Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls.
Configure an Administrative Account
( Optional ) Define password complexity and expiration settings for administrator accounts that are local to the firewall. These settings can help protect the firewall against unauthorized access by making it harder for attackers to guess passwords. You cannot configure these settings for local accounts that use a local database or external service for authentication. Define global password complexity and expiration settings for all local administrators. Select Device > Setup > Management and edit the Minimum Password Complexity settings. Select Enabled. Define the password settings and click OK. Define a Password Profile if you want certain local administrators to have password expiration settings that override the global settings. Select Device > Password Profiles and Add a profile. Enter a Name to identify the profile. Define the password expiration settings and click OK.
Add an administrative account. Select Device > Administrators and Add an administrator. Enter a user Name. Select an Authentication Profile or sequence if you configured either for the user. The default option ( None) specifies that the firewall will locally manage and authenticate the account without a local database. In this case, you must enter and confirm a Password. Select the Administrator Type. If you configured a custom role for the user, select Role Based and select the Admin Role Profile. Otherwise, select Dynamic (default) and select a dynamic role. If the dynamic role is virtual system administrator, add one or more virtual systems that the virtual system administrator is allowed to manage. ( Optional ) Select a Password Profile for local administrators. This option is available only if you set the Authentication Profile to None. Click OK and Commit.

Related Documentation