Setup

Controls access to the Setup node. If you disable this privilege, the administrator will not see the Setup node or have access to firewall-wide setup configuration information, such as Management, Operations, Service, Content-ID, WildFire or Session setup information.

If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.

Yes

Yes

Management

Controls access to the Management node. If you disable this privilege, the administrator will not be able to configure settings such as the hostname, domain, timezone, authentication, logging and reporting, Panorama connections, banner, message, and password complexity settings, and more.

If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.

Yes

Yes

Operations

Controls access to the Operations and Telemetry and Threat Intelligence nodes. If you disable this privilege, the administrator cannot:

Only administrators with the predefined Superuser role can export or import firewall configurations and shut down the firewall.

Only administrators with the predefined Superuser or Device Administrator role can reboot the firewall or restart the dataplane.

Administrators with a role that allows access only to specific virtual systems cannot load, save, or revert firewall configurations through the DeviceOperations options.

Yes

Yes

Services

Controls access to the Services node. If you disable this privilege, the administrator will not be able to configure services for DNS servers, an update server, proxy server, or NTP servers, or set up service routes.

If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.

Yes

Yes

Content-ID

Controls access to the Content-ID node. If you disable this privilege, the administrator will not be able to configure URL filtering or Content-ID.

If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.

Yes

Yes

WildFire

Controls access to the WildFire node. If you disable this privilege, the administrator will not be able to configure WildFire settings.

If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.

Yes

Yes

Session

Controls access to the Session node. If you disable this privilege, the administrator will not be able to configure session settings or timeouts for TCP, UDP or ICMP, or configure decryption or VPN session settings.

If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.

Yes

Yes

HSM

Controls access to the HSM node. If you disable this privilege, the administrator will not be able to configure a Hardware Security Module.

If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.

Yes

Yes

High Availability

Controls access to the High Availability node. If you disable this privilege, the administrator will not see the High Availability node or have access to firewall-wide high availability configuration information such as General setup information or Link and Path Monitoring.

If you set this privilege to read-only, the administrator can view High Availability configuration information for the firewall but is not allowed to perform any configuration procedures.

Yes

Yes

Config Audit

Controls access to the Config Audit node. If you disable this privilege, the administrator will not see the Config Audit node or have access to any firewall-wide configuration information.

Yes

No

Administrators

Controls access to the Administrators node. This function can only be allowed for read-only access.

If you disable this privilege, the administrator will not see the Administrators node or have access to information about their own administrator account.

If you set this privilege to read-only, the administrator can view the configuration information for their own administrator account. They will not see any information about other administrator accounts configured on the firewall.

No

Yes

Admin Roles

Controls access to the Admin Roles node. This function can only be allowed for read-only access.

If you disable this privilege, the administrator will not see the Admin Roles node or have access to any firewall-wide information concerning Admin Role profiles configuration.

If you set this privilege to read-only, you can view the configuration information for all administrator roles configured on the firewall.

No

Yes

Authentication Profile

Controls access to the Authentication Profile node. If you disable this privilege, the administrator will not see the Authentication Profile node or be able to create or edit authentication profiles that specify RADIUS, TACACS+, LDAP, Kerberos, SAML, multi-factor authentication (MFA), or local database authentication settings. PAN-OS uses authentication profiles to authenticate firewall administrators and Authentication Portal or GlobalProtect end users.

If you set this privilege to read-only, the administrator can view the Authentication Profile information but cannot create or edit authentication profiles.

Yes

Yes

Authentication Sequence

Controls access to the Authentication Sequence node. If you disable this privilege, the administrator will not see the Authentication Sequence node or be able to create or edit an authentication sequence.

If you set this privilege to read-only, the administrator can view the Authentication Profile information but cannot create or edit an authentication sequence.

Yes

Yes

Virtual Systems

Controls access to the Virtual Systems node. If you disable this privilege, the administrator will not see or be able to configure virtual systems.

If the privilege state is set to read-only, you can view the currently configured virtual systems but cannot add or edit a configuration.

Yes

Yes

Shared Gateways

Controls access to the Shared Gateways node. Shared gateways allow virtual systems to share a common interface for external communications.

If you disable this privilege, the administrator will not see or be able to configure shared gateways.

If the privilege state is set to read-only, you can view the currently configured shared gateways but cannot add or edit a configuration.

