Access Panorama to Firewalls GUI switch-context and CLI-SSH switch-context

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Access Panorama to Firewalls GUI switch-context and CLI-SSH switch-context

L4 Transporter

Access Panorama to firewall Gui context and CLI context

 

Hello, good morning, I reiterate, thank you again for the information, help and support. Please support the following topic:

Currently, with the account that logs me into Panorama, as long as I have access and permissions to all contexts, I was able to change the context to enter the firewall locally and for traceability of changes and settings, the user is added Panorama.User, when you make changes, modifications, commit etc on the equipment.

 

OK now the issue is the following, how can I do the same thing I do in the GUI ( Context change ), but this time by CLI ? is there any option for it. In other words, to avoid having to use a local admin user, for example, in the firewall, to log in SSH/CLI, is there this option and simply change the context/CLI? Or do I have to log in directly via CLI/SSH to each firewall? To log in, do I have to have a local user in the destination firewall? Or as this firewall is being managed and administered by PANORAMA, can I use the "Same Panorama user" that is, a valid PANORAMA user, to log in directly via CLI/SSH to the firewall or must I have a local user?

 

Please your support to review this issue, since I can not find documentation that refers to this topic.

 

Thank you very much, I remain attentive cordial greetings.

High Sticker
1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Thank you for the post @Metgatz

 

the context change in Panorama is only for GUI. I am not aware of any similar feature that would have the same function for CLI. If you do not prefer to use local account to ssh to every Firewall, then perhaps a workaround could be to use TACACS+ or RADIUS accounts. You can use a Panorama Template to push the authentication profile to all Firewalls. Here is a KB for reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMYmCAO&lang=en_US%E2%80%A...

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

Thank you for the post @Metgatz

 

the context change in Panorama is only for GUI. I am not aware of any similar feature that would have the same function for CLI. If you do not prefer to use local account to ssh to every Firewall, then perhaps a workaround could be to use TACACS+ or RADIUS accounts. You can use a Panorama Template to push the authentication profile to all Firewalls. Here is a KB for reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMYmCAO&lang=en_US%E2%80%A...

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

@PavelK Excellent, thanks you very much for your clarification. 

High Sticker

L1 Bithead

In some cases the firewalls are connecting to panorama from behind a firewall, NAT, or proxy and are not reachable directly. Since not all the troubleshooting capabilities are available via the GUI, it is necessary to login via SSH, and it would be really helpful if the admin could SSH into Panorama and reverse there way back to a Firewall, Log Collector, or PeerPanorama's CLI.

 

  • 1 accepted solution
  • 5205 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!