Set Up an Administrative Account and Assign CLI Privileges

Create and configure administrative user accounts on firewalls and Panorama with specific CLI access rights and role-based permissions.
Where Can I Use This?
  • NGFW (Managed by PAN-OS or Panorama)
What Do I Need?
  • No prerequisites needed
To set up a custom administrative role and assign CLI privileges on a firewall or Panorama, use the following workflow. Creating custom administrative roles with CLI access provides enhanced security through granular permission controls and enables efficient automation of firewall management tasks. CLI access offers significant advantages over GUI-based administration, including faster execution of bulk operations, scriptable commands for repetitive tasks, remote management capabilities, and streamlined troubleshooting workflows. This approach allows administrators to maintain precise control over user privileges while enabling power users to leverage advanced command-line features for improved operational efficiency and reduced manual overhead.

Set Up a Custom Firewall Admin Account

  1. Configure an Admin Role profile.
    1. Select Device > Admin Roles and then click Add.
    2. Enter a Name to identify the role.
    3. For the scope of the Role, select Device or Virtual System.
    4. Define access to the Command Line:
      • Device role—superuser, superreader, deviceadmin, devicereader, or None.
      • Virtual System role—vsysadmin, vsysreader, or None.
    5. Click OK to save the profile.
  2. Configure an administrator account.
    1. Select Device > Administrators and click Add.
    2. Enter a user Name. If you will use local database authentication, this must match the name of a user account in the local database.
    3. If you configured an Authentication Profile or authentication sequence for the user, select it in the drop-down. If you select None, you must enter a Password and Confirm Password.
    4. If you configured a custom role for the user, set the Administrator Type to Role Based and select the Admin Role Profile. Otherwise, set the Administrator Type to Dynamic and select a dynamic role.
    5. Click OK and Commit.
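
The following audit script is an added example, not Palo Alto Networks code. It reads an exported configuration, joins each role-based administrator to its Admin Role profile, and checks the profile's Command Line access level against the firewall values listed in step 1. The XML element layout, the sample names, the finding labels, and the read-only grouping are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ALLOWED = {  # CLI access levels per firewall role scope, as listed on this page
    "device": {"superuser", "superreader", "deviceadmin", "devicereader"},
    "vsys": {"vsysadmin", "vsysreader"},
}
READ_ONLY = {"superreader", "devicereader", "vsysreader"}  # cannot change configuration

# Constructed sample. Element layout is an assumption; compare with your own export.
SAMPLE = """<config><mgt-config><users>
<entry name="auditor"><permissions><role-based><custom><profile>cli-read</profile></custom></role-based></permissions></entry>
<entry name="netops"><permissions><role-based><custom><profile>cli-full</profile></custom></role-based></permissions></entry>
<entry name="tenant1"><permissions><role-based><custom><profile>vsys-bad</profile></custom></role-based></permissions></entry>
<entry name="orphan"><permissions><role-based><custom><profile>deleted-role</profile></custom></role-based></permissions></entry>
</users></mgt-config><shared><admin-role>
<entry name="cli-read"><role><device><cli>superreader</cli></device></role></entry>
<entry name="cli-full"><role><device><cli>superuser</cli></device></role></entry>
<entry name="vsys-bad"><role><vsys><cli>deviceadmin</cli></vsys></role></entry>
</admin-role></shared></config>"""

def load_roles(root):
    """Map each Admin Role profile name to (scope, CLI level or 'none')."""
    roles = {}
    for entry in root.iterfind("./shared/admin-role/entry"):
        for scope in ALLOWED:
            node = entry.find(f"./role/{scope}")
            if node is not None:
                roles[entry.get("name")] = (scope, (node.findtext("cli") or "none").strip())
    return roles

def audit(xml_text):
    """Return sorted (administrator, profile, finding) for role-based administrators."""
    root = ET.fromstring(xml_text)
    roles = load_roles(root)
    findings = []
    for user in root.iterfind("./mgt-config/users/entry"):
        profile = user.findtext("./permissions/role-based/custom/profile")
        if profile is None:
            continue  # dynamic role: no Admin Role profile to check
        scope, cli = roles.get(profile, (None, None))
        if scope is None:
            finding = "missing-profile"
        elif cli == "none":
            finding = "no-cli"
        elif cli not in ALLOWED[scope]:
            finding = "invalid-level"
        else:
            finding = "read-only" if cli in READ_ONLY else "write-access"
        findings.append((user.get("name"), profile, finding))
    return sorted(findings)
```

Accounts reported as write-access are the ones to review against least privilege. A missing-profile or invalid-level finding points to a role reference or scope that should be corrected before the next commit.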

Set Up a Custom Panorama Admin Account

  1. Configure an Admin Role profile.
    1. Select Panorama > Admin Roles and then click Add.
    2. Enter a Name to identify the role.
    3. For the scope of the Role, select Panorama.
    4. Select the Command Line tab and select an access level: superuser, superreader, panorama-admin, or None.
    5. Click OK to save the profile.
  2. Configure an administrator account.
    1. Select Panorama > Administrators and click Add.
    2. Enter a user Name.
    3. If you configured an Authentication Profile or authentication sequence for the user, select it in the drop-down. If you select None, you must enter a Password and Confirm Password.
    4. If you configured a custom role for the user, set the Administrator Type to Custom Panorama Admin and select the Admin Role Profile. Otherwise, set the Administrator Type to Dynamic and select a dynamic Admin Role.
    5. Click OK and Commit. For the Commit Type, select Panorama, and then click Commit again.