Admins authenticating to Panorama are using AD credentials. The same admin accounts are created on each managed firewall as Superusers. The issue we are having is with Admins committing changes as local overrides (unknowingly/accidentally). I am trying to prevent the admins from being able to commit a local override. I created a user as Super-Admin on Panorama and the same username as a "Read only Admin" on a managed firewall. When logging in directly to the firewall, the admin is unable to make changes, however when logging into the firewall through Panorama context menu the RO user is still able to commit local overrides. "show admins" shows the RO user account that I created as the connected user (not Panorama-"readonlyadmin")
What is the best way to accomplish this (other than training the admins)?
Actually this is not possible. If an admin has superuser permission then it is possible to change anything. If you really want to achieve that all configuration is done in panorama you need to block the admins on the firewall/context switch - or allow only a very limited number of admins to do so and they need to be trained to only use panorama for the configuration. If this is not sufficient, you could contact your system engineer from paloalto to create a feature request for this.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!