Four eyes principle in FMC

mario.jost
Level 3

We have the requirement from our management to use a four eyes principle (Admin1 makes a rule change, Admin2 has to approve in order for it to be deployed) so mistakes like one admin bringing down the whole company with one misconfiguration can be avoided. We did not see any feature in FMC that would support such a thing. As far as I can see, we have to develop the rule management on an external platform that supports the four eyes principle and then implement the rule after approval via the API to the FMC. Is there any such feature hidden in FMC? Is such a feature on the roadmap?

4 Replies

balaji.bandi
Hall of Fame

I saw this kind of feature some time back in Prime or ACS, can't remember. Not sure if FMC has this ability, but good question.

How about role-based access, for example:

1. Engineer wants to deploy FW rules for the business requirement.

2. Engineer writes down the steps and asks for approval, making a change control.

3. Seniors review that change and approve it.

4. If it is a big change, like a topology change, a Senior or SME does the work.

5. If it is a standard change which was proven working, the Engineer can do it.

Using FMC and ServiceNow you can do a bit of programming integration.


BB


mario.jost
Level 3

Thanks for your answers, but they don't provide the solution we are looking for. This requires it to always be the same admin that edits the rules, and always the same admin to approve them. Caveat: this lets the admin that approves or deploys the rules change the configuration without asking for someone else's approval. The true 4-eyes principle does not let anyone change a configuration without someone else approving it. So from my example, I want everyone in the team to be able to edit rules, and I want everyone to be able to approve, but NOT do both together. So one day, Admin1 changes something on the configuration and Admin2 has to approve. The next day, Admin2 changes something on the configuration and Admin1 has to approve it in order for it to be deployed... Hope the explanation came across more clearly.
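The workflow the question and the clarification above describe (anyone may edit, anyone may approve, nobody may do both for the same change, and only an approved change is pushed) is what an external rule-management platform in front of FMC would have to enforce. The following is an added example written for this page, not code from the thread, from Cisco or from any product: `ChangeQueue`, `RuleChange` and the `deploy` callback are assumed names, and the callback stands in for the FMC API push, whose endpoints are not shown.

```python
# Added example, not from the thread: a minimal four-eyes change workflow of the
# kind an external rule-management platform in front of FMC would enforce.
# Any team member may author a change and any team member may approve one,
# but nobody may do both for the same change; only approved changes reach the
# deploy callback (in practice the push to the FMC API, assumed and not shown).
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class FourEyesViolation(Exception):
    """The same identity tried to both author and approve one change."""


class NotApproved(Exception):
    """Deployment was requested for a change without a second-person approval."""


@dataclass
class RuleChange:
    change_id: str
    author: str
    rule: Dict[str, str]          # constructed stand-in for an access-rule body
    approver: Optional[str] = None
    deployed: bool = False


class ChangeQueue:
    """Holds pending rule changes and enforces author != approver before deploy."""

    def __init__(self, deploy: Callable[[RuleChange], None]):
        self._changes: Dict[str, RuleChange] = {}
        self._deploy = deploy

    def submit(self, change_id: str, author: str, rule: Dict[str, str]) -> RuleChange:
        change = RuleChange(change_id, author, dict(rule))
        self._changes[change_id] = change
        return change

    def approve(self, change_id: str, approver: str) -> RuleChange:
        change = self._changes[change_id]
        if approver == change.author:
            raise FourEyesViolation(
                f"{approver} authored {change_id} and cannot approve it")
        change.approver = approver
        return change

    def deploy(self, change_id: str) -> RuleChange:
        change = self._changes[change_id]
        # Re-check at deploy time so a mutated record cannot bypass approval.
        if change.approver is None or change.approver == change.author:
            raise NotApproved(f"{change_id} has no independent approval")
        self._deploy(change)          # hand the approved rule to the FMC push
        change.deployed = True
        return change


def run_demo() -> Dict[str, object]:
    """Walk through the two-day scenario from the thread; returns what happened."""
    pushed: List[str] = []
    queue = ChangeQueue(deploy=lambda c: pushed.append(c.change_id))

    # Day 1: Admin1 edits, tries to self-approve (rejected), then Admin2 approves.
    queue.submit("CHG-1", "admin1", {"name": "allow-web", "action": "ALLOW"})
    try:
        queue.approve("CHG-1", "admin1")
        self_approval_blocked = False
    except FourEyesViolation:
        self_approval_blocked = True
    queue.approve("CHG-1", "admin2")
    queue.deploy("CHG-1")

    # Day 2: roles swap; Admin2 edits and Admin1 approves.
    queue.submit("CHG-2", "admin2", {"name": "block-telnet", "action": "BLOCK"})
    queue.approve("CHG-2", "admin1")
    queue.deploy("CHG-2")

    # An unapproved change must never be pushed.
    queue.submit("CHG-3", "admin1", {"name": "allow-all", "action": "ALLOW"})
    try:
        queue.deploy("CHG-3")
        unapproved_blocked = False
    except NotApproved:
        unapproved_blocked = True

    return {
        "pushed": pushed,
        "self_approval_blocked": self_approval_blocked,
        "unapproved_blocked": unapproved_blocked,
    }


if __name__ == "__main__":
    print(run_demo())
```

The check is repeated at deploy time rather than trusted from the approval step, so the only path to the FMC push is through a change record carrying an approver different from its author.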

Marvin Rhoads
Hall of Fame

I think I understand your request. It could be done if you create two separate logins for each of the team members. Such as:

1. Their current login - create rights only

2. A new login - deploy rights.

Of course it still won't prevent a given user from logging in with their regular account and creating and then logging in with their deployment account and deploying. (But no role-based access control (RBAC) scheme could do that as far as I know.) It would be an audited event though.

This is not unlike in Windows best practices where we may have an ADM account for use in times when we have to operate with elevated privileges.
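Since the split-login arrangement above cannot technically stop one person from using both of their accounts, the compensating control is the audit trail. The following added example (written for this page, not code from the thread or from Cisco) shows the review a defender would run over that trail: map each account back to its human owner and flag any change whose create and deploy events belong to the same person. The account names, the owner mapping and the log lines are constructed; FMC's own audit log format is not reproduced here.

```python
# Added example, not from the thread: an audit-log review for the split-login
# arrangement described above. Account names, the owner mapping and the log
# lines are constructed; the real FMC audit log has its own format.
import re
from typing import Dict, List

# Assumption: each admin has a create login and a separate "-deploy" login.
ACCOUNT_OWNER: Dict[str, str] = {
    "admin1": "Alice", "admin1-deploy": "Alice",
    "admin2": "Bob", "admin2-deploy": "Bob",
}

# Constructed audit lines (not FMC's native format).
AUDIT_LOG = """\
2024-05-01T09:00:00Z user=admin1 action=rule_create change=CHG-100
2024-05-01T09:15:00Z user=admin2-deploy action=deploy change=CHG-100
2024-05-02T10:00:00Z user=admin2 action=rule_create change=CHG-101
2024-05-02T10:05:00Z user=admin2-deploy action=deploy change=CHG-101
2024-05-03T11:00:00Z user=admin1 action=rule_create change=CHG-102
2024-05-03T11:30:00Z user=contractor9 action=deploy change=CHG-102
2024-05-04T08:00:00Z user=admin1 action=rule_create change=CHG-103
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) change=(?P<change>\S+)$")


def parse_audit(text: str) -> List[Dict[str, str]]:
    """Parse the constructed audit format into a list of event dicts."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable audit line: {line!r}")
        events.append(m.groupdict())
    return events


def review(events: List[Dict[str, str]], owner_map: Dict[str, str]) -> Dict[str, List[str]]:
    """Flag changes created and deployed by the same person, deployments from
    accounts missing in the owner map, and changes still awaiting deployment."""
    creator: Dict[str, str] = {}
    deployer: Dict[str, str] = {}
    unknown: List[str] = []
    for e in events:
        person = owner_map.get(e["user"])
        if person is None:
            # Unmapped account: cannot attribute it to a human, so report it
            # separately and fall back to the raw account name.
            unknown.append(e["change"])
            person = e["user"]
        if e["action"] == "rule_create":
            creator[e["change"]] = person
        elif e["action"] == "deploy":
            deployer[e["change"]] = person
    return {
        "self_deployed": sorted(c for c in deployer if creator.get(c) == deployer[c]),
        "unknown_account": sorted(set(unknown)),
        "pending": sorted(c for c in creator if c not in deployer),
    }


if __name__ == "__main__":
    print(review(parse_audit(AUDIT_LOG), ACCOUNT_OWNER))
```

In the constructed log, CHG-101 is created through `admin2` and deployed through `admin2-deploy`, both owned by Bob, so it is the one change the review reports as self-deployed; CHG-102 is flagged only because its deploying account is not in the owner map.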
