Provide Granular Access to the Panorama Tab
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Provide Granular Access to the Panorama Tab
The following table lists the Panorama tab
access levels and the custom Panorama administrator roles for which
they are available. Firewall administrators cannot access any of
these privileges.
Access Level | Description | Administrator Role
Availability | Enable | Read Only | Disable |
|---|---|---|---|---|---|
Setup | Specifies whether the administrator can
view or edit Panorama setup information, including Management, Operations and Telemetry, Services,
Content-ID, WildFire, Session, or HSM. If
you set the privilege to:
| Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
High Availability | Specifies whether the administrator can
view and manage high availability (HA) settings for the Panorama management
server. If you set this privilege to read-only, the administrator
can view HA configuration information for the Panorama management
server but can’t manage the configuration. If you disable
this privilege, the administrator can’t see or manage HA configuration settings
for the Panorama management server. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Config Audit | Specifies whether the administrator can
run Panorama configuration audits. If you disable this privilege,
the administrator can’t run Panorama configuration audits. | Panorama: Yes Device Group/Template: No | Yes | No | Yes |
|
Firewall Clusters
|
Specifies whether the administrator can create and configure CN-Series and PA-Series firewall clusters.
If you set this privilege to read-only, the administrator can view firewall cluster
information for the Panorama management server but can’t manage the configuration.
If you disable this privilege, the administrator can’t see or manage firewall clusters for
the Panorama management server.
|
Panorama: Yes
Device Group/Template: No
|
Yes
|
Yes
|
Yes
|
Administrators | Specifies whether the administrator can
view Panorama administrator account details. You can’t enable
full access to this function: just read-only access. (Only Panorama
administrators with a dynamic role can add, edit, or delete Panorama administrators.)
With read-only access, the administrator can see information about
his or her own account but no other Panorama administrator accounts. If
you disable this privilege, the administrator can’t see information
about any Panorama administrator account, including his or her own. | Panorama: Yes Device Group/Template: No | No | Yes | Yes |
Admin Roles | Specifies whether the administrator can
view Panorama administrator roles. You can’t enable full access
to this function: just read-only access. (Only Panorama administrators
with a dynamic role can add, edit, or delete custom Panorama roles.) With
read-only access, the administrator can see Panorama administrator
role configurations but can’t manage them. If you disable
this privilege, the administrator can’t see or manage Panorama administrator
roles. | Panorama: Yes Device Group/Template: No | No | Yes | Yes |
Access Domain | Specifies whether the administrator can
view, add, edit, delete, or clone access domain configurations for Panorama
administrators. (This privilege controls access only to the configuration
of access domains, not access to the device groups, templates, and firewall
contexts that are assigned to access domains.) If you set
this privilege to read-only, the administrator can view Panorama
access domain configurations but can’t manage them. If you
disable this privilege, the administrator can’t see or manage Panorama
access domain configurations. | Panorama: Yes Device Group/Template: No You
assign access domains to Device Group and Template administrators
so they can access the configuration and monitoring data within the
device groups, templates, and firewall contexts that are assigned
to those access domains. | Yes | Yes | Yes |
Authentication Profile | Specifies whether the administrator can
view, add, edit, delete, or clone authentication profiles for Panorama
administrators. If you set this privilege to read-only, the
administrator can view Panorama authentication profiles but can’t
manage them. If you disable this privilege, the administrator
can’t see or manage Panorama authentication profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Authentication Sequence | Specifies whether the administrator can
view, add, edit, delete, or clone authentication sequences for Panorama
administrators. If you set this privilege to read-only, the
administrator can view Panorama authentication sequences but can’t
manage them. If you disable this privilege, the administrator
can’t see or manage Panorama authentication sequences. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
User Identification | Specifies whether the administrator can
configure User-ID connection security and view, add, edit, or delete
data redistribution points (such as User-ID agents). If you
set this privilege to read-only, the administrator can view settings
for User-ID connection security and redistribution points but can’t manage
the settings. If you disable this privilege, the administrator
can’t see or manage settings for User-ID connection security or redistribution
points. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Managed Devices | Specifies whether the administrator can
view, add, edit, or delete firewalls as managed devices, and install software
or content updates on them. If you set this privilege to read-only,
the administrator can see managed firewalls but can’t add, delete,
tag, or install updates on them. If you disable this privilege,
the administrator can’t view, add, edit, tag, delete, or install
updates on managed firewalls. An administrator with Device
Deployment privileges can still select PanoramaDevice Deployment to install updates
on managed firewalls. | Panorama: Yes Device Group/Template: Yes | Yes (No for Device Group and Template roles) | Yes | Yes |
Templates | Specifies whether the administrator can
view, edit, add, or delete templates and template stacks. If
you set the privilege to read-only, the administrator can see template
and stack configurations but can’t manage them. If you disable
this privilege, the administrator can’t see or manage template and stack
configurations. | Panorama: Yes Device Group/Template: Yes Device
Group and Template administrators can see only the templates and stacks
that are within the access domains assigned to those administrators. | Yes (No for Device Group and Template admins) | Yes | Yes |
Device Groups | Specifies whether the administrator can
view, edit, add, or delete device groups. If you set this
privilege to read-only, the administrator can see device group configurations but
can’t manage them. If you disable this privilege, the administrator
can’t see or manage device group configurations. | Panorama: Yes Device Group/Template: Yes Device
Group and Template administrators can access only the device groups
that are within the access domains assigned to those administrators. | Yes | Yes | Yes |
Managed Collectors | Specifies whether the administrator can
view, edit, add, or delete managed collectors. If you set
this privilege to read-only, the administrator can see managed collector configurations
but can’t manage them. If you disable this privilege, the
administrator can’t view, edit, add, or delete managed collector configurations. An
administrator with Device
Deployment privileges can still use the PanoramaDevice Deployment options to install
updates on managed collectors. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Collector Groups | Specifies whether the administrator can
view, edit, add, or delete Collector Groups. If you set this
privilege to read-only, the administrator can see Collector Groups
but can’t manage them. If you disable this privilege, the
administrator can’t see or manage Collector Groups. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
VMware Service Manager | Specifies whether the administrator can
view and edit VMware Service Manager settings. If you set
this privilege to read-only, the administrator can see the settings
but can’t perform any related configuration or operational procedures. If
you disable this privilege, the administrator can’t see the settings
or perform any related configuration or operational procedures. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Certificate Management | Sets the default state, enabled or disabled,
for all of the Panorama certificate management privileges. | Panorama: Yes Device Group/Template: No | Yes | No | Yes |
Certificates | Specifies whether the administrator can
view, edit, generate, delete, revoke, renew, or export certificates.
This privilege also specifies whether the administrator can import
or export HA keys. If you set this privilege to read-only,
the administrator can see Panorama certificates but can’t manage
the certificates or HA keys. If you disable this privilege,
the administrator can’t see or manage Panorama certificates or HA
keys. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Certificate Profile | Specifies whether the administrator can
view, add, edit, delete or clone Panorama certificate profiles. If
you set this privilege to read-only, the administrator can see Panorama
certificate profiles but can’t manage them. If you disable
this privilege, the administrator can’t see or manage Panorama certificate
profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
SSL/TLS Service Profile | Specifies whether the administrator can
view, add, edit, delete or clone SSL/TLS Service profiles. If
you set this privilege to read-only, the administrator can see SSL/TLS
Service profiles but can’t manage them. If you disable this privilege,
the administrator can’t see or manage SSL/TLS Service profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Log Settings | Sets the default state, enabled or disabled,
for all the log setting privileges. | Panorama: Yes Device Group/Template: No | Yes | No | Yes |
System | Specifies whether the administrator can
see and configure the settings that control the forwarding of System logs
to external services (syslog, email, SNMP trap, or HTTP servers). If
you set this privilege to read-only, the administrator can see the
System log forwarding settings but can’t manage them. If you
disable this privilege, the administrator can’t see or manage the settings. This
privilege pertains only to System logs that Panorama and Log Collectors
generate. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
for System logs that Log Collectors receive from firewalls. The DeviceLog Settings > System privilege
