Read-Only Superuser by Security Zone

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Read-Only Superuser by Security Zone

L1 Bithead

Hello, I hope everyone is staying healthy.


I work at a company that provides ISP services to public schools, each school district is divided in to separate security zones on our Palo and I am trying to see if a read-only user can be created that is able to only look at security and NAT rules for their assigned zone.  I've been fiddling around in the OS and searching online but haven't been able to find any information to answer this.  I know they can be setup to view all rules but I was hoping to narrow that down if possible.  We are running on the latest OS 10.0.3.  Thank you for any information you're able to provide.


Hi @rmaynardmeta ,


The only way to achive your goal, that I can think of is to use virtual systems (vsys). Unfortunately this come with some drawbacks:

 - Massive change for the firewall to split the existing configuration.

 - Each device come with "base license" for multity vsys, but if you need more vsys you need to purchase additional license

 - Each model has different max number of vsys - This could be your deal breakers. Looking at your post I can imagine, that you have one single firewall with huge amount of sub-interfaces/zones for  each school. If you want to create separate vsys for each district I am not sure that your device will be capable to handle so many. But it really depends on what model you are using. You can use "comparation tool" - Next-Generation Firewalls - Product Selection - Palo Alto Networks (just compare your model with something random, this wil give you really nice formated table of the max capacity for your device) {I like to read it that way instead of searching datasheets}.



By the way while I was typing this I was thinking for another solution, but sure how doable is for you, because it will require lots of programming - use the API to read the policy. Since you only need to have read-only access, I can imagine you can do the following:

- Assign each school district unique tag

- Configure all objects and rules for specific district with that tag

- Using the API read the whole firewall config (at least what is relevant - rules, objects, zones, etc)

- With a bit of programming magic create web page that will visualise the data from the firewall API

- Using the tags you can create "filter" so each user will see only data that is associated with his district.


  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!