Web Interface Access Privileges
If you want to prevent a role-based administrator from accessing specific tabs on the web interface, disable those tabs in the Admin Role profile; the administrator will not even see them when logging in with an account assigned that role. For example, you could create an Admin Role profile for your operations staff that provides access to the Device and Network tabs only, and a separate profile for your security administrators that provides access to the Objects, Policies, and Monitor tabs.
An admin role applies at either the Device level or the Virtual System level, as selected by the Device or Virtual System radio button. If you select Virtual System, an administrator assigned this profile is restricted to the virtual system(s) assigned to that administrator. Furthermore, only the Device > Setup > Services > Virtual Systems tab is available to that administrator, not the Global tab.
The following topics describe how to set admin role privileges for the different parts of the web interface:
Define Access to the Web Interface Tabs
The following table describes the top-level access privileges you can assign to an admin role profile (Device > Admin Roles). You can enable, disable, or define read-only access privileges at the top-level tabs in the web interface.
Access Level Description Enable Read Only Disable
Dashboard Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets. Yes No Yes
ACC Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option. Yes No Yes
Monitor Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports or to App Scope. For more granular control over what monitoring information the administrator can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab. Yes No Yes
Policies Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the administrator can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab. Yes No Yes
Objects Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the administrator can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab. Yes No Yes
Network Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what network configuration the administrator can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab. Yes No Yes
Device Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any firewall-wide configuration information, such as User-ID, high availability, server profile, or certificate configuration information. For more granular control over what device settings the administrator can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab. You cannot enable access to the Admin Roles or Administrators nodes for a role-based administrator even if you enable full access to the Device tab. Yes No Yes
Provide Granular Access to the Monitor Tab
In some cases you might want to let the administrator view some but not all areas of the Monitor tab. For example, you might want to restrict operations administrators to the Configuration and System logs only, because those logs do not contain sensitive user data. Although this section of the admin role definition specifies which areas of the Monitor tab the administrator can see, you can also couple the privileges in this section with privacy privileges, such as disabling the ability to see user names in logs and reports. Keep in mind, however, that system-generated reports will still show user names and IP addresses even if you disable that functionality in the role. For this reason, if you do not want the administrator to see any private user information, disable access to the specific reports as detailed in the following table.
The following table lists the Monitor tab access levels and the administrator roles for which they are available.
Device Group and Template roles can see log data only for the device groups that are within the access domains assigned to those roles.
Access Level Description Administrator Role Availability Enable Read Only Disable
Monitor Enables or disables access to the Monitor tab. If disabled, the administrator will not see this tab or any of the associated logs or reports. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Logs Enables or disables access to all log files. You can also leave this privilege enabled and then disable specific logs that you do not want the administrator to see. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the logs, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Traffic Specifies whether the administrator can see the traffic logs. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Threat Specifies whether the administrator can see the threat logs. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
URL Filtering Specifies whether the administrator can see the URL filtering logs. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
WildFire Submissions Specifies whether the administrator can see the WildFire logs. These logs are only available if you have a WildFire subscription. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Data Filtering Specifies whether the administrator can see the data filtering logs. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
HIP Match Specifies whether the administrator can see the HIP Match logs. HIP Match logs are only available if you have a GlobalProtect portal license and gateway subscription. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Configuration Specifies whether the administrator can see the configuration logs. Firewall: Yes Panorama: Yes Device Group/Template: No Yes No Yes
System Specifies whether the administrator can see the system logs. Firewall: Yes Panorama: Yes Device Group/Template: No Yes No Yes
Alarms Specifies whether the administrator can see system-generated alarms. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Automated Correlation Engine Enables or disables access to the correlation objects and correlated event logs generated on the firewall. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Correlation Objects Specifies whether the administrator can view and enable/disable the correlation objects. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Correlated Events Specifies whether the administrator Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Packet Capture Specifies whether the administrator can see packet captures (pcaps) from the Monitor tab. Keep in mind that packet captures are raw flow data and as such may contain user IP addresses. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in the pcap and you should therefore disable the Packet Capture privilege if you are concerned about user privacy. Firewall: Yes Panorama: No Device Group/Template: No Yes Yes Yes
App Scope Specifies whether the administrator can see the App Scope visibility and analysis tools. Enabling App Scope enables access to all of the App Scope charts. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Session Browser Specifies whether the administrator can browse and filter current running sessions on the firewall. Keep in mind that the session browser shows raw flow data and as such may contain user IP addresses. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in the session browser and you should therefore disable the Session Browser privilege if you are concerned about user privacy. Firewall: Yes Panorama: No Device Group/Template: No Yes No Yes
Botnet Specifies whether the administrator can generate and view botnet analysis reports or view botnet reports in read-only mode. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in scheduled botnet reports and you should therefore disable the Botnet privilege if you are concerned about user privacy. Firewall: Yes Panorama: No Device Group/Template: No Yes Yes Yes
PDF Reports Enables or disables access to all PDF reports. You can also leave this privilege enabled and then disable specific PDF reports that you do not want the administrator to see. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the reports, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Manage PDF Summary Specifies whether the administrator can view, add or delete PDF summary report definitions. With read-only access, the administrator can see PDF summary report definitions, but not add or delete them. If you disable this option, the administrator can neither view the report definitions nor add/delete them. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes Yes Yes
PDF Summary Reports Specifies whether the administrator can see the generated PDF Summary reports in Monitor > Reports. If you disable this option, the PDF Summary Reports category will not display in the Reports node. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
User Activity Report Specifies whether the administrator can view, add or delete User Activity report definitions and download the reports. With read-only access, the administrator can see User Activity report definitions, but not add, delete, or download them. If you disable this option, the administrator cannot see this category of PDF report. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes Yes Yes
SaaS Application Usage Report Specifies whether the administrator can view, add or delete a SaaS application usage report. With read-only access, the administrator can see the SaaS application usage report definitions, but cannot add or delete them. If you disable this option, the administrator can neither view the report definitions nor add or delete them. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes Yes Yes
Report Groups Specifies whether the administrator can view, add or delete report group definitions. With read-only access, the administrator can see report group definitions, but not add or delete them. If you disable this option, the administrator cannot see this category of PDF report. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes Yes Yes
Email Scheduler Specifies whether the administrator can schedule report groups for email. The generated reports that get emailed may contain sensitive user data that is not removed by disabling the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option, and they may also show log data to which the administrator does not have access; for these reasons, disable the Email Scheduler option if you have user privacy requirements. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes Yes Yes
Manage Custom Reports Enables or disables access to all custom report functionality. You can also leave this privilege enabled and then disable specific custom report categories that you do not want the administrator to be able to access. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the reports, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option. Reports that are scheduled to run rather than run on demand will show IP address and user information; in this case, be sure to restrict access to the corresponding report areas. In addition, the custom report feature does not prevent the administrator from generating reports that draw on logs excluded from the administrator role. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Application Statistics Specifies whether the administrator can create a custom report that includes data from the application statistics database. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Data Filtering Log Specifies whether the administrator can create a custom report that includes data from the Data Filtering logs. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Threat Log Specifies whether the administrator can create a custom report that includes data from the Threat logs. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Threat Summary Specifies whether the administrator can create a custom report that includes data from the Threat Summary database. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Traffic Log Specifies whether the administrator can create a custom report that includes data from the Traffic logs. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Traffic Summary Specifies whether the administrator can create a custom report that includes data from the Traffic Summary database. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
URL Log Specifies whether the administrator can create a custom report that includes data from the URL Filtering logs. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
Hipmatch Specifies whether the administrator can create a custom report that includes data from the HIP Match logs. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
WildFire Log Specifies whether the administrator can create a custom report that includes data from the WildFire logs. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
View Scheduled Custom Reports Specifies whether the administrator can view a custom report that has been scheduled to generate. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
View Predefined Application Reports Specifies whether the administrator can view Application Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
View Predefined Threat Reports Specifies whether the administrator can view Threat Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
View Predefined URL Filtering Reports Specifies whether the administrator can view URL Filtering Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
View Predefined Traffic Reports Specifies whether the administrator can view Traffic Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements. Firewall: Yes Panorama: Yes Device Group/Template: Yes Yes No Yes
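As an added example that is not part of this page or of the PAN-OS product, the following Python script turns two points made above into a check you can run against a role configuration: the introduction's split between an operations role (Device and Network tabs only) and a security-administrator role, and the repeated caveat in this table that packet captures, the session browser, botnet reports, emailed reports, scheduled custom reports and the predefined reports are not scrubbed by the Privacy options. The script parses a constructed XML fragment whose layout is modelled on the shape of an exported admin-role entry (shared/admin-role/entry/role/device/webui/...); the element names, the convention that a tab with child nodes is enabled and an absent node is disabled, and the two sample roles are all assumptions made for illustration, so verify them against a configuration exported from your own firewall before relying on the paths.

```python
"""Audit admin role profiles for Monitor nodes that bypass the privacy options.

Added example for this page; not code from the PAN-OS documentation or product.
The XML layout is an assumption modelled on an exported admin-role entry.
"""
import xml.etree.ElementTree as ET

# Constructed sample (not a real export). Convention assumed here: a leaf holds
# enable/read-only/disable; a tab with child elements is enabled with granular
# settings; a node that is absent is treated as disabled.
SAMPLE_CONFIG = """<config><shared><admin-role>
<entry name="ops-role"><role><device><webui>
  <dashboard>enable</dashboard><acc>disable</acc><monitor>disable</monitor>
  <policies>disable</policies><objects>disable</objects>
  <network>enable</network><device>enable</device>
  <privacy><show-full-ip-addresses>disable</show-full-ip-addresses>
    <show-user-names-in-logs-and-reports>disable</show-user-names-in-logs-and-reports></privacy>
</webui></device></role></entry>
<entry name="secadmin-role"><role><device><webui>
  <dashboard>enable</dashboard><acc>enable</acc>
  <monitor>
    <logs><traffic>enable</traffic><threat>enable</threat><configuration>disable</configuration></logs>
    <packet-capture>enable</packet-capture><session-browser>read-only</session-browser>
    <pdf-reports><email-scheduler>disable</email-scheduler></pdf-reports>
  </monitor>
  <policies>enable</policies><objects>enable</objects>
  <network>disable</network><device>disable</device>
  <privacy><show-full-ip-addresses>disable</show-full-ip-addresses>
    <show-user-names-in-logs-and-reports>enable</show-user-names-in-logs-and-reports></privacy>
</webui></device></role></entry>
</admin-role></shared></config>"""

TOP_LEVEL_TABS = ("dashboard", "acc", "monitor", "policies", "objects", "network", "device")

# Monitor nodes the table says are NOT scrubbed by "Show Full IP Addresses" /
# "Show User Names In Logs And Reports" (paths follow the assumed layout above).
PRIVACY_BYPASSING_NODES = {
    "monitor/packet-capture": "pcaps are raw flow data with user IP addresses",
    "monitor/session-browser": "live sessions show user IP addresses",
    "monitor/botnet": "scheduled botnet reports show user IP addresses",
    "monitor/pdf-reports/email-scheduler": "emailed reports are not scrubbed and may include logs the role cannot see",
    "monitor/custom-reports/view-scheduled-custom-reports": "scheduled custom reports show IP and user data",
}

def flatten_webui(webui):
    """Map every leaf under <webui> to its state, e.g. {"monitor/logs/traffic": "enable"}."""
    states = {}

    def walk(elem, path):
        children = list(elem)
        if not children:
            states[path] = (elem.text or "").strip()
            return
        for child in children:
            walk(child, f"{path}/{child.tag}" if path else child.tag)

    walk(webui, "")
    return states

def load_roles(xml_text):
    """Return {role name: {node path: state}} for every device-level admin role."""
    root = ET.fromstring(xml_text)
    roles = {}
    for entry in root.iterfind("./shared/admin-role/entry"):
        webui = entry.find("./role/device/webui")
        if webui is not None:
            roles[entry.get("name")] = flatten_webui(webui)
    return roles

def effective_state(states, path):
    """State a node actually gets: a disabled ancestor hides everything beneath it."""
    parts = path.split("/")
    for depth in range(1, len(parts)):
        if states.get("/".join(parts[:depth])) == "disable":
            return "disable"
    return states.get(path, "disable")

def top_level_access(states):
    """Enable/disable per top-level tab; a tab with granular child nodes counts as enabled."""
    access = {}
    for tab in TOP_LEVEL_TABS:
        if tab in states:
            access[tab] = states[tab]
        else:
            access[tab] = "enable" if any(p.startswith(tab + "/") for p in states) else "disable"
    return access

def is_privacy_restricted(states):
    """True when the role hides full IP addresses or user names in logs and reports."""
    return (states.get("privacy/show-full-ip-addresses") == "disable"
            or states.get("privacy/show-user-names-in-logs-and-reports") == "disable")

def audit_privacy(states):
    """List (path, state, reason) for nodes that leak raw data despite privacy restrictions."""
    if not is_privacy_restricted(states):
        return []
    findings = []
    for path, reason in sorted(PRIVACY_BYPASSING_NODES.items()):
        state = effective_state(states, path)
        if state in ("enable", "read-only"):  # read-only still displays the data
            findings.append((path, state, reason))
    return findings

if __name__ == "__main__":
    for name, states in load_roles(SAMPLE_CONFIG).items():
        print(name, top_level_access(states))
        for path, state, reason in audit_privacy(states):
            print(f"  privacy leak: {path} is {state}: {reason}")
```

Run it directly to print each role's top-level tab access and any privacy findings. With the sample above, the operations role reports nothing because its whole Monitor tab is disabled, while the security-administrator role is flagged for Packet Capture (enabled) and Session Browser (read-only) even though Show Full IP Addresses is off for it. The `effective_state` walk is what prevents a granular node from being reported when a parent tab is disabled, which mirrors the table's rule that a disabled parent hides everything below it.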
Provide Granular Access to the Policy Tab
If you enable the Policies option in the Admin Role profile, you can then enable, disable, or provide read-only access to specific nodes within the tab as necessary for the role you are defining. By enabling access to a specific policy type, you enable the ability to view, add, or delete policy rules. By enabling read-only access to a specific policy type, you enable the administrator to view the corresponding rulebase, but not add or delete rules. Disabling access to a specific policy type prevents the administrator from seeing that rulebase.
Because rules that match specific users (by user name or IP address) must spell those users out explicitly, the privacy settings that hide full IP addresses or user names do not apply to the Policies tab. Therefore, allow access to the Policies tab only to administrators who are excluded from user privacy restrictions.
Access Level Description Enable Read Only Disable
Security Enable this privilege to allow the administrator to view, add, and/or delete security rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the security rulebase, disable this privilege. Yes Yes Yes
NAT Enable this privilege to allow the administrator to view, add, and/or delete NAT rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the NAT rulebase, disable this privilege. Yes Yes Yes
QoS Enable this privilege to allow the administrator to view, add, and/or delete QoS rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the QoS rulebase, disable this privilege. Yes Yes Yes
Policy Based Forwarding Enable this privilege to allow the administrator to view, add, and/or delete Policy-Based Forwarding (PBF) rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the PBF rulebase, disable this privilege. Yes Yes Yes
Decryption Enable this privilege to allow the administrator to view, add, and/or delete decryption rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the decryption rulebase, disable this privilege. Yes Yes Yes
Application Override Enable this privilege to allow the administrator to view, add, and/or delete application override policy rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the application override rulebase, disable this privilege. Yes Yes Yes
Captive Portal Enable this privilege to allow the administrator to view, add, and/or delete Captive Portal rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the Captive Portal rulebase, disable this privilege. Yes Yes Yes
DoS Protection Enable this privilege to allow the administrator to view, add, and/or delete DoS protection rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the DoS protection rulebase, disable this privilege. Yes Yes Yes
Provide Granular Access to the Objects Tab
An object is a container that groups specific policy filter values—such as IP addresses, URLs, applications, or services—for simplified rule definition. For example, an address object might contain specific IP address definitions for the web and application servers in your DMZ zone.
When deciding whether to allow access to the objects tab as a whole, determine whether the administrator will have policy definition responsibilities. If not, the administrator probably does not need access to the tab. If, however, the administrator will need to create policy, you can enable access to the tab and then provide granular access privileges at the node level.
By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding object type. Giving read-only access allows the administrator to view the already defined objects, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.
Access Level Description Enable Read Only Disable
Addresses Specifies whether the administrator can view, add, or delete address objects for use in security policy. Yes Yes Yes
Address Groups Specifies whether the administrator can view, add, or delete address group objects for use in security policy. Yes Yes Yes
Regions Specifies whether the administrator can view, add, or delete region objects for use in security, decryption, or DoS policy. Yes Yes Yes
Applications Specifies whether the administrator can view, add, or delete application objects for use in policy. Yes Yes Yes
Application Groups Specifies whether the administrator can view, add, or delete application group objects for use in policy. Yes Yes Yes
Application Filters Specifies whether the administrator can view, add, or delete application filters for simplification of repeated searches. Yes Yes Yes
Services Specifies whether the administrator can view, add, or delete service objects for use in creating policy rules that limit the port numbers an application can use. Yes Yes Yes
Service Groups Specifies whether the administrator can view, add, or delete service group objects for use in security policy. Yes Yes Yes
Tags Specifies whether the administrator can view, add, or delete tags that have been defined on the firewall. Yes Yes Yes
GlobalProtect Specifies whether the administrator can view, add, or delete HIP objects and profiles. You can restrict access to both types of objects at the GlobalProtect level, or provide more granular control by enabling the GlobalProtect privilege and restricting HIP Object or HIP Profile access. Yes No Yes
HIP Objects Specifies whether the administrator can view, add, or delete HIP objects, which are used to define HIP profiles. HIP Objects also generate HIP Match logs. Yes Yes Yes
HIP Profiles Specifies whether the administrator can view, add, or delete HIP Profiles for use in security policy and/or for generating HIP Match logs. Yes Yes Yes
Dynamic Block Lists Specifies whether the administrator can view, add, or delete dynamic block lists for use in security policy. Yes Yes Yes
Custom Objects Specifies whether the administrator can see the custom spyware and vulnerability signatures. You can restrict access to either enable or disable access to all custom signatures at this level, or provide more granular control by enabling the Custom Objects privilege and then restricting access to each type of signature. Yes No Yes
Data Patterns Specifies whether the administrator can view, add, or delete custom data pattern signatures for use in Data Filtering profiles. Yes Yes Yes
Spyware Specifies whether the administrator can view, add, or delete custom spyware signatures for use in Anti-Spyware profiles. Yes Yes Yes
Vulnerability Specifies whether the administrator can view, add, or delete custom vulnerability signatures for use in creating custom Vulnerability Protection profiles. Yes Yes Yes
URL Category Specifies whether the administrator can view, add, or delete custom URL categories for use in policy. Yes Yes Yes
Security Profiles Specifies whether the administrator can see security profiles. You can restrict access to either enable or disable access to all security profiles at this level, or provide more granular control by enabling the Security Profiles privilege and then restricting access to each type of profile. Yes No Yes
Antivirus Specifies whether the administrator can view, add, or delete antivirus profiles. Yes Yes Yes
Anti-Spyware Specifies whether the administrator can view, add, or delete Anti-Spyware profiles. Yes Yes Yes
Vulnerability Protection Specifies whether the administrator can view, add, or delete Vulnerability Protection profiles. Yes Yes Yes
URL Filtering Specifies whether the administrator can view, add, or delete URL filtering profiles. Yes Yes Yes
File Blocking Specifies whether the administrator can view, add, or delete file blocking profiles. Yes Yes Yes
Data Filtering Specifies whether the administrator can view, add, or delete data filtering profiles. Yes Yes Yes
DoS Protection Specifies whether the administrator can view, add, or delete DoS protection profiles. Yes Yes Yes
Security Profile Groups Specifies whether the administrator can view, add, or delete security profile groups. Yes Yes Yes
Log Forwarding Specifies whether the administrator can view, add, or delete log forwarding profiles. Yes Yes Yes
Decryption Profile Specifies whether the administrator can view, add, or delete decryption profiles. Yes Yes Yes
Schedules Specifies whether the administrator can view, add, or delete schedules for limiting a security policy to a specific date and/or time range. Yes Yes Yes
Provide Granular Access to the Network Tab
When deciding whether to allow access to the Network tab as a whole, determine whether the administrator will have network administration responsibilities, including GlobalProtect administration. If not, the administrator probably does not need access to the tab.
You can also define access to the Network tab at the node level. By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding network configurations. Giving read-only access allows the administrator to view the already-defined configuration, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.
Access Level Description Enable Read Only Disable
Interfaces Specifies whether the administrator can view, add, or delete interface configurations. Yes Yes Yes
Zones Specifies whether the administrator can view, add, or delete zones. Yes Yes Yes
VLANs Specifies whether the administrator can view, add, or delete VLANs. Yes Yes Yes
Virtual Wires Specifies whether the administrator can view, add, or delete virtual wires. Yes Yes Yes
Virtual Routers Specifies whether the administrator can view, add, modify or delete virtual routers. Yes Yes Yes
IPSec Tunnels Specifies whether the administrator can view, add, modify, or delete IPSec Tunnel configurations. Yes Yes Yes
DHCP Specifies whether the administrator can view, add, modify, or delete DHCP server and DHCP relay configurations. Yes Yes Yes
DNS Proxy Specifies whether the administrator can view, add, modify, or delete DNS proxy configurations. Yes Yes Yes
GlobalProtect Specifies whether the administrator can view, add, modify, or delete GlobalProtect portal and gateway configurations. You can disable access to the GlobalProtect functions entirely, or you can enable the GlobalProtect privilege and then restrict the role to either the portal or gateway configuration areas. Yes No Yes
Portals Specifies whether the administrator can view, add, modify, or delete GlobalProtect portal configurations. Yes Yes Yes
Gateways Specifies whether the administrator can view, add, modify, or delete GlobalProtect gateway configurations. Yes Yes Yes
MDM Specifies whether the administrator can view, add, modify, or delete GlobalProtect MDM server configurations. Yes Yes Yes
Device Block List Specifies whether the administrator can view, add, modify, or delete device block lists. Yes Yes Yes
QoS Specifies whether the administrator can view, add, modify, or delete QoS configurations. Yes Yes Yes
LLDP Specifies whether the administrator can view, add, modify, or delete LLDP configurations. Yes Yes Yes
Network Profiles Sets the default state to enable or disable for all of the Network settings described below. Yes No Yes
IKE Gateways Controls access to the Network Profiles > IKE Gateways node. If you disable this privilege, the administrator will not see the IKE Gateways node or define gateways that include the configuration information necessary to perform IKE protocol negotiation with peer gateway. If the privilege state is set to read-only, you can view the currently configured IKE Gateways but cannot add or edit gateways. Yes Yes Yes
GlobalProtect IPSec Crypto Controls access to the Network Profiles > GlobalProtect IPSec Crypto node. If you disable this privilege, the administrator will not see that node, or configure algorithms for authentication and encryption in VPN tunnels between a GlobalProtect gateway and clients. If you set the privilege to read-only, the administrator can view existing GlobalProtect IPSec Crypto profiles but cannot add or edit them. Yes Yes Yes
IPSec Crypto Controls access to the Network Profiles > IPSec Crypto node. If you disable this privilege, the administrator will not see the Network Profiles > IPSec Crypto node or specify protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPSec SA negotiation. If the privilege state is set to read-only, you can view the currently configured IPSec Crypto configuration but cannot add or edit a configuration. Yes Yes Yes
IKE Crypto Controls how devices exchange information to ensure secure communication. Specify the protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPsec SA negotiation (IKEv1 Phase-1). Yes Yes Yes
Monitor Controls access to the Network Profiles > Monitor node. If you disable this privilege, the administrator will not see the Network Profiles > Monitor node or be able to create or edit a monitor profile that is used to monitor IPSec tunnels and monitor a next-hop device for policy-based forwarding (PBF) rules. If the privilege state is set to read-only, you can view the currently configured monitor profile configuration but cannot add or edit a configuration. Yes Yes Yes
Interface Mgmt Controls access to the Network Profiles > Interface Mgmt node. If you disable this privilege, the administrator will not see the Network Profiles > Interface Mgmt node or be able to specify the protocols that are used to manage the firewall. If the privilege state is set to read-only, you can view the currently configured Interface management profile configuration but cannot add or edit a configuration. Yes Yes Yes
Zone Protection Controls access to the Network Profiles > Zone Protection node. If you disable this privilege, the administrator will not see the Network Profiles > Zone Protection node or be able to configure a profile that determines how the firewall responds to attacks from specified security zones. If the privilege state is set to read-only, you can view the currently configured Zone Protection profile configuration but cannot add or edit a configuration. Yes Yes Yes
QoS Profile Controls access to the Network Profiles > QoS node. If you disable this privilege, the administrator will not see the Network Profiles > QoS node or be able to configure a QoS profile that determines how QoS traffic classes are treated. If the privilege state is set to read-only, you can view the currently configured QoS profile configuration but cannot add or edit a configuration. Yes Yes Yes
LLDP Profile Controls access to the Network Profiles > LLDP node. If you disable this privilege, the administrator will not see the Network Profiles > LLDP node or be able to configure an LLDP profile that controls whether the interfaces on the firewall can participate in the Link Layer Discovery Protocol. If the privilege state is set to read-only, you can view the currently configured LLDP profile configuration but cannot add or edit a configuration. Yes Yes Yes
BFD Profile Controls access to the Network Profiles > BFD Profile node. If you disable this privilege, the administrator will not see the Network Profiles > BFD Profile node or be able to configure a BFD profile. A Bidirectional Forwarding Detection (BFD) profile allows you to configure BFD settings to apply to one or more static routes or routing protocols. BFD detects a failed link or BFD peer and allows an extremely fast failover. If the privilege state is set to read-only, you can view the currently configured BFD profile but cannot add or edit a BFD profile. Yes Yes Yes
Provide Granular Access to the Device Tab
To define granular access privileges for the Device tab, when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Device node on the WebUI tab.
Access Level Description Enable Read Only Disable
Setup Controls access to the Setup node. If you disable this privilege, the administrator will not see the Setup node or have access to firewall-wide setup configuration information, such as Management, Operations, Services, Content-ID, WildFire or Session setup information. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. Yes Yes Yes
Management Controls access to the Management node. If you disable this privilege, the administrator will not be able to configure settings such as the hostname, domain, timezone, authentication, logging and reporting, Panorama, management interface, banner, message, and password complexity settings, and more. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. Yes Yes Yes
Operations Controls access to the Operations node. If you disable this privilege, the administrator cannot load firewall configurations, save or revert the firewall configuration, create custom logos, configure SNMP monitoring of firewall settings, or configure the Statistics Service feature. Only administrators with the predefined Superuser role can export or import firewall configurations and shut down the firewall. Only administrators with the predefined Superuser or Device Administrator role can reboot the firewall or restart the dataplane. Administrators with a role that allows access only to specific virtual systems cannot load, save, or revert firewall configurations through the Device > Operations options. Yes Yes Yes
Services Controls access to the Services node. If you disable this privilege, the administrator will not be able to configure services for DNS servers, an update server, proxy server, or NTP servers, or set up service routes. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. Yes Yes Yes
Content-ID Controls access to the Content-ID node. If you disable this privilege, the administrator will not be able to configure URL filtering or Content-ID. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. Yes Yes Yes
WildFire Controls access to the WildFire node. If you disable this privilege, the administrator will not be able to configure WildFire settings. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. Yes Yes Yes
Session Controls access to the Session node. If you disable this privilege, the administrator will not be able to configure session settings or timeouts for TCP, UDP or ICMP, or configure decryption or VPN session settings. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. Yes Yes Yes
HSM Controls access to the HSM node. If you disable this privilege, the administrator will not be able to configure a Hardware Security Module. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. Yes Yes Yes
Config Audit Controls access to the Config Audit node. If you disable this privilege, the administrator will not see the Config Audit node or have access to any firewall-wide configuration information. Yes No Yes
Admin Roles Controls access to the Admin Roles node. This function can only be allowed for read-only access. If you disable this privilege, the administrator will not see the Admin Roles node or have access to any firewall-wide information concerning Admin Role profiles configuration. If you set this privilege to read-only, you can view the configuration information for all administrator roles configured on the firewall. No Yes Yes
Administrators Controls access to the Administrators node. This function can only be allowed for read-only access. If you disable this privilege, the administrator will not see the Administrators node or have access to information about their own administrator account. If you set this privilege to read-only, the administrator can view the configuration information for their own administrator account. They will not see any information about other administrator accounts configured on the firewall. No Yes Yes
Virtual Systems Controls access to the Virtual Systems node. If you disable this privilege, the administrator will not see or be able to configure virtual systems. If the privilege state is set to read-only, you can view the currently configured virtual systems but cannot add or edit a configuration. Yes Yes Yes
Shared Gateways Controls access to the Shared Gateways node. Shared gateways allow virtual systems to share a common interface for external communications. If you disable this privilege, the administrator will not see or be able to configure shared gateways. If the privilege state is set to read-only, you can view the currently configured shared gateways but cannot add or edit a configuration. Yes Yes Yes
User Identification Controls access to the User Identification node. If you disable this privilege, the administrator will not see the User Identification node or have access to firewall-wide User Identification configuration information, such as User Mapping, User-ID Agents, Service, Terminal Services Agents, Group Mappings Settings or Captive Portal Settings. If you set this privilege to read-only, the administrator can view configuration information for the firewall but is not allowed to perform any configuration procedures. Yes Yes Yes
VM Information Source Controls access to the VM Information Source node that allows you to configure the firewall/Windows User-ID agent to collect VM inventory automatically. If you disable this privilege, the administrator will not see the VM Information Source node. If you set this privilege to read-only, the administrator can view the VM information sources configured but cannot add, edit, or delete any sources. This privilege is not available to Device Group and Template administrators. Yes Yes Yes
High Availability Controls access to the High Availability node. If you disable this privilege, the administrator will not see the High Availability node or have access to firewall-wide high availability configuration information such as General setup information or Link and Path Monitoring. If you set this privilege to read-only, the administrator can view High Availability configuration information for the firewall but is not allowed to perform any configuration procedures. Yes Yes Yes
Certificate Management Sets the default state to enable or disable for all of the Certificate settings described below. Yes No Yes
Certificates Controls access to the Certificates node. If you disable this privilege, the administrator will not see the Certificates node or be able to configure or access information regarding Device Certificates or Default Trusted Certificate Authorities. If you set this privilege to read-only, the administrator can view Certificate configuration information for the firewall but is not allowed to perform any configuration procedures. Yes Yes Yes
Certificate Profile Controls access to the Certificate Profile node. If you disable this privilege, the administrator will not see the Certificate Profile node or be able to create certificate profiles. If you set this privilege to read-only, the administrator can view Certificate Profiles that are currently configured for the firewall but is not allowed to create or edit a certificate profile. Yes Yes Yes
OCSP Responder Controls access to the OCSP Responder node. If you disable this privilege, the administrator will not see the OCSP Responder node or be able to define a server that will be used to verify the revocation status of certificates issued by the firewall. If you set this privilege to read-only, the administrator can view the OCSP Responder configuration for the firewall but is not allowed to create or edit an OCSP responder configuration. Yes Yes Yes
SSL/TLS Service Profile Controls access to the SSL/TLS Service Profile node. If you disable this privilege, the administrator will not see the node or be able to configure a profile that specifies a certificate and a protocol version or range of versions for firewall services that use SSL/TLS. If you set this privilege to read-only, the administrator can view existing SSL/TLS Service profiles but cannot create or edit them. Yes Yes Yes
SCEP Controls access to the SCEP node. If you disable this privilege, the administrator will not see the node or be able to define a profile that specifies simple certificate enrollment protocol (SCEP) settings for issuing unique device certificates. If you set this privilege to read-only, the administrator can view existing SCEP profiles but cannot create or edit them. Yes Yes Yes
Response Pages Controls access to the Response Pages node. If you disable this privilege, the administrator will not see the Response Page node or be able to define a custom HTML message that is downloaded and displayed instead of a requested web page or file. If you set this privilege to read-only, the administrator can view the Response Page configuration for the firewall but is not allowed to create or edit a response page configuration. Yes Yes Yes
Log Settings Sets the default state to enable or disable for all of the Log settings described below. Yes No Yes
System Controls access to the Log Settings > System node. If you disable this privilege, the administrator will not see the Log Settings > System node or be able to specify the severity levels of the system log entries that are logged remotely with Panorama and sent as SNMP traps, syslog messages, and/or email notifications. If you set this privilege to read-only, the administrator can view the Log Settings > System configuration for the firewall but is not allowed to create or edit a configuration. Yes Yes Yes
Config Controls access to the Log Settings > Config node. If you disable this privilege, the administrator will not see the Log Settings > Config node or be able to specify the configuration log entries that are logged remotely with Panorama, and sent as syslog messages and/or email notification. If you set this privilege to read-only, the administrator can view the Log Settings > Config configuration for the firewall but is not allowed to create or edit a configuration. Yes Yes Yes
HIP Match Controls access to the Log Settings > HIP Match node. If you disable this privilege, the administrator will not see the Log Settings > HIP Match node or be able to specify the Host Information Profile (HIP) match log settings that are used to provide information on security rules that apply to GlobalProtect clients. If you set this privilege to read-only, the administrator can view the Log Settings > HIP Match configuration for the firewall but is not allowed to create or edit a configuration. Yes Yes Yes
Alarms Controls access to the Log Settings > Alarms node. If you disable this privilege, the administrator will not see the Log Settings > Alarms node or be able to configure notifications that are generated when a security rule (or group of rules) has been hit repeatedly in a set period of time. If you set this privilege to read-only, the administrator can view the Log Settings > Alarms configuration for the firewall but is not allowed to create or edit a configuration. Yes Yes Yes
Manage Logs Controls access to the Log Settings > Manage Logs node. If you disable this privilege, the administrator will not see the Log Settings > Manage Logs node or be able to clear the indicated logs. If you set this privilege to read-only, the administrator can view the Log Settings > Manage Logs information but cannot clear any of the logs. Yes Yes Yes
Server Profiles Sets the default state to enable or disable for all of the Server Profiles settings described below. Yes No Yes
SNMP Trap Controls access to the Server Profiles > SNMP Trap node. If you disable this privilege, the administrator will not see the Server Profiles > SNMP Trap node or be able to specify one or more SNMP trap destinations to be used for system log entries. If you set this privilege to read-only, the administrator can view the Server Profiles > SNMP Trap Logs information but cannot specify SNMP trap destinations. Yes Yes Yes
Syslog Controls access to the Server Profiles > Syslog node. If you disable this privilege, the administrator will not see the Server Profiles > Syslog node or be able to specify one or more syslog servers. If you set this privilege to read-only, the administrator can view the Server Profiles > Syslog information but cannot specify syslog servers. Yes Yes Yes
Email Controls access to the Server Profiles > Email node. If you disable this privilege, the administrator will not see the Server Profiles > Email node or be able to configure an email profile that can be used to enable email notification for system and configuration log entries. If you set this privilege to read-only, the administrator can view the Server Profiles > Email information but cannot configure an email profile. Yes Yes Yes
Netflow Controls access to the Server Profiles > Netflow node. If you disable this privilege, the administrator will not see the Server Profiles > Netflow node or be able to define a NetFlow server profile, which specifies the frequency of the export along with the NetFlow servers that will receive the exported data. If you set this privilege to read-only, the administrator can view the Server Profiles > Netflow information but cannot define a Netflow profile. Yes Yes Yes
RADIUS Controls access to the Server Profiles > RADIUS node. If you disable this privilege, the administrator will not see the Server Profiles > RADIUS node or be able to configure settings for the RADIUS servers that are identified in authentication profiles. If you set this privilege to read-only, the administrator can view the Server Profiles > RADIUS information but cannot configure settings for the RADIUS servers. Yes Yes Yes
TACACS+ Controls access to the Server Profiles > TACACS+ node. If you disable this privilege, the administrator will not see the node or be able to configure settings for the TACACS+ servers that authentication profiles reference. If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but cannot add or edit them. Yes Yes Yes
LDAP Controls access to the Server Profiles > LDAP node. If you disable this privilege, the administrator will not see the Server Profiles > LDAP node or be able to configure settings for the LDAP servers to use for authentication by way of authentication profiles. If you set this privilege to read-only, the administrator can view the Server Profiles > LDAP information but cannot configure settings for the LDAP servers. Yes Yes Yes
Kerberos Controls access to the Server Profiles > Kerberos node. If you disable this privilege, the administrator will not see the Server Profiles > Kerberos node or be able to configure a Kerberos server that allows users to authenticate natively to a domain controller. If you set this privilege to read-only, the administrator can view the Server Profiles > Kerberos information but cannot configure settings for Kerberos servers. Yes Yes Yes
Local User Database Sets the default state to enable or disable for all of the Local User Database settings described below. Yes No Yes
Users Controls access to the Local User Database > Users node. If you disable this privilege, the administrator will not see the Local User Database > Users node or set up a local database on the firewall to store authentication information for remote access users, firewall administrators, and captive portal users. If you set this privilege to read-only, the administrator can view the Local User Database > Users information but cannot set up a local database on the firewall to store authentication information. Yes Yes Yes
User Groups Controls access to the Local User Database > User Groups node. If you disable this privilege, the administrator will not see the Local User Database > User Groups node or be able to add user group information to the local database. If you set this privilege to read-only, the administrator can view the Local User Database > User Groups information but cannot add user group information to the local database. Yes Yes Yes
Authentication Profile Controls access to the Authentication Profile node. If you disable this privilege, the administrator will not see the Authentication Profile node or be able to create or edit authentication profiles that specify local database, RADIUS, TACACS+, LDAP, or Kerberos settings that can be assigned to administrator accounts. If you set this privilege to read-only, the administrator can view the Authentication Profile information but cannot create or edit an authentication profile. Yes Yes Yes
Authentication Sequence Controls access to the Authentication Sequence node. If you disable this privilege, the administrator will not see the Authentication Sequence node or be able to create or edit an authentication sequence. If you set this privilege to read-only, the administrator can view the Authentication Sequence information but cannot create or edit an authentication sequence. Yes Yes Yes
Access Domain Controls access to the Access Domain node. If you disable this privilege, the administrator will not see the Access Domain node or be able to create or edit an access domain. If you set this privilege to read-only, the administrator can view the Access Domain information but cannot create or edit an access domain. Yes Yes Yes
Scheduled Log Export Controls access to the Scheduled Log Export node. If you disable this privilege, the administrator will not see the Scheduled Log Export node or be able to schedule exports of logs and save them to a File Transfer Protocol (FTP) server in CSV format or use Secure Copy (SCP) to securely transfer data between the firewall and a remote host. If you set this privilege to read-only, the administrator can view the Scheduled Log Export Profile information but cannot schedule the export of logs. Yes No Yes
Software Controls access to the Software node. If you disable this privilege, the administrator will not see the Software node or be able to view the latest versions of the PAN-OS software available from Palo Alto Networks, read the release notes for each version, or select a release to download and install. If you set this privilege to read-only, the administrator can view the Software information but cannot download or install software. Yes Yes Yes
GlobalProtect Client Controls access to the GlobalProtect Client node. If you disable this privilege, the administrator will not see the GlobalProtect Client node or be able to view available GlobalProtect releases, download the code, or activate the GlobalProtect agent. If you set this privilege to read-only, the administrator can view the available GlobalProtect Client releases but cannot download or install the agent software. Yes Yes Yes
Dynamic Updates Controls access to the Dynamic Updates node. If you disable this privilege, the administrator will not see the Dynamic Updates node or be able to view the latest updates, read the release notes for each update, or select an update to upload and install. If you set this privilege to read-only, the administrator can view the available Dynamic Updates releases and read the release notes but cannot upload or install the software. Yes Yes Yes
Licenses Controls access to the Licenses node. If you disable this privilege, the administrator will not see the Licenses node or be able to view the licenses installed or activate licenses. If you set this privilege to read-only, the administrator can view the installed Licenses, but cannot perform license management functions. Yes Yes Yes
Support Controls access to the Support node. If you disable this privilege, the administrator cannot see the Support node, activate support, or access production and security alerts from Palo Alto Networks. If you set this privilege to read-only, the administrator can see the Support node and access production and security alerts but cannot activate support. Only administrators with the predefined Superuser role can use the Support node to generate tech support files or generate and download stats dump and core files. Yes Yes Yes
Master Key and Diagnostics Controls access to the Master Key and Diagnostics node. If you disable this privilege, the administrator will not see the Master Key and Diagnostics node or be able to specify a master key to encrypt private keys on the firewall. If you set this privilege to read-only, the administrator can view the Master Key and Diagnostics node and view information about master keys that have been specified but cannot add or edit a new master key configuration. Yes Yes Yes
Define User Privacy Settings in the Admin Role Profile
To define what private end user data an administrator has access to, when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Privacy option on the WebUI tab.
Access Level Description Enable Read Only Disable
Privacy Sets the default state to enable or disable for all of the privacy settings described below. Yes N/A Yes
Show Full IP Addresses When disabled, full IP addresses obtained by traffic running through the Palo Alto Networks firewall are not shown in logs or reports. In place of the IP addresses that are normally displayed, the relevant subnet is displayed. Scheduled reports that are displayed in the interface through Monitor > Reports and reports that are sent via scheduled emails will still display full IP addresses. Because of this exception, we recommend that the following settings within the Monitor tab be set to disable: Custom Reports, Application Reports, Threat Reports, URL Filtering Reports, Traffic Reports and Email Scheduler. Yes N/A Yes
Show User Names in Logs and Reports When disabled, user names obtained by traffic running through the Palo Alto Networks firewall are not shown in logs or reports. Columns where the user names would normally be displayed are empty. Scheduled reports that are displayed in the interface through Monitor > Reports or reports that are sent via the email scheduler will still display user names. Because of this exception, we recommend that the following settings within the Monitor tab be set to disable: Custom Reports, Application Reports, Threat Reports, URL Filtering Reports, Traffic Reports and Email Scheduler. Yes N/A Yes
View PCAP Files When disabled, packet capture files that are normally available within the Traffic, Threat and Data Filtering logs are not displayed. Yes N/A Yes
Restrict Administrator Access to Commit and Validate Functions
To restrict access to commit and validate functions when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Commit and Validate options on the WebUI tab.
Access Level Description Enable Read Only Disable
Commit When disabled, an administrator cannot commit any changes to a configuration. Yes N/A Yes
Validate When disabled, an administrator cannot validate a configuration. Yes N/A Yes
Provide Granular Access to Global Settings
To define what global settings an administrator has access to, when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Global option on the WebUI tab.
Access Level Description Enable Read Only Disable
Global Sets the default state to enable or disable for all of the global settings described below. In effect, this setting is only for System Alarms at this time. Yes N/A Yes
System Alarms When disabled, an administrator cannot view or acknowledge alarms that are generated. Yes N/A Yes
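The tables above (the Device tab rows, and the Privacy, Commit/Validate and Global rows) state two rules that a role reviewer otherwise has to apply by hand: each row accepts only the states its Enable, Read Only and Disable columns allow (Admin Roles and Administrators are read-only or disabled, Config Audit has no read-only state, the Privacy, Commit, Validate and Global options have none either), and a group node such as Certificate Management, Log Settings, Server Profiles, Privacy or Global sets the default state for the rows beneath it. The following Python script is an added example, not PAN-OS code or Palo Alto Networks tooling: it encodes a representative subset of those rows, resolves the effective state of a proposed custom role, checks it against the allowed states, and flags the Monitor-tab report nodes that the Privacy rows say should be disabled alongside Show Full IP Addresses and Show User Names in Logs and Reports. Privilege names are taken from the tables; treating unspecified top-level nodes as disabled, and allowing all three states for the Monitor-tab report nodes (whose rows are not in this section), are assumptions of the example.

```python
"""Added example: consistency checks for a custom admin role profile.

Models two rules stated by the privilege tables:
  1. each privilege accepts only the states its row allows;
  2. a group node sets the default state for the rows beneath it, which an
     explicit child setting overrides.
Not PAN-OS code; privilege names are the row names from the tables.
"""
from dataclasses import dataclass
from typing import Optional

ENABLE, READ_ONLY, DISABLE = "enable", "read-only", "disable"
ALL = frozenset({ENABLE, READ_ONLY, DISABLE})
NO_READ_ONLY = frozenset({ENABLE, DISABLE})            # rows with Read Only = No or N/A
READ_ONLY_OR_DISABLE = frozenset({READ_ONLY, DISABLE})  # rows with Enable = No


@dataclass(frozen=True)
class Privilege:
    name: str
    allowed: frozenset
    group: Optional[str] = None  # node whose state is this row's default


def _p(name, allowed=ALL, group=None):
    return Privilege(name, allowed, group)


# Representative subset of the Device tab, Privacy, Commit/Validate and Global rows.
# The six Monitor-tab report nodes are named in the Privacy rows; their allowed
# states are not in this section, so ALL is an assumption.
PRIVILEGES = {p.name: p for p in [
    _p("Setup"), _p("Management"), _p("Operations"), _p("Services"),
    _p("Config Audit", NO_READ_ONLY),
    _p("Admin Roles", READ_ONLY_OR_DISABLE),
    _p("Administrators", READ_ONLY_OR_DISABLE),
    _p("Certificate Management", NO_READ_ONLY),
    _p("Certificates", group="Certificate Management"),
    _p("Certificate Profile", group="Certificate Management"),
    _p("OCSP Responder", group="Certificate Management"),
    _p("Log Settings", NO_READ_ONLY),
    _p("System", group="Log Settings"),
    _p("Config", group="Log Settings"),
    _p("Manage Logs", group="Log Settings"),
    _p("Server Profiles", NO_READ_ONLY),
    _p("Syslog", group="Server Profiles"),
    _p("RADIUS", group="Server Profiles"),
    _p("Software"), _p("Dynamic Updates"), _p("Master Key and Diagnostics"),
    _p("Privacy", NO_READ_ONLY),
    _p("Show Full IP Addresses", NO_READ_ONLY, group="Privacy"),
    _p("Show User Names in Logs and Reports", NO_READ_ONLY, group="Privacy"),
    _p("View PCAP Files", NO_READ_ONLY, group="Privacy"),
    _p("Commit", NO_READ_ONLY), _p("Validate", NO_READ_ONLY),
    _p("Global", NO_READ_ONLY), _p("System Alarms", NO_READ_ONLY, group="Global"),
    _p("Custom Reports"), _p("Application Reports"), _p("Threat Reports"),
    _p("URL Filtering Reports"), _p("Traffic Reports"), _p("Email Scheduler"),
]}
REPORT_NODES = ("Custom Reports", "Application Reports", "Threat Reports",
                "URL Filtering Reports", "Traffic Reports", "Email Scheduler")
PRIVACY_NODES = ("Show Full IP Addresses", "Show User Names in Logs and Reports")


def resolve(profile: dict, default: str = DISABLE) -> dict:
    """Effective state of every known privilege: explicit entry, else the group
    node's state, else `default`. Deny-by-default is this example's assumption,
    not a statement about what the web interface pre-selects."""
    effective = {}
    for name, priv in PRIVILEGES.items():
        if name in profile:
            effective[name] = profile[name]
        elif priv.group is not None and priv.group in profile:
            effective[name] = profile[priv.group]
        else:
            effective[name] = default
    return effective


def validate(profile: dict) -> list:
    """Problems found; an empty list means every entry is a known row in an allowed state."""
    problems = []
    for name, state in profile.items():
        priv = PRIVILEGES.get(name)
        if priv is None:
            problems.append(f"unknown privilege {name!r}")
        elif state not in priv.allowed:
            problems.append(f"{name}: state {state!r} not allowed (allowed: {sorted(priv.allowed)})")
    return problems


def privacy_warnings(profile: dict) -> list:
    """Scheduled and emailed reports still show full IP addresses and user names
    when the Privacy options hide them, so flag any report node left open."""
    eff = resolve(profile)
    return [f"{node} is {eff[node]} while {hidden} is disabled; reports there still reveal the data"
            for hidden in PRIVACY_NODES if eff[hidden] == DISABLE
            for node in REPORT_NODES if eff[node] != DISABLE]


def deny_by_default(enabled=(), read_only=()) -> dict:
    """Explicit state for every top-level node (children follow their group),
    disabled unless listed, so a reviewer sees each grant spelled out."""
    profile = {n: DISABLE for n, p in PRIVILEGES.items() if p.group is None}
    profile.update({n: ENABLE for n in enabled})
    profile.update({n: READ_ONLY for n in read_only})
    return profile


if __name__ == "__main__":
    # Constructed example: operations staff manage services and logging, may
    # commit, see their own account read-only, and must not see end-user data.
    ops = deny_by_default(
        enabled=("Setup", "Services", "Log Settings", "Server Profiles", "Commit", "Validate"),
        read_only=("Administrators", "Admin Roles", "Software"))
    print("problems:", validate(ops))
    print("Syslog effective state:", resolve(ops)["Syslog"])
    print("privacy warnings:", privacy_warnings(dict(ops, **{"Custom Reports": ENABLE})))
```

Run it as a pre-commit review step for a role change: an empty `validate` list and an empty `privacy_warnings` list mean the proposed profile is consistent with the tables; anything else names the row and the state that conflicts.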
Provide Granular Access to the Panorama Tab
The following table lists the Panorama tab access levels and the custom Panorama administrator roles for which they are available. Firewall administrators cannot access any of these privileges.
Access Level Description Administrator Role Availability Enable Read Only Disable
Setup Specifies whether the administrator can view or edit Panorama setup information, such as Management, Operations, Services, WildFire, or HSM. If you set the privilege to read-only, the administrator can see the information but cannot edit it. If you disable this privilege, the administrator cannot see or edit the information. Panorama: Yes Device Group/Template: No Yes Yes Yes
High Availability Specifies whether the administrator can view and manage high availability (HA) settings for the Panorama management server. If you set this privilege to read-only, the administrator can view HA configuration information for the Panorama management server but can’t manage the configuration. If you disable this privilege, the administrator can’t see or manage HA configuration settings for the Panorama management server. Panorama: Yes Device Group/Template: No Yes Yes Yes
Config Audit Specifies whether the administrator can run Panorama configuration audits. If you disable this privilege, the administrator can’t run Panorama configuration audits. Panorama: Yes Device Group/Template: No Yes No Yes
Administrators Specifies whether the administrator can view Panorama administrator account details. You can’t enable full access to this function: just read-only access. (Only Panorama administrators with a dynamic role can add, edit, or delete Panorama administrators.) With read-only access, the administrator can see information about his or her own account but no other Panorama administrator accounts. If you disable this privilege, the administrator can’t see information about any Panorama administrator account, including his or her own. Panorama: Yes Device Group/Template: No No Yes Yes
Admin Roles Specifies whether the administrator can view Panorama administrator roles. You can’t enable full access to this function: just read-only access. (Only Panorama administrators with a dynamic role can add, edit, or delete custom Panorama roles.) With read-only access, the administrator can see Panorama administrator role configurations but can’t manage them. If you disable this privilege, the administrator can’t see or manage Panorama administrator roles. Panorama: Yes Device Group/Template: No No Yes Yes
Access Domain Specifies whether the administrator can view, add, edit, delete, or clone access domain configurations for Panorama administrators. (This privilege controls access only to the configuration of access domains, not access to the device groups, templates, and firewall contexts that are assigned to access domains.) If you set this privilege to read-only, the administrator can view Panorama access domain configurations but can’t manage them. If you disable this privilege, the administrator can’t see or manage Panorama access domain configurations. Panorama: Yes Device Group/Template: No You assign access domains to Device Group and Template administrators so they can access the configuration and monitoring data within the device groups, templates, and firewall contexts that are assigned to those access domains. Yes Yes Yes
Authentication Profile Specifies whether the administrator can view, add, edit, delete, or clone authentication profiles for Panorama administrators. If you set this privilege to read-only, the administrator can view Panorama authentication profiles but can’t manage them. If you disable this privilege, the administrator can’t see or manage Panorama authentication profiles. Panorama: Yes Device Group/Template: No Yes Yes Yes
Authentication Sequence Specifies whether the administrator can view, add, edit, delete, or clone authentication sequences for Panorama administrators. If you set this privilege to read-only, the administrator can view Panorama authentication sequences but can’t manage them. If you disable this privilege, the administrator can’t see or manage Panorama authentication sequences. Panorama: Yes Device Group/Template: No Yes Yes Yes
| Access Level | Description | Admin Role Availability | Enable | Read Only | Disable |
|---|---|---|---|---|---|
| Managed Devices | Specifies whether the administrator can view, add, edit, tag, or delete firewalls as managed devices, and install software or content updates on them. If you set this privilege to read-only, the administrator can see managed firewalls but can’t add, delete, tag, or install updates on them. If you disable this privilege, the administrator can’t view, add, edit, tag, delete, or install updates on managed firewalls. This privilege applies only to the Panorama > Managed Devices page. An administrator with Device Deployment privileges can still use the Panorama > Device Deployment pages to install updates on managed firewalls. | Panorama: Yes. Device Group/Template: Yes. | Yes (No for Device Group and Template roles) | Yes | Yes |
| Templates | Specifies whether the administrator can view, edit, add, or delete templates and template stacks. If you set the privilege to read-only, the administrator can see template and stack configurations but can’t manage them. If you disable this privilege, the administrator can’t see or manage template and stack configurations. | Panorama: Yes. Device Group/Template: Yes. Device Group and Template administrators can see only the templates and stacks that are within the access domains assigned to those administrators. | Yes (No for Device Group and Template admins) | Yes | Yes |
| Device Groups | Specifies whether the administrator can view, edit, add, or delete device groups. If you set this privilege to read-only, the administrator can see device group configurations but can’t manage them. If you disable this privilege, the administrator can’t see or manage device group configurations. | Panorama: Yes. Device Group/Template: Yes. Device Group and Template administrators can access only the device groups that are within the access domains assigned to those administrators. | Yes | Yes | Yes |
| Managed Collectors | Specifies whether the administrator can view, edit, add, or delete managed collectors. If you set this privilege to read-only, the administrator can see managed collector configurations but can’t manage them. If you disable this privilege, the administrator can’t view, edit, add, or delete managed collector configurations. This privilege applies only to the Panorama > Managed Collectors page. An administrator with Device Deployment privileges can still use the Panorama > Device Deployment pages to install updates on managed collectors. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Collector Groups | Specifies whether the administrator can view, edit, add, or delete Collector Groups. If you set this privilege to read-only, the administrator can see Collector Groups but can’t manage them. If you disable this privilege, the administrator can’t see or manage Collector Groups. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| VMware Service Manager | Specifies whether the administrator can view and edit VMware Service Manager settings. If you set this privilege to read-only, the administrator can see the settings but can’t perform any related configuration or operational procedures. If you disable this privilege, the administrator can’t see the settings or perform any related configuration or operational procedures. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Certificate Management | Sets the default state, enabled or disabled, for all of the Panorama certificate management privileges (Certificates, Certificate Profile, SSL/TLS Service Profile). | Panorama: Yes. Device Group/Template: No. | Yes | No | Yes |
| Certificates | Specifies whether the administrator can view, edit, generate, delete, revoke, renew, or export certificates. This privilege also specifies whether the administrator can import or export HA keys. If you set this privilege to read-only, the administrator can see Panorama certificates but can’t manage the certificates or HA keys. If you disable this privilege, the administrator can’t see or manage Panorama certificates or HA keys. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Certificate Profile | Specifies whether the administrator can view, add, edit, delete, or clone Panorama certificate profiles. If you set this privilege to read-only, the administrator can see Panorama certificate profiles but can’t manage them. If you disable this privilege, the administrator can’t see or manage Panorama certificate profiles. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| SSL/TLS Service Profile | Specifies whether the administrator can view, add, edit, delete, or clone SSL/TLS Service profiles. If you set this privilege to read-only, the administrator can see SSL/TLS Service profiles but can’t manage them. If you disable this privilege, the administrator can’t see or manage SSL/TLS Service profiles. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Log Settings | Sets the default state, enabled or disabled, for all the log setting privileges (System, Config, HIP Match, Correlation, Traffic, Threat, WildFire). | Panorama: Yes. Device Group/Template: No. | Yes | No | Yes |
| System | Specifies whether the administrator can see and configure the settings that control the forwarding of System logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the System log forwarding settings but can’t manage them. If you disable this privilege, the administrator can’t see or manage the settings. On a Panorama M-Series appliance, this privilege pertains only to System logs that Panorama generates. On a Panorama virtual appliance, this privilege applies to System logs that Panorama generates and to System logs that Panorama collects from firewalls. The Panorama > Collector Groups page controls the forwarding of System logs that an M-Series appliance collects from firewalls. The Device > Log Settings page controls the forwarding of System logs directly from firewalls to external services (without aggregation on Panorama). | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Config | Specifies whether the administrator can see and configure the settings that control the forwarding of Config logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the Config log forwarding settings but can’t manage them. If you disable this privilege, the administrator can’t see or manage the settings. On a Panorama M-Series appliance, this privilege pertains only to Config logs that Panorama generates. On a Panorama virtual appliance, this privilege applies to Config logs that Panorama generates and to Config logs that Panorama collects from firewalls. The Panorama > Collector Groups page controls the forwarding of Config logs that an M-Series appliance collects from firewalls. The Device > Log Settings page controls the forwarding of Config logs directly from firewalls to external services (without aggregation on Panorama). | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| HIP Match | Specifies whether the administrator can see and configure the settings that control the forwarding of HIP Match logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of HIP Match logs but can’t manage them. If you disable this privilege, the administrator can’t see or manage the settings. The Panorama > Collector Groups page controls the forwarding of HIP Match logs from a Panorama M-Series appliance. The Device > Log Settings page controls the forwarding of HIP Match logs directly from firewalls to external services (without aggregation on Panorama). | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Correlation | Specifies whether the administrator can see and configure the settings that control the forwarding of Correlation logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the Correlation log forwarding settings but can’t manage them. If you disable this privilege, the administrator can’t see or manage the settings. The Panorama > Collector Groups page controls the forwarding of Correlation logs from a Panorama M-Series appliance. The Device > Log Settings page controls the forwarding of Correlation logs directly from firewalls to external services (without aggregation on Panorama). | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Traffic | Specifies whether the administrator can see and configure the settings that control the forwarding of Traffic logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of Traffic logs but can’t manage them. If you disable this privilege, the administrator can’t see or manage the settings. The Panorama > Collector Groups page controls the forwarding of Traffic logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of Traffic logs directly from firewalls to external services (without aggregation on Panorama). | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Threat | Specifies whether the administrator can see and configure the settings that control the forwarding of Threat logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of Threat logs but can’t manage them. If you disable this privilege, the administrator can’t see or manage the settings. The Panorama > Collector Groups page controls the forwarding of Threat logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of Threat logs directly from firewalls to external services (without aggregation on Panorama). | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| WildFire | Specifies whether the administrator can see and configure the settings that control the forwarding of WildFire logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of WildFire logs but can’t manage them. If you disable this privilege, the administrator can’t see or manage the settings. The Panorama > Collector Groups page controls the forwarding of WildFire logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of WildFire logs directly from firewalls to external services (without aggregation on Panorama). | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Server Profiles | Sets the default state, enabled or disabled, for all the server profile privileges (SNMP Trap, Syslog, Email, RADIUS, TACACS+, LDAP, Kerberos). These privileges pertain only to the server profiles that are used for forwarding logs that Panorama generates or collects from firewalls and the server profiles that are used for authenticating Panorama administrators. The Device > Server Profiles pages control the server profiles that are used for forwarding logs directly from firewalls to external services (without aggregation on Panorama) and for authenticating firewall administrators. | Panorama: Yes. Device Group/Template: No. | Yes | No | Yes |
| SNMP Trap | Specifies whether the administrator can see and configure SNMP trap server profiles. If you set this privilege to read-only, the administrator can see SNMP trap server profiles but can’t manage them. If you disable this privilege, the administrator can’t see or manage SNMP trap server profiles. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Syslog | Specifies whether the administrator can see and configure Syslog server profiles. If you set this privilege to read-only, the administrator can see Syslog server profiles but can’t manage them. If you disable this privilege, the administrator can’t see or manage Syslog server profiles. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Email | Specifies whether the administrator can see and configure email server profiles. If you set this privilege to read-only, the administrator can see email server profiles but can’t manage them. If you disable this privilege, the administrator can’t see or manage email server profiles. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| RADIUS | Specifies whether the administrator can see and configure the RADIUS server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the RADIUS server profiles but can’t manage them. If you disable this privilege, the administrator can’t see or manage the RADIUS server profiles. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| TACACS+ | Specifies whether the administrator can see and configure the TACACS+ server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but can’t add or edit them. If you disable this privilege, the administrator can’t see the node or configure settings for the TACACS+ servers that authentication profiles reference. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| LDAP | Specifies whether the administrator can see and configure the LDAP server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the LDAP server profiles but can’t manage them. If you disable this privilege, the administrator can’t see or manage the LDAP server profiles. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Kerberos | Specifies whether the administrator can see and configure the Kerberos server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the Kerberos server profiles but can’t manage them. If you disable this privilege, the administrator can’t see or manage the Kerberos server profiles. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Scheduled Config Export | Specifies whether the administrator can view, add, edit, delete, or clone scheduled Panorama configuration exports. If you set this privilege to read-only, the administrator can view the scheduled exports but can’t manage them. If you disable this privilege, the administrator can’t see or manage the scheduled exports. | Panorama: Yes. Device Group/Template: No. | Yes | No | Yes |
| Software | Specifies whether the administrator can view information about Panorama software updates; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can view information about Panorama software updates and the associated release notes but can’t perform any related operations. If you disable this privilege, the administrator can’t see Panorama software updates or the associated release notes, or perform any related operations. This privilege pertains only to software installed on a Panorama management server. The Panorama > Device Deployment > Software page controls access to PAN-OS software deployed on firewalls and Panorama software deployed on Dedicated Log Collectors. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Dynamic Updates | Specifies whether the administrator can view information about Panorama content updates (for example, WildFire updates); download, upload, install, or revert the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can view information about Panorama content updates and the associated release notes but can’t perform any related operations. If you disable this privilege, the administrator can’t see Panorama content updates or the associated release notes, or perform any related operations. This privilege pertains only to content updates installed on a Panorama management server. The Panorama > Device Deployment > Dynamic Updates page controls access to content updates deployed on firewalls and Dedicated Log Collectors. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Support | Specifies whether the administrator can view Panorama support license information, product alerts, and security alerts; activate a support license; generate Tech Support files; and manage cases. If you set this privilege to read-only, the administrator can view Panorama support information, product alerts, and security alerts, but can’t activate a support license, generate Tech Support files, or manage cases. If you disable this privilege, the administrator can’t see Panorama support information, product alerts, or security alerts, and can’t activate a support license, generate Tech Support files, or manage cases. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
| Device Deployment | Sets the default state, enabled or disabled, for all the device deployment privileges (Software, SSL VPN Client, GlobalProtect Client, Dynamic Updates, Licenses). These privileges pertain only to software and content updates that Panorama administrators deploy on firewalls and Dedicated Log Collectors. The Panorama > Software and Panorama > Dynamic Updates pages control the software and content updates installed on a Panorama management server. | Panorama: Yes. Device Group/Template: Yes. | Yes | No | Yes |
| Software | Specifies whether the administrator can view information about the software updates installed on firewalls and Log Collectors; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about the software updates and the associated release notes but can’t deploy the updates to firewalls or Dedicated Log Collectors. If you disable this privilege, the administrator can’t see information about the software updates or the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors. | Panorama: Yes. Device Group/Template: Yes. | Yes | Yes | Yes |
| SSL VPN Client | Specifies whether the administrator can view information about SSL VPN client software updates on firewalls; download, upload, or activate the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about SSL VPN client software updates and the associated release notes but can’t activate the updates on firewalls. If you disable this privilege, the administrator can’t see information about SSL VPN client software updates or the associated release notes, or activate the updates on firewalls. | Panorama: Yes. Device Group/Template: Yes. | Yes | Yes | Yes |
| GlobalProtect Client | Specifies whether the administrator can view information about GlobalProtect agent/app software updates on firewalls; download, upload, or activate the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about GlobalProtect agent/app software updates and the associated release notes but can’t activate the updates on firewalls. If you disable this privilege, the administrator can’t see information about GlobalProtect agent/app software updates or the associated release notes, or activate the updates on firewalls. | Panorama: Yes. Device Group/Template: Yes. | Yes | Yes | Yes |
| Dynamic Updates | Specifies whether the administrator can view information about the content updates (for example, Applications updates) installed on firewalls and Dedicated Log Collectors; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about the content updates and the associated release notes but can’t deploy the updates to firewalls or Dedicated Log Collectors. If you disable this privilege, the administrator can’t see information about the content updates or the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors. | Panorama: Yes. Device Group/Template: Yes. | Yes | Yes | Yes |
| Licenses | Specifies whether the administrator can view, refresh, and activate firewall licenses. If you set this privilege to read-only, the administrator can view firewall licenses but can’t refresh or activate them. If you disable this privilege, the administrator can’t view, refresh, or activate firewall licenses. | Panorama: Yes. Device Group/Template: Yes. | Yes | Yes | Yes |
| Master Key and Diagnostics | Specifies whether the administrator can view and configure the master key that encrypts private keys on Panorama. If you set this privilege to read-only, the administrator can view the Panorama master key configuration but can’t change it. If you disable this privilege, the administrator can’t see or edit the Panorama master key configuration. | Panorama: Yes. Device Group/Template: No. | Yes | Yes | Yes |
Panorama Web Interface Access Privileges
Custom Panorama administrator roles let you define access to the options on Panorama, or restrict an administrator to Device Groups and Templates only (the Policies, Objects, Network, and Device tabs).
The administrator roles you can create are Panorama and Device Group and Template. You can’t assign CLI access privileges to a Device Group and Template Admin Role profile. If you assign superuser privileges for the CLI to a Panorama Admin Role profile, administrators with that role can access all features regardless of the web interface privileges you assign, so the web interface restrictions on such a profile provide no real limit.
| Access Level | Description | Enable | Read Only | Disable |
|---|---|---|---|---|
| Dashboard | Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets. | Yes | No | Yes |
| ACC | Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the Privacy > Show Full Ip Addresses option and/or the Show User Names In Logs And Reports option. | Yes | No | Yes |
| Monitor | Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports, or App Scope. For more granular control over what monitoring information the administrator can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab. | Yes | No | Yes |
| Policies | Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the administrator can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab. | Yes | No | Yes |
| Objects | Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the administrator can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab. | Yes | No | Yes |
| Network | Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what the administrator can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab. | Yes | No | Yes |
| Device | Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any firewall-wide configuration information, such as User-ID, High Availability, server profile, or certificate configuration information. For more granular control over what the administrator can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab. You can’t enable access to the Admin Roles or Administrators nodes for a role-based administrator even if you enable full access to the Device tab. | Yes | No | Yes |
| Panorama | Controls access to the Panorama tab. If you disable this privilege, the administrator will not see the Panorama tab and will not have access to any Panorama-wide configuration information, such as Managed Devices, Managed Collectors, or Collector Groups. For more granular control over what the administrator can see, leave the Panorama option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Panorama Tab. | Yes | No | Yes |
| Privacy | Controls access to the privacy settings described in Define User Privacy Settings in the Admin Role Profile. | Yes | No | Yes |
| Validate | When disabled, an administrator cannot validate a configuration. | Yes | No | Yes |
| Commit | Sets the default state (enabled or disabled) for all the commit settings listed below (Panorama, Device Groups, Templates, Force Template Values, Collector Groups). | Yes | No | Yes |
| Panorama | When disabled, an administrator cannot commit changes to the Panorama configuration. | Yes | No | Yes |
| Device Groups | When disabled, an administrator cannot commit changes to device groups. | Yes | No | Yes |
| Templates | When disabled, an administrator cannot commit changes to templates. | Yes | No | Yes |
| Force Template Values | Controls access to the Force Template Values option in the Commit dialog. When disabled, an administrator cannot replace overridden settings in local firewall configurations with settings that Panorama pushes from a template. | Yes | No | Yes |
| Collector Groups | When disabled, an administrator cannot commit changes to Collector Groups. | Yes | No | Yes |
| Global | Controls access to the global settings (system alarms) described in Provide Granular Access to Global Settings. | Yes | No | Yes |
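As an added example (not Palo Alto Networks code and not the Panorama configuration format), the following Python audit encodes the role availability and read-only rules from the Panorama tab privilege table above, the parent-node defaults, and the note that CLI superuser privileges override web interface restrictions; it flags profiles that violate those rules or that grant write access to the nodes governing Panorama administrator authentication and key material. The profile dictionary layout, the sample profiles and the "unset top-level node counts as disabled" rule are assumptions made for illustration.

```python
"""Audit Panorama admin role profiles against the privilege rules on this page.
The profile dict layout below is a constructed representation for illustration,
not the Panorama configuration schema or API."""
from typing import Dict, List

# Subset of the Panorama tab privilege table: available to Device Group/Template
# roles, read-only offered, and whether those roles may set the node to enable.
NODES = {
    "Managed Devices":            dict(dgt=True,  read_only=True,  dgt_enable=False),
    "Templates":                  dict(dgt=True,  read_only=True,  dgt_enable=False),
    "Device Groups":              dict(dgt=True,  read_only=True,  dgt_enable=True),
    "Managed Collectors":         dict(dgt=False, read_only=True,  dgt_enable=False),
    "Certificate Management":     dict(dgt=False, read_only=False, dgt_enable=False),
    "Certificates":               dict(dgt=False, read_only=True,  dgt_enable=False),
    "Server Profiles":            dict(dgt=False, read_only=False, dgt_enable=False),
    "RADIUS":                     dict(dgt=False, read_only=True,  dgt_enable=False),
    "TACACS+":                    dict(dgt=False, read_only=True,  dgt_enable=False),
    "LDAP":                       dict(dgt=False, read_only=True,  dgt_enable=False),
    "Kerberos":                   dict(dgt=False, read_only=True,  dgt_enable=False),
    "Device Deployment":          dict(dgt=True,  read_only=False, dgt_enable=True),
    "Master Key and Diagnostics": dict(dgt=False, read_only=True,  dgt_enable=False),
}
# Parent nodes whose enable/disable state is the default for their children.
PARENT = {"Certificates": "Certificate Management", "RADIUS": "Server Profiles",
          "TACACS+": "Server Profiles", "LDAP": "Server Profiles",
          "Kerberos": "Server Profiles"}
# Write access here governs Panorama admin authentication or key material.
SENSITIVE = {"Certificates", "RADIUS", "TACACS+", "LDAP", "Kerberos",
             "Master Key and Diagnostics"}
STATES = {"enable", "read-only", "disable"}


def effective_state(privs: Dict[str, str], node: str) -> str:
    """Resolve a node's state, inheriting the parent's default when unset.
    Assumption for this audit: an unset top-level node counts as disabled."""
    if node in privs:
        return privs[node]
    parent = PARENT.get(node)
    return effective_state(privs, parent) if parent else "disable"


def audit_profile(profile: dict) -> List[str]:
    """Return findings for one profile: invalid settings and privileges to review."""
    role, cli, privs = profile["role"], profile.get("cli"), profile["webui"]
    findings: List[str] = []
    if role == "panorama" and cli == "superuser":
        restricted = sorted(n for n, s in privs.items() if s != "enable")
        if restricted:  # per the page, CLI superuser reaches everything anyway
            findings.append("CLI superuser bypasses web UI restrictions on: " + ", ".join(restricted))
    if role == "device-group-template" and cli:
        findings.append("CLI access cannot be assigned to a Device Group and Template role")
    for node, state in privs.items():
        spec = NODES.get(node)
        if spec is None or state not in STATES:
            findings.append(f"{node}: unknown node or state {state!r}")
            continue
        if role == "device-group-template" and not spec["dgt"]:
            findings.append(f"{node}: not available to Device Group and Template roles")
        elif role == "device-group-template" and state == "enable" and not spec["dgt_enable"]:
            findings.append(f"{node}: Device Group and Template roles get read-only at most")
        if state == "read-only" and not spec["read_only"]:
            findings.append(f"{node}: read-only is not offered; use enable or disable")
    for node in sorted(SENSITIVE):
        if effective_state(privs, node) == "enable":
            findings.append(f"{node}: write access granted, review under least privilege")
    return findings


# Constructed sample profiles (not taken from any real deployment).
OPS_ROLE = {"role": "panorama", "cli": "superuser",
            "webui": {"Managed Devices": "read-only", "Device Deployment": "enable",
                      "Certificate Management": "disable", "Server Profiles": "disable",
                      "Master Key and Diagnostics": "disable"}}
DGT_ROLE = {"role": "device-group-template", "cli": None,
            "webui": {"Templates": "enable", "Device Groups": "enable",
                      "Managed Collectors": "read-only"}}
PKI_ROLE = {"role": "panorama", "cli": None,
            "webui": {"Certificate Management": "enable", "Server Profiles": "disable",
                      "LDAP": "read-only"}}

if __name__ == "__main__":
    for name, prof in (("ops", OPS_ROLE), ("dgt", DGT_ROLE), ("pki", PKI_ROLE)):
        print(name, audit_profile(prof))
```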