Configure Firebox Account Lockout Settings
To prevent brute force attempts to guess your user account passwords, you can enable Account Lockout. Account Lockout settings apply to all user accounts that are configured for Firebox (Firebox-DB) authentication. You separately configure Account Lockout settings for Firebox user accounts and Device Management user accounts.
When Account Lockout is enabled, the Firebox temporarily locks a user account after a specified number of consecutive, unsuccessful login attempts, and permanently locks a user account after a specified number of temporary account lockouts. A permanently locked user account can be unlocked only by a user with Device Administrator credentials. For both temporary and permanent account lockouts, account lockout status is not affected when a Firebox is rebooted.
The Firebox does not clear unsuccessful login attempts unless the user successfully logs in or is locked. The count of unsuccessful login attempts is not cleared when the Firebox is rebooted.
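The three settings interact in a way that is easy to misread, so the following added example (not WatchGuard code) models the lockout behaviour described above as a small state machine: a temporary lock after the configured number of consecutive failures, a permanent lock once the allowed number of temporary lockouts has been used up, the failed-attempt counter cleared only by a successful login or by a lock, and a permanent lock cleared only by a Device Administrator. Time is passed in explicitly (in minutes) so the example runs offline. Two points the page does not state are marked as assumptions in the code: attempts made while an account is temporarily locked are rejected without being counted, and a successful login resets the temporary-lockout count.

```python
"""Model of Firebox-DB Account Lockout settings (added example, not WatchGuard code).

Settings map to the three Account Lockout text boxes:
failed_login_attempts, users_locked_out_for (minutes), temporary_lockouts.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutSettings:
    failed_login_attempts: int = 5   # consecutive failures before a temporary lock
    users_locked_out_for: int = 10   # minutes a temporary lock lasts
    temporary_lockouts: int = 3      # temporary locks allowed before a permanent lock


@dataclass
class Account:
    name: str
    password: str
    failed_attempts: int = 0
    temp_lockouts: int = 0
    locked_until: Optional[float] = None  # minute at which a temporary lock expires
    permanently_locked: bool = False

    def status(self, now: float) -> str:
        """Return 'unlocked', 'temporary' or 'permanent' (the Lockout Status column)."""
        if self.permanently_locked:
            return "permanent"
        if self.locked_until is not None and now < self.locked_until:
            return "temporary"
        return "unlocked"


class FireboxDb:
    def __init__(self, settings: LockoutSettings) -> None:
        self.settings = settings
        self.accounts: dict[str, Account] = {}

    def add_user(self, name: str, password: str) -> None:
        self.accounts[name] = Account(name, password)

    def authenticate(self, name: str, password: str, now: float) -> tuple[bool, str]:
        acct = self.accounts.get(name)
        if acct is None:
            return False, "unknown user"
        state = acct.status(now)
        if state == "permanent":
            return False, "account permanently locked"
        if state == "temporary":
            # ASSUMPTION: attempts against a temporarily locked account are not counted.
            return False, "account temporarily locked"
        if hmac.compare_digest(acct.password, password):
            acct.failed_attempts = 0   # page: success clears the failure count
            acct.temp_lockouts = 0     # ASSUMPTION: success also resets temporary-lockout count
            acct.locked_until = None
            return True, "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts < self.settings.failed_login_attempts:
            return False, "bad password"
        # Threshold reached: the lock itself clears the failure count (page).
        acct.failed_attempts = 0
        if acct.temp_lockouts >= self.settings.temporary_lockouts:
            # The allowed number of temporary lockouts has already occurred,
            # so this lockout is permanent.
            acct.permanently_locked = True
            acct.locked_until = None
            return False, "account permanently locked"
        acct.temp_lockouts += 1
        acct.locked_until = now + self.settings.users_locked_out_for
        return False, "account temporarily locked"

    def admin_unlock(self, name: str, device_administrator: bool) -> None:
        """Only Device Administrator credentials can clear a lock (page)."""
        if not device_administrator:
            raise PermissionError("Device Administrator credentials required")
        acct = self.accounts[name]
        acct.permanently_locked = False
        acct.locked_until = None
        acct.failed_attempts = 0
        acct.temp_lockouts = 0


def run_scenario() -> list[str]:
    """Constructed walk-through with 3 failures per lock and 2 temporary lockouts allowed."""
    db = FireboxDb(LockoutSettings(failed_login_attempts=3, users_locked_out_for=10, temporary_lockouts=2))
    db.add_user("alice", "correct-horse")  # constructed sample credentials
    trace: list[str] = []
    now = 0.0
    for _round in range(3):                # three bursts of wrong passwords
        for _ in range(3):
            trace.append(db.authenticate("alice", "wrong", now)[1])
        now += 11.0                        # wait past the 10-minute temporary lock
    trace.append(db.authenticate("alice", "correct-horse", now)[1])  # still rejected
    db.admin_unlock("alice", device_administrator=True)
    trace.append(db.authenticate("alice", "correct-horse", now)[1])
    return trace


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The scenario shows the order of events a defender should expect in the logs: two bursts each end in a temporary lock, the third burst ends in a permanent lock because the two allowed temporary lockouts have been used, the correct password is then rejected until a Device Administrator unlocks the account, and after that the same password succeeds.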
Configure Account Lockout Settings
From Fireware Web UI:
- Select Authentication > Servers.
The Authentication Servers page appears.
- From the Authentication Servers list, select Firebox.
The Firebox page appears.
- Select the Account Lockout tab.
- Select the Enable account lockout check box.
- In the Failed login attempts text box, type the number of consecutive failed login attempts that can occur before a user account is temporarily locked.
- In the Users locked out for text box, type the number of minutes that a temporarily locked account remains locked.
- In the Temporary lockouts text box, type the number of temporary lockouts that can occur before an account is permanently locked.
- Click Save.
From Policy Manager:
- Select Setup > Authentication > Authentication Settings.
The Authentication Servers dialog box appears, with the Firebox tab selected.
- Click Account Lockout.
The Account Lockout dialog box appears.
- Select the Enable account lockout check box.
- In the Failed login attempts text box, type the number of consecutive failed login attempts that can occur before a user account is temporarily locked.
- In the Users locked out for text box, type the number of minutes that a temporarily locked account remains locked.
- In the Temporary lockouts text box, type the number of temporary lockouts that can occur before an account is permanently locked.
- Click OK.
You can also configure Account Lockout settings for Device Management user accounts. For more information, go to:
- Fireware Web UI — Manage Users and Roles on Your Firebox
- Policy Manager — Set Global Firewall Authentication Values
Account Lockout Behavior
When a user tries to authenticate with a locked user account, a message on the Authentication Portal page shows whether the user account is temporarily or permanently locked out.
If a user tries to authenticate from a Mobile VPN client with a locked user account, authentication fails, but there is no message to the user that the user account is locked.
Unlock a Locked User Account
Before you can unlock a locked user account, you must log in to the Firebox as a user with Device Administrator credentials.
To unlock a locked Firebox user account, from Fireware Web UI:
- Select Authentication > Servers.
The Authentication Servers page appears.
- From the Authentication Servers list, select Firebox.
The Firebox settings page appears, with the Users and Groups tab selected. In the Firebox Users section, the Lockout Status column shows whether a user account is locked.
- Select the check box for one or more locked user accounts.
- Click Unlock.
A confirmation message appears.
- Click Yes.
You can also unlock a user account from the Authentication List tab in Firebox System Manager. For more information, go to See Authenticated Users in Firebox System Manager.