Required device permissions
Relevant for: AFA Administrators
This topic describes items required for each device type in order for AFA to collect data and support other features. Some items are only required for specific AFA features.
Baseline configuration compliance
For baseline configuration compliance support, AFA connects via SSH to the device and executes the commands in the specified baseline configuration profile.
The required permissions depend on the profile used, as AFA requires permission to read/execute all commands listed in the profile.
Device requirements reference by brand
Check requirements for the following device brands:
- Arista device requirements
- AWS requirements
- Azure requirements
- Check Point device requirements
- Cisco device requirements
- F5 device requirements
- Fortinet device requirements
- Juniper device requirements
- Palo Alto device requirements
- Symantec BlueCoat SGOS device requirements
- TopSec device requirements
- VMware NSX device requirements
- WatchGuard device requirements
Note:
Support for the Forcepoint brands (Sidewinder, StoneGate) and Hillstone was deprecated in ASMS version A30.00.
If you had defined these devices in an earlier version of ASMS, these devices are still available to you, with all the existing capabilities, but you cannot add new ones after upgrading.
We recommend backing up device data before or after upgrading and then removing these devices from AFA. Make sure to download any report zip files for the device before deleting.
For more details, see
Check Point device requirements
See Check Point device permissions.
Cisco device requirements
|
Cisco ASA |
For details, see Device permissions. |
|
Cisco Firewalls via CSM |
Requires enabling the CSM API service. To enable this, in the CSM management application, click Tools > Security Manager Administration > API, and check the Enable API Service setting. |
|
Cisco IOS |
For details, see Device permissions. |
|
Cisco Nexus |
For details, see Device permissions. |
|
Cisco ACI |
For details, see Device permissions. |
|
Cisco ISE |
For details, see Early availability features. |
|
Cisco Firepower |
For details, see Device permissions. |
Arista device requirements
For details, see Device permissions.
Juniper device requirements
|
Juniper Netscreen |
For details, see Device requirements. |
|
Juniper SRX |
For details, see Device permissions. |
|
Juniper NSM |
For details, see Device permissions |
|
Junos Space Security Director |
For details, see Device permissions. |
|
Juniper M/E Routers |
For details, see Device requirements. |
Fortinet device requirements
For more details, see Add Fortinet devices.
Palo Alto device requirements
For details, see Add Palo Alto Networks devices.
F5 device requirements
|
F5 BIG-IP LTM Only |
For details, see Device permissions. |
|
F5 BIG-IP LTM and AFM |
For details, see Device permissions. |
Symantec BlueCoat SGOS device requirements
The user must be able to enter “enable” mode.
For retrieving routing data from the device, SNMP access is required.
WatchGuard device requirements
Read Only permissions are sufficient.
Routing is based on SNMP.
- For default usernames and passwords see https://knowledge.algosec.com/skn/tu/e5269.
- For further SNMP details, see https://knowledge.algosec.com/skn/tu/e5178.
TopSec device requirements
For further SNMP details, see https://knowledge.algosec.com/skn/tu/e5178.
VMware NSX device requirements
For details, see Device permissions.
AWS requirements
For details, see Device access requirements for AWS
Azure requirements
For details, see Device requirements for Azure.
Yes 
No 
