Barracuda CloudGen Firewall

How to Configure Administrative Profiles

  • Last updated on

Administrative profiles define the authentication setup for admin users and specify which ranges/clusters, services, and configuration areas those users can access on a Barracuda Firewall Control Center and its managed Barracuda CloudGen Firewall systems.

When creating an administrative profile, a user with an administrative role must be created with the user's login information and the type of authentication. Next, all rights must be associated with a certain scope for that new administrator.

The corresponding configuration window marks mandatory input fields with an 'X' in a red bullet icon. The dialog window cannot be closed by clicking the OK button until these marked input fields in both tabs of the window are filled in with the required data. A green check mark indicates that the data is OK for either the corresponding category or for all input fields.

Step 1. Add a Control Center Administrator (for editing, see Step 1.a.)

  1. Click the ADMINS tab.
  2. Click +New Admin.
  3. The Create new CC Admin window is displayed.
    cc_admins_window_create_new_CC_admin.png
Step 1.a. Edit an Existing Control Center Administrator's Profile

To edit the profile of a CC-admin, proceed as follows:

  1. Click the ADMINS tab.
  2. To edit the entry, you now have two options:
    1. Option #1:
      1. Right-click the entry of the CC-admin.
      2. Click Lock in the list.
      3. Double-click the entry of the CC-admin.
      4. The Edit Standard Admin window is displayed.
    2. Option #2:
      1. Double-click the entry of the CC-admin.
      2. The Edit Standard Admin window is displayed.
      3. Click Lock in the upper-right corner of the window.

You can now continue with configuring the administrator's profile.

Step 2. Configure General Settings

  1. Disabled – Select the check box to disable the record for the admin.
  2. Login – Enter the login name for the administrator.
  3. Full Name – Enter the full name for the administrator.

  4. External Authentication – Select the check box to configure external authentication. In this case, continue with Step 2a.

    To use external authentication, the authentication scheme used to authenticate the CC Admin must be configured on the box level of the Control Center and all managed firewalls.

    For more information, see Authentication.

  5. Continue with Step 3.
Step 2a. Configure External Authentication Settings

For configuring external authentication, you have the following options:

  • Authentication Scheme - Select the required authentication scheme from the list. The possible options are as follows:
    • LDAP
    • MS Active Directory
    • MSNT
    • CGF Local
    • Radius
    • Redirect Authentication
    • RSA SecurID
    • TacPlus
    • No authentication (Template Admin)
  • External Login – Enter the login name that an administrator can use for external authentication.

Step 3. Configure Local Authentication Settings

For internal authentication, the configuration window presents the following options differently depending on the selected authentication level.

  1. Authentication Level

    Input Field                           Password OR Key   Password AND Key   Password   Key
    Password                              Y                 Y                  Y          -
    Last Password Change                  Y                 Y                  Y          -
    Public Key                            Y                 Y                  -          Y
    Enforce password strength             Y                 Y                  Y          -
    Force password change on next login   Y                 Y                  Y          Y
    Force regular password change         Y                 Y                  Y          -

    cc_admins_local_authentication_pwd_or_key.png
    cc_admins_local_authentication_pwd_and_key.png
    cc_admins_local_authentication_pwd_only.png
    cc_admins_local_authentication_key_only.png
  2. Password – Click the small cog wheel to enter a new password.

  3. Last Password Change – Indicates the number of days since the last password change.

  4. Public key – Click the small cog wheel to either import the public key or to create a new one.

  5. Enforce password strength – Select the strength the password must conform to. The strength of the password is determined by the usage of different uppercase and lowercase letters, digits, special characters, and length. Passwords are rated best when characters of all types are used at least twice, and the length of the password is at least 16.

    The password strength check rates as follows:
    1 point for length > 7
    2 points for length > 15
    1 point for a lowercase character
    2 points for 2 different lowercase characters
    1 point for an uppercase character
    2 points for 2 different uppercase characters
    1 point for a digit
    2 points for 2 different digits
    1 point for a non-alphanumeric symbol
    2 points for 2 different non-alphanumeric symbols

    The rating by points results in:
    1 to 4 points = Weak
    4 to 7 points = Medium
    8 to 9 points = Strong
    10 points = Best

    Choose the required password strength from the following options:

    • No password enforcement
    • Weak
    • Medium
    • Strong
    • Best
  6. Force password on next login – Select the check box to force the user to enter a new password on the next login.

  7. Force regular password change – Select the check box to force the user to re-enter a new password regularly. After selecting the check box, the following sub-options are available:

    • Force password change every – Enter the number of days or weeks after which the password must be renewed.

    • Warning period before expiration – Enter the number of days the user is presented a warning before the current password expires.
  8. Grace period after expiration – Enter the number of days the user has to enter a new password after the expiration period.
    During the grace period, administrators can reset a password on their own.
    After the grace period ends, administrators can no longer log in. Then, another administrator with higher configuration privileges must reset the password of the affected administrator.
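
The scoring table under Enforce password strength can be reproduced offline to pre-check candidate passwords against a chosen enforcement level. The following is an added example, not Barracuda code; it assumes ASCII character classes, treats every other character as a symbol, and counts 4 points (listed under both Weak and Medium) as Weak.

```python
import string

# Enforcement options from the page, weakest first.
LEVELS = ["No password enforcement", "Weak", "Medium", "Strong", "Best"]


def score(password):
    """Return (total_points, per_category_points) per the page's scoring table."""
    alnum = string.ascii_letters + string.digits
    classes = {
        "lowercase": {c for c in password if c in string.ascii_lowercase},
        "uppercase": {c for c in password if c in string.ascii_uppercase},
        "digit": {c for c in password if c in string.digits},
        # Assumption: every character outside ASCII letters/digits is a symbol.
        "symbol": {c for c in password if c not in alnum},
    }
    # 1 point for one character of a class, 2 for two *different* ones.
    points = {name: min(len(chars), 2) for name, chars in classes.items()}
    # 1 point for length > 7, 2 points for length > 15.
    points["length"] = 2 if len(password) > 15 else 1 if len(password) > 7 else 0
    return sum(points.values()), points


def rating(total):
    """Map points to a level. Assumption: 4 points (listed twice) counts as Weak."""
    if total >= 10:
        return "Best"
    if total >= 8:
        return "Strong"
    if total >= 5:
        return "Medium"
    if total >= 1:
        return "Weak"
    return "No password enforcement"  # 0 points: passes only without enforcement


def meets(password, required):
    """True if the password reaches the required enforcement level."""
    total, _ = score(password)
    return LEVELS.index(rating(total)) >= LEVELS.index(required)


def shortfalls(password):
    """Categories still below the 2-point maximum, i.e. what keeps it from Best."""
    _, points = score(password)
    return sorted(name for name, p in points.items() if p < 2)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw in ["password", "Tr0ub4dor&3", "Aa1!Aa1!Aa1!Aa1!", "CorrectHorse-Battery_Staple42"]:
        total, _ = score(pw)
        print(f"{pw!r}: {total} points, {rating(total)}, below max: {shortfalls(pw)}")
```

The third sample is 16 characters long and uses all four character classes, yet scores only 6 points because each class contains a single repeated character.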

Step 4. Configure Additional Settings

  1. Assigned Range – This option in combination with linked ranges controls which entries an administrator can see in CONFIGURATION > State Info > Sessions..., in the window Configuration Sessions.
  2. Login Event – Choose between the following options of possible associated events:
    • Service default
    • Silent
    • Type 1
    • Type 2
    • Type 3
      For more information on events, see Events.
  3. ACL – Click + to configure access restriction for the admin to certain IP addresses or networks.

Step 5. Add a New Instance to Configure the Administrative Scope and Rights

After creating the account, one or more specific scopes must be defined and associated with the new CC-administrator.

If you create more than one instance for the same administrator, you must ensure that the instances do not overlap.

 For more information on administrative roles, see How to Configure Administrative Roles.
cc_admins_window_assign_administrator_scope.png

  1. In the window, click the Administrator Scopes tab.
  2. Click + next to Instances.
  3. A new instance of the category Global is displayed.
    cc_admins_add_new_instance.png
Step 5.1. Configure Administrative Scope

The administrative scope can be selected from the following options:

  • Global
  • Global linked
  • Range
  • Range linked
  • Cluster

The options Global, Range, and Cluster signify that the configured administrative rights apply to every node in CONFIGURATION > Configuration Tree at or below the node Global, Range, or Cluster that must be selected at configuration.

cc_admins_admin_scope_range.png

The options Global linked and Range linked associate the configured administrative rights with any individually selected node (in the list Links) at or below a configured Global linked or Range linked node (in the list Range).

cc_admins_admin_scope_range_linked.png

Click + to add selected nodes to the Links list.

Step 5.2. Configure Administrative Rights

cc_admins_administrative_rights.png

  • Configuration Level – Administrative rights are filed individually on a per-administrator basis. When an administrator's configuration level is lower than or equal to the configured number, the administrator is granted access according to his or her filed administrative rights.
    A configuration level of 2 or lower means write access, 99 or lower means read access. Usually, the write level is lower than the read level.
    For more information on the configuration level, see Control Center Admins.
  • Allow all operations – Select the check box to allow all operations within the configured administrative scope. This overrides all administrative roles that have been assigned to the administrator.
  • Assign Roles – Click + to add roles for the CC-administrator.
    Administrative roles are configured in CONFIGURATION > Configuration Tree > Global Settings.
  • Shell Level – Select from the list what permissions are granted for shell level access.
    • No login – Shell access is denied.
    • Standard Login – Allows access on the OS layer via a default user account (home directory: user/phion/home/username).
    • Restricted Login – Permits access via a restricted shell (rbash) with limitations (e.g., commands containing slashes cannot be specified, directories cannot be changed with cd, ...). A restricted login confines any saving action to the user's home directory.

Step 6. Save the Administrator's Configuration

After entering all information into the mandatory input fields, continue with the following:

  1. Click OK to save the data.
  2. Depending on the lock state of the created/edited entry/entries:
    1. If you have edited a single entry:
      1. Right-click the edited entry.
      2. Select Unlock from the list.
        cc_admins_window_listview_unlock_single.png
    2. If you have edited multiple entries:
      1. Select Unlock All.
        cc_admins_window_listview_unlock_multiple.png

The following screenshot shows what an entry looks like in the list of the overview window.

cc_admins_list_of_configured_administrators.png
