2.5.1 Role-Based Access Control (RBAC) for Authorization
Role-Based Access Control (RBAC) enables administrators to define specific privileges and responsibilities for users accessing the firewall or Panorama. By assigning roles, you can control access to configuration settings, logs, reports, and other functional areas.
- Administrative Roles: Define access to specific configuration areas, logs, and reports within the firewall or Panorama. Roles can be customized to grant granular permissions based on organizational needs.
- Access Domains: When managing multiple device groups or templates, access domains allow you to restrict administrator access to specific sets of devices or configurations.
- Custom Roles: Create roles tailored to specific job functions, such as security administrators, network engineers, or auditors, ensuring each has appropriate access levels.
For detailed guidance on configuring RBAC, refer to the official documentation: Role-Based Access Control - Panorama.
Authentication Methods
Palo Alto Networks firewalls support various authentication methods to verify administrator identities:
- Local Authentication: User credentials are stored locally on the firewall or Panorama.
- External Authentication: Integration with external authentication services such as LDAP, RADIUS, Kerberos, or SAML for centralized user management.
To configure external authentication, you must create an Authentication Profile that specifies the authentication server and associated settings.
Device Access Configuration
Controlling access to the firewall or Panorama involves:
- Defining Administrative Accounts: Create individual administrator accounts with specific roles and authentication profiles.
- Configuring Access Domains: Limit administrator access to specific device groups, templates, or virtual systems.
- Setting Management Interface Access: Restrict access to the management interfaces using permitted IP address ranges and protocols.
These configurations ensure that administrators have appropriate access levels and that unauthorized access is prevented.
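As an added example (not from the page or from Palo Alto Networks), the script below audits an exported configuration for the three points above: administrator accounts bound to an authentication profile, how many accounts hold the superuser role, and whether the management interface has a permitted-IP list. The XML sample is constructed, and the element paths (`mgt-config/users`, `permissions/role-based/superuser`, `deviceconfig/system/permitted-ip`) are assumptions about the export layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS configuration export; the
# element paths are assumptions about the schema, not copied from the page.
SAMPLE_CONFIG = """<config>
  <mgt-config>
    <users>
      <entry name="admin">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="auditor">
        <permissions><role-based><custom><profile>audit-ro</profile></custom></role-based></permissions>
        <authentication-profile>corp-saml</authentication-profile>
      </entry>
      <entry name="neteng">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
        <authentication-profile>corp-saml</authentication-profile>
      </entry>
    </users>
  </mgt-config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig><system><permitted-ip/></system></deviceconfig>
    </entry>
  </devices>
</config>"""

def audit_admin_access(config_xml, max_superusers=1):
    # Returns a list of human-readable findings; an empty list means all checks passed.
    root = ET.fromstring(config_xml)
    findings = []
    superusers = []
    for user in root.findall("./mgt-config/users/entry"):
        name = user.get("name")
        su = user.find("./permissions/role-based/superuser")
        if su is not None and (su.text or "").strip() == "yes":
            superusers.append(name)
        # An admin with no authentication profile relies on local credentials only.
        if user.find("authentication-profile") is None:
            findings.append(f"{name}: no authentication profile (local-only credentials)")
    if len(superusers) > max_superusers:
        findings.append(f"superuser role held by {len(superusers)} accounts: {', '.join(superusers)}")
    # An empty or missing permitted-ip list means the management interface accepts any source.
    permitted = root.findall("./devices/entry/deviceconfig/system/permitted-ip/entry")
    if not permitted:
        findings.append("management access not restricted: permitted-ip list is empty")
    return findings

print(*audit_admin_access(SAMPLE_CONFIG), sep="\n")
```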