This is published as part of a series on obtaining the PCNSA certification.
Firewall administrators are defined via Panorama (central management) or locally on the firewall. But not everyone should have carte blanche access.
Role-based access control can limit the type of changes a firewall administrator can perform.
The most common method is to define an administrator using local authentication.
To add a firewall administrative account, navigate to Device > Administrators and click on Add.
Specify a name and password for the account.
There are a few optional items such as the Authentication Profile and the Administrator Type, either Dynamic or Role Based.
An Authentication Profile is used with other authentication services.
The Administrator Type specifies a role. Dynamic uses the built-in roles:

| Dynamic role | Access |
|---|---|
| Superuser | Full access to the firewall |
| Superuser (read-only) | Read-only access |
| Device Administrator | Full access to the firewall except creating new accounts and virtual systems |
| Device Administrator (read-only) | Read-only access to all firewall settings except password profiles and administrator accounts |
Role Based uses custom roles that you configure, which gives you more granular control over specific settings. Custom roles are configured under Device > Admin Roles.
For example, I can create an Admin Role called analyst which will have access to the Monitor Logs only.
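Once a few administrators exist, the question a reviewer asks is "who actually holds Superuser?" The following script is an added example, not code from the original post or from Palo Alto Networks: it parses the `mgt-config/users` subtree of an exported PAN-OS configuration (the XML you get from Device > Setup > Operations > Export) and reports each local administrator's role, so accounts with full access stand out from those limited to a Dynamic read-only role or a custom Role Based profile such as the `analyst` role above. The element names it looks for (`superuser`, `superreader`, `deviceadmin`, `devicereader`, `custom/profile`) are my understanding of the PAN-OS config schema and should be treated as an assumption to check against your own export; the sample XML is constructed for the example.

```python
"""Audit local administrator accounts in a PAN-OS configuration export.

Added example, not from the original post. Parses /config/mgt-config/users
and maps each administrator to the GUI role name. The element names in
DYNAMIC_ROLES and the custom/profile path are an assumption about the
PAN-OS config schema; verify them against a real export.
"""
import xml.etree.ElementTree as ET

# Built-in (Dynamic) role elements mapped to the names shown in the GUI.
# Assumed element names; see the docstring.
DYNAMIC_ROLES = {
    "superuser": "Superuser",
    "superreader": "Superuser (read-only)",
    "deviceadmin": "Device Administrator",
    "devicereader": "Device Administrator (read-only)",
}

# Constructed sample: four local admins with a mix of roles.
SAMPLE_CONFIG = """<config>
  <mgt-config>
    <users>
      <entry name="admin">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="auditor">
        <permissions><role-based><superreader>yes</superreader></role-based></permissions>
      </entry>
      <entry name="analyst">
        <permissions><role-based><custom><profile>analyst</profile></custom></role-based></permissions>
      </entry>
      <entry name="ops">
        <permissions><role-based><deviceadmin>yes</deviceadmin></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
</config>"""


def admin_roles(config_xml: str) -> dict:
    """Return {username: role description} for every local administrator."""
    root = ET.fromstring(config_xml)
    roles = {}
    for entry in root.findall("./mgt-config/users/entry"):
        name = entry.get("name")
        rb = entry.find("./permissions/role-based")
        role = "unknown"
        if rb is not None:
            # Dynamic roles are flag elements whose text is "yes".
            for tag, label in DYNAMIC_ROLES.items():
                node = rb.find(tag)
                if node is not None and (node.text or "").strip() == "yes":
                    role = label
                    break
            else:
                # No dynamic flag set: look for a custom Admin Role profile.
                profile = rb.find("./custom/profile")
                if profile is not None and profile.text:
                    role = f"Role Based ({profile.text.strip()})"
        roles[name] = role
    return roles


def superusers(config_xml: str) -> list:
    """Sorted names of accounts holding full (Superuser) access."""
    return sorted(n for n, r in admin_roles(config_xml).items() if r == "Superuser")


if __name__ == "__main__":
    for user, role in admin_roles(SAMPLE_CONFIG).items():
        flag = "  <-- full access, review" if role == "Superuser" else ""
        print(f"{user:12s} {role}{flag}")
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the file contents; the list returned by `superusers()` is the set of accounts that have the carte blanche access the post warns against, and everything else should map to a read-only Dynamic role or a named custom role.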