Provide Granular Access to the Panorama Tab
The following table lists the Panorama tab access levels and the custom Panorama administrator roles for which they are available. Firewall administrators cannot access any of these privileges.
Access Level | Description | Administrator Role
Availability | Enable | Read Only | Disable |
---|---|---|---|---|---|
Setup | Specifies whether the administrator can
view or edit Panorama setup information, including Management, Operations and Telemetry, Services,
Content-ID, WildFire, Session, or HSM. If
you set the privilege to:
| Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
High Availability | Specifies whether the administrator can
view and manage high availability (HA) settings for the Panorama management
server. If you set this privilege to read-only, the administrator
can view HA configuration information for the Panorama management
server but can’t manage the configuration. If you disable
this privilege, the administrator can’t see or manage HA configuration settings
for the Panorama management server. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Config Audit | Specifies whether the administrator can
run Panorama configuration audits. If you disable this privilege,
the administrator can’t run Panorama configuration audits. | Panorama: Yes Device Group/Template: No | Yes | No | Yes |
Firewall Clusters
|
Specifies whether the administrator can create and configure CN-Series and PA-Series firewall clusters.
If you set this privilege to read-only, the administrator can view firewall cluster
information for the Panorama management server but can’t manage the configuration.
If you disable this privilege, the administrator can’t see or manage firewall clusters for
the Panorama management server.
|
Panorama: Yes
Device Group/Template: No
|
Yes
|
Yes
|
Yes
|
Administrators | Specifies whether the administrator can
view Panorama administrator account details. You can’t enable
full access to this function: just read-only access. (Only Panorama
administrators with a dynamic role can add, edit, or delete Panorama administrators.)
With read-only access, the administrator can see information about
his or her own account but no other Panorama administrator accounts. If
you disable this privilege, the administrator can’t see information
about any Panorama administrator account, including his or her own. | Panorama: Yes Device Group/Template: No | No | Yes | Yes |
Admin Roles | Specifies whether the administrator can
view Panorama administrator roles. You can’t enable full access
to this function: just read-only access. (Only Panorama administrators
with a dynamic role can add, edit, or delete custom Panorama roles.) With
read-only access, the administrator can see Panorama administrator
role configurations but can’t manage them. If you disable
this privilege, the administrator can’t see or manage Panorama administrator
roles. | Panorama: Yes Device Group/Template: No | No | Yes | Yes |
Access Domain | Specifies whether the administrator can
view, add, edit, delete, or clone access domain configurations for Panorama
administrators. (This privilege controls access only to the configuration
of access domains, not access to the device groups, templates, and firewall
contexts that are assigned to access domains.) If you set
this privilege to read-only, the administrator can view Panorama
access domain configurations but can’t manage them. If you
disable this privilege, the administrator can’t see or manage Panorama
access domain configurations. | Panorama: Yes Device Group/Template: No You
assign access domains to Device Group and Template administrators
so they can access the configuration and monitoring data within the
device groups, templates, and firewall contexts that are assigned
to those access domains. | Yes | Yes | Yes |
Authentication Profile | Specifies whether the administrator can
view, add, edit, delete, or clone authentication profiles for Panorama
administrators. If you set this privilege to read-only, the
administrator can view Panorama authentication profiles but can’t
manage them. If you disable this privilege, the administrator
can’t see or manage Panorama authentication profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Authentication Sequence | Specifies whether the administrator can
view, add, edit, delete, or clone authentication sequences for Panorama
administrators. If you set this privilege to read-only, the
administrator can view Panorama authentication sequences but can’t
manage them. If you disable this privilege, the administrator
can’t see or manage Panorama authentication sequences. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
User Identification | Specifies whether the administrator can
configure User-ID connection security and view, add, edit, or delete
data redistribution points (such as User-ID agents). If you
set this privilege to read-only, the administrator can view settings
for User-ID connection security and redistribution points but can’t manage
the settings. If you disable this privilege, the administrator
can’t see or manage settings for User-ID connection security or redistribution
points. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Managed Devices | Specifies whether the administrator can
