Is possible create a custom admin role with a specific filter?

This question is for administration of PANORAMA and PALOALTO.

I want to know if it is possible to create a custom admin role with a specific filter. For example, if I make an admin role for a vsys or device group and check Monitor > Logs > Threats, I want the users of this role to be able to view only the virus and WildFire logs, and not the other threat logs.

Is it possible to customize at this level?

Thanks

Angel R

2 REPLIES

Panorama cannot distinguish vsys-level users, and as of PAN-OS 6.1 you do not have the option to restrict users by device group. I've not used PAN-OS 7 to see if they were added.

This would be a feature request you could discuss with your sales engineer. If there is an existing request you can vote for it; if this is new, he can create a feature request and give you the number. Once you have the FR number, post it on the forums to encourage others to vote too.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi Steve,

This is true. But in Panorama, if you first add an Access Domain where you select only a Device Group in read mode (which is the equivalent of the vsys on the Palo Alto firewall), and later add an Admin Role where you select only Monitor > Logs > Threats and Privacy > Show Full IP Address, these two objects can be used when you create an administrator user of type "Device Group and Template Admin".

Then, when this user opens the GUI console, they will only see the Threat Log under the Monitor tab.

Now I am trying to customize this display for this special administrator user. For example, so that they can only view the application smtp, and any other query is denied. Also, if possible, that the filter area is blocked or grayed out. I would also like to customize the columns, changing their order for all the users.

From the CLI, I have added a saved query preference for these users:

set mgt-config users VIEWER1_SMTP preferences saved-log-query threat Wildfire_SMTP query "( subtype eq wildfire-virus ) and ( app eq smtp )"

I have added this configuration to multiple similar users: VIEWER2, VIEWER3, ...

But I don't know if it is possible to do more customization using the CLI with the set command, because preferences don't offer me more values and the admin role doesn't show me more options for customization. I think that if I really need all this, I will have to make a feature request, as you told me.

This is the information with the config output in set mode:

show mgt-config users VIEWER1_SMTP

set mgt-config users VIEWER1_SMTP permissions role-based custom dg-template-profiles RO_DG_INTERNET profile INTERNET

set mgt-config users VIEWER1_SMTP authentication-profile Auth-AD

set mgt-config users VIEWER1_SMTP preferences saved-log-query threat Wildfire_SMTP query "( subtype eq wildfire-virus ) and ( app eq smtp )"



show shared admin-role INTERNET

set shared admin-role INTERNET role device-group webui monitor logs threat enable

set shared admin-role INTERNET role device-group webui privacy show-full-ip-addresses enable

set shared admin-role INTERNET role device-group webui privacy show-user-names-in-logs-and-reports enable

set shared admin-role INTERNET role device-group contextswitch

show mgt-config access-domain

set mgt-config access-domain RO_DG_INTERNET device-groups DG_INTERNET

show readonly dg-meta-data dginfo DG_INTERNET

set readonly dg-meta-data dginfo DG_INTERNET dg-id 11
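Since the same three per-user statements are being repeated by hand for VIEWER1, VIEWER2, VIEWER3 and so on, the script below generates them from one template so every viewer gets an identical configuration. This is an added example, not code from the thread or from Palo Alto Networks; it reuses the object names posted above (RO_DG_INTERNET, INTERNET, Auth-AD, DG_INTERNET) and the saved-query syntax from the set output, while the function names, the user list and the name validation are assumptions. One caveat, in line with where the thread ends up: the saved-log-query preference only pre-fills the filter box, so the role still grants the user every threat log in the access domain, and the generated lines are a convenience, not an enforcement boundary.

```shell
#!/bin/sh
# Added example (not from the original thread): emit the PAN-OS "set" commands
# for restricted log-viewer admins so that VIEWER1, VIEWER2, ... are built
# identically. Object names below are taken from the posted config; everything
# else (function names, user list, validation rule) is an assumption.

AD_NAME="RO_DG_INTERNET"   # access domain: read-only device group
ROLE_NAME="INTERNET"       # admin role: Monitor > Logs > Threat only
AUTH_PROFILE="Auth-AD"     # authentication profile from the posted config
DG_NAME="DG_INTERNET"      # device group inside the access domain

# Accept only a conservative identifier so a user or query name cannot
# smuggle extra tokens into the generated CLI line.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# gen_viewer_config USER QUERY_NAME QUERY
# Prints the three per-user statements shown in the thread's set output.
gen_viewer_config() {
    user="$1"; qname="$2"; query="$3"
    valid_name "$user"  || { echo "bad user name: $user" >&2; return 1; }
    valid_name "$qname" || { echo "bad query name: $qname" >&2; return 1; }
    # The query is quoted on the CLI line, so reject embedded double quotes.
    case "$query" in *'"'*) echo "query must not contain double quotes" >&2; return 1 ;; esac
    printf 'set mgt-config users %s permissions role-based custom dg-template-profiles %s profile %s\n' \
        "$user" "$AD_NAME" "$ROLE_NAME"
    printf 'set mgt-config users %s authentication-profile %s\n' "$user" "$AUTH_PROFILE"
    printf 'set mgt-config users %s preferences saved-log-query threat %s query "%s"\n' \
        "$user" "$qname" "$query"
}

# gen_shared_config: the shared objects every viewer depends on (emit once).
gen_shared_config() {
    printf 'set shared admin-role %s role device-group webui monitor logs threat enable\n' "$ROLE_NAME"
    printf 'set shared admin-role %s role device-group webui privacy show-full-ip-addresses enable\n' "$ROLE_NAME"
    printf 'set mgt-config access-domain %s device-groups %s\n' "$AD_NAME" "$DG_NAME"
}

# wildfire_app_query APP: build a filter in the same shape the thread uses,
# restricted to WildFire virus verdicts for one application.
wildfire_app_query() {
    printf '( subtype eq wildfire-virus ) and ( app eq %s )' "$1"
}

# Usage: print the shared objects, then one block per viewer (assumed list).
main() {
    gen_shared_config
    for u in VIEWER1_SMTP VIEWER2_SMTP VIEWER3_SMTP; do
        gen_viewer_config "$u" Wildfire_SMTP "$(wildfire_app_query smtp)"
    done
}

main
```

Paste the output into `configure` mode on Panorama and `commit` as usual; the script does not talk to the device itself.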

