topic Prevent same admin user making configuration change from different places (Web & CLI) at same time in General Topics

Prevent same admin user making configuration change from different places (Web & CLI) at same time

anthony_cheung — Wed, 25 Oct 2017 09:07:17 GMT

Hi,

I would like to know is there any way to prevent same admin user (say devAdmin) making configuration change from different places (Web & CLI) at same time?

Anthony Cheung

Re: Prevent same admin user making configuration change from different places (Web & CLI) at sam

OtakarKlier — Wed, 25 Oct 2017 21:57:23 GMT

Hello,

Yes the feature is called a commit lock. Its under the Device -> Setup -> Management -> General Settings. Click the sprocket and then check the box for "Automatically Acquire Commit Lock".

So once someone makes a setting change it locks the config until that person releases, commits it, or someone else releases it (if you allow for that).

Regards,

Re: Prevent same admin user making configuration change from different places (Web & CLI) at sam

OtakarKlier — Wed, 25 Oct 2017 22:09:26 GMT

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/firewall-administration/use-the-web-interface/manage-locks-for-restricting-configuration-changes

Re: Prevent same admin user making configuration change from different places (Web & CLI) at sam

anthony_cheung — Thu, 26 Oct 2017 02:29:12 GMT

Thanks for your reply. I have tried commit lock but it seems not work for my case.

My case is "same admin user using different methods at the same time". For example, I have an admin user which username is "adminA". I log in Web interface with "adminA" and at the same time "adminA" is logged in CLI. In this situation, if commit lock is acquired on CLI, I cannot acquire the lock in Web interface becuse "adminA" has acquired the lock. Nevertheless, "adminA" on Web interface can commit configuration changes even the changes are made in CLI.

Is there any way to resolve this situation?

Re: Prevent same admin user making configuration change from different places (Web & CLI) at sam

OtakarKlier — Thu, 26 Oct 2017 22:12:59 GMT

Hmm, interesting. That may be a TAC case.

Re: Prevent same admin user making configuration change from different places (Web & CLI) at sam

gwesson — Thu, 26 Oct 2017 22:19:10 GMT

In this instance, a case would not get a resolution. A feature request is needed.

It's an odd use case: if the same user is making changes in CLI and different changes in the GUI, that user should know that because it's the same user. I don't understand why you would want to prevent a user from administering the firewall in such a way.

@anthony_cheung, is your use case something you can expand on here? Why is this a problem?

Re: Prevent same admin user making configuration change from different places (Web & CLI) at sam

anthony_cheung — Mon, 30 Oct 2017 01:18:11 GMT

@gwesson, actually, I would like to use CLI and some shell script programming to do automatic password management task (e.g. periodic changing password). Nevertheless, I cannot find a way to block the actual admin user from logging in Web interface to do any other configuration jobs. That's why I raise the question.

Re: Prevent same admin user making configuration change from different places (Web & CLI) at sam

gwesson — Mon, 30 Oct 2017 16:25:56 GMT

I understand the use case, thanks for that.

The simplest thing would be to create an Admin Role that blocks all Web UI sections and allows superuser for CLI. Then create an Administrator and assign the admin role you created to that administrator.

That user would only have access to the CLI, though you may want to make it have access to XML API to take full advantage of it.

Your existing AdminA user would still have full access to CLI and UI, but because it's a different user name the config lock would work as provided by Otakar.Klier.