Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls. Every Palo Alto Networks firewall has a predefined default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall. As a best practice, create an administrative account for each person who will be performing configuration tasks on the firewall or Panorama so that you have an audit trail of changes.
Administrative Privileges
Privilege levels determine which commands an administrator can run as well as what information is viewable. Each administrative role has an associated privilege level. You can use dynamic roles (predefined roles that provide default privilege levels), or you can create custom firewall administrator roles or Panorama administrator roles and assign one of the following CLI privilege levels to each role:
Privilege Level: Description
superuser: Has full access to the Palo Alto Networks device (firewall or Panorama) and can define new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
superreader: Has complete read-only access to the device.
vsysadmin: Has access to selected virtual systems on the firewall to create and manage specific aspects of virtual systems. A virtual system administrator doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
vsysreader: Has read-only access to selected virtual systems on the firewall and specific aspects of virtual systems. A virtual system administrator with read-only access doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
deviceadmin: Has full access to all firewall settings except for defining new accounts or virtual systems.
devicereader: Has read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).
panorama-admin: Has full access to Panorama except for the following actions: creating, modifying, or deleting Panorama or device administrators and roles; exporting, validating, reverting, saving, loading, or importing a configuration; and scheduling configuration exports.
Set Up a Firewall Administrative Account and Assign CLI Privileges
To set up a custom firewall administrative role and assign CLI privileges, use the following workflow:
1. Configure an Admin Role profile. Select Device > Admin Roles and then click Add. Enter a Name to identify the role. For the scope of the Role, select Device or Virtual System. Define access to the Command Line: for a Device role, select superuser, superreader, deviceadmin, devicereader, or None; for a Virtual System role, select vsysadmin, vsysreader, or None. Click OK to save the profile.
2. Configure an administrator account. Select Device > Administrators and click Add. Enter a user Name. If you will use local database authentication, this must match the name of a user account in the local database. If you configured an Authentication Profile or authentication sequence for the user, select it in the drop-down. If you select None, you must enter a Password and Confirm Password. If you configured a custom role for the user, set the Administrator Type to Role Based and select the Admin Role Profile. Otherwise, set the Administrator Type to Dynamic and select a dynamic role. Click OK and Commit.
Set Up a Panorama Administrative Account and Assign CLI Privileges
To set up a custom Panorama administrative role and assign CLI privileges, use the following workflow:
1. Configure an Admin Role profile. Select Panorama > Admin Roles and then click Add. Enter a Name to identify the role. For the scope of the Role, select Panorama. Select the Command Line tab and select an access level: superuser, superreader, panorama-admin, or None. Click OK to save the profile.
2. Configure an administrator account. Select Panorama > Administrators and click Add. Enter a user Name. If you configured an Authentication Profile or authentication sequence for the user, select it in the drop-down. If you select None, you must enter a Password and Confirm Password. If you configured a custom role for the user, set the Administrator Type to Custom Panorama Admin and select the Admin Role Profile. Otherwise, set the Administrator Type to Dynamic and select a dynamic Admin Role. Click OK and Commit; for the Commit Type, select Panorama and click Commit again.
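As an added example (not part of this page and not Palo Alto Networks' own tooling), the following Python script reads an exported PAN-OS configuration and reports each administrator's effective CLI privilege level, whether it comes from a dynamic role or from a custom Admin Role profile, then flags the two conditions the text warns about: relying only on the predefined admin account and accumulating superuser accounts. The XML layout (mgt-config/users and shared/admin-role) is assumed from the structure of an exported running configuration and the sample below is constructed; check it against a real export before relying on it.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout of an exported PAN-OS configuration.
SAMPLE_CONFIG = """<config>
  <shared>
    <admin-role>
      <entry name="vsys1-ops"><role><vsys><cli>vsysreader</cli></vsys></role></entry>
      <entry name="fw-readonly"><role><device><cli>devicereader</cli></device></role></entry>
    </admin-role>
  </shared>
  <mgt-config>
    <users>
      <entry name="admin"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
      <entry name="alice"><permissions><role-based><superreader>yes</superreader></role-based></permissions></entry>
      <entry name="bob"><permissions><role-based><custom><profile>fw-readonly</profile></custom></role-based></permissions></entry>
      <entry name="carol"><permissions><role-based><custom><profile>vsys1-ops</profile></custom></role-based></permissions></entry>
    </users>
  </mgt-config>
</config>"""

# Dynamic roles as they appear as element names under <role-based> (assumed).
DYNAMIC_ROLES = ("superuser", "superreader", "deviceadmin", "devicereader", "panorama-admin")


def cli_privileges(config_xml: str) -> dict:
    """Map each administrator name to its CLI privilege level ('None' if no CLI access)."""
    root = ET.fromstring(config_xml)
    # Custom Admin Role profiles: profile name -> level chosen on the Command Line tab.
    profiles = {}
    for prof in root.findall("./shared/admin-role/entry"):
        cli = prof.find("./role/device/cli")          # Device-scoped role
        if cli is None:
            cli = prof.find("./role/vsys/cli")        # Virtual System-scoped role
        profiles[prof.get("name")] = cli.text if cli is not None and cli.text else "None"
    result = {}
    for user in root.findall("./mgt-config/users/entry"):
        rb = user.find("./permissions/role-based")
        level = "None"
        if rb is not None:
            dynamic = [r for r in DYNAMIC_ROLES if rb.findtext(r) == "yes"]
            profile = rb.findtext("./custom/profile")
            if dynamic:                               # Administrator Type: Dynamic
                level = dynamic[0]
            elif profile:                             # Administrator Type: Role Based
                level = profiles.get(profile, "None")
        result[user.get("name")] = level
    return result


def audit(config_xml: str) -> list:
    """Return findings: shared default account only, and every superuser account."""
    privs = cli_privileges(config_xml)
    findings = []
    if list(privs) == ["admin"]:
        findings.append("only the predefined 'admin' account exists: no per-person audit trail")
    supers = sorted(name for name, level in privs.items() if level == "superuser")
    if supers:
        findings.append("superuser accounts: " + ", ".join(supers))
    return findings
```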