beginning of the session:

[request]
user=johndoe
target=target1@local@repo:SSH
date=2017-09-22 10:12:00
duration=300
ticket=1234
comment=I have to install patches
session_id=15ea8a529008635d5254006c3e07
session_start=2017-09-22 10:12:29
session_end=0
target_host=host1.mydomain.lan

Example of information provided in the file at the end of the session:

[request]
user=johndoe
target=target1@local@repo:SSH
date=2017-09-22 10:12:00
duration=300
ticket=1234
comment=I have to install patches
session_id=15ea8a529008635d5254006c3e07
session_start=2017-09-22 10:12:30
session_end=2017-09-22 10:12:34
target_host=host1.mydomain.lan
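
A ticketing-interface script that consumes the file shown above, as an added example (not WALLIX code). It assumes that the Bastion passes the file path as the script's only argument and that a ticket number is returned by printing "ticket=<number>" on standard output; the sample file contents are constructed from the three phases listed above.

```python
"""Ticketing-interface script for the approval workflow (added example, not
WALLIX code). Assumptions: the Bastion runs it with the request file path as
the only argument, and a ticket number is handed back by printing
"ticket=<number>" on standard output."""
import configparser
import sys
from datetime import datetime

# Constructed samples: the request-creation and session-end phases of the guide.
SAMPLE_CREATION = """[request]
user=johndoe
target=target1@local@repo:SSH
date=2017-09-22 10:12:19
duration=300
ticket=1234
comment=I have to install patches
session_id=
session_start=0
session_end=0
target_host=
"""

SAMPLE_END = """[request]
user=johndoe
target=target1@local@repo:SSH
date=2017-09-22 10:12:00
duration=300
ticket=1234
comment=I have to install patches
session_id=15ea8a529008635d5254006c3e07
session_start=2017-09-22 10:12:30
session_end=2017-09-22 10:12:34
target_host=host1.mydomain.lan
"""

def parse_request(text):
    """Parse the [request] section into a dict of string values."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("request"):
        raise ValueError("missing [request] section")
    return dict(parser.items("request"))

def classify_phase(req):
    """Tell the three calls apart from the fields that change between them:
    no session_id yet = request creation, session_end still 0 = session start."""
    if not req.get("session_id"):
        return "request_created"
    if req.get("session_end", "0") == "0":
        return "session_started"
    return "session_ended"

def validate(req):
    """Checks worth doing before the values are forwarded to an external system."""
    problems = []
    try:
        int(req["duration"])
    except (KeyError, ValueError):
        problems.append("duration is not an integer number of seconds")
    try:
        datetime.strptime(req["date"], "%Y-%m-%d %H:%M:%S")
    except (KeyError, ValueError):
        problems.append("date is not in YYYY-MM-DD HH:MM:SS format")
    if req.get("ticket") and not req["ticket"].isdigit():
        problems.append("ticket reference is not numeric")
    return problems

def build_event(req):
    """Shape the record that would be sent to the ticketing system."""
    return {
        "phase": classify_phase(req),
        "user": req["user"],
        "target": req["target"],
        "ticket": req.get("ticket") or None,
        "session_id": req.get("session_id") or None,
    }

def main(argv):
    if len(argv) != 2:
        print("usage: ticketing.py <request-file>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        req = parse_request(fh.read())
    problems = validate(req)
    if problems:
        print("; ".join(problems), file=sys.stderr)
        return 1
    event = build_event(req)
    # Forwarding the event to the external ticketing system depends on that
    # system and is left out here. If it returns its own reference, it is
    # reported back in the expected "ticket=1234" format (assumption).
    if event["ticket"]:
        print(f"ticket={event['ticket']}")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```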

Figure 12.1. "My Authorizations" menu - "Sessions" page

12.2. Target connection in interactive mode for SCP and SFTP protocols

As SCP and SFTP protocols do not allow a secondary interactive mode, it is necessary to add
specific options during primary connection (i.e. the connection initiated between a user and WALLIX
Bastion) to be prompted for target connection information, displayed as prompts or dialog boxes,
using primary interactive keyboard ("keyboard interactive"). This system assumes that the client
supports the interactive keyboard authentication method ("keyboard interactive").

The question mark “?” is a forbidden character in the user name (or login), but it can be used as
a separator to specify options (on the right) explicitly requesting a prompt to enter the login and/or
the password to connect to the target.

The “p” option requests the target password.

The “l” option requests the target login.

The question mark “?” without any option requests the target password by default.

Examples:

Login: “wabuser”: no additional prompt

Login: “wabuser?”: target password is prompted

Login: “wabuser?p”: target password is prompted

Login: “wabuser?l”: target login is prompted

Login: “wabuser?lp”: target login is prompted first then target password is prompted

The password is required when the authentication method PASSWORD_INTERACTIVE has been
selected at the level of the connection policy associated with the target (for further information, refer
to Section 12.4, “Connection policies”, page 236).
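
A parser for the “login?options” syntax described above, together with the keyboard-interactive prompt pairs it implies, as an added example (not WALLIX code). It assumes that unknown option letters are rejected and that, when both are requested, the login is prompted before the password, as in the examples; the prompt wording is constructed.

```python
"""Parser for the "login?options" syntax of the primary SCP/SFTP connection
(added example, not WALLIX code). Assumptions: unknown option letters are
rejected, and the login prompt always precedes the password prompt."""

VALID_OPTIONS = {"l": "target_login", "p": "target_password"}


def parse_primary_login(login):
    """Return (user_name, prompts): the user name presented at the primary
    connection and the ordered list of target credentials to ask for.

    "wabuser"    -> ("wabuser", [])
    "wabuser?"   -> ("wabuser", ["target_password"])
    "wabuser?l"  -> ("wabuser", ["target_login"])
    "wabuser?lp" -> ("wabuser", ["target_login", "target_password"])
    """
    if "?" not in login:
        return login, []
    user, options = login.split("?", 1)
    if not user:
        raise ValueError("empty user name before '?'")
    if "?" in options:
        # '?' is forbidden in the user name, so a second one cannot be part of it
        raise ValueError("only one '?' separator is allowed")
    if options == "":
        # a bare '?' requests the target password by default
        return user, ["target_password"]
    unknown = set(options) - set(VALID_OPTIONS)
    if unknown:
        raise ValueError("unknown option(s): " + "".join(sorted(unknown)))
    prompts = []
    if "l" in options:
        prompts.append(VALID_OPTIONS["l"])
    if "p" in options:
        prompts.append(VALID_OPTIONS["p"])
    return user, prompts


def keyboard_interactive_prompts(login):
    """Build the (prompt text, echo flag) pairs a keyboard-interactive request
    would carry: the login is echoed, the password is not (constructed wording)."""
    _, prompts = parse_primary_login(login)
    echo = {"target_login": True, "target_password": False}
    return [(p.replace("_", " ") + ": ", echo[p]) for p in prompts]
```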

12.3. Audit data


The "Audit" menu allows the auditor to view WALLIX Bastion audit data and mainly connection
histories.
An auditor is a user who has been designated by a WALLIX Bastion administrator with the right to
audit: the "View" right for the "Session audit" feature is set in his/her profile (refer to Section 9.3,
“User profiles”, page 86).

12.3.1. Current sessions


From the "Current Sessions" page on the "Audit" menu, the auditor can view the list of the active
connections during which RDP or SSH sessions were initiated from WALLIX Bastion and are still
on-going. Note that active connections on the Web interface during which sessions are not initiated
are then not shown on this list.

Note:
The generic term "connection" will be used throughout this section to refer to both SSH
and RDP connections.

On the top of the page, the auditor can choose to enable/disable automatic refresh of current session
data. When the corresponding option is enabled, you can set the refresh frequency. This may be
particularly useful when selecting the active connections to close.

Each line provides the following information:

• the user (set as follows: user@machine(ip))
• the target accessed (set as follows: account@target:service)
• the target host or IP address
• the description of the source (RDP or SSH) and destination protocols

Note:
Specific keywords must be entered in the “Search:” field above the table header to
search for RDP sessions:
– the rdp:app keyword to search for application sessions
– the rdp:notapp keyword to search for sessions which are not application sessions

• the connection start time
• the connection duration

The auditor can also close one or more connections on this page: to do so, it is necessary to check
the box at the beginning of the line(s) to select the related connection(s), then click on the red
icon, on the column header, to close the corresponding connection(s). WALLIX Bastion displays a
dialogue box requesting a confirmation before permanently closing the connection(s).

Users connected through RDP or SSH are then informed that the connection has been closed by
the administrator, as shown below:

Figure 12.2. SSH connection closed by the administrator

Note:
When closing a connection, the auditor can prevent the local user from connecting again.
This action can be set via "Configuration" > "Configuration Options" > "GUI (Legacy)",
then select the option "Audit kill session lock user". This option is deselected by default:
the function is disabled.

12.3.2. Current sessions in real-time view


From the "Current Sessions" page on the "Audit" menu, the auditor can view the current RDP or
SSH sessions in real-time when the session recording option has been enabled at the level of
the authorization defined for the user group and the target group. For further information, refer to
Chapter 14, “Authorization management”, page 269.

The auditor can click on the magnifying glass icon at the beginning of the concerned line in the
list to open a window to view the session in real-time. He/she can click again on this icon to close
the window.

Note:
The auditor can view the current SSH session even if the session recording option has
not been enabled at the level of the authorization defined for the user group and the target
group.

In the context of an RDP session, the auditor can enable the “Allow rt without recording”
option accessible from “Configuration” > “Configuration options” > “RDP proxy” > section
“video” to view the current RDP session for which the session recording option has not
been enabled in the authorization, defined for the user group and the target group. For
further information, refer to Chapter 14, “Authorization management”, page 269.

By enabling the “Enable osd 4 eyes” option accessible from “Configuration” >
“Configuration options” > “RDP proxy” > section “client”, a message is displayed for the
user to inform him/her that the session is being audited as soon as the auditor starts
viewing the RDP session in real-time.

12.3.3. Session sharing and remote control on RDP current sessions

From the "Current Sessions" page on the "Audit" menu, the auditor can initiate a process to remotely
control a current RDP session shared by the user.

Warning:
Session sharing and remote control on RDP current sessions are available through
WALLIX Bastion for targets under Windows Server 2012 and later versions supporting
“Remote Desktop Shadowing” feature for remote control.
The advanced configuration option “Session shadowing support” (accessible from
"Configuration" > "Configuration Options" > "RDP proxy" then section "mod_rdp") must
be enabled to allow session sharing and remote control on RDP current sessions through
WALLIX Bastion.
During this process, the auditor's session is recorded only if the user's session is also
recorded.

The process sequence is as follows:

1. First, the user connects to an RDP target and initiates a session.
2. From the "Current Sessions" page on the "Audit" menu, the auditor can then click on the session
remote control icon at the beginning of the concerned line in the list. This action launches
the download of a file on the workstation which will allow the auditor to immediately establish a
connection to the user's session from an RDP client (filename suffix .rdp under Windows and .sh
or .remmina under Linux).
3. Remote control requires the user's permission: a window is then displayed on the user's session
to request approval for a limited period of time.
4. The auditor can execute the downloaded file to immediately establish a connection to the user's
session from the RDP client.

Note:
Only a single remote control request can be sent during the user's session.
The auditor will not be able to remotely control the user's session as long as the latter
has not accepted the request on the dedicated window.

12.3.4. Session history


From the "Session History" page on the "Audit" menu, the auditor can view the history of all
connections to targets made through WALLIX Bastion and also visualize the session recordings
(refer to Section 12.3.5, “Session recordings”, page 227).

Caution:
An auditor with limitations set on his/her profile can see the session history only if s/he is
allowed to view the authorization set for the session. This authorization is defined for a
user group and a target group s/he is allowed to view.

Warning:
This page shows only the closed sessions on targets. To get the view on the current
sessions, refer to Section 12.3.1, “Current sessions”, page 223.

This page does not show user authentications and thus user authentication failures
due to access rights. To get this information, refer to Section 12.3.8, “Authentication
history”, page 233. SIEM messages provide more information on authentications and
access rights. For further information, refer to Chapter 17, “SIEM messages”, page 296.

Figure 12.3. "Session History" page

Each line provides the following information:

• the user name and source IP for the connection (set as follows: name@ipsource)
• the target accessed (set as follows: account@target:service)
• the target host or IP
• the source and destination protocols

Note:
Specific keywords must be entered in the “Search:” field above the table header to
search for RDP sessions:
– the rdp:app keyword to search for application sessions
– the rdp:notapp keyword to search for sessions which are not application sessions

• the connection start time
• the connection end time
• the connection duration
• the file size of the session recording. For further information, refer to Section 12.3.5, “Session
recordings”, page 227.

Note:
The file size of the session recording is not displayed when session has been initiated
from a version earlier than WALLIX Bastion 6.2.

• an icon representing the result of the connection. In the event of a failure, an auditor can get
more detail on the connection issue (e.g. wrong password, authentication to target failed, target
resource not available, session killed by the administrator or by a “Kill” action, etc.) by clicking
on the icon. This description can be updated if needed. In case of success, an auditor can add a
description in a dedicated area by clicking on the icon. The addition of comments into this area
is logged in the WALLIX Bastion audit log (i.e. "wabaudit"). For further information regarding this
log, refer to Section 8.5, “System logs”, page 47.

• the icon is displayed when the session has been shared between the user and the auditor
with remote control. The information can then be displayed by hovering the mouse over the icon:
it corresponds either to the auditor's remote control session or the user's controlled session.

Filters can be defined on the top of the page to facilitate the search and restrict the display to relevant
records. The available filters are based on:

• a selection of the data to display: all data, only existing devices or only existing applications
• the definition of a period
• the definition of the last N days
• a search for text occurrences in the columns. For further information, refer to Section 6.5.1,
“Search data”, page 31.

Note:
Only the last 1,000 records are displayed in the Web user interface. The occurrence filter
is applied to these 1,000 records. Older sessions can only be retrieved through the date
range filter.

All data in this page can be downloaded as a .csv file.

12.3.5. Session recordings


A session video viewer is embedded in WALLIX Bastion and allows a direct access to the RDP or
SSH session recordings without requiring any specific browser plugin, application or video codec
to be installed.
Session recordings are stored in partition /var/wab/recorded/ (for local storage) or
/var/wab/remote/recorded/ (for remote storage) and can be archived or purged using a
dedicated script. For further information, refer to Section 15.18, “Export and/or purge session
recordings manually”, page 284 and Section 15.19, “Export and/or purge session recordings
automatically”, page 286.
Encryption and signature of session recordings can be set on the "Recordings Options" page from
the "Session Management" menu. For further information, refer to Section 12.5, “Session recording
options”, page 239.
From the "Session History" page on the "Audit" menu, the auditor can view and download the RDP
or SSH session recordings. To do so, the session recording option has been enabled beforehand at
the level of the authorization defined for the user group and the target group. For further information,
refer to Chapter 14, “Authorization management”, page 269.

Some icons may be displayed at the beginning of the lines to allow specific actions:

• : this icon allows the auditor to download the session recording in the unprocessed format
ttyrec for the SSH session or in the pcap format (which can be viewed with the packet analyzer
Wireshark) for the RAWTCPIP session
• : this icon allows the auditor to download the visible content of the SSH session in a flat text
format (txt)
• : this icon allows the auditor to display the page to view the recording of the session. A
viewer then allows the auditor to go through the session video. The session information is
displayed on the top of the page.

When viewing an SSH session, it is possible to get the transcription of the video and the session
metadata but also download the files transferred during the session in the dedicated areas below
the viewer.

Figure 12.4. "Session History" page - SSH session view

When viewing an RDP session, it is possible to:

– generate then download the whole film by first clicking on the "Generate" button below the
viewer, then by clicking on the icon displayed as soon as generation is completed.

Note:
When replaying the video of a RemoteApp application session, the area of the
content displayed in the RDP viewer can be set. This parameter can be managed
from "Configuration" > "Configuration Options" > "RDP proxy" then below section
"video", select the appropriate value in "Smart video cropping".

The recording for a session based on the RDP protocol includes both video and
automatic OCR of the applications running on the remote machine by detecting title
bars.

The algorithm used to detect the title bar content is very fast and thus allows real-time
execution. However, it only works with "Windows Standard" windows and a default
font size at 96 DPI with a colour depth of 15 bits or more (15, 16, 24 or 32 bits; it does
not work in 8-bit mode). In its current version, the OCR function will not work if the
title bar style is changed, even to a style that is visually very similar, for example to
"Windows classic", or if the title bar colour, style, font size or resolution is changed. In
addition, OCR is configured to detect only the title bars of applications closed using
the three icons: close icon, minimize icon and maximize icon. If the title bar contains
an icon, this will generally be replaced by question marks before the recognized text.

Figure 12.5. Viewer


– browse quickly through the film in the viewer, from a given period, by clicking on the thumbnails
on the "Screenshot list" area.

Figure 12.6. "Screenshot list" area


– download the session data by clicking on the icon on the "Session data" area. If the OCR
option is enabled, the titles of applications detected in the film by the OCR module are indexed
and displayed in this area. It is then possible to click on the entries in this list to browse quickly
through the film in the viewer.

Figure 12.7. "Session data" area


– download the files transferred during the session from the area "Transferred files".
• : this icon allows the auditor to display a detailed page of the approval request (with all
the approvers’ answers and comments included). This icon is displayed on the line when the
corresponding session went through an approval workflow. For further information, refer to
Section 14.7, “Approval workflow”, page 275.

12.3.6. Account history


From the "Account History" page on the "Audit" menu, the auditor can:

• check the activity on the accounts
• view the password change history
• force a check-in operation on the account's credentials

On the "Activity" column, the auditor can click on "Show" to view the activity history for the account
on a dedicated page. This page displays a table listing the check-in and checkout operations on
the account's credentials recorded at a given date and time.

Caution:
An auditor with limitations set on his/her profile can see the activity history for the account
only if s/he is allowed to view both groups in the authorization set to view the account's
credentials.

On the "History" column, the auditor can click on "Show" to view the password change history for
the account on a dedicated page. This page displays information related to the password or SSH
key changes for the account at a given date and time.

Caution:
An auditor with limitations set on his/her profile can see the password change history for
the account only if s/he is allowed to view the related account.

On the "Actions" column, the "Force check-in" option is available for the accounts which are checked
out by users. The auditor can click on this option to check-in the credentials for the related account.
Note that the current RDP or SSH session will not be closed when the account's credential
check-in is forced.

Note:
The "Force check-in" option is always available for the accounts defined on a global
domain associated with an external password vault. In this case, the "External vault"
column contains a check mark for the relevant accounts.

The following account activities are stored in /var/log/vault-activity.log:

• checkout
• checkout duration extension
• check-in and automatic check-in
• forced check-in

This information can be sent to a SIEM software if the routing is configured on WALLIX Bastion.
For further information, refer to Section 8.9, “SIEM integration”, page 52.

Note:
Some system logs saved in partition /var/log are stored for a maximum time period
of 5 weeks.

Figure 12.8. "Account History" page

12.3.7. Approval history


From the "Approval History" page on the "Audit" menu, you can view all the approval requests
(pending or expired) sent to access sessions. For further information on approvals, refer to
Section 14.7, “Approval workflow”, page 275.

When the auditor displays the detail of a "pending" request, this action is logged in the WALLIX
Bastion audit log (i.e. "wabaudit"). For further information regarding this log, refer to Section 8.5,
“System logs”, page 47.

Caution:
An auditor with limitations set on his/her profile can see the approval history only if s/he is
allowed to view the authorization set to demand an approval request. This authorization
is defined for a user group and a target group s/he is allowed to view.

Filters can be defined on the top of the page to facilitate the search and restrict the display to relevant
records. The available filters are based on:

• the definition of a period
• the definition of the last N days
• a search for text occurrences in the columns. For further information, refer to Section 6.5.1,
“Search data”, page 31.

Note:
Only the last 1,000 records are displayed in the Web user interface. The occurrence filter
is applied to these 1,000 records. Older sessions can only be retrieved through the date
range filter.

Each line provides the following information:

• the status of the request
• the current quorum
• the ticket reference associated with the request
• the demanding user
• the target for which a request is demanded
• the request start date and time
• the request end date and time
• the request duration
• the answers of the approvers

A click on the notepad icon at the beginning of the line allows the auditor to get a detailed view
of the request.

All data in this page can be downloaded as a .csv file.

Figure 12.9. "Approval History" page

12.3.8. Authentication history


From the "Authentication History" page on the "Audit" menu, the auditor can view the authentication
attempts on the proxy’s RDP and SSH interfaces (respectively on ports 3389 and 22).

Filters can be defined on the top of the page to facilitate the search and restrict the display to relevant
records. The available filters are based on:

• the definition of a period
• the definition of the last N days, weeks or months
• a search for text occurrences in the columns. For further information, refer to Section 6.5.1,
“Search data”, page 31.

Note:
Only the last 1,000 records are displayed in the Web user interface. The occurrence filter
is applied to these 1,000 records. Older sessions can only be retrieved through the date
range filter.

Each line provides the following information:

• the event date
• the user name provided (WALLIX Bastion user name)
• the source IP address
• the login result
• the result of the connection shown as an icon representing either a success or a failure
• the diagnosis which provides more detail on the connection result

All data in this page can be downloaded as a .csv file.

Figure 12.10. "Authentication History" page

12.3.9. Connection statistics


From the "Connection Statistics" page on the "Audit" menu, the auditor can view statistical
information on connections made through WALLIX Bastion for a given period of time. This period
may be a date range or a number of days before the current date.
At the top left of the page, the auditor can select the type of statistical information he/she wishes to
view in the list of values: either "Statistics" or "Unused resources".
If "Statistics" (by default) is selected by the auditor, the display can be restricted to the most/least
frequently occurring events (target connections by device or by user or by date, etc.): a maximum
number of 35 elements can be displayed.

The following options can be selected for the report generation:

• the number of target connections by device
• the number of target connections by target account
• the number of WALLIX Bastion connections by user
• the number of target connections by user
• the target connections by duration
• the total target connection duration by user
• the number of target connections by date
• the maximum parallel target connections by date

Filters can be defined at the bottom of the page to facilitate the search and restrict the display to
relevant records. The available filters are based on the selection among the WALLIX Bastion users
and/or devices and/or targets.

Once the charts have been generated, the auditor can click on those related to the WALLIX Bastion
and target connections to get the corresponding detail on the "Authentication History" page (refer
to Section 12.3.8, “Authentication history”, page 233) or the "Session History" page (refer to
Section 12.3.4, “Session history”, page 225).

A table in the header of the generated graphs lists the selected filters and a button below the graphs
allows the auditor to download a .csv file presenting the related data.

If "Unused resources" is selected by the auditor, he/she can view the unused users or targets for a
given period of time. This period may be a date range or a number of days before the current date.
The data can either be displayed as a list directly on the current page or downloaded as a .csv file.

Figure 12.11. "Connection Statistics" page

Figure 12.12. Example of statistical report

12.4. Connection policies


From the "Connection Policies" page on the "Session Management" menu, you can add, edit or
delete connection policies. The latter are defined as the authentication mechanisms available in
WALLIX Bastion.

The mechanisms available for RDP, VNC, SSH, TELNET, RLOGIN and RAW TCP/IP protocols are
predefined in WALLIX Bastion and can neither be deleted nor edited.

A connection policy can be selected during the creation/modification of a device and is
associated with a specific service on the device. For further information, refer to Section 10.1,
“Devices”, page 124.

On each of these pages, a useful description can be displayed for all the fields by selecting the check
box of the "Help on options" field on the right of the page. This description includes the required
format to be specified when entering data in the concerned field.

Warning:
The specific options displayed when the check box of the "Advanced options" field at
the top right of the page is selected should ONLY be changed upon instructions from
the WALLIX Support Team! An icon representing an exclamation mark on an orange
background is displayed near the concerned fields.

For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

Figure 12.13. "Connection Policies" page

12.4.1. Add a connection policy


From the "Connection Policies" page, you can add a connection policy:

• by clicking on "Add a connection policy" to display the policy creation page
• by duplicating an existing policy in order to use its parameters: click on the icon in the "Action"
column on the right of the concerned line in the table to display the policy creation page with the
parameters inherited from the chosen policy. In this case, only the "Policy name" and "Description"
are not inherited from the chosen policy and are empty.

The connection policy creation page consists of the following fields:

• the connection policy name
• a description
• the selection of the relevant protocol (automatically entered if you create a policy from the
parameters of an existing one)
• the selection of the authentication methods and the parameters specific to the chosen protocol

• the definition of a transformation rule to get a login for secondary connection. For further
information, refer to Section 12.6, “Transformation rule to get a login for secondary
connection”, page 239.
• the definition of a transformation rule to get the credentials of an account in the vault. For further
information, refer to Section 12.7, “Transformation rule to get credentials of an account in the
vault of WALLIX Bastion”, page 240.

For the connection policies based on the TELNET or RLOGIN protocols, a sequence of commands
must be entered in the "Scenario" field to define an authentication. A connection scenario is defined
by default but it can be modified. For further information, refer to Section 12.14, “TELNET/RLOGIN
connection scenario on a target device”, page 245.

For the connection policies based on the SSH protocol, a startup scenario can be entered in the
"Scenario" field (below the "startup scenario" section) to perform specific actions at the beginning
of the session. For further information, refer to Section 12.16, “SSH startup scenario on a target
device”, page 247.

The session probe can be enabled for the connection policies based on the RDP protocol. For
further information, refer to Section 12.19, “Using the session probe mode”, page 252.

Figure 12.14. "Connection Policies" page in addition mode for RLOGIN protocol

12.4.2. Edit a connection policy


From the "Connection Policies" page, click on a policy name and then on "Edit this connection
policy" to display the connection policy modification page.

The fields in this page are the same as those in the connection policy creation page, except the
"Protocol" field which cannot be accessed.

Warning:
If the target account access is not allowed for a profile, then the profile members can
neither delete nor edit a connection policy.

12.4.3. Delete a connection policy


From the "Connection Policies" page, check the box at the beginning of the line(s) to select the
related policy(ies), then click on the trash icon to delete the selected line(s). WALLIX Bastion
displays a dialogue box requesting a confirmation before permanently deleting the line(s).

Warning:
You cannot delete a connection policy when the latter is linked to a device (at the level
of the service on the "Devices" page). For further information on how to link a connection
policy on a device, refer to Section 10.1.1, “Add a device”, page 124.

If the target account access is not allowed for a profile, then the profile members can
neither delete nor edit a connection policy.

12.5. Session recording options


From the "Recordings Options" page on the "Session Management" menu, you can set or unset
encryption and signature of session recordings.

These records can be viewed from the "Session History" page on the "Audit" menu. For further
information, refer to Section 12.3.4, “Session history”, page 225 and Section 12.3.5, “Session
recordings”, page 227.

The encrypted recordings can only be read by the WALLIX Bastion instance which created them.

Recordings are encrypted with AES-256 in CBC mode. The signature is an HMAC-SHA-256
fingerprint, which is checked at playback.

Figure 12.15. "Recording Options" Page

12.6. Transformation rule to get a login for secondary connection

A transformation rule based on a character string can be defined to get a login for connection on
a target account through a mapping from:

• a user account login if the target account is included in a group configured for account
mapping (for further information, refer to Section 10.5.1.4, “Configure a target group for session
management through account mapping”, page 173)
• a login of an account in the vault of WALLIX Bastion if the target account is included in a group
configured for session management from accounts in the vault (for further information, refer to
Section 10.5.1.2, “Configure a target group for session management from an account in the
vault”, page 172).

This rule is set in the "Transformation rule" field on the configuration page for the related connection
policy, accessible from "Session Management" > "Connection Policies".

The character string includes the required field ${LOGIN} and possibly the optional field ${DOMAIN}
in an LDAP mapping context.

The transformation rule returns the string and replaces the fields ${LOGIN} and ${DOMAIN} with
the appropriate values (i.e. the login and domain).

The result corresponds to the login for connection on the target.

Note:
The transformation rule defined is ignored if the target account is included in a
group configured for interactive login (for further information, refer to Section 10.5.1.5,
“Configure a target group for session management through interactive login”, page 174).

Example 12.1. Examples of transformation rules:

'${DOMAIN}WIN2k3\${LOGIN}': addition of a suffix to the domain

'${LOGIN}': login forcing without any domain

'${LOGIN}@DOMAIN1': use of a different domain

12.7. Transformation rule to get credentials of an account in the vault of WALLIX Bastion

A transformation rule based on a character string can be defined to get the credentials of an existing
account in the vault of WALLIX Bastion for a target account configured for account mapping. It
maps a user account to this account in the vault.

This transformation rule only applies when:

• the target account is included in a group configured for account mapping (for further information,
refer to Section 10.5.1.4, “Configure a target group for session management through account
mapping”, page 173)
• the authentication method PUBKEY_VAULT and/or PASSWORD_VAULT is selected at the level
of the connection policy associated with the target

This rule is set in the "Vault transformation rule" field on the configuration page for the related
connection policy, accessible from "Session Management" > "Connection Policies".

The character string includes the following fields:

• ${USER}. This field is replaced by the user login
• ${DOMAIN}. This field is replaced by the user domain in the context of LDAP mapping
• ${USER_DOMAIN}. This field is replaced by the user login + "@" + user domain, if any
• ${GROUP}. This field is replaced by the user group concerned by the authorization
• ${DEVICE}. This field is replaced by the device name

A regular expression (or "regex") can be specified for transformation using this syntax: ${USER:/
regex/substitution}. For example, all user logins beginning with "A" will be replaced by "B" if the
${USER} variable is specified as follows: ${USER:/^A/B}.

The transformation rule returns the string and replaces the fields with the appropriate values.

The result corresponds to the syntax of the existing account in the vault and for which credentials
are to be retrieved.

Example 12.2. Example of transformation rule:

${USER:/^adm_/adm_domain1_}@domain1

The syntax is a regular expression which can be read as follows:

• ${USER: the transformation process is to be applied on the user login part
• /^adm_: the check is to be performed on the login beginning with "adm_"
• /adm_domain1_: if the previous condition is fulfilled, then the login is replaced with this value
• @domain1: this suffix is added and placed after the variable replaced

If the login of the connecting user begins with "adm_", this part is then replaced with
"adm_domain1_". Then, "@domain1" is added at the end of the login syntax.

In the above example, the user login "adm_jdoe" is then replaced with "adm_domain1_jdoe".
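Worked implementation of the field substitution described in Sections 12.6 and 12.7, as an added example that is not part of this guide or of WALLIX's own code. It assumes only the ${NAME} and ${NAME:/regex/substitution} syntax documented above, treats a field without a value as an empty string (an assumption; the guide does not say what happens then), and runs the guide's rules over constructed user values. The names expand_rule, login_fields and vault_fields are chosen here.

```python
import re

# Matches ${NAME} or ${NAME:/regex/substitution}. A slash inside the regex and a
# brace inside the substitution may be backslash-escaped (assumption: the guide
# does not document escaping; this is how the example handles it).
_FIELD = re.compile(r"\$\{([A-Za-z_]+)(?::/((?:[^/\\]|\\.)*)/((?:[^}\\]|\\.)*))?\}")


def expand_rule(rule: str, fields: dict) -> str:
    """Expand a transformation rule against the given field values.

    ${NAME}                     -> fields["NAME"]
    ${NAME:/regex/substitution} -> re.sub(regex, substitution, fields["NAME"])
    A field with no value expands to the empty string (assumption).
    Text outside the ${...} fields is copied through unchanged.
    """
    def replace(match):
        name, regex, substitution = match.group(1), match.group(2), match.group(3)
        value = fields.get(name, "")
        if regex is None:
            return value
        # Python re.sub semantics: the substitution may use \1-style references
        return re.sub(regex, substitution, value)

    return _FIELD.sub(replace, rule)


def login_fields(login: str, domain: str = "") -> dict:
    """Fields available to the "Transformation rule" of Section 12.6."""
    return {"LOGIN": login, "DOMAIN": domain}


def vault_fields(user: str, domain: str, group: str, device: str) -> dict:
    """Fields available to the "Vault transformation rule" of Section 12.7;
    USER_DOMAIN is login + "@" + domain only when a domain exists."""
    return {
        "USER": user,
        "DOMAIN": domain,
        "USER_DOMAIN": f"{user}@{domain}" if domain else user,
        "GROUP": group,
        "DEVICE": device,
    }


if __name__ == "__main__":
    # The guide's own rules applied to constructed values (user "jdoe" / "adm_jdoe").
    print(expand_rule("${LOGIN}@DOMAIN1", login_fields("jdoe", "corp")))            # jdoe@DOMAIN1
    print(expand_rule(r"${DOMAIN}WIN2k3\${LOGIN}", login_fields("jdoe", "corp")))    # corpWIN2k3\jdoe
    print(expand_rule("${USER:/^adm_/adm_domain1_}@domain1",
                      vault_fields("adm_jdoe", "", "admins", "srv1")))           # adm_domain1_jdoe@domain1
```

A login that does not start with "adm_" passes through the regex untouched, so the same rule yields "jdoe@domain1" for user "jdoe": the regex part only rewrites what it matches, it does not act as a filter.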

12.8. Using an antivirus software or a DLP (Data Loss Prevention) solution with ICAP

Connections to ICAP servers provided by antivirus software or DLP (Data Loss Prevention)
solutions can be configured to verify the validity of files transferred during RDP and SSH sessions.

The files which can be verified are those transferred via subprotocols SFTP and SCP
(SFTP_SESSION, SSH_SCP_UP and SSH_SCP_DOWN) during SSH session and from the copy/
paste function via the clipboard (RDP_CLIPBOARD_FILE) during RDP session.

File verification does not interfere with file transfer. The status returned by the ICAP server is logged:

• in the session metadata displayed from the "Session History" page on the "Audit" menu,
in the "Session metadata" area. For further information, refer to Section 12.3.4, “Session
history”, page 225 and Section 12.3.5, “Session recordings”, page 227.
• in SIEM messages, if the routing to a SIEM software is configured on WALLIX Bastion. For
further information, refer to Section 8.9, “SIEM integration”, page 52 and Chapter 17, “SIEM
messages”, page 296.

12.8.1. Configuration of connection to ICAP servers


An ICAP server can be configured for each protocol (RDP and SSH) and for each transfer direction,
i.e.:

• for the files transferred as an “upload” operation from client to server (e.g. an antivirus software)
and
• for the files transferred as a “download” operation from server to client (e.g. a DLP solution)

The settings of ICAP servers can be defined from "Configuration" > "Configuration Options" > "RDP
proxy" (for RDP protocol) or "SSH proxy" (for SSH protocol) within the following sections:

• [icap_server_up] to configure the ICAP server for files transferred as an “upload” operation and
• [icap_server_down] to configure the ICAP server for files transferred as a “download” operation

For each ICAP server, these settings are as follows:

• “Host”: IP address or FQDN of the ICAP server
• “Port”: port of the ICAP server
• “Service name”: service name on the ICAP server
• “Tls”: option to select if TLS is enabled on the ICAP server

12.8.2. Enabling file verification


File verification can be enabled or disabled from "Session Management" > "Connection Policies" >
"RDP" (for RDP protocol) or "SSH" (for SSH protocol). By default, file verification is disabled.

In section [file_verification], the parameters to be entered are as follows:

• “Enable up”: option to select to enable verification of files transferred as an “upload” operation
by the ICAP server. The latter is configured in section [icap_server_up] from the configuration
options of the related proxy (accessible from "Configuration" > "Configuration Options" > "RDP
proxy" or "SSH proxy").
• “Enable down”: option to select to enable verification of files transferred as a “download” operation
by the ICAP server. The latter is configured in section [icap_server_down] from the configuration
options of the related proxy (accessible from "Configuration" > "Configuration Options" > "RDP
proxy" or "SSH proxy").

When the connection policy is defined on the RDP protocol, the section [file_verification] also
allows you to enter the following parameters:

• “Clipboard text up”: option to select to enable verification of text transferred as an “upload”
operation from the copy/paste function via the clipboard by the ICAP servers. The “Enable up”
option must be selected to allow this verification.
• “Clipboard text down”: option to select to enable verification of text transferred as a “download”
operation from the copy/paste function via the clipboard by the ICAP servers. The “Enable down”
option must be selected to allow this verification.

12.8.3. Blocking file transfer on invalid verification


When file verification is enabled from the connection policy defined on the RDP or the SSH protocol
(see Section 12.8.2, “Enabling file verification”, page 242), the transfer of files detected as invalid
during verification can be blocked. This action can be carried out when using file copy/paste function
on the RDP protocol or during file transfer via SCP or SFTP on the SSH protocol (using FileZilla,
OpenSSH or WinSCP clients).

To do so, on the configuration page for the related connection policy, the parameters to be entered
in section [file_verification] are as follows:

• “Block invalid file up”: option to select to block file transfer for an “upload” operation when files
have been detected as invalid during verification
• “Block invalid file down”: option to select to block file transfer for a “download” operation when
files have been detected as invalid during verification

12.8.4. Enabling file storage on invalid verification


When file verification is enabled from the connection policy defined on the RDP or the SSH protocol
(see Section 12.8.2, “Enabling file verification”, page 242), the invalid transferred files can be
stored.
To do so, on the configuration page for the related connection policy, the option “On invalid
verification” in the field “Store file” below section [file_storage] must be selected.
The invalid transferred files can be viewed and downloaded from the "Session History" page on
the "Audit" menu, in the "Transferred files" area. For further information, refer to Section 12.3.4,
“Session history”, page 225 and Section 12.3.5, “Session recordings”, page 227.

Note:
Session recording must be enabled for the authorization defined (see Section 14.1, “Add
an authorization”, page 269) to allow the auditor to view and download the transferred
files from the "Session History" page on the "Audit" menu.

12.9. Enabling storage of files transferred during the RDP or SSH session

The files transferred during the RDP or SSH session can be stored.
To do so, on the configuration page for the related connection policy, accessible from "Session
Management" > "Connection Policies" > "RDP" (for RDP protocol) or "SSH" (for SSH protocol), the
option “Always” in the field “Store file” below section [file_storage] must be selected.
The transferred files can be viewed and downloaded from the "Session History" page on the "Audit"
menu, in the "Transferred files" area. For further information, refer to Section 12.3.4, “Session
history”, page 225 and Section 12.3.5, “Session recordings”, page 227.

Note:
Session recording must be enabled for the authorization defined (see Section 14.1, “Add
an authorization”, page 269) to allow the auditor to view and download the transferred
files from the "Session History" page on the "Audit" menu.

12.10. Enabling smart card authentication on targets for RDP protocol

WALLIX Bastion offers users the possibility to authenticate on Windows targets via the RDP protocol
with smart cards connected on the client desktop and the associated PIN code.
Please refer to the Release Notes document to view the list of smart cards compatible with WALLIX
Bastion.

Note:
The smart card authentication is only possible for the connection to targets through the
interactive login mechanism.

To enable this authentication method, you must:

• Select the “RDP SMARTCARD” proxy option for the RDP service associated with the related
device from the menu “Targets” > “Devices” then “Services” tab
• Select the “Force smartcard authentication” option accessible from “Session management” >
“Connection policies” > “RDP”, section [rdp].

Warning:
After enabling this option, Network Level Authentication (NLA) will be disabled.
The credentials of a possible associated target account can no longer be used.

12.11. Configuration of recorded sensitive data in logs for RDP protocol

It is possible to configure the display or hiding of given sensitive data in logs during the recorded
RDP session.
Thus, the option “Keyboard input masking level”, accessible from “Session Management” >
“Connection Policies” > “RDP”, below section “session log”, allows you to configure whether keyboard
inputs, passwords or unidentified texts are displayed or hidden in the session metadata.
This information can be viewed from the "Session History" page on the "Audit" menu, in the "Session
metadata" area. For further information, refer to Section 12.3.4, “Session history”, page 225 and
Section 12.3.5, “Session recordings”, page 227.

12.12. Allowing or rejecting dynamic virtual channels for RDP protocol

Dynamic virtual channels can be opened during connection to the RDP session to transfer any type
of data.
It is possible to configure the dynamic virtual channels which can be allowed or rejected during the
RDP session.
These channels can be specified in the fields "Allowed dynamic channels" and "Denied dynamic
channels" below the "rdp" section on the configuration page related to the RDP connection policy.
This page can be accessed from "Session Management" > "Connection Policies".
By default, all dynamic virtual channels are allowed. The configuration in the field "Denied dynamic
channels" has precedence over the one set in the field "Allowed dynamic channels".
When attempting to open a dynamic virtual channel, the information related to its authorization or
rejection is logged:

• in the session metadata displayed from the "Session History" page on the "Audit" menu,
in the "Session metadata" area. For further information, refer to Section 12.3.4, “Session
history”, page 225 and Section 12.3.5, “Session recordings”, page 227.
• in SIEM messages, if the routing to a SIEM software is configured on WALLIX Bastion. For
further information, refer to Section 8.9, “SIEM integration”, page 52 and Chapter 17, “SIEM
messages”, page 296.

Warning:
Rejecting dynamic virtual channels may disturb RDP connections.

12.13. Log configuration of all the keyboard input for RLOGIN, SSH and TELNET protocols

The log of all keyboard input, whether displayed or not on the terminal, can be configured for all the
connection policies based on RLOGIN, SSH and TELNET protocols.
This full log can be enabled by selecting the option "Log all kbd" on the configuration page for the
related connection policy, accessible from "Session Management" > "Connection Policies".
When this option is disabled, only keyboard input displayed on the terminal is logged.
This information can be viewed from the "Session History" page on the "Audit" menu, in the "Session
metadata" area. For further information, refer to Section 12.3.4, “Session history”, page 225 and
Section 12.3.5, “Session recordings”, page 227.

Warning:
When this option is enabled, the passwords entered during session are logged and then
displayed as plain text.

12.14. TELNET/RLOGIN connection scenario on a target device

An authentication sequence can be declared by specifying the "Scenario" field on the configuration
page related to the connection policy for the TELNET or RLOGIN protocol. This page can be
accessed from "Session Management" > "Connection Policies". For further information, refer to
Section 12.4, “Connection policies”, page 236.
This sequence can be used to interpret commands sent by an interactive shell and to automate
logon. This pseudo language includes the following syntax:

• SEND: sends a character string
• EXPECT: expects to receive a character string within the next 10 seconds. This value must be
labelled in the server's language.
• (?i): ignores the case
• $login: sends a user name
• $password: sends a password

The following sequence (supported on a 3Com Superstack switch accessible via TELNET):
SEND:\r\n
EXPECT:(?i)login:
SEND:$login\r\n
EXPECT:(?i)Password:
SEND:$password\r\n

is interpreted as follows:

• sends a carriage return
• expects to receive the "login" string (ignoring the case)
• sends the user name followed by a carriage return
• expects to receive the "password" string (ignoring the case)
• sends the password followed by a carriage return

This sequence should also work for TELNET servers running under Windows.
For TELNET servers running under Unix or Linux, you should rather use the following sequence:

EXPECT:(?i)login:
SEND:$login\n
EXPECT:(?i)Password:
SEND:$password\n

For RLOGIN devices, only the password is expected. As an example, the following authentication
sequence has been tested for a RLOGIN connection to a Debian 5.0 lenny system:

EXPECT:(?i)Password:
SEND:$password\n

Note:
As a rule of thumb, login is already provided for SSH connections (in keyboard interactive
mode) and RLOGIN connections. It is necessary to provide it in the sequence only for
TELNET connections.

12.15. Configuration of cryptographic algorithms supported on target devices

The cryptographic algorithms supported on target devices can be configured in the pages related
to the connection policies for the RDP or SSH protocols as detailed in the following sections.

12.15.1. SSH cryptographic settings on target devices


The cryptographic algorithms allowed on target devices can be declared by specifying them in the
fields below the "algorithms" section on the configuration page related to the connection policy for
the SSH protocol. This page can be accessed from "Session Management" > "Connection Policies".
When no algorithm is entered, all algorithms supported by the SSH proxy are allowed on the
target devices.
By default, no algorithm is listed in the fields to ensure highest compatibility with target servers.

Warning:
This section is displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. It should ONLY be changed upon instructions from
the WALLIX Support Team!

12.15.2. RDP cryptographic settings on target devices

The cryptographic algorithms allowed on target devices can be declared by specifying them in
specific fields below the "rdp" section on the configuration page related to the connection policy for
the RDP protocol. This page can be accessed from "Session Management" > "Connection Policies".
These fields are as follows:

• “Tls min level”: minimum TLS version level supported. By default, no minimum level is set in this
field to ensure highest compatibility with target servers.
• “Tls max level”: maximum TLS version level supported. By default, no maximum level is set in
this field to ensure highest compatibility with target servers.
• “Cipher string”: additional cryptographic algorithms used for TLSv1.2 connections supported
by client. By default, no value is specified in this field to apply system-wide configuration
corresponding to SSL security level 2. The value “ALL” must be set to support all cryptographic
algorithms and ensure highest compatibility with target servers.
• “Show common cipher list”: option to select to show in log files the list of common algorithms
supported by client and server

12.16. SSH startup scenario on a target device


A startup scenario can be declared by specifying the "Scenario" field below the "startup scenario"
section on the configuration page related to the connection policy for the SSH protocol. This page
can be accessed from "Session Management" > "Connection Policies".
For example, it can be used at the beginning of the SSH Shell session to assign the user the "root"
privileges using "su" and "sudo" commands without having knowledge of the password.

Note:
A startup scenario can also be used for Shell sessions on TELNET and RLOGIN
protocols. It can be declared by specifying the “Scenario” field below the “startup
scenario” section on the configuration page related to the connection policy defined for the
TELNET or RLOGIN protocol. This page can be accessed from “Session management”
> “Connection policies”.

12.16.1. Commands
A scenario is a sequence of commands separated by a carriage return: a line of the scenario
corresponds to a command.
A command is defined by a type and a value separated by a colon: TYPE:VALUE.
A command starting with # will be ignored.
This startup scenario consists of a sequence of commands based on response request and data
sending. These commands are executed at the beginning of a Shell session related to an SSH
target. The syntax includes the following commands:

• SEND: this command sends the associated value to the server and goes ahead with the
scenario.
The associated value may include a token (refer to Section 12.16.2, “Token”, page 248).
See the example below to send the interactive "sudo" command:

SEND:exec sudo -i
• EXPECT: this command waits for a response from the server in relation to the associated value
before continuing the execution of the scenario.
The associated value is a regular expression. It may include a token (refer to Section 12.16.2,
“Token”, page 248) which will be interpreted before the regular expression. This value must be
labelled in the server's language.
See the example below to wait for a command prompt:
EXPECT:.*@.*:~$

If after a given period of time, no response from the server corresponds to the associated value,
then the scenario fails.

A scenario failure ends the session.

During the scenario execution, no action from the user is permitted except the use of CTRL+C or
CTRL+D to stop the process. This causes the scenario failure and ends the session.
The user takes over the terminal when the scenario has been successfully completed.

12.16.2. Token
The value of a command may include a token.
A token is a part of the value which will be replaced by an attribute provided by the SSH proxy or
WALLIX Bastion.
A token is represented by the following syntax: ${type} or ${type:param} and is defined by a
type and an optional parameter.
The following token types can be used: login, password and user.
There is no parameter to provide for the user token type.
If no parameter is provided for the token types login and password, then the attribute will be the
one of the target account in the current session.

• ${login}: login of the current target account
• ${password}: password of the current target account
• ${user}: login of the primary account, i.e. login of the WALLIX Bastion user

If a parameter is provided, it specifies the account in WALLIX Bastion for which the parameters
("login" and "password") are to be retrieved.

• ${login:account@domain}: login of a global domain account
• ${password:account@domain}: password of a global domain account
• ${login:account@domain@}: login of an account on the current local domain for a device
• ${password:account@domain@}: password of an account on the current local domain for a
device

It is also possible to use placeholder attributes in the token parameter to specify a given scenario
account. The following placeholder attributes can be used:

• <user>: user name

• <user_group>: user group name of the current authorization
• <target_group>: target group name of the current authorization
• <authorization>: name of the current authorization
• <account>: account name of the current target
• <account_domain>: account's domain name of the current target
• <device>: device name of the current target
• <service>: device's service name of the current target

As an example, the token ${password:<user>_root@domain} for the user “wabuser” will be
superseded by ${password:wabuser_root@domain} and then replaced by the password of
the scenario account wabuser_root@domain (global account).
As an example, the token ${login:<account>_<device>@sqldomain} for a user
connected to the target admin@local@sqldevice:SSH:adminauth will be superseded by
${login:admin_sqldevice@sqldomain} and then replaced by the login of the scenario
account admin_sqldevice@sqldomain (global account).
The scenario fails if no attribute has been retrieved for the token.
See the example below of a script for privilege elevation using the "sudo" command:
SEND:exec sudo -i
EXPECT:password.*:
SEND:${password}

See the example below of a script for switching user on a "root" account on the same device using
the "su" command:
SEND:exec su - root
EXPECT:Password:
SEND:${password:root@local@}

See the example below of an interactive access to a MySQL database on a global domain in WALLIX
Bastion:
SEND:exec mysql -u ${login:<account>_<device>@sqldomain} -p mybdd
EXPECT:password:
SEND:${password:<account>_<device>@sqldomain}
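The scenario language of Sections 12.14 and 12.16 (SEND/EXPECT commands, the $login and $password variables, ${type} and ${type:param} tokens with <placeholder> attributes), as an added example that is neither this guide's nor WALLIX's code: a small interpreter run against a scripted stand-in for the target shell, so the TELNET logon sequence and the sudo, su and mysql startup scenarios above can be traced offline. FakeHost, run_scenario, expand_tokens, the SESSION and VAULT dictionaries with their accounts and passwords, and a timeout counted in host polls rather than seconds are all constructed for this example; the proxy's real data structures are not known from the guide.

```python
import re
from typing import Dict, List, Tuple


class ScenarioError(Exception):
    """Unknown command, unresolved token or EXPECT timeout: the session would end."""


# Placeholder attributes accepted inside a token parameter (Section 12.16.2).
PLACEHOLDERS = ("user", "user_group", "target_group", "authorization",
                "account", "account_domain", "device", "service")


def expand_tokens(value: str, session: dict, vault: Dict[str, Dict[str, str]]) -> str:
    """Replace ${login}, ${password}, ${user}, ${login:param}, ${password:param}
    and the TELNET-style $login / $password variables of Section 12.14.

    `session` holds the placeholder attributes and the current target account;
    `vault` maps "account@domain" (or "account@domain@" for a local domain) to
    its login and password. Both are constructed stand-ins for the Bastion data.
    """
    def resolve(match):
        ttype, param = match.group(1), match.group(2)
        if ttype == "user":
            return session["user"]
        if ttype not in ("login", "password"):
            raise ScenarioError(f"unknown token type {ttype!r}")
        if param is None:                       # no parameter: current target account
            return session["target_account"][ttype]
        for name in PLACEHOLDERS:               # <account>_<device>@dom -> admin_sqldevice@dom
            param = param.replace(f"<{name}>", session.get(name, ""))
        account = vault.get(param)
        if account is None:                     # no attribute retrieved: scenario fails
            raise ScenarioError(f"no vault account {param!r}")
        return account[ttype]

    value = re.sub(r"\$\{(\w+)(?::([^}]*))?\}", resolve, value)
    return re.sub(r"\$(login|password)\b", lambda m: session["target_account"][m.group(1)], value)


class FakeHost:
    """Scripted target shell: `replies` pairs a regex on the text received from
    the proxy with the output the host answers; `banner` is printed first."""

    def __init__(self, banner: str, replies: List[Tuple[str, str]]):
        self.pending, self.replies, self.received = banner, replies, []

    def send(self, text: str) -> None:
        self.received.append(text)
        for pattern, reply in self.replies:
            if re.search(pattern, text):
                self.pending += reply
                break

    def read(self) -> str:
        out, self.pending = self.pending, ""
        return out


def run_scenario(scenario: str, host: FakeHost, session: dict,
                 vault: Dict[str, Dict[str, str]], timeout: int = 10) -> Tuple[bool, List[str]]:
    """Execute the scenario line by line; return (succeeded, texts sent to the host).
    `timeout` counts host polls instead of seconds so the example is deterministic."""
    buffer = ""
    try:
        for raw in scenario.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):    # comment lines are ignored
                continue
            cmd, _, value = line.partition(":")
            if cmd == "SEND":
                # \r and \n in the scenario are sent as CR / LF; decode before token
                # expansion so a secret containing a backslash is left untouched
                text = value.replace("\\r", "\r").replace("\\n", "\n")
                host.send(expand_tokens(text, session, vault))
            elif cmd == "EXPECT":
                pattern = re.compile(expand_tokens(value, session, vault))
                for _ in range(timeout):
                    buffer += host.read()
                    if pattern.search(buffer):
                        buffer = ""
                        break
                else:                               # nothing matched in time
                    raise ScenarioError(f"timeout waiting for {value!r}")
            else:
                raise ScenarioError(f"unknown command {cmd!r}")
    except ScenarioError:
        return False, host.received                 # the proxy would end the session here
    return True, host.received


# Constructed session context and vault: a Bastion user "wabuser" connected to the
# target admin@local@sqldevice, whose target account is jdoe / S3cret!.
SESSION = {"user": "wabuser", "account": "admin", "device": "sqldevice",
           "target_account": {"login": "jdoe", "password": "S3cret!"}}
VAULT = {"wabuser_root@domain": {"login": "root", "password": "RootPw-1"},
         "admin_sqldevice@sqldomain": {"login": "dbadmin", "password": "DbPw-2"},
         "root@local@": {"login": "root", "password": "LocalRoot-3"}}
```

Running the guide's sudo scenario against `FakeHost("", [("sudo -i", "[sudo] password for jdoe: "), ("S3cret!", "\nroot@srv:~# ")])` sends "exec sudo -i", waits for the password prompt, then sends the target account's password, and the user only gets the terminal once the final prompt has been seen; an EXPECT that never matches, or a ${password:...} naming an account absent from the vault, makes run_scenario return False, which is the point where the proxy closes the session rather than handing over a half-completed logon.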

12.16.3. Startup scenario configuration


A startup scenario is configured in the "startup_scenario" section for the connection policies based
on the SSH protocol.
This mode can be enabled by selecting the "Enable" check box on the configuration page related to
the connection policy for the SSH protocol. This page can be accessed from "Session Management"
> "Connection Policies".
This section consists of the following fields:

• "Enable": this check box allows you to enable or disable the startup scenario. By default, this option
is disabled.
• "Scenario": a startup scenario can be declared in this field.
• "Show output": this check box allows you to display or hide inputs/outputs on the Shell during the
scenario execution. By default, this option is enabled.

• "Timeout": this field allows to define the time period (expressed in seconds) before the failure of
an EXPECT command.

Warning:
This field is displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. It should ONLY be changed upon instructions from
the WALLIX Support Team!

• "Ask startup": this check box allows you to enable or disable a prompt asking the user whether he/she
wishes to run the scenario. By default, the scenario is always executed.

Warning:
This field is displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. It should ONLY be changed upon instructions from
the WALLIX Support Team!

12.17. Transparent mode configuration for RDP and SSH proxies

The transparent mode allows the proxy to intercept network traffic for a target even when the user
specifies the target's address directly, instead of using the WALLIX Bastion address.
This mode can be enabled from "Configuration" > "Configuration Options":

• on the "RDP proxy" configuration page by selecting "Enable transparent mode" below section
"globals"
• on the "SSH proxy" configuration page by selecting "Enable transparent mode" below section
"main"

In order to use the transparent mode, the network should be configured in a way that the RDP or
SSH traffic going to the targets is first redirected to a WALLIX Bastion user network interface. It
could be achieved using routing rules. WALLIX Bastion then acts as a gateway.
The proxy intercepts the traffic sent to the TCP port 3389 (for RDP and VNC protocols). Any traffic
not destined to WALLIX Bastion but intercepted by WALLIX Bastion on any other port (other
than 3389) is lost.
The proxy picks up automatically the target by looking at the destination IP address of the
connection. When only a single target is identified by the address, the connection is performed
automatically without the display of the selector. In the other cases, the selector displays the list of
targets matching this address.
Moreover, it is possible to define a set of targets belonging to a subnet. This is achieved by entering
a subnet instead of an IP address in the "Device host" field during the creation of the device, from
the "Devices" page, by using a CIDR notation (<network address>/<number of mask bits>). For
further information on this configuration, refer to Section 10.1.1, “Add a device”, page 124.
If the destination IP address of the connection corresponds to several targets and at least one of
these is defined by an IP address (or FQDN), then the targets defined by subnets are ignored.
When only a single target remains, the connection is performed automatically without displaying
the selector.
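The target selection rules above (lookup by destination IP address, targets defined by an IP address or FQDN taking precedence over targets defined by a subnet, automatic connection when a single target remains, and traffic on ports other than 3389 being lost) can be reproduced in a few lines. The following Python script is an added illustration and is not code from WALLIX Bastion; the device inventory, the name `web01.corp.example` and the static name resolver standing in for DNS are constructed for the example, and the "no-target" result for an address matching nothing is the script's own reporting, since the guide does not describe that case.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    host: str  # the "Device host" field: an IP address, an FQDN or a subnet in CIDR notation


# Constructed sample inventory (hypothetical names, not a real configuration).
DEVICES = [
    Device("web01", "10.0.1.10"),
    Device("web01-by-name", "web01.corp.example"),
    Device("lab-subnet", "10.0.1.0/24"),
    Device("site-subnet", "10.0.0.0/16"),
]
# Static name resolution standing in for DNS (constructed for the example).
RESOLVER = {"web01.corp.example": "10.0.1.10"}

RDP_PORT = 3389  # the only port the transparent RDP proxy intercepts


def host_kind(host):
    """Classify a "Device host" value as 'ip', 'subnet' or 'fqdn'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(host, strict=False)
        return "subnet"
    except ValueError:
        return "fqdn"


def resolve_targets(devices, destination_ip, resolver):
    """Return the devices matching a destination IP address.

    Devices defined by an IP address or FQDN are exact matches; devices defined
    by a subnet only count when no exact match exists, as the guide states.
    """
    dest = ipaddress.ip_address(destination_ip)
    exact, by_subnet = [], []
    for device in devices:
        kind = host_kind(device.host)
        if kind == "ip" and ipaddress.ip_address(device.host) == dest:
            exact.append(device)
        elif kind == "fqdn" and resolver.get(device.host) == str(dest):
            exact.append(device)
        elif kind == "subnet" and dest in ipaddress.ip_network(device.host, strict=False):
            by_subnet.append(device)
    return exact if exact else by_subnet


def transparent_mode_decision(devices, destination_ip, destination_port=RDP_PORT, resolver=RESOLVER):
    """Decide what the transparent RDP proxy does with an intercepted connection.

    Returns (decision, target_names): 'dropped' for traffic on a port other than
    3389, 'auto-connect' for a single matching target, 'selector' when several
    targets match, and 'no-target' when none does (the guide does not specify
    the proxy's behaviour in that last case; it is only reported here).
    """
    if destination_port != RDP_PORT:
        return "dropped", []
    matches = resolve_targets(devices, destination_ip, resolver)
    if not matches:
        return "no-target", []
    if len(matches) == 1:
        return "auto-connect", [matches[0].name]
    return "selector", [d.name for d in matches]


if __name__ == "__main__":
    for ip in ("10.0.1.10", "10.0.1.20", "10.0.2.5", "192.168.1.1"):
        print(ip, transparent_mode_decision(DEVICES, ip))
```

Running the script shows the two precedence effects: 10.0.1.10 matches both the IP-defined and the FQDN-defined device, so the subnet devices covering it are ignored and the selector lists two entries, whereas 10.0.1.20 matches only subnets and both subnet devices are listed.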


Once the RDP or SSH transparent mode is enabled, the following parameters can be set to control
the proxy behavior:

• The option "Auth mode passthrough" (accessible from "Configuration" > "Configuration Options"
> "SSH proxy" for SSH; or "Configuration" > "Configuration Options" > "RDP proxy sesman"
for RDP) enables or disables authentication delegation. When delegation is enabled, WALLIX
Bastion does not perform the authentication itself when it receives a connection request: the
request is forwarded directly to the target and WALLIX Bastion authorizes the connection if the
authentication by the target succeeds. This allows WALLIX Bastion to be deployed in an
environment where only the target knows the credentials, as is the case for some configurations
of VMware Horizon View for instance.
• The "Default login" field (accessible from "Configuration" > "Configuration Options" > "SSH proxy"
for SSH; or "Configuration" > "Configuration Options" > "RDP proxy sesman" for RDP) specifies
a WALLIX Bastion user different from the RDP or SSH identity. In this case, the sessions and
their records are associated with this WALLIX Bastion user. The RDP or SSH identity information
is recorded in the target field when available.

12.18. Enabling KeepAlive function for the proxies
The KeepAlive function keeps a session open even when there is no network traffic between
WALLIX Bastion and the client or the target server. WALLIX Bastion then sends a message to
the client or the target server to keep the connection between them alive.

12.18.1. Enabling KeepAlive function for connection between the RDP proxy and the RDP client
This function is enabled by setting the time interval between two KeepAlive messages, expressed
in milliseconds. This parameter is managed via "Configuration" > "Configuration Options" > "RDP
proxy", in the option "Rdp keepalive connection interval". This value is set to "0" by default: the
function is then disabled.

Warning:
RDP clients based on FreeRDP may conflict with KeepAlive messages.

12.18.2. Enabling KeepAlive function for connection between the SSH proxy and the SSH client
This function is enabled by setting the time interval between two KeepAlive messages, expressed
in seconds. This parameter is managed via "Configuration" > "Configuration Options" > "SSH
proxy", in the option "Client keepalive". This value is set to "120" by default: the function is then
enabled with a 2-minute interval between two KeepAlive messages.

Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!


12.18.3. Enabling KeepAlive function for connection between the SSH proxy and the SSH target server
This function is enabled by specifying the following fields below the “session” section on the
configuration page related to the connection policy for the SSH protocol, accessible from "Session
Management" > "Connection Policies":

• "Server keepalive type": this option enables the sending of KeepAlive messages to the server
and selects the packet type to send. The value "none" is selected by default: the function is
then disabled.
• "Server keepalive interval": this option specifies the time interval in seconds between two
KeepAlive messages, once the function has been enabled by selecting a packet type in the
option "Server keepalive type". This value is set to "0" by default: the function is then
disabled.

Warning:
These fields are displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. They should ONLY be changed upon instructions
from the WALLIX Support Team!

12.19. Using the session probe mode


The session probe allows the collection of a rich set of session metadata related to the activity of
users. This information can be sent to a SIEM software to identify significant events. For further
information, refer to Section 8.9, “SIEM integration”, page 52.
The session probe requires no specific deployment. It runs in the user's RDP session according to
his/her privileges. Consequently, it does not increase the attack surface of the information system.
This mode can be enabled by selecting the option "Enable session probe" on the configuration page
related to the connection policy for the RDP protocol. This page can be accessed from "Session
Management" > "Connection Policies".
Metadata collected by the session probe refers to the following events:

• change of active window
• operation on a button in a window
• selection of a radio button or a check box in a window
• change of content in a text field on a window
• change of the layout of the keyboard keys
• starting and ending of a process
• exchange of files via the clipboard
• exchange of files via redirected local drives

The session probe can also block the TCP jump connections. A jump connection passes through a
WALLIX Bastion target to access another machine on the internal network. The session probe can
then detect and stop this type of connection.
The session probe protects the passwords entered in the session by detecting when the input
cursor is in a password input field or a UAC (User Account Control) window. When such an
event occurs in the session, the session probe informs WALLIX Bastion so that the latter can pause
the collection of keyboard input data.

12.19.1. Default operating mode


The session probe is enabled by default on the configuration page related to the connection policy
for the RDP protocol, which can be accessed from "Session Management" > "Connection Policies".
If startup fails, WALLIX Bastion can be configured to attempt a new connection without using the
session probe. This fallback mechanism ensures access to a usable RDP session but lengthens the
time required to set up the connection. The default operating mode has been designed for the
parameter-setting phase and should not be used in production.
If the session probe stops for any reason, WALLIX Bastion stops the current session.
As with a classic RDP session, if the user disconnects without closing a session using the session
probe, the session continues to run through the remote desktop service (for a predetermined
period). During this interval, the user can return to the session exactly where s/he left it.
For security reasons, the session probe implements a mechanism that prevents the user from
recovering an incompatible session instead of the current one.
The discrepancies that prevent one session from being recovered by another are as follows:

• a difference in primary account
• a difference in the target type ("device" or "application")
• a difference in the target application

If WALLIX Bastion detects that it is not possible to recover the RDP session, the current connection
is closed and a new one will take over in a transparent way for the user.

12.19.2. Choice of the launcher


The smart launcher is used by default for a normal RDP session. However, the standard launcher
can be used by editing the connection policy, which can be accessed from "Session Management"
> "Connection Policies".
There is an exception: when the RDP client has specified a program to run at connection startup,
then the standard launcher is used for the session probe.
The connection to an application (as defined via "Targets" > "Applications") can only be made
through the standard launcher. This selection is automatically performed by the RDP proxy.

12.19.3. Prerequisites
The session probe operates under a Windows operating system with the Remote Desktop services
supporting the "alternate shell" function.
Environments under Windows XP and servers from Windows Server 2003 support the smart
launcher.
When the smart launcher is used:

• the redirection of clipboard must be allowed by Remote Desktop Services (or Terminal Services)
on the target. This is the default setting.
• the keyboard shortcut Windows+R must be enabled at the level of the group policies for
the target (this is the default setting). Keyboard shortcuts can be disabled via "Local Group
Policy Editor" > "User Configuration" > "Administrative Templates" > "Windows Components" >
"Windows Explorer" or "File Explorer" > "Turn off Windows+X hotkeys" or "Turn off Windows Key
hotkeys".

The standard launcher only operates on targets under Windows Server and Windows XP
environments. It does not support targets under Windows 7, 8.x and 10.

From Windows Server 2008 and only when the standard launcher is used, it is
necessary to publish the "Command Prompt" (cmd.exe) as the RemoteApp program.
For further information, refer to https://technet.microsoft.com/en-gb/library/
cc753788.aspx. Moreover, all command line parameters must be allowed for this
program by selecting the radio button "Allow any command-line parameters" in the
"Remote Desktop Connection Program properties" dialog box. For further information, refer
to https://blogs.technet.microsoft.com/infratalks/2013/02/06/publishing-
remoteapps-and-remote-session-in-remote-desktop-services-2012/.

The redirection of local disks must be allowed by Remote Desktop Services (or Terminal Services)
on the target. This is the default setting.

The temporary folder of the secondary account (Windows account) must have at least 5 MB of free
disk space.

The Windows user account must be able to launch batch scripts and executables from its own
temporary directory (this is the default setting). A software restriction can be set via "Local
Group Policy Editor" > "Computer configuration" > "Windows Settings" > "Security Settings" >
"Software Restriction Policies" by adding a new rule in "Additional Rules".

When opening a new RDP session, applications that launch automatically at startup and require a
user account control (UAC) confirmation request may block the session probe. We recommend not
configuring the automatic launch of applications requiring a UAC confirmation request.

12.19.4. Configuration
The configuration of the session probe is set on the configuration page related to the connection
policy for the RDP protocol, which can be accessed from "Session Management" > "Connection
Policies". The section "session probe" lists the following parameters:

"Enable session probe" field

Select/deselect the check box to enable/disable the session probe.

"Use smart launcher" field

Select/deselect the check box to enable/disable the use of the Smart Launcher when launching
the session probe.

Warning:
Targets under Windows XP and Windows Server 2003 and later versions are supported.

Unless you wish to use the session probe when running an application, it is not necessary
to publish the command prompt (cmd.exe) as the RemoteApp program to use the smart
launcher.

The redirection of clipboard must be enabled by Terminal Services to be able to use the
smart launcher (this is enabled by default).

"Enable launch mask" field

The session probe is loaded by a batch script. Without the launch mask, this script displays an
unfriendly black console window in the RDP session; moreover, the user may interact with it and
disrupt the loading process. Enabling the launch mask hides this window and blocks mouse and
keyboard input during the session probe loading phase.
The data displayed in the console window is useful for diagnosing session probe loading problems.
This is why the launch mask can be disabled.

Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!

"On launch failure" field

Select the desired behavior in the event of a failed launch of the session probe.
The option "0: ignore failure and continue" may not operate properly under some versions of
Windows.

"Launch timeout" field

This field is used when the behavior selected in the "On launch failure" field is "1: disconnect
user". It specifies the waiting time (expressed in milliseconds) after which WALLIX Bastion
considers the session probe launch to have failed.

Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!

"Launch fallback timeout" field

This field is used when the behavior selected in the "On launch failure" field is "0: ignore failure
and continue" or "2: reconnect without Session Probe". It specifies the waiting time (expressed in
milliseconds) after which WALLIX Bastion considers the session probe launch to have failed.

Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!

"Start launch timeout timer only after logon" field


Select the check box to optimize the launching of the session probe.

Warning:
Only servers from Windows Server 2008 and above are supported!


"Keepalive timeout" field

This field specifies the maximum waiting time (expressed in milliseconds) between WALLIX Bastion
sending a KeepAlive request to the session probe and receiving the corresponding response.

WALLIX Bastion sends KeepAlive messages to the session probe on a regular basis. If no response
arrives before the period defined here expires, WALLIX Bastion considers that the session probe
is no longer active and stops the connection.

WALLIX Bastion can also stop the connection when the behavior selected in the "On keepalive
timeout" field corresponds to "1: disconnect user".

Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!

"On keepalive timeout" field

Select the desired behavior when a loss of response to the KeepAlive message is detected.

The option "2: freeze session and wait for next keepalive response" freezes the current session
and displays an error message. The session will be reactivated upon receipt of the response to the
KeepAlive message.

"End disconnected session" field

If this check box is selected then disconnected sessions will be automatically closed by the session
probe.

Warning:
A network failure may cause the disconnection of the current RDP sessions. If this option
is enabled, any unsaved data will be lost.

"Enable log" field

If this check box is selected then the log files for the Windows session are stored on the user's
temporary directory.

We recommend not keeping this log active for a long period as it may be rather verbose and cause
hard disk saturation.

Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!

"Enable bestsafe interaction" field

Select/deselect the check box to enable/disable the interaction of the session probe with the
WALLIX BestSafe agent. For further information, refer to Section 12.20, “Using the session probe
mode with the WALLIX BestSafe agent”, page 259.


"Public session" field

If this check box is selected, a disconnected session (i.e. one which has not been signed off by the
user) can be recovered by another user.

"Outbound connection monitoring rules" field

This field specifies the rules for blocking TCP jump connections.
These rules are generally formed as follows: <$prefix:><connection address:port>.
Rules are separated from one another by a comma (",").
The following formats are allowed for the destination port:

• a specific port, e.g. "3389"
• any port: "0" or "*"
• an inclusive port range, e.g. "1024-65535". One of the two range bounds can be omitted; in this
case, "1" is the default value for the beginning of the range and "65535" the default value for its
end.

An authorization rule is formed with the $allow prefix. It allows the connection to remote hosts.
A notification rule is formed with the $notify prefix. It allows the connection to remote hosts and
generates a notification.
A prohibition rule is formed with the $deny prefix. It prohibits the connection. The $deny prefix
can be omitted. A rule formed with the $deny prefix has precedence over a rule formed with the
$notify prefix for the same connection address.
For example, to prohibit all RDP jump connections, the following rule can be entered:
"$deny:0.0.0.0/0:3389" or "0.0.0.0/0:3389".
"Process monitoring rules" field

This field specifies the monitoring rules applied when processes are launched.
These rules are generally formed as follows: <$prefix:><search pattern>.
Rules are separated from one another by a comma (",").
A notification rule is formed with the $notify prefix. It generates a notification.
E.g.: $notify:notepad.exe: the opening of the application notepad.exe is notified but not forbidden.
A prohibition rule is formed with the $deny prefix. In addition to the notification, it stops the
process. The $deny prefix can be omitted. A rule formed with the $deny prefix has precedence
over a rule formed with the $notify prefix.
E.g. 1: $deny:notepad.exe: the opening of the application notepad.exe is forbidden and notified.
E.g. 2: notepad.exe,cmd.exe: the opening of the applications notepad.exe and cmd.exe is
forbidden and notified.
E.g. 3: $notify:notepad.exe,$deny:notepad.exe: same result as for E.g. 1 above.
Moreover, the rules formed with <$prefix:><@> apply to all the child processes of the application
(as defined via "Targets" > "Applications"). Thus, if this rule is:

• $deny:@, then the opening of any child process (whatever the name) is forbidden and notified

257
WALLIX Bastion 9.0.2 – Administration Guide

• $notify:@, then the opening of any child process (whatever the name) is notified but not forbidden
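As an added illustration of both the "Outbound connection monitoring rules" and the "Process monitoring rules" formats described above (this is example code written for this guide page, not the session probe's own implementation), the following Python script parses rule strings and evaluates a connection or a process launch against them, applying the precedence of $deny over $notify and the omitted-prefix and port-range defaults stated in the text. The sample rule strings are constructed. Three choices go beyond what the guide states and are assumptions: outbound rule addresses are limited to IPv4 addresses and CIDR subnets, a process search pattern is matched as a case-insensitive executable name, and $deny is ranked above $allow when both match.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample rule strings in the guide's format (not real configuration values).
OUTBOUND_RULES = "$deny:0.0.0.0/0:3389,$notify:10.0.9.0/24:1024-,$allow:10.0.8.0/24:*"
PROCESS_RULES = "$notify:notepad.exe,$deny:notepad.exe,cmd.exe,$notify:@"

PREFIXES = ("$allow", "$notify", "$deny")


def split_prefix(rule: str, default: str = "$deny"):
    """Separate the optional $prefix from the rule body; $deny may be omitted."""
    rule = rule.strip()
    for prefix in PREFIXES:
        if rule.startswith(prefix + ":"):
            return prefix, rule[len(prefix) + 1:]
    return default, rule


def parse_ports(spec: str):
    """A single port, '0' or '*' for any port, or an inclusive range 'a-b'
    where either bound may be omitted (1 and 65535 are the defaults)."""
    spec = spec.strip()
    if spec in ("0", "*"):
        return 1, 65535
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return (int(lo) if lo else 1), (int(hi) if hi else 65535)
    return int(spec), int(spec)


@dataclass(frozen=True)
class OutboundRule:
    action: str
    network: ipaddress.IPv4Network
    port_lo: int
    port_hi: int

    def matches(self, ip: str, port: int) -> bool:
        return ipaddress.ip_address(ip) in self.network and self.port_lo <= port <= self.port_hi


def parse_outbound_rules(text: str):
    """Parse comma-separated '<$prefix:><address:port>' rules.
    Assumption: the address part is an IPv4 address or a CIDR subnet."""
    rules = []
    for raw in (r for r in text.split(",") if r.strip()):
        action, body = split_prefix(raw)
        address, port_spec = body.rsplit(":", 1)
        lo, hi = parse_ports(port_spec)
        rules.append(OutboundRule(action, ipaddress.ip_network(address, strict=False), lo, hi))
    return rules


def decide(actions) -> Optional[str]:
    """Combine the actions of all matching rules. The guide states that $deny takes
    precedence over $notify; ranking $deny above $allow as well is an assumption."""
    for action in ("$deny", "$notify", "$allow"):
        if action in actions:
            return action
    return None  # no rule matched; the guide does not state the probe's behaviour here


def evaluate_outbound(rules, ip: str, port: int) -> Optional[str]:
    return decide({rule.action for rule in rules if rule.matches(ip, port)})


def parse_process_rules(text: str):
    """Parse comma-separated '<$prefix:><search pattern>' rules; the pattern '@'
    stands for any child process of a published application."""
    return [split_prefix(r) for r in text.split(",") if r.strip()]


def evaluate_process(rules, exe_name: str, child_of_application: bool = False) -> Optional[str]:
    """Assumption: a search pattern is matched as a case-insensitive executable name."""
    hits = set()
    for action, pattern in rules:
        if pattern == "@":
            if child_of_application:
                hits.add(action)
        elif pattern.lower() == exe_name.lower():
            hits.add(action)
    return decide(hits)


if __name__ == "__main__":
    outbound = parse_outbound_rules(OUTBOUND_RULES)
    for ip, port in (("10.0.5.4", 3389), ("10.0.9.7", 8080), ("10.0.9.7", 3389),
                     ("10.0.8.3", 445), ("172.16.0.1", 22)):
        print(f"{ip}:{port} -> {evaluate_outbound(outbound, ip, port)}")
    processes = parse_process_rules(PROCESS_RULES)
    for exe in ("notepad.exe", "CMD.EXE", "calc.exe"):
        print(f"{exe} -> {evaluate_process(processes, exe)}")
```

The sample outbound rules reproduce the guide's "block all RDP jumps" example and show how a $notify rule on a subnet loses to the global $deny on port 3389 while still applying on other ports in its range; the process rules reproduce E.g. 2 and E.g. 3 and the "@" child-process rule.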

"Extra system processes" field

This field specifies the processes to be ignored by end-of-application detection.

The processes are separated from one another by a comma (",").

"Childless window as unidentified input field" field

If this check box is selected then the data entered (such as passwords) in top-level windows of
applications are masked when no graphic component has been detected.

These windows are then considered as unidentified input fields.

Warning:
This parameter only works if the value “2: passwords and unidentified texts are masked”
has been selected in “Keyboard input masking level” below section “session log”, for
information display in the session metadata.

"Windows of these applications as unidentified input field" field

If application executable files (e.g. "chrome.exe") are specified in this field, then the data entered
in the windows generated by these applications are masked.

These windows are then considered as unidentified input fields.

The executable files are separated between them by a comma (",").

Warning:
This parameter only works if the value “2: passwords and unidentified texts are masked”
has been selected in “Keyboard input masking level” below section “session log”, for
information display in the session metadata.

12.19.5. Launching the session probe from a specific directory
By default, the session probe is executed automatically from the temporary directory of the Windows
user account when connecting to the target to perform an RDP session. However, hardware
restrictions may sometimes prevent this execution. It is then possible to define another directory
from which the session probe will be launched.

To enable the launch of the session probe from another location than the temporary directory of the
Windows user account, the procedure is as follows:

1. Create a new directory on the target which will be used as the startup directory by the session
probe.

Important:
All Windows users must have write permission.

2. Set an environment variable for all Windows users on the target pointing to this new directory.


Important:
The maximum length of the environment variable name is restricted to 3 characters.

3. Specify the name of this environment variable in the field “Alternate directory environment
variable” (displayed as an advanced option) below section “session probe” on the configuration
page related to the connection policy for the RDP protocol. This page can be accessed from
“Session Management” > “Connection Policies”.

Warning:
The session probe executable file will thus remain in the directory. This file will be
overwritten on next connection.

12.20. Using the session probe mode with the WALLIX BestSafe agent
When the agent WALLIX BestSafe is deployed on a Windows target, it may interact with the session
probe to improve its collection of session metadata.

Note:
The interaction is supported from WALLIX BestSafe Enterprise version 4.0.0.

12.20.1. Enabling the interaction with the WALLIX BestSafe agent
The session probe is enabled by default on the configuration page related to the connection policy
for the RDP protocol, which can be accessed from "Session Management" > "Connection Policies".

By default, the interaction with the WALLIX BestSafe agent is disabled. This parameter can be
managed via "Session Management" > "Connection Policies" > "RDP", then select the option
"Enable bestsafe interaction" below section "session probe".

12.20.2. Event logging


The session probe receives notifications of all events detected and/or generated by the WALLIX
BestSafe agent deployed on Windows targets. These notifications are then transferred and logged
to WALLIX Bastion through the session metadata and the SIEM messages.

12.20.3. Detection of outbound connections


The session probe automatically creates a monitoring rule from the WALLIX BestSafe agent in
order to be notified of outbound connections. When a notification is received from the agent,
the session probe responds according to the rules (allow, deny, or notify) set in the "Outbound
connection monitoring rules" field. For further information on this field, refer to Section 12.19.4,
“Configuration”, page 254. On Windows targets where the WALLIX BestSafe agent is not deployed,
the session probe's original detection mechanism continues to operate.


12.20.4. Detection of process launching


The session probe automatically creates a privilege rule from the WALLIX BestSafe agent in
order to be notified when processes are launched. When a notification is received from the
agent, the session probe responds according to the rules (allow, deny, or notify) set in the
"Process monitoring rules" field. For further information on this field, refer to Section 12.19.4,
“Configuration”, page 254. On Windows targets where the WALLIX BestSafe agent is not deployed,
the session probe's original detection mechanism continues to operate.

12.21. Load balancing with Remote Desktop Connection Broker
Remote Desktop Connection Broker (RD Connection Broker) is a role service on Windows Server
2012 and 2016 operating systems providing the specific functionalities to:

• allow users to reconnect to their existing sessions in a load-balanced RD Session Host server
farm
• enable you to evenly distribute the session load among RD Session Host servers in a load-
balanced RD Session Host server farm
• provide users access to virtual desktops hosted on RD Virtualization Host servers and to
RemoteApp programs hosted on RD Session Host servers through RemoteApp and Desktop
Connection.

Figure 12.16. Load balancing

12.21.1. Prerequisites
WALLIX Bastion supports Remote Desktop Connection Broker with the following configuration:

• at least one server must have access to the role service RD Connection Broker
• at least one server must have access to the role service RD Licensing
• at least one server must have access to the role service RD Web Access
• role services RD Connection Broker, RD Licensing and RD Web Access can share the same
server

• several servers must have access to the role service RD Session Host

Caution:
We recommend not installing the role service RD Session Host on a server hosting the
role service RD Connection Broker.
RD Connection Broker cannot be used with a WALLIX Bastion cluster, as the two services
interfere with each other. We strongly recommend giving priority to RD Connection Broker
for load balancing.

It is not necessary to choose among Remote Desktop or RemoteApp collections when resources
are accessed via the WALLIX Bastion Web interface. Indeed, WALLIX Bastion uses RemoteApp
collections for all connections.
RD Connection Broker must be set on RD Session Host servers. This can be performed locally (on
each RD Session Host) with Local Group Policy Editor (gpedit.exe).
The values to edit are located under the following path:

• Local Computer Policy > Computer Configuration > Administrative Templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host > RD Connection Broker

These values are as follows:

• Join RD Connection Broker
• Configure RD Connection Broker farm name
• Configure RD Connection Broker server name
• Use RD Connection Broker load balancing

12.21.2. Configuration
RD Connection Broker must be declared on WALLIX Bastion as a target.
In order to reach RD Connection Broker directly (and not one of the RD Session Hosts), the "Load
balance info" field must be specified in the RDP connection policy, via "Session Management"
> "Connection Policies".
This field must be filled in with the value of the "loadbalanceinfo:s:" field in the .rdp file saved
from the Work Resources page on RD Web Access (https://<ip-rd_web_access>/rdweb/).
Here is an example of such a value: tsv://MS Terminal Services Plugin.1.Sessions.
For further information on connection policies, refer to Section 12.4, “Connection
policies”, page 236.

12.22. Connection messages


From the “Connection messages” page on the “Configuration” menu, you can view and edit the
banner messages displayed to the users on primary and secondary connections according to their
preferred language. These messages are displayed on:

• the Web interface login screen
• the RDP proxy login screen
• the SSH terminal during authentication

Note:
These messages are not displayed to users for the following sessions: SFTP, SCP
or remote command (SSH_REMOTE_COMMAND) with an SSH key for primary
authentication or a Kerberos ticket.

Figure 12.17. "Connection messages" page


Chapter 13. Dashboards


The “Dashboards” menu provides a detailed analysis of all the connections made through WALLIX
Bastion in an administration or audit context, in the form of numerical data, tabular views and charts
over a given period of time.

Note:
The “Dashboards” entry will not be displayed on the Web interface if the “Enable
modules” option, accessible from “Configuration” > “Configuration options” > “Module
configuration”, section “main” is deselected. This option is displayed when the check box
of the “Advanced options” field at the top right of the page has been selected. It should
ONLY be changed upon instructions from the WALLIX Support Team!

13.1. Administration dashboard


From the “Administration” page on the “Dashboards” menu, it is possible to generate charts from
statistical data defined on the “Live” tab, or to obtain a detailed view of the numerical data in the
form of indicators on the “KPIs” tab.

The data viewable from this dashboard corresponds primarily to user connections and target
connections.

Important:
Only the user whose profile is associated with the “Administration” dashboard is allowed
to view the “Administration” entry in the “Dashboards” menu.

By default, the user associated with the “product_administrator” or
“operation_administrator” profile can access this menu entry.

For further information on user profiles, refer to Section 9.3, “User profiles”, page 86.

13.1.1. View the data on the “Live” tab


The “Live” tab allows the user to generate charts based on the data entered in the filter areas
displayed at the top of the page:

• The “Time filter” area allows the user to define the period of time for which s/he wants to view
the data. By default, this period corresponds to the last 7 days and can be edited by clicking on
the “Last week” value under “Time range”. A window is then displayed: it is possible to select
a predefined period on the “Defaults” tab or to define a date range or a number of days before
the current date on the “Custom” tab. It is then necessary to click on “OK” to generate the charts
corresponding to this period.
• The “User group filter” area allows the user to restrict the display in the charts by selecting one
or more user groups, according to the selected period of time.
• The “Target group filter” area allows the user to restrict the display in the charts by selecting one
or more target groups, according to the selected period of time.


Each filter area displays an icon on the top right indicating the number of corresponding active
filters. It is possible to click on this icon to view the active filters under the “Applied filters” section in
a dedicated window. This window may also display the unset filters under the “Unset filters” section.
A click on each type of filters in these sections redirects to the corresponding filter area at the top
of the page to edit and/or add one or more criteria.
Once the relevant data is entered in the filter areas, a set of charts is displayed on the page and
the following actions are possible:

• highlight the desired data by clicking on the legend entry above the chart
• display the numerical data for a given day by hovering the mouse pointer over the chart
• edit the filters by clicking on the icon on the top right of the chart.

Figure 13.1. “Administration” page - “Live” tab

13.1.2. View the data on the “KPIs” tab


The “KPIs” tab provides a view of the numerical data in the form of indicators, including:

• the number of users connected over the defined period, the number of devices and accounts
declared within WALLIX Bastion
• the number of users connected, devices and accounts used for sessions over the last 7 days
compared to the previous week
• the number of users who have been inactive for 180 days and the number of devices and accounts
which have never been used for sessions.

A tabular view also presents the oldest connections by user groups and by target account groups.


Figure 13.2. “Administration” page - “KPIs” tab

13.1.3. Common features


On the top right corner of the dashboard page, a contextual menu offers the following actions:

• “Refresh dashboard”: this feature allows the user to instantly refresh all the components of the
dashboard
• “Set auto-refresh interval”: this feature allows the user to select a time interval between each
automatic refresh of the dashboard. This time interval is only saved for the current session.
• “Download as image”: this feature allows the user to download the dashboard in JPG format.

On the top right corner of each component of the “Live” and “KPIs” tabs, a contextual menu offers
the following actions:

• “Force refresh”: this feature allows the user to instantly refresh the data. The last refresh is also
indicated.
• “Maximize chart”: this feature allows the user to display the full screen view of the chart. It is
possible to return to the condensed view by clicking on the “Minimize chart” entry from this same
contextual menu.
• “Download chart”: this feature allows the user to download the chart in JPG format
• “Export CSV”: this feature allows the user to download the data of the chart as a .csv file.

13.2. Audit dashboard

From the “Audit” page on the “Dashboards” menu, it is possible to generate charts and tables from
statistical data defined in the filter areas.

The data viewable from this dashboard corresponds primarily to account, session, user group and
target account group activities.


Important:
Only the user whose profile is associated with the “Audit” dashboard is allowed to view
the “Audit” entry in the “Dashboards” menu.

By default, the user associated with the “product_administrator” or “auditor” profile can
access this menu entry.

For further information on user profiles, refer to Section 9.3, “User profiles”, page 86.

13.2.1. View the data


At the top of the page, the filter areas allow the user to define relevant data to generate charts
and tables:

• The “Time filter” area allows the user to define the period of time for which s/he wants to view
the data. By default, this period corresponds to the last 7 days and can be edited by clicking on
the “Last week” value under “Time range”. A window is then displayed: it is possible to select
a predefined period on the “Defaults” tab or to define a date range or a number of days before
the current date on the “Custom” tab. It is then necessary to click on “OK” to generate the charts
corresponding to this period.
• The “User group filter” area allows the user to restrict the display in the chart by selecting one or
more user groups, according to the selected period of time.
• The “Target group filter” area allows the user to restrict the display in the chart by selecting one
or more target groups, according to the selected period of time.

Each filter area displays an icon on the top right indicating the number of corresponding active
filters. It is possible to click on this icon to view the active filters under the “Applied filters” section in
a dedicated window. This window may also display the unset filters under the “Unset filters” section.
Clicking on a filter type in these sections redirects to the corresponding filter area at the top
of the page, where one or more criteria can be edited and/or added.

Once the relevant data is entered in the filter areas, a set of charts and tables is displayed on the
page. These charts and tables include:

• the activities of the accounts and sessions
• the rankings of sessions, user groups, target account groups and devices.

It is possible to perform the following actions:

• highlight the desired data by clicking on the legend entry above the chart
• display the numerical data for a given day by hovering the mouse pointer over the chart
• edit the filters by clicking on the icon on the top right of the chart.


Figure 13.3. “Audit” page

13.2.2. Common features


On the top right corner of the dashboard page, a contextual menu offers the following actions:

• “Refresh dashboard”: this feature allows the user to instantly refresh all the components of the
dashboard
• “Set auto-refresh interval”: this feature allows the user to select a time interval between each
automatic refresh of the dashboard. This time interval is only saved for the current session.
• “Download as image”: this feature allows the user to download the dashboard in JPG format.

On the top right corner of each component of the “Audit” dashboard, a contextual menu offers the
following actions:


• “Force refresh”: this feature allows the user to instantly refresh the data. The last refresh is also
indicated.
• “Maximize chart”: this feature allows the user to display the full screen view of the chart. It is
possible to return to the condensed view by clicking on the “Minimize chart” entry from this same
contextual menu.
• “Download chart”: this feature allows the user to download the chart in JPG format
• “Export CSV”: this feature allows the user to download the data of the chart as a .csv file.


Chapter 14. Authorization management


WALLIX Bastion allows you to define authorizations. These authorizations determine which target
accounts and protocols users can use to access devices.

Authorizations are applied to user groups linked to target groups. All users in the same group inherit
the same authorizations.

From the "Manage Authorizations" page on the "Authorizations" menu, you can:

• list the declared authorizations
• add/edit/delete an authorization
• import authorizations from a .csv file which can be used to populate the WALLIX Bastion
authorization database

For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

Figure 14.1. "Manage Authorizations" page

14.1. Add an authorization


From the "Manage Authorizations" page, click on "Add an authorization" to display the authorization
creation page.

An authorization is a link created between a user group and a target group. You can create several
authorizations between these two groups.

The authorization creation page consists of the following fields:

• the user group
• the target group
• the authorization name (note that character “&” is not allowed)
• a description
• a check box to indicate whether the targets concerned by the new authorization are critical or not
(a notification can be sent each time a critical target is accessed)
• a check box to enable or disable remote sessions. This option is selected by default for the new
authorization. In this case, you can select in the list of the frame below the protocols which can be
associated with a given user group and a given target group. Move a protocol from the "Available
protocols/subprotocols" frame to the "Selected protocols/subprotocols" one in order to choose
the protocol. And conversely, move a protocol from the "Selected protocols/subprotocols" frame
to the "Available protocols/subprotocols" one in order to remove the association.
• a check box to enable or disable session recording. The type of recording depends on the protocol
to access the device.
• a check box to enable or disable password checkout. This option is selected by default for the
new authorization.
• a check box to enable or disable an approval workflow for the new authorization. For further
information, refer to Section 14.7, “Approval workflow”, page 275.

Figure 14.2. "Manage Authorizations" page in addition mode

14.2. Edit an authorization


From the "Manage Authorizations" page, click on the notepad icon at the beginning of the desired
line to display the authorization modification page.
The fields in this page are the same as those in the authorization creation page, except the "User
group" and "Target group" fields which cannot be accessed.

14.3. Delete an authorization


From the "Manage Authorizations" page, check the box at the beginning of the line(s) to select the
related authorization(s), then click on the trash icon to delete the selected line(s). WALLIX Bastion
displays a dialogue box requesting a confirmation before permanently deleting the line(s).


14.4. Import authorizations


From the "Manage Authorizations" page, click on the "Import CSV file" icon at the top right of the
page to import the related data. You are then redirected to the "CSV" page on the "Import/Export"
menu: the "Authorizations" check box is automatically selected to import the related data. The field
and list separators can also be configured.
The file must begin with a line containing the following tag:

#wab820 authorization

Important:
The update of existing data when importing a .csv file overwrites old data.

Each subsequent line must be formed as follows:

Field | Type | R(equired)/O(ptional) | Possible values | Default value
Name | Text | R | Name of the authorization created | N/A
User group | Text | R | User group defined | N/A
Target group | Text | R | Target group defined | N/A
Subprotocol (1) | Text | R if Authorize sessions = True | Subprotocol name: see below. There can be one or several subprotocols | N/A
Is critical | Boolean | R | True or False | False
Is recorded | Boolean | R | True or False | False
Authorize password checkout | Boolean | R | True or False | False
Authorize sessions | Boolean | R | True or False | False
Description | Text | O | Free text | N/A
Approval required | Boolean | R | True or False | False
Has comment | Boolean | R | True or False | False. False if Approval required = False. True if Mandatory comment = True
Mandatory comment | Boolean | R | True or False | False. False if Approval required = False
Has ticket | Boolean | R | True or False | False. False if Approval required = False. True if Mandatory ticket = True
Mandatory ticket | Boolean | R | True or False | False. False if Approval required = False
Approver groups | Text | R if Approval required = True | Approver groups defined. There can be one or several approver groups | N/A. Empty if Approval required = False
Active quorum number | Integer | R | Integer number between 0 and the number of approvers in groups. At least one quorum (active or inactive) must be defined and greater than 0 | "0"
Inactive quorum number | Integer | R | Integer number between 0 and the number of approvers in groups. At least one quorum (active or inactive) must be defined and greater than 0 | "0"
Single connection | Boolean | O | True or False | False. False if Approval required = False
Approval timeout number | Integer | O | The value is set in minutes | "0"

(1) Subprotocol: one of the following values:

SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, SSH_SCP_UP, SSH_SCP_DOWN,
SSH_X11, SFTP_SESSION, RDP, VNC, TELNET, RLOGIN, SSH_DIRECT_TCPIP,
SSH_REVERSE_TCPIP, SSH_AUTH_AGENT, SSH_DIRECT_UNIXSOCK,
SSH_REVERSE_UNIXSOCK, RDP_CLIPBOARD_UP, RDP_CLIPBOARD_DOWN,
RDP_CLIPBOARD_FILE, RDP_PRINTER, RDP_COM_PORT, RDP_DRIVE, RDP_SMARTCARD,
RDP_AUDIO_OUTPUT, RDP_AUDIO_INPUT, RAWTCPIP
For further information, refer to Section 10.1.6, “SSH specific options”, page 134 and Section 10.1.7,
“RDP specific options”, page 135.
Example of import syntax (each authorization is one line; the fields are separated by ";" and the
values of a list field by a space):
#wab820 authorization
Group_users1;target_group1;SSH_SHELL_SESSION SFTP_SESSION;False;False;True;True;description;False;False;False;False;False;group_approvers;1;2;False;0


Once you have imported the .csv file, a summary report is displayed.
This report lists the number of elements which were created and updated in the WALLIX Bastion
database but also the rejected data. In case of rejection, the corresponding error is mentioned.
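
The checks below are an added example (not WALLIX code) that applies the field table of Section 14.4 to an import file before it is uploaded, so that a rejected line is caught locally rather than in the summary report. It assumes ";" as field separator and a space as list separator (the values shown in the syntax example above), and the sample file it parses is constructed for the example:

```python
"""Offline pre-check of a WALLIX Bastion authorization .csv file before import.

Added example, not WALLIX code. It applies the field table of Section 14.4: the
first line must be the "#wab820 authorization" tag, every data line carries 19
fields, and the approval-related fields must agree with each other. The ';'
field separator and ' ' list separator are assumed; SAMPLE_CSV is constructed.
"""

TAG = "#wab820 authorization"
FIELD_SEP, LIST_SEP = ";", " "   # separators chosen on the "CSV" import page (assumed)

FIELDS = ["name", "user_group", "target_group", "subprotocols", "is_critical",
          "is_recorded", "authorize_password_checkout", "authorize_sessions",
          "description", "approval_required", "has_comment", "mandatory_comment",
          "has_ticket", "mandatory_ticket", "approver_groups", "active_quorum",
          "inactive_quorum", "single_connection", "approval_timeout"]
BOOL_FIELDS = {"is_critical", "is_recorded", "authorize_password_checkout",
               "authorize_sessions", "approval_required", "has_comment",
               "mandatory_comment", "has_ticket", "mandatory_ticket", "single_connection"}
INT_FIELDS = {"active_quorum", "inactive_quorum", "approval_timeout"}
LIST_FIELDS = {"subprotocols", "approver_groups"}
# Optional fields and the value an empty cell stands for (table defaults).
OPTIONAL_EMPTY = {"description": "", "single_connection": "False", "approval_timeout": "0"}
SUBPROTOCOLS = {
    "SSH_SHELL_SESSION", "SSH_REMOTE_COMMAND", "SSH_SCP_UP", "SSH_SCP_DOWN", "SSH_X11",
    "SFTP_SESSION", "RDP", "VNC", "TELNET", "RLOGIN", "SSH_DIRECT_TCPIP",
    "SSH_REVERSE_TCPIP", "SSH_AUTH_AGENT", "SSH_DIRECT_UNIXSOCK", "SSH_REVERSE_UNIXSOCK",
    "RDP_CLIPBOARD_UP", "RDP_CLIPBOARD_DOWN", "RDP_CLIPBOARD_FILE", "RDP_PRINTER",
    "RDP_COM_PORT", "RDP_DRIVE", "RDP_SMARTCARD", "RDP_AUDIO_OUTPUT", "RDP_AUDIO_INPUT",
    "RAWTCPIP"}


def _convert(key, value):
    """Turn one raw cell into its typed value; ValueError on malformed input."""
    if value == "" and key in OPTIONAL_EMPTY:
        value = OPTIONAL_EMPTY[key]
    if key in BOOL_FIELDS:
        if value not in ("True", "False"):
            raise ValueError(f"expected True or False, got {value!r}")
        return value == "True"
    if key in INT_FIELDS:
        return int(value)                       # ValueError on non-numeric text
    if key in LIST_FIELDS:
        return [x for x in value.split(LIST_SEP) if x]
    return value


def validate_line(line):
    """Return (record, errors); record is None when the import would reject the line."""
    parts = line.split(FIELD_SEP)
    if len(parts) != len(FIELDS):
        return None, [f"expected {len(FIELDS)} fields, found {len(parts)}"]
    rec, errors = {}, []
    for key, value in zip(FIELDS, parts):
        try:
            rec[key] = _convert(key, value)
        except ValueError as exc:
            errors.append(f"{key}: {exc}")
    if errors:
        return None, errors
    errors += [f"{k}: required" for k in ("name", "user_group", "target_group") if not rec[k]]
    if "&" in rec["name"]:                      # rule stated in Section 14.1
        errors.append("name: character '&' is not allowed")
    if rec["authorize_sessions"] and not rec["subprotocols"]:
        errors.append("subprotocols: required when authorize_sessions is True")
    errors += [f"subprotocols: unknown value {sp!r}"
               for sp in rec["subprotocols"] if sp not in SUBPROTOCOLS]
    errors += [f"{k}: must not be negative" for k in sorted(INT_FIELDS) if rec[k] < 0]
    flags = ("has_comment", "mandatory_comment", "has_ticket", "mandatory_ticket",
             "single_connection")
    if rec["approval_required"]:
        if not rec["approver_groups"]:
            errors.append("approver_groups: required when approval_required is True")
        if rec["active_quorum"] == 0 and rec["inactive_quorum"] == 0:
            errors.append("quorum: the active or the inactive quorum must be greater than 0")
        for flag in ("comment", "ticket"):      # "True if Mandatory ... = True"
            if rec[f"mandatory_{flag}"] and not rec[f"has_{flag}"]:
                errors.append(f"has_{flag}: must be True when mandatory_{flag} is True")
    else:                                       # "False if Approval required = False"
        errors += [f"{k}: must be False when approval_required is False" for k in flags if rec[k]]
        if rec["approver_groups"]:
            errors.append("approver_groups: must be empty when approval_required is False")
    return (None if errors else rec), errors


def validate_file(text):
    """Return (accepted records, {line number: errors}) for a whole import file."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != TAG:
        return [], {1: [f"first line must be {TAG!r}"]}
    records, problems = [], {}
    for number, line in enumerate(lines[1:], start=2):
        if line.strip():
            rec, errors = validate_line(line)
            if errors:
                problems[number] = errors
            else:
                records.append(rec)
    return records, problems


# Constructed sample: one line the import accepts, one it rejects ("&" in the name).
SAMPLE_CSV = """#wab820 authorization
ssh_admins;Group_users1;target_group1;SSH_SHELL_SESSION SFTP_SESSION;False;True;True;True;Linux admin access;True;True;False;True;True;group_approvers;1;2;False;30
bad&name;Group_users1;target_group1;RDP;False;False;True;True;;False;False;False;False;False;;0;0;False;0
"""
```

Run `validate_file()` on the file you are about to upload: the accepted list is what the import will create or update, and each rejected line is reported with the same kind of reason the summary report shows. The quorum upper bound (the number of approvers in the selected groups) is not checked here because the file does not carry group membership.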

14.5. View the current approvals


From the "My Current Approvals" page, the approver can view all the current approval requests
sent from users to access targets or target credentials and to which s/he must provide an answer.
Each line provides the following information:

• the status of the request
• the current quorum
• the ticket reference associated with the request
• the requesting user
• the target for which access is requested
• the request start date and time
• the request end date and time
• the request duration
• the answers of the approvers

Figure 14.3. "My Current Approvals" page


On the top of the page, the approver can choose to enable/disable automatic refresh of current
approval data. When the corresponding option is enabled, you can set the refresh frequency.
By clicking on the notepad icon at the beginning of the line, the approver is redirected to the approval
request detail page:

Figure 14.4. "My Current Approvals" - Approval request detail page


On this page, the approver can:

• click on the "Notify approvers" button to notify approvers again
• view the answers from the other approvers
• indicate in the "Comment" area the reason for his/her approval or rejection of the request
• reduce the request period by changing the value in the "Duration" field
• reduce the timeout set for the connection by changing the value in the "Timeout" field. If the
user has not connected to the target and this timeout has been reached, then the status of the
"accepted" request automatically switches to "closed".
• click on the "Cancel", "Reject" or "Approve" button to perform the corresponding action

Since a session or the target credentials can still be accessed as long as an accepted request has
not expired, the approver can cancel a request before its expiration to inhibit further access from a
user to the target by clicking on the "Cancel" button.

For further information, refer to Section 14.7, “Approval workflow”, page 275.

14.6. View the approval history


From the "My Approval History" page, the approver can view all the approval requests which are
no longer pending for approval.

Filters can be defined on the top of the page to facilitate the search and restrict the display to relevant
records. The available filters are based on:

• the definition of a period
• the definition of the last N days, weeks or months
• a search for text occurrences in the columns. For further information, refer to Section 6.5.1,
“Search data”, page 31.

Note:
Only the last 1,000 records are displayed in the Web user interface. The occurrence filter
is applied to these 1,000 records. Older sessions can only be retrieved through the date
range filter.

Each line provides the following information:

• the status of the request
• the current quorum
• the ticket reference associated with the request
• the requesting user
• the target for which access is requested
• the request start date and time
• the request end date and time
• the request duration
• the answers of the approvers


Figure 14.5. "My Approval History" page

By clicking on the notepad icon at the beginning of the line, the approver is redirected to a detailed
view of all the answers for the request.

Since a session or the target credentials can still be accessed as long as an accepted request has
not expired, the approver can cancel a request before its expiration to inhibit further access from a
user to the target by clicking on the "Cancel request" button.

All data in this page can be downloaded as a .csv file.

For further information, refer to Section 14.7, “Approval workflow”, page 275.

Figure 14.6. "My Approval History" - Approval request history detail page

14.7. Approval workflow


WALLIX Bastion supports dynamic authorizations using workflows. This mechanism is based on the
time frames defined for accessing targets or target credentials. Workflows allow administrators to
further refine the access to sensitive resources and to permit access outside the defined time frames.
When a user wants to initiate a connection to a target or access the target credentials, a request
is first sent to the approvers.

An approver is a user who has been designated by a WALLIX Bastion administrator with the right
to approve: the "Modify" right for the "Manage Authorizations" feature is set in the approver's profile
(refer to Section 9.3, “User profiles”, page 86).

Approvers can decide to allow or reject the connection to a target or the access to the target
credentials. A request is approved when a quorum has been reached. The quorum is the minimum
number of favorable answers required for a particular authorization.


14.7.1. Workflow configuration


Approval workflows are set at the level of the defined authorizations. For further information, refer
to Section 14.1, “Add an authorization”, page 269.
If the "Enable approval workflow" check box is selected during the authorization definition, a user
will have to obtain access to the target or the target credentials by demanding an approval request.
Approvers are then designated to answer requests for the defined authorizations by selecting the
appropriate groups of users: to do so, move the user groups from the "Available approver groups"
frame to the "Selected approver groups" one in order to choose the groups. And conversely, move
a user group from the "Selected approver groups" frame to the "Available approver groups" one in
order to remove the association.
The "Modify" right for the "Manage Authorizations" feature must be set for all users in the selected
groups in their user profile.
Upon approval requests issued by users wishing to connect to a target or access the target
credentials concerned by the authorization, all approvers in the selected groups are notified by
email. The latter contains a direct link for the approver to "My Current Approvals" page in the
"Authorizations" menu where the request can be answered. This feature is available for approvers
through the interface dedicated to the "User & audit features" service group. For further information,
refer to Section 8.11.1, “Service mapping”, page 57.
A request for a target is defined by at least the start date and time and the expected duration of the
session. It is also possible, optionally, to define a ticket number and a comment. For the defined
authorization, each of these attributes can be requested optionally, always or never, depending on
the option selected in the "Comment" and "Ticket" fields during the authorization configuration.
It is possible to set the number of approvers needed to accept a request. This is configured by
setting a quorum. A quorum should be equal to or less than the number of available approvers.
During the authorization configuration, a quorum can be set:

• for active periods, by specifying a value in "Quorum in authorized time frames". A quorum for the
active periods equal to 0 means that approvals are not required for active periods.
• for inactive periods, by specifying a value in "Quorum outside authorized time frames". A quorum
for inactive periods equal to 0 means that no connections are ever possible during inactive
periods.

A single connection can be defined for the approval. The user is then restricted to connect only
once during the approval duration.
A timeout in format [hours]h[mins]m can be defined for the approval. If the user has not
connected to the target and this timeout has been reached, then the status of the "accepted" request
automatically switches to "closed". When the approver accepts the request, this value is set as the
maximum value in the "Timeout" field on the form. The approver can reduce this value.

14.7.2. Workflow steps


A user requests an approval either from the "My Authorizations" menu on the WALLIX Bastion Web
interface (for immediate or future access) or when connecting to an RDP or an SSH client (for
immediate access). All the approvers are notified by email. Approvers can then accept or reject a
request via the WALLIX Bastion Web interface.
The statuses of a valid request (its duration has not expired) can be either of the following:

• a request is marked as "accepted" when the quorum has been reached


Note:
When the first approver accepts the request and the start date and time have been
reached:
– the start date and time of the request are then updated with the start date and time
of this action
– the end date and time are then extended for the request duration from this action

• a request is marked as "rejected" and subsequently dismissed as soon as an approver rejects it.
The user is then notified by email of the reason for the rejection.
• a request is "pending" as long as the quorum has not been reached and it has not been rejected.

If the request is no longer valid (i.e. its duration has expired), it is then marked as "closed" and it
is no longer possible for an approver to answer the request. Likewise, it is not possible to answer
requests that have already been accepted or rejected.

Note:
A request is also marked as "closed" if one of the following elements has been deleted:
the requesting user and/or the concerned target and/or the concerned authorization.
An "accepted" request switches automatically to the "closed" status if the user has not
connected to the target and the timeout defined for the approval has been reached.

Each approver is given the possibility to reduce the duration of a request. The duration is
incrementally decreased: a subsequent approver, when answering the same request, sees the
reduced period and not the original one.
Users can view approval statuses for their requests on the "My Authorizations" menu.
When the quorum is reached, the user is notified by email. The session can then be started or the
target credentials can then be accessed for the allocated duration. If the session is disconnected
before the end of the duration, the user can start a new session without a new approval as long
as the period specified by the duration of the initial approval has not elapsed. To prevent a user
from reconnecting after the initial session, approvers can cancel the request.
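
The request life cycle described in this section, written out as an added example (not WALLIX code): the four statuses, the quorum count, the duration reduction that later approvers see, the restart of the window on the first favourable answer once the start date has passed, and the connection timeout that closes an accepted request nobody used. The class and method names are assumptions; the timeout is assumed to count from acceptance and a timeout of 0 to mean "no timeout".

```python
"""Life cycle of an approval request as described in Section 14.7.2.

Added example, not WALLIX code. Statuses are "pending", "accepted",
"rejected" and "closed". Names are assumed; the timeout is assumed to run
from the moment the quorum is reached, with 0 meaning no timeout.
"""
from datetime import datetime, timedelta


class ApprovalRequest:
    def __init__(self, user, target, start, duration_min, quorum, timeout_min=0):
        self.user, self.target = user, target
        self.start = start
        self.duration = timedelta(minutes=duration_min)
        self.end = start + self.duration
        self.quorum = quorum                    # favourable answers needed
        self.timeout = timedelta(minutes=timeout_min)
        self.answers = {}                       # approver -> (accepted, comment)
        self.status = "pending"
        self.accepted_at = None
        self.connected = False

    def _expire(self, now):
        """Close the request once its period is over or an accepted user never connected."""
        if self.status in ("pending", "accepted") and now > self.end:
            self.status = "closed"
        if (self.status == "accepted" and not self.connected and self.timeout
                and now >= self.accepted_at + self.timeout):
            self.status = "closed"

    def answer(self, approver, now, accept, duration_min=None, comment=""):
        self._expire(now)
        if self.status != "pending":            # accepted, rejected or closed: no more answers
            raise ValueError(f"request is {self.status}")
        if approver in self.answers:
            raise ValueError(f"{approver} already answered")
        if duration_min is not None:            # an approver may only shorten the period
            if timedelta(minutes=duration_min) > self.duration:
                raise ValueError("the duration can only be reduced")
            self.duration = timedelta(minutes=duration_min)
            self.end = self.start + self.duration
        self.answers[approver] = (accept, comment)
        if not accept:
            self.status = "rejected"            # one rejection dismisses the request
            return self.status
        favourable = sum(1 for ok, _ in self.answers.values() if ok)
        if favourable == 1 and now >= self.start:
            # first acceptance after the start date: the window restarts from now
            self.start, self.end = now, now + self.duration
        if favourable >= self.quorum:
            self.status, self.accepted_at = "accepted", now
        return self.status

    def cancel(self, now):
        """An approver withdraws access before the period expires."""
        self._expire(now)
        if self.status in ("pending", "accepted"):
            self.status = "closed"
        return self.status

    def may_connect(self, now):
        """True if the user may start (or restart) a session at `now`."""
        self._expire(now)
        if self.status == "accepted" and self.start <= now <= self.end:
            self.connected = True
            return True
        return False
```

The point to notice for an approver is that `may_connect()` stays true for the whole reduced duration once the quorum is reached, even after a disconnect; only `cancel()` or the end of the period stops further sessions.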

14.8. Time frames configuration


Time frames which can be defined in WALLIX Bastion are used to set the periods during which a
user can connect to targets.
A time frame is linked to one or several user groups. For further information, refer to Section 9.2,
“User groups”, page 82.
From the "Time Frames" page on the "Configuration" menu, you can add, edit or delete time frames.

Warning:
A default time frame called "allthetime" is configured on WALLIX Bastion. This time frame
allows users to connect to targets at any time and on any day. You cannot delete this
time frame.
The reference time used is the WALLIX Bastion local time.


14.8.1. Add a time frame


From the "Time Frames" page, click on "Add a time frame" to display the time frame creation page.

The time frame creation page consists of the following fields:

• the time frame name
• a description
• a check box to disable automatic disconnection at the end of the specified time period
• an expandable area to add one or more periods

Each period is a calendar period during which users can log on:

• between certain dates
• on certain weekdays
• between certain times on every authorized day

Figure 14.7. "Time frames" page in addition mode
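
An added example (not WALLIX code) that evaluates a time frame built from the periods listed above and, going one step beyond this section, applies the quorum rules of Section 14.7.1 to decide how many approvals a request needs at a given moment. The names are assumptions; datetimes are naive values in WALLIX Bastion local time, which the warning above states is the reference time.

```python
"""Time frame evaluation (Section 14.8) with the quorum rules of Section 14.7.1.

Added example, not WALLIX code. A time frame is a list of periods, each with a
date range, a set of weekdays and a daily time range, as in Section 14.8.1;
the built-in "allthetime" frame is one period covering every day and hour.
Names are assumed; datetimes are naive, in the Bastion's local time.
"""
from dataclasses import dataclass
from datetime import date, datetime, time


@dataclass(frozen=True)
class Period:
    start_date: date
    end_date: date
    weekdays: frozenset            # 0 = Monday ... 6 = Sunday
    start_time: time
    end_time: time

    def contains(self, when: datetime) -> bool:
        return (self.start_date <= when.date() <= self.end_date
                and when.weekday() in self.weekdays
                and self.start_time <= when.time() <= self.end_time)


@dataclass
class TimeFrame:
    name: str
    periods: list
    auto_disconnect: bool = True   # the "disable automatic disconnection" box unchecked

    def is_active(self, when: datetime) -> bool:
        return any(p.contains(when) for p in self.periods)

    def must_disconnect(self, when: datetime) -> bool:
        """True when a running session has to be cut at `when`."""
        return self.auto_disconnect and not self.is_active(when)


ALLTHETIME = TimeFrame("allthetime", [
    Period(date.min, date.max, frozenset(range(7)), time.min, time.max)])


def required_quorum(frame, when, active_quorum, inactive_quorum):
    """Approvals needed for a request at `when`; None means no connection is possible.

    Section 14.7.1: a quorum of 0 inside an authorized period means no approval
    is needed there; a quorum of 0 outside means connections are never possible
    outside the time frame.
    """
    if frame.is_active(when):
        return active_quorum
    return None if inactive_quorum == 0 else inactive_quorum
```

`required_quorum()` returning `None` is the case an administrator usually wants for sensitive targets: no number of approvals opens the door outside the frame. A non-zero inactive quorum is the documented way to allow exceptional, approved access outside working hours.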

14.8.2. Edit a time frame


From the "Time Frames" page, click on a time frame name to display the time frame modification
page.

The fields in this page are the same as those in the time frame creation page, except the "Time
frame name" field which cannot be accessed.

14.8.3. Delete a time frame


From the "Time Frames" page, check the box at the beginning of the line(s) to select the related
time frame(s), then click on the trash icon to delete the selected line(s). WALLIX Bastion displays
a dialogue box requesting a confirmation before permanently deleting the line(s).

Warning:
You cannot delete a time frame when the latter is linked to a user group.


Chapter 15. Specific commands


The following sections present some commands which may be useful when administrating WALLIX
Bastion. Not all specific commands are documented here, so we encourage you to contact the WALLIX
Support Team should you have any other questions (refer to Chapter 18, “Contact WALLIX Bastion
Support”, page 328).
The table below summarizes the information detailed in the corresponding sections:

Command / Script | Refer to...
bastion-traceman | Section 15.20, “Move local session recordings to remote storage”, page 287
WABBackupPurge | Section 8.13.4, “Automatic backup purge”, page 64
WABChangeGrub | Section 15.9, “Change the GRUB password”, page 282
WABChangeKeyboard | Section 15.7, “Change the keyboard layout”, page 282
WABConsole | Section 15.16, “Use WABConsole to change the user password”, page 284
WABExecuteBackup | Section 8.13.3, “Automatic backup configuration”, page 63
WABGetGuiUrl | Section 15.8, “Get the GUI URL”, page 282
WABGetLicenseInfo | Section 15.15, “Manage the license key”, page 283
WABCRLFetch | Section 15.28, “Update the CRL (Certificate Revocation List)”, page 292
WABGuiCertificate | Section 15.26, “Change self-signed certificates of services”, page 290
WABHASetup and WABHAStatus | Section 15.13, “Configure High-Availability (HA)”, page 283
WABInitReset | Section 15.2, “Restore WALLIX Bastion to factory settings”, page 280
WABJournalCtl | Section 15.17, “Display the content of "journalctl" logs”, page 284
WABNetworkConfiguration | Section 15.10, “Change the network configuration”, page 282
WABResetCrypto | Section 15.5, “Reset data encryption in WALLIX Bastion”, page 281
WABRestoreDefaultAdmin | Section 15.3, “Restore the factory-set administrator account”, page 280 and Section 15.4, “Change the password of the factory-set administrator account”, page 281
WABSecurityLevel | Section 15.11, “Change the security level configuration”, page 282
WABServices | Section 15.12, “Configure services”, page 283
WABSessionLogExport | Section 15.18, “Export and/or purge session recordings manually”, page 284; see also Section 15.19, “Export and/or purge session recordings automatically”, page 286
WABSessionLogImport | Section 15.21, “Re-import archived session recordings”, page 288
WABSessionLogIntegrityChecker | Section 15.22, “Check integrity of session log files”, page 288
WABSetLicense | Section 15.15, “Manage the license key”, page 283
WABSshServerGenRsaKey.sh | Section 15.26, “Change self-signed certificates of services”, page 290
WABVersion | Section 15.6, “Get the version information of WALLIX Bastion”, page 281
wallix-config-backup.py | Section 8.13.2, “Backup/Restoration from the command line”, page 62
wallix-config-restore.py | Section 8.13.2, “Backup/Restoration from the command line”, page 62

15.1. Use the command line to connect to WALLIX Bastion


For further information, refer to Section 6.2, “Using the command line to connect to WALLIX
Bastion”, page 25.

15.2. Restore WALLIX Bastion to factory settings


You can execute the following command when logged in as "root" to restore WALLIX Bastion to
its factory settings:

# WABInitReset

A message is then displayed to request confirmation before restoring the settings. By default, this
command only restores the configuration for the keyboard layout, the GRUB menu and the users.

It is possible to restore all settings or a specific one using option --reset, as shown below:

# WABInitReset --reset interfaces

When option --reset is used, no message is displayed to request confirmation before restoring
the settings.

The option -h shows the help message listing the arguments which can be used to perform this
action.

15.3. Restore the factory-set administrator account


You can execute the following command when logged in as "root" to restore the factory-set
administrator account of WALLIX Bastion:


# WABRestoreDefaultAdmin

The default credentials of the factory-set administrator account are as follows:

• User name: admin
• Password: admin

This default password can be changed. For further information, refer to Section 15.4, “Change
the password of the factory-set administrator account”, page 281.

15.4. Change the password of the factory-set administrator account


You can execute the following command when logged in as "root" to change the default password
of the factory-set administrator account of WALLIX Bastion:

# WABRestoreDefaultAdmin -c

Note:
The previous default password is not requested when performing this action.

15.5. Reset data encryption in WALLIX Bastion


You can execute the following command when logged in as "root" to restore the encryption key of
WALLIX Bastion:

# WABResetCrypto

A message is then displayed to request confirmation before resetting encryption.

Caution:
All data in WALLIX Bastion (user accounts, session recordings, etc.) is deleted when
encryption is reset!

It is therefore highly recommended to back up a copy of WALLIX Bastion configuration
BEFORE resetting encryption. For further information, refer to Section 8.13, “Backup and
Restoration”, page 60.

15.6. Get the version information of WALLIX Bastion


You can execute the following command to get the version, build number and build date of WALLIX
Bastion:

# WABVersion

The history of all the installation operations (installation and upgrades of your WALLIX Bastion but
also installation or removal of Hotfixes) can be displayed when executing the following command:


# WABVersion -H

15.7. Change the keyboard layout


You can execute the following command to choose another keyboard layout language:

# WABChangeKeyboard

15.8. Get the GUI URL


You can execute the following command to get the URL of the Web interface:

# WABGetGuiUrl

15.9. Change the GRUB password


You can execute the following command to modify the GRUB password:

# WABChangeGrub

15.10. Change the network configuration


You can execute the following command to modify the network configuration set in WALLIX Bastion:

# WABNetworkConfiguration

However, the advanced configuration can only be performed from the "Network" page on
the "System" menu on the Web interface. For further information, refer to Section 8.6,
“Network”, page 48.

Note:
When WALLIX Bastion is configured in HA (High-Availability) mode, this command
can only be executed on the "Master" node.

15.11. Change the security level configuration


You can execute the following command to modify the security level configuration set in WALLIX
Bastion:

# WABSecurityLevel

The security level set via this command affects both the HTTP and the SSH servers.
The default security level for the HTTP server is set to a high value. Only the following cryptographic
algorithms can then be used: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-
GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305,
ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-
AES256-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-
RSA-AES128-SHA256.
The default security level for the SSH server is set to a low value, allowing any cryptographic
algorithms to be used.


The security level set via this command is preserved during upgrade.

Caution:
When WALLIX Bastion is configured in HA (High-Availability) mode, the security
level for the SSH server set via this command is only propagated to the Slave node when
the latter switches from Slave to Master.
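
To confirm from a client that the Web interface really negotiates only the cipher suites listed above, the check below is an added example (not WALLIX code): it builds a client context restricted to the documented suites, and `negotiated_cipher()` connects to a host of your choice and returns the suite the server picked, to be compared against the same list. The cipher names come from this section; the function names and the host/port are assumptions.

```python
"""Compare the cipher suite negotiated by a TLS endpoint with the list the guide
gives for the high security level of the WALLIX Bastion HTTP server.

Added example, not WALLIX code. The cipher names are the ones documented in
Section 15.11; the function names and the host/port arguments are assumed.
"""
import socket
import ssl

HIGH_LEVEL_HTTP_CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
}


def cipher_is_allowed(name):
    """True if `name` (OpenSSL notation, as returned by SSLSocket.cipher()) is in the list."""
    return name in HIGH_LEVEL_HTTP_CIPHERS


def policy_context():
    """Client context whose TLS 1.2 offer is limited to the documented suites.

    TLS 1.3 suites are fixed by OpenSSL and are not affected by set_ciphers().
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers(":".join(sorted(HIGH_LEVEL_HTTP_CIPHERS)))
    return ctx


def tls12_ciphers_in_policy_context():
    """Names of the TLS 1.2 suites the restricted context would actually offer."""
    return [c["name"] for c in policy_context().get_ciphers() if c["protocol"] != "TLSv1.3"]


def negotiated_cipher(host, port=443, timeout=5.0):
    """Connect with an ordinary default context and return the negotiated suite name.

    Assumes a reachable host presenting a certificate the local trust store accepts.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0]


def endpoint_matches_policy(host, port=443):
    """True if the server picks a documented suite when offered the default client list."""
    name = negotiated_cipher(host, port)
    return name.startswith("TLS_") or cipher_is_allowed(name)   # TLS_* names are TLS 1.3 suites
```

Run `endpoint_matches_policy("bastion.example.org")` (placeholder host) after changing the security level: a negotiated suite outside the list means the HTTP server is still on the low level, or a proxy in front of it is terminating TLS with its own configuration. The `tls12_ciphers_in_policy_context()` helper only shows which of the documented suites the local OpenSSL build can offer, which is useful when a client cannot connect at all.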

15.12. Configure services


You can execute the following command to configure services:

# WABServices

For further information, refer to Section 8.11.2, “Service activation”, page 58.

15.13. Configure High-Availability (HA)


You can execute the following command to configure HA:

wabsuper$ WABHASetup

Note:
This command can only be executed on the "Master" node.

To check the current state of a node, you can use the following maintenance command:

wabsuper$ /opt/wab/bin/WABHAStatus

For further information, refer to Section 8.14, “High-Availability”, page 65.

15.14. Generate the report on the system status


A program collects the information related to the status of WALLIX Bastion. It can be useful
to execute this program and send the generated report to the WALLIX Support Team when needed.
To get this program, log on to the WALLIX Support portal (https://support.wallix.com/), then
click on the "Downloads" tab and download the file "sysinfo" below section "WALLIX Sysinfo".
Next, launch this program and send the file sysinfo.txt from the generated archive (sysinfo.gz)
to the WALLIX Support Team.

15.15. Manage the license key


You can execute the following command to display the license information:

# WABGetLicenseInfo

You can execute the following command to generate the license context file:

# WABSetLicense -c -f <License context file>


You can execute the following command to import a new license:

# WABSetLicense -u -f <License update file>

You can execute the following command to delete the license:

# WABSetLicense -d

For further information, refer to Section 8.2, “License”, page 43.

15.16. Use WABConsole to change the user password

WALLIX Bastion 9.0.2 provides a command line interface allowing an administrator or a user to
execute specific operations.
The available commands are filtered according to the user profile.
To log on to the console, you can:

• either execute the following command:

# WABConsole

• or connect to the Bastion using an SSH client as follows:

$ ssh -t admin@wab.mycorp.lan console
admin@wab.mycorp.lan password:
wab> help

To obtain the list of commands, simply enter help on the console prompt.
Help is available for each command by entering either help or -h.
The command currently available for a user with the "product_administrator" profile is:
change_user_password.
The command currently available for a regular user is: change_password.

15.17. Display the content of "journalctl" logs


You can execute the following command to display the content of "journalctl" logs:

# WABJournalCtl

15.18. Export and/or purge session recordings manually

You can execute the following script to export and/or purge session recordings:

# /opt/wab/bin/WABSessionLogExport -h

The option -h shows the help message listing the arguments which can be used to perform this
action.

Use this script to create an .archive file, saved in /var/wab/recorded/export_sessions,
including for the period defined:

• all RDP and SSH sessions
• a .csv file containing the export of the data viewed on the "Session History" page (refer to
Section 12.3.4, “Session history”, page 225).

Note:
Local archives are to be moved manually by the administrator to remote storage, in
/var/wab/remote/recorded/export_sessions. However, a script can archive and/or
purge session recordings automatically. You can define options on the Web interface of
WALLIX Bastion to configure the actions which will be carried out by this script. For further
information, refer to Section 15.19, “Export and/or purge session recordings automatically”,
page 286.

All sessions for the period defined will also be removed, unless option -p has been used.

The following options select which traces are archived and/or purged:

• --sessions: sessions with the given IDs
• --good-only: only uncorrupted sessions
• -w or --wrong-only: only corrupted sessions
• --status: sessions with a given status (e.g. failed sessions, interrupted sessions, etc.)
• --local-storage: only sessions stored on local storage
• --remote-storage: only sessions stored on remote storage
• --protocol: traces related to targets under a given protocol (SSH, RDP, etc.)
• --non-critical: only non-critical sessions
• --user: traces related to specific user(s)
• --user-group: traces related to users in specific user group(s)
• --target: traces related to specific target(s)
• --target-group: traces related to targets in specific target group(s)

The following options control what is done with the selected traces:

• -a: do not archive the traces. Information on the concerned sessions is displayed on the
command line.
• -p: do not purge the traces. Information on the concerned sessions is displayed on the
command line.
• --show-orphans: display orphan files related to purged sessions. These files can be deleted
using option -P or --purge-orphans; in this case, they are not archived even if an archive is
created.
• --passphrase: specify a passphrase for the archive. This option should not be used, as the
passphrase is displayed as a string on the command line.
• --passphrase-fd: read the archive passphrase from the given file descriptor.
• --passphrase-file: read the archive passphrase from the given file path.
You can execute the following script to re-import the generated archive files:

# /opt/wab/bin/WABSessionLogImport -h

The option -h shows the help message listing the arguments which can be used to
perform this action. For further information, refer to Section 15.21, “Re-import archived session
recordings”, page 288.
A script can archive and/or purge session recordings automatically. You can define options
on the Web interface of WALLIX Bastion to configure the actions which will be carried out by
this script. For further information, refer to Section 15.19, “Export and/or purge session recordings
automatically”, page 286.
Another script can move session recordings from local storage to remote storage. For further
information, refer to Section 15.20, “Move local session recordings to remote storage”, page 287.

15.19. Export and/or purge session recordings automatically

A script launched by a cron job archives and/or purges the session recordings stored in
partition /var/wab/recorded/ (for local storage) or /var/wab/remote/recorded/ (for
remote storage). This script is executed by default every day at 4:00 a.m. in the time zone in which
WALLIX Bastion is located, as defined in the "Time Service" page on the "System" menu. For further
information, refer to Section 8.7, “Time service”, page 50.
The actions carried out by this script can be configured via the options in section "Retention Policy"
from "Configuration" > "Configuration Options" > "Session log policy":

• if a value is entered in the field “Remove sessions older than”, then all sessions older than this
value are removed. The value is expressed in days (with suffix “d”, e.g. “20d” for 20 days) or in
months (with suffix “m”, e.g. “36m” for 36 months). If no suffix is entered, then the value is taken
as a number of days.
• all the orphan files on remote storage are removed
• if a value is entered in the field “Archive sessions older than”, then all sessions older than this
value are archived. The value uses the same syntax (suffix “d” for days, “m” for months, no suffix
for days). This operation applies to sessions on both local and remote storage.
• if a path to a script is entered in the field “Post archive script”, then it is called to export archives.
Otherwise, archives are transferred to remote storage, if present.
• the elements on local storage are removed, starting from the oldest to the most recent and by
type, until a given amount of free disk space is reached. This value is entered in the field
“Remove sessions below free space” and is expressed in bytes (with suffixes “kb”, “kib”,
“Mb”, “Mib”, “Gb” and “Gib”) or as a percentage of the disk space in partition /var/wab. This
removal is carried out in the following order:
– first, archives older than 24h
– next, non-critical sessions older than the value entered in the field “Prefer sessions older
than”
– then, critical sessions older than the value entered in the field “Prefer sessions older than”
– then, non-critical sessions older than 24h
– then, critical sessions older than the value entered in the field “Keep critical newer than” or
older than 24h
– next, non-critical sessions newer than 24h
– then, archives newer than 24h
– lastly, critical sessions newer than 24h if no value is entered in the field “Keep critical newer
than”
• a notification is sent with the list of the archived and removed elements. A notification is also sent
when the configured amount of free disk space has not been reached.

Archives are removed regardless of the critical or non-critical context of sessions.

Furthermore, it is also possible to modify the default passphrase defined in the field “Archive key”.
This passphrase is used to encrypt the archived elements.
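The retention policy above, modelled as an added example (not WALLIX code): it parses the age values (“20d”, “36m”, no suffix) and free-space values (“10Gib”, “20%”) described in this section and applies the eight removal steps, oldest first within each step, to a constructed set of local-storage elements until the free-space target is reached. The month length (30 days) and the reading of the “Keep critical newer than” step are assumptions noted in the code.

```python
from dataclasses import dataclass
import re

DAY = 24 * 3600   # seconds in 24h
GIB = 2 ** 30     # bytes in one GiB (used by the constructed sample)


@dataclass
class Element:
    name: str
    kind: str        # "archive" or "session"
    critical: bool   # only meaningful for sessions
    age: int         # seconds since creation (constructed value)
    size: int        # bytes freed when the element is removed


def parse_age(value):
    """'20d' -> 20 days, '36m' -> 36 months, '30' -> 30 days (default suffix "d").
    Returns seconds. A month is counted as 30 days here (assumption: the guide
    only states the suffixes, not the month length)."""
    m = re.fullmatch(r"\s*(\d+)\s*([dm]?)\s*", value)
    if not m:
        raise ValueError("bad age value: %r" % value)
    n, unit = int(m.group(1)), m.group(2) or "d"
    return n * (30 * DAY if unit == "m" else DAY)


_SIZE_UNITS = {"": 1, "kb": 10 ** 3, "kib": 2 ** 10, "mb": 10 ** 6,
               "mib": 2 ** 20, "gb": 10 ** 9, "gib": 2 ** 30}


def free_space_target(value, partition_size):
    """'10Gib' -> 10 GiB in bytes; '20%' -> 20 % of the /var/wab partition size."""
    m = re.fullmatch(r"\s*(\d+)\s*(%|[kmg]i?b)?\s*", value, re.IGNORECASE)
    if not m:
        raise ValueError("bad size value: %r" % value)
    n, unit = int(m.group(1)), (m.group(2) or "").lower()
    return partition_size * n // 100 if unit == "%" else n * _SIZE_UNITS[unit]


def removal_steps(prefer_older_than, keep_critical_newer_than):
    """The eight removal steps of the guide, in order, as predicates on an Element.
    Reading of step 5 (assumption): critical sessions older than "Keep critical
    newer than" when that field is set, otherwise critical sessions older than 24h."""
    crit_limit = DAY if keep_critical_newer_than is None else keep_critical_newer_than

    def session(e, critical):
        return e.kind == "session" and e.critical == critical

    return [
        lambda e: e.kind == "archive" and e.age > DAY,
        lambda e: session(e, False) and e.age > prefer_older_than,
        lambda e: session(e, True) and e.age > prefer_older_than,
        lambda e: session(e, False) and e.age > DAY,
        lambda e: session(e, True) and e.age > crit_limit,
        lambda e: session(e, False) and e.age <= DAY,
        lambda e: e.kind == "archive" and e.age <= DAY,
        lambda e: session(e, True) and e.age <= DAY and keep_critical_newer_than is None,
    ]


def apply_retention(elements, free_space, target, prefer_older_than,
                    keep_critical_newer_than=None):
    """Remove elements step by step, oldest first within a step, until the
    free-space target is reached. Returns (names removed in order, free space)."""
    remaining = list(elements)
    removed = []
    for step in removal_steps(prefer_older_than, keep_critical_newer_than):
        if free_space >= target:
            break
        candidates = sorted((x for x in remaining if step(x)),
                            key=lambda x: x.age, reverse=True)
        for e in candidates:
            if free_space >= target:
                break
            remaining.remove(e)
            removed.append(e.name)
            free_space += e.size
    return removed, free_space


# Constructed sample: a 100 GiB /var/wab partition with 10 GiB free.
PARTITION = 100 * GIB
SAMPLE = [
    Element("arch_old",    "archive", False, 3 * DAY,  2 * GIB),
    Element("sess_nc_old", "session", False, 40 * DAY, 5 * GIB),
    Element("sess_c_old",  "session", True,  40 * DAY, 4 * GIB),
    Element("sess_nc_2d",  "session", False, 2 * DAY,  3 * GIB),
    Element("sess_c_2d",   "session", True,  2 * DAY,  3 * GIB),
    Element("sess_nc_new", "session", False, 3600,     1 * GIB),
    Element("arch_new",    "archive", False, 3600,     1 * GIB),
    Element("sess_c_new",  "session", True,  3600,     2 * GIB),
]


def demo(target_value, keep_critical):
    """Run the policy on SAMPLE with "Prefer sessions older than" = 30d."""
    target = free_space_target(target_value, PARTITION)
    keep = None if keep_critical is None else parse_age(keep_critical)
    return apply_retention(SAMPLE, 10 * GIB, target, parse_age("30d"), keep)


if __name__ == "__main__":
    print(demo("20%", "7d"))     # stops after the three oldest elements
    print(demo("26Gib", "7d"))   # sess_c_2d is kept: newer than 7d
    print(demo("26Gib", None))   # sess_c_2d removed at step 5 (older than 24h)
```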

15.20. Move local session recordings to remote storage

WALLIX Bastion automatically moves the recordings of recently terminated sessions from local
storage to remote storage. By default, this action is performed by a cron job scheduled to run every
5 minutes.

You can also execute the following script to perform this action manually:

# /opt/wab/bin/bastion-traceman -h

The option -h shows the help message listing the arguments which can be used to perform this
action.

The following subcommands can be used:

• info: displays the status of the available disk space on the remote storage

Syntax example for the info subcommand:

# bastion-traceman info

• move local: moves session recordings from the remote storage onto the local one

Syntax example for the move local subcommand:

# bastion-traceman move local

• move remote: moves session recordings from the local storage onto the remote one

Syntax example for the move remote subcommand:

# bastion-traceman move remote

The available selection criteria are the same as those which can be used to export and/or
purge session recordings manually, except for the options --local-storage and
--remote-storage. For further information, refer to Section 15.18, “Export and/or purge session
recordings manually”, page 284.

Note:
When the session recordings are moved, the related folders are deleted when they
become empty. The following folders are considered:

• /var/wab/recorded/ssh/<YYYY-MM-DD>
• /var/wab/recorded/rdp/<YYYY-MM-DD>
• /var/wab/remote/recorded/ssh/<YYYY-MM-DD>
• /var/wab/remote/recorded/rdp/<YYYY-MM-DD>

Note that the folder related to the current day is never deleted.

From the "Remote Storage" page on the "System" menu, you can configure the export
of session video recordings to an external file system. For further information, refer to
Section 8.8, “Remote storage”, page 51.

15.21. Re-import archived session recordings


You can execute the following script to re-import session recordings archived during the execution
of the WABSessionLogExport script:

# /opt/wab/bin/WABSessionLogImport -h

The option -h shows the help message listing the arguments which can be used to perform this
action.

It is possible to only list the content of the archive using option --list. The archive will not be
re-imported.

15.22. Check integrity of session log files


You can execute the following command to check the integrity of session log files stored in
/var/wab/:

# /opt/wab/bin/WABSessionLogIntegrityChecker -h

The option -h shows the help message listing the arguments which can be used to perform this
action.

The available trace selection criteria are the same as those which can be used to export and/or
purge session recordings manually. For further information, refer to Section 15.18, “Export and/or
purge session recordings manually”, page 284.

When notifications are enabled for integrity errors, the email summarizes errors for sessions older
than 3 days by default. It is however possible to set another value for this number of days. This
parameter can be managed via "Configuration" > "Configuration Options" > "Session log policy",
by entering a positive integer in the field "Summarize error older than" below section "Integrity
Checker". If "0" is entered in this field, then there is no error summary in the notification email.

15.23. Change target servers identification


When you connect to a target server via a secure protocol (such as RDP or SSH), WALLIX Bastion
will check that the certificate or key presented to the proxy by the server corresponds to the one
known for this server.

If this certificate or key is different, the WALLIX Bastion proxy will close the connection as it could
be considered as an attack. It is therefore necessary to inform WALLIX Bastion when this certificate
or key has been changed. To do so, you can delete the declared certificate or key on the device
and the new one will be automatically saved at the next access to the device through the RDP or
SSH proxy. For further information, refer to Section 10.1.1.7, “View and delete certificates or keys
on the device”, page 130.

15.24. Configure TLS options for LDAP external authentication

It is possible to configure the handshake algorithms and options allowed for the TLS session. These
parameters can be managed via "Configuration" > "Configuration Options" > "Global", by specifying
the allowed cipher suites, according to the syntax of the GnuTLS priority strings, in the field "Ldap
tls cipher suite". For further information regarding this syntax, refer to
https://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings.

Warning:
This field is displayed when the check box of the "Advanced options" field at the top right
of the page has been selected. It should ONLY be changed upon instructions from the
WALLIX Support Team!

15.25. Configure TLS client for SIEM integration


It is possible to configure the TLS client to allow the routing of information to network devices through
SIEM solutions by adding the file /etc/syslog-ng/conf.d/tls_siem.conf.

The following placeholders must be specified in the content of the file as described below:

• <SIEM_SERVER>
• <SIEM_PORT>
• <CA_DIR>
• <CLIENT_KEY>
• <CLIENT_CERT>

cat /etc/syslog-ng/conf.d/tls_siem.conf

# <SIEM_SERVER>, <CA_DIR>, <CLIENT_KEY> and <CLIENT_CERT> are string values and stay quoted;
# <SIEM_PORT> is a number.
destination d_rltp {
    syslog("<SIEM_SERVER>"
        transport("tls")
        port(<SIEM_PORT>)
        tls(
            peer-verify(required-trusted)
            ca_dir("<CA_DIR>")
            key_file("<CLIENT_KEY>")
            cert_file("<CLIENT_CERT>")
        )
    );
};
log {
    source(s_src);
    destination(d_rltp);
};

A TLS configuration can also be performed from the Web interface. For further information, refer
to Section 8.9, “SIEM integration”, page 52.

15.26. Change self-signed certificates of services

15.26.1. Change the certificate for the Web interface and the API

Replace the following certificate files in the directory /var/wab/apache2/ssl.crt:

• ca.crt (root authority certificate)

Note:
A new certificate generated as a .pem file must be converted into a .crt file before it is
placed in the directory.

• server.pem (public key)
• server.key (private key)
• and possibly crl.pem (certificate revocation list). If no certificate needs to be revoked, then do
not replace the default crl.pem file.

Once the files have been replaced, it may be necessary to restart the Apache service by entering
the following command:

# systemctl restart apache2

Note:
These files are also modified by applying the X509 authentication configuration
procedure. For further information, refer to Section 9.7, “X509 certificate authentication
configuration”, page 100.
If High-Availability is set, the directory into which the certificates are gathered is shared
between both nodes. The procedure is to be applied on the active node only.
You could later generate back a self-signed certificate with the following command:

# WABGuiCertificate selfsign -f

15.26.2. Change the RDP proxy certificate


To install your certificate, copy it to the Bastion in PEM format, together with its associated private
key. Then, on the SSH console (port 2242), execute the following command, replacing the parameters
with the full path of the corresponding files:

# rdpcert --key --inkey=./<2048_bit_rsa_private_key_file>.key --x509 --inx509=./<X509_certificate_file>.pem --force

Once the files have been replaced, restart RDP proxy by entering the following command:

# systemctl restart redemption

Note:
You could later generate back a self-signed certificate with the following command:

# rdpcert --key --force

15.26.3. Change the SSH proxy host key


To install your host key in RSA PEM format, copy it to WALLIX Bastion as the file
/var/wab/etc/ssh/server_rsa.key.

The host key must use the RSA algorithm; a minimum length of 4,096 bits is recommended.

To install your host key in ED25519 format, copy it to WALLIX Bastion as the file
/var/wab/etc/ssh/server_ed25519.key.

Note:
You can generate an SSH proxy host key on WALLIX Bastion by deleting the current host
keys and executing the generator script with the following command:

# rm /var/wab/etc/ssh/server_rsa.key
# rm /var/wab/etc/ssh/server_ed25519.key
# WABSshServerGenRsaKey.sh

15.27. Cryptographic configuration of services


15.27.1. Configure the security level to restore RDP protocol compatibility

Old RDP clients may not be compatible by default with WALLIX Bastion. However, we recommend
using a modern client instead, such as the MSTSC client from Windows Server 2008 R2 (at least),
to keep a satisfactory security level.

To restore compatibility and therefore allow connections, it is then necessary to perform the following
actions at the level of the RDP proxy configuration from the "Configuration Options" page on the
"Configuration" menu, below the "client" section:

• for clients under Windows Server 2000 or lower: select the option "Tls fallback legacy"
• for clients supporting TLS from Windows XP: allow the minimum supported version for TLS
protocol by entering "0" in the "Tls min level" field and delete the value in the "Ssl cipher list" field.

Warning:
We remind you that these actions will lower the security level of the WALLIX Bastion
services.

15.27.2. Configure the security level to restore SSH protocol compatibility

The cryptographic algorithms allowed by the SSH proxy can be declared by specifying them in the
following fields related to the SSH proxy configuration from the "Configuration Options" page on
the "Configuration" menu:

• below the "main" section: “Hostkeys”, “Client kex algos”, “Client cipher algos”, “Client integrity
algos”, “Client compression algos”
• below the "front_algorithms" section: “Dh modulus min size”

We recommend keeping the default configuration for these algorithms to ensure the highest security
level with SSH clients.

Warning:
These fields are displayed when the check box of the "Advanced options" field at the top
right of the page has been selected. They should ONLY be changed upon instructions
from the WALLIX Support Team!

15.27.3. Restore default cryptographic settings


To change the settings of the GUI Web server, edit the following file as described below:

# vim.tiny /etc/apache2/sites-enabled/wab-httpd.conf

1. Uncomment the following lines:

SSLProtocol TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH
2. Comment out all other lines with the same keys.

15.28. Update the CRL (Certificate Revocation List)

To update the CRL certificate, you can:

• either copy the file on the WALLIX Bastion in PEM format. Then, execute the following command:

# WABCRLFetch -f CRL_FILE

• or from the SSH console (port 2242), execute the following command replacing parameters by
the relevant data and the full path of the local CRL file:

client$ nc -l -p A_LOCAL_PORT -c "cat MY_LOCAL_CRL_FILE" &
client$ ssh -p 2242 -R A_WAB_PORT:localhost:LOCAL_PORT_ABOVE wabadmin@wab
wabadmin@wab$ super
wabsuper@wab$ nc localhost WAB_PORT_ABOVE|sudo /opt/wab/bin/WABCRLFetch [-n NAME]

Example:

client$ nc -l -p 43210 -c "cat wallix_crls/2020/wallix-2020-02-29.crl" &
client$ ssh -p 2242 -R 54321:localhost:43210 wabadmin@wab
wabadmin@wab$ super
wabsuper@wab$ nc localhost 54321|sudo /opt/wab/bin/WABCRLFetch -n wallix-2020-02-29.crl

Note:
The CRL files are stored in the directory /var/wab/apache2/ssl.crl/.

An uploaded file gathering several CRLs will be divided into several unit CRL files.

An uploaded CRL will only replace an old one if the number corresponding to the
“CRLNumber” is greater than or equal to the one of this former version.

This list can also be updated using the Web interface. For further information, refer to
Section 9.7.2, “CRL management”, page 101.


Chapter 16. REST API Web Services


WALLIX Bastion includes two APIs which can be used to provide an access to the resources and
also perform basic operations (such as data creation, update and deletion).
These APIs use a REST protocol based on JSON.

16.1. WALLIX Bastion REST API documentation


Documentation for the last version of this service (3.6) is available online at this address:

https://bastion_ip_address/api/doc

The changelog for this version is available online at this address:

https://bastion_ip_address/api/doc/APIChangelog.html

Documentation of version 3.5 is available online at this address:

https://bastion_ip_address/api/v3.5/doc

The changelog for version 3.5 is available online at this address:

https://bastion_ip_address/api/v3.5/doc/APIChangelog.html

Documentation of version 3.3 is available online at this address:

https://bastion_ip_address/api/v3.3/doc

The changelog for version 3.3 is available online at this address:

https://bastion_ip_address/api/v3.3/doc/APIChangelog.html

Note:
The REST API version 3.4 is deprecated and therefore no longer available for this version
of WALLIX Bastion.

16.2. SCIM REST API documentation


Documentation for the last version of this service (2.0) is available online at this address:

https://bastion_ip_address/scim/doc

16.3. REST API key management


A REST API key is required to authenticate a request.
From the “API keys” page of the “Configuration” menu, you can:

• list declared REST API keys
• generate/edit/delete a REST API key
• view the IP addresses from which the connection is authorized for a given key

Important:
Only the administrator whose profile includes all rights together with transferable rights
(such as the “product_administrator” profile) can view the “API keys” entry in the
“Configuration” menu.

For further information on how to search data and customize the layout in the tables of WALLIX
Bastion, refer to Section 6.5, “Managing data search, sort and layout customization in the tables
of the Web interface”, page 31.

16.3.1. Generate an API key


From the “API keys” page, click on the “+ Add” button to display the API key creation page.

The API key creation page consists of the following fields:

• the name to identify the API key
• the IP address from which the connection is authorized for this key. You can add several
authorized IP addresses for the key.

Once the fields are specified and applied, a window opens and displays the generated API key.

Warning:
After closing the window, it will no longer be possible to view the API key.

Figure 16.1. Page "API keys" - Key generation

16.3.2. Edit an API key


From the “API keys” page, click on an API key name to display the related modification page.

The fields of this page are the same as those on the API key creation page.

16.3.3. Delete an API key


From the “API keys” page, check the box at the beginning of the line(s) to select the related API
key(s) you wish to delete, then click on the “Delete” button. WALLIX Bastion displays a dialogue
box requesting a confirmation before permanently deleting the line(s).


Chapter 17. SIEM messages


WALLIX Bastion 9.0.2 uses syslog messages to send data to SIEM solutions from the system, but
also from actions on the Web interface or the RDP or SSH services.
The following sections list log examples and are not exhaustive.

17.1. Logs from authentication


Messages are formatted as follows:

[wabauth] action="authentify" user="[USER NAME]" client_ip="[USER IP ADDRESS]" status="[AUTHENTICATION STATUS]" infos="diagnostic [INFOS]"

The possible values for the “user” field are as follows:

• the user name when used as login
• the value “[unknown username]” if the user name is not used as login (as for example, when
authenticating through an X509 certificate or via a Kerberos ticket).

The possible values for the “status” field are as follows:

• “started”: the user identification step has been successful
• “success”: the authentication step has been successful
• “failure”: the authentication step has failed
• “cancel”: the user has requested to cancel the authentication attempt in progress

The stream provides messages for the events described in following sections.

17.1.1. Successful authentication


Example of successful local authentication:

[wabauth] action="authentify" user="user01" client_ip="10.10.10.10" status="started" infos="diagnostic [Authentication started: identified with local(LOCAL).]"
[wabauth] action="authentify" user="user01" client_ip="10.10.10.10" status="success" infos="diagnostic [Authentication success: identified with local(LOCAL).]"

Example of successful authentication from an LDAP directory:

[wabauth] action="authentify" user="user01" client_ip="10.10.10.10" status="started" infos="diagnostic [Authentication started: identified with external-auth-ad(LDAP).]"
[wabauth] action="authentify" user="user01" client_ip="10.10.10.10" status="success" infos="diagnostic [Authentication success: identified with external-auth-ad(LDAP), authentified with: external-auth-ad(LDAP).]"

17.1.2. Authentication failure


Example of failed authentication from an LDAP directory:

[wabauth] action="authentify" user="user01" client_ip="10.10.10.10" status="started" infos="diagnostic [Authentication started: identified with external-auth-ad(LDAP).]"
[wabauth] action="authentify" user="user01" client_ip="10.10.10.10" status="failure" infos="diagnostic [Authentication failed]"

17.1.3. Authentication cancellation (either by the client or by the user)

[wabauth] action="authentify" user="user01" client_ip="10.10.10.10" status="cancelled" infos="diagnostic [Authentication cancelled]"

17.2. Logs from WALLIX Bastion Web interface


Messages are formatted as follows:

[wabaudit] action="[ACTION]" type="[OBJTYPE]" object="[UID/CN/NAME]" user="[WHO]" infos="[INFOS]"

Example:

[wabaudit] action="edit" type="User" object="jdoe" user="admin" client_ip="192.168.140.1" infos="UserAuths [Add < win2k16.acme.net >]"

The stream provides messages for the various object types described in the following sections.
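A parser for the [wabauth] messages of Section 17.1 and the [wabaudit] messages of this section, as an added example that is not part of the guide or of WALLIX Bastion: it splits a message into its key="value" fields, then uses the result to flag clients with repeated authentication failures and to list the audited actions. The sample lines are constructed after the guide's examples, not a real capture.

```python
import re
from collections import Counter

# Messages look like: [tag] key="value" key="value" ...
# Values may hold spaces, brackets and angle brackets (see the infos and object
# fields in the examples) but no double quote, so a non-greedy quoted match is enough.
_TAG = re.compile(r"^\s*\[(\w+)\]\s*(.*)$")
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_message(line):
    """Return the message fields as a dict (plus "tag"), or None for other lines."""
    m = _TAG.match(line)
    if not m:
        return None
    tag, rest = m.groups()
    fields = dict(_KV.findall(rest))
    if not fields:
        return None
    fields["tag"] = tag
    return fields


def auth_failures_by_client(lines, threshold=3):
    """(client_ip, user) pairs with at least `threshold` status="failure" messages."""
    counts = Counter()
    for line in lines:
        msg = parse_message(line)
        if (msg and msg["tag"] == "wabauth" and msg.get("action") == "authentify"
                and msg.get("status") == "failure"):
            counts[(msg.get("client_ip"), msg.get("user"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def audit_actions(lines):
    """(user, action, type, object) for every wabaudit message, in log order."""
    out = []
    for line in lines:
        msg = parse_message(line)
        if msg and msg["tag"] == "wabaudit":
            out.append((msg.get("user"), msg.get("action"),
                        msg.get("type"), msg.get("object")))
    return out


# Constructed sample shaped after the guide's examples (not a real capture).
SAMPLE_LOG = [
    '[wabauth] action="authentify" user="user01" client_ip="10.10.10.10" status="started" infos="diagnostic [Authentication started: identified with local(LOCAL).]"',
    '[wabauth] action="authentify" user="user01" client_ip="10.10.10.10" status="success" infos="diagnostic [Authentication success: identified with local(LOCAL).]"',
    '[wabauth] action="authentify" user="user01" client_ip="10.10.10.20" status="started" infos="diagnostic [Authentication started: identified with external-auth-ad(LDAP).]"',
    '[wabauth] action="authentify" user="user01" client_ip="10.10.10.20" status="failure" infos="diagnostic [Authentication failed]"',
    '[wabauth] action="authentify" user="user01" client_ip="10.10.10.20" status="failure" infos="diagnostic [Authentication failed]"',
    '[wabauth] action="authentify" user="user01" client_ip="10.10.10.20" status="failure" infos="diagnostic [Authentication failed]"',
    '[wabauth] action="authentify" user="user01" client_ip="10.10.10.10" status="cancelled" infos="diagnostic [Authentication cancelled]"',
    '[wabaudit] action="edit" type="User" object="jdoe" user="admin" client_ip="192.168.140.1" infos="UserAuths [Add < win2k16.acme.net >]"',
    '[wabaudit] action="delete" type="Apikey" object="apikey_154954882800" user="ADMIN" client_ip="10.10.45.212" infos=""',
    "Feb  7 15:08:38 wab systemd[1]: unrelated line that must be ignored",
]

if __name__ == "__main__":
    print(auth_failures_by_client(SAMPLE_LOG))
    for entry in audit_actions(SAMPLE_LOG):
        print(entry)
```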

17.2.1. Object type: Account


Actions: add, edit, delete

Examples:

[wabaudit] action="add" type="Account" object="account_with_approval@DOMAIN_SIMPLE" user="admin" client_ip="10.10.45.212" infos="name [account_with_approval], login [account_with_approval], autoChangePassword [True], autoChangeSSHKey [True], isExternalVault [False]"
[wabaudit] action="edit" type="Account" object="account_154954837938@local1@application_154954837837" user="ADMIN" client_ip="10.10.45.212" infos=""
[wabaudit] action="delete" type="Account" object="account_154954844398@local1@application_154954844399" user="ADMIN" client_ip="10.10.45.212" infos=""

17.2.2. Object type: Account activity (Audit)


Action: list

Example:

[wabaudit] action="list" type="accountactivity" object="168c1c48f141e911005056b60af6" user="admin" client_ip="10.10.43.84" infos=""


17.2.3. Object type: Account history (Audit)


Action: list

Example:

[wabaudit] action="list" type="accounthistory" object="168c1c48f141e911005056b88ag7" user="admin" client_ip="10.10.43.84" infos=""

17.2.4. Object type: Answer from approval request


Action: add

Example:

[wabaudit] action="add" type="Answer" object="<Answer (uid: None, user: USER_APPROVER_1, approved: True, text: some comment)>" user="USER_APPROVER_1" client_ip="10.10.45.212" infos="username [USER_APPROVER_1], creation [2019-02-07 15:08:38.577548], text [some comment], approved [True]"

17.2.5. Object type: API key


Actions: add, delete

Examples:

[wabaudit] action="add" type="Apikey" object="apikey_154954880399" user="ADMIN" client_ip="10.10.45.212" infos="cn [apikey_154954880399], apikey [********], ipLimitation []"
[wabaudit] action="delete" type="Apikey" object="apikey_154954882800" user="ADMIN" client_ip="10.10.45.212" infos=""

17.2.6. Object type: Application


Actions: add, delete, edit

Examples:

[wabaudit] action="add" type="Application" object="APP_DUMMY" user="admin" client_ip="10.10.45.212" infos="target [account@local@DEVICE_DUMMY_WIN:RDP]"
[wabaudit] action="delete" type="Application" object="application_154954836612" user="ADMIN" client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="Application" object="application_154954842057" user="ADMIN" client_ip="10.10.45.212" infos=""

17.2.7. Object type: Application path


Actions: add, delete

Examples:

[wabaudit] action="add" type="Apppath" object="account@local@DEVICE_DUMMY_WIN:RDP[<C:\Program Files (x86)\Mozilla Firefox\firefox.exe>:<C:\>]" user="admin" client_ip="10.10.45.212" infos="program [C:\Program Files (x86)\Mozilla Firefox\firefox.exe], workingdir [C:\]"
[wabaudit] action="delete" type="Apppath" object="account_154954841440@local1@device_154954841439:rdp[<None>:<C:\Program Files (x86)\Mozilla Firefox\firefox.exe>]" user="ADMIN" client_ip="10.10.45.212" infos=""

17.2.8. Object type: Approval


Actions: add, delete, edit, list

Examples:

[wabaudit] action="add" type="Approval" object="<Approval(uid=\'168c849f0378d7f4005056b69255\', status=3, begin=2019-02-07 15:08:00, end=2019-02-07 15:18:00, quorum=1)>\n" user="user_154954851465" client_ip="10.10.45.212" infos="status [3], begin [2019-02-07 15:08:00], creation [2019-02-07 15:08:35.382824], duration [600], end [2019-02-07 15:18:00], username [user_154954851465], targetname [user_1@local@DEVICE_WITH_APPROVAL_OPTIONAL_COMMENT_AND_TICKET:SSH], quorum [1], email [notify@mydomain.com], language [en]"
[wabaudit] action="delete" type="Approval" object="<Approval(uid=\'168c849f0378d7f4005056b69255\', status=4, begin=2019-02-07 15:08:00, end=2019-02-07 15:18:00, quorum=1)>\n" user="OPERATOR" client_ip="127.0.0.1" infos=""
[wabaudit] action="edit" type="Approval" object="<Approval(uid=\'168c849fa6a347bd005056b69255\', status=1, begin=2019-02-07 15:08:00, end=2019-02-07 15:18:00, quorum=1)>\n" user="USER_APPROVER_1" client_ip="10.10.45.212" infos="status ['3' to '1']"
[wabaudit] action="list" type="Approval" user="ADMIN" client_ip="10.10.45.212" infos=""

17.2.9. Object type: Authorization


Actions: add, delete, edit

Examples:

[wabaudit] action="add" type="Authorization"
object="USER_GROUP_UNIX:DEVICE_GROUP_UNIX" user="admin"
client_ip="10.10.45.212" infos="cn [unix_group], targetGroupIdentifier
[DEVICE_GROUP_UNIX], isRecorded [True], isCritical [False], userAccess
[False], proxyAccess [True], subprotocols [SSH_SHELL_SESSION,
SSH_REMOTE_COMMAND, SSH_SCP_UP and 7 other(s)], approvalRequired
[False], hasComment [False], mandatoryComment [False], hasTicket [False],
mandatoryTicket [False], activeQuorum [0], inactiveQuorum [0]"


[wabaudit] action="delete" type="Authorization"
object="user_group_154954865272:target_group_154954865373" user="ADMIN"
client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="Authorization"
object="user_group_154954869778:target_group_154954869779" user="ADMIN"
client_ip="10.10.45.212" infos=""

17.2.10. Object type: Backup/Restore


Actions: backup, download, restore

Examples:

[wabaudit] action="backup" type="Backup/Restore" user="admin"
client_ip="192.168.0.12" infos="Backup ['wab-6.0-
cspn_2019-02-04_16-59-11.wbk' saved]"
[wabaudit] action="download" type="Backup/Restore" user="admin"
client_ip="192.168.0.12" infos="Backup ['wab-6.0-
cspn_2019-02-04_16-59-11.wbk' downloaded]"
[wabaudit] action="restore" type="Backup/Restore" user="admin"
client_ip="192.168.0.12" infos="Backup ['wab-6.0-
cspn_2019-02-04_16-59-11.wbk' restored]"

17.2.11. Object type: Checkout policy


Actions: add, delete, edit

Examples:

[wabaudit] action="add" type="CheckoutPolicy"
object="CHECKOUT_POLICY_LOCK" user="admin" client_ip="10.10.45.212"
infos="enableLock [True], duration [600], extension [0], maxDuration
[600], checkinChange [0]"
[wabaudit] action="delete" type="CheckoutPolicy"
object="checkout_policy_154954874456" user="ADMIN"
client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="CheckoutPolicy"
object="checkout_policy_154954875282" user="ADMIN"
client_ip="10.10.45.212" infos=""

17.2.12. Object type: Cluster


Actions: add, delete, edit

Examples:

[wabaudit] action="add" type="Cluster" object="cluster_154954837225"
user="ADMIN" client_ip="10.10.45.212" infos="member_targets
[account_154954837122@local1@device_154954837021:rdp,
account_154954837224@local1@device_154954837123:rdp]"


[wabaudit] action="delete" type="Cluster" object="cluster_154954875802"
user="ADMIN" client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="Cluster" object="cluster_154954878267"
user="ADMIN" client_ip="10.10.45.212" infos=""

17.2.13. Object type: Connection policy


Actions: add, edit, delete
Examples:
[wabaudit] action="add" type="ConnectionPolicy"
object="CONNECTION_POLICY_SSH_AGENT_FORWARDING" user="admin"
client_ip="10.10.45.212" infos="cn
[CONNECTION_POLICY_SSH_AGENT_FORWARDING], protocol [SSH], services
[], methods [PASSWORD_VAULT, PUBKEY_VAULT, PUBKEY_AGENT_FORWARDING
and 1 other(s)], Data [server_pubkey[server_pubkey_check]:
'1', server_pubkey[server_pubkey_create_message]: '1',
server_pubkey[server_access_allowed_message]: '0',
server_pubkey[server_pubkey_success_message]: '0',
server_pubkey[server_pubkey_failure_message]: '1',
server_pubkey[server_pubkey_store]: 'True', trace[log_all_kbd]: 'False',
startup_scenario[ask_startup]: 'False', startup_scenario[show_output]:
'True', startup_scenario[enable]: 'False', startup_scenario[timeout]:
'10', startup_scenario[scenario]: '', general[transformation_rule]:
'', session[inactivity_timeout]: '0', session[allow_multi_channels]:
'False', algorithms[kex_algos]: '', algorithms[compression_algos]: '',
algorithms[cipher_algos]: '', algorithms[integrity_algos]: '']"
[wabaudit] action="edit" type="ConnectionPolicy" object="SSH"
user="admin" client_ip="10.10.45.212" infos="methods [Add <
PASSWORD_VAULT, PUBKEY_VAULT, PASSWORD_INTERACTIVE and 1 other(s) >,
Remove < PUBKEY_VAULT, PASSWORD_MAPPING, PASSWORD_VAULT and 1 other(s)
>], Data [session[allow_multi_channels]: 'False' => 'on']"
[wabaudit] action="delete" type="ConnectionPolicy"
object="connection_policy_154954884812" user="ADMIN"
client_ip="10.10.45.212" infos=""

17.2.14. Object type: Credential change information


Actions: add, delete, edit
Examples:
[wabaudit] action="add" type="CredChgInfo" object="local1/None"
user="ADMIN" client_ip="10.10.45.212" infos="service_name ['None' to
'XE'], host ['None' to 'my.db.hostname'], port ['None' to '1234']"
[wabaudit] action="delete" type="CredChgInfo" object="<CredChgInfo(uid=
\'168c849848928a52005056b69255\')>\n" user="ADMIN"
client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="CredChgInfo" object="local1/None"
user="ADMIN" client_ip="10.10.45.212" infos=""


17.2.15. Object type: Password change policy


Actions: add, delete, edit
Examples:
[wabaudit] action="add" type="CredChgPolicy"
object="PASSWORD_CHANGE_POLICY" user="admin" client_ip="10.10.45.212"
infos="pwdLength [8], specialChars [1], changePeriod []"
[wabaudit] action="delete" type="CredChgPolicy"
object="password_change_policy_name_154954918141" user="ADMIN"
client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="CredChgPolicy"
object="password_change_policy_name_154954918865" user="ADMIN"
client_ip="10.10.45.212" infos=""

17.2.16. Object type: Device


Actions: add, delete, edit
Examples:
[wabaudit] action="add" type="Device" object="DEVICE_SSH_SHELL_SESSION"
user="admin" client_ip="10.10.45.212" infos="Host [10.10.45.148], Alias
[DEVICE_SSH_SHELL_SESSION_ALIAS]"
[wabaudit] action="delete" type="Device" object="device_154954886966"
user="ADMIN" client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="Device" object="device_154954892089"
user="ADMIN" client_ip="10.10.45.212" infos=""

17.2.17. Object type: Global domain


Actions: add, delete, edit
Examples:
[wabaudit] action="add" type="Globaldomain" object="DOMAIN_SIMPLE"
user="admin" client_ip="10.10.45.212" infos="cn [DOMAIN_SIMPLE], name
[DOMAIN_SIMPLE]"
[wabaudit] action="delete" type="Globaldomain"
object="global_domain_154954904181" user="ADMIN"
client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="Globaldomain"
object="global_domain_154954904486" user="ADMIN"
client_ip="10.10.45.212" infos="credchgplugin ['None' to 'Windows'],
credchgpolicy ['None' to 'default'], adminAccount ['None' to
'account_154954904487...']"

17.2.18. Object type: LDAP domain


Actions: add, delete, edit


Examples:

[wabaudit] action="add" type="Ldapdomain" object="DOMAIN_1" user="admin"
client_ip="10.10.45.212" infos="description [], ldapDomain [domain1],
defaultLanguage [en], defaultEmailDomain [wallix], groupAttribute
[memberOf], snAttribute [displayName], emailAttribute [mail],
languageAttribute [preferredLanguage], isDefaultDomain [True]"
[wabaudit] action="delete" type="Ldapdomain"
object="domain_154955334782" user="admin" client_ip="192.168.122.1"
infos=""
[wabaudit] action="edit" type="Ldapdomain" object="domain_154955334798"
user="admin" client_ip="10.10.45.212" infos="description ['some
description' to 'updated'], snAttribute ['' to 'updated']"

17.2.19. Object type: LDAP mapping


Actions: add, delete

Examples:

[wabaudit] action="add" type="LdapMapping" object="<DOMAIN_1,
OU=Group> in user_group_154954913825 GROUP" user="ADMIN"
client_ip="10.10.45.212" infos="ldapGroup [OU=Group], domain [DOMAIN_1],
group [user_group_154954913825]"
[wabaudit] action="delete" type="LdapMapping" object="<DOMAIN_1,
OU=Group> in user_group_154954913825 GROUP" user="ADMIN"
client_ip="10.10.45.212" infos=""

17.2.20. Object type: Local domain


Actions: add, delete, edit

Examples:

[wabaudit] action="add" type="Localdomain" object="local"
user="admin" client_ip="10.10.45.212" infos="cn [local], device
[DEVICE_SSH_SHELL_SESSION]"
[wabaudit] action="delete" type="Localdomain" object="local1"
user="ADMIN" client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="Localdomain" object="local1"
user="ADMIN" client_ip="10.10.45.212" infos="adminAccount ['None' to
'account_154954837938...']"

17.2.21. Object type: Notification


Actions: add, delete, edit

Examples:

[wabaudit] action="add" type="Notification"
object="notification_154955208543" user="ADMIN" client_ip="10.10.45.212"
infos="dest [notify@mydomain.com], flag [0], isNotificationEnable [True],
type [EMAIL]"
[wabaudit] action="delete" type="Notification"
object="notification_154955204621" user="ADMIN" client_ip="10.10.45.212"
infos=""
[wabaudit] action="edit" type="Notification"
object="notification_154955216694" user="ADMIN" client_ip="10.10.45.212"
infos="flag ['16' to '0']"

17.2.22. Object type: Period


Actions: add, delete
Examples:
[wabaudit] action="add" type="Period" object="<2030-01-01 to 2099-12-31 ,
00:00:00 to 23:59:00, 127>" user="ADMIN" client_ip="10.10.45.212"
infos="startDate [2030-01-01], endDate [2099-12-31], startTime
[00:00:00], endTime [23:59:00], weekmask [127]"
[wabaudit] action="delete" type="Period" object="<2010-01-01 to
2020-01-01 , 09:30:00 to 18:30:00, 124>" user="ADMIN"
client_ip="10.10.45.212" infos=""

17.2.23. Object type: Profile


Actions: add, delete, edit
Examples:
[wabaudit] action="add" type="Profile" object="PROFILE_IP_FORBIDDEN"
user="admin" client_ip="10.10.45.212" infos="ip_limitation [1.1.1.1],
habilitationFlag [1], groups_limitation [], groups_member []"
[wabaudit] action="delete" type="Profile" object="profile_154954924847"
user="ADMIN" client_ip="10.10.45.212" infos=""
[wabaudit] action="edit" type="Profile" object="profile_154954927022"
user="ADMIN" client_ip="10.10.45.212" infos=""

17.2.24. Object type: Local password policy


Action: edit
Example:
[wabaudit] action="edit" type="PwdPolicy" object="default" user="admin"
client_ip="10.10.45.212" infos="pwdMinLowerLetter ['1' to '0'],
rsaMinLength ['4096' to '1024']"

17.2.25. Object type: Recording options


Action: edit
Example:


[wabaudit] action="edit" type="Recording Options" user="admin"
client_ip="10.10.43.28" infos="Recording Options ['No encryption, with
checksum' to 'No encryption, no checksum']"

17.2.26. Object type: Restriction


Actions: add, delete

Examples:

[wabaudit] action="add" type="Restriction" object="<kill, Kill.
+Softly, SSH_SHELL_SESSION> in GROUP USER_GROUP_UNIX_KILL" user="admin"
client_ip="10.10.45.212" infos="action [kill], data [Kill.+Softly],
groups [USER_GROUP_UNIX_KILL], subprotocol [SSH_SHELL_SESSION]"
[wabaudit] action="delete" type="Restriction" object="<notify,
command_1, SSH_SHELL_SESSION> in GROUP ssh_grp" user="user_admin"
client_ip="1.1.1.1" infos=""

17.2.27. Object type: Service

Actions: add, delete, edit

Examples:

[wabaudit] action="add" type="Service"
object="DEVICE_SSH_SHELL_SESSION:SSH" user="admin"
client_ip="10.10.45.212" infos="protocol [SSH], port [22], subprotocols
[SSH_SHELL_SESSION], connectionPolicy [SSH]"
[wabaudit] action="delete" type="Service"
object="device_154954928856:ssh" user="ADMIN" client_ip="10.10.45.212"
infos=""
[wabaudit] action="edit" type="Service" object="device_154954931097:ssh"
user="ADMIN" client_ip="10.10.45.212" infos=""

17.2.28. Object type: Session logs


Action: list

Example:

[wabaudit] action="list" type="sessionlog" user="OPERATOR"
client_ip="127.0.0.1" infos="Current sessions"

17.2.29. Object type: Target group


Actions: add, delete, edit

Examples:

[wabaudit] action="add" type="Targetgroup" object="DEVICE_GROUP_UNIX"
user="admin" client_ip="10.10.45.212" infos="Users [], Targets
[__WIL__@am_il_domain@DEVICE_TELNET:TELNET,
__WAM__@am_il_domain@DEVICE_SSH_SCP_DOWN:SSH,
pubkey_account_without_password@local@DEVICE_SSH_FORWARDING:SSH and 35
other(s)], Profiles_limit [], Timeframes [allthetime]"
[wabaudit] action="delete" type="Targetgroup"
object="target_group_154954938767" user="ADMIN" client_ip="10.10.45.212"
infos=""
[wabaudit] action="edit" type="Targetgroup"
object="target_group_154954945465" user="ADMIN" client_ip="10.10.45.212"
infos="Description ['some desc' to 'some other desc']"

17.2.30. Object type: Time frame


Actions: add, delete, edit
Examples:
[wabaudit] action="add" type="TimeFrame" object="timeframe_154954856399"
user="ADMIN" client_ip="10.10.45.212" infos="description [],
isOvertimable [False]"
[wabaudit] action="delete" type="TimeFrame"
object="timeframe_154954953374" user="ADMIN" client_ip="10.10.45.212"
infos=""
[wabaudit] action="edit" type="TimeFrame"
object="timeframe_154954954305" user="ADMIN" client_ip="10.10.45.212"
infos=""

17.2.31. Object type: User


Actions: add, edit, delete
Examples:
[wabaudit] action="add" type="User" object="USER_IP_FORBIDDEN"
user="admin" client_ip="10.10.45.212" infos="email
[notify@mydomain.com], preferredLanguage [en], host [1.1.1.1], profile
[user], groups [USER_GROUP_UNIX], forceChangePwd [False], userPassword
[********], userauths [local]"
[wabaudit] action="edit" type="User" object="user_154954924239"
user="user_154954924239" client_ip="10.10.45.212" infos="email
['notify@mydomain.com...' to 'notify+1@mydomain.c...']"
[wabaudit] action="delete" type="User" object="UNKNOWN_USER" user="ADMIN"
client_ip="10.10.45.212" infos=""

17.2.32. Object type: External authentication


Actions: add, delete, edit
Examples:
[wabaudit] action="add" type="UserAuth" object="USER_AUTH_KERBEROS"
user="admin" client_ip="10.10.45.212" infos="wabAuthType [KERBEROS],
description [], port [88], host [10.10.45.148], kerDomControler
[DOMAIN.IFR.LAN]"

[wabaudit] action="delete" type="UserAuth"
object="auth_LDAP_154955198487" user="ADMIN" client_ip="10.10.45.212"
infos=""
[wabaudit] action="edit" type="UserAuth" object="auth_LDAP_154955202505"
user="ADMIN" client_ip="10.10.45.212" infos="description ['None' to
'updated while used b...']"

17.2.33. Object type: User group


Actions: add, delete, edit
Examples:
[wabaudit] action="add" type="Usergroup" object="USER_GROUP_UNIX"
user="admin" client_ip="10.10.45.212" infos="Users [], Profiles_limit [],
Timeframes [allthetime]"
[wabaudit] action="delete" type="Usergroup"
object="user_group_154954962345" user="ADMIN" client_ip="10.10.45.212"
infos=""
[wabaudit] action="edit" type="Usergroup"
object="user_group_154954965326" user="ADMIN" client_ip="10.10.45.212"
infos="Description ['some desc' to 'some other desc']"

17.2.34. Object type: X509 parameters (CRL)


Actions: add, delete, edit
Examples:
[wabaudit] action="add" type="X509 Parameters" user="admin"
client_ip="192.168.0.12" infos="CRL [url fetched hourly]"
[wabaudit] action="delete" type="X509 Parameters" user="admin"
client_ip="192.168.0.12" infos="CRL [deleted]"
[wabaudit] action="edit" type="X509 Parameters" user="admin"
client_ip="192.168.0.12" infos="CRL [file updated]"
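The object-type entries above (17.2.5 to 17.2.34) describe what each [wabaudit] record carries but not how to consume it. The following Python is an added example written for this guide, not part of the guide's own text nor of the WALLIX software: it splits a record into its key="value" fields, parses the infos field (whose values can contain commas and nested brackets, so a plain split on ", " is wrong), recognises the ['old' to 'new'] edit notation, and flags the configuration changes an operator would want to review. The sample records are the guide's own examples joined back onto one line each; the set of changes treated as review-worthy (weakened local password policy, recording options turned down, a backup restore, an authorization without recording, a new API key, allow_multi_channels enabled on a connection policy) is this example's own choice, not something the guide defines.

```python
import re
from typing import Dict, List, Optional, Tuple

# key="value" pairs; in this log format a value never contains a double quote
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# an edited attribute is logged as   name ['old' to 'new']
CHANGE_RE = re.compile(r"^'(.*)' to '(.*)'$")
# ConnectionPolicy "Data" entries:  section[key]: 'value'  (add)  or
#                                   section[key]: 'old' => 'new'  (edit)
MULTI_CHANNEL_RE = re.compile(r"session\[allow_multi_channels\]: (?:'[^']*' => )?'([^']*)'")


def parse_wabaudit(line: str) -> Dict[str, str]:
    """Split one [wabaudit] record into its key="value" fields."""
    return dict(KV_RE.findall(line))


def parse_infos(infos: str) -> Dict[str, str]:
    """Parse the infos field, 'name [value], name [value], ...'. Values may contain
    commas and nested brackets (e.g. Data [trace[log_all_kbd]: 'False', ...]), so a
    value is delimited by bracket depth rather than by splitting on ', '."""
    out: Dict[str, str] = {}
    i, n = 0, len(infos)
    while i < n:
        j = infos.find(" [", i)          # the name ends where its ' [' starts
        if j < 0:
            break
        name = infos[i:j].strip(" ,")
        depth, k = 0, j + 1
        while k < n:                     # k stops on the ']' that closes this value
            if infos[k] == "[":
                depth += 1
            elif infos[k] == "]":
                depth -= 1
                if depth == 0:
                    break
            k += 1
        out[name] = infos[j + 2:k]
        i = k + 1
    return out


def change(value: str) -> Optional[Tuple[str, str]]:
    """('old', 'new') if the value records an edit, else None."""
    m = CHANGE_RE.match(value)
    return (m.group(1), m.group(2)) if m else None


def review(rec: Dict[str, str]) -> List[str]:
    """Reasons this record deserves a second look; empty for routine changes.
    Which changes count as review-worthy is this example's choice, not the guide's."""
    action, typ = rec.get("action", ""), rec.get("type", "")
    info = parse_infos(rec.get("infos", ""))
    who = f"{rec.get('user')}@{rec.get('client_ip')}"
    alerts: List[str] = []
    if typ == "PwdPolicy" and action == "edit":          # a numeric minimum was lowered
        for name, value in info.items():
            chg = change(value)
            if chg and chg[0].isdigit() and chg[1].isdigit() and int(chg[1]) < int(chg[0]):
                alerts.append(f"{who} weakened local password policy: {name} {chg[0]} -> {chg[1]}")
    if typ == "Recording Options":                        # recording integrity/confidentiality
        chg = change(info.get("Recording Options", ""))
        if chg and ("no checksum" in chg[1].lower() or "no encryption" in chg[1].lower()):
            alerts.append(f"{who} set recording options to '{chg[1]}'")
    if typ == "Backup/Restore" and action == "restore":   # whole configuration replaced
        alerts.append(f"{who} restored a backup: {info.get('Backup')}")
    if typ == "Authorization" and action in ("add", "edit") and info.get("isRecorded") == "False":
        alerts.append(f"{who} created/edited unrecorded authorization {rec.get('object')}")
    if typ == "Apikey" and action == "add":               # the key itself is masked in the log
        alerts.append(f"{who} created API key {rec.get('object')}")
    if typ == "ConnectionPolicy":                         # several SSH channels per session
        m = MULTI_CHANNEL_RE.search(info.get("Data", ""))
        if m and m.group(1).lower() in ("on", "true", "1"):
            alerts.append(f"{who} enabled allow_multi_channels on policy {rec.get('object')}")
    return alerts


def audit(lines) -> List[str]:
    return [a for ln in lines if "[wabaudit]" in ln for a in review(parse_wabaudit(ln))]


# Sample input: records from this guide's examples, each joined back onto one line.
SAMPLE_LINES = [
    '''[wabaudit] action="edit" type="PwdPolicy" object="default" user="admin" client_ip="10.10.45.212" infos="pwdMinLowerLetter ['1' to '0'], rsaMinLength ['4096' to '1024']"''',
    '''[wabaudit] action="edit" type="Recording Options" user="admin" client_ip="10.10.43.28" infos="Recording Options ['No encryption, with checksum' to 'No encryption, no checksum']"''',
    '''[wabaudit] action="restore" type="Backup/Restore" user="admin" client_ip="192.168.0.12" infos="Backup ['wab-6.0-cspn_2019-02-04_16-59-11.wbk' restored]"''',
    '''[wabaudit] action="add" type="Authorization" object="USER_GROUP_UNIX:DEVICE_GROUP_UNIX" user="admin" client_ip="10.10.45.212" infos="cn [unix_group], targetGroupIdentifier [DEVICE_GROUP_UNIX], isRecorded [True], isCritical [False], userAccess [False], proxyAccess [True], subprotocols [SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, SSH_SCP_UP and 7 other(s)], approvalRequired [False]"''',
    '''[wabaudit] action="edit" type="ConnectionPolicy" object="SSH" user="admin" client_ip="10.10.45.212" infos="methods [Add < PASSWORD_VAULT, PUBKEY_VAULT, PASSWORD_INTERACTIVE and 1 other(s) >, Remove < PUBKEY_VAULT, PASSWORD_MAPPING, PASSWORD_VAULT and 1 other(s) >], Data [session[allow_multi_channels]: 'False' => 'on']"''',
    '''[wabaudit] action="delete" type="Device" object="device_154954886966" user="ADMIN" client_ip="10.10.45.212" infos=""''',
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_LINES):
        print(alert)
```

Running the block prints five alerts for the six sample records (two for the password policy edit, none for the recorded authorization or the device deletion). Feed it the syslog stream that carries the [wabaudit] records to turn the object-type reference above into a change-review feed.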

17.3. Logs from the SSH service


The SSH proxy log stream carries the messages for the events described in the following sections.

17.3.1. Flow of a successful session


17.3.1.1. Successful connection
sshproxy: [sshproxy] psid="15493629957933" type="INCOMING_CONNECTION"
src_ip="10.10.43.84" src_port="54446"
sshproxy: [sshproxy] psid="15493629957933" user="user01"
type="AUTHENTICATION_TRY"
pubkey_hash="2aab6ee7ace610650e14de24d318fa9defefe984377923e382daae6c4b648ebb"
method="SSH Key" pubkey_type="ssh-ed25519"


sshproxy: [sshproxy] psid="15493629957933" user="user01"
type="AUTHENTICATION_FAILED"
pubkey_hash="2aab6ee7ace610650e14de24d318fa9defefe984377923e382daae6c4b648ebb"
method="SSH Key" pubkey_type="ssh-ed25519"
sshproxy: [sshproxy] psid="15493629957933" user="user01"
type="AUTHENTICATION_TRY" method="Password"
wabengine: [wabauth] action="authentify" user="user01"
client_ip="10.10.43.84" status="started" infos="diagnostic
[Authentication started: identified with external-auth-ad(LDAP).]"
wabengine: [wabauth] action="authentify" user="user01"
client_ip="10.10.43.84" status="success" infos="diagnostic
[Authentication success: identified with external-auth-ad(LDAP),
authentified with: external-auth-ad(LDAP).]"
sshproxy: [sshproxy] psid="15493629957933" user="user01"
type="AUTHENTICATION_SUCCESS" method="Password"

Note:
The psid number is the same for all actions logged during the same session.

17.3.1.2. Display of the proxy selector


sshproxy: [sshproxy] psid="15493629957933" user="user01"
type="TARGET_CONNECTION" login="root" host="10.10.47.53"
sessionid="168bd3b417f437ae005056b60af6"
target="root@local@10.10.47.53:ssh:SSH_ALL" port="22"
sshproxy: [SSH Session] session_id="168bd3b417f437ae005056b60af6"
client_ip="10.10.43.84" target_ip="10.10.47.53" user="user01"
device="10.10.47.53" service="ssh" account="root"
type="SESSION_ESTABLISHED_SUCCESSFULLY"
sshproxy: [SSH Session] session_id="168bd3b417f437ae005056b60af6"
client_ip="10.10.43.84" target_ip="10.10.47.53" user="user01"
device="10.10.47.53" service="ssh" account="root" type="KBD_INPUT"
data="exit"
sshproxy: [sshproxy] psid="15493629957933" user="user01"
type="TARGET_DISCONNECTION" sessionid="168bd3b417f437ae005056b60af6"
target="root@local@10.10.47.53:ssh:SSH_ALL"

Note:
The psid number is the same for all actions logged during the same session.

17.3.1.3. Return to the proxy selector


sshproxy: [SSH Session] session_id="168bd3b417f437ae005056b60af6"
client_ip="10.10.43.84" target_ip="10.10.47.53" user="user01"
device="10.10.47.53" service="ssh" account="root"
type="SESSION_DISCONNECTION" duration="0:00:05"


sshproxy: [sshproxy] psid="15493629957933" user="user01"
type="DISCONNECTION"

Note:
The psid number is the same for all actions logged during the same session.

17.3.2. Flow of a connection failure: connection denied, machine is powered off or service unavailable

sshproxy: [sshproxy] psid="15493636508988" user="user01"
type="TARGET_CONNECTION" login="root" host="10.10.47.53"
sessionid="168bd4545a2dba16005056b60af6"
target="root@local@10.10.47.53:TELNET:SSH_ALL" port="23"
sshproxy: [SSH Session] session_id="168bd4545a2dba16005056b60af6"
client_ip="10.10.43.84" target_ip="10.10.47.53" user="user01"
device="10.10.47.53" service="TELNET" account="root"
type="CONNECTION_FAILED"
sshproxy: [sshproxy] psid="15493636508988" user="user01"
type="TARGET_CONNECTION_FAILED" reason="Connection failed" login="root"
host="10.10.47.53" target="root@local@10.10.47.53:TELNET:SSH_ALL"
port="23"
sshproxy: [sshproxy] psid="15493636508988" user="user01"
type="TARGET_DISCONNECTION" sessionid="168bd4545a2dba16005056b60af6"
target="root@local@10.10.47.53:TELNET:SSH_ALL"

Note:
The psid number is the same for all actions logged during the same session.

17.3.3. Flow of a connection failure: invalid target or access denied

Command entered by the user on the client:

ssh -t roota@local@10.10.47.53:ssh:SSH_ALL:user01@10.10.47.20

Resulting proxy log:

sshproxy: [sshproxy] psid="15493638619385" user="user01"
type="AUTHENTICATION_SUCCESS" method="Password"
sshproxy: [sshproxy] psid="15493638619385" user="user01"
type="TARGET_ERROR" reason="Invalid target"
target="roota@local@10.10.47.53:ssh:SSH_ALL"
sshproxy: [sshproxy] psid="15493638619385" user="user01"
type="DISCONNECTION"

Note:
The psid number is the same for all actions logged during the same session.


17.3.4. Successful session opening


[SSH Session] type="SESSION_ESTABLISHED_SUCCESSFULLY"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin"

17.3.5. Session opening failure

[SSH Session] type="CONNECTION_FAILED"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin"

17.3.6. Session disconnection

[SSH Session] type="SESSION_DISCONNECTION"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" duration="9:12:12"

Note:
The session duration format ("duration") is as follows:

h:mm:ss

"h": the number of hours, written without zero padding. It uses as many digits as the value needs (one digit below ten hours, two or three digits for longer sessions, as the examples show), so a parser must not assume a fixed width.

"mm": the number of minutes, always written on 2 digits

"ss": the number of seconds, always written on 2 digits

Examples:

duration="0:00:07"
duration="2:15:01"
duration="16:23:16"
duration="88:02:01"
duration="157:45:59"
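The flows in 17.3.1 to 17.3.6 show two identifiers: psid, shared by the [sshproxy] records of one client connection, and session_id, carried by the [SSH Session] records of one target session; the TARGET_CONNECTION record holds both (as sessionid) and is the only join point. The following Python is an added example, not code from the guide or from WALLIX: it parses the records, links each target session back to its psid, converts the h:mm:ss duration (with its unbounded hour field) to seconds, and produces simple triage hints. The sample records are the guide's own 17.3.1 and 17.3.3 flows joined back onto one line each; the triage thresholds are this example's assumptions, and note that the guide's own successful flow contains one rejected key before the password success, so a single failure before success is normal.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# key="value" pairs as used by both the [sshproxy] and [SSH Session] records
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# duration is h:mm:ss with an unbounded hour field ("157:45:59"), so strptime is unusable
DURATION_RE = re.compile(r"^(\d+):([0-5]\d):([0-5]\d)$")


def parse_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Return the bracketed source tag ('sshproxy' or 'SSH Session') and the fields."""
    m = re.search(r"\[([^\]]+)\]", line)
    return (m.group(1) if m else "", dict(KV_RE.findall(line)))


def duration_seconds(value: str) -> int:
    m = DURATION_RE.match(value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    h, mm, ss = (int(x) for x in m.groups())
    return h * 3600 + mm * 60 + ss


@dataclass
class ProxySession:
    psid: str
    user: Optional[str] = None
    src_ip: Optional[str] = None
    auth: List[str] = field(default_factory=list)      # "method:FAILED" / "method:SUCCESS"
    targets: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)  # KBD_INPUT data
    seconds: int = 0                                   # total time spent on targets


def correlate(lines) -> Dict[str, ProxySession]:
    """Group records by psid; [SSH Session] records are attached to their psid through
    the sessionid carried by the TARGET_CONNECTION record."""
    sessions: Dict[str, ProxySession] = {}
    owner: Dict[str, str] = {}          # session_id -> psid
    for line in lines:
        src, f = parse_line(line)
        t = f.get("type", "")
        if src == "sshproxy":
            s = sessions.setdefault(f["psid"], ProxySession(f["psid"]))
            s.user = f.get("user", s.user)
            if t == "INCOMING_CONNECTION":
                s.src_ip = f.get("src_ip")
            elif t in ("AUTHENTICATION_FAILED", "AUTHENTICATION_SUCCESS"):
                s.auth.append(f"{f.get('method')}:{t.rsplit('_', 1)[1]}")
            elif t == "TARGET_CONNECTION":
                s.targets.append(f["target"])
                owner[f["sessionid"]] = s.psid       # join point for [SSH Session] records
            elif t in ("TARGET_ERROR", "TARGET_CONNECTION_FAILED"):
                s.errors.append(f"{t}: {f.get('reason')} [{f.get('target')}]")
        elif src == "SSH Session" and f.get("session_id") in owner:
            s = sessions[owner[f["session_id"]]]
            if t == "KBD_INPUT":
                s.commands.append(f.get("data", ""))
            elif t == "SESSION_DISCONNECTION":
                s.seconds += duration_seconds(f["duration"])
    return sessions


def flags(s: ProxySession, max_failures: int = 3) -> List[str]:
    """Triage hints (threshold is an assumption of this example): a run of failed
    authentications from one client, or any target error such as 'Invalid target'."""
    out: List[str] = []
    failures = sum(a.endswith(":FAILED") for a in s.auth)
    if failures >= max_failures:
        out.append(f"{failures} failed authentications from {s.src_ip} for {s.user}")
    out.extend(s.errors)
    return out


# Sample input: the guide's successful flow (17.3.1) and invalid-target flow (17.3.3),
# each record joined back onto one line.
SAMPLE_LINES = [
    'sshproxy: [sshproxy] psid="15493629957933" type="INCOMING_CONNECTION" src_ip="10.10.43.84" src_port="54446"',
    'sshproxy: [sshproxy] psid="15493629957933" user="user01" type="AUTHENTICATION_FAILED" pubkey_hash="2aab6ee7ace610650e14de24d318fa9defefe984377923e382daae6c4b648ebb" method="SSH Key" pubkey_type="ssh-ed25519"',
    'sshproxy: [sshproxy] psid="15493629957933" user="user01" type="AUTHENTICATION_SUCCESS" method="Password"',
    'sshproxy: [sshproxy] psid="15493629957933" user="user01" type="TARGET_CONNECTION" login="root" host="10.10.47.53" sessionid="168bd3b417f437ae005056b60af6" target="root@local@10.10.47.53:ssh:SSH_ALL" port="22"',
    'sshproxy: [SSH Session] session_id="168bd3b417f437ae005056b60af6" client_ip="10.10.43.84" target_ip="10.10.47.53" user="user01" device="10.10.47.53" service="ssh" account="root" type="SESSION_ESTABLISHED_SUCCESSFULLY"',
    'sshproxy: [SSH Session] session_id="168bd3b417f437ae005056b60af6" client_ip="10.10.43.84" target_ip="10.10.47.53" user="user01" device="10.10.47.53" service="ssh" account="root" type="KBD_INPUT" data="exit"',
    'sshproxy: [sshproxy] psid="15493629957933" user="user01" type="TARGET_DISCONNECTION" sessionid="168bd3b417f437ae005056b60af6" target="root@local@10.10.47.53:ssh:SSH_ALL"',
    'sshproxy: [SSH Session] session_id="168bd3b417f437ae005056b60af6" client_ip="10.10.43.84" target_ip="10.10.47.53" user="user01" device="10.10.47.53" service="ssh" account="root" type="SESSION_DISCONNECTION" duration="0:00:05"',
    'sshproxy: [sshproxy] psid="15493629957933" user="user01" type="DISCONNECTION"',
    'sshproxy: [sshproxy] psid="15493638619385" user="user01" type="AUTHENTICATION_SUCCESS" method="Password"',
    'sshproxy: [sshproxy] psid="15493638619385" user="user01" type="TARGET_ERROR" reason="Invalid target" target="roota@local@10.10.47.53:ssh:SSH_ALL"',
    'sshproxy: [sshproxy] psid="15493638619385" user="user01" type="DISCONNECTION"',
]

if __name__ == "__main__":
    for psid, s in correlate(SAMPLE_LINES).items():
        print(psid, s.user, s.src_ip, s.auth, s.targets, s.commands, s.seconds, flags(s))
```

The wabengine [wabauth] records that interleave with these flows carry no psid and are simply ignored by the tag check; correlate them on user and client_ip if you need the external-authentication diagnostic next to the proxy view.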

17.3.7. Channel events


17.3.7.1. Open / Close X11 channel
[SSH Session] type="CHANNEL_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="Open X11 Channel"
channel_id="C0001"

[SSH Session] type="CHANNEL_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="Close X11 Channel"
channel_id="C0001"

17.3.7.2. Open / Close AuthAgent channel


[SSH Session] type="CHANNEL_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="Open AuthAgent
Channel" channel_id="C0001"

[SSH Session] type="CHANNEL_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="Close AuthAgent
Channel" channel_id="C0001"

17.3.7.3. Open / Close direct TCP/IP channel

[SSH Session] type="CHANNEL_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="Open Direct
TCPIP Channel" channel_id="C0001" src="127.0.0.1" src_port="45678"
dst="localhost" dst_port="1234"
[SSH Session] type="CHANNEL_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="Close Direct TCPIP
Channel" channel_id="C0001"

17.3.7.4. Open / Close reverse TCP/IP channel

[SSH Session] type="CHANNEL_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="Open Reverse
TCPIP Channel" channel_id="C0001" src="127.0.0.1" src_port="45678"
dst="localhost" dst_port="1234"
[SSH Session] type="CHANNEL_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="Close Reverse TCPIP
Channel" channel_id="C0001"

17.3.8. Request events


17.3.8.1. X11 request
[SSH Session] type="REQUEST_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="Request X11"

17.3.8.2. AuthAgent request


[SSH Session] type="REQUEST_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="Request AuthAgent"

17.3.8.3. Reverse TCP/IP socket request


[SSH Session] type="REQUEST_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="Request Reverse TCPIP
Socket"
[SSH Session] type="REQUEST_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="Cancel Reverse TCPIP
Socket"

17.3.9. Pattern detection on shell or remote command


[SSH Session] type="NOTIFY_PATTERN_DETECTED"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" pattern="tail"
[SSH Session] type="KILL_PATTERN_DETECTED"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" pattern="rm"
[SSH Session] type="WARNING_PATTERN_DETECTED"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" pattern="tail"

17.3.10. Command detection on Cisco devices


[SSH Session] type="NOTIFY_COMMAND_DETECTED"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.210" user="maint"
device="cisco" service="ssh" account="admin" command="access-template"
[SSH Session] type="KILL_COMMAND_DETECTED"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.210" user="maint"
device="cisco" service="ssh" account="admin" command="configure terminal"
[SSH Session] type="WARNING_COMMAND_DETECTED"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.210" user="maint"
device="cisco" service="ssh" account="admin" command="access-template"

17.3.11. SFTP actions


The actions are: stat, lstat, opendir, remove, mkdir, rmdir, rename, readlink, symlink, link, status.
[SSH Session] type="SFTP_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="lstat /home/admin/"

17.3.12. File size restriction on SFTP


[SSH Session] type="KILL_SIZELIMIT_DETECTED"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="Restriction: /var/
log/syslog file too big"
[SSH Session] type="NOTIFY_SIZELIMIT_DETECTED"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="Restriction: /var/
log/syslog file too big"

17.3.13. Beginning of file transfer on SFTP


[SSH Session] type="SFTP_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="get /var/log/syslog
begin"

17.3.14. End of file transfer on SFTP with file size and hash

[SSH Session] type="SFTP_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="get /
var/log/syslog done, length= 338079, sha256 =
711cf730055826274d76ebb0505e13973f69d1b55d81199385362f5f319e9453"

17.3.15. File size restriction on SCP


[SSH Session] type="KILL_SIZELIMIT_DETECTED"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="Restriction: /var/
log/syslog file too big"
[SSH Session] type="SCP Event" session_id="sssss" user="uuuuu"
device="ddddd" service="SSSSS" account="aaaaa" data="Kill Restriction:
<filename> file too big"


17.3.16. Beginning of file transfer on SCP


[SSH Session] type="SCP_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="get /var/log/syslog
begin"

17.3.17. End of file transfer on SCP with file size and hash

[SSH Session] type="SCP_EVENT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="get /
var/log/syslog done, length= 338079, sha256 =
711cf730055826274d76ebb0505e13973f69d1b55d81199385362f5f319e9453"

17.3.18. User typed keyboard input

[SSH Session] type="KBD_INPUT"
session_id="002ac1d68450742e1928b88df3ca15385d710b33"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="admin" data="ls -al"

17.3.19. Export group membership for target account in session metadata

[SSH Session] type="GROUP_MEMBERSHIP" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="debian" service="ssh" account="tartempion" groups="foo,bar,mod"

Note:
This can be enabled by selecting the option "Log group membership" below the "trace"
section on the configuration page related to the connection policy for the SSH protocol.
This page can be accessed from "Session Management" > "Connection Policies".

17.3.20. File verification by ICAP server


17.3.20.1. Verification of a valid file

[SSH Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="sshd"
account="doe" type="FILE_VERIFICATION" direction="UP" filename="/home/
doe/viruses/abc" status="OK"

17.3.20.2. Verification of an invalid file

[SSH Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="sshd"
account="doe" type="FILE_VERIFICATION" direction="UP" filename="/home/
doe/viruses/abc" status="Forbidden"

Note:
The status string is the one returned by the ICAP server and therefore varies from one ICAP server to another; do not match on "Forbidden" alone.

17.3.20.3. Connection error to the ICAP server

[SSH Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="sshd"
account="doe" type="FILE_VERIFICATION_ERROR" icap_service="avscan"
status="Unable to connect to ICAP server"

17.4. Logs from the RDP service


The RDP proxy log stream carries the messages for the events described in the following sections.

17.4.1. Flow of a connection failure: connection denied, machine is powered off or service unavailable

rdpproxy: [rdpproxy] psid="154937229523480" user="user01@Active Directory
Domain" type="TARGET_CONNECTION" target="Administrator" host="1.1.1.1"
port="3389"
rdpproxy: [rdpproxy] psid="154937229523480" user="user01@Active
Directory Domain" type="TARGET_CONNECTION_FAILED" target="Administrator"
host="1.1.1.1" port="3389" reason="All trials done"
rdpproxy: [RDP Session] session_id="168bdc90a110d2b5005056b60af6"
client_ip="10.10.43.84" target_ip="1.1.1.1" user="user01@Active
Directory Domain" device="win_Invalid" service="RDP"
account="Administrator" type="CONNECTION_FAILED"

Note:
The psid number is the same for all actions logged during the same session.

17.4.2. Flow of a connection failure: invalid target or access denied

rdpproxy: [rdpproxy] psid="15496397758462" type="INCOMING_CONNECTION"
src_ip="10.10.43.84" src_port="35302"

rdpproxy: [rdpproxy] psid="15496397758462" user="user01"
type="AUTHENTICATION_TRY" method="Password"

wabengine: [wabauth] action="authentify" user="user01"
client_ip="10.10.43.84" status="success" infos="diagnostic [\'Active
Directory\' -password- authentication succeeded]"

wabengine: [wabauth] action="authentify" user="user01"
client_ip="10.10.43.84" status="started" infos="diagnostic
[Authentication started: identified with external-auth-ad(LDAP).]"


wabengine: [wabauth] action="authentify" user="user01"
client_ip="10.10.43.84" status="success" infos="diagnostic
[Authentication success: identified with external-auth-ad(LDAP),
authentified with: external-auth-ad(LDAP).]"

rdpproxy: [rdpproxy] psid="15496397758462" user="user01"
type="AUTHENTICATION_SUCCESS" method="Password"

rdpproxy: [rdpproxy] psid="15496397758462" user="user01"
type="TARGET_ERROR" target="Administrator@local" reason="Target not found
in user rights"

rdpproxy: [rdpproxy] psid="15496397758462" user="user01" type="LOGOUT"

rdpproxy: [rdpproxy] psid="15496397758462" type="DISCONNECT"

Note:
The psid number is the same for all actions logged during the same session.

17.4.3. Successful session opening


[RDP Session] type="SESSION_ESTABLISHED_SUCCESSFULLY"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance"

17.4.4. Upload file via clipboard


[RDP Session] type="CB_COPYING_PASTING_FILE_TO_REMOTE_SESSION"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8"
service="rdp" account="Maintenance" file_name="20160725-183530_659.log"
size="42816744"
sha256="5933e6ca43514b5b4108ca07be7b040f161c5331b4455449a204cc9c502f9c0a"

17.4.5. Download file via clipboard


[RDP Session] type="CB_COPYING_PASTING_FILE_FROM_REMOTE_SESSION"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8"
service="rdp" account="Maintenance" file_name="20160725-183530_659.log"
size="42816744"
sha256="45d6f2826b24d69faed524e5f42020c917e29c9deaf162845f7c441b0d5561d8"

17.4.6. Upload data via clipboard (such as image, sound, etc. except Unicode text format or local data)

[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" type="CB_COPYING_PASTING_DATA_TO_REMOTE_SESSION"
format="Preferred DropEffect" size="4"


17.4.7. Download data via clipboard (such as image, sound, etc. except Unicode text format or local data)

[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" type="CB_COPYING_PASTING_DATA_FROM_REMOTE_SESSION"
format="Preferred DropEffect" size="4"

17.4.8. Upload data via clipboard (such as Unicode text format or local data)

[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance"
type="CB_COPYING_PASTING_DATA_TO_REMOTE_SESSION_EX"
format="CF_UNICODETEXT" size="32" partial_data="This is a test!"

17.4.9. Download data via clipboard (such as Unicode text format or local data)

[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance"
type="CB_COPYING_PASTING_DATA_FROM_REMOTE_SESSION_EX"
format="CF_UNICODETEXT" size="32" partial_data="This is a test!"

17.4.10. Reading workstation file from server

17.4.10.1. Non-sequential or partial access to the file

[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" type="DRIVE_REDIRECTION_READ" file_name="home/out.txt"

17.4.10.2. Sequential or full access to the file

[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" type="DRIVE_REDIRECTION_READ_EX" file_name="home/out.txt" size="4281"
sha256="5933e6ca43514b5b4108ca07be7b040f161c5331b4455449a204cc9c502f9c0a"

17.4.11. Writing workstation file by server

17.4.11.1. Non-sequential or partial access to the file

[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"


account="Maintenance" type="DRIVE_REDIRECTION_WRITE" file_name="home/out.txt"

17.4.11.2. Sequential or full access to the file

[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8"
service="rdp" account="Maintenance" type="DRIVE_REDIRECTION_WRITE_EX"
file_name="home/out.txt" size="5423"
sha256="45d6f2826b24d69faed524e5f42020c917e29c9deaf162845f7c441b0d5561d8"

17.4.12. Target disconnected the session


[RDP Session] type="SESSION_DISCONNECTION" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance" duration="9:12:12"

Note:
The session duration field ("duration") has the following format:

h:mm:ss

"h": the number of hours, written without zero padding (a single digit for 0 to 9, more digits for longer sessions)

"mm": the number of minutes, always written on 2 digits

"ss": the number of seconds, always written on 2 digits

Examples:

duration="0:00:07"
duration="2:15:01"
duration="16:23:16"
duration="88:02:01"
duration="157:45:59"

17.4.13. Session ended by proxy


[RDP Session] type="SESSION_DISCONNECTION" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance" duration="9:12:12"

Note:
The session duration field ("duration") has the following format:

h:mm:ss

"h": the number of hours, written without zero padding (a single digit for 0 to 9, more digits for longer sessions)

"mm": the number of minutes, always written on 2 digits

"ss": the number of seconds, always written on 2 digits


Examples:

duration="0:00:07"
duration="2:15:01"
duration="16:23:16"
duration="88:02:01"
duration="157:45:59"

17.4.14. Session ending in progress


[RDP Session] type="SESSION_ENDING_IN_PROGRESS"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance"

Note:
This message is logged when the session takes so long to end that it exceeds the RDP proxy
timeout.

17.4.15. Window title bars as detected by the Session Probe


Data can contain the title and the process command line.

[RDP Session] type="TITLE_BAR" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance" source="Probe"
window="out.txt - Bloc-notes"

17.4.16. Window title bars as detected by OCR


[RDP Session] type="TITLE_BAR" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance" source="OCR"
window="out.txt - Bloc-notes"

17.4.17. User typed keycodes translated using the current layout

[RDP Session] type="KBD_INPUT" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance" data=" to connect to
remote TCP host."

17.4.18. Click on a button in a window


The message contains the window title and the button name.

[RDP Session] type="BUTTON_CLICKED" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"


device="win2k8" service="rdp" account="Maintenance" windows="\"Bloc-notes\",\"\",\"\""
button="Ne pas en&registrer'"

17.4.19. Text edited in a text field of a window

The message contains the window title and the text field name.

[RDP Session] type="EDIT_CHANGED" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance"
windows="\"Propriétés de : id.txt\",\"Général\"" edit="Nom du fichier :"

17.4.20. Focus in and out on a password text box


[RDP Session] type="PASSWORD_TEXT_BOX_GET_FOCUS"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" status="yes"

17.4.21. Focus in and out on an unidentified input field


[RDP Session] type="UNIDENTIFIED_INPUT_FIELD_GET_FOCUS"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" status="yes"

17.4.22. New active windows detected by the Session Probe


The message contains the window title, the window class name and the process command line.

[RDP Session] type="FOREGROUND_WINDOW_CHANGED"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8"
service="rdp" account="Maintenance" text="PuTTY Configuration"
class_name="PuTTYConfigBox" command_line="\"C:\\Users\\Maintenance\\Desktop\\putty.exe\""

17.4.23. Change of keyboard layout


The message contains the sub-language name.

[RDP Session] type="INPUT_LANGUAGE" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance" identifier="0x040C"
display_name="French (France)"

17.4.24. Creation of a new process


[RDP Session] type="NEW_PROCESS" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance"
command_line="C:\\Windows\\system32\\DllHost.exe /Processid:{49F171DD-B51A-40D3-9A6C-2D674CC729D}"


17.4.25. Process ended


[RDP Session] type="COMPLETED_PROCESS" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance"
command_line="C:\\Windows\\system32\\TSTheme.exe -Embedding"

17.4.26. Process blocked


[RDP Session] type="PROCESS_BLOCKED" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance" rule="$deny:cmd"
app_name="cmd.exe" app_cmd_line="\"C:\\Windows\\system32\\cmd.exe\" "

17.4.27. VNC session initiated


[VNC Session] type="SESSION_ESTABLISHED_SUCCESSFULLY"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.210" user="maint" device="win2k3" service="vnc"
account="vncuser"

17.4.28. VNC session ended


[VNC Session] type="SESSION_DISCONNECTION" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.210" user="maint"
device="win2k3" service="vnc" account="vncuser" duration="9:12:12"

Note:
The session duration field ("duration") has the following format:

h:mm:ss

"h": the number of hours, written without zero padding (a single digit for 0 to 9, more digits for longer sessions)
"mm": the number of minutes, always written on 2 digits
"ss": the number of seconds, always written on 2 digits
Examples:

duration="0:00:07"
duration="2:15:01"
duration="16:23:16"
duration="88:02:01"
duration="157:45:59"

17.4.29. UAC prompt displayed


[RDP Session] type="UAC_PROMPT_BECOME_VISIBLE"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" status="yes"


17.4.30. X509 server certificate match


[RDP Session] type="SERVER_CERTIFICATE_MATCH_SUCCESS"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" description="X.509 server certificate match"

17.4.31. Connection to server allowed

[RDP Session] type="CERTIFICATE_CHECK_SUCCESS"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" description="Connexion to server allowed"

17.4.32. New X509 certificate created

[RDP Session] type="SERVER_CERTIFICATE_NEW" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance" description="New
X.509 certificate created"

17.4.33. X509 server certificate match failure

[RDP Session] type="SERVER_CERTIFICATE_MATCH_FAILURE"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" description="X.509 server certificate match
failure"

17.4.34. X509 server certificate internal error

[RDP Session] type="SERVER_CERTIFICATE_ERROR"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" description="X.509 server certificate internal
error: \"No such file or directory\""

17.4.35. Kerberos ticket creation


[RDP Session] type="KERBEROS_TICKET_CREATION"
encryption_type="AES256_CTS_HMAC_SHA1_96(18)"
client_name="user01@mydomain.com" server_name="host/ad01.mydomain.com@MYDOMAIN.COM"
start_time="2018/12/05 17:51:56" end_time="2018/12/06 03:51:56" renew_time="2018/12/12 17:51:56"
flags="[name_canonicalize | ok_as_delegate | pre_authent | renewable |
forwardable](0x40a50000)"

17.4.36. Kerberos ticket deletion


[RDP Session] type="KERBEROS_TICKET_DELETION"
encryption_type="AES256_CTS_HMAC_SHA1_96(18)"
client_name="user01@mydomain.com" server_name="host/ad01.mydomain.com@MYDOMAIN.COM"
start_time="2018/12/05 17:51:56" end_time="2018/12/06 03:51:56" renew_time="2018/12/12 17:51:56"
flags="[name_canonicalize | ok_as_delegate | pre_authent | renewable |
forwardable](0x40a50000)"

17.4.37. State of check boxes in metadata collected by the Session Probe

The message contains the state of a check box once an action has been performed.

[RDP Session] type="CHECKBOX_CLICKED" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance" windows="\"Remote
Desktop Connection\",\"\",\"\"" checkbox="Allow me to save credentials'"
state="checked"

The possible values for the "state" field are as follows:

• "checked": the check box is selected
• "indeterminate": the check box is in an intermediate state, which occurs when the check box has three
possible states
• "unchecked": the check box is deselected
• "unavailable": the state of the check box could not be read

17.4.38. Web navigation data collected from the Session Probe

Data can be collected from the following browsers: Internet Explorer, Microsoft Edge, Mozilla Firefox
and Google Chrome.

[RDP Session] type="WEB_BEFORE_NAVIGATE" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance" url="https://fr.wikipedia.org/" post="no"

[RDP Session] type="WEB_DOCUMENT_COMPLETE" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance" url="https://fr.wikipedia.org/"
title="Wikipédia, l'encyclopédie libre"

[RDP Session] type="WEB_NAVIGATE_ERROR" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance" url="https://fr.wikipedia.org/todoist"
title="Not found" code="404" display_name="NOT_FOUND"

[RDP Session] type="WEB_ENCRYPTION_LEVEL_CHANGED"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" identifier="6" display_name="Secure128Bit"

[RDP Session] type="WEB_ATTEMPT_TO_PRINT" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"


device="win2k8" service="rdp" account="Maintenance" url="https://fr.wikipedia.org/"
title="Wikipédia, l'encyclopédie libre"

[RDP Session] type="WEB_THIRD_PARTY_URL_BLOCKED"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" url="https://www.download.org/"

[RDP Session] type="WEB_PRIVACY_IMPACTED" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance" impacted="no"

[RDP Session] type="WEB_NAVIGATION" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance" url="https://fr.wikipedia.org/"
Data related to this last message cannot be collected from Internet Explorer.

17.4.39. Export group membership for target account in session metadata

[RDP Session] type="GROUP_MEMBERSHIP" session_id="SESSIONID-0000"
client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint"
device="win2k8" service="rdp" account="Maintenance"
groups="None,All,Users,Remote Desktop Users,REMOTE INTERACTIVE
LOGON,INTERACTIF,LOCAL"

17.4.40. File verification by ICAP server

17.4.40.1. Verification of a valid file

[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="doe" type="FILE_VERIFICATION" direction="UP" filename="/home/doe/viruses/abc" status="OK"

17.4.40.2. Verification of an invalid file

[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="doe" type="FILE_VERIFICATION" direction="UP" filename="/home/doe/viruses/abc" status="Forbidden"

Note:
The status may change depending on the ICAP server.

17.4.40.3. Verification of a valid text transferred from the copy/paste function via the clipboard

[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"


account="doe" type="TEXT_VERIFICATION" direction="UP" copy_id="003"
status="OK"

17.4.40.4. Verification of an invalid text transferred from the copy/paste function via the clipboard

[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="doe" type="TEXT_VERIFICATION" direction="UP" copy_id="005"
status="OK"

17.4.40.5. Connection error to the ICAP server

[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="doe" type="FILE_VERIFICATION_ERROR" icap_service="avscan"
status="Unable to connect to ICAP server"

17.4.41. Opening of dynamic virtual channel


17.4.41.1. Dynamic virtual channel allowed
[RDP Session] type="DYNAMIC_CHANNEL_CREATION_ALLOWED"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" channel_name="SocksChannel"

17.4.41.2. Dynamic virtual channel rejected


[RDP Session] type="DYNAMIC_CHANNEL_CREATION_REJECTED"
session_id="SESSIONID-0000" client_ip="192.168.1.10"
target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp"
account="Maintenance" channel_name="SocksChannel"

17.5. Logs from the system


The stream provides messages for the activities described in the following sections.

17.5.1. Integrity of session log files


17.5.1.1. Integrity check successful
[integrity] session_uid="168bd4814f18ce92005056b60af6" status="OK"
type="SSH_SHELL_SESSION" user="user01@Active Directory
Domain@10.10.43.84" target="root@local@10.10.47.53:ssh" begin="2019-02-05
11:50:44" end="2019-02-05 11:50:49"

[integrity] session_uid="168bd4dbaf97a9fd005056b60af6" status="OK"
type="RDP" user="user01@Active Directory Domain@10.10.43.84"
target="Administrator@local@winAD:rdp" begin="2019-02-05 11:56:55"
end="2019-02-05 11:57:26"


17.5.1.2. Integrity error: session log file corrupted


[integrity] session_uid="168bdad7ef8916bd005056b60af6" status="failed"
type="RDP" user="user01@Active Directory Domain@10.10.43.84"
target="Administrator@local@winAD:rdp" begin="2019-02-05 13:41:31"
end="2019-02-05 13:41:43" files=[
"/var/wab/recorded/rdp/168bdad7ef8916bd005056b60af6,user01@ActiveDirectoryDomain@10.10.43.84,Adminis
DEV,2131.log",
"/var/wab/recorded/rdp/168bdad7ef8916bd005056b60af6,user01@ActiveDirectoryDomain@10.10.43.84,Adminis
DEV,2131.mwrm" ]
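A parser and triage pass over these message formats, covering the key="value" lines of the RDP/SSH session streams in section 17.4 and the [integrity] lines above; it is an added example, not code from the WALLIX product or this guide. The sample lines are constructed after the guide's examples, and the severity levels and reason texts are the example's own choices, not a WALLIX classification.

```python
"""Parse and triage WALLIX Bastion session/system log lines.

Added example, not code from the WALLIX product or its documentation. It only
relies on field names shown in the guide's examples; the severities and reason
texts are this example's own constructed triage choices.
"""
import re
from typing import Dict, List, Optional, Tuple

# One key=value pair: "double" or 'single' quoted, with backslash escapes such
# as \" or \\ inside the value (as in the command_line and windows fields).
_PAIR_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\')')
# Optional "process:" prefix, then the bracketed stream name, then the pairs.
_PREFIX_RE = re.compile(r'^(?:[\w-]+:\s*)?\[([^\]]+)\]\s*(.*)$')
# duration is h:mm:ss with unpadded hours and two-digit minutes and seconds.
_DURATION_RE = re.compile(r'^(\d+):([0-5]\d):([0-5]\d)$')

# Event types that deserve a SOC ticket, with constructed reason texts.
_ALERT_TYPES = {
    "PROCESS_BLOCKED": "process launch blocked by a Session Probe rule",
    "SERVER_CERTIFICATE_MATCH_FAILURE": "target certificate differs from the stored one",
    "SERVER_CERTIFICATE_ERROR": "target certificate could not be checked",
    "DYNAMIC_CHANNEL_CREATION_REJECTED": "dynamic virtual channel rejected by policy",
    "TARGET_CONNECTION_FAILED": "target connection failed after all retries",
    "TARGET_ERROR": "user requested a target outside their rights",
}


def _unescape(raw: str) -> str:
    # Turn \" into " and \\ into \ so the field holds the literal value.
    return re.sub(r"\\(.)", r"\1", raw)


def parse_line(line: str) -> Dict[str, str]:
    """Return the fields of one line; the bracketed stream name is '_stream'."""
    m = _PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a WALLIX log line: {line!r}")
    fields = {"_stream": m.group(1)}
    for key, dq, sq in _PAIR_RE.findall(m.group(2)):
        fields[key] = _unescape(dq if dq else sq)
    return fields


def parse_duration(value: str) -> int:
    """Convert the h:mm:ss duration field to seconds (157:45:59 is valid)."""
    m = _DURATION_RE.match(value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def triage(fields: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for lines worth an alert, else None."""
    etype = fields.get("type", "")
    if fields["_stream"] == "integrity":
        # A corrupted or altered recording can no longer serve as evidence.
        if fields.get("status") != "OK":
            return ("high", "session recording integrity check failed")
        return None
    if etype in ("FILE_VERIFICATION", "TEXT_VERIFICATION") and fields.get("status") != "OK":
        return ("medium", f"ICAP rejected a {fields.get('direction')} transfer: {fields.get('status')}")
    if etype == "FILE_VERIFICATION_ERROR":
        return ("high", f"ICAP service {fields.get('icap_service')} unreachable, verification not performed")
    if etype in _ALERT_TYPES:
        return ("medium", _ALERT_TYPES[etype])
    if etype == "SESSION_DISCONNECTION" and parse_duration(fields["duration"]) >= 8 * 3600:
        return ("low", "session lasted 8 hours or more")
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Run triage over a list of lines; returns (line_no, type, severity, reason)."""
    findings = []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        fields = parse_line(line)
        hit = triage(fields)
        if hit:
            findings.append((number, fields.get("type", fields["_stream"]), hit[0], hit[1]))
    return findings


# Constructed sample lines mirroring the formats shown in the guide.
SAMPLE_LINES = [
    r'[RDP Session] type="SESSION_ESTABLISHED_SUCCESSFULLY" session_id="SESSIONID-0000" client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp" account="Maintenance"',
    r'[RDP Session] type="PROCESS_BLOCKED" session_id="SESSIONID-0000" client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp" account="Maintenance" rule="$deny:cmd" app_name="cmd.exe" app_cmd_line="\"C:\\Windows\\system32\\cmd.exe\" "',
    r'[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp" account="doe" type="FILE_VERIFICATION" direction="UP" filename="/home/doe/viruses/abc" status="Forbidden"',
    r'[RDP Session] session_id="SESSIONID-0000" client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp" account="doe" type="FILE_VERIFICATION_ERROR" icap_service="avscan" status="Unable to connect to ICAP server"',
    r'rdpproxy: [rdpproxy] psid="15496397758462" user="user01" type="TARGET_ERROR" target="Administrator@local" reason="Target not found in user rights"',
    r'[RDP Session] type="SESSION_DISCONNECTION" session_id="SESSIONID-0000" client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp" account="Maintenance" duration="9:12:12"',
    r'[integrity] session_uid="168bdad7ef8916bd005056b60af6" status="failed" type="RDP" user="user01@Active Directory Domain@10.10.43.84" target="Administrator@local@winAD:rdp" begin="2019-02-05 13:41:31" end="2019-02-05 13:41:43"',
    r'[RDP Session] type="BUTTON_CLICKED" session_id="SESSIONID-0000" client_ip="192.168.1.10" target_ip="192.168.1.200" user="maint" device="win2k8" service="rdp" account="Maintenance" windows="\"Bloc-notes\",\"\",\"\"" button="Ne pas en&registrer"',
]

if __name__ == "__main__":
    for number, etype, severity, reason in scan(SAMPLE_LINES):
        print(f"line {number}: [{severity}] {etype}: {reason}")
```

Feed it the lines of a syslog/SIEM export instead of SAMPLE_LINES to get the same triage over real output; lines the Bastion wraps for display must first be joined back onto one line.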

17.5.2. System configuration changes


17.5.2.1. Network configuration
Actions: add, delete, edit
Examples:
[sysaudit] action="add" type="route" object="eth0<10.10.0.0>"
[sysaudit] action="delete" type="route" object="eth0<10.10.0.0>"
[sysaudit] action="edit" type="route" object="eth0<10.10.0.0>"
infos="changed netmask from None to 255.255.255.0"

17.5.2.2. SIEM server configuration


Actions: add, delete, edit
Examples:
[sysaudit] action="add" object="1.1.1.1" type="siem-dest"
[sysaudit] action="delete" object="1.1.1.1" type="siem-dest"
[sysaudit] action="edit" object="1.1.1.1" type="siem-dest" infos="SIEM
destination enabled"
[sysaudit] action="edit" object="1.1.1.1" type="siem-dest" infos="changed
port from 514 to 2514"
[sysaudit] action="edit" object="1.1.1.1" type="siem-dest" infos="changed
remote protocol from udp to tls"

17.5.2.3. Remote storage configuration


Action: edit
Examples:
[sysaudit] action="edit" type="remote-storage" infos="remote storage
enabled"
[sysaudit] action="edit" type="remote-storage" infos="changed remote
storage type from cifs to nfs"


17.5.2.4. Service mapping configuration


Action: edit

Examples:

[sysaudit] action="edit" type="service-mapping" infos="iptables rules
enabled"

[sysaudit] action="edit" type="service-mapping" infos="changed the limit
of parallel connections per IP from 10 to 5"

[sysaudit] action="edit" type="service-mapping" infos="changed HA
interface mapping from ['eth1'] to ['eth1.0']"

17.6. Logs from vault activities


The stream provides messages for the following account activities:

• checkout
• checkout duration extension
• check-in and automatic check-in
• forced check-in
• credential change

Examples:

[Vault Activity] action="checkout" user="administrator"
account="limited_user@local@device1" session="False" result="Checkout
successful"

[Vault Activity] action="extend checkout" user="administrator"
account="limited_user@local@device1" session="False" result="Checkout
extension successful"

[Vault Activity] action="checkout" user="OPERATOR"
account="limited_user@local@device1" session="False" result="Force
checkin successful"

[Vault Activity] action="credential change"
account="limited_user@local@bastion" credential type="any"
result="failed" reason="missing new credentials from account"


Chapter 18. Contact WALLIX Bastion Support

Our WALLIX Bastion Support Team is available to help you during hours defined in your support
contract:

Web: https://support.wallix.com/

Telephone: (+33) (0)1 70 36 37 50 for Europe, Middle East and Africa and (+1) 438-777-9439 for
the Americas


Index menu, 232, 274


Approval workflow, 275
configuration, 276
steps, 276
A Audit
Account history account history, 231
audit, 231 approval history, 232
menu, 231 authentication history, 233
Account mapping connection statistics, 234
configure target groups, 173 current sessions, 223
Accounts current sessions in real-time view, 224
add/list/delete a reference, 162 RDP current session remote control, 225
application accounts, 165 RDP current session sharing, 225
checkout policies, 193 recording options, 239
define references, 162 session history, 225
global accounts, 128, 160 session management, 223
local accounts, 126, 163 session recordings, 227
Accounts (targets) Audit data, 223
menu, 159 Audit logs
Accounts (user) logs, 47
menu, 72 menu, 47
ACLs Authentication
presentation, 17 smart card, 243
administration interface X509 certificate authentication, 100
access, 34 Authentication history
Algorithms audit, 233
data encryption, 18 menu, 233
Antivirus Authorization
configuration for verification of files transferred passwords, 201
with ICAP for RDP and SSH, 241 sessions, 218
API key Authorizations, 269
delete, 295 add, 269
edit, 295 approval workflow, 275
generate, 295 delete, 270
Application accounts, 165 edit, 270
delete, 168 import, 271
edit, 166 view approval history, 274
Application Driver, 141 view current approvals, 273
virtual channel, 141 AutoIt
Applications, 136 scripts, 139
accounts, 165 Automatic backup
add, 144 configuration, 63
add an account, 145 purge, 64
AutoIt scripts, 139 Automatic credential change, 167
delete, 145
edit, 145
import, 146
B
Backup, 60, 61, 62, 63, 64
jump server configuration, 137
automatic backup, 63
manage resource associations, 146
automatic backup purge, 64
menu, 136
purge, 64
RemoteApp mode, 138
Backup/restoration
Approval history
automatic backup, 63
audit, 232
automatic backup purge, 64


command line, 62 network, 48


configuration files, 61 notifications, 93
menu, 60 Notifications
Bastion plugin, 188 add, 94
Boot messages customize, 96
logs, 47 delete, 95
menu, 47 edit, 95
Break glass passphrase, 45
configuration , 216 password policy, 98
preferences, 36
C Remote Desktop Connection Broker, 261
Certificates remote storage, 51
devices, 130 RemoteApp mode, 138
Checkout policies, 193 restoration, 60
add, 194 service activation, 58
delete, 195 service control, 57
edit, 195 service mapping, 57
menu, 193 session probe, 254
CIDR, 125, 196 SIEM integration, 52
notation, 250 smart card authentication, 243
Cisco plugin, 208 SMTP server, 59
Clusters, 184 SNMP, 53
add, 185 target accounts, 159
delete, 186 target groups, 172
edit, 185 time frames, 277
import, 186 time service, 50
menu, 184 transparent mode, 250
Commands, 279 user account mapping, 114
Configuration user accounts, 72
applications, 136 user data retention policy, 92
authorizations, 269 user groups, 82
AutoIt scripts, 139 user profiles, 86
automatic backup, 63 X509 configuration, 100
backup, 60 Configuration options, 39
break glass mechanism, 216 AutoIt scripts, 139
checkout policies, 193 configuration for verification of files transferred
clusters, 184 with ICAP for RDP and SSH, 241
configuration options, 39 KeepAlive, 251
OEM, 40 OEM, 40
user interface, 40 RemoteApp mode, 138
connection messages, 262 transparent mode, 250
connection policies, 236 user interface, 40
devices, 124 virtual channel, 141
discovery, 195 Configurations options
domains, 148 menu, 39
encryption, 45 Connection messages
external authentications, 107 menu, 262
high-availability, 65 Connection policies
jump server, 137 add, 237
KeepAlive, 251 allowing or rejecting dynamic virtual channels,
LDAP/Active Directory domain, 114 244
license, 43 configuration for verification of files transferred
local password policy, 98 with ICAP for RDP and SSH, 241


configuration of log for keyboard input, 245 RDP current session remote control, 225
configuration of log for recorded sensitive data, RDP current session sharing, 225
244 real-time view, 224
configuration of RDP cryptographic settings, 247 Current sessions in real-time view
configuration of SSH cryptographic settings, 246 audit, 224
delete, 238 CyberArk Enterprise Password Vault plugin, 188
edit, 238
file storage, 243 D
menu, 236 Dashboards, 263
Remote Desktop Connection Broker, 260 administration, 263
session probe, 252 audit, 265
SSH startup scenario, 247 Dell iDRAC plugin, 208
TELNET/RLOGIN connection scenario, 245 Device accounts
transformation rule to get a login, 239 delete, 168
transformation rule to get credentials, 240 edit, 166
WALLIX BestSafe, 259 Devices, 124
Connection scenario accounts, 163
TELNET/RLOGIN, 245 add, 124
Connection statistics add tags, 131
audit, 234 add/list/delete a tag, 130
menu, 234 add/list/edit/delete a global account, 128
Credential checkout add/list/edit/delete a local account, 126
add a policy, 194 add/list/edit/delete a service, 125
delete a policy, 195 configuration of RDP cryptographic settings, 246
edit a policy, 195 configuration of SSH cryptographic settings, 246
Credentials delete, 132
automatic change for a target account, 167 delete certificates, 130
checkout policies, 193 discovery, 195
manual change for a target account, 168 configure a network scan, 196
CRL, 101 configure an Active Directory scan, 197
Cryptographic settings launch a scan manually, 198
RDP, 247 onboard discovered devices, 199
SSH, 246 set a periodic scan launch, 198
CSV discovery)
import applications, 146 view the results of a scan job, 198
import authorizations, 271 edit, 131
import clusters, 186 filter devices, 132
import devices, 132 global accounts, 128
import global domains, 153 import, 132
import LDAP/Active Directory domains, 120 local accounts, 126
import LDAP/Active Directory mappings, 122 local domains, 126
import local domains, 156 manage global accounts, 128
import target accounts, 168 manage local accounts, 126
import target groups, 183 manage local domains, 126
import user groups, 85 manage services, 125
import user profiles, 89 manage target group associations, 130
import users, 76 manage the tag association, 130
import/export restrictions, 181 menu, 124
import/export restrictions for target groups, 181 RDP specific options, 135
import/export restrictions for user groups, 181 remove tags, 132
Current sessions SSH specific options, 134
audit, 223 SSH startup scenario, 247
menu, 223, 224, 225 tags, 131


TELNET/RLOGIN connection scenario, 245 G


Discovery, 195 GDPR, 92
configure a network scan, 196 General concepts, 16
configure an Active Directory scan, 197 General data protection regulation, 92
launch a scan manually, 198 Global accounts, 128, 160
menu, 195 Global domain accounts
onboard discovered devices, 199 delete, 168
set a periodic scan launch, 198 edit, 166
view the results of a scan job, 198 Global domains
DLP accounts, 160
configuration for verification of files transferred Glossary, 14
with ICAP for RDP and SSH, 241 Groups (targets)
Domains, 148 add, 172
add, 149 configure for password management
add an account, 152 account in the vault, 175
associate with a CA, 150 configure for session management
associate with an SSH Certificate Authority, 150 account in the vault, 172
change the passwords for all the accounts, 152, account mapping, 173
152 interactive login, 174
delete, 153 scenario account, 173
edit, 151 delete, 182
import, 153, 156 edit, 182
local domains, 126 import, 183
menu, 148 manage restrictions for RDP session, 180
revoke the signed certificate for the accounts, manage restrictions for SSH session, 175
153 menu, 172
Dynamic virtual channels Groups (users)
allowing for RDP, 244 menu, 82
rejecting for RDP, 244
H
E HashiCorp Vault plugin, 189
Encryption, 45 High-Availability, 65
Algorithms, 18 configuration, 65
menu, 45 presentation, 23
passphrase, 45 Home page, 36
presentation, 18
External authentications, 107 I
add, 107 IBM 3270 plugin, 208
add for Kerberos, 108 ICAP
add for Kerberos-Password, 109 blocking of file transfers, 241
add for LDAP/, 109 configuration for file transfer verification, 241
add for PingID, 113 file storage, 241
add for RADIUS, 113 file verification, 241
delete, 114 ICAP servers
edit, 114 configuration for file transfer verification, 241
menu, 107 Import
External password vault applications, 146
plugins, 187 authorizations, 271
clusters, 186
F devices, 132
File storage global domains, 153
connection policies, 243 LDAP/Active Directory domains, 120
Fortinet FortiGate plugin, 208 LDAP/Active Directory mappings, 122


  local domains, 156
  profiles, 89
  target accounts, 168
  target groups, 183
  user groups, 85
  user profiles, 89
  users, 76
Import/export
  restrictions, 181
Interactive login
  configure target groups, 174
Interface
  access, 34
  menu presentation, 26

J
Jump server
  configuration, 137
Juniper SRX plugin, 211

K
KeepAlive
  configuration, 251
  RDP, 251
  SSH, 251, 252
Keyboard input
  configuration of log for RLOGIN, SSH and TELNET, 245

L
LDAP plugin, 211
LDAP/Active Directory
  import domains, 120
  import mappings, 122
  import users, 80
LDAP/Active Directory domain
  menu, 114
LDAP/Active Directory domains, 114
  add, 115
  delete, 119
  edit, 119
  import, 120
LDAP/Active Directory mappings
  import, 122
License, 45, 45
  command line, 45
  menu, 43
  notifications, 45
  obtain a key, 43
  revoke a license, 43
  update a key, 43
Local accounts, 126, 163
Local domains
  manage, 126
Local password policy, 98
  menu, 98
Log
  keyboard input, 245
  recorded sensitive data, 244
Log for keyboard input
  configuration for RLOGIN, SSH and TELNET, 245
Log for recorded sensitive data
  configuration for RDP, 244
Login, 34
  interface, 34
Logs
  audit logs, 47
  boot messages, 47
  syslog, 47

M
Manage authorizations
  menu, 269
Manual credential change, 168
Menu
  account history, 231
  accounts (targets), 159
  accounts (user), 72
  applications, 136
  approval history, 232, 274
  audit logs, 47
  authentication history, 233
  backup/restoration, 60
  boot messages, 47
  checkout policies, 193
  clusters, 184
  configuration options, 39
  connection messages, 262
  connection policies, 236
  connection statistics, 234
  current sessions, 223, 224, 225
  devices, 124
  discovery, 195
  domains, 148
  encryption, 45
  external authentications, 107
  groups (targets), 172
  groups (users), 82
  LDAP/Active Directory domain, 114
  license, 43
  local password policy, 98
  manage authorizations, 269
  my current approvals, 273
  my preferences, 36
  network, 48
  notifications, 93
  password change plugins, 203
  password vault plugins, 187
  profiles (users), 86
  recording options, 239
  remote storage, 51
  service control, 57
  session history, 225, 227
  SIEM integration, 52
  SMTP server, 59
  SNMP, 53
  syslog, 47
  system status, 47
  time frames, 277
  time service, 50
  X509 configuration, 100
MIBs, 53
My current approvals
  menu, 273
My preferences
  menu, 36
MySQL plugin, 212

N
Network, 48
  menu, 48
Network infrastructure
  positioning of WALLIX Bastion, 16
Notifications, 93
  add, 94
  customize, 96
  delete, 95
  edit, 95
  menu, 93

O
OCSP, 102
OEM, 40
Oracle plugin, 212

P
Palo Alto PA-500 plugin, 212
Passphrase, 45
Password
  add a change policy, 215
  add a checkout policy, 194
  authorizations, 201
  automatic change for a target account, 167
  change policies, 214
  checkout policies, 193
  delete a change policy, 216
  delete a checkout policy, 195
  edit a change policy, 216
  edit a checkout policy, 195
  external vault, 22
  manual change for a target account, 168
  password change plugins, 203
  password vault plugins, 187
Password change plugins
  Cisco, 208
  Dell iDRAC, 208
  Fortinet FortiGate, 208
  IBM 3270, 208
  Juniper SRX, 211
  LDAP, 211
  matrix, 203
  menu, 203
  MySQL, 212
  Oracle, 212
  Palo Alto PA-500, 212
  Unix, 212
  Windows, 213
  WindowsService, 213
Password change policies
  add, 215
  delete, 216
  edit, 216
Password external vault
  presentation, 22
Password management, 201
  break glass mechanism, 216
  configure target groups from an account in the vault, 175
  password change plugins, 203
  password change policies, 214
    add, 214
    delete, 216
    edit, 216
  user authorizations, 201
Password policy, 98
Password vault plugins
  Bastion, 188
  CyberArk Enterprise Password Vault, 188
  HashiCorp Vault, 189
  menu, 187
  presentation, 22
  Thycotic, 190
Plugins
  password change, 203
  password vault, 187
Ports
  configuration, 24
Profiles (users)
  menu, 86
Proxy options
  RDP, 135
  SSH, 134
Purge
  automatic backup, 64

R
RDP
  allowing or rejecting dynamic virtual channels, 244
  Application Driver, 141
  AutoIt scripts, 139
  configuration of log for recorded sensitive data, 244
  proxy specific options, 135
  Remote Desktop Connection Broker, 260
  RemoteApp mode, 138
  session probe, 252
  WALLIX BestSafe, 259
RDP cryptographic settings
  connection policies, 247
RDP current session remote control
  audit, 225
RDP current session sharing
  audit, 225
RDP protocol
  specific options, 135
RDP session
  kill, 180
  notify, 180
Reconciliation
  definition, 151, 212, 213
Recorded sensitive data
  configuration of log for RDP, 244
Recording options
  audit, 239
  menu, 239
References, 162
Remote Desktop Connection Broker
  configuration, 261
  prerequisites, 260
Remote storage, 51
  menu, 51
RemoteApp mode
  configuration, 138
REST API, 294
  delete a key, 295
  documentation, 294, 294
  edit a key, 295
  generate a key, 295
  key management, 294
Restoration, 60, 61, 62
Restrictions
  import/export, 181
  RDP session kill, 180
  RDP session notify, 180
  SSH session kill, 175, 176
  SSH session notify, 175
RLOGIN
  configuration of log for keyboard input, 245

S
Scenario
  RLOGIN, 247
  SSH, 173, 247
  TELNET, 247
  TELNET/RLOGIN, 245
Scenario account
  target groups, 173
SCIM REST API, 294
SCP
  target connection in interactive mode, 222
Scripts
  AutoIt, 139
Service accounts, 162
Service activation, 58
Service control, 57
  menu, 57
  service activation, 58
  service mapping, 57
Service mapping, 57
Services, 57, 125
Session
  authorizations, 218
Session history
  audit, 225
  menu, 225, 227
Session management, 218
  account history, 231
  approval history, 232
  audit data, 223
  authentication history, 233
  configure target groups for account mapping, 173
  configure target groups for interactive login, 174
  configure target groups for startup scenario, 173
  configure target groups from an account in the vault, 172
  connection messages, 261
  connection policies, 236
  connection statistics, 234
  connection via SCP and SFTP, 222
  current sessions, 223
  current sessions in real-time view, 224
  RDP current session remote control, 225
  RDP current session sharing, 225
  recording options, 239
  session history, 225
  session recordings, 227
  target connection in interactive mode, 222
  user authorizations, 218
Session probe
  configuration, 254
  connection policies, 252
  default operating mode, 253
  interaction with WALLIX BestSafe, 259
  launching from a specific directory, 258
  prerequisites, 253
Session recordings, 239
  audit, 227
Session Shadowing, 225
SFTP
  target connection in interactive mode, 222
SIEM
  logs from authentication, 296
  logs from external vault, 327
  logs from RDP service, 315
  logs from SSH service, 307
  logs from system, 325
  logs from Web interface, 297
  messages, 296
SIEM integration, 52, 296
  configure TLS client, 289
  menu, 52
Smart card, 243
Smart card authentication, 243
SMTP server, 59
  menu, 59
SNMP, 53
  menu, 53
  MIB files, 53
Specific commands, 279
  change self-signed certificates, 290
  change target servers identification, 289
  change the GRUB password, 282
  change the keyboard layout, 282
  change the network configuration, 282
  change the password of the factory-set administrator account, 281
  change the security level configuration, 282
  check integrity of session log files, 288
  configure High-Availability (HA), 283
  configure services, 283
  configure TLS client for SIEM integration, 289
  configure TLS options for LDAP external authentication, 289
  cryptographic configuration of services, 291
  display the content of journalctl, 284
  export session recordings automatically, 286
  export session recordings manually, 284
  generate the report on the status of WALLIX Bastion, 283
  get the GUI URL, 282
  get version information of WALLIX Bastion, 281
  manage the license key, 283
  move session recordings to remote storage, 287
  purge session recordings automatically, 286
  purge session recordings manually, 284
  re-import archived session recordings, 288
  reset data encryption in WALLIX Bastion, 281
  restore the factory-set administrator account, 280
  restore WALLIX Bastion to factory settings, 280
  update CRL, 292
  use the command line to connect to WALLIX Bastion, 280
  use WABConsole to change the user password, 284
SSH
  configuration of log for keyboard input, 245
  proxy specific options, 134
SSH cryptographic settings
  connection policies, 246
SSH key
  add a checkout policy, 194
  automatic change for a target account, 167
  checkout policies, 193
  delete a checkout policy, 195
  edit a checkout policy, 195
  manual change for a target account, 168
SSH protocol
  specific options, 134
SSH session
  kill, 175, 176
  notify, 175
SSH startup scenario
  connection policies, 247
Startup scenario
  configure target groups, 173
  RLOGIN, 247
  SSH, 173, 247
  target groups, 173
  TELNET, 247
Subnet, 125, 250
Summary, 38
Syslog
  logs, 47
  menu, 47
System
  backup, 60
  logs, 47
  network, 48
  remote storage, 51
  restoration, 60
  service control, 57
  SIEM integration, 52
  SMTP server, 59
  SNMP, 53
  status, 47
  time service, 50
System logs, 47
System status, 46
  menu, 47

T
Tables
  customize layout, 32
  delete data, 33
  search data, 31
  sort data, 32
Tags, 130, 131
  filter devices, 132
Target account on a global domain
  add, 160, 163
Target account on an application
  add, 165
Target accounts, 159
  change the credentials automatically, 167
  change the credentials manually, 168
  change the passwords automatically, 167
  change the passwords manually, 168
  delete, 168
  edit, 166
  import, 168
Target groups, 172
  add, 172
  configure for account mapping, 173
  configure for interactive login, 174
  configure for password management from an account in the vault, 175
  configure for session management from an account in the vault, 172
  configure for startup scenario during SSH session, 173
  delete, 182
  edit, 182
  import, 183
  import/export restrictions, 181
  pattern detection in SSH flow, 175
  RDP flows analysis/pattern detection in RDP flow, 180
  scenario account, 173
  startup scenario, 173
Targets
  accounts
    add/list/delete a reference, 162
  applications, 136
    add, 144
    add an account, 145
    AutoIt scripts, 139
    delete, 145
    edit, 145
    import, 146
    jump server configuration, 137
    manage resource associations, 146
    RemoteApp mode, 138
  checkout policies, 193
    add, 194
    delete, 195
    edit, 195
  clusters, 184
    add, 185
    delete, 186
    edit, 186
    import, 186
  devices, 124
    add, 124
    add tags, 131
    add/list/delete a tag, 130
    add/list/edit/delete a global account, 128
    add/list/edit/delete a local account, 126
    add/list/edit/delete a service, 125
    configuration of RDP cryptographic settings, 247
    configuration of SSH cryptographic settings, 246
    delete, 132
    delete certificates, 130
    edit, 131
    filter devices, 132
    import, 132
    list/delete a local domain, 126
    manage target group associations, 130
    RDP specific options, 135
    remove tags, 132
    SSH specific options, 134
    SSH startup scenario, 247
    tags, 131
    TELNET/RLOGIN connection scenario, 245
  discovery, 195
  domains, 148
    add, 149
    add an account, 152
    associate with a CA, 150
    associate with an SSH Certificate Authority, 150
    change the passwords for all the accounts, 152, 152
    delete, 153
    edit, 151
    import, 153, 156
    revoke the signed certificate for the accounts, 153
  password vault plugins, 187
  target account on a device
    add, 163
  target account on a global domain
    add, 159
  target account on an application
    add, 165
  target accounts, 159
    change the credentials automatically, 167
    change the credentials manually, 168
    delete, 168
    edit, 166
    import, 168
  target groups, 172
    add, 172
    configure for account mapping, 173
    configure for interactive login, 174
    configure for password management from an account in the vault, 175
    configure for session management from an account in the vault, 172
    configure for startup scenario during SSH session, 173
    delete, 182
    edit, 182
    import, 183
    import/export restrictions, 181
    pattern detection in SSH flow, 175
    RDP flows analysis/pattern detection in RDP flow, 180
TCP/UDP
  port configuration, 24
TELNET
  configuration of log for keyboard input, 245
TELNET/RLOGIN connection scenario
  connection policies, 245
Terminology, 14
Thycotic plugin, 190
Time frames, 277
  add, 278
  delete, 278
  edit, 278
  menu, 277
Time service, 50
  menu, 50
Transformation rule
  connection policies, 239, 240
Transparent mode
  configuration, 250

U
Unix plugin, 212
User account mapping
  configuration, 114
User accounts, 72
User data retention policy, 92
User groups, 82
User interface, 40
User profiles, 86
Users
  data retention, 92
  user accounts, 72
    add, 73
    delete, 75
    edit, 75
    import, 76
    import from .csv file, 76
    import from LDAP/AD directory, 79
    view accessible applications, 76
    view accessible device, 76
    view accessible target accounts, 76
    view rights on the GUI, 75
  user groups, 82
    add, 82
    delete, 84
    edit, 84
    import, 85
    import/export restrictions, 181
    view members, 85
  user profiles, 86
    add, 86
    default profiles, 86
    delete, 88
    edit, 88
    import, 89

V
Virtual channel, 141

W
WABChangeGrub, 282
WABChangeKeyboard, 282
WABConsole, 284
WABCRLFetch, 292
WABGetGuiUrl, 282
WABGetLicenseInfo, 283
WABHASetup, 283
WABInitReset, 280
WABJournalCtl, 284
WABNetworkConfiguration, 282
WABResetCrypto, 281
WABRestoreDefaultAdmin, 280, 281
WABSecurityLevel, 282
WABServices, 283
WABSessionLogExport, 284
WABSessionLogImport, 288
WABSessionLogIntegrityChecker, 288
WABSetLicense, 283
WABVersion, 281
WALLIX Bastion REST API, 294
WALLIX Bastion terminology, 14
WALLIX BestSafe
  interaction with session probe, 259
WALLIX Password Manager
  management, 31
  password management, 201
  presentation, 22
WALLIX Session Manager
  management, 31
  presentation, 22
  session management, 218
Web Services
  REST API, 294
Welcome page, 36
Windows plugin, 213
Windows Service, 162
WindowsService plugin, 213

X
X509, 100
X509 certificate authentication, 100
  configuration, 100
  CRL management, 101
  disable, 106
  OCSP management, 102
  unset, 106
  user configuration, 103
  X509 authentication, 104
X509 configuration
  menu, 100