Is possible create a custom admin role with a specific filter?

aromero — Tue, 16 Jun 2015 15:08:00 GMT

This question is for administration of PANORAMA and PALOALTO.

I want to know, if is possible to create a custom admin role with a specific filter. For example, If I make a admin role for vsys or device group and check Monitor-Logs-Threats I want to that the users of this role only can view the logs of virus and wildfire, and the other threats the can not view.

Is possible to custom at this level?

Thanks

Angel R

Re: Is possible create a custom admin role with a specific filter?

pulukas — Sat, 20 Jun 2015 10:23:34 GMT

Panorama cannot distinguish vsys level users and as of PanOS 6.1 you do not have the option to restrict users by device group. I've not used PanOS 7 to see if they are added.

This would be a feature request you could discuss with your sales engineer. If there is an existing request you can vote for it if this is new he can create a feature request and give you the number. Once you have the FR number post it on the forums to encourage others to vote too.

Re: Is possible create a custom admin role with a specific filter?

aromero — Fri, 26 Jun 2015 14:07:07 GMT

Hi Steven,

This is true. But in PANORAMA, if you first add an Access Domain where you select only a Device Group in mode read that is the same of the Vsys of PALO ALTO, and later you add an Admin Role where you only select Monitor - Log - Threats and Privacy - Show Full IP Address. This 2 object can be used when you create an administrator user of type "Device Group adn Template Admin".

Then when this user open the GUI Console, only will see the Threat Log on the label Monitor.

Now , I am trying to customize this display for this special administrator user. For example, that only can be view application smtp, and other query is deny. Also, if is possible that the area filter it was blocked or gray. I like too to customize the columns, moving the order for all the users.

From CLI, to this users I have add a preference of a query:

set mgt-config users VIEWER1_SMTP preferences saved-log-query threat Wildfire_SMTP query "( subtype eq wildfire-virus ) and ( app eq smtp )"

This configuration i have add in multiple similar users VIEWER2, VIEWER3....

But i dont know if is possible to make more customization using CLI with the command SET. Because preference dont give me more values or the admin role dont show me more options for customizations. I think that if I really need all this, I will to have a resquest of a feature as you say me.

This is the information with the config outpout in mode set:

show mgt-config users VIEWER1_SMTP

set mgt-config users VIEWER1_SMTP permissions role-based custom dg-template-profiles RO_DG_INTERNET profile INTERNET

set mgt-config users VIEWER1_SMTP authentication-profile Auth-AD

set mgt-config users VIEWER1_SMTP preferences saved-log-query threat Wildfire_SMTP query "( subtype eq wildfire-virus ) and ( app eq smtp )"

show shared admin-role INTERNET

set shared admin-role INTERNET role device-group webui monitor logs threat enable

set shared admin-role INTERNET role device-group webui privacy show-full-ip-addresses enable

set shared admin-role INTERNET role device-group webui privacy show-user-names-in-logs-and-reports enable

set shared admin-role INTERNET role device-group contextswitch

show mgt-config access-domain

set mgt-config access-domain RO_DG_INTERNET device-groups DG_INTERNET

show readonly dg-meta-data dginfo DG_INTERNET

set readonly dg-meta-data dginfo DG_INTERNET dg-id 11

topic Is possible create a custom admin role with a specific filter? in General Topics

Is possible create a custom admin role with a specific filter?

Re: Is possible create a custom admin role with a specific filter?

Re: Is possible create a custom admin role with a specific filter?