This is published as part of a series on obtaining the PCNSA certification.
Firewall administrators are defined via Panorama (central management) or locally on the firewall. But not everyone should have carte blanche access.
Role-based access control can limit the type of changes a firewall administrator can perform.
Authentication Methods
The most common method is to define an administrator using local authentication.
To add a firewall administrative account, navigate to Device > Administrators and click on Add.

Specify a name for the account and password.
There are a few optional items such as the Authentication Profile and the Administrator Type, either Dynamic or Role Based.

An Authentication Profile is used with other authentication services.
The Administrator Type specifies a role. Dynamic includes built-in roles which include:
| Dynamic Role | Privileges |
|---|---|
| Superuser | Full access to the firewall |
| Superuser (read-only) | Read-only access |
| Device Administrator | Full access to the firewall except creating new accounts and virtual systems |
| Device Administrator (read-only) | Read-only access to all firewall settings except password profiles and administrator accounts |
Role Based will include custom roles that you configure. This allows you to create more granular control over certain settings. This is configured under Device > Admin Roles.

For example, I can create an Admin Role called analyst which will have access to the Monitor Logs only.
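To see how the dynamic and custom roles above show up in practice, here is an added example (not from the original post, and not Palo Alto's own tooling) that audits administrator accounts from an exported PAN-OS configuration. The `<mgt-config>/<users>` layout and the element names for the dynamic roles (`superuser`, `superreader`, `deviceadmin`, `devicereader`) and for custom roles (`custom/profile`) are assumptions about the export format; the sample config is constructed for the example. The audit flags Superuser accounts and accounts that have no Authentication Profile (local password only), which are the two things a least-privilege review of admin accounts usually starts with.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <mgt-config> section of a PAN-OS config export.
# The element names are an assumption about the export layout; check them
# against a real export from your own device before relying on this.
SAMPLE_CONFIG = """<config>
  <mgt-config>
    <users>
      <entry name="admin">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="auditor">
        <permissions><role-based><superreader>yes</superreader></role-based></permissions>
        <authentication-profile>corp-ldap</authentication-profile>
      </entry>
      <entry name="ops">
        <permissions><role-based><deviceadmin>yes</deviceadmin></role-based></permissions>
      </entry>
      <entry name="analyst">
        <permissions><role-based><custom><profile>analyst</profile></custom></role-based></permissions>
        <authentication-profile>corp-ldap</authentication-profile>
      </entry>
    </users>
  </mgt-config>
</config>"""

# Assumed element names for the dynamic roles, mapped to the GUI names.
DYNAMIC_ROLES = {
    "superuser": "Superuser",
    "superreader": "Superuser (read-only)",
    "deviceadmin": "Device Administrator",
    "devicereader": "Device Administrator (read-only)",
}


def parse_admins(config_xml):
    """Return one dict per administrator: name, role kind, role, auth profile."""
    root = ET.fromstring(config_xml)
    admins = []
    for entry in root.findall("./mgt-config/users/entry"):
        name = entry.get("name")
        kind, role = "unknown", "unknown"
        role_based = entry.find("./permissions/role-based")
        if role_based is not None:
            for child in role_based:
                if child.tag in DYNAMIC_ROLES:
                    kind, role = "dynamic", DYNAMIC_ROLES[child.tag]
                elif child.tag == "custom":
                    # Custom roles reference an Admin Role profile by name.
                    prof = child.find("profile")
                    kind = "role-based"
                    role = prof.text if prof is not None else "custom"
        # findtext() returns None when the account has no Authentication Profile,
        # i.e. it authenticates with a local password only.
        auth = entry.findtext("authentication-profile")
        admins.append({"name": name, "kind": kind, "role": role, "auth_profile": auth})
    return admins


def audit(admins):
    """Flag accounts a least-privilege review should look at first."""
    findings = []
    for a in admins:
        if a["role"] == "Superuser":
            findings.append((a["name"], "full Superuser access"))
        if a["auth_profile"] is None:
            findings.append((a["name"], "local password only, no Authentication Profile"))
    return findings


if __name__ == "__main__":
    accounts = parse_admins(SAMPLE_CONFIG)
    for a in accounts:
        print(f"{a['name']:10} {a['kind']:10} {a['role']:35} auth={a['auth_profile']}")
    for name, issue in audit(accounts):
        print(f"REVIEW: {name}: {issue}")
```

Running it lists the four constructed accounts with their role kind and then prints the review findings; the `analyst` account, bound to a custom Admin Role and an Authentication Profile, produces none.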