Provide Granular Access to the Monitor Tab

In some cases you might want to enable the administrator to view some but not all areas of the Monitor tab. For example, you might want to restrict operations administrators to the Config and System logs only, because they do not contain sensitive user data. Although this section of the administrator role definition specifies what areas of the Monitor tab the administrator can see, you can also couple privileges in this section with privacy privileges, such as disabling the ability to see usernames in logs and reports. One thing to keep in mind, however, is that any system-generated reports will still show usernames and IP addresses even if you disable that functionality in the role. For this reason, if you do not want the administrator to see any of the private user information, disable access to the specific reports as detailed in the following table.
The following table lists the Monitor tab access levels and the administrator roles for which they are available.
Device Group and Template roles can see log data only for the device groups that are within the access domains assigned to those roles.
| Access Level | Description | Administrator Role Availability | Enable | Read Only | Disable |
| --- | --- | --- | --- | --- | --- |
| Monitor | Enables or disables access to the Monitor tab. If disabled, the administrator will not see this tab or any of the associated logs or reports. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Logs | Enables or disables access to all log files. You can also leave this privilege enabled and then disable specific logs that you do not want the administrator to see. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the logs, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Traffic | Specifies whether the administrator can see the traffic logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Threat | Specifies whether the administrator can see the threat logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| URL Filtering | Specifies whether the administrator can see the URL filtering logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| WildFire Submissions | Specifies whether the administrator can see the WildFire logs. These logs are only available if you have a WildFire subscription. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Data Filtering | Specifies whether the administrator can see the data filtering logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| HIP Match | Specifies whether the administrator can see the HIP Match logs. HIP Match logs are available only if you have a GlobalProtect license (subscription). | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| User-ID | Specifies whether the administrator can see the User-ID logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Tunnel Inspection | Specifies whether the administrator can see the Tunnel Inspection logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Configuration | Specifies whether the administrator can see the configuration logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: No | Yes | No | Yes |
| System | Specifies whether the administrator can see the system logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: No | Yes | No | Yes |
| Alarms | Specifies whether the administrator can see system-generated alarms. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Authentication | Specifies whether the administrator can see the Authentication logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: No | Yes | No | Yes |
| Automated Correlation Engine | Enables or disables access to the correlation objects and correlated event logs generated on the firewall. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Correlation Objects | Specifies whether the administrator can view and enable/disable the correlation objects. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Correlated Events | Specifies whether the administrator | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Packet Capture | Specifies whether the administrator can see packet captures (pcaps) from the Monitor tab. Keep in mind that packet captures are raw flow data and as such may contain user IP addresses. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in the pcap and you should therefore disable the Packet Capture privilege if you are concerned about user privacy. | Firewall: Yes; Panorama: No; Device Group/Template: No | Yes | Yes | Yes |
| App Scope | Specifies whether the administrator can see the App Scope visibility and analysis tools. Enabling App Scope enables access to all of the App Scope charts. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Session Browser | Specifies whether the administrator can browse and filter current running sessions on the firewall. Keep in mind that the session browser shows raw flow data and as such may contain user IP addresses. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in the session browser and you should therefore disable the Session Browser privilege if you are concerned about user privacy. | Firewall: Yes; Panorama: No; Device Group/Template: No | Yes | No | Yes |
| Block IP List | Specifies whether the administrator can view the block list (Enable or Read Only) and delete entries from the list (Enable). If you disable the setting, the administrator won’t be able to view or delete entries from the block list. | Firewall: Yes; Panorama: under Context Switch UI: Yes; Template: Yes | Yes | Yes | Yes |
| Botnet | Specifies whether the administrator can generate and view botnet analysis reports or view botnet reports in read-only mode. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in scheduled botnet reports and you should therefore disable the Botnet privilege if you are concerned about user privacy. | Firewall: Yes; Panorama: No; Device Group/Template: No | Yes | Yes | Yes |
| PDF Reports | Enables or disables access to all PDF reports. You can also leave this privilege enabled and then disable specific PDF reports that you do not want the administrator to see. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the reports, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Manage PDF Summary | Specifies whether the administrator can view, add or delete PDF summary report definitions. With read-only access, the administrator can see PDF summary report definitions, but not add or delete them. If you disable this option, the administrator can neither view the report definitions nor add/delete them. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | Yes | Yes |
| PDF Summary Reports | Specifies whether the administrator can see the generated PDF Summary reports in Monitor > Reports. If you disable this option, the PDF Summary Reports category will not display in the Reports node. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| User Activity Report | Specifies whether the administrator can view, add or delete User Activity report definitions and download the reports. With read-only access, the administrator can see User Activity report definitions, but not add, delete, or download them. If you disable this option, the administrator cannot see this category of PDF report. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | Yes | Yes |
| SaaS Application Usage Report | Specifies whether the administrator can view, add or delete a SaaS application usage report. With read-only access, the administrator can see the SaaS application usage report definitions, but cannot add or delete them. If you disable this option, the administrator can neither view the report definitions nor add or delete them. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | Yes | Yes |
| Report Groups | Specifies whether the administrator can view, add or delete report group definitions. With read-only access, the administrator can see report group definitions, but not add or delete them. If you disable this option, the administrator cannot see this category of PDF report. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | Yes | Yes |
| Email Scheduler | Specifies whether the administrator can schedule report groups for email. Because the generated reports that get emailed may contain sensitive user data that is not removed by disabling the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports options and because they may also show log data to which the administrator does not have access, you should disable the Email Scheduler option if you have user privacy requirements. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | Yes | Yes |
| Manage Custom Reports | Enables or disables access to all custom report functionality. You can also leave this privilege enabled and then disable specific custom report categories that you do not want the administrator to be able to access. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the reports, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option. Reports that are scheduled to run rather than run on demand will show IP address and user information. In this case, be sure to restrict access to the corresponding report areas. In addition, the custom report feature does not restrict the ability to generate reports that contain log data contained in logs that are excluded from the administrator role. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Application Statistics | Specifies whether the administrator can create a custom report that includes data from the application statistics database. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Data Filtering Log | Specifies whether the administrator can create a custom report that includes data from the Data Filtering logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Threat Log | Specifies whether the administrator can create a custom report that includes data from the Threat logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Threat Summary | Specifies whether the administrator can create a custom report that includes data from the Threat Summary database. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Traffic Log | Specifies whether the administrator can create a custom report that includes data from the Traffic logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Traffic Summary | Specifies whether the administrator can create a custom report that includes data from the Traffic Summary database. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| URL Log | Specifies whether the administrator can create a custom report that includes data from the URL Filtering logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Hipmatch | Specifies whether the administrator can create a custom report that includes data from the HIP Match logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| WildFire Log | Specifies whether the administrator can create a custom report that includes data from the WildFire logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Userid | Specifies whether the administrator can create a custom report that includes data from the User-ID logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| Auth | Specifies whether the administrator can create a custom report that includes data from the Authentication logs. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| View Scheduled Custom Reports | Specifies whether the administrator can view a custom report that has been scheduled to generate. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| View Predefined Application Reports | Specifies whether the administrator can view Application Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| View Predefined Threat Reports | Specifies whether the administrator can view Threat Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| View Predefined URL Filtering Reports | Specifies whether the administrator can view URL Filtering Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
| View Predefined Traffic Reports | Specifies whether the administrator can view Traffic Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements. | Firewall: Yes; Panorama: Yes; Device Group/Template: Yes | Yes | No | Yes |
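
The privacy caveats in the table can be turned into a role review check. The following is an added example, not part of the product documentation or any PAN-OS tooling: it flags privileges that the table says still expose user data when a privacy option is disabled, and custom report sources that expose logs hidden from the role. The role dictionary format, the function names and the sample role are assumptions made for illustration.

```python
# Added example. The role dict format is an assumption for illustration, not a
# PAN-OS export format; privilege names are the table's Access Level names.
PRIVACY_OPTIONS = ("Show Full IP Addresses", "Show User Names In Logs And Reports")

# Privileges the table says still expose user data when privacy options are off.
PRIVACY_BYPASS = {
    "Packet Capture": "pcaps are raw flow data",
    "Session Browser": "shows raw flow data",
    "Botnet": "scheduled botnet reports keep IP addresses",
    "Email Scheduler": "emailed reports keep user data",
    "Manage Custom Reports": "scheduled custom reports show IP and user data",
    "View Scheduled Custom Reports": "scheduled reports show IP and user data",
}
for kind in ("Application", "Threat", "URL Filtering", "Traffic"):
    PRIVACY_BYPASS[f"View Predefined {kind} Reports"] = "privacy privileges do not apply"

# Custom report source -> the log it reads; custom reports ignore log exclusions.
CUSTOM_REPORT_SOURCE = {
    "Traffic Log": "Traffic", "Threat Log": "Threat", "URL Log": "URL Filtering",
    "Data Filtering Log": "Data Filtering", "Hipmatch": "HIP Match",
    "WildFire Log": "WildFire Submissions", "Userid": "User-ID", "Auth": "Authentication",
}

def state(role, name):
    # Assumption: a privilege missing from the dict counts as enabled (worst case).
    return role.get(name, "enable")

def audit_role(role):
    """Return sorted findings for {privilege: 'enable'|'read-only'|'disable'}."""
    if state(role, "Monitor") == "disable":
        return []  # tab hidden, so no associated logs or reports are reachable
    findings = []
    # A role is treated as privacy-restricted if either privacy option is disabled.
    if any(state(role, opt) == "disable" for opt in PRIVACY_OPTIONS):
        for priv, why in PRIVACY_BYPASS.items():
            if state(role, priv) != "disable":  # the page advises Disable, so flag the rest
                findings.append(f"privacy bypass: {priv} ({why})")
    if state(role, "Manage Custom Reports") != "disable":
        for source, log in CUSTOM_REPORT_SOURCE.items():
            hidden = "disable" in (state(role, "Logs"), state(role, log))
            if hidden and state(role, source) != "disable":
                findings.append(f"log exclusion bypass: {source} exposes {log} log data")
    return sorted(findings)

# Constructed sample: privacy-restricted operations role with a few oversights.
OPS_ROLE = {name: "disable" for name in
            [*PRIVACY_OPTIONS, *PRIVACY_BYPASS, *CUSTOM_REPORT_SOURCE.values(),
             *CUSTOM_REPORT_SOURCE]}
OPS_ROLE.update({"Manage Custom Reports": "enable", "Traffic Log": "enable",
                 "Email Scheduler": "read-only"})
```

Calling audit_role(OPS_ROLE) returns three findings; disabling Manage Custom Reports and Email Scheduler in the sample clears them.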
