<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Deny authorization request for '_telemtryuser' in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/deny-authorization-request-for-telemtryuser/m-p/1258515#M126714</link>
    <description>&lt;P&gt;&lt;SPAN&gt;The other night I got a system alert email with the following message (truncated for obvious reasons):&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN&gt;type: SYSTEM&lt;BR /&gt;subtype: general&lt;BR /&gt;&lt;/SPAN&gt;&lt;SPAN&gt;module: general&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;severity: high&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;opaque: Deny the authorization request for the admin user thru CLI, '__telemetryuser' from 'Console or telnet'&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;I found the article regarding the existence of _telemetryuser (&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000fyZnKAI" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000fyZnKAI&lt;/A&gt;). However I'm confused as to why this account needs the&amp;nbsp;&lt;STRONG&gt;Device Administrator&lt;/STRONG&gt; role and not something more restrictive such as &lt;STRONG&gt;Device Administrator (Read-Only)&lt;BR /&gt;&lt;BR /&gt;&lt;/STRONG&gt;From what I've also gathered is that many people have been able to remove the account with little to no impact to their own environment but I'm weary to remove it from my firewalls. Does anyone know how this account is utilized to send the telemetry data back to Palo Alto Networks? How are its credentials secured? I feel like this account is just a potential vector for bad actors.&lt;/P&gt;</description>
    <pubDate>Wed, 08 Jul 2026 15:54:45 GMT</pubDate>
    <dc:creator>P.Betts</dc:creator>
    <dc:date>2026-07-08T15:54:45Z</dc:date>
    <item>
      <title>Deny authorization request for '_telemtryuser'</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/deny-authorization-request-for-telemtryuser/m-p/1258515#M126714</link>
      <description>&lt;P&gt;&lt;SPAN&gt;The other night I got a system alert email with the following message (truncated for obvious reasons):&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN&gt;type: SYSTEM&lt;BR /&gt;subtype: general&lt;BR /&gt;&lt;/SPAN&gt;&lt;SPAN&gt;module: general&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;severity: high&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;opaque: Deny the authorization request for the admin user thru CLI, '__telemetryuser' from 'Console or telnet'&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;I found the article regarding the existence of _telemetryuser (&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000fyZnKAI" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000fyZnKAI&lt;/A&gt;). However I'm confused as to why this account needs the&amp;nbsp;&lt;STRONG&gt;Device Administrator&lt;/STRONG&gt; role and not something more restrictive such as &lt;STRONG&gt;Device Administrator (Read-Only)&lt;BR /&gt;&lt;BR /&gt;&lt;/STRONG&gt;From what I've also gathered is that many people have been able to remove the account with little to no impact to their own environment but I'm weary to remove it from my firewalls. Does anyone know how this account is utilized to send the telemetry data back to Palo Alto Networks? How are its credentials secured? I feel like this account is just a potential vector for bad actors.&lt;/P&gt;</description>
      <pubDate>Wed, 08 Jul 2026 15:54:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/deny-authorization-request-for-telemtryuser/m-p/1258515#M126714</guid>
      <dc:creator>P.Betts</dc:creator>
      <dc:date>2026-07-08T15:54:45Z</dc:date>
    </item>
    <item>
      <title>Re: Deny authorization request for '_telemtryuser'</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/deny-authorization-request-for-telemtryuser/m-p/1258525#M126719</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/877180215"&gt;@P.Betts&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="PDq2pG_selectionAnchorContainer" data-end="486" data-start="114"&gt;The way Telemetry works is that the internal account executes specific CLI commands and accesses internal data sources, such as log files, before aggregating the data that gets sent to Palo Alto Networks. That is why it needs more than read-only access. It needs the required privileges to kick off the Telemetry collection process and gather the needed diagnostic output.&lt;/P&gt;
&lt;P class="PDq2pG_selectionAnchorContainer" data-end="486" data-start="114"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-end="793" data-start="488"&gt;If you do not care about Telemetry, then yes, you can disable it. However, if Telemetry is still enabled, the telemetry admin account will be recreated during the next reboot or autocommit. If you disable Telemetry and then remove the account, you should not have to worry about it being recreated.&lt;/P&gt;
&lt;P data-end="938" data-start="795"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-is-only-node="" data-is-last-node="" data-end="1139" data-start="940"&gt;The account is internal and dedicated solely to telemetry collection, not general administrative access. Also, the telemetry data itself does not collect PII, identifiable IP addresses, or usernames.&lt;/P&gt;</description>
      <pubDate>Wed, 08 Jul 2026 18:43:04 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/deny-authorization-request-for-telemtryuser/m-p/1258525#M126719</guid>
      <dc:creator>JayGolf</dc:creator>
      <dc:date>2026-07-08T18:43:04Z</dc:date>
    </item>
  </channel>
</rss>

