Photo by icon0.com from Pexels

Configure internal and external services for account administration.

Palo Alto Networks Study Guide v10

Administrative Role Types

Role Based: These roles are created by the administrator by selecting what permissions each role has. These must be updated anytime new features are added to the firewall.

Dynamic: These roles are pre-defined and are dynamically updated as the software is upgraded.

  • Superuser: Full access, including creation of new administrators and virtual systems. You must be a superuser to create a new superuser.
  • Superuser (read-only): Read-only access to the firewall
  • Virtual system administrator: Full access to a single virtual system (vsys)
  • Virtual system administrator (ready-only): Read-only access to a selected vsys.
  • Device administrator: Full access except for defining new accounts or vsys
  • Device administrator (read-only): Read-only access to all settings except password profiles and administrator accounts

External accounts: accounts that don’t rely on the local database can be authenticated by the following:

  • None
  • LDAP
  • SAML
  • Kerberos

Authentication Sequence: Admin roles for external accounts can be assigned an authentication sequence. A sequence contains one or more authentication profiles. A user is denied ONLY if all profiles in a sequence fail.

Password Complexity: For security, administrator passwords should have password complexity rules enabled under Setup>Management

Configuration Logs: These logs contain a listing of configuration changes and which account made them.