topic Re: Limited CLI Rights in General Topics

Limited CLI Rights

edroche3rd — Tue, 04 Feb 2025 18:38:14 GMT

Howdy All!

We are in need of finding a way to give a help desk individual limited access to the CLI to run a Python script to clear addresses from the DoS Blocked-Table. The 2 commands it is running is the

debug dataplane show dos block-table
debug dataplane reset dos zone <zone> block-table source <ip address>

What I have found so far at a high level is either full, read, or none. Any thoughts or ideas please feel free to respond.

Thank you in advance!

Re: Limited CLI Rights

Brandon_Wertz — Wed, 05 Feb 2025 15:00:32 GMT

@edroche3rd wrote:

Howdy All!

We are in need of finding a way to give a help desk individual limited access to the CLI to run a Python script to clear addresses from the DoS Blocked-Table. The 2 commands it is running is the

debug dataplane show dos block-table

debug dataplane reset dos zone <zone> block-table source <ip address>

What I have found so far at a high level is either full, read, or none. Any thoughts or ideas please feel free to respond.

Thank you in advance!

Ed

This isn't too difficult of a task, but you'd need to create and use a TACAS+ authentication method. Using TACACS+ you can specify what commands can be executed. However you'd first need a TACACS+ device capable auth server, like ISE or Clearpass. If you have either of these things, then the request is simple. Without it I don't think Palo has an built in RBAC capability to do what you're asking.

Re: Limited CLI Rights

nohash4u — Wed, 05 Feb 2025 15:24:49 GMT

Perhaps not as granular, but could you not also setup XML API access for a specific account?

@edroche3rd for reference, here is some additional documentation:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-an-admin-role-profile#id168f0789-fa2d-49f7-bd3a-8b37b306ad42

Re: Limited CLI Rights

BPry — Wed, 05 Feb 2025 22:30:44 GMT

@edroche3rd,

I don't think you'll find an "easy" way to do this. Either you grant that permission via TACACS+ as @Brandon_Wertz mentioned or create a script to do it that you would then give your helpdesk staff the ability to run.The XML API permissions themselves are a bit more restrictive, but you would still be granting them the ability to issue any operational request. Since we're talking about debug commands here, none of the built-in capability solely through PAN is going to really fit the bill.

I'd kind of question if DoS is tuned properly if this is something that is being ran into enough that it's not a rare enough occurrence that helpdesk is seeking to do it themselves. If you're seeing regular violations of your limits, they may just be set a bit too low if they're regularly being surpassed by "real" clients.

I'll just caution that doing this "properly" to not over provision access and limiting the ability to just this simple task isn't without issue. The TACACS+ method is going to provide the most amount of flexibility in allowing exactly what you want them to do outside of taking the time to script it and have the helpdesk run the script from a secure platform. I personally wouldn't want to give the ability to run operational commands directly to helpdesk staff; there's quite a bit of risk in those credentials getting out to more people.

Re: Limited CLI Rights

edroche3rd — Thu, 06 Feb 2025 17:44:34 GMT

Hi All!

Thank you for sharing your ideas and thoughts.

@Brandon_Wertz we do have a ISE device that we use for our Cisco devices currently. I wasn't sure if ISE would work with other manufactures but to be able to restrict to specific commands makes this the ideal way.

@nohash4u I did go looking down the API rabbit hole but was unable to find the proper command to view and clear the table.

@BPry We have the script created already and the permission part is the last step. We have tuned it at this point as well and not seeing as many as we were when first implementing. Since we already have an ISE device this will definitely be the best way to go.

Thanks again for the replies they were much appriciated.