You can use role-based administration on your Firebox or XTM device to share the configuration and monitoring responsibilities for the device among several individuals in your organization. This enables you to run audit reports to monitor which administrators make which changes in your device configuration file.
Each device includes roles that you can assign to the unique user accounts you add: Device Administrator, Device Monitor, and Guest Administrator. User accounts that are assigned the Device Administrator role can connect to the device with read-write permissions to make changes to the device configuration file and monitor the device. User accounts that are assigned the Device Monitor role can connect to the device with read-only permissions to monitor the device. User accounts that are assigned the Guest Administrator role can only connect to the device to manage the list of guest user accounts for connections to the hotspot enabled on the device. More than one user with Device Monitor or Guest Administrator privileges can connect to a device at the same time, but, only one user with Device Administrator privileges can connect to a device at any time.
For more information about Guest Administrator user accounts, see Configure the Hotspot Custom Page.
Each Firebox or XTM device includes these default user accounts that cannot be deleted.
|Default User Account||Description||Default Passphrase|
|admin||The default Device Administrator user account with read-write permissions.||readwrite|
|status||The default Device Monitor user account with read-only permissions.||readonly|
|wg-support||The user account for WatchGuard Support access to your device. Disabled by default.||None|
When you add new Device Management users to your Firebox or XTM device, the account information for the users is stored in a separate file from the device configuration file. This means that if you must restore an earlier version of your configuration file to your device, the user accounts you added are not affected. If you restore the factory-default settings for your Firebox or XTM device, however, all the Device Management user accounts you added are removed; only the default user accounts are available, with the default passphrases restored.
You can use these authentication servers for Device Management user accounts on your device:
For external authentication servers (not Firebox-DB), make sure to add the user account to the authentication server before you add the user account to your device. The user account credentials that you specify for the user account on your Firebox or XTM device are case-sensitive and must match the user credentials as they are specified on the authentication server.
You can add a user account with the Device Administrator or Device Monitor role. To add a user account from an authentication server other than Firebox-DB, you must have already configured the settings on the Firebox or XTM device for that authentication server. Make sure that the user account already exists on the authentication server. You must only specify a passphrase for the user accounts that use the Firebox-DB authentication server. When you add a user account from an external authentication server (such as your Active Directory server), the password specified for that user account in the authentication server settings is used when the user logs in to the Firebox or XTM device.
To add a new device user:
When you edit a user account that you created on your Firebox or XTM device, you can change only the role assigned to the user and the passphrase for users defined for the Firebox-DB authentication server. You cannot change the user name or the authentication server settings. To change the user name or the authentication server specified for a user account, you must remove the user from the Manage Users and Roles list and then add the user account again with the correct settings.
For the admin and status user accounts, you can only change the passphrase. For the wg-support user account, you can change the role and the passphrase.
To change the role or passphrase for a user account:
You can only delete the user accounts that you create on your Firebox or XTM device. The default user accounts (admin, status, and wg-support) cannot be deleted.
To delete a user account:
To see which Device Management users have made changes to your Firebox or XTM device, you can review an Audit Trail report. This report includes a detailed list of the audited configuration changes made to your device.
Before you can see audit trail details in a report, you must configure your device to send audit trail log messages to your WatchGuard Log Server or Dimension Log Server. In the Logging settings for your device, select the Send log messages when the configuration for this Firebox is changed check box.
For more information about how to configure your device to generate audit trail log messages, see Include Performance Statistics in Log Messages.
For information about how to view an Audit Trail report in WatchGuard Dimension, see View Reports in the WatchGuard Dimension Help.
About Role-Based Administration