End-of-Life (EoL)
Select Device > Password Profiles or Panorama > Password Profiles to set basic password requirements for individual local accounts. Password profiles override any Minimum Password Complexity settings you defined for all local accounts ( Device > Setup > Management).
To apply a password profile to an account, select Device > Administrators (for firewalls) or Panorama > Administrators (for Panorama), select an account, and then select the Password Profile.
You cannot assign password profiles to administrative accounts that use local database authentication (see Device > Local User Database > Users).
To create a password profile, click Add and enter the following information.
Password Profile Setting Description
Name Enter a name to identify the password profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Required Password Change Period (days) Require that administrators change their password on a regular basis specified a by the number of days set, ranging from 0-365 days. Example, if the value is set to 90, administrators will be prompted to change their password every 90 days. You can also set an expiration warning from 0-30 days and specify a grace period.
Expiration Warning Period (days) If a required password change period is set, this setting can be used to prompt the user to change their password at each log in as the forced password change date approaches (range is 0–30).
Post Expiration Admin Login Count Allow the administrator to log in a specified number of times after their account has expired. Example, if the value is set to 3 and their account has expired, they can log in 3 more times before their account is locked out (range is 0–3).
Post Expiration Grace Period (days) Allow the administrator to log in the specified number of days after their account has expired (range is 0–30).
Username and Password Requirements
The following table lists the valid characters that can be used in usernames and passwords for PAN-OS and Panorama accounts.
Account Type Username and Password Restrictions
Password Character Set There are no restrictions on any password field character sets.
Remote Admin, SSL-VPN, or Captive Portal The following characters are not allowed for the username: Backtick (`) Angular brackets (< and >) Ampersand (&) Asterisk (*) At sign (@) Question mark (?) Pipe (|) Single-Quote (‘) Semicolon (;) Double-Quote (") Dollar ($) Parentheses ( '(' and ')' ) Colon (':')
Local Administrator Accounts The following are the allowed characters for local usernames: Lowercase (a-z) Uppercase (A-Z) Numeric (0-9) Underscore (_) Period (.) Hyphen (-) Login names cannot start with a hyphen (-).

Recommended For You