Local Authentication

Although the firewall and Panorama provide local authentication for administrators and end users, External Authentication Services are preferable in most cases because they provide central account management. However, you might require special user accounts that you don’t manage through the directory servers that your organization reserves for regular accounts. For example, you might define a superuser account that is local to the firewall so that you can access the firewall even if the directory server is down. In such cases, you can use the following local authentication methods:
  • (Firewall only) Local database authentication
    —To Configure Local Database Authentication, you create a database that runs locally on the firewall and contains user accounts (usernames and passwords or hashed passwords) and user groups. This type of authentication is useful for creating user accounts that reuse the credentials of existing Unix accounts in cases where you know only the hashed passwords, not the plaintext passwords. Because local database authentication is associated with authentication profiles, you can accommodate deployments where different sets of users require different authentication settings, such as Kerberos single sign-on (SSO) or Multi-Factor Authentication (MFA). (For details, see Configure an Authentication Profile and Sequence). For accounts that use plaintext passwords, you can also define password complexity and expiration settings. This authentication method is available to administrators who access the firewall (but not Panorama) and end users who access services and applications through Captive Portal or GlobalProtect.
  • Local authentication without a database
    —You can configure firewall administrative accounts or Panorama administrative accounts without creating a database of users and user groups that runs locally on the firewall or Panorama. Because this method is not associated with authentication profiles, you cannot combine it with Kerberos SSO or MFA. However, this is the only authentication method that allows password profiles, which enable you to associate individual accounts with password expiration settings that differ from the global settings. (For details, see Define password complexity and expiration settings)

Related Documentation