Palo Alto Firewall Admins

I've been studying for my PCNSA from Palo Alto, and one topic that has come up is the types of administrators. By default, when you first set up a Palo Alto firewall there is only one account, the built-in superuser named admin. Sharing that single account is not good practice, especially when multiple people will be configuring the firewall, because the configuration and system logs record only the administrator name that committed a change, so you cannot tell which person actually made it.

When you create an administrator in PAN-OS you specify a username, how the account authenticates (a local password, optionally governed by a password profile, or an authentication profile that points at an external service such as LDAP or RADIUS), and then the administrator type. There are two administrator types: dynamic and role-based. For role-based, the three predefined roles are auditadmin, cryptoadmin and securityadmin, or you can create your own admin role profile with exactly the permissions you want to grant. Dynamic administrators get one of six built-in roles: superuser, superuser with read-only permissions, device admin, device admin with read-only permissions, virtual system admin, and virtual system admin with read-only permissions. There are some key differences between these six roles.

Superuser: Has complete access to the firewall. Only a superuser can create new administrator accounts and virtual systems.

Superuser (read-only): Has read-only access to the entire firewall.

Device admin: Has full access to all firewall settings, but cannot define new administrator accounts or virtual systems.

Device admin (read-only): Has read-only access to all firewall settings, except that it cannot see password profiles and can only see its own administrator account, not the others.

Virtual system admin: Has full access only to the virtual systems assigned to it, so it can create and manage the policy and objects of those vsys. It has no access to network configuration (interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, DHCP, DNS proxy, QoS, LLDP or network profiles).

Virtual system admin (read-only): Has read-only access to the virtual systems assigned to it, and cannot view the network configuration at all.
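To make the difference between these roles concrete, here is an added Python example (my own, not code from the study guide or from Palo Alto Networks) that audits the administrator accounts in an exported PAN-OS configuration and reports the things the paragraphs above warn about: a firewall still running on the default admin account alone, more than one superuser, and write-capable accounts that use only a local password. The sample XML is constructed to mirror the `mgt-config/users` section of a PAN-OS config export; the element names used for each dynamic role (`superuser`, `superreader`, `deviceadmin`, `devicereader`, `vsysadmin`, `vsysreader`, `custom/profile`) are an assumption based on the PAN-OS config schema and should be checked against a real export before the script is trusted on production configs.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the <mgt-config><users> section of a
# PAN-OS configuration export. The element names under <role-based> are
# assumed from the PAN-OS schema; verify them against a real export.
SAMPLE_CONFIG = """<config>
  <mgt-config>
    <users>
      <entry name="admin">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="alice">
        <authentication-profile>corp-ldap</authentication-profile>
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="bob">
        <permissions><role-based><deviceadmin>yes</deviceadmin></role-based></permissions>
      </entry>
      <entry name="carol">
        <permissions><role-based><vsysreader><entry name="vsys1"/></vsysreader></role-based></permissions>
      </entry>
      <entry name="dave">
        <permissions><role-based><custom><profile>auditadmin</profile></custom></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
</config>"""

# Constructed sample of a freshly set-up firewall: only the default account.
DEFAULT_ONLY_CONFIG = """<config><mgt-config><users>
  <entry name="admin"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
</users></mgt-config></config>"""

# Dynamic role element name -> (label, can the role change configuration?)
DYNAMIC_ROLES = {
    "superuser":    ("Superuser", True),
    "superreader":  ("Superuser (read-only)", False),
    "deviceadmin":  ("Device administrator", True),
    "devicereader": ("Device administrator (read-only)", False),
    "vsysadmin":    ("Virtual system administrator", True),
    "vsysreader":   ("Virtual system administrator (read-only)", False),
}


def classify_admin(entry):
    """Describe one <entry> under mgt-config/users as a dict."""
    name = entry.get("name")
    auth_profile = entry.findtext("authentication-profile")  # None -> local password
    role_based = entry.find("permissions/role-based")
    role, can_write, vsys = "unknown", None, []
    if role_based is not None:
        for elem in role_based:
            if elem.tag in DYNAMIC_ROLES:
                role, can_write = DYNAMIC_ROLES[elem.tag]
                # vsys-scoped roles list the virtual systems they are limited to
                vsys = [v.get("name") for v in elem.findall("entry")]
                break
            if elem.tag == "custom":
                # Role-based admin: permissions come from the named admin role
                # profile, so write capability cannot be decided from this entry.
                role = "Custom: " + (elem.findtext("profile") or "?")
                can_write = None
                break
    return {"name": name, "role": role, "can_write": can_write,
            "vsys": vsys, "auth_profile": auth_profile}


def audit_admins(config_xml):
    """Return (list of admin dicts, list of finding strings)."""
    root = ET.fromstring(config_xml)
    admins = [classify_admin(e) for e in root.findall("mgt-config/users/entry")]
    findings = []
    superusers = [a["name"] for a in admins if a["role"] == "Superuser"]
    if len(superusers) > 1:
        findings.append("multiple superusers: " + ", ".join(superusers))
    if len(admins) == 1 and admins[0]["name"] == "admin":
        findings.append("only the default admin account exists; "
                        "changes cannot be attributed to a person")
    for a in admins:
        if a["can_write"] and a["auth_profile"] is None and a["name"] != "admin":
            findings.append(f"{a['name']} can change config but uses a local password only")
    return admins, findings


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, DEFAULT_ONLY_CONFIG):
        admins, findings = audit_admins(cfg)
        for a in admins:
            scope = f" on {', '.join(a['vsys'])}" if a["vsys"] else ""
            print(f"{a['name']:8} {a['role']}{scope}")
        for f in findings:
            print("FINDING:", f)
        print("---")
```

Running the script on the constructed sample lists each account with its role and vsys scope, then reports that both admin and alice are superusers and that bob can change the configuration with only a local password; on the default-only sample it reports the single shared admin account. The custom role (dave) is deliberately left undecided, because what a role-based admin can do depends entirely on the admin role profile it references.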

Resources: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide.pdf