

10 Examples to Manage PaloAlto Firewall Users from PAN-OS CLI
source link: https://www.thegeekstuff.com/2020/09/paloalto-user-management/


This tutorial explains how to manage PaloAlto users from CLI.
You’ll learn about user and role related functionality, including how to create a new user, assign a role to a user, make a regular user an admin user, list all existing users, delete a user, etc.
1. Enter PaloAlto CLI Configuration Mode
First, log in to PaloAlto from the CLI using ssh as shown below.
$ ssh [email protected]
admin@PA-FW>
To manage users, go to configure mode as shown below.
admin@PA-VM> configure
Entering configuration mode
[edit]
admin@PA-VM#
Note: After you are in the configuration mode, the prompt will change from > to # as shown above.
2. Create New User
The following will create a new user called “ramesh”. You will be prompted to enter a password for this new user.
# set mgt-config users ramesh password
Enter password :
Confirm password :
If you want this user to be an admin, make sure to assign the appropriate role as explained in the examples below.
Also, the user will appear in the list of users in the UI only after a role has been assigned.
On a related note, if you are running an older version of the firewall follow this instruction to upgrade: 5 Steps to Upgrade PaloAlto PAN-OS Firewall Software from CLI or Console
3. Create New User with a Password Hash
If you are automating the user creation process, you may not want to enter the password interactively.
In that case, specify the password as a hash on the command line using the phash (password hash) option as shown below:
set mgt-config users john phash $$12345$da$78jdufadkjJBOMdkais89Bo
4. Edit an Existing user to Assign a ReadOnly Role
Once the user is created, assign a role as shown below.
In this example, we are assigning ramesh to superreader role, which will have read-only access to everything.
set mgt-config users ramesh permissions role-based superreader yes
Note: If the user is already assigned to another role, the above command will overwrite the previous role assignment and assign the new role to the user.
5. Edit an existing user – Add public key
You can also assign a public key to a user from the CLI using the public-key option as shown below.
For simplicity, only a partial public key is shown below.
set mgt-config users john public-key jMkVBQUFBREFRQUJBQ.....QtMQ==
6. Assign Admin Role (SuperUser) to a User
The following command will make the user an admin. For this, assign the superuser role to an existing user as shown below.
set mgt-config users ramesh permissions role-based superuser yes
7. Assign User to a Password Profile
If you already have a password profile, you can assign that to a user using the password-profile option as shown below.
set mgt-config users ramesh password-profile TheGeekStuffProfile
8. View Existing Users
Use the following mgt-config users command to view all existing users.
# show mgt-config users
users {
  admin {
    phash $$$12345abcdefghilkWhjuyjjdkj/;
    permissions {
      role-based {
        superuser yes;
      }
    }
    public-key jRMESABCEPRAM.....QaCD==;
  }
  ramesh {
    phash $$$4a1234556mbcdefjJBOMdkais89Bo;
    permissions {
      role-based {
        superuser yes;
      }
    }
  }
}
9. Delete an existing User
To remove an existing user, use the following command. The following will remove user ramesh.
delete mgt-config users ramesh
10. Remove User from a Role
If you don’t want to delete a user, but would like to remove the user from a role, use the following command and do not pass any role name.
set mgt-config users ramesh permissions role-based
Once you remove a role from an existing user, you’ll no longer see the user in the list of users in the PaloAlto management console in the browser.
But from the CLI, show mgt-config users will still show this user, who no longer has a role, because the user itself has not been removed.
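The following Python script is an added example, not part of the original article. It parses saved output in the show mgt-config users format from step 8 and reports, per account, the assigned roles, whether the account is a superuser, whether it has no role (the case from step 10 that the web UI hides), and whether a public key is set. The sample output is constructed, and the shape of a role-less entry (no permissions block, or an empty role-based entry) is an assumption.

```python
import re

# Constructed sample in the format of "show mgt-config users" (not real hashes/keys).
SAMPLE = """
users {
  admin {
    phash CONSTRUCTED-HASH-1;
    permissions { role-based { superuser yes; } }
    public-key CONSTRUCTED-KEY;
  }
  ramesh {
    phash CONSTRUCTED-HASH-2;
    permissions { role-based { superreader yes; } }
  }
  john {
    phash CONSTRUCTED-HASH-3;
  }
}
"""

def parse_block(tokens):
    """Parse 'name { ... }' and 'name value;' entries up to the closing brace."""
    node, words = {}, []
    for tok in tokens:
        if tok == "{":                      # nested section: recurse on the same iterator
            node[" ".join(words)] = parse_block(tokens)
            words = []
        elif tok == ";":                    # leaf: first word is the key, rest is the value
            if words:
                node[words[0]] = " ".join(words[1:])
            words = []
        elif tok == "}":
            return node
        else:
            words.append(tok)
    return node

def audit_users(cli_output):
    """Return {user: {roles, superuser, no_role, has_public_key}}."""
    tree = parse_block(iter(re.findall(r"[{};]|[^\s{};]+", cli_output)))
    report = {}
    for name, cfg in tree.get("users", {}).items():
        perms = cfg.get("permissions", {})
        roles = perms.get("role-based", {}) if isinstance(perms, dict) else {}
        active = sorted(r for r, v in roles.items() if v == "yes") if isinstance(roles, dict) else []
        report[name] = {"roles": active, "superuser": "superuser" in active,
                        "no_role": not active, "has_public_key": "public-key" in cfg}
    return report

if __name__ == "__main__":
    for user, facts in audit_users(SAMPLE).items():
        print(user, facts)
```

Run it against a saved copy of the CLI output to find accounts that still exist without a role and to review who holds superuser.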