Local Administrator Password Change Triggers a Commit Lock

21982

Created On 09/26/18 13:49 PM - Last Modified 06/15/23 21:24 PM

Device Management

Initial Configuration

Installation

QoS

Zone and DoS Protection

PAN-OS

Next-Generation Firewall

Environment

Palo Alto Firewall.
Any PAN-OS.

Cause

Changing the local administrator's password changes the configuration. The password hash is part of the configuration. If the user decides to diff the configuration the phash field has changed. The password change takes effect immediately, but on each commit, linux passwords are updated from the phash value. Users can change passwords and have them take effect in templates or HA.

Resolution

Overview

With the 'Automatically Acquire Commit Lock' option checked, changing the password of a local administrator without a commit operation triggers a commit lock. See the following example.

Steps

Create a local administrator, a superuser.
Username: abc
Password: abc
Make sure the 'Automatically Acquire Commit Lock' option is checked under GUI: Device > Setup > Management > General Settings.
Commit the configuration.
Login into the device with an administrator other than ''abc.'' Login using admin/admin for credentials.
Change the password for username 'abc' to xyz and click OK, but do not commit.
Open a different browser and log into the firewall using these credentials:
username: abc
password: xyz <<< new password

Note: The administrator will be able to successfully login using the new password 'xyz'.

Follow the steps below to remove the commit lock:

Click on the lock icon:
In the window that appears, select "admin" and click on "remove lock" at the bottom and then click on "OK"
Commit the changes.