This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

are you permitted to remove all local admin accounts pan-OS 9.1 or higher?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

are you permitted to remove all local admin accounts pan-OS 9.1 or higher?

S_Hiebert
L1 Bithead

‎02-09-2022 12:09 PM

hello all,

I'm a PA noob who has recently just transitioned to a team that has a pretty heavy backlog. sorting through it, I see another team has requested that we remove local admin accounts from our firewalls. to my knowledge, the only local accounts on any of the FWs is the default account, with all admins authenticating using AD. 

I understand the possible security risks of having a local admin, but not having any backup to networked AAA services sounds really dumb to me. some vendors won't even permit you to run without local credentials. 
does PanOS even permit you to run without a local admin, default or otherwise? 

is there any difference between a VM and dedicated appliance? we run both. 

 

any answers or documentation you could provide would be much appreciated. 

You cant believe everything you see on the internet- Benjamin Franklin
2 REPLIES 2

BPry
Cyber Elite
Cyber Elite

‎02-09-2022 07:28 PM

@S_Hiebert,

Why would you ever want to remove any local admin account from your firewalls? If your AAA servers are down you couldn't login, if you made a mistake and severed communication to the box you couldn't login, the upstream network is down you can't login. Sounds like an incompetent security department not thinking through the actual repercussions of what they're requesting.

Regardless, you can't actually do this in PAN-OS. You need at least one superuser account active in the administrators group to prevent people from doing exactly what your other group is asking. 

S_Hiebert
L1 Bithead

‎02-10-2022 07:02 AM

you're preaching to the choir, as long as your physical security is in place, and you've safeguarded local admin credentials, a local admin is part of good BCP/DRP design. I had to shake my head a little on that one. do you have access to any documentation that I can reference? 

You cant believe everything you see on the internet- Benjamin Franklin
0 Likes Likes
  • 2057 Views
  • 2 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks