Palo Alto Networks – PCNSE Certification Part 3: Basic Configuration (Admin Roles)

So I continue my journey to get this cert. I think I have procrastinated for too long and I need to get back to learning all the ins and outs of the technology. Again, this certification is very heavy on configuration and HA concepts, maybe scattered across all their main objectives. We are going to get working with initial configuration.

Admin Roles

Like any other appliance out there, you can create different admin roles with different permissions based on each administrator's job function.

** On the green checkmarks, you can decide what access will be provided for this admin role

Now we are going to move to create a User account and assign it to the
* Make sure you change the Administrator type from Dynamic to Role Based (this allows us to select the role we created previously)

** Don’t forget to commit your changes!

Admin Role – Testing it

So during the role creation we removed a few sections from the permissions:
Monitor
Network
Privacy
Device
So let's see how things look after we log in with our new account.

Our major configuration tabs are now different, and there are fewer of them than when we were logged in as Admin.

There are a few more things as we examine deeper, but this one is the most noticeable change.

How to make it happen from the CLI

So at the CLI the story is a bit different and just a little more complicated than in the GUI. The reason I mention this is because I basically had to reverse engineer my way into creating the CLI instruction, or maybe I could not find a good document that explains what I want to do.



admin@firewall-a> configure
admin@firewall-a# set shared admin-role policy-test description Test_By_Andres role device web device
admin@firewall-a# set mgt-config users policy-admin permissions role-based custom profile policy-test
admin@firewall-a# commit

 

Let's see what this thing did when I go to the GUI.

The results are very funny and a bit expected. From what I can tell, I only gave this role access to Device, so the Device tab is the only thing that shows up there, but I'm missing a few other things that really will not be fun to configure over the CLI.

As you can tell, there are many things that need to be set up for the admin role, but for now it was a good exercise, and we were able to get our first experience with the PAN-OS CLI.
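
As an added example (not from the original post and not Palo Alto Networks code): a Python check over an exported configuration that lists each administrator, whether it is still on a built-in dynamic role or bound to a custom admin role, and whether that role actually exists under shared admin-role. The XML layout and the sample accounts "admin" and "helpdesk" are assumptions built from the two set commands above.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the element layout is an assumption mirroring the set commands above.
SAMPLE_CONFIG = """
<config>
  <mgt-config>
    <users>
      <entry name="admin">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="policy-admin">
        <permissions><role-based><custom><profile>policy-test</profile></custom></role-based></permissions>
      </entry>
      <entry name="helpdesk">
        <permissions><role-based><custom><profile>missing-role</profile></custom></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
  <shared>
    <admin-role>
      <entry name="policy-test"><description>Test_By_Andres</description></entry>
    </admin-role>
  </shared>
</config>
"""


def audit_admins(config_xml):
    """Return {admin: (kind, role, finding)} for every administrator account."""
    root = ET.fromstring(config_xml)
    defined = {e.get("name") for e in root.findall("./shared/admin-role/entry")}
    report = {}
    for user in root.findall("./mgt-config/users/entry"):
        rb = user.find("./permissions/role-based")
        profile = rb.find("./custom/profile") if rb is not None else None
        if profile is not None:
            role = (profile.text or "").strip()
            finding = "ok" if role in defined else "profile not defined"
            report[user.get("name")] = ("custom", role, finding)
        elif rb is not None and len(rb):
            # Any other child element is treated as a built-in dynamic role.
            report[user.get("name")] = ("dynamic", rb[0].tag, "built-in role, not scoped")
        else:
            report[user.get("name")] = ("unknown", "", "no role found")
    return report


if __name__ == "__main__":
    for name, row in sorted(audit_admins(SAMPLE_CONFIG).items()):
        print(name, *row, sep="\t")
```

Run against a real export, the "dynamic" rows are the accounts that never got moved to a role-based profile, and "profile not defined" catches a typo in the profile name before it locks an admin out of the tabs they need.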

What is next

Configure Ethernet Interfaces (vWire, Layer 2, Layer 3, Virtual Router, Management Profiles for Interfaces)

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 15 years of experience, Andres is specialized in Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.
