Yesterday we noticed a line in the Monitor tab that made concerns:
But none of the administrator changed the password for user admin.
When checked the logs if this user has logged in on Monitor tab, there was no login with this username admin in front of this password change.
Could a commit or other system auto-commit make this log line?
Thanks in advance.
Device tab (or Panorama tab if using it) > Config Audit
At the bottom, compare the most recent config version before and after that log entry. If the password was changed, you should see an entry like:
If the phash value is the same, the password didn't actually change. If the password did change, then you'll need to take a closer look at the logs under Monitor > Configuration. The user who changed the password may have been logged in for quite a while or even via serial console. If you've got a console server connected to the device, check its logs as well to see who may have logged in.
@BPry @gwesson thanks for your reply.
The only admin password entry I can see in the ‘config audit’ was when I changed the password after we became aware of the log entry.
In the Configuration monitor logs there are no other entries for admin password change beside the one I did. To me it looks like a “false” entry, but why?
I notice that another admin have a configuration entry at the exact time as the admin password log entry:
Could this have somehow triggered the entry about the admin password change?
Generally an admin changing something wouldn't trigger a password change notice unless they modified the master key, in which case the phash value would change and you could see the notice as the password did change as far as the firewall is concerned.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!