Nominated Discussion: Global Admin Account Lockout Settings vs Authentication Profile Settings

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member
No ratings

This article is based on a discussion, Global Device/Setup Authentication Settings vs Device/Setup/Authentication Profile, posted by @Metgatz and answered by @kiwi. Read on to see the discussion and solution!

 

Global Device/Setup Authentication Settings vs Device/Setup/Authentication Profile

 

At Global level in Device > Setup > Authentication Settings there are parameters such as: Failed Attempts and Lockout Time.
At the same time, if I create an Authentication profile I see the same settings under the Account Lockout section.

 

Now I create a local account called:
testadmin01

 

Local User created under Device > Local User Database > UsersLocal User created under Device > Local User Database > Users

 

 

Then I use the same account as an administrator in Device > Setup > Administrators and I associate it to an Authentication profile.  In this profile I have Account Lockout settings configured Failed Attempts with value 3 and Lockout Time at 30 minutes.

 

Administrator tied to Authentication ProfileAdministrator tied to Authentication Profile

 

However at a global level (Device > Setup > Authentication Settings) I have Failed Attempts configured with value 5 and Lockout Time at 30 minutes.

 

Failed Attempts and Lockout Time in Authentication SettingsFailed Attempts and Lockout Time in Authentication Settings

 

 

Which settings are getting priority in this case ? The global level settings or the custom authentication profile settings ? Which of the two is valid, which one has real practical validity?

 

If you use the local user configured with Authentication Profile, then the user will be locked out after reaching the number of Failed Attempts which was configured on the Authentication Profile.  In that case, it will totally ignore my global lockout settings.

 

Tested on LAB environment running PAN-OS 10.1.x

 
Rate this article:
(1)
  • 2297 Views
  • 0 comments
  • 1 Likes
Register or Sign-in
Labels
Article Dashboard
Version history
Last Updated:
‎10-27-2022 06:46 AM
Updated by: