08-13-2013 05:14 AM
Does anyone know if there is a way to create admins in Panorama for specific subdomains AND restrict their access to only the logs for the firewalls in that subdomain? I want to give access to users for only their FW logs and not let them see all of the other FW logs. So far my testing has resulted in this not being possible, but wanted to see if anyone figured out a way that I just missed.
Thanks!
08-13-2013 05:39 AM
If by subdomains, do you mean how to restrict access for the admins to see logs on the firewalls in a specific device group?
Refer to the document below, which explains how to restrict manageable firewall access to admins:
https://live.paloaltonetworks.com/docs/DOC-3106
You can restrict access to device groups or to individual firewalls themselves. The doc shows device groups. The snapshot below shows restricting the admin to firewalls.
You can then select an admin role profile, and limit the access to only the logs as shown below:
And use this admin role profile under the admin.
Hope this helps.
BR,
Karthik
08-13-2013 08:08 AM
This will work if you want to restrict log access when a context switch occurs while the admin is logged in locally to a device through Panorama.
The other request to restrict access without a context switch while inside the Panorama Monitor tab is a current feature request. We are tracking this request as we move forward to plan future releases. Please follow up with your SE to add to the FR if you have not already.
08-13-2013 08:14 AM
Your last comments regarding the Panorama Monitor tab (not context switching) are exactly where I was going with my question. I don't believe we have submitted that request, but I will now. Thanks for the reply.
08-13-2013 08:35 AM
Hi,
If for you a subdomain is a device group, the previous answers are OK, but if you can have many domains per device, you have to go through a custom report. With a query, if users are authenticated or maybe per subnet, you can create the right report for the right person 🙂
Hope this helps.
V.