Device > Administrators
Administrator accounts control access to firewalls and Panorama. A firewall administrator can have full or read-only access to a single firewall or to a virtual system on a single firewall. Firewalls have a predefined admin account that has full access.
To define Panorama administrators, see Panorama > Managed Devices > Summary.
The following authentication options are supported:
- Password authentication—The administrator enters a username and password to log in. This authentication requires no certificates. You can use it in conjunction with authentication profiles, or for local database authentication.
- Client certificate authentication (web)—This authentication requires no username or password; the certificate suffices to authenticate access to the firewall.
- Public key authentication (SSH)—The administrator generates a public/private key pair on the machine that requires access to the firewall, and then uploads the public key to the firewall to allow secure access without requiring the administrator to enter a username and password.
To add an administrator, click Add and fill in the following information:

Administrator Account Settings | Description |
---|---|
Name | Enter a login name for the administrator (up to 31 characters). The name is case sensitive and must be unique. Use only letters, numbers, hyphens, periods, and underscores. Login names cannot start with a hyphen (-). |
Authentication Profile | Select an authentication profile for administrator authentication. You can use this setting for RADIUS, TACACS+, LDAP, Kerberos, SAML, or local database authentication. For details, see Device > Authentication Profile. |
Use only client certificate authentication (web) | Select this option to use client certificate authentication for web access. If you select this option, a username and password are not required; the certificate is sufficient to authenticate access to the firewall. |
New Password / Confirm New Password | Enter and confirm a case-sensitive password for the administrator (up to 31 characters). You can also select Setup Management To ensure that the firewall management interface remains secure, we recommend that you periodically change administrative passwords using a mixture of lower-case letters, upper-case letters, and numbers. You can also configure Minimum Password Complexity settings for all administrators on the firewall. |
Use Public Key Authentication (SSH) | Select this option to use SSH public key authentication. Click Import Key and browse to select the public key file. The uploaded key appears in the read-only text area. Supported key file formats are IETF SECSH and OpenSSH. Supported key algorithms are DSA (1,024 bits) and RSA (768 to 4,096 bits). If the public key authentication fails, the firewall prompts the administrator for a username and password. |
Administrator Type | Assign a role to this administrator. The role determines what the administrator can view and modify. If you select Role Based, select a custom role profile from the drop-down. For details, see Device > Admin Roles. If you select Dynamic, you can select one of the following predefined roles: |
Virtual System (Virtual system administrator role only) | Click Add to select the virtual systems that the administrator can manage. |
Password Profile | Select the password profile, if applicable. To create a new password profile, see Device > Password Profiles. Create a password profile for administrators to ensure that admin passwords expire after a configured time period. Changing admin passwords regularly helps prevent attackers from using saved or stolen credentials. |
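
A pre-upload check for the Use Public Key Authentication (SSH) row above, as an added example (not code from the product or its documentation): it reads a public key in OpenSSH or IETF SECSH (RFC 4716) form and compares the algorithm and key size with the documented DSA and RSA limits. The function names, the `min_rsa_bits` parameter (which lets a team enforce a stricter floor than the documented 768 bits), and the constructed, unusable sample key are assumptions made for the example.

```python
import base64

SECSH_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
SECSH_END = "---- END SSH2 PUBLIC KEY ----"

def key_blob(text):
    """Decode the key blob from OpenSSH one-line or IETF SECSH (RFC 4716) text."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines and lines[0] == SECSH_BEGIN and lines[-1] == SECSH_END:
        body, in_header = [], False
        for ln in lines[1:-1]:
            if in_header or ":" in ln:       # header line or its "\" continuation
                in_header = ln.endswith("\\")
            else:
                body.append(ln)              # base64 never contains ":"
        return base64.b64decode("".join(body), validate=True)
    parts = lines[0].split() if lines else []
    if len(parts) < 2:
        raise ValueError("not an OpenSSH or SECSH public key")
    return base64.b64decode(parts[1], validate=True)

def fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        if len(blob) - pos < 4 + n:
            raise ValueError("truncated key blob")
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out

def check_key(text, min_rsa_bits=768):
    """Return (algorithm, bits, within_limits) using the limits in the table above."""
    f = fields(key_blob(text))
    alg = f[0].decode("ascii", "replace") if f else ""
    if alg == "ssh-rsa" and len(f) == 3:
        bits = int.from_bytes(f[2], "big").bit_length()   # field 2 is the modulus n
        return alg, bits, min_rsa_bits <= bits <= 4096
    if alg == "ssh-dss" and len(f) == 5:
        bits = int.from_bytes(f[1], "big").bit_length()   # field 1 is the prime p
        return alg, bits, bits == 1024
    return alg, 0, False                                  # any other key type

def sample_rsa_line(bits):
    """Constructed input: ssh-rsa blob with a dummy modulus (not a usable key)."""
    e, n = b"\x01\x00\x01", ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    blob = b"".join(len(x).to_bytes(4, "big") + x for x in (b"ssh-rsa", e, n))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"
```

Calling `check_key(text, min_rsa_bits=2048)` applies a stricter local policy while keeping the documented 4,096-bit upper bound.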