Configuring Device Group Administrator Access for Specific Vsys from Panorama using Access Domains

Created On 09/25/18 17:15 PM - Last Modified 06/07/23 07:52 AM


Resolution


Access domains restrict administrator accounts to specific Vsys (on the firewall) and to specific Device Groups, Templates and Context Switch (on Panorama).

 

When you manage a Vsys-enabled firewall from Panorama, you might want to create Panorama administrators who can access only particular Vsys on the managed firewall.

 

In that case, the target Vsys must be bound to a unique Device Group. You cannot control per-Vsys administration for Panorama administrators if multiple Vsys from the firewall are part of the same Device Group.

 

Steps:

 

  1. Create specific Device Groups for specific Vsys under: [screenshots: Managed Multi-VSYS Firewall]
  2. Create an Access Domain for managing the Vsys1 Device Group and the corresponding context switch. [screenshots]
  3. Create an Administrator with Administrator Type "Device Group and Template Admin" and bind the access domain created above. [screenshot]
  4. Do a Panorama commit and log in using the Vsys1Admin user account. [screenshot]
  5. Verify that you are able to access only Device Group 1, and do a context switch to Vsys1 of the firewall. [screenshots]
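
The constraint above (one Device Group per target Vsys) can be audited before administrators are bound to access domains. The following is an added example, not Palo Alto Networks code: the inventory dictionaries, names and serials are constructed and are not a PAN-OS export format, so populate them from your own Panorama configuration.

```python
from collections import defaultdict

# Constructed inventory (assumption): device group -> [(firewall serial, vsys)]
DEVICE_GROUPS = {
    "DG-Vsys1": [("FW-SERIAL-A", "vsys1")],
    "DG-Vsys2": [("FW-SERIAL-A", "vsys2")],
    "DG-Shared": [("FW-SERIAL-B", "vsys1"), ("FW-SERIAL-B", "vsys2")],
}
# Constructed: access domain -> device groups it grants
ACCESS_DOMAINS = {"AD-Vsys1": ["DG-Vsys1"], "AD-Tenant": ["DG-Shared"]}
# Constructed: Device Group and Template admin -> bound access domain
ADMINS = {"Vsys1Admin": "AD-Vsys1", "TenantAdmin": "AD-Tenant"}


def shared_groups(device_groups):
    """Device groups holding more than one vsys of the same firewall.

    Returns {device_group: {serial: [vsys, ...]}}. Per-vsys restriction
    is not possible for any group listed here.
    """
    findings = {}
    for group, members in device_groups.items():
        per_fw = defaultdict(set)
        for serial, vsys in members:
            per_fw[serial].add(vsys)
        multi = {s: sorted(v) for s, v in per_fw.items() if len(v) > 1}
        if multi:
            findings[group] = multi
    return findings


def admin_reach(admins, access_domains, device_groups):
    """Every (serial, vsys) pair each admin reaches through the access domain."""
    reach = {}
    for admin, domain in admins.items():
        pairs = set()
        for group in access_domains.get(domain, []):
            pairs.update(device_groups.get(group, []))
        reach[admin] = sorted(pairs)
    return reach


def admins_on_shared_groups(admins, access_domains, device_groups):
    """Admins whose access domain includes a group that mixes vsys of one firewall."""
    shared = shared_groups(device_groups)
    flagged = {}
    for admin, domain in admins.items():
        hits = sorted(g for g in access_domains.get(domain, []) if g in shared)
        if hits:
            flagged[admin] = hits
    return flagged
```

Any administrator returned by `admins_on_shared_groups` cannot be limited to a single Vsys until the listed Device Group is split.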

 

 


