Configure a Firewall Administrator Account

Administrative accounts specify roles and authentication methods for firewall administrators. The service that you use to assign roles and perform authentication determines whether you add the accounts on the firewall, on an external server, or both (see Administrative Authentication). If the authentication method relies on a local firewall database or an external service, you must configure an authentication profile before adding an administrative account (see Configure Administrative Accounts and Authentication). If you already configured the authentication profile or you will use Local Authentication without a firewall database, perform the following steps to add an administrative account on the firewall.
Create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This enables you to better protect the firewall from unauthorized configuration and enables logging of the actions of individual administrators.
Make sure you are following the Best Practices for Securing Administrative Access to ensure that you are securing administrative access to your firewalls and other security devices in a way that prevents successful attacks.
  1. Modify the number of supported administrator accounts.
    Configure the total number of supported concurrent administrative accounts sessions for a firewall in the normal operational mode or in FIPS-CC mode. You can allow up to four concurrent administrative account sessions or configure the firewall to support an unlimited number of concurrent administrative account sessions.
    1. Select
      Device
      Setup
      Management
      and edit the Authentication Settings.
    2. Edit the
      Max Session Count
      to specify the number of supported concurrent sessions (range is
      0
      to
      4
      ) allowed for all administrator and user accounts.
      Enter
      0
      to configure the firewall to support an unlimited number of administrative accounts.
    3. Edit the
      Max Session Time
      in minutes for an administrative account. Default is
      720
      minutes.
    4. Click
      OK
      .
    5. Commit
      .
    You can also configure the total number of supported concurrent sessions by logging in to the firewall CLI.
    admin>
    configure
    admin#
    set deviceconfig setting management admin-session max-session-count <0-4>
    admin#
    set deviceconfig setting management admin-session max-session-time <0, 60-1499>
    admin#
    commit
  2. Select
    Device
    Administrators
    and
    Add
    an account.
  3. Enter a user
    Name
    .
    If the firewall uses a local user database to authenticate the account, enter the name that you specified for the account in the database (see Add the user group to the local database.)
  4. Select an
    Authentication Profile
    or sequence if you configured either for the administrator.
    If the firewall uses Local Authentication without a local user database for the account, select
    None
    (default) and enter a
    Password
    .
  5. Select the
    Administrator Type
    .
    If you configured a custom role for the user, select
    Role Based
    and select the Admin Role
    Profile
    . Otherwise, select
    Dynamic
    (default) and select a dynamic role. If the dynamic role is
    virtual system administrator
    , add one or more virtual systems that the virtual system administrator is allowed to manage.
  6. (
    Optional
    ) Select a
    Password Profile
    for administrators that the firewall authenticates locally without a local user database. For details, see Define a Password Profile.
  7. Click
    OK
    and
    Commit
    .

Recommended For You