Panorama Administrator's Guide
    : Configure an Admin Role Profile for Selective Push to Managed Firewalls
    Focus
    Download PDF
    Focus
    1. Home
    2. Panorama
    3. Panorama Administrator's Guide
    4. Set Up Panorama
    5. Set Up Administrative Access to Panorama
    6. Configure an Admin Role Profile for Selective Push to Managed Firewalls
    Download PDF

    Panorama Administrator's Guide

    Configure an Admin Role Profile for Selective Push to Managed Firewalls

    Table of Contents

    Configure an Admin Role Profile for Selective Push to Managed Firewalls

    Create an admin role profile to push individual device group and template configuration objects to specific firewalls managed by the Panorama™ management server.
    To allow for greater control of configuration changes of managed firewalls, create an admin role profile to enable a Panorama administrator to push configuration for one or more Panorama administrators from the Panorama™ management server to managed firewalls. After you commit selective configuration changes to Panorama, you can select specific Panorama admin changes to review the configuration changes and then push only those changes made by the selected admins to your managed firewalls. Leveraging selective pushes to managed firewalls also reduces the risk of pushing incomplete device group and template configurations to managed firewalls by allowing you to explicitly exclude incomplete configuration changes when you push to managed firewalls. This helps mitigate and avoid potential outages and configuration related issues that could cause network disruptions,.
    Administrators with Superuser or Panorama admin role privileges can push and review object level changes of other administrators by default. However, you can modify the Panorama administrator admin roles to modify the object level configuration privileges as needed.
    1. Log in to the Panorama Web Interface.
    2. (Optional) Select DeviceAdmin Roles and select the Template in which to configure a firewall admin role profile.
      You must create an Admin Role profile on the firewall and assign it to the Panorama management server Admin Role profile to allow administrators to context switch between Panorama and managed firewall web interfaces.
    3. Select PanoramaAdmin Roles and Add a new admin role.
    4. Enter a descriptive Name for the admin role.
    5. Select the Panorama admin role.
    6. Select Web UI and navigate to the Commit privileges.
    7. Configure the object level configuration privileges as needed.
      All object level configuration privileges are enabled by default.
      The default Superuser or Panorama admin role privileges support full object level configuration privileges.
      • Push All Changes—Allow the administrator to push all changes made by all admins.
      • Push For Other Admins—Allows the administrator select and push configuration changes made by other administrators.
      • Object Level Changes—Allows the administrator to view individual configuration objects to push. If disabled, the list of configuration objects is not displayed in the Push Scope.
    8. (Optional) To allow Panorama administrators to Context Switch between the Panorama and firewall web interface, enter the name of Device Admin Role you configured in Step 1.
    9. Click OK.
    10. Configure a custom Panorama administrator and select the Admin Role you created.
    11. Commit and Commit to Panorama.

    © 2025 Palo Alto Networks, Inc. All rights reserved.