Required device permissions
Relevant for: AFA Administrators
AFA requires certain permissions on devices in order to collect data and support other functionalities. The table below describes AFA's requirements for the user account used to connect to AFA for each brand, as well as any other device requirements. Some permissions are only required for specific AFA features.
This topic describes items required for each device type in order for AFA to collect data and support other features. Some items are only required for specific AFA features.
Baseline configuration compliance
For baseline configuration compliance support, AFA connects via SSH to the device and executes the commands in the specified baseline configuration profile.
The required permissions depend on the profile used, as AFA requires permission to read/execute all commands listed in the profile.
Device requirements reference by brand
Check requirements for the following device brands:
- Arista device requirements
- AWS requirements
- Azure requirements
- Check Point device requirements
- Cisco device requirements
- F5 device requirements
- Fortinet device requirements
- Juniper device requirements
- Palo Alto device requirements
- Symantec BlueCoat SGOS device requirements
- TopSec device requirements
- VMware NSX device requirements
- Zscaler device requirements
Note:
Support for the Forcepoint brands (Sidewinder, StoneGate) and Hillstone was deprecated in ASMS version A30.00. As of A32.20, AlgoSec no longer supports adding new Symantec Blue Coat devices. Existing deployed Blue Coat devices will still be functional.
If you had defined these devices in an earlier version of ASMS, these devices are still available to you, with all the existing capabilities, but you cannot add new ones.
We recommend backing up device data before or after upgrading and then removing these devices from AFA. Make sure to download any report zip files for the device before deleting.
For more details, see
Check Point device requirements
See Check Point device permissions.
Cisco device requirements
Cisco ASA | For details, see Device permissions. |
Cisco Firewalls via CSM | Requires enabling the CSM API service. To enable this, in the CSM management application, click Tools > Security Manager Administration > API, and check the Enable API Service setting. |
Cisco IOS | For details, see Device permissions. |
Cisco Nexus | For details, see Device permissions. |
Cisco ACI | For details, see Device permissions. |
Cisco ISE | For details, see Device permissions. |
Cisco Firepower | For details, see Device permissions. |
Cisco Meraki | For details, see Device permissions. |
Arista device requirements
For details, see Device permissions.
Juniper device requirements
Juniper Netscreen | For details, see Device requirements. |
Juniper SRX | For details, see Device permissions. |
Juniper NSM | For details, see Device permissions. |
Junos Space Security Director | For details, see Device permissions. |
Juniper M/E Routers | For details, see Device requirements. |
Fortinet device requirements
For more details, see Add Fortinet devices.
Palo Alto device requirements
For details, see Add Palo Alto Networks devices.
F5 device requirements
F5 BIG-IP LTM Only | For details, see Device permissions. |
F5 BIG-IP LTM and AFM | For details, see Device permissions. |
Symantec BlueCoat SGOS device requirements
The user must be able to enter “enable” mode.
For retrieving routing data from the device, SNMP access is required.
TopSec device requirements
For further SNMP details, see https://knowledge.algosec.com/skn/tu/e5178.
VMware NSX device requirements
For details, see Device permissions.
Zscaler device requirements
For details, see Required user role permissions.
AWS requirements
For details, see Permissions required for AWS.
Azure requirements
For details, see Permissions required for Azure.