topic Re: Disable User in General Topics

Disable User

mike406 — Wed, 28 Mar 2018 14:48:33 GMT

Is it possible to disable a user (local account)? I don't see this option in the web gui, but thought it might be something that can be done using the cli. I need to be able to allow access for specific reasons at specific times and disable access when not needed. Changing the user's password each time is the only other option I can think of so far.

Re: Disable User

hshawn — Wed, 28 Mar 2018 16:27:06 GMT

Sounds like you are looking for schedules?

You can setup a security policy that allows access and add a schedule to it so it is disabled (or enabled) at certain times. that way the policy is for that user/group of useres and will only allow or disallow the access during a certain window that you have defined.

Details: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-schedules

Hope this helps!

Re: Disable User

mike406 — Thu, 29 Mar 2018 15:00:09 GMT

I think scheduling might help, but it's not really what I'm after. I need to be able to enable/disable a local user account to allow/deny login to the firewall to perform administration tasks.

Re: Disable User

JoeAndreini — Thu, 29 Mar 2018 15:14:08 GMT

To be clear, you want an administrator account that is disabled until it is needed for a particular task? Another administrator (or api call, etc) would enable that account to allow the task to be completed then disable it when done?

I do not know of a settign to disable an account, but you may be able to create an Admin Role that does not allow any access, and assign that to "disable" the account as needed.

Re: Disable User

mike406 — Thu, 29 Mar 2018 15:34:59 GMT

I think I have a solution. I created a bogus auth_profile with the domain set to a non-existant name and the allow list populated with only a non-matching bogus user. This seems to work.

Re: Disable User

Remo — Thu, 29 Mar 2018 15:46:57 GMT

Hi @mike406

Just keep this in mind: if you change something for an account that is already logged in - even if you delete the local account - this will not terminate the existing session. It only prevents new sessions.

Re: Disable User

Jason_Lieberman — Thu, 25 May 2023 14:28:27 GMT

This is no longer the case. If you make a change to a local admin while they are logged in, they are forced to reauthenticate.

Re: Disable User

TomYoung — Thu, 25 May 2023 20:43:30 GMT

Hi Mike,

You can create a local user (not a local administrator) under Device > Local User Database > Users. That user has an Enable check box.
Then create an authentication profile that points to the local users.
Then create an admin with the same name and point it to the local authentication profile.

Then you can enable and disable at will.

Thanks,

Tom

Re: Disable User

Jason_Lieberman — Thu, 25 May 2023 20:49:59 GMT

Doesn't that force the user to use credentials stored in the DB rather than certificates?

Re: Disable User

TomYoung — Thu, 25 May 2023 21:23:43 GMT

Hi @Jason_Lieberman ,

I don't see anywhere where @mike406 talked about certificates. He mentioned local passwords.

Thanks,

Tom

Re: Disable User

Jason_Lieberman — Thu, 25 May 2023 21:57:59 GMT

I wasn't trying to debate you. I was just trying to get clarification.

Re: Disable User

TomYoung — Thu, 25 May 2023 22:51:23 GMT

Oh! That's cool.

I was trying to figure out if it applied to the thread.