controls log forwarding from firewalls directly to external services
(without aggregation on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Config | Specifies whether the administrator can
see and configure the settings that control the forwarding of Config logs
to external services (syslog, email, SNMP trap, or HTTP servers). If
you set this privilege to read-only, the administrator can see the
Config log forwarding settings but can’t manage them. If you
disable this privilege, the administrator can’t see or manage the settings. This
privilege pertains only to Config logs that Panorama and Log Collectors
generate. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
for Config logs that Log Collectors receive from firewalls. The DeviceLog Settings > Configuration privilege
controls log forwarding from firewalls directly to external services
(without aggregation on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
User-ID | Specifies whether the administrator can
see and configure the settings that control the forwarding of User-ID
logs to external services (syslog, email, SNMP trap, or HTTP servers). If
you set this privilege to read-only, the administrator can see the
Config log forwarding settings but can’t manage them. If you
disable this privilege, the administrator can’t see or manage the settings. This
privilege pertains only to User-ID logs that Panorama generates. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
for User-ID logs that Log Collectors receive from firewalls. The DeviceLog Settings > User-ID privilege
controls log forwarding from firewalls directly to external services
(without aggregation on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
HIP Match | Specifies whether the administrator can
see and configure the settings that control the forwarding of HIP Match
logs from a Panorama virtual appliance in Legacy mode to external
services (syslog, email, SNMP trap, or HTTP servers). If you
set this privilege to read-only, the administrator can see the forwarding
settings of HIP Match logs but can’t manage them. If you disable
this privilege, the administrator can’t see or manage the settings. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
for HIP Match logs that Log Collectors receive from firewalls. The DeviceLog Settings > HIP
Match privilege controls log forwarding from firewalls directly
to external services (without aggregation on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
GlobalProtect | Specifies whether the administrator can
see and configure the settings that control the forwarding of GlobalProtect
logs from a Panorama virtual appliance in Legacy mode to external services
(syslog, email, SNMP trap, or HTTP servers). If you set this
privilege to read-only, the administrator can see the forwarding
settings of GlobalProtect logs but can’t manage them. If you
disable this privilege, the administrator can’t see or manage the settings. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
for GlobalProtect logs that Log Collectors receive from firewalls.
The DeviceLog SettingsGlobalProtect privilege controls
log forwarding from firewalls directly to external services (without
aggregation on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Correlation | Specifies whether the administrator can
see and configure the settings that control the forwarding of Correlation
logs from a Panorama virtual appliance in Legacy mode to external services
(syslog, email, SNMP trap, or HTTP servers). If you set this
privilege to read-only, the administrator can see the Correlation
log forwarding settings but can’t manage them. If you disable
this privilege, the administrator can’t see or manage the settings. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
of Correlation logs from a Panorama M-Series appliance or Panorama
virtual appliance in Panorama mode. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Traffic | Specifies whether the administrator can
see and configure the settings that control the forwarding of Traffic logs
from a Panorama virtual appliance in Legacy mode to external services
(syslog, email, SNMP trap, or HTTP servers). If you set this
privilege to read-only, the administrator can see the forwarding
settings of Traffic logs but can’t manage them. If you disable
this privilege, the administrator can’t see or manage the settings. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
for Traffic logs that Log Collectors receive from firewalls. The Log
Forwarding privilege (ObjectsLog Forwarding) controls forwarding
from firewalls directly to external services (without aggregation
on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Threat | Specifies whether the administrator can
see and configure the settings that control the forwarding of Threat logs
from a Panorama virtual appliance in Legacy mode to external services
(syslog, email, SNMP trap, or HTTP servers). If you set this
privilege to read-only, the administrator can see the forwarding
settings of Threat logs but can’t manage them. If you disable
this privilege, the administrator can’t see or manage the settings. The Collector
Groups privilege (PanoramaCollector Groups) controls forwarding
for Threat logs that Log Collectors receive from firewalls. The Log
Forwarding privilege (ObjectsLog Forwarding) controls forwarding
