10 Examples to Manage PaloAlto Firewall Users from PAN-OS CLI

source link: https://www.thegeekstuff.com/2020/09/paloalto-user-management/

This tutorial explains how to manage PaloAlto users from CLI.

You’ll learn about user and role related functionality, including how to create a new user, assign a role to a user, make a regular user an admin user, list all existing users, delete a user, etc.

1. Enter PaloAlto CLI Configuration Mode

First, login to PaloAlto from CLI as shown below using ssh.

$ ssh [email protected]
admin@PA-FW>

To manage users, go to configure mode as shown below.
admin@PA-VM> configure
Entering configuration mode
[edit]
admin@PA-VM# 

Note: After you are in the configuration mode, the prompt will change from > to # as shown above.

2. Create New User

The following will create a new user called “ramesh”. You will be prompted to enter a password for this new user.

# set mgt-config users ramesh password
Enter password   :
Confirm password :

If you want this user to be an admin, make sure to assign the appropriate role as explained in the examples below.

Also, only after the user is assigned a role will you see it in the list of users in the UI.

On a related note, if you are running an older version of the firewall, follow these instructions to upgrade: 5 Steps to Upgrade PaloAlto PAN-OS Firewall Software from CLI or Console

3. Create New User with a Password Hash

If you are automating the user creation process, you may not want to enter the password interactively.

In that case, specify the password as a hash on the command line using the phash (password hash) option as shown below:

set mgt-config users john phash $$12345$da$78jdufadkjJBOMdkais89Bo

4. Edit an Existing user to Assign a ReadOnly Role

Once the user is created, assign a role as shown below.

In this example, we are assigning ramesh to the superreader role, which has read-only access to everything.

set mgt-config users ramesh permissions role-based superreader yes

Note: If the user is already assigned to another role, the above command will overwrite the previous role assignment and assign the new role to the user.

5. Edit an existing user – Add public key

You can also assign a public key to a user from the CLI using the public-key option, as shown below.

For simplicity, only a partial public key is shown below.

set mgt-config users john public-key jMkVBQUFBREFRQUJBQ.....QtMQ==

6. Assign Admin Role (SuperUser) to a User

The following command makes the user an admin. For this, assign the superuser role to an existing user as shown below.

set mgt-config users ramesh permissions role-based superuser yes

7. Assign User to a Password Profile

If you already have a password profile, you can assign it to a user using the password-profile option as shown below.

set mgt-config users ramesh password-profile TheGeekStuffProfile

8. View Existing Users

Use the following show mgt-config users command to view all existing users.

# show mgt-config users
users {
  admin {
    phash $$$12345abcdefghilkWhjuyjjdkj/;
    permissions {
      role-based {
        superuser yes;
      }
    }
    public-key jRMESABCEPRAM.....QaCD==;
  }
  ramesh {
    phash $$$4a1234556mbcdefjJBOMdkais89Bo;
    permissions {
      role-based {
        superuser yes;
      }
    }
  }
}

9. Delete an existing User

To remove an existing user, use the following command. The following will remove user ramesh.

delete mgt-config users ramesh

10. Remove User from a Role

If you don’t want to delete a user, but would like to remove the user from a role, use the following command without passing any role name.

set mgt-config users ramesh permissions role-based

Once you remove the role from an existing user, the user will no longer appear in the list of users in the PaloAlto web management console.

From the CLI, however, show mgt-config users will still show this user without a role, because the user itself has not been removed.
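Because a role-less account is hidden from the web UI but still present on the device, it is worth auditing the CLI output rather than the UI list. The following is an added example, not from the original article: a small Python script that parses the show mgt-config users format shown above and flags superuser accounts and accounts with no role. The sample output is constructed with placeholder hashes, and the shape of the role-less entry (an empty role-based node) is an assumption.

```python
# Constructed sample in the "show mgt-config users" format shown above.
# Hashes are placeholders; the "ramesh" entry assumes the shape left by
# "set mgt-config users ramesh permissions role-based" with no role name.
SAMPLE = """users {
  admin {
    phash $$$PLACEHOLDER-HASH-1;
    permissions {
      role-based {
        superuser yes;
      }
    }
  }
  ramesh {
    phash $$$PLACEHOLDER-HASH-2;
    permissions {
      role-based;
    }
  }
}
"""

def parse_block(lines, i=0):
    """Parse one brace block of PAN-OS config output into a dict; returns (dict, next index)."""
    node = {}
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line == "}":
            break
        if line.endswith("{"):                       # nested block: "name {"
            child, i = parse_block(lines, i)
            node[line[:-1].strip()] = child
        elif line.endswith(";"):                     # leaf: "key value;" or "key;"
            key, _, value = line[:-1].partition(" ")
            node[key] = value or None                # "role-based;" carries no value
        elif line:
            raise ValueError(f"unexpected line: {line!r}")
    return node, i

def roles_of(user):
    """Role names set to 'yes' under permissions/role-based (empty list if none)."""
    perms = user.get("permissions")
    rb = perms.get("role-based") if isinstance(perms, dict) else None
    return [r for r, flag in rb.items() if flag == "yes"] if isinstance(rb, dict) else []

def audit(text):
    """Report superusers and role-less accounts that the web UI hides but the CLI still lists."""
    tree, _ = parse_block(text.splitlines())
    users = tree.get("users", {})
    return {"superusers": [u for u, a in users.items() if "superuser" in roles_of(a)],
            "no_role": [u for u, a in users.items() if not roles_of(a)]}
```

Run audit() on the text captured from show mgt-config users; any name under no_role exists on the firewall even though the browser UI no longer lists it.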
