<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Is it possible to create custom role in PAN-OS that allows management of administrator accounts? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-custom-role-in-pan-os-that-allows/m-p/170622#M54066</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/30584"&gt;@scottsander&lt;/a&gt;&lt;/P&gt;&lt;P&gt;If you use RADIUS/TACACS+ for authentication, then you could do the user/rights management on your RADIUS server or, even better, if the RADIUS is connected to an Active Directory, you could create a user group, and if a user from this group tries to log in, the RADIUS will tell the firewall what Admin Role should be applied. This method could be used for all the mentioned points in your post except the local administrators, because of the reason already explained by &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;. But also with this method you have to keep in mind: the admin of the RADIUS server will also be able to configure superuser rights, if he wants to ...&lt;/P&gt;</description>
    <pubDate>Tue, 08 Aug 2017 21:12:33 GMT</pubDate>
    <dc:creator>Remo</dc:creator>
    <dc:date>2017-08-08T21:12:33Z</dc:date>
    <item>
      <title>Is it possible to create custom role in PAN-OS that allows management of administrator accounts?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-custom-role-in-pan-os-that-allows/m-p/170499#M54051</link>
      <description>&lt;P&gt;I would like to create a custom Admin Role in PAN-OS 7.1.9 that is like a system admin for the device with the ability to configure and manage authentication, logging, licensing, certificates, dynamic updates, software, and administrators; however, when I am creating a new Admin Role, the Administrators and Admin Roles items can only be set to Read Only or Disabled.&amp;nbsp; The account I am logged in with has the Superuser dynamic role.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is it possible to create a custom role that can manage Administrators and Admin Roles?&lt;/P&gt;</description>
      <pubDate>Tue, 08 Aug 2017 12:32:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-custom-role-in-pan-os-that-allows/m-p/170499#M54051</guid>
      <dc:creator>scottsander</dc:creator>
      <dc:date>2017-08-08T12:32:13Z</dc:date>
    </item>
    <item>
      <title>Re: Is it possible to create custom role in PAN-OS that allows management of administrator accounts?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-custom-role-in-pan-os-that-allows/m-p/170530#M54056</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/30584"&gt;@scottsander&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;The superuser role is the only admin role that is allowed to administer other Administrators or Admin Roles themselves.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you grant someone the ability to modify Administrators and modify the Admin Roles you in essence give them the ability to enable their account as a superuser, therefore the function is locked to users already granted the administrator role.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 08 Aug 2017 14:48:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-custom-role-in-pan-os-that-allows/m-p/170530#M54056</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-08-08T14:48:26Z</dc:date>
    </item>
    <item>
      <title>Re: Is it possible to create custom role in PAN-OS that allows management of administrator accounts?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-custom-role-in-pan-os-that-allows/m-p/170622#M54066</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/30584"&gt;@scottsander&lt;/a&gt;&lt;/P&gt;&lt;P&gt;If you use RADIUS/TACACS+ for authentication, then you could do the user/rights management on your RADIUS server or, even better, if the RADIUS is connected to an Active Directory, you could create a user group, and if a user from this group tries to log in, the RADIUS will tell the firewall what Admin Role should be applied. This method could be used for all the mentioned points in your post except the local administrators, because of the reason already explained by &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;. But also with this method you have to keep in mind: the admin of the RADIUS server will also be able to configure superuser rights, if he wants to ...&lt;/P&gt;</description>
      <pubDate>Tue, 08 Aug 2017 21:12:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-custom-role-in-pan-os-that-allows/m-p/170622#M54066</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2017-08-08T21:12:33Z</dc:date>
    </item>
    <item>
      <title>Re: Is it possible to create custom role in PAN-OS that allows management of administrator accounts?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-custom-role-in-pan-os-that-allows/m-p/170751#M54101</link>
      <description>&lt;P&gt;Interesting idea. I don't know much about TACACS+, but I don't like PAN's implementation of RADIUS since it only uses unencrypted PAP unless you are in FIPS mode and even then it only uses CHAP. I use Kerberos today.&lt;/P&gt;</description>
      <pubDate>Wed, 09 Aug 2017 12:43:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-custom-role-in-pan-os-that-allows/m-p/170751#M54101</guid>
      <dc:creator>scottsander</dc:creator>
      <dc:date>2017-08-09T12:43:07Z</dc:date>
    </item>
    <item>
      <title>Re: Is it possible to create custom role in PAN-OS that allows management of administrator accounts?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-custom-role-in-pan-os-that-allows/m-p/170756#M54104</link>
      <description>&lt;P&gt;Just a thought, but you probably have a bigger problem if an attacker is able to capture your RADIUS traffic than PAP really is (the firewall management and RADIUS server are in protected networks).&lt;/P&gt;&lt;P&gt;But I know what you're saying.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;And I totally forgot to mention: SAML&lt;/P&gt;&lt;P&gt;It only works with the WebUI and not for SSH, but it is also a great method for authentication, and passwords aren't sent at all to the firewall, only to your SAML IdP.&lt;/P&gt;</description>
      <pubDate>Wed, 09 Aug 2017 12:59:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-custom-role-in-pan-os-that-allows/m-p/170756#M54104</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2017-08-09T12:59:24Z</dc:date>
    </item>
  </channel>
</rss>

