Provide Granular Access to the Network Tab
Focus
Focus

Provide Granular Access to the Network Tab

Table of Contents

Provide Granular Access to the Network Tab

When deciding whether to allow access to the Network tab as a whole, determine whether the administrator will have network administration responsibilities, including GlobalProtect administration. If not, the administrator probably does not need access to the tab.
You can also define access to the Network tab at the node level. By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding network configurations. Giving read-only access allows the administrator to view the already-defined configuration, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.
A number of Routing access levels are visible and apply only when Advanced Routing is enabled for the device, in which case logical routers replace virtual routers.
Access Level
Description
Enable
Read Only
Disable
Interfaces
Specifies whether the administrator can view, add, or delete interface configurations.
Yes
Yes
Yes
Zones
Specifies whether the administrator can view, add, or delete zones.
Yes
Yes
Yes
VLANs
Specifies whether the administrator can view, add, or delete VLANs.
Yes
Yes
Yes
Virtual Wires
Specifies whether the administrator can view, add, or delete virtual wires.
Yes
Yes
Yes
Virtual Routers
Specifies whether the administrator can view, add, modify or delete virtual routers.
Yes
Yes
Yes
Routing
(Advanced Routing Engine) Specifies whether the administrator can view, add, modify or delete any of the routing fields for an Advanced Routing Engine.
Yes
Yes
Yes
Logical Routers
(Advanced Routing Engine) Specifies whether the administrator can view, add, modify or delete logical routers.
Yes
Yes
Yes
Routing Profiles
(Advanced Routing Engine) Specifies whether the administrator can view, add, modify or delete routing profiles.
Yes
Yes
Yes
BGP
(Advanced Routing Engine) Specifies whether the administrator can view, add, modify or delete BGP routing profiles.
Yes
Yes
Yes
BFD
(Advanced Routing Engine) Specifies whether the administrator can view, add, modify or delete BFD routing profiles.
Yes
S
Yes
Yes
OSPF
(Advanced Routing Engine) Specifies whether the administrator can view, add, modify or delete OSPFv2 routing profiles.
Yes
Yes
Yes
OSPFv3
(Advanced Routing Engine) Specifies whether the administrator can view, add, modify or delete OSPFv3 routing profiles.
Yes
Yes
Yes
RIPv2
(Advanced Routing Engine) Specifies whether the administrator can view, add, modify or delete RIPv2 routing profiles.
Yes
Yes
Yes
Filters
(Advanced Routing Engine) Specifies whether the administrator can view, add, modify or delete filters.
Yes
Yes
Yes
Multicast
(Advanced Routing Engine) Specifies whether the administrator can view, add, modify or delete IPv4 multicast routing profiles.
Yes
Yes
Yes
IPSec Tunnels
Specifies whether the administrator can view, add, modify, or delete IPSec Tunnel configurations.
Yes
Yes
Yes
GRE Tunnels
Specifies whether the administrator can view, add, modify, or delete GRE Tunnel configurations.
Yes
Yes
Yes
DHCP
Specifies whether the administrator can view, add, modify, or delete DHCP server and DHCP relay configurations.
Yes
Yes
Yes
DNS Proxy
Specifies whether the administrator can view, add, modify, or delete DNS proxy configurations.
Yes
Yes
Yes
GlobalProtect
Specifies whether the administrator can view, add, modify GlobalProtect portal and gateway configurations. You can disable access to the GlobalProtect functions entirely, or you can enable the GlobalProtect privilege and then restrict the role to either the portal or gateway configuration areas.
Yes
No
Yes
Portals
Specifies whether the administrator can view, add, modify, or delete GlobalProtect portal configurations.
Yes
Yes
Yes
Gateways
Specifies whether the administrator can view, add, modify, or delete GlobalProtect gateway configurations.
Yes
Yes
Yes
MDM
Specifies whether the administrator can view, add, modify, or delete GlobalProtect MDM server configurations.
Yes
Yes
Yes
Device Block List
Specifies whether the administrator can view, add, modify, or delete device block lists.
Yes
Yes
Yes
Clientless Apps
Specifies whether the administrator can view, add, modify, or delete GlobalProtect Clientless VPN applications.
Yes
Yes
Yes
Clientless App Groups
Specifies whether the administrator can view, add, modify, or delete GlobalProtect Clientless VPN application groups.
Yes
Yes
Yes
QoS
Specifies whether the administrator can view, add, modify, or delete QoS configurations.
Yes
Yes
Yes
LLDP
Specifies whether the administrator can view add, modify, or delete LLDP configurations.
Yes
Yes
Yes
Network Profiles
Sets the default state to enable or disable for all of the Network settings described below.
Yes
No
Yes
GlobalProtect IPSec Crypto
