I'm a PA noob who has recently just transitioned to a team that has a pretty heavy backlog. sorting through it, I see another team has requested that we remove local admin accounts from our firewalls. to my knowledge, the only local accounts on any of the FWs is the default account, with all admins authenticating using AD.
I understand the possible security risks of having a local admin, but not having any backup to networked AAA services sounds really dumb to me. some vendors won't even permit you to run without local credentials.
does PanOS even permit you to run without a local admin, default or otherwise?
is there any difference between a VM and dedicated appliance? we run both.
any answers or documentation you could provide would be much appreciated.
Why would you ever want to remove any local admin account from your firewalls? If your AAA servers are down you couldn't login, if you made a mistake and severed communication to the box you couldn't login, the upstream network is down you can't login. Sounds like an incompetent security department not thinking through the actual repercussions of what they're requesting.
Regardless, you can't actually do this in PAN-OS. You need at least one superuser account active in the administrators group to prevent people from doing exactly what your other group is asking.
you're preaching to the choir, as long as your physical security is in place, and you've safeguarded local admin credentials, a local admin is part of good BCP/DRP design. I had to shake my head a little on that one. do you have access to any documentation that I can reference?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!