This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

HA Panorama Active/Standby deployment - Read only access only to standby Panorama´s Server

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HA Panorama Active/Standby deployment - Read only access only to standby Panorama´s Server

BondonI
L0 Member

‎09-28-2023 11:44 AM

Hi all, 

 

I have an environment with a lot of people wanting to get live traffic logs and policy rules for troubleshooting purposes, audit, etc., so we are thinking about to get all the read only admins connected only to the Standby web GUI and not to the active one and I´m not finding a way to get this done. We want to prevent this active panorama server connections to avoid resources overload on the active server do to many read only admins pushing traffic logs and policies at the same time, delaying the real administration tasks.   

 

As the standby is also getting all traffic logs and policy rules, we would like to give the read only admins access only to it.

 

Does someone knows if there is a way to accomplish this? 

 

Thanks in advance! 

0 Likes Likes
2 REPLIES 2

reaper
Cyber Elite
Cyber Elite

‎10-03-2023 02:16 AM

you could start simply by drafting a user policy for the admins, directing them to only connect to panorama A or B, depending on their role, and adding a banner to the logon page reminding the admin they are logging on to the 'readonly' or the 'admin' panorama and should mind if this is the right one for them. 

 

the accounts are all synchronized across both panoramas, so it's not possible to have an account only on one panorama.

a few 'ideas'

-you could limit the source addresses allowed to connect to each panorama, or set up a jump host with only one panorama bookmarked in a locked down browser

-set the accounts to remote authentication via radius or tacacs+ and set a client IP (ip for panorama a or b) restriction policy on the authentication server (i.e. so a given username is only allowed to authenticate from the IP from panorama B)

 

before you tackle the technical solutions, consider if there a real need to block these admins or do you simply want a better 'spread'

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

BondonI
L0 Member
In response to reaper

‎10-04-2023 11:06 AM

Hi there, thanks a lot for your answer! 

 

Really appreciate your ideas! And yes, I really want to have them restricted to the standby Panorama server as we have a lot of admin users already, and don´t want all of them accessing the prod panorama as it´s affecting the overall performance of the platform. 

 

Thanks again!

0 Likes Likes
  • 797 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks