topic Re: Palo Alto user account in Next-Generation Firewall Discussions

Palo Alto user account

Abdelhak — Wed, 15 May 2024 13:01:04 GMT

Our customer has a PA-440 firewall deployed with HA and we have a request about the creation of a user account that has a full access to the device over Web UI but it can't change delete or change password of admin account

is it possible ? and how we can do that ?

Re: Palo Alto user account

TomYoung — Wed, 15 May 2024 13:17:11 GMT

Hi @Abdelhak ,

You can create a new administrator account. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-a-firewall-administrator-account

While you are logged in as admin, you cannot modify the admin account. You will have to create a new administrator account, log in with it, and then you will be able to change or delete the default admin account.

Thanks,

Tom

Re: Palo Alto user account

Abdelhak — Wed, 15 May 2024 13:23:57 GMT

Hi Tom,

Our need is to created a new admin account other then the default, but when we sign in using it we should not be able to delete or modify the password of the default admin account

is it possible ?

Re: Palo Alto user account

BPry — Wed, 15 May 2024 13:31:42 GMT

@Abdelhak,

Yes, but what exactly are you trying to give them permission to do? Do you want to have them have the ability to make changes to the configuration outside of modifying other administrators or do they just need to read the configuration?

If it's just reading the configuration then grant a read-only role that meets what you want them to do, otherwise you'll need to build a custom role and ensure that administrators and admin roles are read-only and set the XML, CLI, and REST access appropriately. If they only need GUI access just disable access to everything else.

Re: Palo Alto user account

Abdelhak — Wed, 15 May 2024 13:40:47 GMT

Our customer need to create another admin account that has the same rights as the default one to give it to other administrators for managing the device but they can't modify or change the password of the default admin account actually used by the main administrator of the site.

is it possible? and how we can do that ?

Re: Palo Alto user account

BPry — Wed, 15 May 2024 13:54:23 GMT

@Abdelhak,

So with those requirements a custom role assigned to the user is the only way. Build out a custom role and assign it to the created administrator account. The role will need to have 'Administrators' and 'Admin Roles' set to read only, this is the default status on a custom role that has Device access enabled so you'll just need to review everything else.

Keep in mind that this doesn't prevent them from loading a modified configuration file directly and committing it, it just prevents them from modifying things in normal means. You'll have more control over the GUI as you will with the XML, CLI, or REST settings. I would personally highly recommend disabling access to those three for this user, ensuring that 'Adminstrators' and 'Admin Roles' are set to read-only, and setting the 'Operations' tab to read-only so that the user couldn't upload and load a modified configuration file directly.

Re: Palo Alto user account

TomYoung — Wed, 15 May 2024 14:33:17 GMT

Thank you @Abdelhak !

I misunderstood.

Re: Palo Alto user account

TomYoung — Wed, 15 May 2024 14:35:48 GMT

Hi @Abdelhak ,

Maybe the built-in Device Administrator role fits the bill? https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-role-types

Thanks,

Tom