view, add, edit, or delete firewalls as managed devices, and install software
or content updates on them. If you set this privilege to read-only,
the administrator can see managed firewalls but can’t add, delete,
tag, or install updates on them. If you disable this privilege,
the administrator can’t view, add, edit, tag, delete, or install
updates on managed firewalls. An administrator with Device
Deployment privileges can still select PanoramaDevice Deployment to install updates
on managed firewalls. | Panorama: Yes Device Group/Template: Yes | Yes (No for Device Group and Template roles) | Yes | Yes |
Templates | Specifies whether the administrator can
view, edit, add, or delete templates and template stacks. If
you set the privilege to read-only, the administrator can see template
and stack configurations but can’t manage them. If you disable
this privilege, the administrator can’t see or manage template and stack
configurations. | Panorama: Yes Device Group/Template: Yes Device
Group and Template administrators can see only the templates and stacks
that are within the access domains assigned to those administrators. | Yes (No for Device Group and Template admins) | Yes | Yes |
Device Groups | Specifies whether the administrator can
view, edit, add, or delete device groups. If you set this
privilege to read-only, the administrator can see device group configurations but
can’t manage them. If you disable this privilege, the administrator
can’t see or manage device group configurations. | Panorama: Yes Device Group/Template: Yes Device
Group and Template administrators can access only the device groups
that are within the access domains assigned to those administrators. | Yes | Yes | Yes |
Managed Collectors | Specifies whether the administrator can
view, edit, add, or delete managed collectors. If you set
this privilege to read-only, the administrator can see managed collector configurations
but can’t manage them. If you disable this privilege, the
administrator can’t view, edit, add, or delete managed collector configurations. An
administrator with Device
Deployment privileges can still use the PanoramaDevice Deployment options to install
updates on managed collectors. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Collector Groups | Specifies whether the administrator can
view, edit, add, or delete Collector Groups. If you set this
privilege to read-only, the administrator can see Collector Groups
but can’t manage them. If you disable this privilege, the
administrator can’t see or manage Collector Groups. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
VMware Service Manager | Specifies whether the administrator can
view and edit VMware Service Manager settings. If you set
this privilege to read-only, the administrator can see the settings
but can’t perform any related configuration or operational procedures. If
you disable this privilege, the administrator can’t see the settings
or perform any related configuration or operational procedures. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Certificate Management | Sets the default state, enabled or disabled,
for all of the Panorama certificate management privileges. | Panorama: Yes Device Group/Template: No | Yes | No | Yes |
Certificates | Specifies whether the administrator can
view, edit, generate, delete, revoke, renew, or export certificates.
This privilege also specifies whether the administrator can import
or export HA keys. If you set this privilege to read-only,
the administrator can see Panorama certificates but can’t manage
the certificates or HA keys. If you disable this privilege,
the administrator can’t see or manage Panorama certificates or HA
keys. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Certificate Profile | Specifies whether the administrator can
view, add, edit, delete or clone Panorama certificate profiles. If
you set this privilege to read-only, the administrator can see Panorama
certificate profiles but can’t manage them. If you disable
this privilege, the administrator can’t see or manage Panorama certificate
profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
SSL/TLS Service Profile | Specifies whether the administrator can
view, add, edit, delete or clone SSL/TLS Service profiles. If
you set this privilege to read-only, the administrator can see SSL/TLS
Service profiles but can’t manage them. If you disable this privilege,
the administrator can’t see or manage SSL/TLS Service profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Log Settings | Sets the default state, enabled or disabled,
for all the log setting privileges. | Panorama: Yes Device Group/Template: No | Yes | No | Yes |
System | Specifies whether the administrator can
see and configure the settings that control the forwarding of System logs
to external services (syslog, email, SNMP trap, or HTTP servers). If
you set this privilege to read-only, the administrator can see the
System log forwarding settings but can’t manage them. If you
disable this privilege, the administrator can’t see or manage the settings. This
privilege pertains only to System logs that Panorama and Log Collectors