Yes

Yes

User Identification

Controls access to the User Identification node. If you disable this privilege, the administrator will not see the User Identification node or have access to firewall-wide User Identification configuration information, such as User Mapping, Connection Security, User-ID Agents, Terminal Server Agents, Group Mappings Settings, or Authentication Portal Settings.

If you set this privilege to read-only, the administrator can view configuration information for the firewall but is not allowed to perform any configuration procedures.

Yes

Yes

VM Information Source

Controls access to the VM Information Source node that allows you to configure the firewall/Windows User-ID agent to collect VM inventory automatically. If you disable this privilege, the administrator will not see the VM Information Source node.

If you set this privilege to read-only, the administrator can view the VM information sources configured but cannot add, edit, or delete any sources.

Yes

Yes

Certificate Management

Sets the default state to enable or disable for all of the Certificate settings described below.

Yes

No

Certificates

Controls access to the Certificates node. If you disable this privilege, the administrator will not see the Certificates node or be able to configure or access information regarding Device Certificates or Default Trusted Certificate Authorities.

If you set this privilege to read-only, the administrator can view Certificate configuration information for the firewall but is not allowed to perform any configuration procedures.

Yes

Yes

Certificate Profile

Controls access to the Certificate Profile node. If you disable this privilege, the administrator will not see the Certificate Profile node or be able to create certificate profiles.

If you set this privilege to read-only, the administrator can view Certificate Profiles that are currently configured for the firewall but is not allowed to create or edit a certificate profile.

Yes

Yes

OCSP Responder

Controls access to the OCSP Responder node. If you disable this privilege, the administrator will not see the OCSP Responder node or be able to define a server that will be used to verify the revocation status of certificates issues by the firewall.

If you set this privilege to read-only, the administrator can view the OCSP Responder configuration for the firewall but is not allowed to create or edit an OCSP responder configuration.

Yes

Yes

SSL/TLS Service Profile

Controls access to the SSL/TLS Service Profile node.

If you disable this privilege, the administrator will not see the node or configure a profile that specifies a certificate and a protocol version or range of versions for firewall services that use SSL/TLS.

If you set this privilege to read-only, the administrator can view existing SSL/TLS Service profiles but cannot create or edit them.

Yes

Yes

SCEP

Controls access to the SCEP node. If you disable this privilege, the administrator will not see the node or be able to define a profile that specifies simple certificate enrollment protocol (SCEP) settings for issuing unique device certificates.

If you set this privilege to read-only, the administrator can view existing SCEP profiles but cannot create or edit them.

Yes

Yes

SSL Decryption Exclusion

Controls access to the SSL Decryption Exclusion node. If you disable this privilege, the administrator will not see the node or be able to add custom exclusions.

If you set this privilege to read-only, the administrator can view existing SSL decryption exceptions but cannot create or edit them.

Yes

Yes

SSH Service Profile

Controls access to the SSH Service Profile node. If you disable this privilege, the administrator will be unable to see the node or configure a profile to specify parameters for SSH connections to your Palo Alto Networks management and high availability (HA) appliances.

If you set this privilege to read-only, the administrator can view existing SSH service profiles but cannot edit or create them.

Yes

Yes

Response Pages

Controls access to the Response Pages node. If you disable this privilege, the administrator will not see the Response Page node or be able to define a custom HTML message that is downloaded and displayed instead of a requested web page or file.

If you set this privilege to read-only, the administrator can view the Response Page configuration for the firewall but is not allowed to create or edit a response page configuration.

Yes

Yes

Log Settings

Sets the default state to enable or disable for all of the Log settings described below.

Yes

No

System

Controls access to the Log SettingsSystem node. If you disable this privilege, the administrator cannot see the Log SettingsSystem node or specify which System logs the firewall forwards to Panorama or external services (such as a syslog server).

If you set this privilege to read-only, the administrator can view the Log SettingsSystem settings for the firewall but cannot add, edit, or delete the settings.

Yes

Yes

Configuration

Controls access to the Log SettingsConfiguration node. If you disable this privilege, the administrator cannot see the Log SettingsConfiguration node or specify which Configuration logs the firewall forwards to Panorama or external services (such as a syslog server).

If you set this privilege to read-only, the administrator can view the Log SettingsConfiguration settings for the firewall but cannot add, edit, or delete the settings.

Yes

Yes

User-ID

Controls access to the Log SettingsUser-ID node. If you disable this privilege, the administrator cannot see the Log SettingsUser-ID node or specify which User-ID logs the firewall forwards to Panorama or external services (such as a syslog server).

If you set this privilege to read-only, the administrator can view the Log SettingsUser-ID settings for the firewall but cannot add, edit, or delete the settings.

Yes

Yes

HIP Match

Controls access to the Log SettingsHIP Match node. If you disable this privilege, the administrator cannot see the Log SettingsHIP Match node or specify which Host Information Profile (HIP) match logs the firewall forwards to Panorama or external services (such as a syslog server). HIP match logs provide information on Security policy rules that apply to GlobalProtect endpoints.

If you set this privilege to read-only, the administrator can view the Log SettingsHIP settings for the firewall but cannot add, edit, or delete the settings.

Yes

Yes

GlobalProtect

Controls access to the Log SettingsGlobalProtect node. If you disable this privilege, the administrator cannot see the Log SettingsGlobalProtect node or specify which GlobalProtect logs the firewall forwards to Panorama or external services (such as a syslog server).

If you set this privilege to read-only, the administrator can view the Log SettingsGlobalProtect settings for the firewall but cannot add, edit, or delete the settings.

Yes

Yes

Correlation

Controls access to the Log SettingsCorrelation node. If you disable this privilege, the administrator cannot see the Log SettingsCorrelation node or add, delete, or modify correlation log forwarding settings or tag source or destination IP addresses.

If you set this privilege to read-only, the administrator can view the Log SettingsCorrelation settings for the firewall but cannot add, edit, or delete the settings.

Yes

Yes

Alarm Settings

Controls access to the Log SettingsAlarm Settings node. If you disable this privilege, the administrator cannot see the Log SettingsAlarm Settings node or configure notifications that the firewall generates when a Security policy rule (or group of rules) is hit repeatedly within a configurable time period.

If you set this privilege to read-only, the administrator can view the Log SettingsAlarm Settings for the firewall but cannot edit the settings.

Yes

Yes

Manage Logs

Controls access to the Log SettingsManage Logs node. If you disable this privilege, the administrator cannot see the Log SettingsManage Logs node or clear the indicated logs.

If you set this privilege to read-only, the administrator can view the Log SettingsManage Logs information but cannot clear any of the logs.

Yes

Yes

Server Profiles

Sets the default state to enable or disable for all of the Server Profiles settings described below.

Yes

No

SNMP Trap

Controls access to the Server ProfilesSNMP Trap node. If you disable this privilege, the administrator will not see the Server ProfilesSNMP Trap node or be able to specify one or more SNMP trap destinations to be used for system log entries.

If you set this privilege to read-only, the administrator can view the Server ProfilesSNMP Trap Logs information but cannot specify SNMP trap destinations.

Yes

Yes

Syslog

Controls access to the Server ProfilesSyslog node. If you disable this privilege, the administrator will not see the Server ProfilesSyslog node or be able to specify one or more syslog servers.

If you set this privilege to read-only, the administrator can view the Server ProfilesSyslog information but cannot specify syslog servers.

Yes

Yes

Email

Controls access to the Server ProfilesEmail node. If you disable this privilege, the administrator will not see the Server ProfilesEmail node or be able to configure an email profile that can be used to enable email notification for system and configuration log entries.

If you set this privilege to read-only, the administrator can view the Server ProfilesEmail information but cannot configure an email server profile.

Yes

Yes

HTTP

Controls access to the Server ProfilesHTTP node. If you disable this privilege, the administrator will not see the Server ProfilesHTTP node or be able to configure an HTTP server profile that can be used to enable log forwarding to HTTP destinations any log entries.

If you set this privilege to read-only, the administrator can view the Server ProfilesHTTP information but cannot configure an HTTP server profile.

Yes

Yes

Netflow

Controls access to the Server ProfilesNetflow node. If you disable this privilege, the administrator will not see the Server ProfilesNetflow node or be able to define a NetFlow server profile, which specifies the frequency of the export along with the NetFlow servers that will receive the exported data.

If you set this privilege to read-only, the administrator can view the Server ProfilesNetflow information but cannot define a Netflow profile.

Yes

Yes

RADIUS

Controls access to the Server ProfilesRADIUS node. If you disable this privilege, the administrator will not see the Server ProfilesRADIUS node or be able to configure settings for the RADIUS servers that are identified in authentication profiles.

If you set this privilege to read-only, the administrator can view the Server ProfilesRADIUS information but cannot configure settings for the RADIUS servers.

Yes

Yes

TACACS+

Controls access to the Server ProfilesTACACS+ node.

If you disable this privilege, the administrator will not see the node or configure settings for the TACACS+ servers that authentication profiles reference.

