≡ Menu

10 Examples to Manage PaloAlto Firewall Users from PAN-OS CLI

This tutorial explains how to manage PaloAlto users from CLI.

You’ll learn about user and role related functionalities including how to create a new user, assign a role to an user, make regular user as an admin user, list all existing users, delete an user, etc.,

1. Enter PaloAlto CLI Configuration Mode

First, login to PaloAlto from CLI as shown below using ssh.

$ ssh admin@192.168.101.200
admin@PA-FW>

To manage users, go to configure mode as shown below.
admin@PA-VM> configure
Entering configuration mode
[edit]
admin@PA-VM# 

Note: After you are in the configuration mode, the prompt will change from > to # as shown above.

2. Create New User

The following will create a new user called “ramesh”. You will be prompted to enter a password for this new user.

# set mgt-config users ramesh password
Enter password   :
Confirm password :

If you want this user to be a admin, make sure to assign appropriate role as explained in the examples below.

Also, only after the user is assigned to the role, you’ll see it in the list of users in the UI

On a related note, if you are running an older version of the firewall follow this instruction to upgrade: 5 Steps to Upgrade PaloAlto PAN-OS Firewall Software from CLI or Console

3. Create New User with a Password Hash

If you are automating user creation process, you may not want to enter the password interactively.

In that case, specify the password as hash in the command line using phash (password hash) option as shown below:

set mgt-config users john phash $$12345$da$78jdufadkjJBOMdkais89Bo

4. Edit an Existing user to Assign a ReadOnly Role

Once user is created, assign a role as shown below.

In this example, we are assigning ramesh to superreader role, which will have read-only access to everything.

set mgt-config users ramesh permissions role-based superreader yes

Note: If the user is already assigned to another role, the above command will overwrite the previous role assignment and assign the new role to the user.

5. Edit an existing user – Add public key

You can also assign a public key to a user from CLI as shown below using public-key option.

Just for simplicity, only partial public-key is shown below.

set mgt-config users john public-key jMkVBQUFBREFRQUJBQ.....QtMQ==

6. Assign Admin Role (SuperUser) to a User

The following command will make the user as admin. For this, assign the superuser role to an existing user as shown below.

set mgt-config users ramesh permissions role-based superuser yes

7. Assign User to a Password Profile

If you already have a password profile, you can assign that to a user using the password-profile option as shown below.

set mgt-config users ramesh password-profile TheGeekStuffProfile

8. View Existing Users

Use the following mgt-config users command to view all existing user.

# show mgt-config users
users {
  admin {
    phash $$$12345abcdefghilkWhjuyjjdkj/;
    permissions {
      role-based {
        superuser yes;
      }
    }
    public-key jRMESABCEPRAM.....QaCD==;
  }
  ramesh {
    phash $$$4a1234556mbcdefjJBOMdkais89Bo;
    permissions {
      role-based {
        superuser yes;
      }
    }
  }
}

9. Delete an existing User

To remove an existing user, use the following command. The following will remove user ramesh.

delete mgt-config users ramesh

10. Remove User from a Role

If you don’t want to delete an user, but like to remove the user from a role, use the following command and do not pass any role name.

set mgt-config users ramesh permissions role-based

Once you remove a role from an existing user, from the PaloAlto management console, from the browser, you’ll not see the user in the list of users.

But from CLI, show mgt-config users will still show this user who don’t have a role, as the user is not removed.

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 0 comments… add one }

Leave a Comment