08-27-2019 08:21 AM - edited 08-27-2019 08:25 AM
I would like to have our InfoSec team use Expedition to audit/report/track changes on our firewalls. What's the best way to set them up so they can use Expedition, but not have any rights to modify or push changes to Panorama or the firewalls? Expedition v. 1.1.35.
I've setup a Panorama user with XML API rights, but have found the user requires at least the "Operational Requests" and "Configuration" roles in order to download the firewall config files for analysis. Per this page, the "Configuration" role can also modify Panorama and the firewall configs, which we don't want to allow. https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/panorama-web-interface/panora...
Maybe there's a way within Expedition to limit this type of access? Or a different set of RBAC roles? Ideally, I'd be able to give InfoSec a Panorama read-only API key and they'd be admins/super-users in Expedition, as they will be the ones primarily using the tool.
Thanks in advance for any suggestions.
09-09-2019 03:08 AM
The best would be to have the limitations based on the API keys, so that Panorama won't allow changes to be pushed using that API key.
That said, Expedition has some internal controls to set limitations on user roles.
How can you use them?
Create a user for those auditors with the "viewer" role assigned within the project.
When retrieving the API keys from Panorama, specify that the keys are only for "admin". Notice that then, the "viewer" users won't have an API key assigned.
So, your auditors will be able to see the config in Expedition, but won't have credentials to make a push.
Notice that you would require an "admin" user to pull the config.
09-10-2019 02:14 PM
Thanks for your reply and thoughts.
I will see if there's a secure way to automate the admin-task of pulling the most recent XML configs from the firewalls into Expedition. That ability + using the RBAC setup inside Expedition sounds like it might accomplish what we're aiming for.
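One way to automate that admin-only pull, as an added example that is not from this thread or from the Expedition project: the admin-role API key is read from an environment variable of the scheduled job (assumed name `PANORAMA_API_KEY`), so it never has to be given to the Expedition "viewer" users, and the response is validated before the file is handed to Expedition. The host and output path are assumptions; the `type=export&category=configuration` call is the PAN-OS XML API configuration export.

```python
"""Pull the running configuration from Panorama over the PAN-OS XML API.

Assumed setup (not from the thread): the admin-role API key lives only in
the PANORAMA_API_KEY environment variable of the job that feeds Expedition,
so Expedition "viewer" users never see it.
"""
import os
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_export_url(host: str, api_key: str) -> str:
    """URL for the PAN-OS XML API 'type=export&category=configuration' call."""
    query = urllib.parse.urlencode(
        {"type": "export", "category": "configuration", "key": api_key}
    )
    return f"https://{host}/api/?{query}"


def parse_export_response(body: bytes) -> ET.Element:
    """Return the <config> root, or raise if Panorama returned an API error.

    A successful export answers with the raw <config> document; failures
    (bad key, insufficient role) come back as <response status="error">.
    """
    root = ET.fromstring(body)
    if root.tag == "response" and root.get("status") != "success":
        msg = root.findtext("./result/msg") or root.findtext("./msg") or "unknown"
        raise PermissionError(f"Panorama export failed (code {root.get('code')}): {msg}")
    if root.tag != "config":
        raise ValueError(f"unexpected root element <{root.tag}>")
    return root


def pull_running_config(host: str, out_path: str) -> str:
    """Fetch the running config and write it where Expedition will import it."""
    api_key = os.environ["PANORAMA_API_KEY"]  # never written to disk or logs
    ctx = ssl.create_default_context()  # keep certificate validation on
    url = build_export_url(host, api_key)
    with urllib.request.urlopen(url, context=ctx, timeout=60) as resp:
        body = resp.read()
    parse_export_response(body)  # validate before handing the file over
    with open(out_path, "wb") as fh:
        fh.write(body)
    return out_path


# Constructed sample responses for offline testing (not captured from a device).
SAMPLE_OK = b'<config version="8.0.0" urldb="paloaltonetworks"><devices/></config>'
SAMPLE_DENIED = (b'<response status="error" code="403">'
                 b'<result><msg>Invalid credentials.</msg></result></response>')
```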