Firewall Administrator Accounts

Firewall Authentication and Authorisation

Administrator Accounts And Roles

Authenticate local or remote

Admin account assigned a role with privileges  

Administrator actions are logged in the config and system logs (Monitor > Logs).

Only the predefined admin account has access to the firewall. Add administrator accounts for delegation and auditing purposes.

PAN-OS for local or ... supported authentication, authorisation and accounting services such as Active Directory, LDAP, RADIUS, SAML.

XML config or database

To create a local administrator account:

  1. Create an Admin Role Profile.
  2. Create a local administrator account.


To create a non-local administrator account:

  1. Create an Admin Role Profile.
  2. Create a Server Profile.
  3. Create an Authentication Profile.
  4. Create an authentication sequence (optional).
  5. Create a non-local administrator account.


Supports 3 authentication services: local, external and multi-factor (MFA).

Local with DB (monitors user traffic flowing through the firewall) and local without DB (XML file), which cannot authenticate user traffic. 5 external services: Kerberos, LDAP, RADIUS, TACACS+ and SAML.

Supports 4 MFA for sensitive services and applications (using, for example, a verification code).

An Authentication Profile is used for all except local without DB.
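An added example (not from the original notes or from Palo Alto Networks): a Python audit of an exported configuration that reports, for each administrator, whether the account logs in with a local password, an Authentication Profile or a client certificate only, and which role it holds. The XML element names and the sample accounts are assumptions, constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The element names (mgt-config/users, phash, ...) are an
# assumed export layout for illustration, not taken from the page.
SAMPLE_CONFIG = """<config><mgt-config><users>
  <entry name="admin">
    <phash>constructed-hash</phash>
    <permissions><role-based><superuser>yes</superuser></role-based></permissions>
  </entry>
  <entry name="jdoe">
    <authentication-profile>ldap-admins</authentication-profile>
    <permissions><role-based><custom><profile>policy-editor</profile></custom></role-based></permissions>
  </entry>
  <entry name="automation">
    <client-certificate-only>yes</client-certificate-only>
    <permissions><role-based><devicereader>yes</devicereader></role-based></permissions>
  </entry>
</users></mgt-config></config>"""

def audit_admins(config_xml):
    """Return {name: (auth_method, role)} for every administrator entry."""
    report = {}
    for entry in ET.fromstring(config_xml).findall("./mgt-config/users/entry"):
        profile = entry.findtext("authentication-profile")
        if entry.findtext("client-certificate-only") == "yes":
            auth = "client-certificate"          # non-interactive, web only
        elif profile:
            auth = "profile:" + profile          # non-local or local-database user
        elif entry.find("phash") is not None:
            auth = "local-password"              # local account, no database
        else:
            auth = "unknown"
        role_node = entry.find("./permissions/role-based/*")
        if role_node is None:
            role = "none"
        elif role_node.tag == "custom":
            role = "custom:" + (role_node.findtext("profile") or "?")
        else:
            role = role_node.tag                 # dynamic role, e.g. superuser
        report[entry.get("name")] = (auth, role)
    return report

def full_access_admins(report):
    """Accounts holding superuser, which can create admins and virtual systems."""
    return sorted(n for n, (_, role) in report.items() if role == "superuser")

if __name__ == "__main__":
    for name, (auth, role) in audit_admins(SAMPLE_CONFIG).items():
        print(f"{name:12} {auth:22} {role}")
```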

When Are Users Authenticated?

Users Connecting to Firewall Services ... to the firewall .. verifies user credentials before granting access to services running

Users Connecting to Network Resources ... through the firewall.. authentication policy to prompt users for their credentials before the firewall grants access to network services.

Configure Authentication “to” the Firewall

Authentication Profile defines the authentication service that validates the login credentials. To individually configure each user with an authentication service, assign an Authentication Profile to a user account when you add the user account to the firewall.

Configure Authentication “Through” the Firewall

Assign an Authentication Profile to an Authentication policy via an authentication enforcement object.

User Authorization “to” and “Through” the Firewall

Use Admin Role Profiles

There are 2 types of Admin Role Profiles. Dynamic Admin Role Profiles are built in and have a predefined .. permissions control web interface, CLI command, XML API and REST API... Role Based Admin Role Profiles are custom roles you can configure for more granular access control over the functional areas of the web interface, CLI command, XML API and REST API.

Dynamic Admin Roles

6 Dynamic Admin Roles.. predefined privileges that cannot be manually modified in their permissions

Create Custom Role-Based Admin Roles

..custom privileges that you assign to administrative user accounts on the firewall. Role-based privileges on the Command Line tab are predefined. No customization is possible. The options are None, superuser, superreader, deviceadmin, devicereader.

Create a local firewall administrator account

Create a Local (Non-Database) Administrator Account

Device > Administrators > Add

The web interface assumes a local account and prompts for a password when you do not select an Authentication Profile.

Device > Setup > Management > Minimum Password Complexity ... for password aging.

Create a User in the User Database

Device > Local User Database > Users > Add

Create a Local Database Authentication Profile

Device > Authentication Profile > Add

Go to the Authentication tab ... Select Local Database

Authentication Profile: Advanced Tab

Device > Authentication Profile

From the Advanced tab ... select all rather than specifying a long list of specific users and groups. Other options are ... the Failed Attempts option in the Account Lockout section.

The Factors tab is used for MFA.

Create an Administrator Account from a Local Database User

Device > Administrators > Add

Create a non-local firewall administrator account

Device > Administrators > Add

Firewall Authentication of Non-Local Passwords

Server Profile:
Authentication Profile:
..Communicate with authentication server
Authentication Sequence:

Configure Server Profiles

Device > Server Profiles

Configure Authentication Profiles

Device > Authentication Profiles

Configure an Authentication Sequence

Device > Authentication Sequence > Add

Create a firewall administrator account for non interactive login

Create an Administrator Account for Non Interactive Login

Administrator Authentication Methods

  • Password Authentication (Interactive)
  • Certificate Based Authentication (Non Interactive)... based authentication is available only when the firewall web interface is accessed, NOT CLI

Import the certificate into the browser on your administrative workstation. Note that configuring certificate-based authentication for any administrator automatically disables the username and password logins for all administrators on the firewall. The administrators will require a certificate to authenticate.

User Certificate

Configure a Certificate Profile

Device > Certificate Management > Certificate Profile > Add

Configure Firewall Authentication Settings

Device > Setup > Management > Authentication Settings

Enables the firewall to verify client certificates using the Certificate Profile

Create an Administrator Account for Non-Interactive Login

Device > Administrators > Add

Select the Use only client certificate authentication (Web) check box to configure the firewall to use certificate based authentication for this user. Use of certificate

Firewall Administrator Accounts Question And Answers

1. Global user authentication is not supported by which authentication service?

LDAP is not supported by authentication service.

2. It is true that on the Next Generation firewall, a commit lock blocks other administrators from committing changes until all of the locks have been released.

3. It is true that Server Profiles define connections that the firewall can make to external servers.

4. It is true that Certificate-based authentication replaces all other forms of either local or external authentication.

5. When creating a custom admin role, which type of privileges can not be defined?

Command Line

Panorama cannot be defined when creating a custom admin role.

6. When creating PAN-OS firewall administrator accounts, which configuration step is required for Non-Local Administrators, but not for Local Administrators?

Authentication Profile

Directory Services Replication

Authentication Sequence

API Interface

An Authentication Profile is required for non-local admins.

7. When resetting the PAN-OS firewall to factory defaults, you can save all configuration settings and logs by performing the following:

No. Executing the CLI command when in maintenance mode: rebuild/FactoryReset

No. Selecting 'yes' when prompted

No. Pressing Shift-C when prompted

None of the above

8. Which built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems?

Custom role

deviceadmin does not allow creation of other admin accounts and virtual systems.

9. Which built-in role on the Next Generation firewall is the same as superuser except for creation of administrative accounts?

deviceadmin is the same as superuser except for creation of admin accounts.

10. Which of the following is NOT a PAN-OS Firewall Administrator Dynamic Role?

Device administrator (read-only) Yes

Local only administrator This is not

Virtual system administrator Yes

Superuser Yes

Local only administrator is not a PAN-OS Dynamic role

11. Which role-based privilege allows full access to the Palo Alto Networks firewall, including defining new administrator accounts and virtual systems?

The superuser role-based privilege allows full access to the Palo Alto Networks firewall, including defining new administrator accounts and virtual systems.