So recently we (as in voluntold lol) decided to get rid of our dedicated Cisco L3 devices and move the L1 (VMWire) only FWs into L3 as a "cost saving measure". Won't get into how much I hate this, but the decision has been made. Also, this entire thing is managed via Panorama, so we don't need "do local FW overrides of templates". Also, virtual systems are not an option in many cases as the majority are low-end small-site models (i.e. 800s and down), hence we don't need to get into "spin up a virtual system and control it that way" discussions.
Anyways, does anybody have a config snippet they want to share for setting up the following two custom admin roles?
1) GP Admin - Needs access to the FW running GP (not all of them, just one), the ability to configure it all, maintain it, etc. (via Panorama templates), but NOT anything else in Panorama or the FW.
2) Ditto, but Network Engineer - i.e. needs access to the virtual routers, L2/L3 configs, interface configs, routing tables, etc., but not stuff like the admin database, authentication setup, security policy or objects, etc.
The built-in roles are ill-equipped for this, and I know how to do it via effective superuser via Device Templates/Admin at a per-FW / virtual-system level, but I'm looking for something more fine-tuned than that, i.e. "Just every function GP needs and nothing more" or "Every function a network engineer would need to treat the PA like an L3 device, but nothing more".