https://live.paloaltonetworks.com/t5/general-topics/panorama-restrict-firewall-log-access/m-p/4026#M2974 <HTML><HEAD></HEAD><BODY><P>If by subdomains, do you mean how to restrict access for the admins to see logs on&nbsp; the firewalls in a specific device groups? </P><P></P><P>Refer the below document, that explains how to restrict manageable firewall access to admins</P><P></P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-3106">https://live.paloaltonetworks.com/docs/DOC-3106</A></P><P></P><P>You can restrict access to a device groups or to individual firewalls themselves. The doc shows device groups. The below snapshot shows restricting the admin to firewalls.</P><P><IMG alt="panorama access.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7659_panorama access.JPG" width="450" /></P><P></P><P>You can then select an admin role profile, and limit the access to only the logs as shown below:</P><P><IMG alt="panorama access-2.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7660_panorama access-2.JPG" width="450" /></P><P></P><P>And use this admin role profile under the admin.</P><P></P><P></P><P>Hope this helps.</P><P></P><P>BR,</P><P>Karthik </P></BODY></HTML> Tue, 13 Aug 2013 12:39:39 GMT kprakash 2013-08-13T12:39:39Z https://live.paloaltonetworks.com/t5/general-topics/panorama-restrict-firewall-log-access/m-p/4025#M2973 <HTML><HEAD></HEAD><BODY><P>Does anyone know if there is a way to create admins in Panorama for specific subdomains AND restrict their access to only the logs for the firewalls in that subdomain? I want to give access to users for only their FW logs and not let them see all of the other FW logs. So far my testing has resulted in this not being possible, but wanted to see if anyone figured out a way that i just missed.</P><P></P><P>Thanks!</P></BODY></HTML> Tue, 13 Aug 2013 12:14:32 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-restrict-firewall-log-access/m-p/4025#M2973 chrisp 2013-08-13T12:14:32Z https://live.paloaltonetworks.com/t5/general-topics/panorama-restrict-firewall-log-access/m-p/4026#M2974 <HTML><HEAD></HEAD><BODY><P>If by subdomains, do you mean how to restrict access for the admins to see logs on&nbsp; the firewalls in a specific device groups? </P><P></P><P>Refer the below document, that explains how to restrict manageable firewall access to admins</P><P></P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-3106">https://live.paloaltonetworks.com/docs/DOC-3106</A></P><P></P><P>You can restrict access to a device groups or to individual firewalls themselves. The doc shows device groups. The below snapshot shows restricting the admin to firewalls.</P><P><IMG alt="panorama access.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7659_panorama access.JPG" width="450" /></P><P></P><P>You can then select an admin role profile, and limit the access to only the logs as shown below:</P><P><IMG alt="panorama access-2.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7660_panorama access-2.JPG" width="450" /></P><P></P><P>And use this admin role profile under the admin.</P><P></P><P></P><P>Hope this helps.</P><P></P><P>BR,</P><P>Karthik </P></BODY></HTML> Tue, 13 Aug 2013 12:39:39 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-restrict-firewall-log-access/m-p/4026#M2974 kprakash 2013-08-13T12:39:39Z https://live.paloaltonetworks.com/t5/general-topics/panorama-restrict-firewall-log-access/m-p/4027#M2975 <HTML><HEAD></HEAD><BODY><P>This will work if you want to restrict log access when context switch occurs while the admin is logged in locally to a device though Panorama.</P><P></P><P>The other request to restrict access without a context switch while inside the Panorama Monitor tab is a current feature request. We are tracking this request as we move forward to plan future releases. Please follow up with your SE to add to the FR if you have not already.</P></BODY></HTML> Tue, 13 Aug 2013 15:08:22 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-restrict-firewall-log-access/m-p/4027#M2975 mschuricht 2013-08-13T15:08:22Z https://live.paloaltonetworks.com/t5/general-topics/panorama-restrict-firewall-log-access/m-p/4028#M2976 <HTML><HEAD></HEAD><BODY><P>Your last comments regarding Panorama Monitor tab (not contect switching) are exactly where i was going with my question. I don't believe we have submitted that request, but I will now. <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> Thanks for the reply.</P></BODY></HTML> Tue, 13 Aug 2013 15:14:57 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-restrict-firewall-log-access/m-p/4028#M2976 chrisp 2013-08-13T15:14:57Z https://live.paloaltonetworks.com/t5/general-topics/panorama-restrict-firewall-log-access/m-p/4029#M2977 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If for you sub domain is device group, previous answer are ok but if per device you can have many domain, you have to go through custom report. With query, if users are authenticated or maybe per subnet, you can create the right report for the right person <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Hope help.</P><P></P><P>V.</P></BODY></HTML> Tue, 13 Aug 2013 15:35:07 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-restrict-firewall-log-access/m-p/4029#M2977 VinceM 2013-08-13T15:35:07Z