Manage Firewall Administrators
Configure firewall admin accounts, roles, authentication, and access control privileges in PAN-OS for secure administration.
Where Can I Use This? NGFW (Managed by PAN-OS or Panorama)
What Do I Need? No prerequisites needed
Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls. Every Palo Alto Networks firewall has a predefined default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall.
As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This enables you to better protect the firewall from unauthorized configuration and enables logging of the actions of individual administrators. Make sure you are following the Administrative Access Best Practices to ensure that you are securing administrative access to your firewalls and other security devices in a way that prevents successful attacks.

Administrative Role Types

A role defines the type of access that an administrator has to the firewall. The Administrator Types are:
  • Role Based—Custom roles you can configure for more granular access control over the functional areas of the web interface, CLI, and XML API. For example, you can create an Admin Role profile for your operations staff that provides access to the firewall and network configuration areas of the web interface and a separate profile for your security administrators that provides access to security policy definitions, logs, and reports. On a firewall with multiple virtual systems, you can select whether the role defines access for all virtual systems or specific virtual systems. When new features are added to the product, you must update the roles with corresponding access privileges: the firewall does not automatically add new features to custom role definitions. For details on the privileges you can configure for custom administrator roles, see Reference: Web Interface Administrator Access.
  • Dynamic—Built-in roles that provide access to the firewall. When new features are added, the firewall automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.
Dynamic Role and Privileges:
  • Superuser: Full access to the firewall, including defining new administrator accounts and virtual systems. You must have Superuser privileges to create an administrative user with Superuser privileges.
  • Superuser (read-only): Read-only access to the firewall (enables the XML API in a read-only state).
  • Device administrator: Full access to all firewall settings except for defining new accounts or virtual systems.
  • Device administrator (read-only): Read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).
  • Virtual system administrator: Access to selected virtual systems on the firewall to create and manage specific aspects of virtual systems. A virtual system administrator doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
  • Virtual system administrator (read-only): Read-only access to selected virtual systems on the firewall and specific aspects of virtual systems. A virtual system administrator with read-only access doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.