This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Expedition Read Only Panorama API User?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Expedition Read Only Panorama API User?

TylerDoyle
L0 Member

‎08-27-2019 08:21 AM - edited ‎08-27-2019 08:25 AM

Hello,

 

I would like to have our InfoSec team use Expedition to audit/report/track changes on our firewalls. What's the best way to set them up so they can use Expedition, but not have any rights to modify or push changes to Panorama or the firewalls? Expedition v. 1.1.35.

 

I've setup a Panorama user with XML API rights, but have found the user requires at least the "Operational Requests" and "Configuration" roles in order to download the firewall config files for analysis. Per this page, the "Configuration" role can also modify Panorama and the firewall configs, which we don't want to allow. https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/panorama-web-interface/panora...

 

Maybe there's a way within Expedition to limit this type of access? Or a different set of RBAC roles? Ideally, I'd be able to give InfoSec a Panorama read-only API key and they'd be admins/super-users in Expedition, as they will be the ones primarily using the tool.

 

Thanks in advance for any suggestions.

2 people had this problem.
0 Likes Likes
2 REPLIES 2

dgildelaig
L5 Sessionator

‎09-09-2019 03:08 AM

The best would be to have the limitations based on the API keys, so that Panorama won't allow changes to be pushed using that API key.

 

That said, Expedition has some internal controls to set limitations on user roles.

How can you use them?
Create a user for those auditors with the "viewer" role assigned within the project.

When retreiving the API keys from panorama, specify that the keys are only for "admin". Notice that then, the "viewer" users won't have an API key assigned.

So, your auditors will be able to see the config in Expedition, but won't have credentials to make a push.

Notice that you would require an "admin" user to pull the config.

TylerDoyle
L0 Member
In response to dgildelaig

‎09-10-2019 02:14 PM

Thanks for your reply and thoughts.

 

I will see if there's a secure way to automate the admin-task of pulling the most recent XML configs from the firewalls into Expedition. That ability + using the RBAC setup inside Expedition sounds like it might accomplish what we're aiming for.

 

 

0 Likes Likes
  • 4093 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks