Device > Local User Database > Users

You can set up a local database on the firewall to store authentication information for firewall administrators, Captive Portal end users, and end users who authenticate to a GlobalProtect portal and GlobalProtect gateway. Local database authentication requires no external authentication service; you perform all account management on the firewall. After creating the local database and (optionally) assigning the users to groups (see Device > Local User Database > User Groups), you can configure authentication based on the local database (see Device > Authentication Profile).
You cannot configure Device > Password Profiles for administrative accounts that use local database authentication.
To Add a local user to the database, configure the settings described in the following table.
Local User Settings
  Description

Name
  Enter a name to identify the user (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location
  Select the scope in which the user account is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the Location; its value is predefined as Shared (firewalls) or as Panorama. After you save the user account, you can’t change its Location.

Mode
  Use this field to specify the authentication option:
    • Password—Enter and confirm a password for the user.
    • Password Hash—Enter a hashed password string. This can be useful if, for example, you want to reuse the credentials for an existing Unix account but don’t know the plaintext password, only the hashed password. The firewall accepts any string of up to 63 characters regardless of the algorithm used to generate the hash value. The operational CLI command request password-hash password uses the MD5 algorithm when the firewall is in normal mode and the SHA256 algorithm when the firewall is in CC/FIPS mode.
  Any Minimum Password Complexity parameters you set for the firewall (Device > Setup > Management) do not apply to accounts that use a Password Hash.

Enable
  Select this option to activate the user account.
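Added example (not part of the original documentation or of PAN-OS): because complexity rules do not apply to Password Hash accounts and the firewall accepts any string of up to 63 characters, the following audit checks a list of local users against the limits stated above and flags weak or unrecognised hash schemes. It assumes the hashes are in Unix crypt(3) modular format and that entries are supplied as (name, hash) pairs; all function names and sample values are hypothetical.

```python
import re

# Constraints stated on this page.
NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,31}")
MAX_HASH_LEN = 63

# crypt(3) modular-format prefixes (assumption: hashes use this format).
SCHEMES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}
WEAK = {"md5-crypt", "unknown"}


def classify_hash(phash):
    """Return the crypt(3) scheme name for a hash string, or 'unknown'."""
    for prefix, scheme in SCHEMES.items():
        if phash.startswith(prefix):
            return scheme
    return "unknown"


def audit_user(name, phash):
    """Return a list of findings for one local-user entry (empty = clean)."""
    findings = []
    if not NAME_RE.fullmatch(name):
        findings.append("name violates 31-character / allowed-character rule")
    if len(phash) > MAX_HASH_LEN:
        findings.append("hash longer than 63 characters")
    scheme = classify_hash(phash)
    if scheme in WEAK:
        findings.append(f"weak or unrecognised hash scheme ({scheme})")
    return findings


def audit(entries):
    """Map each user name to its findings, keeping only users with findings."""
    return {n: f for n, h in entries if (f := audit_user(n, h))}


# Constructed sample entries; the hash bodies are placeholders, not real hashes.
SAMPLE = [
    ("ops_admin", "$1$abcdefgh$" + "A" * 22),
    ("gp-user 01", "$5$abcdefghijklmnop$" + "B" * 43),
    ("bad/name", "$5$salt$" + "C" * 43),
    ("legacy", "$6$salt$" + "D" * 86),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE).items():
        print(user, "->", "; ".join(findings))
```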
