Configure Administrative Access Per Virtual System or Firewall
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure Administrative Access Per Virtual System or Firewall
If you have a superuser administrative account,
you can create and configure granular permissions for a vsysadmin
or device admin role.
- Create an Admin Role Profile that grants or disables permission to an Administrator to configure or read-only various areas of the web interface.
- Select DeviceAdmin Roles and Add an Admin Role Profile.Enter a Name and optional Description of the profile.For Role, specify which level of control the profile affects:
- Device—The profile allows the management of the global settings and any virtual systems.
- Virtual System—The profile allows the management of only the virtual system(s) assigned to the administrator(s) who have this profile. (The administrator will be able to access DeviceSetupServicesVirtual Systems, but not the Global tab.)
On the Web UI tab for the Admin Role Profile, scroll down to Device, and leave the green check mark (Enable).- Under Device, enable Setup. Under Setup, enable the areas to which this profile will grant configuration permission to the administrator, as shown below. (The Read Only lock icon appears in the Enable/Disable rotation if Read Only is allowed for that setting.)
- Management—Allows an admin with this profile to configure settings on the Management tab.
- Operations—Allows an admin with this profile to configure settings on the Operations tab.
- Services—Allows an admin with this profile to configure settings on the Services tab. An admin must have Services enabled in order to access the DeviceSetup ServicesVirtual Systems tab. If the Role was specified as Virtual System in the prior step, Services is the only setting that can be enabled under DeviceSetup.
- Content-ID—Allows an admin with this profile to configure settings on the Content-ID tab.
- WildFire—Allows an admin with this profile to configure settings on the WildFire tab.
- Session—Allows an admin with this profile to configure settings on the Session tab.
- HSM—Allows an admin with this profile to configure settings on the HSM tab.
Click OK.(Optional) Repeat the entire step to create another Admin Role profile with different permissions, as necessary.Apply the Admin role profile to an administrator.- Select DeviceAdministrators, click Add and enter the Name to add an Administrator.(Optional) Select an Authentication Profile.(Optional) Select Use only client certificate authentication (Web) to have bi-directional authentication; to get the server to authenticate the client.Enter a Password and Confirm Password.(Optional) Select Use Public Key Authentication (SSH) if you want to use a much stronger, key-based authentication method using an SSH public key rather than just a password.For Administrator Type, select Role Based.For Profile, select the profile that you just created.(Optional) Select a Password Profile.Click OK.Commit the configuration.Click Commit.