Indeni connects to Palo Alto Network Devices (Log Collector excepted) via PAN-OS XML API/HTTPS and SSH. We recommend assigning the Dynamic role of Superuser or Superuser (read-only) to the Indeni user, with standard session timeouts configured. This leverages Palo Alto Networks’ fixed privileges and is a a scalable option for future automation scripts to be successfully utilized by the Indeni system.
In the event that a Custom role need to be defined, it is preferred to include privileges that allow for flexibility and growth when Indeni’s Knowledge scripts expand to include more enhanced functionality. However, the following are minimum access requirements and must be enabled within the profile.
WebUI: No minimum requirements (all disabled)
XML API: Operational Request
Command Line: devicereader
If you need assistance creating a user on your Palo Alto Networks device, please refer to Palo Alto’s website.
Indeni recommends that credentials set for Palo Alto Network devices are left with the default privilege of Superuser (Read-Only), and dynamic-based control. Indeni is read-only and does not make any changes to the device’s configurations or policies.
The reason we recommend the above role configuration for the user is because as the product continues to expand its knowledge base, the Indeni credentials will need enough flexibility to facilitate any new scripts that may require access to API and SSH commands; which are otherwise strictly defined with custom roles.
Configuring Custom Roles
Should internal policies require that Indeni utilize the minimum available privileges required to collect and analyze data from the devices, we recommend to follow the guidance below in terms of creating custom credentials:
The the enabled/disabled options should be set as follows:
Web UI – Disable All
XML API – Operational Requests
Command Line: “devicereader”