Focus

Configure Local or External Authentication for Firewall Administrators

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Configure a Firewall Administrator Account

Configure Certificate-Based Administrator Authentication to the Web Interface

Configure Local or External Authentication for Firewall Administrators

You can use Local Authentication and External Authentication Services to authenticate administrators who access the firewall. These authentication methods prompt administrators to respond to one or more authentication challenges, such as a login page for entering a username and password.

If you use an external service to manage both authentication and authorization (role and access domain assignments), see:

To authenticate administrators without a challenge-response mechanism, you can Configure Certificate-Based Administrator Authentication to the Web Interface and Configure SSH Key-Based Administrator Authentication to the CLI.

(External authentication only) Enable the firewall to connect to an external server for authenticating administrators.
Configure a server profile:
- Add a RADIUS server profile.
  If the firewall integrates with a Multi-Factor Authentication (MFA) service through RADIUS, you must add a RADIUS server profile. In this case, the MFA service provides all the authentication factors (challenges). If the firewall integrates with an MFA service through a vendor API, you can still use a RADIUS server profile for the first factor but MFA server profiles are required for additional factors.
- Add an MFA server profile.
- Add a TACACS+ server profile.
- Add a SAML IdP server profile. You cannot combine Kerberos single sign-on (SSO) with SAML SSO; you can use only one type of SSO service.
- Add a Kerberos server profile.
- Add an LDAP server profile.
(Local database authentication only) Configure a user database that is local to the firewall.
1. Add the user account to the local database.
2. (Optional) Add the user group to the local database.
(Local authentication only) Define password complexity and expiration settings.
These settings help protect the firewall against unauthorized access by making it harder for attackers to guess passwords.
1. Define global password complexity and expiration settings for all local administrators. The settings don’t apply to local database accounts for which you specified a password hash instead of a password (see Local Authentication).
  1. Select DeviceSetupManagement and edit the Minimum Password Complexity settings.
  2. Select Enabled.
  3. Define the password settings and click OK.
2. Define a Password Profile.
  You assign the profile to administrator accounts for which you want to override the global password expiration settings. The profiles are available only to accounts that are not associated with a local database (see Local Authentication).
  1. Select DevicePassword Profiles and Add a profile.
  2. Enter a Name to identify the profile.
  3. Define the password expiration settings and click OK.
(Kerberos SSO only) Create a Kerberos keytab.
A keytab is a file that contains Kerberos account information for the firewall. To support Kerberos SSO, your network must have a Kerberos infrastructure.
Configure an authentication profile.
If your administrative accounts are stored across multiple types of servers, you can create an authentication profile for each type and add all the profiles to an authentication sequence.

Configure an Authentication Profile and Sequence. In the authentication profile, specify the Type of authentication service and related settings:
- External service—Select the Type of external service and select the Server Profile you created for it.
- Local database authentication—Set the Type to Local Database.
- Local authentication without a database—Set the Type to None.
- Kerberos SSO—Specify the Kerberos Realm and Import the Kerberos Keytab.
Assign the authentication profile or sequence to an administrator account.
1. Configure a Firewall Administrator Account.
  - Assign the Authentication Profile or sequence that you configured.
  - (Local database authentication only) Specify the Name of the user account you added to the local database.
2. Commit your changes.
3. (Optional) Test Authentication Server Connectivity to verify that the firewall can use the authentication profile to authenticate administrators.

Configure a Firewall Administrator Account

Configure Certificate-Based Administrator Authentication to the Web Interface

Next-Generation Firewall Docs

Configure Local or External Authentication for Firewall Administrators

Next-Generation Firewall Docs

Configure Local or External Authentication for Firewall Administrators

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner