Add an internal user at the CLI

Create internal users to provide authorized access to the Firewall Threat Defense system with appropriate privilege levels.

Use the CLI to create internal users on the Firewall Threat Defense.

Procedure

Step 1

Log into the device CLI using an account with Config privileges.

The admin user account has the required privileges, but any account with Config privileges will work. You can use an SSH session or the Console port.

For certain Firewall Threat Defense models, the Console port puts you into the FXOS CLI. Use the connect ftd command to get to the Firewall Threat Defense CLI.

Step 2

Create the user account.

configure user add username {basic | config}

  • username —Sets the username. The username must be Linux-valid:

    • Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)

    • All lowercase

    • Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)

  • basic —Gives the user basic access. This role does not allow the user to enter configuration commands. Allowed commands are dig, ping, and traceroute.

  • config —Gives the user configuration access. This role gives the user full administrator rights to all commands.

Example:

This example adds a user account named johncrichton with Config access rights. The password is not shown as you type it.


> configure user add johncrichton config
Enter new password for user johncrichton: newpassword
Confirm new password for user johncrichton: newpassword
> show user
Login              UID   Auth Access  Enabled Reset    Exp Warn  Str Lock Max
admin             1000  Local Config  Enabled    No  Never  N/A  Dis   No N/A
johncrichton      1001  Local Config  Enabled    No  Never  N/A  Dis   No   5
Note

Tell users they can change their own passwords using the configure password command.

Step 3

(Optional) Adjust the characteristics of the account to meet your security requirements.

You can use these commands to change the default account behavior.

  • configure user aging username max_days warn_days

    Sets an expiration date for the user's password. Specify the maximum number of days for the password to be valid followed by the number of days before expiration the user will be warned about the upcoming expiration. Both values are 1 to 9999, but the warning days must be less than the maximum days. When you create the account, there is no expiration date for the password.

  • configure user forcereset username

    Forces the user to change the password on the next login.

  • configure user maxfailedlogins username number

    Sets the maximum number of consecutive failed logins you will allow before locking the account, from 1 to 9999. Use the configure user unlock command to unlock accounts. The default for new accounts is 5 consecutive failed logins. The admin account is exempt from being locked out after a maximum number of failed logins unless you enable security certification compliance.

  • configure user minpasswdlen username number

    Sets a minimum password length, which can be from 1 to 127.

  • configure user strengthcheck username { enable | disable}

    Enables or disables password strength checking, which requires a user to meet specific password criteria when changing their password. When a user's password expires or if the configure user forcereset command is used, this requirement is automatically enabled the next time the user logs in.

Step 4

Manage user accounts as necessary.

Users can get locked out of their accounts, or you might need to remove accounts or fix other issues. Use these commands to manage the user accounts on the system.

  • configure user access username { basic | config}

    Changes the privileges for a user account.

  • configure user delete username

    Deletes the specified account.

  • configure user disable username

    Disables the specified account without deleting it. The user cannot log in until you enable the account.

  • configure user enable username

    Enables the specified account.

  • configure user password username

    Changes the password for the specified user. Users should normally change their own password using the configure password command.

    Caution

    Do not use the Linux passwd command in Expert Mode to change the admin user password. This command can cause file system corruption. Only use the regular Firewall Threat Defense CLI configure user password admin command (if you are not admin) or configure password command (if you are admin). If you don't know the password and can't log in at all, see the password recovery procedure.

  • configure user unlock username

    Unlocks a user account that was locked due to exceeding the maximum number of consecutive failed login attempts.

Note

Firewall Threat Defense uses the Pluggable Authentication Module (PAM) framework for user authentication. Within this framework, the pam_unix.so module handles password hashing and verification using the SHA-512 algorithm

Passwords are hashed using the SHA-512 algorithm.