Panorama - Restrict Firewall Log Access


L3 Networker

Does anyone know if there is a way to create admins in Panorama for specific subdomains AND restrict their access to only the logs for the firewalls in that subdomain? I want to give users access to only their FW logs and not let them see all of the other FW logs. So far my testing has resulted in this not being possible, but I wanted to see if anyone figured out a way that I just missed.

Thanks!

4 REPLIES

L5 Sessionator

By subdomains, do you mean how to restrict access for the admins to see logs on the firewalls in specific device groups?

Refer to the document below, which explains how to restrict manageable firewall access for admins:

https://live.paloaltonetworks.com/docs/DOC-3106

You can restrict access to device groups or to individual firewalls themselves. The doc shows device groups. The snapshot below shows restricting the admin to firewalls.

panorama access.JPG

You can then select an admin role profile, and limit the access to only the logs as shown below:

panorama access-2.JPG

And use this admin role profile under the admin.

Hope this helps.

BR,

Karthik

This will work if you want to restrict log access when a context switch occurs while the admin is logged in locally to a device through Panorama.

The other request to restrict access without a context switch while inside the Panorama Monitor tab is a current feature request. We are tracking this request as we move forward to plan future releases. Please follow up with your SE to add to the FR if you have not already.

Your last comments regarding the Panorama Monitor tab (not context switching) are exactly where I was going with my question. I don't believe we have submitted that request, but I will now. Thanks for the reply.

L5 Sessionator

Hi,

If for you a subdomain is a device group, the previous answers are OK, but if you can have many domains per device, you have to go through custom reports. With a query, if users are authenticated or maybe per subnet, you can create the right report for the right person 🙂

Hope this helps.

V.
