Panorama > Administrators
Select to create and
manage accounts for Panorama administrators.
Panorama
Administrators
If you log in to Panorama as an administrator with a superuser
role, you can unlock the accounts of other administrators by clicking
the lock icons in the Locked User column. A locked out administrator
cannot access Panorama. Panorama locks out administrators who exceed
the allowed number of failed successive attempts to access Panorama
as defined in the
Authentication Profile
assigned
to their accounts (see Device
> Authentication Profile).To create an administrator account, click
Add
and configure
the settings as described in the following table.Administrator Account
Settings | Description |
---|---|
Name | Enter a login username for the administrator
(up to 15 characters). The name is case-sensitive, must be unique,
and can contain only letters, numbers, hyphens, and underscores. |
Authentication Profile | Select an authentication profile or sequence
to authenticate this administrator. For details, see Device
> Authentication Profile or Device
> Authentication Sequence. |
Use only client certificate authentication ( Web ) | Select to use client certificate authentication for
web interface access. If you select this option, a username ( Name )
and Password are not required. |
Password/Confirm Password | Enter and confirm a case-sensitive password
for the administrator (up to 15 characters). To ensure security,
Palo Alto Networks recommends that administrators change their passwords
periodically using a combination of lowercase letters, uppercase
letters, and numbers. Be sure to use the best practices for password strength to
ensure a strict password. Device Group and Template administrators
cannot access Panorama Administrators Logout at the bottom of the web interface).
This also applies to administrators with a custom Panorama role
in which access to Panorama Administrators You
can use password authentication in conjunction with an Authentication
Profile (or sequence) or with local database authentication.You
can set password expiration parameters by selecting a Password
Profile (see Device
> Password Profiles) and setting Minimum Password Complexity
parameters (see Device
> Setup > Management), but only for administrative accounts
that Panorama authenticates locally. |
Use Public Key Authentication (SSH) | Select to use SSH public key authentication:
click Import Key , Browse to
select the public key file, and click OK .
The Administrator dialog displays the uploaded key in the read-only text
area.Supported key file formats are IETF SECSH and OpenSSH. Supported
key algorithms are DSA (1024 bits) and RSA (768 to 4096 bits). If
public key authentication fails, Panorama presents a login and password
prompt. |
Administrator Type | The type selection determines the administrative role options:
|
Admin Role ( Dynamic administrator type ) | Select a predefined role:
|
Profile ( Custom Panorama Admin
administrator type ) | Select a custom Panorama role (see Panorama
> Managed Devices > Summary). |
Access Domain to Administrator Role ( Device
Group and Template Admin administrator type ) | For each access domain (up to 25) you want
to assign to the administrator, Add an Access
Domain from the drop-down (see Panorama
> Access Domains) and then click the adjacent Admin Role
cell and select a custom Device Group and Template administrator
role from the drop-down (see Panorama
> Managed Devices > Summary). When administrators with access
to more than one domain log in to Panorama, an Access
Domain drop-down appears in the footer of the web interface. Administrators
can select any assigned Access Domain to
filter the monitoring and configuration data that Panorama displays.
The Access Domain selection also filters
the firewalls that the Context drop-down
displays.If you use a RADIUS server to authenticate administrators,
you must map administrator roles and access domainstoRADIUS
VSAs. Because VSA strings support a limited number of characters,
if you configure the maximum number of access domain/role pairs
(25) for an administrator, the Name values for each access domain
and each role must not exceed an average of 9 characters. |
Password Profile | Select a Password Profile (see Device
> Password Profiles). |
Recommended For You
Recommended Videos
Recommended videos not found.