Configure a Firewall Administrator Account
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure a Firewall Administrator Account
Administrative accounts specify roles and
authentication methods for firewall administrators. The service
that you use to assign roles and perform authentication determines
whether you add the accounts on the firewall, on an external server,
or both (see Administrative
Authentication). If the authentication method relies on a
local firewall database or an external service, you must configure
an authentication profile before adding an administrative account
(see Configure
Administrative Accounts and Authentication). If you already
configured the authentication profile or you will use Local
Authentication without a firewall database, perform the following
steps to add an administrative account on the firewall.
Create a separate administrative account
for each person who needs access to the administrative or reporting
functions of the firewall. This enables you to better protect the
firewall from unauthorized configuration and enables logging of
the actions of individual administrators.
Make sure you are following
the Adminstrative Access Best Practices to
ensure that you are securing administrative access to your firewalls
and other security devices in a way that prevents successful attacks.- Modify the number of supported administrator accounts.Configure the total number of supported concurrent administrative accounts sessions for a firewall in the normal operational mode or in FIPS-CC mode. You can allow up to four concurrent administrative account sessions or configure the firewall to support an unlimited number of concurrent administrative account sessions.
- Select DeviceSetupManagement and edit the Authentication Settings.Edit the Max Session Count to specify the number of supported concurrent sessions (range is 0 to 4) allowed for all administrator and user accounts.Enter 0 to configure the firewall to support an unlimited number of administrative accounts.Edit the Max Session Time in minutes for an administrative account. Default is 720 minutes.Click OK.Commit.You can also configure the total number of supported concurrent sessions by logging in to the firewall CLI.admin> configureadmin# set deviceconfig setting management admin-session max-session-count <0-4>admin# set deviceconfig setting management admin-session max-session-time <0, 60-1499>admin# commitSelect DeviceAdministrators and Add an account.Enter a user Name.If the firewall uses a local user database to authenticate the account, enter the name that you specified for the account in the database (see Add the user group to the local database.)Select an Authentication Profile or sequence if you configured either for the administrator.If the firewall uses Local Authentication without a local user database for the account, select None (default) and enter a Password.Select the Administrator Type.If you configured a custom role for the user, select Role Based and select the Admin Role Profile. Otherwise, select Dynamic (default) and select a dynamic role. If the dynamic role is virtual system administrator, add one or more virtual systems that the virtual system administrator is allowed to manage.(Optional) Select a Password Profile for administrators that the firewall authenticates locally without a local user database. For details, see Define a Password Profile.Click OK and Commit.