Provide Granular Access to the Objects Tab
An object is a container that groups specific
policy filter values—such as IP addresses, URLs, applications, or
services—for simplified rule definition. For example, an address
object might contain specific IP address definitions for the web
and application servers in your DMZ zone.

When deciding whether to allow access to the Objects tab as a
whole, determine whether the administrator will have policy definition
responsibilities. If not, the administrator probably does not need
access to the tab. If, however, the administrator will need to create
policy, you can enable access to the tab and then provide granular
access privileges at the node level.

By enabling access to a specific node, you give the administrator
the privilege to view, add, and delete the corresponding object
type. Giving read-only access allows the administrator to view the
already defined objects, but not create or delete any. Disabling
a node prevents the administrator from seeing the node in the web
interface.

Access Level | Description | Enable | Read Only | Disable |
---|---|---|---|---|
Addresses | Specifies whether the administrator can view, add, or delete address objects for use in security policy. | Yes | Yes | Yes |
Address Groups | Specifies whether the administrator can view, add, or delete address group objects for use in security policy. | Yes | Yes | Yes |
Regions | Specifies whether the administrator can view, add, or delete region objects for use in security, decryption, or DoS policy. | Yes | Yes | Yes |
Applications | Specifies whether the administrator can view, add, or delete application objects for use in policy. | Yes | Yes | Yes |
Application Groups | Specifies whether the administrator can view, add, or delete application group objects for use in policy. | Yes | Yes | Yes |
Application Filters | Specifies whether the administrator can view, add, or delete application filters for simplification of repeated searches. | Yes | Yes | Yes |
Services | Specifies whether the administrator can view, add, or delete service objects for use in creating policy rules that limit the port numbers an application can use. | Yes | Yes | Yes |
Service Groups | Specifies whether the administrator can view, add, or delete service group objects for use in security policy. | Yes | Yes | Yes |
Tags | Specifies whether the administrator can view, add, or delete tags that have been defined on the firewall. | Yes | Yes | Yes |
GlobalProtect | Specifies whether the administrator can view, add, or delete HIP objects and profiles. You can restrict access to both types of objects at the GlobalProtect level, or provide more granular control by enabling the GlobalProtect privilege and restricting HIP Object or HIP Profile access. | Yes | No | Yes |
HIP Objects | Specifies whether the administrator can view, add, or delete HIP objects, which are used to define HIP profiles. HIP Objects also generate HIP Match logs. | Yes | Yes | Yes |
Clientless Apps | Specifies whether the administrator can view, add, modify, or delete GlobalProtect VPN Clientless applications. | Yes | Yes | Yes |
Clientless App Groups | Specifies whether the administrator can view, add, modify, or delete GlobalProtect VPN Clientless application groups. | Yes | Yes | Yes |
HIP Profiles | Specifies whether the administrator can view, add, or delete HIP Profiles for use in security policy and/or for generating HIP Match logs. | Yes | Yes | Yes |
External Dynamic Lists | Specifies whether the administrator can view, add, or delete external dynamic lists for use in security policy. | Yes | Yes | Yes |
Custom Objects | Specifies whether the administrator can see the custom spyware and vulnerability signatures. You can enable or disable access to all custom signatures at this level, or provide more granular control by enabling the Custom Objects privilege and then restricting access to each type of signature. | Yes | No | Yes |
Data Patterns | Specifies whether the administrator can view, add, or delete custom data pattern signatures for use in creating custom Vulnerability Protection profiles. | Yes | Yes | Yes |
Spyware | Specifies whether the administrator can view, add, or delete custom spyware signatures for use in creating custom Vulnerability Protection profiles. | Yes | Yes | Yes |
Vulnerability | Specifies whether the administrator can view, add, or delete custom vulnerability signatures for use in creating custom Vulnerability Protection profiles. | Yes | Yes | Yes |
URL Category | Specifies whether the administrator can view, add, or delete custom URL categories for use in policy. | Yes | Yes | Yes |
Security Profiles | Specifies whether the administrator can see security profiles. You can enable or disable access to all security profiles at this level, or provide more granular control by enabling the Security Profiles privilege and then restricting access to each type of profile. | Yes | No | Yes |
Antivirus | Specifies whether the administrator can view, add, or delete antivirus profiles. | Yes | Yes | Yes |
Anti-Spyware | Specifies whether the administrator can view, add, or delete Anti-Spyware profiles. | Yes | Yes | Yes |
Vulnerability Protection | Specifies whether the administrator can view, add, or delete Vulnerability Protection profiles. | Yes | Yes | Yes |
URL Filtering | Specifies whether the administrator can view, add, or delete URL filtering profiles. | Yes | Yes | Yes |
File Blocking | Specifies whether the administrator can view, add, or delete file blocking profiles. | Yes | Yes | Yes |
WildFire Analysis | Specifies whether the administrator can view, add, or delete WildFire analysis profiles. | Yes | Yes | Yes |
Data Filtering | Specifies whether the administrator can view, add, or delete data filtering profiles. | Yes | Yes | Yes |
DoS Protection | Specifies whether the administrator can view, add, or delete DoS protection profiles. | Yes | Yes | Yes |
GTP Protection | Specifies whether the mobile network operator can view, add, or delete GTP Protection profiles. | Yes | Yes | Yes |
SCTP Protection | Specifies whether the mobile network operator can view, add, or delete Stream Control Transmission Protocol (SCTP) Protection profiles. | Yes | Yes | Yes |
Security Profile Groups | Specifies whether the administrator can view, add, or delete security profile groups. | Yes | Yes | Yes |
Log Forwarding | Specifies whether the administrator can view, add, or delete log forwarding profiles. | Yes | Yes | Yes |
Authentication | Specifies whether the administrator can view, add, or delete authentication enforcement objects. | Yes | Yes | Yes |
Decryption Profile | Specifies whether the administrator can view, add, or delete decryption profiles. | Yes | Yes | Yes |
SD-WAN Link Management | Specifies whether the administrator can add or delete Path Quality, SaaS Quality, Traffic Distribution, and Error Correction profiles. | Yes | No | Yes |
Path Quality Profile | Specifies whether the administrator can view, add, or delete SD-WAN Path Quality profiles. | Yes | Yes | Yes |
SaaS Quality Profile | Specifies whether the administrator can view, add, or delete SD-WAN SaaS Quality profiles. | Yes | Yes | Yes |
Traffic Distribution Profile | Specifies whether the administrator can view, add, or delete SD-WAN Traffic Distribution profiles. | Yes | Yes | Yes |
Error Correction Profile | Specifies whether the administrator can view, add, or delete SD-WAN Error Correction profiles. | Yes | Yes | Yes |
Schedules | Specifies whether the administrator can view, add, or delete schedules for limiting a security policy to a specific date and/or time range. | Yes | Yes | Yes |
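
A least-privilege check for a planned role, written against the table above (an added example, not Palo Alto Networks code): it flags Read Only on group nodes that offer only Enable or Disable, child nodes whose group node is not enabled, and Enable where the administrator only needs to view. The plan format, the parent/child grouping and the sample role are assumptions for illustration; the script does not read or write firewall configuration.

```python
# Added example. Node names come from the table on this page; the plan format,
# the grouping below and the sample role are constructed for illustration.
ENABLE, READ_ONLY, DISABLE = "enable", "read-only", "disable"

# Group nodes the table lists without a Read Only option, mapped to the child
# nodes their descriptions refer to (this grouping is an assumption).
GROUPS = {
    "GlobalProtect": ["HIP Objects", "HIP Profiles"],
    "Custom Objects": ["Data Patterns", "Spyware", "Vulnerability"],
    "Security Profiles": ["Antivirus", "Anti-Spyware", "Vulnerability Protection",
                          "URL Filtering", "File Blocking", "WildFire Analysis",
                          "Data Filtering", "DoS Protection"],
    "SD-WAN Link Management": ["Path Quality Profile", "SaaS Quality Profile",
                               "Traffic Distribution Profile",
                               "Error Correction Profile"],
}
PARENT = {child: group for group, kids in GROUPS.items() for child in kids}


def review_plan(plan, needs_write):
    """Check a role plan {node: state}; return a list of (node, finding).

    needs_write: nodes where the administrator must add or delete objects.
    Nodes missing from the plan are treated as disabled.
    """
    findings = []
    for node, state in plan.items():
        if state not in (ENABLE, READ_ONLY, DISABLE):
            findings.append((node, "unknown-state"))
            continue
        if node in GROUPS and state == READ_ONLY:
            findings.append((node, "read-only-not-offered"))
        parent = PARENT.get(node)
        if parent and state != DISABLE and plan.get(parent, DISABLE) != ENABLE:
            findings.append((node, "parent-not-enabled"))
        if state == ENABLE and node not in GROUPS and node not in needs_write:
            findings.append((node, "enable-exceeds-need"))
    for node in sorted(needs_write):
        if plan.get(node, DISABLE) != ENABLE:
            findings.append((node, "write-access-missing"))
    return findings


# Constructed sample: a role that maintains address objects and views the rest.
SAMPLE_NEEDS = {"Addresses", "Address Groups"}
SAMPLE_PLAN = {
    "Addresses": ENABLE, "Address Groups": ENABLE, "Services": ENABLE,
    "Security Profiles": READ_ONLY, "Antivirus": READ_ONLY,
    "HIP Objects": READ_ONLY,
}
if __name__ == "__main__":
    for node, finding in review_plan(SAMPLE_PLAN, SAMPLE_NEEDS):
        print(f"{node}: {finding}")
```
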