Panorama > Administrators
to create and manage accounts for Panorama administrators.
If you log in to Panorama as an administrator with a superuser role, you can unlock the accounts of other administrators by clicking the lock icons in the Locked User column. A locked out administrator cannot access Panorama. Panorama locks out administrators who exceed the allowed number of failed successive attempts to access Panorama as defined in the
Authentication Profileassigned to their accounts (see Device > Authentication Profile).
To create an administrator account, click
Addand configure the settings as described in the following table.
Administrator Account Settings
Enter a login username for the administrator (up to 15 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, hyphens, and underscores.
Use only client certificate authentication (
Enter and confirm a case-sensitive password for the administrator (up to 15 characters). To ensure security, Palo Alto Networks recommends that administrators change their passwords periodically using a combination of lowercase letters, uppercase letters, and numbers.
Device Group and Template administrators cannot access
. To change their local password, these administrators click their username (beside
Logoutat the bottom of the web interface). This also applies to administrators with a custom Panorama role in which access to
You can use password authentication in conjunction with an
Authentication Profile(or sequence) or with local database authentication.
Use Public Key Authentication (SSH)
Select to use SSH public key authentication: click
Browseto select the public key file, and click
OK. The Administrator dialog displays the uploaded key in the read-only text area.
Supported key file formats are IETF SECSH and OpenSSH. Supported key algorithms are DSA (1024 bits) and RSA (768 to 4096 bits).
If public key authentication fails, Panorama presents a login and password prompt.
The type selection determines the administrative role options:
Dynamic administrator type)
Select a predefined role:
Custom Panorama Admin administrator type)
Access Domain to Administrator Role
Device Group and Template Admin administrator type)
For each access domain (up to 25) you want to assign to the administrator,
Access Domainfrom the drop-down (see Panorama > Access Domains) and then click the adjacent Admin Role cell and select a custom Device Group and Template administrator role from the drop-down (see Panorama > Managed Devices > Summary). When administrators with access to more than one domain log in to Panorama, an
Access Domaindrop-down appears in the footer of the web interface. Administrators can select any assigned
Access Domainto filter the monitoring and configuration data that Panorama displays. The
Access Domainselection also filters the firewalls that the
If you use a RADIUS server to authenticate administrators, you must map administrator roles and access domainstoRADIUS VSAs. Because VSA strings support a limited number of characters, if you configure the maximum number of access domain/role pairs (25) for an administrator, the Name values for each access domain and each role must not exceed an average of 9 characters.
Administrative Roles You configure administrator accounts based on the security requirements of your organization, any existing authentication services that your network uses, and the required ...
Device > Administrators
Device > Administrators Administrator accounts control access to firewalls and Panorama. A firewall administrator can have full or read-only access to a single firewall or ...
Configure a Panorama Administrator Account
Configure a Panorama Administrator Account Administrative accounts specify Administrative Roles and authentication for Panorama administrators. The service that you use to assign roles and perform ...
Configure Administrative Access Per Virtual System or Firew...
Configure Administrative Access Per Virtual System or Firewall If you have a superuser administrative account, you can create and configure granular permissions for a vsysadmin ...
Configure Local or External Authentication for Panorama Adm...
Configure Local or External Authentication for Panorama Administrators You can use an external authentication service or the service that is local to Panorama to authenticate ...
Use the Panorama Web Interface
Use the Panorama Web Interface The web interface on both Panorama and the firewall has the same look and feel. However, the Panorama web interface ...
Configure TACACS+ Authentication for Panorama Administrator...
Configure TACACS+ Authentication for Panorama Administrators You can use a TACACS+ server to authenticate administrative access to the Panorama web interface. You can also define ...
Panorama > Admin Roles
Panorama > Admin Roles Admin Role profiles are custom roles that define the access privileges and responsibilities of administrators. For example, the roles assigned to ...
Provide Granular Access to the Device Tab
Provide Granular Access to the Device Tab To define granular access privileges for the Device tab, when creating or editing an admin role profile ( ...