Configure a Firewall Administrator Account
Administrative accounts specify roles and
authentication methods for firewall administrators. The service
that you use to assign roles and perform authentication determines
whether you add the accounts on the firewall, on an external server,
or both (see Administrative
Authentication). If the authentication method relies on a
local firewall database or an external service, you must configure
an authentication profile before adding an administrative account
(see Configure
Administrative Accounts and Authentication). If you already
configured the authentication profile or you will use Local
Authentication without a firewall database, perform the following
steps to add an administrative account on the firewall.
Create a separate administrative account
for each person who needs access to the administrative or reporting
functions of the firewall. This enables you to better protect the
firewall from unauthorized configuration and enables logging of
the actions of individual administrators.
- Modify the number of supported administrator accounts.
  Configure the total number of supported concurrent administrative accounts sessions for a firewall in the normal operational mode or in FIPS-CC mode. You can allow up to four concurrent administrative account sessions or configure the firewall to support an unlimited number of concurrent administrative account sessions.
  - Select Device > Setup > Management and edit the Authentication Settings.
  - Edit the Max Session Count to specify the number of supported concurrent sessions (range is 0 to 4) allowed for all administrator and user accounts. Enter 0 to configure the firewall to support an unlimited number of administrative accounts.
  - Edit the Max Session Time in minutes for an administrative account. Default is 720 minutes.
  - Click OK.
  - Commit.
  You can also configure the total number of supported concurrent sessions by logging in to the firewall CLI.
      admin> configure
      admin# set deviceconfig setting management admin-session max-session-count <0-4>
      admin# set deviceconfig setting management admin-session max-session-time <0, 60-1499>
      admin# commit
- Select Device > Administrators and Add an account.
- Enter a user Name.
  If the firewall uses a local user database to authenticate the account, enter the name that you specified for the account in the database (see Add the user group to the local database.)
- Select an Authentication Profile or sequence if you configured either for the administrator.
  If the firewall uses Local Authentication without a local user database for the account, select None (default) and enter a Password.
- Select the Administrator Type.
  If you configured a custom role for the user, select Role Based and select the Admin Role Profile. Otherwise, select Dynamic (default) and select a dynamic role. If the dynamic role is virtual system administrator, add one or more virtual systems that the virtual system administrator is allowed to manage.
- (Optional) Select a Password Profile for administrators that the firewall authenticates locally without a local user database. For details, see Define a Password Profile.
- Click OK and Commit.
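An added example, not from the original page or from Palo Alto Networks: a Python check that reads an exported configuration and flags the session-limit and local-account settings covered in the steps above. The XML element names are an assumption (they mirror the CLI hierarchy shown on this page), and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real firewall. The element layout is an
# assumption that mirrors the CLI hierarchy quoted on this page.
SAMPLE_CONFIG = """
<config>
  <mgt-config><users>
    <entry name="alice">
      <authentication-profile>corp-ldap</authentication-profile>
    </entry>
    <entry name="bob">
      <phash>CONSTRUCTED-PLACEHOLDER</phash>
    </entry>
  </users></mgt-config>
  <devices><entry name="localhost.localdomain"><deviceconfig><setting><management>
    <admin-session><max-session-count>0</max-session-count><max-session-time>45</max-session-time></admin-session>
  </management></setting></deviceconfig></entry></devices>
</config>
"""

def audit_admin_settings(xml_text):
    """Return findings for admin session limits and locally authenticated accounts."""
    root = ET.fromstring(xml_text)
    findings = []
    session = root.find(".//deviceconfig/setting/management/admin-session")
    count = session.findtext("max-session-count") if session is not None else None
    minutes = session.findtext("max-session-time") if session is not None else None
    if count is None:
        findings.append("max-session-count not set explicitly")
    elif count == "0":
        findings.append("max-session-count is 0: unlimited concurrent sessions")
    elif not (count.isdigit() and 1 <= int(count) <= 4):
        findings.append(f"max-session-count {count} outside 0-4")
    # The CLI accepts 0 or 60-1499 minutes for max-session-time.
    if minutes not in (None, "0") and not (minutes.isdigit() and 60 <= int(minutes) <= 1499):
        findings.append(f"max-session-time {minutes} outside <0, 60-1499>")
    for user in root.findall("./mgt-config/users/entry"):
        # Assumption: a missing authentication-profile element corresponds to
        # "None" in the web interface, so the password is checked locally.
        local = user.find("authentication-profile") is None
        if local and user.find("password-profile") is None:
            findings.append(f"{user.get('name')}: locally authenticated, no password profile")
    return findings

if __name__ == "__main__":
    for line in audit_admin_settings(SAMPLE_CONFIG):
        print(line)
```

Run it against a configuration export to list accounts that rely on a local password without a Password Profile and to confirm that the session count is not left unlimited.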