Manage Users and Roles on Your Firebox

You can use role-based administration on your Firebox to share the configuration and monitoring responsibilities for the Firebox among several individuals in your organization. Because each administrator logs in with a unique user account, you can run audit reports that attribute each change in your device configuration file to the administrator who made it.

Each Firebox includes roles that you can assign to the unique user accounts you add: Device Administrator, Device Monitor, and Guest Administrator.

Device Administrator

User accounts that are assigned the Device Administrator role can connect to the device with read-write permissions to make changes to the device configuration file and monitor the device.

Device Monitor

User accounts that are assigned the Device Monitor role can connect to the device with read-only permissions to monitor the device.

Guest Administrator

User accounts that are assigned the Guest Administrator role can connect to the device only to manage the list of guest user accounts that connect to the hotspot enabled on the device.

More than one user with Device Administrator, Device Monitor, or Guest Administrator privileges can connect to the same Firebox at the same time. If you are connected to your Firebox with Device Administrator credentials, before you can change the configuration settings in the Firebox device configuration file, you must unlock the configuration file. For more information about how to unlock the configuration file to make changes, see Lock and Unlock a Configuration File.

For more information about the predefined roles available on your Firebox, see About Predefined Roles.

For more information about how to manage Guest Administrator user accounts, see Configure Hotspot Settings.

Each Firebox includes these default user accounts that cannot be deleted.

Default User Account   Default Passphrase   Description
admin                  readwrite            The default Device Administrator user account with read-write permissions.
status                 readonly             The default Device Monitor user account with read-only permissions.
wg-support             None                 The user account for WatchGuard Support access to your device. Disabled by default.

When you add new Device Management users to your Firebox, the account information for the users is stored in a separate file from the device configuration file. This means that if you must restore an earlier version of your configuration file to your Firebox, the user accounts you added are not affected. If you restore the factory-default settings for your Firebox, however, all the Device Management user accounts you added are removed; only the default user accounts are available, with the default passphrases restored. Because the default passphrases are published in this documentation, change them immediately after a factory reset.

You can use these authentication servers for Device Management user accounts on your Firebox:

  • Firebox-DB
  • Active Directory
  • LDAP
  • RADIUS

For external authentication servers (not Firebox-DB), make sure to add the user account to the authentication server before you add the user account to your Firebox. The user account credentials that you specify for a user account on your Firebox are case-sensitive and must match the user credentials as they are specified on the authentication server.

Add a New Device User

You can add a user account with the Device Administrator or Device Monitor role. To add a user account from an authentication server other than Firebox-DB, you must have already configured the settings on the Firebox for that authentication server, and the user account must already exist on the authentication server. You specify a passphrase only for user accounts that use the Firebox-DB authentication server. When you add a user account from an external authentication server (such as your Active Directory server), the Firebox does not store a passphrase for it; the password stored on the authentication server is used when the user logs in to the Firebox.

Configure Account Lockout Settings

You can enable Account Lockout to prevent brute force attempts to guess user account passwords. When Account Lockout is enabled, the Firebox temporarily locks a user account after a specified number of consecutive, unsuccessful login attempts, and permanently locks a user account after a specified number of temporary account lockouts. A permanently locked user account can be unlocked only by a user with Device Administrator credentials.

The default admin user account can be temporarily locked but cannot be permanently locked.
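The lockout rules above (a temporary lock after N consecutive failures, a permanent lock after M temporary locks, no permanent lock for admin, and unlock only by a Device Administrator) are easy to misread, so here is a small model of them. This is an added example written for this page, not Fireware code; the thresholds, the lock duration, and the choice that attempts during a lock do not count are assumptions, since the page does not state the product defaults.

```python
from dataclasses import dataclass
from typing import List, Optional

# Policy thresholds. Fireware lets the administrator choose these; the values
# here are assumptions for the example, not product defaults.
MAX_FAILED_ATTEMPTS = 5        # consecutive failures before a temporary lock
MAX_TEMPORARY_LOCKOUTS = 3     # temporary locks before a permanent lock
TEMPORARY_LOCK_SECONDS = 300   # how long a temporary lock lasts

# The page states that the default admin account can be temporarily locked
# but never permanently locked.
NEVER_PERMANENTLY_LOCKED = {"admin"}


@dataclass
class Account:
    name: str
    failed_attempts: int = 0               # consecutive failures since last success/unlock
    temporary_lockouts: int = 0            # temporary locks since last unlock
    locked_until: Optional[float] = None   # epoch seconds; None when not temporarily locked
    permanently_locked: bool = False

    def status(self, now: float) -> str:
        if self.permanently_locked:
            return "permanent"
        if self.locked_until is not None and now < self.locked_until:
            return "temporary"
        return "unlocked"


def record_failure(acct: Account, now: float) -> str:
    """Apply one failed login attempt and return the resulting lock status."""
    current = acct.status(now)
    if current != "unlocked":
        return current  # assumption: attempts made while locked are ignored
    acct.failed_attempts += 1
    if acct.failed_attempts < MAX_FAILED_ATTEMPTS:
        return "unlocked"
    # Threshold reached: start a new lockout and reset the attempt counter.
    acct.failed_attempts = 0
    acct.temporary_lockouts += 1
    if (acct.temporary_lockouts >= MAX_TEMPORARY_LOCKOUTS
            and acct.name not in NEVER_PERMANENTLY_LOCKED):
        acct.permanently_locked = True
        acct.locked_until = None
        return "permanent"
    acct.locked_until = now + TEMPORARY_LOCK_SECONDS
    return "temporary"


def record_success(acct: Account, now: float) -> bool:
    """A correct passphrase resets the failure counter, but not while locked."""
    if acct.status(now) != "unlocked":
        return False  # a locked account cannot log in even with the right passphrase
    acct.failed_attempts = 0
    return True


def unlock(acct: Account, actor_role: str) -> bool:
    """Clear every lock; the page allows this only for a Device Administrator."""
    if actor_role != "Device Administrator":
        return False
    acct.failed_attempts = 0
    acct.temporary_lockouts = 0
    acct.locked_until = None
    acct.permanently_locked = False
    return True


def simulate(name: str, failures: int) -> List[str]:
    """Feed `failures` bad logins, waiting out each temporary lock, and
    return the status reported after each attempt."""
    acct = Account(name)
    now = 0.0
    statuses = []
    for _ in range(failures):
        status = record_failure(acct, now)
        statuses.append(status)
        if status == "temporary":
            now += TEMPORARY_LOCK_SECONDS + 1  # attacker waits for the lock to expire
    return statuses


if __name__ == "__main__":
    print("operator:", simulate("operator", 15)[-1])  # ends permanently locked
    print("admin:   ", simulate("admin", 15)[-1])     # only ever temporarily locked
```

The admin exception is the point to notice: a patient attacker can keep cycling the default admin account through temporary locks indefinitely, so that account needs a strong, non-default passphrase and should not be the one your administrators use day to day.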

Unlock a Locked Device Management User Account

If Account Lockout is enabled for Device Management user accounts, a Device Management user account can be temporarily or permanently locked after a specified number of failed login attempts. A user with the Device Administrator credentials can unlock a locked account.

To unlock a locked Device Management user account, from Fireware Web UI:

  1. Select System > Users and Roles.
    The Users and Roles page appears, with the Users and Roles tab selected. The Lockout Status column shows whether an account is locked.
  2. Select a locked account.
  3. Click Unlock.
    A confirmation message appears.
  4. Click Yes.

To unlock a locked user account, from Policy Manager:

  1. From the Users and Roles page, select a locked account.
    On the Users and Roles tab, the Lockout Status column indicates whether an account is locked.
  2. Click Unlock.
    A confirmation message appears.
  3. Click Yes.

You can also unlock a user account from the Authentication List tab in Firebox System Manager. For more information, see Authenticated Users (Authentication List).

Lock and Unlock a Configuration File

(Fireware Web UI Only)

When you enable more than one Device Administrator to connect to your Firebox at the same time with Fireware Web UI, a Device Administrator must unlock the configuration file before that user can change the configuration settings in the Firebox device configuration file. While one Device Administrator holds the configuration file unlocked, it remains locked for all other users with Device Administrator credentials until the user who unlocked it either locks the configuration file again or logs out.

For information about how to enable more than one Device Administrator to log in to your Firebox at the same time, see Define Firebox Global Settings.

To unlock a configuration file, from Fireware Web UI:

At the top of the page, click the Lock icon.

To lock a configuration file, from Fireware Web UI:

At the top of the page, click the Unlocked icon.

Edit a Device User

When you edit a user account that you created on your Firebox, you can change only the role assigned to the user and the passphrase for users defined for the Firebox-DB authentication server. You cannot change the user name or the authentication server settings. To change the user name or the authentication server specified for a user account, you must remove the user from the Manage Users and Roles list and then add the user account again with the correct settings.

For the admin and status user accounts, you can only change the passphrase. For the wg-support user account, you can change the role and the passphrase.

Delete a Device User

You can only delete the user accounts that you create on your Firebox. The default user accounts (admin, status, and wg-support) cannot be deleted.

Audit Device Management User Activity

To see which Device Management users have made changes to your Firebox, you can review an Audit Trail report. This report includes a detailed list of the audited configuration changes made to your Firebox.

Before you can see audit trail details in a report, you must configure your Firebox to send audit trail log messages to your WSM Log Server or your instance of Dimension. In the Logging settings for your Firebox, select the Send log messages when the configuration for this Firebox is changed check box.

For more information about how to configure your Firebox to generate audit trail log messages from Policy Manager, see Define Where the Firebox Sends Log Messages (WSM).

For more information about how to configure your Firebox to generate audit trail log messages from Fireware Web UI, see Configure Logging Settings & Performance Statistics.

For information about how to generate an Audit Trail report in Report Manager, see View Reports in Report Manager.

For information about how to view an Audit Trail report in Dimension, see View Reports.
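The reason to give each administrator a unique account, as the page says above, is that the audit trail can then attribute each change to a person. The following is an added example (not a Fireware tool or report) that summarises configuration changes per user from audit-trail log messages and flags any change recorded under a shared built-in account, which cannot be attributed to an individual. The sample lines are constructed, and their layout (timestamp, user, category, message) is an assumption for this example, not the Fireware log format; adjust LINE_RE to match your real log messages.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample lines in an ASSUMED layout; not the Fireware log format.
SAMPLE_AUDIT_LOG = """\
2024-03-04T09:12:01Z admin  config: policy HTTP-proxy modified
2024-03-04T09:15:44Z jdoe   config: user bsmith added (role=Device Monitor)
2024-03-04T09:20:03Z status login: read-only session started
2024-03-04T10:02:17Z admin  config: logging settings modified
2024-03-04T10:30:55Z jdoe   config: policy SSH deleted
2024-03-04T11:05:12Z bsmith login: read-only session started
"""

# Built-in accounts listed on this page. Their passphrases are typically
# shared, so a change logged under them does not identify one person.
SHARED_DEFAULT_ACCOUNTS = {"admin", "status", "wg-support"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<cat>\w+):\s+(?P<msg>.*)$"
)


def parse_audit_log(text: str) -> List[Dict[str, str]]:
    """Parse lines in the assumed layout; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def changes_per_user(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count configuration changes (category 'config') by the user who made them."""
    return dict(Counter(e["user"] for e in events if e["cat"] == "config"))


def unattributable_changes(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Configuration changes made under a shared built-in account."""
    return [
        (e["ts"], e["msg"])
        for e in events
        if e["cat"] == "config" and e["user"] in SHARED_DEFAULT_ACCOUNTS
    ]


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    for user, count in changes_per_user(events).items():
        print(f"{user}: {count} change(s)")
    for ts, msg in unattributable_changes(events):
        print(f"NOT ATTRIBUTABLE {ts}: {msg}")
```

If the second list is not empty, someone is still making changes as the built-in admin account; the fix is to give that person a Device Administrator account of their own and reserve the default account for recovery.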

See Also

About Role-Based Administration

About Predefined Roles
