Palo Alto Firewall Version 10.2.0: How to configure Admin Roles

1.Goal of the article

In this article, techbast will explain to you what Admin Roles are, their effects and how to configure them on the Palo Alto firewall device.

2.What are Admin Roles and their uses?

Admin Roles is a profile used to define the details of administrative access rights for the administrative account to which it is applied.

It will help administrators to reasonably delegate permissions to lower-level administrative accounts to protect configuration parameters, device logs, sensitive company, and user information.


By default on the Palo Alto device, 3 Admin Roles have been created for us: auditadmin, cryptoadmin, securityadmin.

We will find out what these 3 Admin Roles include.

3.1. Audit Admin

Auditadmin is applied to administrators who specialize in collecting and analyzing logs recorded from activities in the network.

We can go to Device > Admin Roles > click on auditadmin.

Now we will see that the auditadmin only has access to sections like Monitor to view logs, install logs, view system warnings, etc.

The remaining configuration sections cannot be viewed by auditadmin.

3.2. Crypto Admin

Admin Roles cryptoadmin will include the rights that auditadmin has with some rights such as being able to configure features IPSec VPN Site-to-Site, SSL VPN Global Protect, SSL/TLS Service Profile, Certificate, ..

3.3.Security Admin

Admin Roles securityadmin will have almost all access rights in Web UI tab such as configuring Policy, NAT, Interface, Zone, view logs, create Security Profiles, etc. and it will not have permissions like VPN configuration, certificate, Gre.

In addition, you can also customize yourself an Admin Roles according to your wishes.

3.4. Create Admin Roles

To create Admin Roles, go to Device > Admin Roles > click Add and we will have the following parameters:

  • Name: Name Admin Roles
  • Description: Add description
  • Web UI: this is the tab that lists the permissions available on the admin page of the Palo Alto device, you can customize it to your liking by clicking the dot icon to the left of the permission, if it is a green checkmark is allowed and the red x is disallowed and the keychain icon is Read-only permission.
  • XML/REST API: These are the rights to use XML or REST APIs to integrate 3rd party solutions.
  • Command Line: This is the permission that allows the administrator to access the firewall device configuration using the command-line interface.

3.5. Assign Admin Roles to admin account

After creating Admin Roles we can assign it to an admin account.

To assign to Device > Administrators.

Tap the admin account name.

In the Administrator Type section select Role Based and select Admin Roles from the list.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.