Enable OTP

Hi,

How can I enable the OTP via mail for the default admin account on SonicWall NSA 3650?

I know already that I can create a new local account and then enable the OTP for this new account, but I don't know how to do this with the default admin account.

Any suggestion?

Thanks

Category: Firewall Management and Analytics
Answers

  • @mrshahin,

    For OTP via mail, we need to associate a username with an email address and we cannot do that with the built-in admin account. We can enable TOTP for the admin account though. Otherwise, you can create a local user, add it to SonicWall Administrators Group and then enable OTP via mail on it.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • mrshahin Newbie ✭
    edited March 2021

    @shiprasahu93 Thanks as always for your reply,

    If I understood this correctly, the TOTP will work as MFA for the local admin account and we can use it instead of the OTP that sends a randomly generated number each time. Correct?

    Thanks

  • PPI_MIS Newbie ✭

    If you create a 'new' admin account to use OTP via email, how do you disable the built-in admin, as not having OTP on that account defeats our purpose of enabling?

    Thanks

  • abhits Newbie ✭

    I'm with @PPI_MIS ...

    If the built-in "admin" account cannot have TOTP associated with an email address, how might multiple people access these devices if/when such use of the account is required? Each engineer is assigned their own local account, but in the event it's needed, this built-in admin account w/could be used as the backup. Disabling TOTP on this account altogether isn't the solution. Using G/MS auth apps isn't glamorous...AFAIK, you can only register the key against a single device.

    Short of buying into a "single/shared" device in which to maintain keys for each built-in admin account, how do we secure our firewall(s) without requiring one (of many) individual to be responsible for these keys?

    Maybe that's the point? What are others doing?

  • joelloube Newbie ✭

    @PPI_MIS @abhits Did you ever figure out a solution for this? Why can we not disable the built-in admin account? This limitation really seems to defeat the entire idea behind MFA on user accounts.

    Otherwise, how do I even go about enrolling the admin user in MFA?

  • From my understanding it's always best practice to have a break glass account without MFA. If MFA stops working for whatever reason you'll need some type of management access. Make the default admin account a lengthy password and never use it.

    You can create a secondary account with admin role and have that use MFA.

    Went through MFA/2FA very recently.