https://live.paloaltonetworks.com/t5/general-topics/how-to-set-2fa-to-local-superuser/m-p/524882#M108576 <P>Hello,</P> <P>Correct, the builtin or local accounts to the firewall are all stored on the firewall and do not use external means for authentication. Best option is to use the 'Minimum Password Complexity' and set the settings fairly high and tight. Here are the settings for the STIG, but the password lengths should be over 30 and randomly generated along with rotated.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OtakarKlier_0-1671736924169.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46360iE37699E7F3826841/image-size/medium?v=v2&amp;px=400" role="button" title="OtakarKlier_0-1671736924169.png" alt="OtakarKlier_0-1671736924169.png" /></span></P> <P>&nbsp;</P> <P>If you utilize the password change, make sure you do it prior to it needing to be changed or you could get locked out of it! Also if you use API passwords, these will also change when the passwords are changes/rotated.</P> <P>&nbsp;</P> <P>Regards,</P> Thu, 22 Dec 2022 19:23:06 GMT OtakarKlier 2022-12-22T19:23:06Z https://live.paloaltonetworks.com/t5/general-topics/how-to-set-2fa-to-local-superuser/m-p/524847#M108568 <P style="font-weight: 400;">Prerequisites</P> <P style="font-weight: 400;">Currently,&nbsp; user has two admin accounts.</P> <OL style="font-weight: 400;"> <LI>Default local admin account(Superuser)</LI> <LI>New local admin account synchronized with Cisco Duo(Superuser)</LI> </OL> <P style="font-weight: 400;">End user has to consider how to treat “Default local admin account”.</P> <P style="font-weight: 400;">As a result of consideration, the following items are the options to deal with it:</P> <P style="font-weight: 400;">Option1: To make “Default local admin account” synchronized with some authenticator like Duo or enhance the login security of this account in some way.</P> <P style="font-weight: 400;">Option2: To delete “Default local admin account”</P> <P style="font-weight: 400;">&nbsp;</P> <P style="font-weight: 400;">■Verification (Done)</P> <P style="font-weight: 400;">Option1:Paloalto claims that a local superuser account is not assigned&nbsp;to any form of external authentication service other than just password authentication on the firewall.</P> <P style="font-weight: 400;">This is to ensure that users can still access the firewall, in the event where the network or the authentication server goes down, and this will be the only local account to access the firewall.</P> <P style="font-weight: 400;">⇒It means that it is impossible to make “Default local admin account” synchronized with multi-factor authenticator.</P> <P style="font-weight: 400;">&nbsp;</P> <P style="font-weight: 400;">Option2:He tried to delete “Default local admin account” but it could not be carried out with the message “At least, one local Superuser needs to be defined in Administrators”.</P> <P style="font-weight: 400;">&nbsp;</P> <P style="font-weight: 400;">■What is the checking point in this issue to Paloalto？</P> <P style="font-weight: 400;">Regarding Option 1, Please confirm more to Paloalto if there are other ways to enhance authentication and security for this option 1.</P> <P style="font-weight: 400;">&nbsp;</P> Thu, 22 Dec 2022 10:03:03 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-set-2fa-to-local-superuser/m-p/524847#M108568 Purushotham 2022-12-22T10:03:03Z https://live.paloaltonetworks.com/t5/general-topics/how-to-set-2fa-to-local-superuser/m-p/524882#M108576 <P>Hello,</P> <P>Correct, the builtin or local accounts to the firewall are all stored on the firewall and do not use external means for authentication. Best option is to use the 'Minimum Password Complexity' and set the settings fairly high and tight. Here are the settings for the STIG, but the password lengths should be over 30 and randomly generated along with rotated.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OtakarKlier_0-1671736924169.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46360iE37699E7F3826841/image-size/medium?v=v2&amp;px=400" role="button" title="OtakarKlier_0-1671736924169.png" alt="OtakarKlier_0-1671736924169.png" /></span></P> <P>&nbsp;</P> <P>If you utilize the password change, make sure you do it prior to it needing to be changed or you could get locked out of it! Also if you use API passwords, these will also change when the passwords are changes/rotated.</P> <P>&nbsp;</P> <P>Regards,</P> Thu, 22 Dec 2022 19:23:06 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-set-2fa-to-local-superuser/m-p/524882#M108576 OtakarKlier 2022-12-22T19:23:06Z