https://live.paloaltonetworks.com/t5/panorama-discussions/custom-admin-template-examples-for-gp-admin-and-network-engineer/m-p/441571#M484 <P>Thank you for posting question&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/2857">@PeterT</a></P> <P>&nbsp;</P> <P>I believe that Access Domain together with Custom Admin Roles can give you that level of granularity you are looking for.</P> <P>&nbsp;</P> <P>I would suggest to go to: Panorama &gt; Access Domain &gt; Add new Access Domain</P> <P>&nbsp;</P> <P>Then select Template where all Global Protest is configured, limit Device Context to Firewalls where Global Protect configuration is pushed. Below is an example:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PavelK_0-1634559483749.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37058i37C3B2784D5B26AD/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PavelK_0-1634559483749.png" alt="PavelK_0-1634559483749.png" /></span></P> <P>&nbsp;</P> <P>Then navigate to Panorama &gt; Admin Roles &gt; Add new Admin Role and limit Device Group &amp; Template only to Global Protect configuration. Below is an example:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PavelK_6-1634560634099.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37064i9895E76A6D7D7B4E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PavelK_6-1634560634099.png" alt="PavelK_6-1634560634099.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Then link Global Protest Access Domain and Admin Role together in the account. Below is an example:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PavelK_5-1634560592759.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37063iD405A0BCB722CD08/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PavelK_5-1634560592759.png" alt="PavelK_5-1634560592759.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Once the admin assigned to Global Protect role logs is, he will be able to see and manage only corresponding configuration:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PavelK_3-1634560105205.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37061i401F8424948027E6/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PavelK_3-1634560105205.png" alt="PavelK_3-1634560105205.png" /></span></P> <P>&nbsp;</P> <P>Exactly the same configuration can be replicated for Network Administrator role by changing setting in Access Domain and under Admin Role.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Mon, 18 Oct 2021 12:39:44 GMT PavelK 2021-10-18T12:39:44Z https://live.paloaltonetworks.com/t5/panorama-discussions/custom-admin-template-examples-for-gp-admin-and-network-engineer/m-p/440668#M478 <P>So recently we (as in voluntold lol) decided to get rid of our dedicated Cisco L3 devices and move the L1 (VMWire) only FW's into L3 as a "cost saving measure".&nbsp; Won't get into how much I hate this but the decision has been made. Also this entire thing is managed via Panorama so don't need "do local FW overrides of templates".&nbsp; Also virtual systems not an option in many cases as the majority are low end small site models (i.e. 800's and down) hence don't need to get into "spin up a virtual system and control it that way" discussions.</P> <P>&nbsp;</P> <P>Anyways anybody have a config snippet they want to share for setting up the following two custom admin roles?</P> <P>&nbsp;</P> <P>1) GP Admin - Needs access to the FW running GP (not all of them, just one), the ability to configure it all, maintain it, etc (via Panorama templates) but NOT anything else in Panorama or the FW.</P> <P>&nbsp;</P> <P>2) Ditto but Network Engineer - I.e. needs access to the virtual routers, L2/L3 configs, interface configs, routing tables, etc but not stuff like admin database, authentication setup, security policy or objects, etc.</P> <P>&nbsp;</P> <P>The built-in rolls are ill equipped for this and I know how do do via effective superuser via Device Templates/Admin a per FW / virtual system level but I'm looking for more fine tuned than that i.e. "Just every function GP needs and nothing more" or "Every function a network engineer would need to treat the PA like a L3 device but nothing more"</P> Wed, 13 Oct 2021 23:31:41 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/custom-admin-template-examples-for-gp-admin-and-network-engineer/m-p/440668#M478 PeterT 2021-10-13T23:31:41Z https://live.paloaltonetworks.com/t5/panorama-discussions/custom-admin-template-examples-for-gp-admin-and-network-engineer/m-p/441571#M484 <P>Thank you for posting question&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/2857">@PeterT</a></P> <P>&nbsp;</P> <P>I believe that Access Domain together with Custom Admin Roles can give you that level of granularity you are looking for.</P> <P>&nbsp;</P> <P>I would suggest to go to: Panorama &gt; Access Domain &gt; Add new Access Domain</P> <P>&nbsp;</P> <P>Then select Template where all Global Protest is configured, limit Device Context to Firewalls where Global Protect configuration is pushed. Below is an example:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PavelK_0-1634559483749.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37058i37C3B2784D5B26AD/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PavelK_0-1634559483749.png" alt="PavelK_0-1634559483749.png" /></span></P> <P>&nbsp;</P> <P>Then navigate to Panorama &gt; Admin Roles &gt; Add new Admin Role and limit Device Group &amp; Template only to Global Protect configuration. Below is an example:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PavelK_6-1634560634099.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37064i9895E76A6D7D7B4E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PavelK_6-1634560634099.png" alt="PavelK_6-1634560634099.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Then link Global Protest Access Domain and Admin Role together in the account. Below is an example:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PavelK_5-1634560592759.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37063iD405A0BCB722CD08/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PavelK_5-1634560592759.png" alt="PavelK_5-1634560592759.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Once the admin assigned to Global Protect role logs is, he will be able to see and manage only corresponding configuration:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PavelK_3-1634560105205.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37061i401F8424948027E6/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PavelK_3-1634560105205.png" alt="PavelK_3-1634560105205.png" /></span></P> <P>&nbsp;</P> <P>Exactly the same configuration can be replicated for Network Administrator role by changing setting in Access Domain and under Admin Role.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Mon, 18 Oct 2021 12:39:44 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/custom-admin-template-examples-for-gp-admin-and-network-engineer/m-p/441571#M484 PavelK 2021-10-18T12:39:44Z