from firewalls directly to external services (without aggregation
on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
WildFire | Specifies whether the administrator can
see and configure the settings that control the forwarding of WildFire
logs from a Panorama virtual appliance in Legacy mode to external
services (syslog, email, SNMP trap, or HTTP servers). If you
set this privilege to read-only, the administrator can see the forwarding
settings of WildFire logs but can’t manage them. If you disable
this privilege, the administrator can’t see or manage the settings. The Collector
Groups privilege (PanoramaCollector Groups) controls
the forwarding for WildFire logs that Log Collectors receive from
firewalls. The Log
Forwarding privilege (ObjectsLog Forwarding) controls forwarding
from firewalls directly to external services (without aggregation
on Log Collectors). | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Server Profiles | Sets the default state, enabled or disabled,
for all the server profile privileges. These privileges
pertain only to the server profiles that are used for forwarding
logs from Panorama or Log Collectors and the server profiles that
are used for authenticating Panorama administrators. The Device Server
Profiles privileges control access to the server profiles
that are used for forwarding logs directly from firewalls to external
services and for authenticating firewall administrators. | Panorama: Yes Device Group/Template: No | Yes | No | Yes |
SNMP Trap | Specifies whether the administrator can
see and configure SNMP trap server profiles. If you set this
privilege to read-only, the administrator can see SNMP trap server
profiles but can’t manage them. If you disable this privilege,
the administrator can’t see or manage SNMP trap server profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Syslog | Specifies whether the administrator can
see and configure Syslog server profiles. If you set this
privilege to read-only, the administrator can see Syslog server
profiles but can’t manage them. If you disable this privilege,
the administrator can’t see or manage Syslog server profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Email | Specifies whether the administrator can
see and configure email server profiles. If you set this privilege
to read-only, the administrator can see email server profiles but can’t
manage them. If you disable this privilege, the administrator
can’t see or manage email server profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
RADIUS | Specifies whether the administrator can
see and configure the RADIUS server profiles that are used to authenticate
Panorama administrators. If you set this privilege to read-only,
the administrator can see the RADIUS server profiles but can’t manage
them. If you disable this privilege, the administrator can’t see
or manage the RADIUS server profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
TACACS+ | Specifies whether the administrator can
see and configure the TACACS+ server profiles that are used to authenticate
Panorama administrators. If you disable this privilege, the
administrator can’t see the node or configure settings for the TACACS+ servers
that authentication profiles reference. If you set this privilege
to read-only, the administrator can view existing TACACS+ server profiles
but can’t add or edit them. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
LDAP | Specifies whether the administrator can
see and configure the LDAP server profiles that are used to authenticate
Panorama administrators. If you set this privilege to read-only,
the administrator can see the LDAP server profiles but can’t manage
them. If you disable this privilege, the administrator can’t see
or manage the LDAP server profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Kerberos | Specifies whether the administrator can
see and configure the Kerberos server profiles that are used to authenticate
Panorama administrators. If you set this privilege to read-only,
the administrator can see the Kerberos server profiles but can’t
manage them. If you disable this privilege, the administrator
can’t see or manage the Kerberos server profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
SAML Identity Provider | Specifies whether the administrator can
see and configure the SAML Identity Provider (IdP) server profiles that
are used to authenticate Panorama administrators. If you set
this privilege to read-only, the administrator can see the SAML
IdP server profiles but can’t manage them. If you disable
this privilege, the administrator can’t see or manage the SAML IdP server
profiles. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Scheduled Config Export | Specifies whether the administrator can
view, add, edit, delete, or clone scheduled Panorama configuration exports. If
you set this privilege to read-only, the administrator can view
the scheduled exports but can’t manage them. If you disable
this privilege, the administrator can’t see or manage the scheduled exports. | Panorama: Yes Device Group/Template: No | Yes | No | Yes |
Software | Specifies whether the administrator can:
view information about software updates installed on the Panorama
management server; download, upload, or install the updates; and
view the associated release notes. If you set this privilege
