topic Re: security policies in General Topics https://live.paloaltonetworks.com/t5/general-topics/security-policies/m-p/1256371#M126596 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1468908427">@mostafa.abdelhakem</a>&nbsp;,</P> <P>&nbsp;</P> <P data-path-to-node="0">To accomplish this on a PA-460, you have two distinct approaches depending on whether you want a <STRONG data-index-in-node="130" data-path-to-node="0">push</STRONG> method (scheduling automated email reports) or a <STRONG data-index-in-node="184" data-path-to-node="0">pull</STRONG> method (granting direct, read-only access to an external auditor).</P> <P data-path-to-node="0">&nbsp;</P> <P data-path-to-node="0">Because "Security Policies" are part of the firewall's XML configuration file rather than dynamic traffic data, standard PDF custom reports won't show the exact rule geometry. However, for auditing Palo Alto policies you can configure notifications for configuration changes under <STRONG>Device &gt; Log Settings &gt; Configurations.</STRONG></P> <P data-path-to-node="3">&nbsp;</P> <P data-path-to-node="3">As for granting Read-Only Access to an Auditor,&nbsp;&nbsp;you can create a customized <STRONG data-index-in-node="180" data-path-to-node="4">Admin Role Profile:</STRONG></P> <OL start="1" data-path-to-node="6"> <LI> <P data-path-to-node="6,0,0">Navigate to <STRONG data-index-in-node="12" data-path-to-node="6,0,0">Device &gt; Admin Role</STRONG>&nbsp;and click <STRONG data-index-in-node="51" data-path-to-node="6,0,0">Add</STRONG>.</P> </LI> <LI> <P data-path-to-node="6,1,0">Name the profile something clear (e.g., <CODE data-index-in-node="40" data-path-to-node="6,1,0">Auditor-Read-Only</CODE>).</P> </LI> <LI> <P data-path-to-node="6,2,0">Under the <STRONG data-index-in-node="10" data-path-to-node="6,2,0">Web UI</STRONG> tab, set the rules for the tabs you want them to see.</P> </LI> </OL> <P data-path-to-node="7">Then you can create the actual auditor account.&nbsp; Go to <STRONG data-index-in-node="6" data-path-to-node="8,0,0">Device &gt; Administrators</STRONG> and click create a role based admin using the profile you just created earlier.&nbsp;</P> <P>&nbsp;</P> <P>Hope this helps,</P> Mon, 15 Jun 2026 14:36:20 GMT kiwi 2026-06-15T14:36:20Z security policies https://live.paloaltonetworks.com/t5/general-topics/security-policies/m-p/1256370#M126595 <P>hello , i need to extract security policies from palo alto appliance&nbsp;&nbsp;</P> <P>Model (PA-460)&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>is there a way to schedule the report or grant read only access to audit function ?</P> Mon, 15 Jun 2026 13:36:12 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policies/m-p/1256370#M126595 mostafa.abdelhakem 2026-06-15T13:36:12Z Re: security policies https://live.paloaltonetworks.com/t5/general-topics/security-policies/m-p/1256371#M126596 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1468908427">@mostafa.abdelhakem</a>&nbsp;,</P> <P>&nbsp;</P> <P data-path-to-node="0">To accomplish this on a PA-460, you have two distinct approaches depending on whether you want a <STRONG data-index-in-node="130" data-path-to-node="0">push</STRONG> method (scheduling automated email reports) or a <STRONG data-index-in-node="184" data-path-to-node="0">pull</STRONG> method (granting direct, read-only access to an external auditor).</P> <P data-path-to-node="0">&nbsp;</P> <P data-path-to-node="0">Because "Security Policies" are part of the firewall's XML configuration file rather than dynamic traffic data, standard PDF custom reports won't show the exact rule geometry. However, for auditing Palo Alto policies you can configure notifications for configuration changes under <STRONG>Device &gt; Log Settings &gt; Configurations.</STRONG></P> <P data-path-to-node="3">&nbsp;</P> <P data-path-to-node="3">As for granting Read-Only Access to an Auditor,&nbsp;&nbsp;you can create a customized <STRONG data-index-in-node="180" data-path-to-node="4">Admin Role Profile:</STRONG></P> <OL start="1" data-path-to-node="6"> <LI> <P data-path-to-node="6,0,0">Navigate to <STRONG data-index-in-node="12" data-path-to-node="6,0,0">Device &gt; Admin Role</STRONG>&nbsp;and click <STRONG data-index-in-node="51" data-path-to-node="6,0,0">Add</STRONG>.</P> </LI> <LI> <P data-path-to-node="6,1,0">Name the profile something clear (e.g., <CODE data-index-in-node="40" data-path-to-node="6,1,0">Auditor-Read-Only</CODE>).</P> </LI> <LI> <P data-path-to-node="6,2,0">Under the <STRONG data-index-in-node="10" data-path-to-node="6,2,0">Web UI</STRONG> tab, set the rules for the tabs you want them to see.</P> </LI> </OL> <P data-path-to-node="7">Then you can create the actual auditor account.&nbsp; Go to <STRONG data-index-in-node="6" data-path-to-node="8,0,0">Device &gt; Administrators</STRONG> and click create a role based admin using the profile you just created earlier.&nbsp;</P> <P>&nbsp;</P> <P>Hope this helps,</P> Mon, 15 Jun 2026 14:36:20 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policies/m-p/1256371#M126596 kiwi 2026-06-15T14:36:20Z