Thanks for your reply and thoughts.
I will see if there's a secure way to automate the admin-task of pulling the most recent XML configs from the firewalls into Expedition. That ability + using the RBAC setup inside Expedition sounds like it might accomplish what we're aiming for.
I would like to have our InfoSec team use Expedition to audit/report/track changes on our firewalls. What's the best way to set them up so they can use Expedition, but not have any rights to modify or push changes to Panorama or the firewalls? Expedition v. 1.1.35.
I've set up a Panorama user with XML API rights, but have found the user requires at least the "Operational Requests" and "Configuration" roles in order to download the firewall config files for analysis. Per this page, the "Configuration" role can also modify Panorama and the firewall configs, which we don't want to allow. https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/panorama-web-interface/panorama-admin-roles#
Maybe there's a way within Expedition to limit this type of access? Or a different set of RBAC roles? Ideally, I'd be able to give InfoSec a Panorama read-only API key and they'd be admins/super-users in Expedition, as they will be the ones primarily using the tool.
Thanks in advance for any suggestions.