Device > Administrators
Administrator accounts control access to firewalls and Panorama. A firewall administrator can have full or read-only access to a single firewall or to a virtual system on a single firewall. Firewalls have a predefined
adminaccount that has full access.
The following authentication options are supported:
- Password authentication—The administrator enters a username and password to log in. This authentication requires no certificates. You can use it in conjunction with authentication profiles, or for local database authentication.
- Client certificate authentication (web)—This authentication requires no username or password; the certificate suffices to authenticate access to the firewall.
- Public key authentication (SSH)—The administrator generates a public/private key pair on the machine that requires access to the firewall, and then uploads the public key to the firewall to allow secure access without requiring the administrator to enter a username and password.
To add an administrator, click
Addand fill in the following information:
Administrator Account Settings
Enter a login name for the administrator (up to 31 characters). The name is case sensitive and must be unique. Use only letters, numbers, hyphens, periods, and underscores. Login names cannot start with a hyphen (-).
Select an authentication profile for administrator authentication. You can use this setting for RADIUS, TACACS+, LDAP, Kerberos, SAML, or local database authentication. For details, see Device > Authentication Profile.
Use only client certificate authentication (web)
Select this option to use client certificate authentication for web access. If you select this option, a username and password are not required; the certificate is sufficient to authenticate access to the firewall.
Confirm New Password
Enter and confirm a case-sensitive password for the administrator (up to 31 characters). You can also select
to enforce a minimum password length.
To ensure that the firewall management interface remains secure, we recommend that you periodically change administrative passwords using a mixture of lower-case letters, upper-case letters, and numbers. You can also configure Minimum Password Complexity settings for all administrators on the firewall.
Use Public Key Authentication (SSH)
Select this option to use SSH public key authentication. Click
Import Keyand browse to select the public key file. The uploaded key appears in the read-only text area.
Supported key file formats are IETF SECSH and OpenSSH. Supported key algorithms are DSA (1,024 bits) and RSA (768 to 4,096 bits).
If the public key authentication fails, the firewall prompts the administrator for a username and password.
Assign a role to this administrator. The role determines what the administrator can view and modify.
If you select
Role Based, select a custom role profile from the drop-down. For details, see Device > Admin Roles.
If you select
Dynamic, you can select one of the following predefined roles:
Virtual system administrator role only)
Addto select the virtual systems that the administrator can manage.
Select the password profile, if applicable. To create a new password profile, see Device > Password Profiles.
Create a password profile for administrators to ensure that admin passwords expire after a configured time period. Changing admin passwords regularly helps prevent attackers from using saved or stolen credentials.
Panorama > Administrators
Panorama > Administrators Select Panorama Administrators to create and manage accounts for Panorama administrators. If you log in to Panorama as an administrator with a ...
Administrative Role Types
Administrative Role Types A role defines the type of access that an administrator has to the firewall. The Administrator Types are: Role Based —Custom roles ...
Administrative Privileges Privilege levels determine which commands an administrator can run as well as what information is viewable. Each administrative role has an associated privilege ...
Configure Administrative Access Per Virtual System or Firew...
Configure Administrative Access Per Virtual System or Firewall If you have a superuser administrative account, you can create and configure granular permissions for a vsysadmin ...
Administrative Roles You configure administrator accounts based on the security requirements of your organization, any existing authentication services that your network uses, and the required ...
Device > Admin Roles
Device > Admin Roles Select Device Admin Roles to define Admin Role profiles, which are custom roles that determine the access privileges and responsibilities of ...
Configure RADIUS Authentication
Configure RADIUS Authentication You can configure RADIUS authentication for end users and firewall or Panorama administrators. For administrators, you can use RADIUS to manage authorization ...
Provide Granular Access to the Device Tab
Provide Granular Access to the Device Tab To define granular access privileges for the Device tab, when creating or editing an admin role profile ( ...
Configure TACACS+ Authentication
Configure TACACS+ Authentication You can configure TACACS+ authentication for end users and firewall or Panorama administrators. You can also use a TACACS+ server to manage ...