How to Create Management Users, Assign Roles, and Change Password from the PAN-OS CLI

Overview

This document describes the CLI commands to add/create management users, assign them roles, and set their passwords.

Steps

Creating/Adding Users

  1. Log in to the CLI.
  2. Go into configure mode:
    > configure
  3. Create/Add a management user and assign a password:
    # set mgt-config users <name> password
    The CLI prompts for the password and a confirmation; the password is not typed on the command line.
    Note: If the <name> does not exist, then the user will be created.
  4. Set the role for the specified user:
    # set mgt-config users <name> permissions role-based <role profile>
    where <role profile> is one of:
      custom
      deviceadmin
      devicereader
      superreader
      superuser
  5. Commit the change:
    # commit
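Once users and roles are committed, the check a practitioner usually wants is an inventory of which management accounts exist and which role profile each one holds, in particular how many hold superuser and whether any account was created in step 3 but never given a role in step 4. The script below is an added example, not part of the original article or a Palo Alto Networks tool. It parses the mgt-config/users subtree of an exported configuration; the element layout (entry, phash, permissions/role-based, custom/profile) is an assumption modelled on PAN-OS running-config XML exports, and the sample config, user names and hash values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample config. The element layout (mgt-config/users/entry with
# <permissions><role-based>...) is an assumption modelled on PAN-OS running-config
# exports; the phash values are placeholders, not real password hashes.
SAMPLE_CONFIG = """<config>
  <mgt-config>
    <users>
      <entry name="admin">
        <phash>PLACEHOLDER_HASH</phash>
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="auditor">
        <phash>PLACEHOLDER_HASH</phash>
        <permissions><role-based><superreader>yes</superreader></role-based></permissions>
      </entry>
      <entry name="netops">
        <phash>PLACEHOLDER_HASH</phash>
        <permissions><role-based><custom><profile>fw-operator</profile></custom></role-based></permissions>
      </entry>
      <entry name="legacy-svc">
        <phash>PLACEHOLDER_HASH</phash>
      </entry>
    </users>
  </mgt-config>
</config>
"""

# The built-in role profiles named in the article (custom is handled separately).
BUILTIN_ROLES = ("superuser", "superreader", "deviceadmin", "devicereader")


def list_admin_roles(config_xml):
    """Return {username: role} for every management user in the config.

    role is one of the built-in names, "custom:<profile>" for a custom Admin
    Role profile, or None when no role-based permission is set.
    """
    root = ET.fromstring(config_xml)
    roles = {}
    for entry in root.findall("./mgt-config/users/entry"):
        name = entry.get("name")
        role = None
        role_based = entry.find("./permissions/role-based")
        if role_based is not None:
            for child in role_based:  # direct children only
                if child.tag == "custom":
                    profile = child.find("profile")
                    profile_name = (profile.text or "").strip() if profile is not None else ""
                    role = "custom:" + (profile_name or "?")
                elif child.tag in BUILTIN_ROLES and (child.text or "").strip().lower() == "yes":
                    role = child.tag
        roles[name] = role
    return roles


def find_superusers(config_xml):
    """Accounts holding superuser: the ones to keep to a minimum and review regularly."""
    return sorted(u for u, r in list_admin_roles(config_xml).items() if r == "superuser")


def find_users_without_role(config_xml):
    """Accounts with no role assignment: usually a half-finished step 4 or a leftover account."""
    return sorted(u for u, r in list_admin_roles(config_xml).items() if r is None)


if __name__ == "__main__":
    for user, role in list_admin_roles(SAMPLE_CONFIG).items():
        print(f"{user:12s} {role}")
    print("superusers:", find_superusers(SAMPLE_CONFIG))
    print("no role   :", find_users_without_role(SAMPLE_CONFIG))
```

Run it against a real export by reading the file into the config_xml argument instead of SAMPLE_CONFIG; the role list is a plain dictionary so it can be diffed between two exports to spot role changes between commits.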


Change the password for a user

  1. Go into configure mode:
    > configure
  2. Set the new password, which replaces the existing one (the CLI prompts for it):
    # set mgt-config users admin password
  3. Commit the change:
    # commit


WebGUI

For information on performing these steps in the WebGUI, see the Administrator's Guide for your PAN-OS version. Each guide describes how to create granular Admin Role profiles; the relevant guides are listed below for convenience:

PAN-OS 7.0 Administrator's Guide
PAN-OS 7.1 Administrator's Guide
PAN-OS 8.0 Administrator's Guide

owner: sraghunandan

Comments

How do you remove a user via CLI?

delete mgt-config users dtrump

Is there a way to change this in the GUI? I'm looking everywhere and can't find it (v7.0.11)

@JohPalmer

All of the information describing how to create granular Admin Role profiles is included inside of the Admin (Administrator's) guides for each version. I have listed them below for your convenience: (Search on Role or Admin Role to find it inside the guides.)

PAN-OS 6.0 Administrator's Guide
PAN-OS 6.1 Administrator's Guide
PAN-OS 7.0 Administrator's Guide
PAN-OS 7.1 Administrator's Guide
PAN-OS 8.0 Administrator's Guide

Hello jdelio - Thank you for the response. I realize I didn't ask the question in the right way, so if I can, I'd like to clarify. Right now, we have a specific account set up on our firewall that is the account being used for retrieving and installing dynamic updates, and it looks to be an AD based account. We want to change this account to a different service account specific for this task. Is there a specific walkthrough that would show me where to add a new account, and remove the existing one? I know this seems like a really basic question, but I can see the CLI commands specifying the account for the mgt setup, and that information just doesn't seem to be viewable in the CLI, unless I'm just completely missing it :)

A little more information on what's happening may help: I found that this account on the firewall is making a LOT of outbound session calls. When I started investigating, I found that it was making outbound sessions to Comcast, Verizon, and even IPs in the UK (we're a US based business with no ties to anything in the UK). I put a rule in to block this traffic outbound; we haven't noticed any issues that this has caused, with the exception of dynamic updates. I put another rule (higher than the block rule for that account) allowing traffic to get to updates.paloaltonetworks.com, however every session on that rule ends with a tcp-rst-from-client event in the log. I do have a TAC case open with PAN for this as well, trying to figure out the specifics I'm missing.

After upgrading this past weekend from v7.0.11 to 8.0.5, the software updates and software install images are now working correctly again; the only change made was that we disabled a rule that was blocking the main management account. We had a rule in place to block this traffic as we were not sure of its purpose. That issue is now resolved. However, as discussed with the case owner last week, we do want to know how to replace the current management account with a new AD service account that was created for this purpose, and also want to know if there is any impact to users/traffic that would necessitate this being done outside of business hours.

I had been told I'd be sent info on this, however I haven't seen that information provided yet. I had requested this be sent as instructions on how to change this in the GUI (although CLI instructions would work as well).

Please let me know when this information can be provided (or a new case opened and provided on there, as this is a separate issue).


Thank you!