Manage Users and Roles on Your Firebox
With role-based administration on your Firebox, you can share the configuration and monitoring responsibilities for your Firebox among several individuals in your organization. This enables you to run audit reports to monitor which administrators make which changes in your device configuration file. You can use the built-in Firebox user accounts, or you can create your own.
About Firebox Roles and Users
| Role | Description |
|---|---|
| Device Administrator | User accounts that are assigned the Device Administrator role can connect to the device with read-write permissions to make changes to the device configuration file and monitor the device. |
| Device Monitor | User accounts that are assigned the Device Monitor role can connect to the device with read-only permissions to monitor the device. |
| Guest Administrator | User accounts that are assigned the Guest Administrator role can only connect to the device to manage the list of guest user accounts for connections to the hotspot enabled on the device. |
You can enable more than one user with Device Administrator, Device Monitor, or Guest Administrator privileges to connect to your Firebox at the same time. If you have enabled this feature and are connected to your Firebox with Device Administrator credentials in Fireware Web UI, before you can change the configuration settings in the Firebox device configuration file, you must unlock the configuration file.
For more information about:
- How to enable more than one user with administrator privileges to log in to your Firebox at the same time, go to Define Firebox Global Settings.
- How to unlock the configuration file to make changes, go to the Lock and Unlock a Configuration File section.
- The predefined roles available on your Firebox, go to About Predefined Roles.
- How to manage Guest Administrator user accounts, go to Configure Hotspot Settings.
| Default User Account | Description | Default Passphrase |
|---|---|---|
| admin | The default Device Administrator user account with read-write permissions. | readwrite |
| status | The default Device Monitor user account with read-only permissions. | readonly |
In Fireware v12.10 or higher, the wg-support user account is no longer a default account. You can add and edit an account named wg-support.
You can enable the Support Access option, which creates a temporary, read-only user account on your Firebox for connections from WatchGuard Support. For more information, go to Support Access to Your Firebox.
When you add new Device Management users to your Firebox, the account information for the users is stored in a separate file from the device configuration file. This means that if you must restore an earlier version of your configuration file to your Firebox, the user accounts you added are not affected. If you restore the factory-default settings for your Firebox, however, all the Device Management user accounts you added are removed; only the default user accounts are available, with the default passphrases restored.
Caution: To keep your device secure, make sure to change the default passphrases for the admin and status accounts when you set up a new Firebox and after you restore factory-default settings. We recommend you specify unique passphrases for each Firebox you manage and change them frequently.
You can use these authentication servers for Device Management user accounts on your Firebox:
- Firebox-DB
- Active Directory
- LDAP
- RADIUS
- AuthPoint
For external, third-party authentication servers (not Firebox-DB), make sure to add the user account to the authentication server before you add the user account to your Firebox. The user account credentials that you specify for a user account on your Firebox are case-sensitive and must match the user credentials as they are specified on the third-party authentication server.
In Fireware v12.6.2 or higher, Fireware Web UI prevents the addition of users with reserved user names to the Firebox-DB authentication server. For more information, go to Reserved Firebox-DB authentication server user names.
Manage Roles and Users
You can add a user account with the Device Administrator or Device Monitor role. To add a user account from an external, third-party authentication server (not Firebox-DB), you must have already configured the settings on the Firebox for that authentication server. You must also make sure that the user account already exists on the authentication server. You specify a passphrase only for user accounts that use the Firebox-DB authentication server. When you add a user account from an external authentication server (such as your Active Directory server), the password defined for that user account on the authentication server is used when the user logs in to the Firebox.
To require multi-factor authentication (MFA) when a Device Management user logs in, specify AuthPoint as the authentication server. To do this, your Firebox must run Fireware v12.7 or higher and you must configure a Firebox resource in AuthPoint.
From Fireware Web UI:
- Select System > Users and Roles.
The Users and Roles page opens.
- Click Add.
The Add User dialog box opens.
- In the User Name text box, type the user name for the user account.
- From the Authentication Server drop-down list, select the authentication server for this user account.
- From the Role drop-down list, select the role for this user account.
- (Firebox-DB only) In the Passphrase and Confirm Passphrase text boxes, type the passphrase for this user account.
- Click OK.
The user account appears in the Users and Roles list.
- Click Save.
From Policy Manager:
- Select File > Manage Users and Roles.
The Login dialog box opens.
- In the Administrator User Name and Administrator Passphrase text boxes, type the credentials for a user account with Device Administrator privileges.
- From the Authentication Server drop-down list, select the correct authentication server for the user account you specified.
- Click OK.
The Manage Users and Roles dialog box opens.
- Click Add.
The Add User dialog box opens.
- In the User Name text box, type the user name for the user account.
- From the Authentication Server drop-down list, select the authentication server for this user account.
- From the Role drop-down list, select the role for this user account.
- (Firebox-DB only) In the Passphrase and Confirm Passphrase text boxes, type the passphrase for this user account.
- Click OK.
The user account appears in the Manage Users and Roles list.
From Firebox System Manager:
- Select Tools > Manage Users and Roles.
The Manage Users and Roles login dialog box appears.
- In the User Name and Passphrase text boxes, type the credentials for a user account with Device Administrator privileges.
- From the Authentication Server drop-down list, select the correct authentication server for the user account you specified.
- If you selected an Active Directory server, in the Domain text box, type the domain name for your Active Directory server.
- Click OK.
The Manage Users and Roles dialog box opens.
- Click Add.
The Add User dialog box opens.
- In the User Name text box, type the user name for the user account.
- From the Authentication Server drop-down list, select the authentication server for this user account.
- From the Role drop-down list, select the role for this user account.
- (Firebox-DB only) In the Passphrase and Confirm Passphrase text boxes, type the passphrase for this user account.
- Click OK.
The user account appears in the Manage Users and Roles list.
When you edit a user account that you created on your Firebox, you cannot change the user name or the authentication server setting. The other settings that you can change depend on the authentication server you specified for the user account. For user accounts from any external authentication server, you can change the role assigned to the user account and the passphrase. For users you defined in the Firebox-DB authentication server, you can change only the passphrase.
To change the user name or the authentication server specified for a user account, you must remove the user from the Manage Users and Roles list and then add the user account again with the correct settings.
For the built-in admin and status user accounts, you can change only the passphrase. For the wg-support user account, you can change the role and the passphrase.
In Fireware v12.10 or higher, the wg-support user account is no longer a default account. You can add and edit an account named wg-support.
We recommend you specify unique passphrases for each Firebox you manage and change them frequently.
From Fireware Web UI:
- From the Users and Roles list, select a user account.
- Click Edit.
The Edit User dialog box opens.
- Select a different role or specify a new passphrase.
- Click OK.
- Click Save.
From Policy Manager or Firebox System Manager:
- From the Manage Users and Roles list, select a user account.
- Click Edit.
The Edit User dialog box opens.
- Select a different role or specify a new passphrase.
- Click OK.
You can only delete the user accounts that you create on your Firebox. The default, built-in user accounts (admin, status, and wg-support) cannot be deleted.
In Fireware v12.10 or higher, the wg-support user account is no longer a default account. You can add and edit an account named wg-support.
From Fireware Web UI:
- From the Users and Roles list, select a user account.
- Click Remove.
A confirmation message opens.
- Click Yes.
The user is deleted from the Users and Roles list.
- Click Save.
From Policy Manager or Firebox System Manager:
- From the Manage Users and Roles list, select a user account.
- Click Remove.
A confirmation message opens.
- Click Yes.
The user is deleted from the Manage Users and Roles list.
You can enable Account Lockout to prevent brute force attempts to guess user account passphrases. When Account Lockout is enabled, the Firebox temporarily locks a user account after a specified number of consecutive, unsuccessful login attempts, and permanently locks a user account after a specified number of temporary account lockouts. A permanently locked user account can be unlocked only by a user with Device Administrator credentials.
The default admin user account can be temporarily locked but cannot be permanently locked.
From Fireware Web UI:
- Select System > Users and Roles.
The Users and Roles page opens.
- Select the Account Lockout tab.
- Select the Enable account lockout check box.
- In the Failed login attempts text box, type the number of consecutive failed login attempts that can occur before a user account is temporarily locked.
- In the Users locked out for text box, type the number of minutes that a temporarily locked account remains locked.
- In the Temporary lockouts text box, type the number of temporary lockouts that can occur before an account is permanently locked.
- Click Save.
From Policy Manager:
- Select Setup > Authentication > Authentication Settings.
- In the Management Session section, click Account Lockout.
The Account Lockout dialog box opens.
- Select the Enable account lockout check box.
- In the Failed login attempts text box, type the number of consecutive failed login attempts that can occur before a user account is temporarily locked.
- In the Users locked out for text box, type the number of minutes that a temporarily locked account remains locked.
- In the Temporary lockouts text box, type the number of temporary lockouts that can occur before an account is permanently locked.
- Click OK.
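The two-tier lockout policy described above (temporary lock after N consecutive failures, permanent lock after M temporary lockouts, the admin account exempt from permanent lock, and unlock by a Device Administrator) is easier to reason about as a small state machine. The code below is an added illustration, not WatchGuard code; the threshold values, account names, and the assumptions that attempts against a locked account are not counted and that the temporary-lockout counter resets only on an administrator unlock are constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    # Values an administrator types on the Account Lockout tab (constructed here).
    failed_attempts: int = 5      # consecutive failures before a temporary lock
    locked_out_minutes: int = 5   # how long a temporary lock lasts
    temporary_lockouts: int = 3   # temporary lockouts allowed before a permanent lock


@dataclass
class AccountState:
    name: str
    failures: int = 0             # consecutive failures since the last success or lock
    temp_lockouts: int = 0        # temporary lockouts recorded so far
    locked_until: float = 0.0     # time (minutes) when a temporary lock expires
    permanently_locked: bool = False

    def is_locked(self, now: float) -> bool:
        return self.permanently_locked or now < self.locked_until


def record_login(policy: LockoutPolicy, acct: AccountState, success: bool, now: float) -> str:
    """Apply one login attempt at time `now` (in minutes) and report the outcome:
    'ok', 'failed', 'temporarily_locked', 'permanently_locked' or 'rejected'."""
    if acct.is_locked(now):
        return "rejected"         # assumption: attempts against a locked account are not counted
    if success:
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures < policy.failed_attempts:
        return "failed"
    acct.failures = 0             # threshold reached: the account is locked
    # After the configured number of temporary lockouts the next lock is permanent,
    # except for the default admin account, which can only be locked temporarily.
    if acct.temp_lockouts >= policy.temporary_lockouts and acct.name != "admin":
        acct.permanently_locked = True
        return "permanently_locked"
    acct.temp_lockouts += 1
    acct.locked_until = now + policy.locked_out_minutes
    return "temporarily_locked"


def admin_unlock(acct: AccountState) -> None:
    """Unlock performed by a Device Administrator (Users and Roles > Unlock)."""
    acct.permanently_locked = False
    acct.locked_until = 0.0
    acct.failures = 0
    acct.temp_lockouts = 0        # assumption: an administrator unlock resets the counter
```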
If Account Lockout is enabled for Device Management user accounts, a Device Management user account can be temporarily or permanently locked after a specified number of failed login attempts. A user with the Device Administrator credentials can unlock a locked account.
- Select System > Users and Roles.
The Users and Roles page opens, with the Users and Roles tab selected. The Lockout Status column shows whether an account is locked.
- Select a locked account.
- Click Unlock.
A confirmation message opens.
- Click Yes.
- From the Users and Roles page, select a locked account.
On the Users and Roles tab, the Lockout Status column indicates whether an account is locked.
- Click Unlock.
A confirmation message opens.
- Click Yes.
You can also unlock a user account from the Authentication List tab in Firebox System Manager. For more information, go to See Authenticated Users in Firebox System Manager.
(Fireware Web UI Only)
When you enable more than one Device Administrator to connect to your Firebox at the same time, in Fireware Web UI, before a Device Administrator can change the configuration settings in the Firebox device configuration file, that user must unlock the configuration file. When the configuration file is unlocked by a Device Administrator to make changes, the configuration file is locked for all other users with Device Administrator credentials, until the Device Administrator who unlocked the configuration file either locks the configuration file again or logs out.
For information about how to enable more than one Device Administrator to log in to your Firebox at the same time, see Define Firebox Global Settings.
To unlock a configuration file, from Fireware Web UI:
At the top of the page, click .
To lock a configuration file, from Fireware Web UI:
At the top of the page, click .
To see which Device Management users have made changes to your Firebox, you can review an Audit Trail report. This report includes a detailed list of the audited configuration changes made to your Firebox.
Before you can see audit trail details in a report, you must configure your Firebox to send audit trail log messages to your WSM Log Server or your instance of Dimension. In the Logging settings for your Firebox, select the Send log messages when the configuration for this Firebox is changed check box.
For more information about:
- How to configure your Firebox to generate audit trail log messages from Policy Manager, go to Define Where the Firebox Sends Log Messages.
- How to configure your Firebox to generate audit trail log messages from Fireware Web UI, go to Configure Logging Settings & Performance Statistics (Web UI).
- How to generate an Audit Trail report in Report Manager, go to View Reports in Report Manager.
- How to view an Audit Trail report in Dimension, go to View Reports.