topic Re: Disable Admin Accounts in General Topics

Disable Admin Accounts

mark_dy — Fri, 06 Jun 2014 18:03:00 GMT

Is there a way to disable FW admin accounts? Let's say we have a situation where we have consultants who come on site and we only want to enable their access for certain periods of time and then disable them after the engagement is complete. Is this possible?

I tried creating a custom role with no access, but it wouldn't let me commit.

PANOS 5.0.x

Thanks!

Re: Disable Admin Accounts

jcostello — Fri, 06 Jun 2014 18:26:19 GMT

A couple of options as its not possible to disable an account on the PA itself

Change the password on the account after the consultants leave
Configure either Kerberos or LDAP authentication for the account and disable the account there

I typically recommend number two since it does not require a commit on the firewall to change the password.

Re: Disable Admin Accounts

jcostello — Fri, 06 Jun 2014 19:39:58 GMT

Meant to include the link to this article in my prior response

Using LDAP to Authenticate to the WebUI

RADIUS can also be used for WebUI authentication

Configuring Read-only Admin Access with RADIUS Running on Win2008 and Cisco ACS 5.2

Configuring Administrator Authentication with Windows 2008 RADIUS Server (NPS/IAS)

How to define Access Domains for Administrators

Re: Disable Admin Accounts

jwolach — Mon, 09 Jun 2014 12:36:41 GMT

There's also a third option if you don't want to create an account in AD for your contractor.

Create a local user on the FW (see screenshot) and add that local user to the Administrators list with the role you want them to have. When the contractor's engagement is complete, just uncheck the Enable box under the local user account (see screenshot).

Re: Disable Admin Accounts

jcostello — Mon, 09 Jun 2014 13:29:13 GMT

That still requires a commit on the Palo Alto to disable the account