Restricting administrator editing rights in Firewall Policies example

You can restrict the editing rights of network administrators in your organization, as needed.

Company C is implementing a distributed network with multiple sites: one central office where most of the administrators work, and several branch offices in different countries. The branch offices mostly have IT staff with only limited networking experience, but who are still responsible for the day-to-day maintenance of the network infrastructure at their site. They must be able to, for example, add and remove Access rules for testing purposes without always contacting the main administrators.

The administrators decide to limit the permissions of the branch office IT staff so that they are not able to edit the policies of the firewalls at any of the other sites. The administrators:
  1. Create a Firewall Template Policy and select the predefined Firewall Template as the basis of the policy.
  2. Add rules to the Firewall Template Policy using Alias elements to cover the essential services that each of these sites has, such as the VPN connections to the central site.

    Using a common Firewall Template Policy for all branch offices also eliminates the need to make the same changes in several policies, easing the workload.

  3. Create a Firewall Policy based on the new Firewall Template Policy for each of the branch office sites.

    Although the same Firewall Policy might work for all sites, in this case the administrators decide against it. Separate policies are needed for the separation of editing rights. The policies are based on the same Firewall Template Policy, so rules can still be shared without duplicating them manually.

  4. Grant each Firewall Policy to the correct Firewall element.

    After this, only the granted policy can be installed on each firewall; an attempt to install any other policy on that firewall is refused.

  5. Create administrator accounts with restricted rights for the branch office administrators and grant the correct Firewall element and Firewall Policy to each administrator.
    • The branch office administrators are now restricted to editing their own Firewall Policy and to installing it on their own firewall.
    • The branch office administrators are not allowed to edit the Firewall Template Policy on which their policy is based, so the shared rules remain under the control of the central administrators. They also cannot install any other policy, or install their policy on any other firewall.
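The following is an added worked model of the access-control outcome of steps 1 to 5; it is not SMC code and not the product's API. The classes, element names (Branch Template, fw-branch-1, branch1-it, and so on) and the rule strings are constructed for illustration. The model captures the three checks a practitioner would want to verify after configuring this: template rules are shared by reference rather than copied, a policy can be installed only on the firewall it was granted to (step 4), and a restricted administrator can edit and install only the elements granted to them (step 5).

```python
"""Model of the editing-rights separation in the Company C example.

Constructed example: these classes stand in for the SMC element model and
are not the product's own API.  All names are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class FirewallTemplatePolicy:
    name: str
    rules: list = field(default_factory=list)


@dataclass
class FirewallPolicy:
    name: str
    template: FirewallTemplatePolicy
    rules: list = field(default_factory=list)

    def effective_rules(self):
        """Template rules are inherited by reference, never copied (steps 2-3),
        so a change to the template is seen by every policy based on it."""
        return list(self.template.rules) + list(self.rules)


@dataclass
class Firewall:
    name: str
    granted_policies: set = field(default_factory=set)   # step 4


@dataclass
class Administrator:
    name: str
    granted_elements: set = field(default_factory=set)   # step 5
    superuser: bool = False


def can_edit(admin, policy):
    """A restricted administrator may edit only elements granted to them.
    Works for both FirewallPolicy and FirewallTemplatePolicy objects."""
    return admin.superuser or policy.name in admin.granted_elements


def can_install(admin, policy, firewall):
    """Installation needs two things: the policy is granted to the firewall
    (step 4, enforced even for a superuser) and the administrator has been
    granted both the policy and the firewall (step 5)."""
    if policy.name not in firewall.granted_policies:
        return False
    if admin.superuser:
        return True
    return {policy.name, firewall.name} <= admin.granted_elements


def add_rule(admin, policy, rule):
    """Edit a policy on behalf of an administrator, refusing unauthorised edits."""
    if not can_edit(admin, policy):
        raise PermissionError(f"{admin.name} may not edit {policy.name}")
    policy.rules.append(rule)


def build_company_c():
    """Reproduce steps 1-5 for two branch offices (constructed names)."""
    # Step 1-2: one shared template with Alias-based rules (rule text is a placeholder).
    template = FirewallTemplatePolicy("Branch Template",
                                      rules=["Allow <site VPN gateway alias> -> HQ"])
    # Step 3: one policy per branch, both based on the same template.
    pol1 = FirewallPolicy("Branch 1 Policy", template)
    pol2 = FirewallPolicy("Branch 2 Policy", template)
    # Step 4: grant each policy to exactly one Firewall element.
    fw1 = Firewall("fw-branch-1", {pol1.name})
    fw2 = Firewall("fw-branch-2", {pol2.name})
    # Step 5: restricted branch administrator granted only their own elements.
    central = Administrator("central-admin", superuser=True)
    branch1 = Administrator("branch1-it", {pol1.name, fw1.name})
    return template, pol1, pol2, fw1, fw2, central, branch1


if __name__ == "__main__":
    template, pol1, pol2, fw1, fw2, central, branch1 = build_company_c()
    add_rule(branch1, pol1, "Allow test host -> branch server")   # permitted
    try:
        add_rule(branch1, template, "Allow any -> any")           # refused
    except PermissionError as exc:
        print("refused:", exc)
    print("branch1 can install own policy on own fw:", can_install(branch1, pol1, fw1))
    print("branch1 can install own policy on other fw:", can_install(branch1, pol1, fw2))
```

Running the block shows the template edit being refused while the branch administrator's own rule is accepted; the same checks are the ones to repeat in the SMC client after configuring the real elements.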