Disable User

L2 Linker

Disable User

Is it possible to disable a user (local account)? I don't see this option in the web gui, but thought it might be something that can be done using the cli. I need to be able to allow access for specific reasons at specific times and disable access when not needed. Changing the user's password each time is the only other option I can think of so far.

L4 Transporter

Re: Disable User

Sounds like you are looking for schedules?

You can set up a security policy that allows access and add a schedule to it so it is disabled (or enabled) at certain times. That way the policy is for that user/group of users and will only allow or disallow the access during a certain window that you have defined.

Details: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-schedule...

Hope this helps!

L2 Linker

Re: Disable User

I think scheduling might help, but it's not really what I'm after. I need to be able to enable/disable a local user account to allow/deny login to the firewall to perform administration tasks.

L4 Transporter

Re: Disable User

To be clear, you want an administrator account that is disabled until it is needed for a particular task? Another administrator (or API call, etc.) would enable that account to allow the task to be completed then disable it when done?

I do not know of a setting to disable an account, but you may be able to create an Admin Role that does not allow any access, and assign that to "disable" the account as needed.

L2 Linker

Re: Disable User

I think I have a solution. I created a bogus auth_profile with the domain set to a non-existent name and the allow list populated with only a non-matching bogus user. This seems to work.

L7 Applicator

Re: Disable User

Hi @mike406

Just keep this in mind: if you change something for an account that is already logged in - even if you delete the local account - this will not terminate the existing session. It only prevents new sessions.
