04-07-2019 08:25 PM
Hello,
We are using PANOS 8.1.7 and GP 4.1.8.
We have multi Vsys and one of our VSYS administrator accounts cannot access GP protect agent split tunnel setup.
It is greyed out.
Is this an account limit or something wrong?
04-15-2019 12:56 PM
Hmm ... does your vsys administrator have the permission to change this? Do you have other administrators with the same permission where this is possible to change?
04-15-2019 03:53 PM
Hi @Remo
PA TAC assisted us to confirm that this is an expected behaviour.
++ As superuser admin, configured global protect portal and gateway.
++ Also created another vsysadmin.
++ Logged in as the vsysadmin, and was unable to modify Gateway config, specifically anything related to network was grayed out.
++ According to documents:
vsysadmin—Has access to specific virtual systems on the firewall to create and manage specific aspects of virtual systems.
A vsysadmin doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
Person with vsysadmin permission can commit configurations for only the virtual systems assigned to them.
++ As such, any GP config related to above will just be read-only for the vsys admin. This is expected behavior.
++ Reference: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/virtual-systems/virtual-systems-overview/a...