OS-specific Access Level
Last updated on March 20, 2025
The following table summarizes, for each supported firewall platform, the minimum privilege level (account type or role) needed for collection and whether the exact set of commands permitted on the account can be controlled by a TACACS server.
| Vendor | Software/OS Version | Device Type | Minimum privilege level required (Account Type/Role) | TACACS Support |
|---|---|---|---|---|
| A10 | Thunder, ax3030, virtual A10 | a10_acos_ssh | Privilege level 0 (read-only user) | Yes (Role-based, commands cannot be defined) |
| Arista | EOS 4.14, 4.15, 4.18 | arista_eos_ssh | Privilege level 15 | Yes |
| Aruba | ArubaOS, Version 7.4.1.11 | aruba_switch_ssh | User role: Read-only | Yes (Role-based) |
| Aruba | EdgeConnect SD-WAN (former Silverpeak) | silver_peak_orchestrator_api, silver_peak_edgeconnect_ssh | User role: Admin or Monitor | Yes (Role-based) |
| Avi | Tested on 8.1.5 Avi version | avi_controller_ssh | Special role was created | Yes |
| Bluecoat | | bluecoat_ssh | | No |
| Checkpoint | Gaia R67+ | checkpoint_ssh | User with adminRole or role with 'Expert mode' feature enabled in R/W mode | Yes (Role-based command control) |
| Cisco | IOS/IOS-XE | cisco_ios_ssh, cisco_ios_xe_ssh | Privilege level 5 | Yes |
| Cisco | IOS-XR | cisco_ios_xr_ssh | Privilege level 15 | Yes |
| Cisco | ASA | cisco_asa_ssh | Privilege level 5 | Yes |
| Cisco | NX-OS | cisco_nxos_ssh | Privilege level 15 | Yes |
| Cisco | ACI | cisco_apic_ssh, cisco_nxos_aci_ssh | Admin role with read privilege type and security domain all | Yes |
| Cisco | Meraki MX 18.107 | meraki_api | - | No |
| Citrix | Netscaler 12.0 | netscaler_ssh | Superuser | Yes |
| Cumulus | Tested on 3.5 and 4.0 versions | cumulus_ssh | Privilege level 0 (collector commands access) | Yes |
| F5 | BIGIP 9.4.8-12.1.2 | f5_ssh | User with Guest role (read-only access) | Yes (Role-based) |
| Forcepoint | Forcepoint | forcepoint_https_api, forcepoint_ssh | API: Operator role (All Domains). SSH: Predefined root user | No |
| Fortinet | FortiGate-3600C v5.2.4,build0688,150811 (GA) | fortinet_ssh | User with access to the diagnose command, super_admin profile | Yes |
| HP | Comware | hp_comware_ssh | Privilege level 1 | Yes |
| HP | Provision | hp_provision_ssh | Privilege level 1 | Yes |
| Juniper | Session Smart Router (former 128T SD-WAN) | 128t_conductor, 128t_router | User access level (config-read capability) for all routers. | No |
| Palo-Alto | PAN-OS 9.0 | panos_ssh | Devicereader | No |
| Palo-Alto | PAN-OS 8.0 | panos_ssh | Superuser | No |
| Palo-Alto | Prisma SD-WAN (former Cloudgenix) | prisma_sdwan_ssh, prisma_sdwan_api | User role: read-only | No |
| Riverbed | RiOS | riverbed_steelhead_ssh | - | Yes |
| VCenter | 6.\*, 7.\*, 8.\* | vcenter_api | Read-only | No |
| Versa | Versa SD-WAN | versa_director_ssh, versa_flexvnf_ssh | Versa supports RBAC when logging in to the Director node; however, since we collect from each node separately via SSH, the Versa-Role attribute is ignored. | Yes |