Palo Alto Firewall – Managment Configuration and Admin Roles


 Commit Operation:

Granular commit is possible

Tasks window shows jobs in progress

Compress the candidate configuration to the running configuration

Validates the changes before the configurations are applied to the firewall.

Transaction Locks :

Blocks other administrators from committing changes until all of the locks have been released.

These types of locks are supported:

Config lock blocks other administrators from making changes to the configuration. The lock is set globally or for a specific vsys.

commit lock blocks other administrators from committing changes until all of the locks have been released.

These locks are used to prevents collisions that can occurs when two administrators are making change at the same time.

Any administrator can open the Locks window to display the current locks with a timestamp for each. Only the same administrator or a super user administrator are able to release the lock on the system.

Automatically Acquire Commit Lock : a new admin that logs in cal automatically acquire the commit lock.

Device > Setup > Management > General Settings


Commit Queuing :

Configuration commit request can be queued to occurs sequentially, if two or more commits are issued at the same time , the commits are queued on a first come, first serve (FIFO) basis and then are executed one at a time.

Configuration Management :

You can save roll back (restore) the candidate configuration as often as needed and you can load, validate, import, and export configuration.

Device > Setup > Operations


Configuration Management :  Auditing

Use the config Audit page to compare configuration files. From the drop-down lists, select the configuration to compare.  Select the number of lines to be included for context and click Go. The system presents the configuration and highlights the differences.

The colour coding indicates the type of the change in the comparison :

Red: Indicates a deletion

Yellow: Indicates a change

Green: Indicates an addition

Note: You should perform a configuration audit on the running and candidate configurations before a commit to visually verify the changes that will be made to the firewall.

Device -> Config Audit



Reset to Factory Configuration:

Before you can reset the system to factory default, the firewall must enter maintenance mode. To enter maintenance mode, reboot the box, As the system is booting up, type the word “maint” into CLI through the console port, After some time, you can choose an option to have the system reset to default, including the default admin password.

After system reset you must configure the MGT port IP address through the serial port CLI.

Use the “ set deviceconfig system ip=-address <IP> netmask <mask> default-gateway <IP>” command.

With Admin User password:

  • Erase all logs
  • Resets all settings – including IP addressing, which causes loss of connectivity
  • Saves a default configuration after the MGT IP address is changed

> “request system private-data-reset”

Without admin User password:

  • From the console port
  • Type “maint” during bootup

Choose Reset to Factory Default or load another configuration into running memory.

Licensing and software Updates:

Activate the firewall :

  1. Register with Palo Alto Networks:
    • Obtain the serial number from the firewall dashboard.
    • Log in to
    • Select the Assets option
    • Enter the assigned serial number and register the device.
  2. Activate Licenses
  3. Manage content updates which include the latest application and threat signature and URL filtering database
  4. Install software updates.

Activate the VM-Series Firewall :

  1. Register with Palo Alto Networks:
  2. Select Activate future using the authentication code to download VM-Series License
  3. Manage Content updates
  4. Install software updates


Software Licenses :

The Palo Alto Networks firewall features are licensed individually. You can activate just the functionally the is required for implementation. Currently licensed feature are displayed in the  Device > Licenses

Feature requiring a licenses :

  • Threat prevention
  • WildFire
  • URL filtering database
  • Virtual system (vsys)
  • Decryption port mirroring
  • GlobalProtect Gateway
  • AutoFocus

The Palo Alto Networks firewall software license. This on-demand license option enables the customer to purchase the hardware and software as two separate items.

Support License: The firewall also must have a valid support license. The support license entitles access to the support portal, where trouble tickets can be submitted to the Technical Assistance Center (TAC).

The support license also enables you to received product and security alerts from Palo Alto Networks based on the serial number of your firewall.


Dynamic Updates:

Palo Alto Networks posts updates with new or revised application definitions, information about new security threats (such as anti virus signatures and URL filtering criteria), and updates to GlobalProtect data.

You can view the latest updates, read the released noes for each update, and then select an update to download and install.

You must have a threat prevention license before you can download application and threat updates.

Update are issued on the following schedule:

  • Antivirus : Daily
  • Applications and threats: Weekly
  • BrightCloud URL Filtering: Daily

On the Dynamic Update page, you may see two entries listed in the Application and Threat, Antivirus, or URL Filtering area, one for the currently installed version and one for the latest version available on the update server. If the latest version is already installed, only a single entry is listed.

PAN-OS Software Updates:

  • Upgrade to a new released of the PAN-OS software from Device > Software.
  • Select Check Now to display the latest software versions available. Read the release notes for each version, then select the version to download and install. A support license is required for the download. The management interface must be configured with DNS servers to resolve the name of Palo Alto Networks update server.
  • Software update requires firewall reboot.
  • If you want to upgrade to a maintenance release directly from a previous major version ( For example 6.1.9 to 7.0.1), you must download the .0 release before you install the maintenance release. For example: to upgrade from 6.1.9 to 7.0.1, download 7.0.0 and 7.0.1. But install only the maintenance release (7.0.1). The major release (7.0.0) is installed automatically.
  • Before upgrading the firewall software, make sure that the firewall is running the most recent version of the Application and Threat updates. If the current update is not running, the software installation will fail.


Rapid Mass Deployment:

  • When the firewall is at factory-default, it can bootstrap from an external virtual or physical USB device.
  • Without contacting the update server, the firewall can now perform:
  • Licensing
  • Content and software updates
  • Addressing
  • System configuration
  • Connection to Panorama
  • The firewall can now boot up and connect itself to the network and to a Panorama management server.

Power Operations :

The firewall can be shut down gracefully or rebooted from the WebUI. Either action deletes the candidate configuration in memory, so be sure to save or commit to preserve the changes.

To manage the firewall from the CLI, use the following commands:

> request restart system

  > request shutdown system

  > request restart Dataplane

The firewall need to physically power up after shutting down as MGT interface also down.


Account Administration:

  • Multiple administrators accounts can access the firewall.
  • Each administrator account can be assigned a role with specific abilities
  • Local authentication is available on the firewall.

Other supported authentication methods:

*RADIUS  *LDAP  *Active Directory   *Kerberos  *TACACS+  *User certificates

  • Administrator actions are logged n the configuration and system logs
  • Use transition locks when multiple administrators are configure the system.
  • By default, only the predefined admin account has access to the firewall.
  • Administrator accounts can be added to the firewall for delegation and accounting purposes.


Administrator Roles:

Roles define the type of success an administrator has on the firewall:

Dynamic Roles: built-in roles such as superuser and device administrator

Admin Role Profiles: Custom-made roles

Device > Admin Roles

An admin role has three parts: The WebUI permissions, The XML AP permissions, and the CLI permissions.

Access levels are set in the Admin Role profile. The sections on the navigation tree can be configured to Enable, Read Only, and Disabled, On the WebUI tab, all options are set to Enable by default. For the XML API, only Enable and Disable are available, and they are disabled by default.

CLI users rights are defined using the built-in roles. No customization of these roles is allowed. The built-in roles are:

None: No access granted to the CLI.

superuser: All access to all options of the derives.

superreader: Read-only access to all options of the device.

deviceadmin: Same as superuser, except for creation of administrative accounts.

devicereader: Same as superreader, except for administrative account creation.

vsysadmin: Full access to vsys

vsysreader: Read-only access to vsys.



Useful Links :

Register Firewall

Activate Licenses and Subscriptions

Install Content and Software Updates

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: