05-20-2022 05:19 AM
Access Panorama to firewall GUI context and CLI context
Hello, good morning, I reiterate, thank you again for the information, help and support. Please support the following topic:
Currently, with the account that logs me into Panorama, as long as I have access and permissions to all contexts, I am able to change the context to enter the firewall locally and, for traceability of changes and settings, the user is added as Panorama.User when you make changes, modifications, commits, etc. on the equipment.
OK, now the issue is the following: how can I do the same thing I do in the GUI (context change), but this time by CLI? Is there any option for it? In other words, to avoid having to use a local admin user on the firewall, for example, to log in via SSH/CLI, is there this option to simply change the context in the CLI? Or do I have to log in directly via CLI/SSH to each firewall? To log in, do I have to have a local user on the destination firewall? Or, as this firewall is being managed and administered by Panorama, can I use the "same Panorama user", that is, a valid Panorama user, to log in directly via CLI/SSH to the firewall, or must I have a local user?
Please give your support in reviewing this issue, since I cannot find documentation that refers to this topic.
Thank you very much, I remain attentive cordial greetings.
05-21-2022 06:50 AM
Thank you for the post @Metgatz
The context change in Panorama is only for the GUI. I am not aware of any similar feature that would have the same function for the CLI. If you prefer not to use a local account to SSH to every firewall, then perhaps a workaround could be to use TACACS+ or RADIUS accounts. You can use a Panorama Template to push the authentication profile to all firewalls. Here is a KB for reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMYmCAO&lang=en_US%E2%80%A...
Kind Regards
Pavel
05-21-2022 10:00 AM
@PavelK Excellent, thank you very much for your clarification.
06-23-2022 03:47 PM
In some cases the firewalls are connecting to Panorama from behind a firewall, NAT, or proxy and are not reachable directly. Since not all the troubleshooting capabilities are available via the GUI, it is necessary to log in via SSH, and it would be really helpful if the admin could SSH into Panorama and reverse their way back to a Firewall, Log Collector, or peer Panorama's CLI.