topic Re: Can 'admin' account be deleted? in General Topics

Can 'admin' account be deleted?

jcampbell01 — Fri, 13 Feb 2015 18:10:01 GMT

1) We have several PA-3020's running 6.0.1 in our organization with only a few admin user accounts which integrated with AD, so audit wants to know if we can delete the generic accounts like "admin" or "panorama"? Any negative implications to doing so?

2) We get a different list of users acccounts depending upon whether we use WebUI or CLI. The one difference is 'panorama' account shows in "show admins all" cli command, but not the GUI. Any need for concern here? what is that account's default password? We may want to check to ensure we don't have another access point into or Firewall environment.

Re: Can 'admin' account be deleted?

pulukas — Sat, 14 Feb 2015 13:19:43 GMT

We also use RADIUS for admin authentication and were informed you must have at least one local admin account. We were unable to find a way to delete this so asked about it. But I don't see this documented anywhere explicitly.

The panorama user you see cannot be used by humans, this is an automated account for the use by Panorama to make changes on the local device. This is created in the background when you join a device to Panorama and used by the system to perform the necessary configuration and commits from Panorama to the device.

Re: Can 'admin' account be deleted?

mmmccorkle — Sat, 14 Feb 2015 20:22:11 GMT

Jcampbell01,

In addition to what was mentioned above, last time I checked, we are unable to remove these default accounts.

Thanks!

Please do not forget to mark and 'Helpful' or 'Correct' replies.

Re: Can 'admin' account be deleted?

emr_1 — Mon, 16 Feb 2015 05:58:28 GMT

If you want to delete "admin", please create new admin, for example "admin2".

Then log-out from "admin", and log-in with new account.

You can delete "admin" by "admin2".

Please be careful, you should prepare at least one superuser account just in case.

Re: Re: Can 'admin' account be deleted?

jcampbell01 — Mon, 16 Feb 2015 15:27:38 GMT

Thanks for reply. I see several local accounts with superuser rights on our PA3020 (HA pair). From what I can tell, these are ‘local’ accounts, but use LDAP to authenticate when used to login to the PA (WebUI, SSH or XML API). I’m the IT Auditor, not the IT Firewall administrator, so I only have “superreader” privileges and have to enter my AD credentials to login into the webGUI. I am simply trying to understand why the generic ‘admin’ account is there. If password is only known/used by one person, then any accountability for its use would be known and understood. Looking to find out what is possible and what others are doing with regard to securing administrative access to their Palo Alto’s.

Let's say we delete the local 'admin' account and our AD server goes down. Then I understand NO ONE would be able to login to administer the FW and edit the setup to point it to a new AD server (of course we would have much bigger issues on our hands as well). And no one would be able to access our network resources thru the PA based on User-ID based policies tied to AD user groups (again... a big problem). I'll have to check and see if our 3rd party support provider may be using this account.

As to the second part of my question about the existance of an account called: panorama. Your response suggests that it's existance implies our PA is setup and feeding data to Panorama or was at one point in time. It wasn't my understanding we are were using Panorama at our company, to it may be a legacy account. Is it possible to to remove/delete this non-human account?

Anything else to add, let me know...

Thanks,

Joe

Re: Can 'admin' account be deleted?

pchouhan — Wed, 17 Jun 2026 08:28:33 GMT

Hi jcampbell01,

>> It is a security best practice and recommended to replace and delete the default 'admin' account on your Palo Alto Networks firewall or Panorama device. This is because the username "admin" is widely known, making it a common target for unauthorised access attempts.

>> Provided that the necessary precautions are taken, deleting the default 'admin' account generally has no adverse operational impact on GUI or CLI access, existing configurations, scheduled tasks, or system processes.

>> The system requires at least one local superuser account for recovery purposes. This is crucial in scenarios such as authentication failures, network outages, or certificate expiry, where external authentication services might be unavailable. Attempting to delete the 'admin' user if it is the only local superuser account will result in an error.

>> Certain sensitive system-level operations (e.g., shutdown, reboot, maintenance, recovery) are intentionally reserved for locally authenticated Superuser accounts to ensure device recoverability and availability independent of external identity services.

>> After deleting the default 'admin' account, you might observe frequent "Authorisation failed for user admin via Web from 127.0.0.1: Invalid user" messages in the system logs. These messages are cosmetic and do not indicate an operational impact or security vulnerability.

>> If you encounter the above, to prevent these specific log messages, an alternative to outright deletion is to create a custom role with no permissions, re-create the 'admin' user, and assign that restrictive role to it.

Re: Can 'admin' account be deleted?

reaper — Wed, 17 Jun 2026 09:12:43 GMT

you can absolutely delete the default account, just don't try to delete it while you're logged in with it

1. make a new superuser admin account

2. commit

3. log out and log in with the new superuser, delete the 'admin' account