10 Examples for Managing PAN-OS CLII PaloAlto Firewall Users

This tutorial explains handle PaloAlto customers from CLI.

You’ll study person and position associated functionalities together with create a brand new person, assign a job to an person, make common person as an admin person, record all current customers, delete an person, and many others.,

1. Enter PaloAlto CLI Configuration Mode

First, login to PaloAlto from CLI as proven beneath utilizing ssh.

$ ssh [email protected]
[email protected]>

To handle customers, go to configure mode as proven beneath.
[email protected]> configure
Getting into configuration mode
[email protected]#

Observe: After you might be within the configuration mode, the immediate will change from > to # as proven above.

2. Create New Consumer

The next will create a brand new person known as “ramesh”. You can be prompted to enter a password for this new person.

# set mgt-config customers ramesh password
Enter password :
Verify password :

In order for you this person to be a admin, be sure to assign acceptable position as defined within the examples beneath.

Additionally, solely after the person is assigned to the position, you’ll see it within the record of customers within the UI

On a associated observe, in case you are working an older model of the firewall observe this instruction to improve: 5 Steps to Improve PaloAlto PAN-OS Firewall Software program from CLI or Console

3. Create New Consumer with a Password Hash

If you’re automating person creation course of, you might not wish to enter the password interactively.

In that case, specify the password as hash within the command line utilizing phash (password hash) choice as proven beneath:

set mgt-config customers john phash $$12345$da$78jdufadkjJBOMdkais89Bo

4. Edit an Current person to Assign a ReadOnly Function

As soon as person is created, assign a job as proven beneath.

On this instance, we’re assigning ramesh to superreader position, which can have read-only entry to every thing.

set mgt-config customers ramesh permissions role-based superreader sure

Observe: If the person is already assigned to a different position, the above command will overwrite the earlier position task and assign the brand new position to the person.

5. Edit an current person – Add public key

It’s also possible to assign a public key to a person from CLI as proven beneath utilizing public-key choice.

Only for simplicity, solely partial public-key is proven beneath.

set mgt-config customers john public-key jMkVBQUFBREFRQUJBQ…..QtMQ==

6. Assign Admin Function (SuperUser) to a Consumer

The next command will make the person as admin. For this, assign the superuser position to an current person as proven beneath.

set mgt-config customers ramesh permissions role-based superuser sure

7. Assign Consumer to a Password Profile

If you have already got a password profile, you’ll be able to assign that to a person utilizing the password-profile choice as proven beneath.

set mgt-config customers ramesh password-profile TheGeekStuffProfile

8. View Current Customers

Use the next mgt-config customers command to view all current person.

# present mgt-config customers
customers {
admin {
phash $$$12345abcdefghilkWhjuyjjdkj/;
permissions {
superuser sure;

public-key jRMESABCEPRAM…..QaCD==;
ramesh {
phash $$$4a1234556mbcdefjJBOMdkais89Bo;
permissions {
superuser sure;


9. Delete an current Consumer

To take away an current person, use the next command. The next will take away person ramesh.

delete mgt-config customers ramesh

10. Take away Consumer from a Function

In the event you don’t wish to delete an person, however prefer to take away the person from a job, use the next command and don’t move any position identify.

set mgt-config customers ramesh permissions role-based

When you take away a job from an current person, from the PaloAlto administration console, from the browser, you’ll not see the person within the record of customers.

However from CLI, present mgt-config customers will nonetheless present this person who don’t have a job, because the person shouldn’t be eliminated.

In the event you loved this text, you may also like..



palo alto security policy rule cli,palo alto cli cheat sheet,palo alto show nat translations cli,set cli config-output-format set,palo alto shared objects,palo alto firewall rule analyzer,panorama cli commands,panorama commit and push cli,set deviceconfig system type dhcp-client,palo alto management interface dhcp,palo alto panorama cli reference,show config pushed-shared-policy,globalprotect vpn client command line,globalprotect command line mac,globalprotect cli linux,palo alto cli match multiple,palo alto globalprotect usage report,show vpn user palo alto,cookie authentication for config refresh,palo alto authentication policy,setauthenticationprofile servicenow,palo alto authentication profile ldap group,palo alto management authentication profile,globalprotect portal authentication profile,palo alto secure client communication,palo alto device certificate,palo alto cannot access web gui,ssl/tls service profile palo alto,install ssl certificate palo alto,palo alto no valid device certificate found,palo alto admin guide (8.1 pdf),palo alto configuration step by step,palo alto study guide,palo alto cli commands pdf,palo alto firewall troubleshooting guide,palo alto firewall tutorial for beginners,palo alto firewall self study guide pdf,palo alto firewall book,let's learn palo alto ngfw pdf,iron skillet template,first step when deploying prisma access,pan-configurator,palo alto policies xml,palo alto how to export configuration,palo alto export device state,palo alto cli commands,how to check snmp configuration in palo alto cli,palo alto 8.1 cli commands,palo alto cli troubleshooting commands,show running config palo alto cli,palo alto show address group cli