09-02-2021 03:28 AM
Hi Guys,
I was able to integrate my FortiGate and Palo Alto firewalls with my ISE TACACS and it is working with the GUI. I would like to ask if it is also possible to restrict CLI commands using the command sets for the FortiGate and PA firewalls?
Thank you.
09-02-2021 04:51 AM
Hi @fatalXerror ,
worth a shot to check the following link: How to configure TACACS authentication against Cisco ISE.
Hope this helps!!!
09-02-2021 07:06 AM
It's going to depend on the other device. Either command accounting, or limiting the user via av-pair or the like back to the device. We limit F5 that way, but it's done on the F5, not by ISE other than the user level sent back.
09-07-2021 03:11 AM
I have no experience with FortiGate, however, for Palo Alto you can define the Admin Roles as you wish, and then you just reference their names in the ISE TACACS Profiles custom attributes. For example, if you created two Admin Roles, one called RW-Admins and another RO-Admins, then from the ISE TACACS Profiles custom attributes you can reference those two by creating two TACACS profiles, one for the RW and another for the RO. In both profiles you will use the MANDATORY Type; the VSA in this case will be PaloAlto-Admin-Role and/or PaloAlto-Panorama-Admin-Role, and the value is the Admin Role Profile you created, in this case RW-Admins or RO-Admins.
To restrict the CLI accesses, you will have a tab called Command Line in the Admin Role Profile. When you go there you can select one of the supported options:
None: No CLI access at all; this is the default, I think.
superuser: Full access.
superreader: Read only access.
deviceadmin: Full access to all firewall settings with the exception of creating new accounts or vsys, which are only allowed for a superuser.
devicereader: Read only access to all the firewall settings except for the password profiles and the other admin accounts.
For Panorama it is very similar to the firewalls, however, Panorama wouldn't have the deviceadmin and the devicereader roles as those are more related to the firewalls. Panorama has also a role called panorama-admin which is very similar to the superuser role with the exception for creating, editing or deleting the Panorama admins and some restrictions when it comes to push and export configs.
You should also set the Admin Role Profile to read only for the UI; you can do that from the main tab, which is called Web UI. Some of the menus won't support read only; in that case you can just suppress them if you want.
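As an added example (not code from the thread, from Cisco ISE or from Palo Alto), here is how the MANDATORY type described above shows up on the wire and how a device would act on it: a small Python parser for TACACS+ authorization attribute-value pairs that maps PaloAlto-Admin-Role / PaloAlto-Panorama-Admin-Role to the Command Line level of a constructed set of Admin Role Profiles. The role tables and the rule that an optional or unknown role grants nothing are this example's own assumptions, not documented PAN-OS behaviour.

```python
"""Resolve TACACS+ authorization AV-pairs to a Palo Alto CLI access level.

Example code for the thread above; not from Cisco ISE or Palo Alto.
"""
import re

# TACACS+ AV-pair syntax: "attr=value" is mandatory, "attr*value" is optional.
# ISE's MANDATORY type emits "=". The separator is the first '=' or '*'.
AVPAIR_RE = re.compile(r"^([^=*]+)([=*])(.*)$")

# Constructed Admin Role Profiles, as they would be defined on the device.
# Maps profile name -> the Command Line setting chosen in that profile
# ("None" is the default, meaning GUI access but no CLI).
FIREWALL_ROLES = {"RW-Admins": "superuser", "RO-Admins": "superreader",
                  "Auditors": "None"}
PANORAMA_ROLES = {"RW-Admins": "panorama-admin", "RO-Admins": "superreader"}


def parse_avpairs(pairs):
    """Return [(attribute, value, mandatory), ...]; raise on a malformed pair."""
    parsed = []
    for pair in pairs:
        match = AVPAIR_RE.match(pair)
        if not match:
            raise ValueError(f"malformed AV-pair: {pair!r}")
        attr, sep, value = match.groups()
        parsed.append((attr, value, sep == "="))
    return parsed


def resolve_cli_access(pairs, panorama=False):
    """Return the CLI level string the device would apply, or None to deny.

    Assumed policy for this example: the role attribute must be present,
    must be mandatory ("="), and must name a profile that exists locally.
    A Panorama attribute sent to a firewall (or vice versa) is ignored.
    """
    wanted = "PaloAlto-Panorama-Admin-Role" if panorama else "PaloAlto-Admin-Role"
    roles = PANORAMA_ROLES if panorama else FIREWALL_ROLES
    for attr, value, mandatory in parse_avpairs(pairs):
        if attr != wanted:
            continue
        if not mandatory or value not in roles:
            return None
        return roles[value]
    return None


if __name__ == "__main__":
    print(resolve_cli_access(["PaloAlto-Admin-Role=RW-Admins"]))  # superuser
```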