Hmm, how were you able to alter the PHASH if you could not log into the Panorama?
Live CD or mount the vmdk to another Linux VM you happen to have running.
What XML files are you referring to and where are they located?
On the pancfg volume (sda5) any xml file you can find with phash value in it. I assume that I really only had to edit one, but it was just easier to find them all. It is the same file you get when you export the config.
We are glad you were able to resolve the issue.
Editing the Panorama install files directly is a dangerous practice that is not supported or recommended. I would suggest talking to support before going down this avenue in the future. It is unfortunate we were unable to resolve this in your first call.
The admin could have been locked based on too many invalid login attempts. This can happen if the failed attempts limit is hit which can be set under Panorama > Setup > Authentication Settings the lockout period can also be set. To unlock the admins you can go to Panorama > Administrators and click the unlock link.
Ehm... if the admin is locked out from the Panorama - how do you expect the admin to then reach Panorama -> Administrators, or am I missing something here? ;-)
It seems rare to only have a single user on the Panorama so the suggestion was an assumption that multiple admins existed.
Without multiple admins it sounds like a factory reset is the best option.
It seems like a few precautions may have made the failure recoverable. Eg. have unique admins for each person managing the security device, do not configure a failed attempt lockout with only one admin, configure a lockout time if you configure a failed attempt lockout and especially with only one admin, use scheduled config export to back up the Panorama config so it can be restored if a failure occurs, etc
I did have multiple admins, none were able to log in. Failed attempts and lockout time were/are not configured. I agree with the precautions, and followed all but the scheduled export. I am working on setting that up now since I could have started with a new appliance and pushed my configuration to it. I also agree that is a better plan than what I resorted to.
Along time ago (PAN-OS 2) I was having problems with a config, one of the Palo Alto Engineers was able to login as root on my 2050 and alter the running-config file. That's interesting if that same functionality doesn't exist in Panorama.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!