Log Collector CLI Authentication Settings

  • Panorama > Managed Collectors > Authentication
An M-Series appliance in Log Collector mode (Dedicated Log Collector) has no web interface, only a CLI. You can use the Panorama management server to configure most settings on a Dedicated Log Collector, but some settings require CLI access. To set up authentication for CLI access, configure the settings described in the following table.
Log Collector Authentication Settings
Description
Users
Always displays as admin and is used for the local CLI login name on the Log Collector.
Mode
Select the password Mode:
  • Password: Enter a plaintext Password and Confirm Password.
  • Password Hash: Enter a hashed password string. This can be useful if, for example, you want to reuse the password of an existing Unix account but do not know the plaintext password, only the hashed password. Panorama accepts any string of up to 63 characters regardless of the algorithm used to generate the hash value. The operational CLI command request password-hash password <password> uses the MD5 algorithm. When you commit your changes, Panorama pushes the hash value to the Log Collector and the administrator password will be the specified <password>.
Failed Attempts
Enter the number of failed login attempts allowed on the CLI before locking out the administrator account (0 to 10). A value of 0 specifies unlimited login attempts. The default value is 0 for Log Collectors in normal operational mode and 10 for Log Collectors in FIPS-CC mode. Limiting login attempts can help protect the Log Collector from brute-force attacks.
If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, then the admin user is indefinitely locked out until another administrator manually unlocks the locked-out admin. If no other administrator has been created, you must reconfigure the Failed Attempts and Lockout Time settings on Panorama and push the configuration change to the Log Collector. To ensure that an admin is never locked out, use the default 0 value for both Failed Attempts and Lockout Time.
Lockout Time
Enter the number of minutes for which the Log Collector locks out the administrator after reaching the number of Failed Attempts (range is 0 to 60; default is 0).
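A pre-commit check for the settings in the table above, as an added example that is not part of the original documentation or any Palo Alto Networks code. It assumes the hash is in Unix modular crypt format ($id$salt$digest); the function names, sample strings and finding messages are hypothetical.

```python
import re

# Well-known modular crypt format ids as used in Unix shadow files.
SCHEMES = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}
MAX_HASH_LEN = 63  # limit stated in the Password Hash description

# Constructed placeholder strings with realistic lengths, not real hashes.
SAMPLE_MD5 = "$1$" + "s" * 8 + "$" + "h" * 22      # 34 chars
SAMPLE_SHA256 = "$5$" + "s" * 16 + "$" + "h" * 43  # 63 chars
SAMPLE_SHA512 = "$6$" + "s" * 16 + "$" + "h" * 86  # 106 chars


def hash_scheme(value):
    """Return the crypt scheme implied by the leading $id$ prefix."""
    m = re.match(r"\$([0-9a-z]+)\$", value)
    return SCHEMES.get(m.group(1), "unknown") if m else "unknown"


def review(password_hash, failed_attempts, lockout_time):
    """Return findings for one Log Collector's CLI authentication settings."""
    findings = []
    if not 0 <= failed_attempts <= 10:
        findings.append("Failed Attempts outside 0 to 10")
    if not 0 <= lockout_time <= 60:
        findings.append("Lockout Time outside 0 to 60")
    if failed_attempts == 0:
        findings.append("unlimited login attempts: no lockout against brute force")
    elif lockout_time == 0:
        findings.append("indefinite lockout: recovery needs another admin or a Panorama push")
    if password_hash is not None:  # None means Password mode, nothing to inspect
        scheme = hash_scheme(password_hash)
        if len(password_hash) > MAX_HASH_LEN:
            findings.append(f"{scheme} hash is {len(password_hash)} chars, over the 63-char limit")
        elif scheme == "md5-crypt":
            findings.append("md5-crypt hash: legacy scheme, weakest against offline guessing")
        elif scheme == "unknown":
            findings.append("unrecognized hash format: confirm it was copied completely")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_MD5, SAMPLE_SHA256, SAMPLE_SHA512):
        print(hash_scheme(sample), len(sample), review(sample, 5, 15))
```

The SHA-512 sample shows why a hash copied from a modern Unix shadow file may not fit the 63-character field.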
