>
    Configure a Firewall Administrator Account
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Firewall Administration
    4. Manage Firewall Administrators
    5. Configure Administrative Accounts and Authentication
    6. Configure a Firewall Administrator Account
    Download PDF

    Configure a Firewall Administrator Account

    Table of Contents
    End-of-Life (EoL)

    Configure a Firewall Administrator Account

    Administrative accounts specify roles and authentication methods for firewall administrators. The service that you use to assign roles and perform authentication determines whether you add the accounts on the firewall, on an external server, or both (see Administrative Authentication). If the authentication method relies on a local firewall database or an external service, you must configure an authentication profile before adding an administrative account (see Configure Administrative Accounts and Authentication). If you already configured the authentication profile or you will use Local Authentication without a firewall database, perform the following steps to add an administrative account on the firewall.
    Create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This enables you to better protect the firewall from unauthorized configuration and enables logging of the actions of individual administrators.
    Make sure you are following the Best Practices for Securing Administrative Access to ensure that you are securing administrative access to your firewalls and other security devices in a way that prevents successful attacks.
    1. Modify the number of supported administrator accounts.
      Configure the total number of supported concurrent administrative accounts sessions for a firewall in the normal operational mode or in FIPS-CC mode. You can allow up to four concurrent administrative account sessions or configure the firewall to support an unlimited number of concurrent administrative account sessions.
      1. Select DeviceSetupManagement and edit the Authentication Settings.
      2. Edit the Max Session Count to specify the number of supported concurrent sessions (range is 0 to 4) allowed for all administrator and user accounts.
        Enter 0 to configure the firewall to support an unlimited number of administrative accounts.
        In FIPS-CC mode, the range is 1 to 4 with a default value of 4.
        In PAN-OS 10.0.4 and later releases, firewalls in FIPS-CC mode support a value of 0 to allow an unlimited amount of concurrent sessions.
      3. Edit the Max Session Time in minutes for an administrative account. Default is 720 minutes.
      4. Click OK.
      5. Commit.
      You can also configure the total number of supported concurrent sessions by logging in to the firewall CLI.
      admin> configure
      admin# set deviceconfig setting management admin-session max-session-count <0-4>
      admin# set deviceconfig setting management admin-session max-session-time <0, 60-1499>
      admin# commit
    2. Select DeviceAdministrators and Add an account.
    3. Enter a user Name.
      If the firewall uses a local user database to authenticate the account, enter the name that you specified for the account in the database (see Add the user group to the local database.)
    4. Select an Authentication Profile or sequence if you configured either for the administrator.
      If the firewall uses Local Authentication without a local user database for the account, select None (default) and enter a Password.
    5. Select the Administrator Type.
      If you configured a custom role for the user, select Role Based and select the Admin Role Profile. Otherwise, select Dynamic (default) and select a dynamic role. If the dynamic role is virtual system administrator, add one or more virtual systems that the virtual system administrator is allowed to manage.
    6. (Optional) Select a Password Profile for administrators that the firewall authenticates locally without a local user database. For details, see Define a Password Profile.
    7. Click OK and Commit.

    © 2025 Palo Alto Networks, Inc. All rights reserved.