Controls access to the Network ProfilesGlobalProtect IPSec Crypto node.
If you disable this privilege, the administrator will not see that node, or configure algorithms for authentication and encryption in VPN tunnels between a GlobalProtect gateway and clients.
If you set the privilege to read-only, the administrator can view existing GlobalProtect IPSec Crypto profiles but cannot add or edit them.
Yes
Yes
Yes
IKE Gateways
Controls access to the Network ProfilesIKE Gateways node. If you disable this privilege, the administrator will not see the IKE Gateways node or define gateways that include the configuration information necessary to perform IKE protocol negotiation with peer gateway.
If the privilege state is set to read-only, you can view the currently configured IKE Gateways but cannot add or edit gateways.
Yes
Yes
Yes
IPSec Crypto
Controls access to the Network ProfilesIPSec Crypto node. If you disable this privilege, the administrator will not see the Network ProfilesIPSec Crypto node or specify protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPSec SA negotiation.
If the privilege state is set to read-only, you can view the currently configured IPSec Crypto configuration but cannot add or edit a configuration.
Yes
Yes
Yes
IKE Crypto
Controls how devices exchange information to ensure secure communication. Specify the protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPsec SA negotiation (IKEv1 Phase-1).
Yes
Yes
Yes
Monitor
Controls access to the Network ProfilesMonitor node. If you disable this privilege, the administrator will not see the Network ProfilesMonitor node or be able to create or edit a monitor profile that is used to monitor IPSec tunnels and monitor a next-hop device for policy-based forwarding (PBF) rules.
If the privilege state is set to read-only, you can view the currently configured monitor profile configuration but cannot add or edit a configuration.
Yes
Yes
Yes
Interface Mgmt
Controls access to the Network ProfilesInterface Mgmt node. If you disable this privilege, the administrator will not see the Network ProfilesInterface Mgmt node or be able to specify the protocols that are used to manage the firewall.
If the privilege state is set to read-only, you can view the currently configured Interface management profile configuration but cannot add or edit a configuration.
Yes
Yes
Yes
Zone Protection
Controls access to the Network ProfilesZone Protection node. If you disable this privilege, the administrator will not see the Network ProfilesZone Protection node or be able to configure a profile that determines how the firewall responds to attacks from specified security zones.
If the privilege state is set to read-only, you can view the currently configured Zone Protection profile configuration but cannot add or edit a configuration.
Yes
Yes
Yes
QoS Profile
Controls access to the Network ProfilesQoS node. If you disable this privilege, the administrator will not see the Network ProfilesQoS node or be able to configure a QoS profile that determines how QoS traffic classes are treated.
If the privilege state is set to read-only, you can view the currently configured QoS profile configuration but cannot add or edit a configuration.
Yes
Yes
Yes
LLDP Profile
Controls access to the Network ProfilesLLDP node. If you disable this privilege, the administrator will not see the Network ProfilesLLDP node or be able to configure an LLDP profile that controls whether the interfaces on the firewall can participate in the Link Layer Discovery Protocol.
If the privilege state is set to read-only, you can view the currently configured LLDP profile configuration but cannot add or edit a configuration.
Yes
Yes
Yes
BFD Profile
Controls access to the Network ProfilesBFD Profile node. If you disable this privilege, the administrator will not see the Network ProfilesBFD Profile node or be able to configure a BFD profile. A Bidirectional Forwarding Detection (BFD) profile allows you to configure BFD settings to apply to one or more static routes or routing protocols. Thus, BFD detects a failed link or BFD peer and allows an extremely fast failover.
If the privilege state is set to read-only, you can view the currently configured BFD profile but cannot add or edit a BFD profile.
Yes
Yes
Yes
SD-WAN Interface Profile
Controls access to the SD-WAN Interface Profile node. If you disable this privilege, the administrator will not see the SD-WAN Interface Profile node or be able to configure an SD-WAN Interface Profile. An SD-WAN Interface Profile defines the characteristics of ISP connections and specifies the link speed and how frequently the firewall monitors the link.
If the privilege state is set to read-only, you can view the currently configured SD-WAN Interface Profile but cannot add or edit one.
Yes
Yes
Yes