Configure internal and external services for account administration.

Palo Alto Networks Study Guide v10

Administrative Role Types

Role Based: These roles are created by the administrator by selecting what permissions each role has. These must be updated anytime new features are added to the firewall.

Dynamic: These roles are pre-defined and are dynamically updated as the software is upgraded.

• Superuser: Full access, including creation of new administrators and virtual systems. You must be a superuser to create a new superuser.
• Superuser (read-only): Read-only access to the firewall
• Virtual system administrator: Full access to a single virtual system (vsys)
• Virtual system administrator (ready-only): Read-only access to a selected vsys.
• Device administrator: Full access except for defining new accounts or vsys
• Device administrator (read-only): Read-only access to all settings except password profiles and administrator accounts

External accounts: accounts that don’t rely on the local database can be authenticated by the following:

• None
• RADIUS
• LDAP
• TACACS+
• SAML
• Kerberos

Authentication Sequence: Admin roles for external accounts can be assigned an authentication sequence. A sequence contains one or more authentication profiles. A user is denied ONLY if all profiles in a sequence fail.

Password Complexity: For security, administrator passwords should have password complexity rules enabled under Setup>Management

Configuration Logs: These logs contain a listing of configuration changes and which account made them.