Administrator accounts control access to firewalls and Panorama. A firewall administrator can have full or read-only access to a single firewall or to a virtual system on a single firewall. Firewalls have a predefined account that has full access.
The following authentication options are supported:
Password—The administrator enters a username and password to log in. This authentication requires no certificates. You can use it in conjunction with authentication profiles, or for local database authentication.
Client certificate authentication (web)—This authentication requires no username or password; the certificate suffices to authenticate access to the firewall.
Public key authentication (SSH)—The administrator generates a public/private key pair on the machine that requires access to the firewall, and then uploads the public key to the firewall to allow secure access without requiring the administrator to enter a username and password.
To add an administrator, click Add and fill in the following information.
Administrator Account Setting
Name—Enter a login name for the administrator (up to 31 characters). The name is case sensitive and must be unique. Use only letters, numbers, hyphens, periods, and underscores. Login names cannot start with a hyphen (-).
Authentication Profile—Select an authentication profile for administrator authentication. You can use this setting for RADIUS, TACACS+, LDAP, Kerberos, or local database authentication. For details, see Device > Authentication Profile.
Use only client certificate authentication (web)—Select this option to use client certificate authentication for web access. If you select this option, a username and password are not required; the certificate is sufficient to authenticate access to the firewall.
Password / Confirm New Password—Enter and confirm a case-sensitive password for the administrator (up to 31 characters). You can also select Setup > Management to enforce a minimum password length.
To ensure that the firewall management interface remains secure, we recommend that you periodically change administrative passwords using a mixture of lower-case letters, upper-case letters, and numbers. You can also configure Minimum Password Complexity settings for all administrators on the firewall.
Use Public Key Authentication (SSH)—Select this option to use SSH public key authentication. Click Import Key and browse to select the public key file. The uploaded key appears in the read-only text area.
Supported key file formats are IETF SECSH and OpenSSH. Supported key algorithms are DSA (1024 bits) and RSA (768-4096 bits).
If the public key authentication fails, the firewall prompts the administrator for a username and password.
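A pre-upload check for the key file, added here as an example and not Palo Alto Networks code: it reads either an OpenSSH one-liner or an IETF SECSH (RFC 4716) block, decodes the key blob, and reports whether the algorithm and size fall inside the limits stated above. The SUPPORTED table, the function names and the sample key builder are the example's own assumptions; the sample key it builds is constructed and not usable.

```python
import base64
import struct

SUPPORTED = {"ssh-rsa": (768, 4096), "ssh-dss": (1024, 1024)}  # bits, per the page

def _read_string(blob, off):
    """Read one length-prefixed field from an SSH wire-format key blob."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_public_key(text):
    """(algorithm, key_bits) from an OpenSSH one-liner or an IETF SECSH (RFC 4716) block."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines[0] == "---- BEGIN SSH2 PUBLIC KEY ----":
        body, cont = [], False
        for ln in lines[1:-1]:
            if cont or ":" in ln:           # header line; a trailing '\' continues it
                cont = ln.endswith("\\")
                continue
            body.append(ln)
        b64 = "".join(body)
    else:
        b64 = lines[0].split()[1]           # "ssh-rsa <base64> [comment]"
    blob = base64.b64decode(b64)
    algo, off = _read_string(blob, 0)
    algo = algo.decode()
    if algo == "ssh-rsa":
        _, off = _read_string(blob, off)    # skip exponent e; modulus n sets the size
    elif algo != "ssh-dss":                 # for ssh-dss the first field, prime p, sets it
        return algo, 0
    n, _ = _read_string(blob, off)
    return algo, int.from_bytes(n, "big").bit_length()

def firewall_accepts(text):
    """True if algorithm and size are inside the page's stated limits. NIST treats
    RSA below 2048 bits as deprecated, so aim well above the 768-bit floor."""
    algo, bits = parse_public_key(text)
    lo, hi = SUPPORTED.get(algo, (1, 0))    # unknown algorithm -> empty range
    return lo <= bits <= hi

def _mpint(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")   # leading 0x00 keeps it positive
    return struct.pack(">I", len(b)) + b

def make_openssh_rsa_line(bits):
    """CONSTRUCTED sample, not a real key: RSA-shaped blob with a modulus exactly `bits` wide."""
    n = (1 << (bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"
```

Run it against the output of ssh-keygen before importing the key; the size is taken from the modulus itself, so a misleading comment or filename cannot hide an undersized key.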
Role—Assign a role to this administrator. The role determines what the administrator can view and modify.
If you select Role Based, select a custom role profile from the drop-down. For details, see Device > Admin Roles.
If you select Dynamic, you can select one of the following predefined roles:
Superuser—Has full access to the firewall and can define new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
Superuser (read-only)—Has read-only access to the firewall.
Device administrator—Has full access to all firewall settings except for defining new accounts or virtual systems.
Device administrator (read-only)—Has read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).
Virtual system administrator—Has access to specific virtual systems on the firewall to create and manage specific aspects of virtual systems (if Multi Virtual System Capability is enabled). A virtual system administrator doesn't have access to network interfaces, virtual routers, IPSec tunnels, VLANs, virtual wires, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
Virtual system administrator (read-only)—Has read-only access to specific virtual systems on the firewall to view specific aspects of virtual systems (if Multi Virtual System Capability is enabled). A virtual system administrator with read-only access doesn't have access to network interfaces, virtual routers, IPSec tunnels, VLANs, virtual wires, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
Virtual Systems (Virtual system administrator role only)—Click Add to select the virtual systems that the administrator can manage.