Default user
The default user on a new Palo Alto firewall is admin, and the default password is admin. To check the available users, use the show mgt-config command.
admin@PA-5050# show mgt-config
mgt-config {
  users {
    admin {
      phash fnRL/G5lXVMug;
      permissions {
        role-based {
          superuser yes;
        }
      }
    }
  }
}
[edit]
admin@PA-5050#
Types of privileges
1. superuser: the root user of the firewall. You have full configuration access to the firewall, including the ability to create user accounts and virtual systems. This privilege can also create other users with superuser rights.
2. superreader: you have full read access to the firewall, but you cannot make any configuration changes.
3. vsysadmin: you have full configuration access to the selected virtual system on the firewall.
4. vsysreader: you have full read access to the selected virtual system on the firewall, but you cannot make any configuration changes to it.
5. deviceadmin: you have full configuration access to the selected device, except for creating user accounts and virtual systems on the firewall.
6. devicereader: you have full read access to the selected device, with no configuration rights, unlike deviceadmin.
mgt-config hierarchy
You define user roles under the mgt-config hierarchy.
For example, I want to create a new user named cyruslab with superuser rights.
admin@PA-5050> configure
Entering configuration mode
[edit]
admin@PA-5050# set mgt-config users cyruslab password
Enter password   :
Confirm password :
[edit]
admin@PA-5050# set mgt-config users cyruslab permissions role-based superuser yes
[edit]
admin@PA-5050# commit
....75%99%.....100%
Configuration committed successfully
[edit]
admin@PA-5050#
To verify the configuration after the commit:
admin@PA-5050# show mgt-config users cyruslab
cyruslab {
  phash $1$panetwrx$XZrls5mlf03IRRB7QxS2T1;
  permissions {
    role-based {
      superuser yes;
    }
  }
}
[edit]
admin@PA-5050#
Suppose I decide to change cyruslab from superuser to superreader, and to change the password after the role change.
admin@PA-5050# edit mgt-config users cyruslab
[edit mgt-config users cyruslab]
admin@PA-5050# set permissions role-based superreader yes
[edit mgt-config users cyruslab]
admin@PA-5050# set password
Enter password   :
Confirm password :
[edit mgt-config users cyruslab]
admin@PA-5050# commit
....75%99%.....100%
Configuration committed successfully
[edit mgt-config users cyruslab]
admin@PA-5050#
Verify superreader's privilege
I will log in as cyruslab, which now has superreader rights.
PA-5050 login: cyruslab
Password:
cyruslab@PA-5050> configure
Entering configuration mode
[edit]
cyruslab@PA-5050#
  check   Check configuration status
  edit    Edit a sub-element
  exit    Exit from this level
  quit    Quit from this level
  run     Run an operational-mode command
  show    Show a parameter
  top     Exit to top level of configuration
  up      Exit one level of configuration
cyruslab@PA-5050#
As you can see, I can only use the show command in configuration mode; no configuration options are available under the superreader privilege.
Deviceadmin
The deviceadmin privilege is almost the same as superuser, except that it cannot create any user accounts or virtual systems.
cyruslab@PA-5050# show mgt-config users cyruslab
cyruslab {
  phash ********;
  permissions {
    role-based {
      deviceadmin localhost.localdomain;
    }
  }
}
[edit]
cyruslab@PA-5050#
cyruslab's privilege has been changed to deviceadmin; let's see if this account can create any user.
cyruslab@PA-5050# set
> address               address
> address-group         address-group
> application           application
> application-filter    application-filter
> application-group     application-group
> captive-portal        captive-portal
> deviceconfig          deviceconfig
> email-scheduler       email-scheduler
> global-protect        GlobalProtect
> group-mapping         group-mapping
> network               network configuration
> pdf-summary-report    pdf-summary-report
> profile-group         profile-group
> profiles              profiles
> region                region
> report-group          report-group
> reports               reports
> rulebase              rulebase
> schedule              schedule
> service               service
> service-group         service-group
> setting               setting
> shared                shared
> threats               threats
> ts-agent              ts-agent
> url-admin-override    url-admin-override
> url-content-types     url-content-types
> user-id-agent         user-id-agent
> zone                  zone
  display-name          alphanumeric string [ 0-9a-zA-Z._-]
cyruslab@PA-5050# set
The mgt-config hierarchy is removed under the deviceadmin privilege; however, you can still show the mgt-config parameters.
cyruslab@PA-5050# show mgt-config
mgt-config {
  users {
    admin {
      phash ********;
      permissions {
        role-based {
          superuser yes;
        }
      }
    }
    cyruslab {
      phash ********;
      permissions {
        role-based {
          deviceadmin localhost.localdomain;
        }
      }
    }
  }
}
[edit]
cyruslab@PA-5050#
You cannot delete a user either, as mgt-config is removed under the deviceadmin privilege.
cyruslab@PA-5050# delete
  address               address
  address-group         address-group
  application           application
  application-filter    application-filter
  application-group     application-group
  captive-portal        captive-portal
  deviceconfig          deviceconfig
  display-name          alphanumeric string [ 0-9a-zA-Z._-]
  email-scheduler       email-scheduler
  global-protect        GlobalProtect
  group-mapping         group-mapping
  network               network configuration
  pdf-summary-report    pdf-summary-report
  profile-group         profile-group
  profiles              profiles
  region                region
  report-group          report-group
  reports               reports
  rulebase              rulebase
  schedule              schedule
  service               service
  service-group         service-group
  setting               setting
  shared                shared
  threats               threats
  ts-agent              ts-agent
  url-admin-override    url-admin-override
  url-content-types     url-content-types
  user-id-agent         user-id-agent
  zone                  zone
cyruslab@PA-5050# delete
Devicereader
Now I will reassign cyruslab to the devicereader privilege and commit.
admin@PA-5050# set mgt-config users cyruslab permissions role-based devicereader localhost.localdomain
[edit]
admin@PA-5050# commit
....75%99%.....100%
Configuration committed successfully
[edit]
admin@PA-5050#
The rights of devicereader are the same as those of superreader; I do not see any difference.
PA-5050 login: cyruslab
Password:
Last login: Tue Dec 11 00:03:38 on ttyS0
cyruslab@PA-5050> configure
Entering configuration mode
[edit]
cyruslab@PA-5050#
  check   Check configuration status
  edit    Edit a sub-element
  exit    Exit from this level
  quit    Quit from this level
  run     Run an operational-mode command
  show    Show a parameter
  top     Exit to top level of configuration
  up      Exit one level of configuration
cyruslab@PA-5050#
Delete configuration/delete user
delete is the opposite of what set does: you can remove configuration by using delete, and you can also delete a user account with this command.
admin@PA-5050# delete mgt-config users cyruslab
[edit]
admin@PA-5050# commit
....75%99%.....100%
Configuration committed successfully
[edit]
admin@PA-5050# show mgt-config users
users {
  admin {
    phash fnRL/G5lXVMug;
    permissions {
      role-based {
        superuser yes;
      }
    }
  }
}
[edit]
admin@PA-5050#
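The role list and the show mgt-config output above map directly onto a small account audit. The following Python script is an added example, not code from this page or from Palo Alto Networks: it parses the brace-style mgt-config block into nested dicts, lists every administrator with its role and scope, and flags accounts that can create other users, the default admin account still being present, and password hashes in the legacy 13-character crypt(3) format rather than the $1$ MD5-crypt form seen on cyruslab. The sample config is constructed from the outputs shown on this page, and the role-to-capability mapping follows the six roles as described above.

```python
import re

# Constructed sample, modelled on the `show mgt-config` output shown on this page.
SAMPLE_MGT_CONFIG = """
mgt-config {
  users {
    admin {
      phash fnRL/G5lXVMug;
      permissions {
        role-based {
          superuser yes;
        }
      }
    }
    cyruslab {
      phash $1$panetwrx$XZrls5mlf03IRRB7QxS2T1;
      permissions {
        role-based {
          deviceadmin localhost.localdomain;
        }
      }
    }
  }
}
"""

# Capability mapping derived from the role descriptions on this page.
CAN_CONFIGURE = {"superuser", "vsysadmin", "deviceadmin"}
CAN_MANAGE_USERS = {"superuser"}


def parse_brace_config(text):
    """Parse PAN-OS brace-style config into nested dicts.

    'name value;' becomes {name: value}; 'name {' opens a nested dict.
    Container names that carry a value (e.g. 'cyruslab {' after a scoped
    show) are keyed by the full token string.
    """
    tokens = text.replace("{", " { ").replace("}", " } ").replace(";", " ; ").split()
    root, stack, i = {}, [], 0
    stack.append(root)
    while i < len(tokens):
        if tokens[i] == "}":
            stack.pop()
            i += 1
            continue
        j = i + 1
        values = []
        while tokens[j] not in ("{", ";"):  # collect tokens up to the terminator
            values.append(tokens[j])
            j += 1
        key = " ".join([tokens[i]] + values) if tokens[j] == "{" else tokens[i]
        if tokens[j] == "{":
            child = {}
            stack[-1][key] = child
            stack.append(child)
        else:
            stack[-1][key] = " ".join(values)
        i = j + 1
    return root


def is_legacy_crypt(phash):
    """True for a traditional DES crypt(3) hash: 13 chars, no '$id$' prefix.
    Masked hashes ('********', as shown to non-superusers) are reported as unknown."""
    if phash.startswith("$") or phash.startswith("*"):
        return False
    return len(phash) == 13 and re.fullmatch(r"[./0-9A-Za-z]{13}", phash) is not None


def audit_users(config):
    """Return one record per administrator under mgt-config/users."""
    findings = []
    for name, entry in config["mgt-config"]["users"].items():
        roles = entry.get("permissions", {}).get("role-based", {})
        role = next(iter(roles), None)           # PAN-OS stores one role per user
        findings.append({
            "user": name,
            "role": role,
            "scope": roles.get(role),             # 'yes' or a device/vsys name
            "can_configure": role in CAN_CONFIGURE,
            "can_manage_users": role in CAN_MANAGE_USERS,
            "legacy_hash": is_legacy_crypt(entry.get("phash", "")),
        })
    return findings


def warnings_for(findings):
    """Human-readable review points a defender would want from the audit."""
    out = []
    if any(f["user"] == "admin" for f in findings):
        out.append("default 'admin' account is still present")
    for f in findings:
        if f["can_manage_users"]:
            out.append(f"{f['user']} can create further administrator accounts ({f['role']})")
        if f["legacy_hash"]:
            out.append(f"{f['user']} has a legacy 13-character crypt password hash")
    return out


if __name__ == "__main__":
    for line in warnings_for(audit_users(parse_brace_config(SAMPLE_MGT_CONFIG))):
        print("WARNING:", line)
```

Paste the output of show mgt-config into SAMPLE_MGT_CONFIG (or read it from a file) to audit a real device; prompt lines and the trailing [edit] marker must be stripped first, as the parser only understands the brace block itself.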