<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Read-Only Superuser by Security Zone in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/read-only-superuser-by-security-zone/m-p/381138#M89729</link>
    <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/168907"&gt;@Robert-META&lt;/a&gt; ,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The only way to achieve your goal that I can think of is to use virtual systems (vsys). Unfortunately this comes with some drawbacks:&lt;/P&gt;&lt;P&gt;&amp;nbsp;- Massive change for the firewall to split the existing configuration.&lt;/P&gt;&lt;P&gt;&amp;nbsp;- Each device comes with a "base license" for multiple vsys, but if you need more vsys you need to purchase an additional license.&lt;/P&gt;&lt;P&gt;&amp;nbsp;- Each model has a different max number of vsys - this could be your deal breaker. Looking at your post I can imagine that you have one single firewall with a huge number of sub-interfaces/zones for each school. If you want to create a separate vsys for each district I am not sure that your device will be capable of handling so many. But it really depends on what model you are using. You can use the "comparison tool" - &lt;A href="https://www.paloaltonetworks.com/products/product-selection" target="_blank"&gt;Next-Generation Firewalls - Product Selection - Palo Alto Networks&lt;/A&gt; (just compare your model with something random; this will give you a really nicely formatted table of the max capacity for your device) {I like to read it that way instead of searching datasheets}.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;By the way, while I was typing this I was thinking of another solution, but I am not sure how doable it is for you, because it will require lots of programming - use the API to read the policy. Since you only need to have read-only access, I can imagine you can do the following:&lt;/P&gt;&lt;P&gt;- Assign each school district a unique tag&lt;/P&gt;&lt;P&gt;- Configure all objects and rules for a specific district with that tag&lt;/P&gt;&lt;P&gt;- Using the API, read the whole firewall config (at least what is relevant - rules, objects, zones, etc.)&lt;/P&gt;&lt;P&gt;- With a bit of programming magic, create a web page that will visualise the data from the firewall API&lt;/P&gt;&lt;P&gt;- Using the tags you can create a "filter" so each user will see only the data that is associated with his district.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 21 Jan 2021 08:01:03 GMT</pubDate>
    <dc:creator>aleksandar.astardzhiev</dc:creator>
    <dc:date>2021-01-21T08:01:03Z</dc:date>
    <item>
      <title>Read-Only Superuser by Security Zone</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/read-only-superuser-by-security-zone/m-p/381015#M89724</link>
      <description>&lt;P&gt;Hello, I hope everyone is staying healthy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I work at a company that provides ISP services to public schools. Each school district is divided into separate security zones on our Palo, and I am trying to see if a read-only user can be created that is able to only look at security and NAT rules for their assigned zone.&amp;nbsp; I've been fiddling around in the OS and searching online but haven't been able to find any information to answer this.&amp;nbsp; I know they can be set up to view all rules, but I was hoping to narrow that down if possible.&amp;nbsp; We are running on the latest OS, 10.0.3.&amp;nbsp; Thank you for any information you're able to provide.&lt;/P&gt;</description>
      <pubDate>Wed, 20 Jan 2021 16:31:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/read-only-superuser-by-security-zone/m-p/381015#M89724</guid>
      <dc:creator>Robert-META</dc:creator>
      <dc:date>2021-01-20T16:31:11Z</dc:date>
    </item>
    <item>
      <title>Re: Read-Only Superuser by Security Zone</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/read-only-superuser-by-security-zone/m-p/381138#M89729</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/168907"&gt;@Robert-META&lt;/a&gt; ,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The only way to achieve your goal that I can think of is to use virtual systems (vsys). Unfortunately this comes with some drawbacks:&lt;/P&gt;&lt;P&gt;&amp;nbsp;- Massive change for the firewall to split the existing configuration.&lt;/P&gt;&lt;P&gt;&amp;nbsp;- Each device comes with a "base license" for multiple vsys, but if you need more vsys you need to purchase an additional license.&lt;/P&gt;&lt;P&gt;&amp;nbsp;- Each model has a different max number of vsys - this could be your deal breaker. Looking at your post I can imagine that you have one single firewall with a huge number of sub-interfaces/zones for each school. If you want to create a separate vsys for each district I am not sure that your device will be capable of handling so many. But it really depends on what model you are using. You can use the "comparison tool" - &lt;A href="https://www.paloaltonetworks.com/products/product-selection" target="_blank"&gt;Next-Generation Firewalls - Product Selection - Palo Alto Networks&lt;/A&gt; (just compare your model with something random; this will give you a really nicely formatted table of the max capacity for your device) {I like to read it that way instead of searching datasheets}.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;By the way, while I was typing this I was thinking of another solution, but I am not sure how doable it is for you, because it will require lots of programming - use the API to read the policy. Since you only need to have read-only access, I can imagine you can do the following:&lt;/P&gt;&lt;P&gt;- Assign each school district a unique tag&lt;/P&gt;&lt;P&gt;- Configure all objects and rules for a specific district with that tag&lt;/P&gt;&lt;P&gt;- Using the API, read the whole firewall config (at least what is relevant - rules, objects, zones, etc.)&lt;/P&gt;&lt;P&gt;- With a bit of programming magic, create a web page that will visualise the data from the firewall API&lt;/P&gt;&lt;P&gt;- Using the tags you can create a "filter" so each user will see only the data that is associated with his district.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 21 Jan 2021 08:01:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/read-only-superuser-by-security-zone/m-p/381138#M89729</guid>
      <dc:creator>aleksandar.astardzhiev</dc:creator>
      <dc:date>2021-01-21T08:01:03Z</dc:date>
    </item>
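The tag-based portal sketched in the reply above, worked through as an added example (this is not code from the thread or from Palo Alto Networks). It assumes the JSON shape returned by the PAN-OS REST API endpoint /restapi/v10.0/Policies/SecurityRules for location=vsys, authenticated with the X-PAN-KEY header, and embeds a constructed sample response so it runs offline. The district tag, zone names and rule names are made up. Beyond the reply's filter it adds the check a practitioner wants before trusting such a view: rules that reference a district's zones (or "any") but carry none of the tags the district is allowed to see, because the filter silently hides those even though they govern the district's traffic. The portal's API key should belong to a dedicated read-only admin; tenants never receive firewall credentials, and the filter is a presentation boundary, not an enforcement one.

```python
"""Per-district read-only view of PAN-OS security rules, filtered by tag.

Added example, not code from the thread. Assumes the JSON shape of the
PAN-OS REST API SecurityRules response (location=vsys); the sample below is
constructed so the script runs without a firewall.
"""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed sample in the shape of a PAN-OS REST API SecurityRules response.
# "district-a-dns" touches district-a's zone but carries no tag: exactly the
# kind of rule a tag-only filter would hide from the district's users.
SAMPLE_RESPONSE = json.dumps({
    "@status": "success",
    "result": {"@total": "4", "@count": "4", "entry": [
        {"@name": "district-a-web", "from": {"member": ["district-a"]},
         "to": {"member": ["internet"]}, "source": {"member": ["district-a-lan"]},
         "destination": {"member": ["any"]},
         "application": {"member": ["web-browsing", "ssl"]},
         "service": {"member": ["application-default"]}, "action": "allow",
         "tag": {"member": ["district-a"]}},
        {"@name": "district-b-web", "from": {"member": ["district-b"]},
         "to": {"member": ["internet"]}, "source": {"member": ["district-b-lan"]},
         "destination": {"member": ["any"]},
         "application": {"member": ["web-browsing", "ssl"]},
         "service": {"member": ["application-default"]}, "action": "allow",
         "tag": {"member": ["district-b"]}},
        {"@name": "district-a-dns", "from": {"member": ["district-a"]},
         "to": {"member": ["internet"]}, "source": {"member": ["district-a-lan"]},
         "destination": {"member": ["any"]}, "application": {"member": ["dns"]},
         "service": {"member": ["application-default"]}, "action": "allow"},
        {"@name": "cleanup-deny", "from": {"member": ["any"]}, "to": {"member": ["any"]},
         "source": {"member": ["any"]}, "destination": {"member": ["any"]},
         "application": {"member": ["any"]}, "service": {"member": ["any"]},
         "action": "deny", "tag": {"member": ["shared"]}},
    ]},
})


def fetch_rules(host, api_key, vsys="vsys1"):
    """Pull the rulebase from a live firewall (not exercised offline).
    api_key should come from a dedicated read-only admin, never a superuser."""
    query = urlencode({"location": "vsys", "vsys": vsys})
    url = "https://%s/restapi/v10.0/Policies/SecurityRules?%s" % (host, query)
    req = Request(url, headers={"X-PAN-KEY": api_key})
    with urlopen(req, timeout=30) as resp:  # default context verifies the TLS certificate
        return resp.read().decode()


def load_rules(payload):
    """Parse a SecurityRules response into a list of rule dicts, in rulebase order."""
    data = json.loads(payload)
    if data.get("@status") != "success":
        raise ValueError("API error: %r" % data)
    entries = data.get("result", {}).get("entry", [])
    return entries if isinstance(entries, list) else [entries]


def members(rule, field):
    """A list-valued field (from, to, tag, ...) as a tuple of strings."""
    return tuple(rule.get(field, {}).get("member", []))


def district_view(rules, visible_tags):
    """Rules carrying any of the tags the tenant may see, projected onto the
    fields a read-only district user needs (no UUIDs, profiles or log settings)."""
    visible = set(visible_tags)
    view = []
    for rule in rules:
        if not visible.intersection(members(rule, "tag")):
            continue
        view.append({
            "name": rule["@name"],
            "from": list(members(rule, "from")), "to": list(members(rule, "to")),
            "source": list(members(rule, "source")),
            "destination": list(members(rule, "destination")),
            "application": list(members(rule, "application")),
            "service": list(members(rule, "service")),
            "action": rule.get("action"),
        })
    return view


def touches_zones(rule, zones):
    """Conservative: the rule names one of the district's zones, or "any",
    on either side."""
    for field in ("from", "to"):
        named = set(members(rule, field))
        if "any" in named or named.intersection(zones):
            return True
    return False


def untagged_rules_touching(rules, visible_tags, zones):
    """Tag hygiene check: rules that can match the district's traffic but carry
    none of its visible tags. The filtered view hides these, so run this before
    trusting the view and tag (or explicitly share) every hit."""
    visible, zones = set(visible_tags), set(zones)
    return [r["@name"] for r in rules
            if not visible.intersection(members(r, "tag")) and touches_zones(r, zones)]


def report(payload, visible_tags, zones):
    rules = load_rules(payload)
    return {"view": district_view(rules, visible_tags),
            "untagged": untagged_rules_touching(rules, visible_tags, zones)}


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_RESPONSE, ["district-a", "shared"], ["district-a"]), indent=2))
```

Rule order is preserved from the API response, which matters for a read-only rulebase view. The "shared" tag lets the cleanup deny appear in every district's view without being flagged as untagged; anything else that matches a district's zones but lacks a visible tag is reported so the view never quietly omits a rule that applies to that tenant.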
  </channel>
</rss>

