Admins authenticating to Panorama are using AD credentials. The same admin accounts are created on each managed firewall as Superusers. The issue we are having is with Admins committing changes as local overrides (unknowingly/accidentally). I am trying to prevent the admins from being able to commit a local override. I created a user as Super-Admin on Panorama and the same username as a "Read only Admin" on a managed firewall. When logging in directly to the firewall, the admin is unable to make changes, however when logging into the firewall through Panorama context menu the RO user is still able to commit local overrides. "show admins" shows the RO user account that I created as the connected user (not Panorama-"readonlyadmin") What is the best way to accomplish this (other than training the admins)?
... View more