https://live.paloaltonetworks.com/t5/general-topics/ha-panorama-active-standby-deployment-read-only-access-only-to/m-p/560570#M113626 <P>Hi there, thanks a lot for your answer!&nbsp;</P> <P>&nbsp;</P> <P>Really appreciate your ideas! And yes, I really want to have them restricted to the standby Panorama server as we have a lot of admin users already, and don´t want all of them accessing the prod panorama as it´s affecting the overall performance of the platform.&nbsp;</P> <P>&nbsp;</P> <P>Thanks again!</P> Wed, 04 Oct 2023 18:06:23 GMT BondonI 2023-10-04T18:06:23Z https://live.paloaltonetworks.com/t5/general-topics/ha-panorama-active-standby-deployment-read-only-access-only-to/m-p/559920#M113545 <P>Hi all,&nbsp;</P> <P>&nbsp;</P> <P>I have an environment with a lot of people wanting to get live traffic logs and policy rules for troubleshooting purposes, audit, etc., so we are thinking about to get all the read only admins connected only to the Standby web GUI and not to the active one and I´m not finding a way to get this done. We want to prevent this active panorama server connections to avoid resources overload on the active server do to many read only admins pushing traffic logs and policies at the same time, delaying the real administration tasks.&nbsp; &nbsp;</P> <P>&nbsp;</P> <P>As the standby is also getting all traffic logs and policy rules, we would like to give the read only admins access only to it.</P> <P>&nbsp;</P> <P>Does someone knows if there is a way to accomplish this?&nbsp;</P> <P>&nbsp;</P> <P>Thanks in advance!&nbsp;</P> Thu, 28 Sep 2023 18:44:05 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-panorama-active-standby-deployment-read-only-access-only-to/m-p/559920#M113545 BondonI 2023-09-28T18:44:05Z https://live.paloaltonetworks.com/t5/general-topics/ha-panorama-active-standby-deployment-read-only-access-only-to/m-p/560337#M113591 <P>you could start simply by drafting a user policy for the admins, directing them to only connect to panorama A or B, depending on their role, and adding a banner to the logon page reminding the admin they are logging on to the 'readonly' or the 'admin' panorama and should mind if this is the right one for them.&nbsp;</P> <P>&nbsp;</P> <P>the accounts are all synchronized across both panoramas, so it's not possible to have an account only on one panorama.</P> <P>a few 'ideas'</P> <P>-you could limit the source addresses allowed to connect to each panorama, or set up a jump host with only one panorama bookmarked in a locked down browser</P> <P>-set the accounts to remote authentication via radius or tacacs+ and set a client IP (ip for panorama a or b) restriction policy on the authentication server (i.e. so a given username is only allowed to authenticate from the IP from panorama B)</P> <P>&nbsp;</P> <P>before you tackle the technical solutions, consider if there a real need to block these admins or do you simply want a better 'spread'</P> Tue, 03 Oct 2023 09:16:18 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-panorama-active-standby-deployment-read-only-access-only-to/m-p/560337#M113591 reaper 2023-10-03T09:16:18Z https://live.paloaltonetworks.com/t5/general-topics/ha-panorama-active-standby-deployment-read-only-access-only-to/m-p/560570#M113626 <P>Hi there, thanks a lot for your answer!&nbsp;</P> <P>&nbsp;</P> <P>Really appreciate your ideas! And yes, I really want to have them restricted to the standby Panorama server as we have a lot of admin users already, and don´t want all of them accessing the prod panorama as it´s affecting the overall performance of the platform.&nbsp;</P> <P>&nbsp;</P> <P>Thanks again!</P> Wed, 04 Oct 2023 18:06:23 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-panorama-active-standby-deployment-read-only-access-only-to/m-p/560570#M113626 BondonI 2023-10-04T18:06:23Z