Panorama > Administrators
Table of Contents
Expand all | Collapse all
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > GTP Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Decryption > Forwarding Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Device Block List
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Scheduled Config Export
End-of-Life (EoL)
Panorama > Administrators
Select PanoramaAdministrators to create and
manage accounts for Panorama administrators.
If you log in to Panorama as an administrator with a superuser
role, you can unlock the accounts of other administrators by clicking
the lock icons in the Locked User column. A locked out administrator
cannot access Panorama. Panorama locks out administrators who exceed
the allowed number of failed successive attempts to access Panorama
as defined in the Authentication Profile assigned
to their accounts (see Device
> Authentication Profile).
To create an administrator account, click Add and configure
the settings as described in the following table.
Administrator Account
Settings | Description |
|---|---|
Name | Enter a login username for the administrator
(up to 15 characters). The name is case-sensitive, must be unique,
and can contain only letters, numbers, hyphens, and underscores. |
Authentication Profile | Select an authentication profile or sequence
to authenticate this administrator. For details, see Device
> Authentication Profile or Device
> Authentication Sequence. |
Use only client certificate authentication (Web) | Select to use client certificate authentication for
web interface access. If you select this option, a username (Name)
and Password are not required. |
Password/Confirm Password | Enter and confirm a case-sensitive password
for the administrator (up to 15 characters). To ensure security,
Palo Alto Networks recommends that administrators change their passwords
periodically using a combination of lowercase letters, uppercase
letters, and numbers. Be sure to use the best practices for password strength to
ensure a strict password. Device Group and Template administrators
cannot access PanoramaAdministrators.
To change their local password, these administrators click their username
(beside Logout at the bottom of the web interface).
This also applies to administrators with a custom Panorama role
in which access to PanoramaAdministrators is disabled. You
can use password authentication in conjunction with an Authentication
Profile (or sequence) or with local database authentication. You
can set password expiration parameters by selecting a Password
Profile (see Device
> Password Profiles) and setting Minimum Password Complexity
parameters (see Device
> Setup > Management), but only for administrative accounts
that Panorama authenticates locally. |
Use Public Key Authentication (SSH) | Select to use SSH public key authentication:
click Import Key, Browse to
select the public key file, and click OK.
The Administrator dialog displays the uploaded key in the read-only text
area. Supported key file formats are IETF SECSH and OpenSSH. Supported
key algorithms are DSA (1024 bits) and RSA (768 to 4096 bits). If
public key authentication fails, Panorama presents a login and password
prompt. |
Administrator Type | The type selection determines the administrative role options:
|
Admin Role (Dynamic administrator type) | Select a predefined role:
|
Profile (Custom Panorama Admin
administrator type) | Select a custom Panorama role (see Panorama
> Managed Devices > Summary). |
Access Domain to Administrator Role (Device
Group and Template Admin administrator type) | For each access domain (up to 25) you want
to assign to the administrator, Add an Access
Domain from the drop-down (see Panorama
> Access Domains) and then click the adjacent Admin Role
cell and select a custom Device Group and Template administrator
role from the drop-down (see Panorama
> Managed Devices > Summary). When administrators with access
to more than one domain log in to Panorama, an Access
Domain drop-down appears in the footer of the web interface. Administrators
can select any assigned Access Domain to
filter the monitoring and configuration data that Panorama displays.
The Access Domain selection also filters
the firewalls that the Context drop-down
displays. If you use a RADIUS server to authenticate administrators,
you must map administrator roles and access domainstoRADIUS
VSAs. Because VSA strings support a limited number of characters,
if you configure the maximum number of access domain/role pairs
(25) for an administrator, the Name values for each access domain
and each role must not exceed an average of 9 characters. |
Password Profile | Select a Password Profile (see Device
> Password Profiles). |