Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Restrict multiple simultaneous FWSM administrators per Context?

Is it possible to have multiple firewall administrators logged into a FWSM, across multiple contexts, but to ONLY allow one administrator per context with WRITE access/privileges? I want to prevent having multiple administrators working within the same context simultaneously, both with write privileges.

The aim is to ONLY have ONE administrator making changes to a context at a time… Is this possible?

2 REPLIES
Bronze

Re: Restrict multiple simultaneous FWSM administrators per Conte

The FWSM provides system administrator access in multiple context mode as well as access for individual context administrators.

The admin context is just like any other context, except that when you log in to the admin context, then you have system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. But, because logging into the admin context grants you administrator privileges over all contexts, you can possibly need to restrict access to the admin context to appropriate users. The admin context must reside on Flash memory, and not remotely.

If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the internal Flash memory called admin.cfg. This context is named admin. If you do not want to use admin.cfg as the admin context, you can change the admin context.

The sections in the below URL describe logging in as a system administrator or as a a context administrator:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809bfce4.shtml#man

New Member

Re: Restrict multiple simultaneous FWSM administrators per Conte

Hi There, thanks for your response.

Let me explain further…

Authentication to our FWSM's is controlled using Cisco ACS - TACACS.

Administrators logging into any of the FWSM's, must authenticate against TACACS. All FWSM administrators have write privileges/access. No local authentication is allowed. We are in a situation where we have 15 or so FWSM administrators.

So at any one time, we can have multiple FWSM administrators with write privileges logged into the SAME context, making different simultaneous changes…

This is what I am trying to prevent. Multiple administrators logged into the same FWSM context, both making different changes at the same time…

Kind of like Checkpoint where there is ONLY ever 1 administrator logged in and making changes at any one time…

215
Views
0
Helpful
2
Replies
CreatePlease to create content