Next-Generation Firewall
Configure a Firewall Administrator Account
Table of Contents
Configure a Firewall Administrator Account
Learn how to configure firewall administrator accounts in PAN-OS, including setting
up administrative access, authentication, and user permissions for NGFW
management.
| Where Can I Use This? | What Do I Need? |
|---|---|
| NGFW (Managed by PAN-OS or Panorama) |
|
Administrative accounts specify roles and authentication methods for firewall
administrators. The service that you use to assign roles and perform authentication
determines whether you add the accounts on the firewall, on an external server, or
both (see Administrative
Authentication). If the authentication method relies on a local firewall
database or an external service, you must configure an authentication profile before
adding an administrative account (see Configure
Administrative Accounts and Authentication). If you already configured
the authentication profile or you will use Local
Authentication without a firewall database, perform the following steps
to add an administrative account on the firewall.
Create a separate administrative account
for each person who needs access to the administrative or reporting
functions of the firewall. This enables you to better protect the
firewall from unauthorized configuration and enables logging of
the actions of individual administrators.
Make sure you are following
the Adminstrative Access Best Practices to
ensure that you are securing administrative access to your firewalls
and other security devices in a way that prevents successful attacks.- Modify the number of supported administrator accounts.Configure the total number of supported concurrent administrative accounts sessions for a firewall in the normal operational mode or in FIPS-CC mode. You can allow up to four concurrent administrative account sessions or configure the firewall to support an unlimited number of concurrent administrative account sessions.
- Select and edit the Authentication Settings.Edit the Max Session Count to specify the number of supported concurrent sessions (range is 0 to 4) allowed for all administrator and user accounts.Enter 0 to configure the firewall to support an unlimited number of administrative accounts.Edit the Max Session Time in minutes for an administrative account. Default is 720 minutes.Click OK.Commit.You can also configure the total number of supported concurrent sessions by logging in to the firewall CLI.admin> configureadmin# set deviceconfig setting management admin-session max-session-count <0-4>admin# set deviceconfig setting management admin-session max-session-time <0, 60-1499>admin# commitSelect and Add an account.Enter a user Name.If the firewall uses a local user database to authenticate the account, enter the name that you specified for the account in the database (see Add the user group to the local database.)Select an Authentication Profile or sequence if you configured either for the administrator.If the firewall uses Local Authentication without a local user database for the account, select None (default) and enter a Password.Select the Administrator Type.If you configured a custom role for the user, select Role Based and select the Admin Role Profile. Otherwise, select Dynamic (default) and select a dynamic role. If the dynamic role is virtual system administrator, add one or more virtual systems that the virtual system administrator is allowed to manage.(Optional) Select a Password Profile for administrators that the firewall authenticates locally without a local user database. For details, see Define a Password Profile.Click OK and Commit.
