Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
402
Views
0
Helpful
2
Replies

Restrict multiple simultaneous FWSM administrators per Context?

cpresland
Level 1
Level 1

‎12-10-2008 02:28 AM - edited ‎03-11-2019 07:23 AM

Is it possible to have multiple firewall administrators logged into a FWSM, across multiple contexts, but to ONLY allow one administrator per context with WRITE access/privileges? I want to prevent having multiple administrators working within the same context simultaneously, both with write privileges.

The aim is to ONLY have ONE administrator making changes to a context at a time… Is this possible?

Labels:
0 Helpful
2 Replies 2

vmoopeung
Level 5
Level 5

‎12-16-2008 09:58 AM

The FWSM provides system administrator access in multiple context mode as well as access for individual context administrators.

The admin context is just like any other context, except that when you log in to the admin context, then you have system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. But, because logging into the admin context grants you administrator privileges over all contexts, you can possibly need to restrict access to the admin context to appropriate users. The admin context must reside on Flash memory, and not remotely.

If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the internal Flash memory called admin.cfg. This context is named admin. If you do not want to use admin.cfg as the admin context, you can change the admin context.

The sections in the below URL describe logging in as a system administrator or as a a context administrator:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809bfce4.shtml#man

0 Helpful

cpresland
Level 1
Level 1
In response to vmoopeung

‎12-16-2008 10:33 AM

Hi There, thanks for your response.

Let me explain further…

Authentication to our FWSM's is controlled using Cisco ACS - TACACS.

Administrators logging into any of the FWSM's, must authenticate against TACACS. All FWSM administrators have write privileges/access. No local authentication is allowed. We are in a situation where we have 15 or so FWSM administrators.

So at any one time, we can have multiple FWSM administrators with write privileges logged into the SAME context, making different simultaneous changes…

This is what I am trying to prevent. Multiple administrators logged into the same FWSM context, both making different changes at the same time…

Kind of like Checkpoint where there is ONLY ever 1 administrator logged in and making changes at any one time…

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card