to read-only, the administrator can view information about Panorama
software updates and view the associated release notes but can’t
perform any related operations. If you disable this privilege,
the administrator can’t see Panorama software updates, see the associated
release notes, or perform any related operations. The Panorama > Device
Deployment > Software privilege
controls access to PAN-OS software deployed on firewalls and Panorama
software deployed on Dedicated Log Collectors. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Dynamic Updates | Specifies whether the administrator can:
view information about content updates installed on the Panorama
management server (for example, WildFire updates); download, upload,
install, or revert the updates; and view the associated release
notes. If you set this privilege to read-only, the administrator
can view information about Panorama content updates and view the
associated release notes but can’t perform any related operations. If
you disable this privilege, the administrator can’t see Panorama
content updates, see the associated release notes, or perform any
related operations. The Panorama > Device
Deployment > Dynamic
Updates privilege controls access to content updates deployed
on firewalls and Dedicated Log Collectors. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Support | Specifies whether the administrator can:
view Panorama support license information, product alerts, and security
alerts; activate a support license, and manage cases. Only a superuser
admin can generate Tech Support files. If you set this privilege
to read-only, the administrator can view Panorama support information,
product alerts, and security alerts, but can’t activate a support
license, generate Tech Support files, or manage cases. If
you disable this privilege, the administrator can’t: see Panorama
support information, product alerts, or security alerts; activate
a support license, generate Tech Support files, or manage cases. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |
Device Deployment | Sets the default state, enabled or disabled,
for all the privileges associated with deploying licenses and software or
content updates to firewalls and Log Collectors. The Panorama > Software and Panorama > Dynamic
Updates privileges control the software and content updates
installed on a Panorama management server. | Panorama: Yes Device Group/Template: Yes | Yes | No | Yes |
Software | Specifies whether the administrator can:
view information about the software updates installed on firewalls and
Log Collectors; download, upload, or install the updates; and view
the associated release notes. If you set this privilege to read-only,
the administrator can see information about the software updates
and view the associated release notes but can’t deploy the updates
to firewalls or dedicated Log Collectors. If you
disable this privilege, the administrator can’t see information
about the software updates, see the associated release notes, or deploy
the updates to firewalls or Dedicated Log Collectors. | Panorama: Yes Device Group/Template: Yes | Yes | Yes | Yes |
GlobalProtect Client | Specifies whether the administrator can:
view information about GlobalProtect app software updates on firewalls;
download, upload, or activate the updates; and view the associated
release notes. If you set this privilege to read-only, the
administrator can see information about GlobalProtect app software updates
and view the associated release notes but can’t activate the updates
on firewalls. If you disable this privilege, the administrator
can’t see information about GlobalProtect app software updates,
see the associated release notes, or activate the updates on firewalls. | Panorama: Yes Device Group/Template: Yes | Yes | Yes | Yes |
Dynamic Updates | Specifies whether the administrator can:
view information about the content updates (for example, Applications
updates) installed on firewalls and Dedicated Log Collectors; download,
upload, or install the updates; and view the associated release
notes. If you set this privilege to read-only, the administrator
can see information about the content updates and view the associated
release notes but can’t deploy the updates to firewalls or Dedicated
Log Collectors. If you disable this privilege, the administrator
can’t see information about the content updates, see the associated
release notes, or deploy the updates to firewalls or Dedicated Log Collectors. | Panorama: Yes Device Group/Template: Yes | Yes | Yes | Yes |
Licenses | Specifies whether the administrator can
view, refresh, and activate firewall licenses. If you set
this privilege to read-only, the administrator can view firewall
licenses but can’t refresh or activate those licenses. If
you disable this privilege, the administrator can’t view, refresh,
or activate firewall licenses. | Panorama: Yes Device Group/Template: Yes | Yes | Yes | Yes |
Master Key and Diagnostics | Specifies whether the administrator can
view and configure a master key by which to encrypt private keys
on Panorama. If you set this privilege to read-only, the administrator
can view the Panorama master key configuration but can’t change it. If
you disable this privilege, the administrator can’t see or edit
the Panorama master key configuration. | Panorama: Yes Device Group/Template: No | Yes | Yes | Yes |