https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-global-admin-account-lockout-settings-vs/ta-p/519341 <P>This article is based on a discussion, <A title="Global Device/Setup Authentication Settings vs Device/Setup/Authentication Profile" href="https://live.paloaltonetworks.com/t5/general-topics/global-device-setup-authentication-settings-vs-device-setup/m-p/517898" target="_blank" rel="noopener"><STRONG>Global Device/Setup Authentication Settings vs Device/Setup/Authentication Profile</STRONG></A>, posted by <STRONG><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/179185">@Metgatz</a></STRONG>&nbsp;and answered by <STRONG><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>.</STRONG> Read on to see the discussion and solution!</P> <P>&nbsp;</P> <DIV class="lia-message-template-content-zone"> <BLOCKQUOTE> <P>Global Device/Setup Authentication Settings vs Device/Setup/Authentication Profile</P> <P>&nbsp;</P> <FONT size="3">At Global level in <STRONG>Device &gt; Setup &gt; Authentication Settings</STRONG> there are parameters such as: <STRONG>Failed Attempts</STRONG> and <STRONG>Lockout Time</STRONG>. </FONT><BR /><FONT size="3">At the same time, if I create an <STRONG>Authentication profile</STRONG> I see the same settings under the <STRONG>Account Lockout</STRONG> section.</FONT> <P>&nbsp;</P> <P><FONT size="3">Now I create a local account called:</FONT><BR /><FONT size="3">testadmin01</FONT></P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Local User created under Device &gt; Local User Database &gt; Users" style="width: 509px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44912i38676B7D7D05D461/image-size/large?v=v2&amp;px=999" role="button" title="kiwi_2-1666855148223.png" alt="Local User created under Device &gt; Local User Database &gt; Users" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Local User created under Device &gt; Local User Database &gt; Users</span></span> <P>&nbsp;</P> <P>&nbsp;</P> <P>Then I use the same account as an administrator in <STRONG>Device &gt; Setup &gt; Administrators</STRONG> and I associate it to an <STRONG>Authentication profile</STRONG>.&nbsp; In this profile I have <STRONG>Account Lockout</STRONG> settings configured <STRONG>Failed Attempts</STRONG> with value 3 and <STRONG>Lockout Time</STRONG> at 30 minutes.</P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Administrator tied to Authentication Profile" style="width: 969px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44913i652E9E88495F5A6F/image-size/large?v=v2&amp;px=999" role="button" title="kiwi_3-1666855450055.png" alt="Administrator tied to Authentication Profile" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Administrator tied to Authentication Profile</span></span> <P>&nbsp;</P> <P>However at a global level (<STRONG>Device &gt; Setup &gt; Authentication Settings</STRONG>) I have <STRONG>Failed Attempts</STRONG> configured with value 5 and <STRONG>Lockout Time</STRONG> at 30 minutes.</P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Failed Attempts and Lockout Time in Authentication Settings" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44910i228E0D83A6B7F1EA/image-size/large?v=v2&amp;px=999" role="button" title="kiwi_0-1666854863562.png" alt="Failed Attempts and Lockout Time in Authentication Settings" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Failed Attempts and Lockout Time in Authentication Settings</span></span> <P>&nbsp;</P> <P>&nbsp;</P> <P>Which settings are getting priority in this case ? The global level settings or the custom authentication profile settings ? Which of the two is valid, which one has real practical validity?</P> </BLOCKQUOTE> <P>&nbsp;</P> <P>If you use the local user configured with Authentication Profile, then the user will be locked out after reaching the number of Failed Attempts which was configured on the Authentication Profile.&nbsp; In that case, it will totally ignore my global lockout settings.</P> <P>&nbsp;</P> <P>Tested on LAB environment running PAN-OS 10.1.x</P> </DIV> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Thu, 27 Oct 2022 13:46:18 GMT kiwi 2022-10-27T13:46:18Z https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-global-admin-account-lockout-settings-vs/ta-p/519341 <P>&nbsp;</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Thu, 27 Oct 2022 13:46:18 GMT https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-global-admin-account-lockout-settings-vs/ta-p/519341 kiwi 2022-10-27T13:46:18Z