Document: Panorama™ Administrator's Guide
Role-Based Access Control
Last Updated: Thu May 07 10:13:53 PDT 2020
Role-based access control (RBAC) enables you to define the privileges and responsibilities of administrative users (administrators). Every administrator must have a user account that specifies a role and authentication method.
Administrative Roles define access to specific configuration settings, logs, and reports within Panorama and firewall contexts. For Device Group and Template administrators, you can map roles to Access Domains, which define access to specific device groups, templates, and firewalls (through context switching). By combining each access domain with a role, you can enforce the separation of information among the functional or regional areas of your organization. For example, you can limit an administrator to monitoring activities for data center firewalls but allow that same administrator to set policies for test lab firewalls.
By default, every Panorama appliance (virtual appliance or M-Series appliance) has a predefined administrative account (admin) that provides full read-write access (superuser access) to all functional areas and to all device groups, templates, and firewalls. Because that account is a superuser that no access domain can narrow, change its default password at first login and reserve it for break-glass use; create named accounts with narrower roles for day-to-day administration. For each administrator, you can define the minimum password complexity, a password profile, and an authentication profile that determines how Panorama verifies user access credentials.
You configure administrator accounts based on the security requirements of your organization, any existing authentication services with which to integrate, and the required administrative roles. A role defines the type of system access that is available to an administrator. You can define and restrict access as broadly or granularly as required, depending on the security requirements of your organization. For example, you might decide that a data center administrator can have access to all device and networking configurations, but a security administrator can control only security policy definitions, while other key individuals can have limited CLI or XML API access. The role types are:
An authentication profile specifies the authentication service that validates the credentials of an administrator during login and defines how Panorama accesses the service. If you create a local administrator account on Panorama, you can authenticate the administrator against the local database, against an external service (RADIUS, TACACS+, LDAP, or Kerberos server), or through Kerberos single sign-on (SSO). If you use an external service, you must configure a server profile before you create the authentication profile that references it and assign that authentication profile to the administrative account. If you want to use an external service for both account administration (instead of creating local accounts) and for authentication, you must Configure RADIUS Vendor-Specific Attributes for Administrator Authentication.
Some environments have multiple databases for different users and user groups. To authenticate against multiple authentication sources (for example, the local database and LDAP), configure an authentication sequence. An authentication sequence is a ranked list of authentication profiles that Panorama tries in order when an administrator logs in. Panorama checks the local database first, and then checks each profile in sequence until the administrator is successfully authenticated. Panorama denies the administrator access only if authentication fails for every profile defined in the authentication sequence.
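The following Python model is added here as an illustration of the sequence semantics just described; it is not Panorama code or part of this guide. It tries the local database first, then each profile in ranked order, and denies only when every source has failed. The profile names, the accounts, the stand-in LDAP directory and the deliberately unreachable RADIUS server are all constructed for the example; the point it adds to the text is how an outage on one profile is treated (as a failed attempt that the sequence moves past) and how the per-source trail feeds an audit log.

```python
"""Model of a ranked authentication sequence: local database first, then each
profile in order, deny only when every source fails. Added example, not
Panorama code; the profile names, accounts and 'unreachable' RADIUS server
are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 200_000


@dataclass
class AuthProfile:
    name: str
    # verify(username, password) -> True on success, False on bad credentials;
    # raises ConnectionError/TimeoutError when the backing server cannot be reached.
    verify: Callable[[str, str], bool]


@dataclass
class AuthOutcome:
    authenticated: bool
    profile: Optional[str]                          # source that accepted the login
    trail: List[str] = field(default_factory=list)  # per-source result, for the audit log


def make_local_entry(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Store a salted PBKDF2 digest for the local database, never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_local(local_db: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    entry = local_db.get(username)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def authenticate(local_db: Dict[str, Tuple[bytes, bytes]], sequence: List[AuthProfile],
                 username: str, password: str) -> AuthOutcome:
    trail: List[str] = []
    if verify_local(local_db, username, password):
        trail.append("local:ok")
        return AuthOutcome(True, "local", trail)
    trail.append("local:fail")
    for profile in sequence:
        try:
            ok = profile.verify(username, password)
        except (ConnectionError, TimeoutError) as exc:
            # An unreachable server is treated as a failed attempt; the next
            # profile is still tried, so an outage on one source does not lock
            # out administrators who can be verified later in the sequence.
            trail.append(f"{profile.name}:error:{type(exc).__name__}")
            continue
        trail.append(f"{profile.name}:{'ok' if ok else 'fail'}")
        if ok:
            return AuthOutcome(True, profile.name, trail)
    return AuthOutcome(False, None, trail)   # every source failed: deny


# --- constructed sample sources (not real servers) ---------------------------
_LDAP_DIRECTORY = {"alice": "Wint3r!Sun"}   # stand-in for an LDAP bind check


def ldap_verify(username: str, password: str) -> bool:
    return _LDAP_DIRECTORY.get(username) == password


def radius_verify(username: str, password: str) -> bool:
    raise ConnectionError("radius.corp.example:1812 unreachable")   # simulated outage


LOCAL_DB = {"svc-backup": make_local_entry("Lo0ng-local-pass", salt=b"example-salt-16b")}
SEQUENCE = [AuthProfile("legacy-radius", radius_verify), AuthProfile("corp-ldap", ldap_verify)]

if __name__ == "__main__":
    for user, pw in [("alice", "Wint3r!Sun"), ("svc-backup", "Lo0ng-local-pass"), ("mallory", "guess")]:
        print(user, authenticate(LOCAL_DB, SEQUENCE, user, pw))
```

Running the block shows alice accepted by corp-ldap after the RADIUS profile errored, svc-backup accepted by the local database without touching any external source, and mallory denied with a three-entry trail. Keep that trail: when a sequence spans several directories, the source that finally accepted a login is the detail an investigator needs.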
Access domains control administrative access to specific device groups (to manage policies and objects) and templates (to manage network and device settings), and also control the ability to switch context to the web interface of managed firewalls. Access domains apply only to administrators with Device Group and Template roles. By combining access domains with Administrative Roles, you can enforce the separation of information among the functional or regional areas of your organization.
You can manage access domains locally or by using RADIUS Vendor-Specific Attributes (VSAs). To use RADIUS VSAs, your network requires an existing RADIUS server and you must configure a RADIUS server profile to define how Panorama accesses the server. On the RADIUS server, you define a VSA attribute number and value for each administrator. The value must match the name of an access domain configured on Panorama; a value that matches no configured access domain gives the administrator no scope, so keep the names on the RADIUS server and on Panorama in sync. When an administrator tries to log in to Panorama, Panorama queries the RADIUS server for the administrator's access domain and attribute number. Based on the response from the RADIUS server, the administrator is authorized for access and is restricted to the firewalls, virtual systems, device groups, and templates that are assigned to that access domain.