Is it possible to create custom role in PAN-OS that allows management of administrator accounts?

scottsander
L3 Networker

I would like to create a custom Admin Role in PAN-OS 7.1.9 that is like a system admin for the device, with the ability to configure and manage authentication, logging, licensing, certificates, dynamic updates, software, and administrators; however, when I am creating a new Admin Role, the Administrators and Admin Roles items can only be set to Read Only or Disabled. The account I am logged in with has the Superuser dynamic role.

Is it possible to create a custom role that can manage Administrators and Admin Roles?

Accepted Solutions
BPry
Cyber Elite

@scottsander,

The superuser role is the only admin role that is allowed to administer other Administrators or Admin Roles themselves.

If you grant someone the ability to modify Administrators and modify the Admin Roles, you in essence give them the ability to enable their account as a superuser; therefore the function is locked to users already granted the superuser role.
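The reasoning above can be made concrete with a small model. The following is an added example, not code from the thread or from Palo Alto Networks: it treats a role's "effective authority" as what the holder can ultimately reach, not just what is granted directly, and flags custom roles whose Administrators or Admin Roles permission collapses into superuser. Role names, the permission vocabulary and the audit function are assumptions made for illustration.

```python
# Added example: model of why "enable" on Administrators / Admin Roles equals superuser.
# Names and permission strings below are assumptions for illustration, not PAN-OS internals.
from dataclasses import dataclass, field

ENABLE, READ_ONLY, DISABLED = "enable", "read-only", "disabled"

# The two Device-tab items that PAN-OS pins to Read Only / Disabled for custom roles.
ADMIN_MGMT_ITEMS = ("Administrators", "Admin Roles")


@dataclass
class AdminRole:
    name: str
    perms: dict = field(default_factory=dict)  # item -> ENABLE / READ_ONLY / DISABLED
    superuser: bool = False                     # the dynamic Superuser role

    def can(self, item: str) -> bool:
        """True if the role may modify the given configuration item."""
        return self.superuser or self.perms.get(item, DISABLED) == ENABLE


def effective_authority(role: AdminRole) -> str:
    """Classify what the role holder can ultimately do.

    Editing Admin Roles lets the holder rewrite their own role to enable everything;
    editing Administrators lets them assign themselves the Superuser dynamic role.
    Either permission therefore escalates to full control of the device.
    """
    if role.superuser:
        return "superuser"
    if any(role.can(item) for item in ADMIN_MGMT_ITEMS):
        return "superuser-equivalent"
    return "bounded"


def audit(roles) -> list:
    """Names of non-superuser roles whose reach exceeds their nominal scope."""
    return sorted(r.name for r in roles
                  if not r.superuser and effective_authority(r) != "bounded")


if __name__ == "__main__":
    # Constructed sample roles: the role the poster wanted, and the closest PAN-OS allows.
    roles = [
        AdminRole("superuser", superuser=True),
        AdminRole("sysadmin-wanted", {"Authentication": ENABLE, "Licenses": ENABLE,
                                      "Administrators": ENABLE, "Admin Roles": ENABLE}),
        AdminRole("sysadmin-allowed", {"Authentication": ENABLE, "Licenses": ENABLE,
                                       "Administrators": READ_ONLY, "Admin Roles": READ_ONLY}),
    ]
    for r in roles:
        print(f"{r.name:18} -> {effective_authority(r)}")
    print("escalatable custom roles:", audit(roles))
```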

All Replies
vsys_remo
Cyber Elite

@scottsander

If you use RADIUS/TACACS+ for authentication, then you could do the user/rights management on your RADIUS server, or even better, if the RADIUS server is connected to an Active Directory, you could create a user group, and if a user from this group tries to log in, the RADIUS server will tell the firewall what Admin Role should be applied. This method could be used for all the mentioned points in your post except the local administrators, because of the reason already explained by @BPry. But also with this method you have to keep in mind: the admin of the RADIUS server will also be able to configure superuser rights, if he wants to ...

scottsander
L3 Networker

Interesting idea. I don't know much about TACACS+, but I don't like PAN's implementation of RADIUS since it only uses unencrypted PAP unless you are in FIPS mode and even then it only uses CHAP. I use Kerberos today.

vsys_remo
Cyber Elite

Just a thought, but you probably have a bigger problem if an attacker is able to capture your RADIUS traffic than PAP really is (the firewall management and RADIUS server are in protected networks).

But I know what you're saying.

And I totally forgot to mention: SAML

It only works with the WebUI and not for SSH, but it is also a great method for authentication, and passwords aren't sent to the firewall at all, only to your SAML IdP.
