: Device > Local User Database > Users
Focus
Focus

Device > Local User Database > Users

Table of Contents
End-of-Life (EoL)

Device > Local User Database > Users

You can set up a local database on the firewall to store authentication information for firewall administrators
, Captive Portal end users
, and end users who authenticate to a GlobalProtect portal
and GlobalProtect gateway
. Local database authentication requires no external authentication service; you perform all account management on the firewall. After creating the local database and (optionally) assigning the users to groups (see Device > Local User Database > User Groups), you can Device > Authentication Profile based on the local database.
You cannot configure Device > Password Profiles for administrative accounts that use local database authentication.
To Add a local user to the database, configure the settings described in the following table.
Local User Settings
Description
Name
Enter a name to identify the user (up to 31 characters). The name is not case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location
Select the scope in which the user account is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the Location; its value is predefined as Shared (firewalls) or as Panorama. After you save the user account, you can’t change its Location.
Mode
Use this field to specify the authentication option:
  • Password—Enter and confirm a password for the user.
  • Password Hash—Enter a hashed password string. This can be useful if, for example, you want to reuse the credentials for an existing Unix account but don’t know the plaintext password, only the hashed password. The firewall accepts any string of up to 63 characters regardless of the algorithm used to generate the hash value.
    In PAN-OS 9.1.10 and earlier, the operational CLI command request password-hash password uses the MD5 algorithm when the firewall is in normal mode and the SHA256 algorithm when the firewall is in CC/FIPS mode.
    In PAN-OS 9.1.11 and later, the operational CLI command request password-hash password uses the SHA256 algorithm in all modes.
Any Minimum Password Complexity parameters you set for the firewall (DeviceSetupManagement) do not apply to accounts that use a Password Hash.
Enable
Select this option to activate the user account.