This is published as part of a series on obtaining the PCNSA certification.
Firewall administrators are defined via Panorama (central management) or locally on the firewall. But not everyone should have carte blanche access.
Role-based access control can limit the type of changes a firewall administrator can perform.
The most common method is to define an administrator using local authentication.
To add a firewall administrative account, navigate to Device > Administrators and click on Add.
Specify a name for the account and password.
There are a few optional items such as the Authentication Profile and the Administrator Type, either Dynamic or Role Based.
An Authentication Profile is used with other authentication services.
The Administrator Type specifies a role. Dynamic includes the built-in roles:
- Full access to the firewall
- Full access to the firewall except creating new accounts and virtual systems
- Device Administrator (read-only): Read-only access to all firewall settings except password profiles and administrator accounts.
Role Based includes custom roles that you configure. This gives you more granular control over specific settings. Custom roles are configured under Device > Admin Roles.
For example, I can create an Admin Role called analyst which will have access to the Monitor Logs only.
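Once administrators and roles are in place, the practical question is keeping Superuser accounts to a minimum. As an added example (not from the original post and not Palo Alto Networks' own tooling), the script below parses a PAN-OS configuration export, reports which built-in or custom role each administrator holds, and flags Superuser accounts that are not on an approved list. The XML fragment is constructed for this example, and the element names it relies on (mgt-config/users, role-based/superuser, custom/profile and so on) are assumptions modelled on that export format; check them against an export from your own firewall before relying on the output.

```python
"""Audit administrator accounts in a PAN-OS configuration export.

Added example, not part of the original post. The XML below is a constructed
fragment modelled on the mgt-config section of a PAN-OS export; the element
names are assumptions and should be verified against a real export.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one approved Superuser, one read-only account, one
# custom (role-based) account, one stray Superuser and one account with no
# recognisable permissions block.
SAMPLE_CONFIG = """<config>
  <mgt-config>
    <users>
      <entry name="admin">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="ops-ro">
        <permissions><role-based><devicereader>yes</devicereader></role-based></permissions>
      </entry>
      <entry name="analyst">
        <permissions><role-based><custom><profile>analyst</profile></custom></role-based></permissions>
      </entry>
      <entry name="legacy">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="stale">
        <permissions/>
      </entry>
    </users>
  </mgt-config>
</config>
"""

# Assumed element names for the Dynamic (built-in) roles, mapped to the
# role names shown in the web UI.
DYNAMIC_ROLES = {
    "superuser": "Superuser",
    "deviceadmin": "Device Administrator",
    "superreader": "Superuser (read-only)",
    "devicereader": "Device Administrator (read-only)",
}


def classify_admins(config_xml: str) -> dict:
    """Return {username: role} for every administrator in the export.

    Role Based accounts are reported as 'custom:<profile name>'; accounts
    whose permissions block is missing or unrecognised are 'unknown'.
    """
    root = ET.fromstring(config_xml)
    roles = {}
    for entry in root.findall("./mgt-config/users/entry"):
        name = entry.get("name")
        role = "unknown"
        rb = entry.find("./permissions/role-based")
        if rb is not None:
            for element, label in DYNAMIC_ROLES.items():
                if rb.findtext(element) == "yes":
                    role = label
                    break
            profile = rb.findtext("./custom/profile")
            if profile:
                role = f"custom:{profile}"
        roles[name] = role
    return roles


def least_privilege_findings(roles: dict, allowed_superusers: set) -> list:
    """Flag Superusers outside the approved set and unclassifiable accounts."""
    findings = []
    for user in sorted(u for u, r in roles.items() if r == "Superuser"):
        if user not in allowed_superusers:
            findings.append(
                f"{user}: unapproved Superuser; consider Device Administrator or a custom Admin Role"
            )
    for user in sorted(u for u, r in roles.items() if r == "unknown"):
        findings.append(f"{user}: no recognised permissions block, review or remove")
    return findings


if __name__ == "__main__":
    found = classify_admins(SAMPLE_CONFIG)
    for user, role in sorted(found.items()):
        print(f"{user:10} {role}")
    for line in least_privilege_findings(found, allowed_superusers={"admin"}):
        print("FINDING:", line)
```

Run it against a saved export instead of the sample by reading the file into `classify_admins`; the approved-Superuser set is the one piece of local policy you supply.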