Required device permissions

Relevant for: AFA Administrators

AFA requires certain permissions on devices in order to collect data and support other functionalities. The table below describes AFA's requirements for the user account used to connect to AFA for each brand, as well as any other device requirements. Some permissions are only required for specific AFA features.

This topic describes items required for each device type in order for AFA to collect data and support other features. Some items are only required for specific AFA features.

Baseline configuration compliance

For baseline configuration compliance support, AFA connects via SSH to the device and executes the commands in the specified baseline configuration profile.

The required permissions depend on the profile used, as AFA requires permission to read/execute all commands listed in the profile.

Back to top

Device requirements reference by brand

Check requirements for the following device brands:

Note:

Support for the Forcepoint brands (Sidewinder, StoneGate) and Hillstone was deprecated in ASMS version A30.00.

If you had defined these devices in an earlier version of ASMS, these devices are still available to you, with all the existing capabilities, but you cannot add new ones after upgrading.

We recommend backing up device data before or after upgrading and then removing these devices from AFA. Make sure to download any report zip files for the device before deleting.

For more details, see View an earlier report for a specific device and the relevant AlgoPedia KB article.

Check Point device requirements

See Check Point device permissions.

Cisco device requirements

Cisco ASA

For details, see Device permissions.

Cisco Firewalls via CSM

Requires enabling the CSM API service.

To enable this, in the CSM management application, click Tools > Security Manager Administration > API, and check the Enable API Service setting.

Cisco IOS

For details, see Device permissions.

Cisco Nexus

For details, see Device permissions.

Cisco ACI

For details, see Device permissions.

Cisco ISE

For details, see Device permissions.

Cisco Firepower

For details, see Device permissions.

Arista device requirements

For details, see Device permissions.

Juniper device requirements

Juniper Netscreen

For details, see Device requirements.

Juniper SRX

For details, see Device permissions.

Juniper NSM

For details, see Device permissions

Junos Space Security Director

For details, see Device permissions.

Juniper M/E Routers

For details, see Device requirements.

Fortinet device requirements

For more details, see Add Fortinet devices.

Palo Alto device requirements

For details, see Add Palo Alto Networks devices.

F5 device requirements

F5 BIG-IP LTM Only

For details, see Device permissions.

F5 BIG-IP LTM and AFM

For details, see Device permissions.

Symantec BlueCoat SGOS device requirements

The user must be able to enter “enable” mode.

For retrieving routing data from the device, SNMP access is required.

WatchGuard device requirements

Read Only permissions are sufficient.

Routing is based on SNMP.

TopSec device requirements

For further SNMP details, see here (https://knowledge.algosec.com/skn/tu/e5178).

VMware NSX device requirements

For details, see Device permissions.

AWS requirements

For details, see Device access requirements for AWS

Azure requirements

For details, see Device requirements for Azure.

Back to top