02-04-2025 10:38 AM
Howdy All!
We are in need of finding a way to give a help desk individual limited access to the CLI to run a Python script to clear addresses from the DoS Blocked-Table. The 2 commands it is running are the
- debug dataplane show dos block-table
- debug dataplane reset dos zone <zone> block-table source <ip address>
What I have found so far at a high level is either full, read, or none. Any thoughts or ideas please feel free to respond.
Thank you in advance!
Ed
02-05-2025 07:00 AM
@edroche3rd wrote:
Howdy All!
We are in need of finding a way to give a help desk individual limited access to the CLI to run a Python script to clear addresses from the DoS Blocked-Table. The 2 commands it is running are the
- debug dataplane show dos block-table
- debug dataplane reset dos zone <zone> block-table source <ip address>
What I have found so far at a high level is either full, read, or none. Any thoughts or ideas please feel free to respond.
Thank you in advance!
Ed
This isn't too difficult of a task, but you'd need to create and use a TACACS+ authentication method. Using TACACS+ you can specify what commands can be executed. However, you'd first need a TACACS+-capable auth server, like ISE or ClearPass. If you have either of these, then the request is simple. Without it I don't think Palo has a built-in RBAC capability to do what you're asking.
02-05-2025 07:24 AM
Perhaps not as granular, but could you not also set up XML API access for a specific account?
@edroche3rd for reference, here is some additional documentation:
02-05-2025 02:30 PM
I don't think you'll find an "easy" way to do this. Either you grant that permission via TACACS+ as @Brandon_Wertz mentioned, or create a script to do it that you would then give your helpdesk staff the ability to run. The XML API permissions themselves are a bit more restrictive, but you would still be granting them the ability to issue any operational request. Since we're talking about debug commands here, none of the built-in capability solely through PAN is going to really fit the bill.
I'd kind of question if DoS is tuned properly if this is something that is being run into enough that it's not a rare enough occurrence that helpdesk is seeking to do it themselves. If you're seeing regular violations of your limits, they may just be set a bit too low if they're regularly being surpassed by "real" clients.
I'll just caution that doing this "properly" to not over provision access and limiting the ability to just this simple task isn't without issue. The TACACS+ method is going to provide the most amount of flexibility in allowing exactly what you want them to do outside of taking the time to script it and have the helpdesk run the script from a secure platform. I personally wouldn't want to give the ability to run operational commands directly to helpdesk staff; there's quite a bit of risk in those credentials getting out to more people.
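The two replies above describe the same shape of control in two places: a TACACS+ command set on ISE that permits exactly two command lines, or a wrapper script the help desk can run without ever holding the firewall credentials. Below is an added example of that wrapper, written for this page and not code from the thread, from Palo Alto Networks or from Cisco. It assumes (these are assumptions, not facts from the thread): the help desk is only allowed to execute this file (for instance via a sudoers entry naming it), so the credentials in the file at `CREDS_FILE` never reach them; the transport is SSH through netmiko's `paloalto_panos` driver, imported only when a command is actually sent; and zone names are limited to a conservative character set. The two regular expressions in `_AUTHORIZED` are the allow rules you would express in the ISE command set; the same list doubles as a final check on anything the wrapper builds.

```python
"""Help-desk wrapper exposing only the two PAN-OS DoS block-table commands.

Added example for this thread; all names, paths and the netmiko transport are
assumptions, not something the original posts describe.
"""
import argparse
import ipaddress
import re
from typing import Optional

SHOW_CMD = "debug dataplane show dos block-table"
RESET_CMD = "debug dataplane reset dos zone {zone} block-table source {ip}"

# Assumed credentials file: line 1 = username, line 2 = password, readable
# only by the service account the sudoers rule switches to.
CREDS_FILE = "/etc/panos-dos-wrapper/creds"  # hypothetical path

# Conservative zone-name allowlist (assumption): alphanumerics, '_', '-', '.',
# at most 31 characters, so no whitespace or newline can start a second token.
_ZONE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,30}")

# The same two commands as allow rules, the way a TACACS+ command set on ISE
# would carry them: exact command followed by an argument pattern.
_AUTHORIZED = [
    re.compile(r"debug dataplane show dos block-table"),
    re.compile(
        r"debug dataplane reset dos zone [A-Za-z0-9][A-Za-z0-9_.-]{0,30} "
        r"block-table source [0-9a-fA-F.:]+"
    ),
]


def is_authorized(command_line: str) -> bool:
    """True only if the whole line matches one permitted form (no prefixes)."""
    return any(p.fullmatch(command_line) for p in _AUTHORIZED)


def validate_zone(zone: str) -> str:
    if not _ZONE_RE.fullmatch(zone):
        raise ValueError(f"rejected zone name {zone!r}")
    return zone


def validate_source_ip(ip: str) -> str:
    # ip_address() accepts a single host address only: "203.0.113.0/24",
    # "1.2.3.4; request shutdown" and the like all raise ValueError here.
    try:
        return str(ipaddress.ip_address(ip))
    except ValueError as exc:
        raise ValueError(f"rejected source address {ip!r}") from exc


def build_command(action: str, zone: Optional[str] = None,
                  ip: Optional[str] = None) -> str:
    """Build one of the two permitted CLI lines, or raise ValueError."""
    if action == "show":
        cmd = SHOW_CMD
    elif action == "reset":
        if zone is None or ip is None:
            raise ValueError("reset needs both a zone and a source IP")
        cmd = RESET_CMD.format(zone=validate_zone(zone), ip=validate_source_ip(ip))
    else:
        raise ValueError(f"unsupported action {action!r}")
    # Belt and braces: whatever was built must itself pass the allow rules.
    if not is_authorized(cmd):
        raise ValueError(f"built command failed authorization: {cmd!r}")
    return cmd


def is_accepted(action: str, zone: Optional[str] = None,
                ip: Optional[str] = None) -> bool:
    """Convenience predicate: would build_command accept this request?"""
    try:
        build_command(action, zone, ip)
        return True
    except ValueError:
        return False


def run(host: str, command: str) -> str:
    """Send one already-validated command over SSH (assumes netmiko is installed)."""
    from netmiko import ConnectHandler  # imported lazily; validation needs no SSH
    with open(CREDS_FILE, encoding="utf-8") as fh:
        username, password = (line.strip() for line in fh.read().splitlines()[:2])
    conn = ConnectHandler(device_type="paloalto_panos", host=host,
                          username=username, password=password)
    try:
        return conn.send_command(command)
    finally:
        conn.disconnect()


def main(argv: Optional[list] = None) -> None:
    parser = argparse.ArgumentParser(description="List or clear DoS block-table entries")
    parser.add_argument("--host", required=True, help="firewall management address")
    sub = parser.add_subparsers(dest="action", required=True)
    sub.add_parser("show")
    reset = sub.add_parser("reset")
    reset.add_argument("zone")
    reset.add_argument("ip")
    args = parser.parse_args(argv)
    cmd = build_command(args.action, getattr(args, "zone", None), getattr(args, "ip", None))
    print(run(args.host, cmd))


if __name__ == "__main__":
    main()
```

The point of the design is that every value the help-desk user controls is validated before it is placed into a command string, and the finished string is checked against the same two patterns the TACACS+ command set would enforce, so the wrapper cannot be steered into an arbitrary CLI session even if the sudoers rule is the only thing standing between the user and the firewall account.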
02-06-2025 09:44 AM
Hi All!
Thank you for sharing your ideas and thoughts.
@Brandon_Wertz we do have an ISE device that we use for our Cisco devices currently. I wasn't sure if ISE would work with other manufacturers, but being able to restrict to specific commands makes this the ideal way.
@nohash4u I did go looking down the API rabbit hole but was unable to find the proper command to view and clear the table.
@BPry We have the script created already and the permission part is the last step. We have tuned it at this point as well and not seeing as many as we were when first implementing. Since we already have an ISE device this will definitely be the best way to go.
Thanks again for the replies; they were much appreciated.
Ed