06-16-2015 08:08 AM
This question is for administration of PANORAMA and PALOALTO.
I want to know if it is possible to create a custom admin role with a specific filter. For example, if I make an admin role for a vsys or device group and check Monitor-Logs-Threats, I want the users of this role to be able to view only the virus and WildFire logs, and not the other threats.
Is it possible to customize at this level?
Thanks
Angel R
06-20-2015 03:23 AM
Panorama cannot distinguish vsys-level users, and as of PAN-OS 6.1 you do not have the option to restrict users by device group. I've not used PAN-OS 7 to see whether these have been added.
This would be a feature request you could discuss with your sales engineer. If there is an existing request, you can vote for it; if this is new, he can create a feature request and give you the number. Once you have the FR number, post it on the forums to encourage others to vote too.
06-26-2015 07:07 AM
Hi Steven,
This is true. But in PANORAMA, if you first add an Access Domain where you select only a Device Group in read mode (which corresponds to the vsys on the PALO ALTO), and later you add an Admin Role where you only select Monitor - Log - Threats and Privacy - Show Full IP Address, these two objects can be used when you create an administrator user of type "Device Group and Template Admin".
Then, when this user opens the GUI console, they will only see the Threat Log under the Monitor tab.
Now I am trying to customize this display for this special administrator user. For example, so that only the application smtp can be viewed, and any other query is denied. Also, if it is possible, that the filter area be blocked or grayed out. I would also like to customize the columns, changing the order for all the users.
From the CLI, I have added a query preference for these users:
set mgt-config users VIEWER1_SMTP preferences saved-log-query threat Wildfire_SMTP query "( subtype eq wildfire-virus ) and ( app eq smtp )"
I have added this configuration to multiple similar users: VIEWER2, VIEWER3...
But I don't know if it is possible to make more customizations using the CLI with the SET command, because the preferences don't give me more values and the admin role doesn't show me more options for customization. I think that if I really need all this, I will have to make a feature request, as you say.
This is the information with the config output in set mode:
show mgt-config users VIEWER1_SMTP
set mgt-config users VIEWER1_SMTP permissions role-based custom dg-template-profiles RO_DG_INTERNET profile INTERNET
set mgt-config users VIEWER1_SMTP authentication-profile Auth-AD
set mgt-config users VIEWER1_SMTP preferences saved-log-query threat Wildfire_SMTP query "( subtype eq wildfire-virus ) and ( app eq smtp )"
show shared admin-role INTERNET
set shared admin-role INTERNET role device-group webui monitor logs threat enable
set shared admin-role INTERNET role device-group webui privacy show-full-ip-addresses enable
set shared admin-role INTERNET role device-group webui privacy show-user-names-in-logs-and-reports enable
set shared admin-role INTERNET role device-group contextswitch
show mgt-config access-domain
set mgt-config access-domain RO_DG_INTERNET device-groups DG_INTERNET
show readonly dg-meta-data dginfo DG_INTERNET
set readonly dg-meta-data dginfo DG_INTERNET dg-id 11
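As an added example (not code from this post or from Palo Alto Networks), here is a small evaluator for the saved-log-query filter syntax shown above, run over constructed threat-log records, so you can see which entries the Wildfire_SMTP query surfaces and which a broader virus-or-WildFire query would. It assumes only eq/neq terms with and/or and parentheses, and that and binds tighter than or; keep in mind that a saved log query is a filter the viewer can select or edit, not an enforced restriction, which is why locking the filter area is treated here as a feature request.

```python
import re

# Constructed sample threat-log records (not taken from the original post).
SAMPLE_THREAT_LOGS = [
    {"subtype": "wildfire-virus", "app": "smtp", "threat": "sample-1"},
    {"subtype": "wildfire-virus", "app": "web-browsing", "threat": "sample-2"},
    {"subtype": "virus", "app": "smtp", "threat": "sample-3"},
    {"subtype": "vulnerability", "app": "smtp", "threat": "sample-4"},
]

TOKEN_RE = re.compile(r"\(|\)|\S+")

def parse_query(query):
    """Parse a PAN-OS style filter, e.g. '( subtype eq wildfire-virus ) and ( app eq smtp )',
    into a predicate. Supports eq/neq terms, parentheses, and/or; 'and' binds tighter
    than 'or' (this toy parser's assumption, not documented PAN-OS precedence)."""
    tokens = TOKEN_RE.findall(query)  # consumed left to right with pop(0)
    peek = lambda: tokens[0] if tokens else None
    def parse_or():
        left = parse_and()
        while peek() == "or":
            tokens.pop(0)
            left = (lambda l, r: lambda rec: l(rec) or r(rec))(left, parse_and())
        return left
    def parse_and():
        left = parse_atom()
        while peek() == "and":
            tokens.pop(0)
            left = (lambda l, r: lambda rec: l(rec) and r(rec))(left, parse_atom())
        return left
    def parse_atom():
        if peek() == "(":
            tokens.pop(0)
            inner = parse_or()
            if tokens.pop(0) != ")":
                raise ValueError("expected ')'")
            return inner
        field, op, value = tokens.pop(0), tokens.pop(0), tokens.pop(0)
        if op not in ("eq", "neq"):
            raise ValueError(f"unsupported operator {op!r}")
        return lambda rec: (rec.get(field) == value) == (op == "eq")
    pred = parse_or()
    if tokens:
        raise ValueError("trailing tokens in query")
    return pred

def apply_saved_query(query, records=SAMPLE_THREAT_LOGS):
    """Return the threat names the saved query would show in the log viewer."""
    pred = parse_query(query)
    return [r["threat"] for r in records if pred(r)]
```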