generate. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
for System logs that Log Collectors receive from firewalls. The DeviceLog Settings > System privilege
controls log forwarding from firewalls directly to external services
(without aggregation on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Config | Specifies whether the administrator can
see and configure the settings that control the forwarding of Config logs
to external services (syslog, email, SNMP trap, or HTTP servers). If
you set this privilege to read-only, the administrator can see the
Config log forwarding settings but can’t manage them. If you
disable this privilege, the administrator can’t see or manage the settings. This
privilege pertains only to Config logs that Panorama and Log Collectors
generate. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
for Config logs that Log Collectors receive from firewalls. The DeviceLog Settings > Configuration privilege
controls log forwarding from firewalls directly to external services
(without aggregation on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
User-ID | Specifies whether the administrator can
see and configure the settings that control the forwarding of User-ID
logs to external services (syslog, email, SNMP trap, or HTTP servers). If
you set this privilege to read-only, the administrator can see the
Config log forwarding settings but can’t manage them. If you
disable this privilege, the administrator can’t see or manage the settings. This
privilege pertains only to User-ID logs that Panorama generates. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
for User-ID logs that Log Collectors receive from firewalls. The DeviceLog Settings > User-ID privilege
controls log forwarding from firewalls directly to external services
(without aggregation on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
HIP Match | Specifies whether the administrator can
see and configure the settings that control the forwarding of HIP Match
logs from a Panorama virtual appliance in Legacy mode to external
services (syslog, email, SNMP trap, or HTTP servers). If you
set this privilege to read-only, the administrator can see the forwarding
settings of HIP Match logs but can’t manage them. If you disable
this privilege, the administrator can’t see or manage the settings. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
for HIP Match logs that Log Collectors receive from firewalls. The DeviceLog Settings > HIP
Match privilege controls log forwarding from firewalls directly
to external services (without aggregation on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
GlobalProtect | Specifies whether the administrator can
see and configure the settings that control the forwarding of GlobalProtect
logs from a Panorama virtual appliance in Legacy mode to external services
(syslog, email, SNMP trap, or HTTP servers). If you set this
privilege to read-only, the administrator can see the forwarding
settings of GlobalProtect logs but can’t manage them. If you
disable this privilege, the administrator can’t see or manage the settings. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
for GlobalProtect logs that Log Collectors receive from firewalls.
The DeviceLog SettingsGlobalProtect privilege controls
log forwarding from firewalls directly to external services (without
aggregation on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Correlation | Specifies whether the administrator can
see and configure the settings that control the forwarding of Correlation
logs from a Panorama virtual appliance in Legacy mode to external services
(syslog, email, SNMP trap, or HTTP servers). If you set this
privilege to read-only, the administrator can see the Correlation
log forwarding settings but can’t manage them. If you disable
this privilege, the administrator can’t see or manage the settings. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
of Correlation logs from a Panorama M-Series appliance or Panorama
virtual appliance in Panorama mode. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Traffic | Specifies whether the administrator can
see and configure the settings that control the forwarding of Traffic logs
from a Panorama virtual appliance in Legacy mode to external services
(syslog, email, SNMP trap, or HTTP servers). If you set this
privilege to read-only, the administrator can see the forwarding
settings of Traffic logs but can’t manage them. If you disable
this privilege, the administrator can’t see or manage the settings. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
for Traffic logs that Log Collectors receive from firewalls. The Log
Forwarding privilege (ObjectsLog Forwarding) controls forwarding
from firewalls directly to external services (without aggregation
on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Threat | Specifies whether the administrator can
see and configure the settings that control the forwarding of Threat logs
from a Panorama virtual appliance in Legacy mode to external services
(syslog, email, SNMP trap, or HTTP servers). If you set this
privilege to read-only, the administrator can see the forwarding
settings of Threat logs but can’t manage them. If you disable
this privilege, the administrator can’t see or manage the settings. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
for Threat logs that Log Collectors receive from firewalls. The Log
Forwarding privilege (ObjectsLog Forwarding) controls forwarding
from firewalls directly to external services (without aggregation
on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
WildFire | Specifies whether the administrator can
see and configure the settings that control the forwarding of WildFire
logs from a Panorama virtual appliance in Legacy mode to external
services (syslog, email, SNMP trap, or HTTP servers). If you
set this privilege to read-only, the administrator can see the forwarding
settings of WildFire logs but can’t manage them. If you disable
this privilege, the administrator can’t see or manage the settings. The Collector
Groups privilege (PanoramaCollector Groups) controls
the forwarding for WildFire logs that Log Collectors receive from
firewalls. The Log
Forwarding privilege (ObjectsLog Forwarding) controls forwarding
from firewalls directly to external services (without aggregation
on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Server Profiles | Sets the default state, enabled or disabled,
for all the server profile privileges. These privileges
pertain only to the server profiles that are used for forwarding
logs from Panorama or Log Collectors and the server profiles that
are used for authenticating Panorama administrators. The Device Server
Profiles privileges control access to the server profiles
that are used for forwarding logs directly from firewalls to external
services and for authenticating firewall administrators. | Panorama: Yes Device Group/Template: No | Yes | No | Yes |
SNMP Trap | Specifies whether the administrator can
see and configure SNMP trap server profiles. If you set this
privilege to read-only, the administrator can see SNMP trap server
profiles but can’t manage them. If you disable this privilege,
the administrator can’t see or manage SNMP trap server profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Syslog | Specifies whether the administrator can
see and configure Syslog server profiles. If you set this
privilege to read-only, the administrator can see Syslog server
profiles but can’t manage them. If you disable this privilege,
the administrator can’t see or manage Syslog server profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Email | Specifies whether the administrator can
see and configure email server profiles. If you set this privilege
to read-only, the administrator can see email server profiles but can’t
manage them. If you disable this privilege, the administrator
can’t see or manage email server profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
RADIUS | Specifies whether the administrator can
see and configure the RADIUS server profiles that are used to authenticate
Panorama administrators. If you set this privilege to read-only,
the administrator can see the RADIUS server profiles but can’t manage
them. If you disable this privilege, the administrator can’t see
or manage the RADIUS server profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
TACACS+ | Specifies whether the administrator can
see and configure the TACACS+ server profiles that are used to authenticate
Panorama administrators. If you disable this privilege, the
administrator can’t see the node or configure settings for the TACACS+ servers
that authentication profiles reference. If you set this privilege
to read-only, the administrator can view existing TACACS+ server profiles
but can’t add or edit them. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
LDAP | Specifies whether the administrator can
see and configure the LDAP server profiles that are used to authenticate
Panorama administrators. If you set this privilege to read-only,
the administrator can see the LDAP server profiles but can’t manage
them. If you disable this privilege, the administrator can’t see
or manage the LDAP server profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Kerberos | Specifies whether the administrator can
see and configure the Kerberos server profiles that are used to authenticate
Panorama administrators. If you set this privilege to read-only,
the administrator can see the Kerberos server profiles but can’t
manage them. If you disable this privilege, the administrator
can’t see or manage the Kerberos server profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
SAML Identity Provider | Specifies whether the administrator can
see and configure the SAML Identity Provider (IdP) server profiles that
are used to authenticate Panorama administrators. If you set
this privilege to read-only, the administrator can see the SAML
IdP server profiles but can’t manage them. If you disable
this privilege, the administrator can’t see or manage the SAML IdP server
profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Scheduled Config Export | Specifies whether the administrator can view, add, edit, delete, or clone scheduled Panorama configuration exports. If you set this privilege to read-only, the administrator can view the scheduled exports but can’t manage them. If you disable this privilege, the administrator can’t see or manage the scheduled exports. | Panorama: Yes; Device Group/Template: No | Yes | No | Yes |
Software | Specifies whether the administrator can: view information about software updates installed on the Panorama management server; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can view information about Panorama software updates and view the associated release notes but can’t perform any related operations. If you disable this privilege, the administrator can’t see Panorama software updates, see the associated release notes, or perform any related operations. The Panorama > Device Deployment > Software privilege controls access to PAN-OS software deployed on firewalls and Panorama software deployed on Dedicated Log Collectors. | Panorama: Yes; Device Group/Template: No | Yes | Yes | Yes |
Dynamic Updates | Specifies whether the administrator can: view information about content updates installed on the Panorama management server (for example, WildFire updates); download, upload, install, or revert the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can view information about Panorama content updates and view the associated release notes but can’t perform any related operations. If you disable this privilege, the administrator can’t see Panorama content updates, see the associated release notes, or perform any related operations. The Panorama > Device Deployment > Dynamic Updates privilege controls access to content updates deployed on firewalls and Dedicated Log Collectors. | Panorama: Yes; Device Group/Template: No | Yes | Yes | Yes |
Support | Specifies whether the administrator can: view Panorama support license information, product alerts, and security alerts; activate a support license; and manage cases. Only a superuser admin can generate Tech Support files. If you set this privilege to read-only, the administrator can view Panorama support information, product alerts, and security alerts, but can’t activate a support license, generate Tech Support files, or manage cases. If you disable this privilege, the administrator can’t see Panorama support information, product alerts, or security alerts, and can’t activate a support license, generate Tech Support files, or manage cases. | Panorama: Yes; Device Group/Template: No | Yes | Yes | Yes |
Device Deployment | Sets the default state, enabled or disabled, for all the privileges associated with deploying licenses and software or content updates to firewalls and Log Collectors. The Panorama > Software and Panorama > Dynamic Updates privileges control the software and content updates installed on a Panorama management server. | Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
Software | Specifies whether the administrator can: view information about the software updates installed on firewalls and Log Collectors; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about the software updates and view the associated release notes but can’t deploy the updates to firewalls or Dedicated Log Collectors. If you disable this privilege, the administrator can’t see information about the software updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors. | Panorama: Yes; Device Group/Template: Yes | Yes | Yes | Yes |
GlobalProtect Client | Specifies whether the administrator can: view information about GlobalProtect app software updates on firewalls; download, upload, or activate the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about GlobalProtect app software updates and view the associated release notes but can’t activate the updates on firewalls. If you disable this privilege, the administrator can’t see information about GlobalProtect app software updates, see the associated release notes, or activate the updates on firewalls. | Panorama: Yes; Device Group/Template: Yes | Yes | Yes | Yes |
Dynamic Updates | Specifies whether the administrator can: view information about the content updates (for example, Applications updates) installed on firewalls and Dedicated Log Collectors; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about the content updates and view the associated release notes but can’t deploy the updates to firewalls or Dedicated Log Collectors. If you disable this privilege, the administrator can’t see information about the content updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors. | Panorama: Yes; Device Group/Template: Yes | Yes | Yes | Yes |
Licenses | Specifies whether the administrator can view, refresh, and activate firewall licenses. If you set this privilege to read-only, the administrator can view firewall licenses but can’t refresh or activate those licenses. If you disable this privilege, the administrator can’t view, refresh, or activate firewall licenses. | Panorama: Yes; Device Group/Template: Yes | Yes | Yes | Yes |
Master Key and Diagnostics | Specifies whether the administrator can view and configure a master key by which to encrypt private keys on Panorama. If you set this privilege to read-only, the administrator can view the Panorama master key configuration but can’t change it. If you disable this privilege, the administrator can’t see or edit the Panorama master key configuration. | Panorama: Yes; Device Group/Template: No | Yes | Yes | Yes |