Maintain Administrative Access Best Practices

When administrative personnel change, update access so that people who no longer administrate firewalls and Panorama cannot access the management interface and network and so that new administrators have the appropriate access with the appropriate RBAC configuration.
Remove people who no longer administrate the firewall or Panorama from user groups that have management interface access permissions.
Remove the IP addresses of people who no longer administrate the firewall or Panorama device from Security policy allow rules for management interface access.
If you created best practice Admin Role Profiles, if an administrator no longer manages the device, review the profile that administrator used to determine if the profile needs to be modified or deleted:
Verify if any other administrators use the profile. Do not delete the profile if other administrators use it for access or you may disrupt service or inadvertently change access.
Do you need to modify the profile? If other administrators use the profile, changes may inadvertently allow or deny access to those administrators.
If no other administrators use the profile, should you delete it or do you need it for a new administrator who will have the same responsibilities as the previous administrator?
If people no longer manage any devices in your management network, remove their management network access.
Add new administrators to the appropriate user group, add their IP addresses to the Security policy allow rules for management access, and configure RBAC privileges that allow access only to the portions of the device that they manage.
When services or API access for management tools changes, update Security policy rules that allow access accordingly.
Similar to changes in administrative personnel, in firewall and Panorama Security policy and for access to the management network, ensure that you:
Remove access privileges for services and tools that you no longer use.
Add access privileges for new services and tools using the most granular policy to permit only the necessary connection (principle of least privilege access).
Monitor System logs for administrators to identify abnormal account activity, especially for administrators with roles that permit changing key areas such as management access, administrative users, or Security policy.
Configure Log Forwarding for specific log events and types. Use a method that notifies administrators of events so that they can take action in a timely manner. Abnormal activity may indicate a compromised administrator account. Look for activity such as:
An excessive number of login attempts.
Repeated login attempts at unusual times of day for the administrator.
Login attempts from unusual IP addresses or locations.
Creation of new user accounts (ensure that the new account is legitimate).
Addition of new users to groups (ensure that the addition is legitimate).
Unexpected password changes.
Policy and permission changes (Security policy, users, Security profiles, Admin Role Profiles, etc.).
Unscheduled commits.
On the
Dashboard
, use the administrator login activity indicators to detect account misuse.
These activity indicators enable you to quickly view the last login details of administrators and locate hosts that attempt to log into the firewall or Panorama management server.