Expedition Read Only Panorama API User?



L0 Member



I would like to have our InfoSec team use Expedition to audit/report/track changes on our firewalls. What's the best way to set them up so they can use Expedition, but not have any rights to modify or push changes to Panorama or the firewalls? Expedition v. 1.1.35.


I've set up a Panorama user with XML API rights, but have found the user requires at least the "Operational Requests" and "Configuration" roles in order to download the firewall config files for analysis. Per this page, the "Configuration" role can also modify Panorama and the firewall configs, which we don't want to allow. https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/panorama-web-interface/panora...


Maybe there's a way within Expedition to limit this type of access? Or a different set of RBAC roles? Ideally, I'd be able to give InfoSec a Panorama read-only API key and they'd be admins/super-users in Expedition, as they will be the ones primarily using the tool.


Thanks in advance for any suggestions.


L5 Sessionator

The best would be to have the limitations based on the API keys, so that Panorama won't allow changes to be pushed using that API key.


That said, Expedition has some internal controls to set limitations on user roles.

How can you use them?
Create a user for those auditors with the "viewer" role assigned within the project.

When retrieving the API keys from Panorama, specify that the keys are only for "admin". Notice that then, the "viewer" users won't have an API key assigned.

So, your auditors will be able to see the config in Expedition, but won't have credentials to make a push.

Notice that you would require an "admin" user to pull the config.

Thanks for your reply and thoughts.


I will see if there's a secure way to automate the admin-task of pulling the most recent XML configs from the firewalls into Expedition. That ability + using the RBAC setup inside Expedition sounds like it might accomplish what we're aiming for.


