Palo Alto user account

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Palo Alto user account

L1 Bithead

Hi

 

Our customer has a PA-440 firewall deployed with HA and we have a request about the creation of a user account that has a full access to the device over Web UI but it can't change delete or change password of admin account 

 

is it possible ? and how we can do that ?

7 REPLIES 7

Cyber Elite
Cyber Elite

Hi @Abdelhak ,

 

You can create a new administrator account.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-ad...

 

While you are logged in as admin, you cannot modify the admin account.  You will have to create a new administrator account, log in with it, and then you will be able to change or delete the default admin account.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi Tom,

 

Our need is to created a new admin account other then the default, but when we sign in using it we should not be able to delete or modify the password of the default admin account

 

is it possible ?

Cyber Elite
Cyber Elite

@Abdelhak,

Yes, but what exactly are you trying to give them permission to do? Do you want to have them have the ability to make changes to the configuration outside of modifying other administrators or do they just need to read the configuration?

 

If it's just reading the configuration then grant a read-only role that meets what you want them to do, otherwise you'll need to build a custom role and ensure that administrators and admin roles are read-only and set the XML, CLI, and REST access appropriately. If they only need GUI access just disable access to everything else.

Hi

Our customer need to create another admin account that has the same rights as the default one to give it to other administrators for managing the device but they can't modify or change the password of the default admin account actually used by the main administrator of the site.

 

is it possible? and how we can do that ?

Cyber Elite
Cyber Elite

@Abdelhak,

So with those requirements a custom role assigned to the user is the only way. Build out a custom role and assign it to the created administrator account. The role will need to have 'Administrators' and 'Admin Roles' set to read only, this is the default status on a custom role that has Device access enabled so you'll just need to review everything else.

 

Keep in mind that this doesn't prevent them from loading a modified configuration file directly and committing it, it just prevents them from modifying things in normal means. You'll have more control over the GUI as you will with the XML, CLI, or REST settings. I would personally highly recommend disabling access to those three for this user, ensuring that 'Adminstrators' and 'Admin Roles' are set to read-only, and setting the 'Operations' tab to read-only so that the user couldn't upload and load a modified configuration file directly.

Thank you @Abdelhak !

 

I misunderstood.

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

Hi @Abdelhak ,

 

Maybe the built-in Device Administrator role fits the bill?  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-ad...

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 1219 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!