on 10-27-2022 06:37 AM - edited on 10-27-2022 06:46 AM by jforsythe
This article is based on a discussion, Global Device/Setup Authentication Settings vs Device/Setup/Authentication Profile, posted by @Metgatz and answered by @kiwi. Read on to see the discussion and solution!
Global Device/Setup Authentication Settings vs Device/Setup/Authentication Profile
At Global level in Device > Setup > Authentication Settings there are parameters such as: Failed Attempts and Lockout Time.
At the same time, if I create an Authentication profile I see the same settings under the Account Lockout section.
Now I create a local account called:
testadmin01
Local User created under Device > Local User Database > Users
Then I use the same account as an administrator in Device > Setup > Administrators and I associate it to an Authentication profile. In this profile I have Account Lockout settings configured Failed Attempts with value 3 and Lockout Time at 30 minutes.
Administrator tied to Authentication Profile
However at a global level (Device > Setup > Authentication Settings) I have Failed Attempts configured with value 5 and Lockout Time at 30 minutes.
Failed Attempts and Lockout Time in Authentication Settings
Which settings are getting priority in this case ? The global level settings or the custom authentication profile settings ? Which of the two is valid, which one has real practical validity?
If you use the local user configured with Authentication Profile, then the user will be locked out after reaching the number of Failed Attempts which was configured on the Authentication Profile. In that case, it will totally ignore my global lockout settings.
Tested on LAB environment running PAN-OS 10.1.x
