Palo Alto Networks: Create users with different roles in CLI

Default user
The default user for the new Palo Alto firewall is admin and password is admin. To check the available user use show mgt-config command.

admin@PA-5050# show mgt-config
mgt-config {
  users {
    admin {
      phash fnRL/G5lXVMug;
      permissions {
        role-based {
          superuser yes;
        }
      }
    }
  }
}
[edit]
admin@PA-5050#

Types of privileges
1. Superuser, this is the root user of the firewall, you have full configuration access of the firewall which also includes the access to create user accounts and virtual systems. This privilege also can create another user with superuser rights.

2. Superreader, you have full read access to the firewall except you cannot do any configuration.

3. vsysadmin, you have full configuration access to the selected virtual system on the firewall.

4. vsysreader, you have full read access to the selected virtual system on the firewall, and you cannot do any configuration to the selected virtual system.

5. deviceadmin, you have full configuration access to the selected device except for creating user accounts and virtual system on the firewall.

6. devicereader, you have full read access to the selected device, and no configuration rights like deviceadmin.

mgt-config hirerachy
You define user roles under mgt-config hierarchy.
For example I want to create a new user name cyruslab with superuser rights.

admin@PA-5050> configure
Entering configuration mode
[edit]
admin@PA-5050# set mgt-config users cyruslab password
Enter password   :
Confirm password :

[edit]
admin@PA-5050# set mgt-config users cyruslab permissions role-based superuser yes

[edit]
admin@PA-5050# commit


....75%99%.....100%
Configuration committed successfully

[edit]
admin@PA-5050#

To verify the configuration after commit

admin@PA-5050# show mgt-config users cyruslab
cyruslab {
  phash $1$panetwrx$XZrls5mlf03IRRB7QxS2T1;
  permissions {
    role-based {
      superuser yes;
    }
  }
}
[edit]
admin@PA-5050#

Suppose I decided to change cyruslab to superreader instead of superuser and change password after user role changed.

admin@PA-5050# edit mgt-config users cyruslab
[edit mgt-config users cyruslab]
admin@PA-5050# set permissions role-based superreader yes

[edit mgt-config users cyruslab]
admin@PA-5050# set password
Enter password   :
Confirm password :

[edit mgt-config users cyruslab]
admin@PA-5050# commit


....75%99%.....100%
Configuration committed successfully

[edit mgt-config users cyruslab]
admin@PA-5050#

Verify superreader’s privilege
I will login as cyruslab which has a superreader rights.

PA-5050 login: cyruslab
Password:
cyruslab@PA-5050> configure
Entering configuration mode
[edit]
cyruslab@PA-5050#
  check   Check configuration status
  edit    Edit a sub-element
  exit    Exit from this level
  quit    Quit from this level
  run     Run an operational-mode command
  show    Show a parameter
  top     Exit to top level of configuration
  up      Exit one level of configuration

cyruslab@PA-5050#

As you can see I can only use show command in configuration mode and no configuration options are available under superreader privilege.

Deviceadmin
The deviceadmin privilege is almost the same as superuser except that it cannot create any user accounts and virtual systems.

cyruslab@PA-5050# show mgt-config users cyruslab
cyruslab {
  phash ********;
  permissions {
    role-based {
      deviceadmin localhost.localdomain;
    }
  }
}
[edit]
cyruslab@PA-5050#

cyruslab has changed the privilege to deviceadmin let’s see if this account can create any user.

cyruslab@PA-5050# set
> address              address
> address-group        address-group
> application          application
> application-filter   application-filter
> application-group    application-group
> captive-portal       captive-portal
> deviceconfig         deviceconfig
> email-scheduler      email-scheduler
> global-protect       GlobalProtect
> group-mapping        group-mapping
> network              network configuration
> pdf-summary-report   pdf-summary-report
> profile-group        profile-group
> profiles             profiles
> region               region
> report-group         report-group
> reports              reports
> rulebase             rulebase
> schedule             schedule
> service              service
> service-group        service-group
> setting              setting
--more--
> shared               shared
> threats              threats
> ts-agent             ts-agent
> url-admin-override   url-admin-override
> url-content-types    url-content-types
> user-id-agent        user-id-agent
> zone                 zone
  display-name         alphanumeric string [ 0-9a-zA-Z._-]

cyruslab@PA-5050# set

The mgt-config hierarchy is removed in this deviceadmin privilege, however you still can show the mgt-config parameters.

cyruslab@PA-5050# show mgt-config
mgt-config {
  users {
    admin {
      phash ********;
      permissions {
        role-based {
          superuser yes;
        }
      }
    }
    cyruslab {
      phash ********;
      permissions {
        role-based {
          deviceadmin localhost.localdomain;
        }
      }
    }
  }
}
[edit]
cyruslab@PA-5050#

You cannot delete the user as well, as mgt-config is removed in deviceadmin privilege.

cyruslab@PA-5050# delete
  address              address
  address-group        address-group
  application          application
  application-filter   application-filter
  application-group    application-group
  captive-portal       captive-portal
  deviceconfig         deviceconfig
  display-name         alphanumeric string [ 0-9a-zA-Z._-]
  email-scheduler      email-scheduler
  global-protect       GlobalProtect
  group-mapping        group-mapping
  network              network configuration
  pdf-summary-report   pdf-summary-report
  profile-group        profile-group
  profiles             profiles
  region               region
  report-group         report-group
  reports              reports
  rulebase             rulebase
  schedule             schedule
  service              service
  service-group        service-group
--more--
  setting              setting
  shared               shared
  threats              threats
  ts-agent             ts-agent
  url-admin-override   url-admin-override
  url-content-types    url-content-types
  user-id-agent        user-id-agent
  zone                 zone

cyruslab@PA-5050# delete

Devicereader
Now I will reassign cyruslab to devicereader privilege and commit.

admin@PA-5050# set mgt-config users cyruslab permissions role-based devicereader localhost.localdomain

[edit]
admin@PA-5050# commit


....75%99%.....100%
Configuration committed successfully

[edit]
admin@PA-5050#

The rights of devicereader is the same as superreader, I do not see any difference.

PA-5050 login: cyruslab
Password:
Last login: Tue Dec 11 00:03:38 on ttyS0
cyruslab@PA-5050> configure
Entering configuration mode
[edit]
cyruslab@PA-5050#
  check   Check configuration status
  edit    Edit a sub-element
  exit    Exit from this level
  quit    Quit from this level
  run     Run an operational-mode command
  show    Show a parameter
  top     Exit to top level of configuration
  up      Exit one level of configuration

cyruslab@PA-5050#

Delete configuration/delete user
delete is the opposite of what set does, you can remove configuration by using delete, you can also delete your user account using this command.

admin@PA-5050# delete mgt-config users cyruslab

[edit]
admin@PA-5050# commit


....75%99%.....100%
Configuration committed successfully

[edit]
admin@PA-5050# show mgt-config users
users {
  admin {
    phash fnRL/G5lXVMug;
    permissions {
      role-based {
        superuser yes;
      }
    }
  }
}
[edit]
admin@PA-5050#