If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but cannot add or edit them.

Yes

Yes

LDAP

Controls access to the Server ProfilesLDAP node. If you disable this privilege, the administrator will not see the Server ProfilesLDAP node or be able to configure settings for the LDAP servers to use for authentication by way of authentication profiles.

If you set this privilege to read-only, the administrator can view the Server ProfilesLDAP information but cannot configure settings for the LDAP servers.

Yes

Yes

Kerberos

Controls access to the Server ProfilesKerberos node. If you disable this privilege, the administrator will not see the Server ProfilesKerberos node or configure a Kerberos server that allows users to authenticate natively to a domain controller.

If you set this privilege to read-only, the administrator can view the Server ProfilesKerberos information but cannot configure settings for Kerberos servers.

Yes

Yes

SAML Identity Provider

Controls access to the Server ProfilesSAML Identity Provider node. If you disable this privilege, the administrator cannot see the node or configure SAML identity provider (IdP) server profiles.

If you set this privilege to read-only, the administrator can view the Server ProfilesSAML Identity Provider information but cannot configure SAML IdP server profiles.

Yes

Yes

Multi Factor Authentication

Controls access to the Server ProfilesMulti Factor Authentication node. If you disable this privilege, the administrator cannot see the node or configure multi-factor authentication (MFA) server profiles.

If you set this privilege to read-only, the administrator can view the Server ProfilesSAML Identity Provider information but cannot configure MFA server profiles.

Local User Database

Sets the default state to enable or disable for all of the Local User Database settings described below.

Yes

No

Users

Controls access to the Local User DatabaseUsers node. If you disable this privilege, the administrator will not see the Local User DatabaseUsers node or set up a local database on the firewall to store authentication information for remote access users, firewall administrators, and Authentication Portal users.

If you set this privilege to read-only, the administrator can view the Local User DatabaseUsers information but cannot set up a local database on the firewall to store authentication information.

Yes

Yes

User Groups

Controls access to the Local User DatabaseUsers node. If you disable this privilege, the administrator will not see the Local User DatabaseUsers node or be able to add user group information to the local database.

If you set this privilege to read-only, the administrator can view the Local User DatabaseUsers information but cannot add user group information to the local database.

Yes

Yes

Access Domain

Controls access to the Access Domain node. If you disable this privilege, the administrator will not see the Access Domain node or be able to create or edit an access domain.

If you set this privilege to read-only, the administrator can view the Access Domain information but cannot create or edit an access domain.

Yes

Yes

Scheduled Log Export

Controls access to the Scheduled Log Export node. If you disable this privilege, the administrator will not see the Scheduled Log Export node or be able schedule exports of logs and save them to a File Transfer Protocol (FTP) server in CSV format or use Secure Copy (SCP) to securely transfer data between the firewall and a remote host.

If you set this privilege to read-only, the administrator can view the Scheduled Log Export Profile information but cannot schedule the export of logs.

Yes

No

Software

Controls access to the Software node. If you disable this privilege, the administrator will not see the Software node or view the latest versions of the PAN-OS software available from Palo Alto Networks, read the release notes for each version, and select a release to download and install.

If you set this privilege to read-only, the administrator can view the Software information but cannot download or install software.

Yes

Yes

GlobalProtect Client

Controls access to the GlobalProtect Client node. If you disable this privilege, the administrator will not see the GlobalProtect Client node or view available GlobalProtect releases, download the code or activate the GlobalProtect app.

If you set this privilege to read-only, the administrator can view the available GlobalProtect Client releases but cannot download or install the app software.

Yes

Yes

Dynamic Updates

Controls access to the Dynamic Updates node. If you disable this privilege, the administrator will not see the Dynamic Updates node or be able to view the latest updates, read the release notes for each update, or select an update to upload and install.

If you set this privilege to read-only, the administrator can view the available Dynamic Updates releases, read the release notes but cannot upload or install the software.

Yes

Yes

Licenses

Controls access to the Licenses node. If you disable this privilege, the administrator will not see the Licenses node or be able to view the licenses installed or activate licenses.

If you set this privilege to read-only, the administrator can view the installed Licenses, but cannot perform license management functions.

Yes

Yes

Support

Controls access to the Support node. If you disable this privilege, the administrator cannot see the Support node, activate support, or access production and security alerts from Palo Alto Networks.

If you set this privilege to read-only, the administrator can see the Support node and access production and security alerts but cannot activate support.

Yes

Yes