We are currently in the process of rolling out a Privileged Account Security platform to manage and rotate passwords across all of our devices.
We have run into a snag with the PAs because of the password sync when in HA...
Is there a way to disable the sync of passwords for local accounts, allowing us to have independent passwords on each?
The difficulty we have is when the password for device A is updated, it will automatically update device B, but our privileged account platform will now be inconsistent and will report errors when it tries to verify the password for device B...
Any help would be appreciated.
Local accounts are always synced to prevent mishaps; you could switch to 'remote' passwords (RADIUS, LDAP, ...)?
The only possibility for different local accounts on each HA member is when you configure them via Panorama in different templates.
--> User A is configured in Template A which is assigned to Firewall A
--> User B is configured in Template B which is assigned to Firewall B
Maybe this is dumb, but couldn't you just remove the passive device from your platform so that it only verified with the A device, seeing as you know it'll be a mirror configuration on the B device? The passwords are sync'd specifically so you don't have to worry about them; any change you make on the active device will carry over to the passive so that you don't have to modify the password twice.
The workarounds have already been mentioned, but it seems like kind of a weird policy to enact on an HA device.
The solution (/workaround) wasn't the only solution ...