1) We have several PA-3020's running 6.0.1 in our organization with only a few admin user accounts which integrated with AD, so audit wants to know if we can delete the generic accounts like "admin" or "panorama"? Any negative implications to doing so?
2) We get a different list of users acccounts depending upon whether we use WebUI or CLI. The one difference is 'panorama' account shows in "show admins all" cli command, but not the GUI. Any need for concern here? what is that account's default password? We may want to check to ensure we don't have another access point into or Firewall environment.
We also use RADIUS for admin authentication and were informed you must have at least one local admin account. We were unable to find a way to delete this so asked about it. But I don't see this documented anywhere explicitly.
The panorama user you see cannot be used by humans, this is an automated account for the use by Panorama to make changes on the local device. This is created in the background when you join a device to Panorama and used by the system to perform the necessary configuration and commits from Panorama to the device.
Thanks for reply. I see several local accounts with superuser rights on our PA3020 (HA pair). From what I can tell, these are ‘local’ accounts, but use LDAP to authenticate when used to login to the PA (WebUI, SSH or XML API). I’m the IT Auditor, not the IT Firewall administrator, so I only have “superreader” privileges and have to enter my AD credentials to login into the webGUI. I am simply trying to understand why the generic ‘admin’ account is there. If password is only known/used by one person, then any accountability for its use would be known and understood. Looking to find out what is possible and what others are doing with regard to securing administrative access to their Palo Alto’s.
Let's say we delete the local 'admin' account and our AD server goes down. Then I understand NO ONE would be able to login to administer the FW and edit the setup to point it to a new AD server (of course we would have much bigger issues on our hands as well). And no one would be able to access our network resources thru the PA based on User-ID based policies tied to AD user groups (again... a big problem). I'll have to check and see if our 3rd party support provider may be using this account.
As to the second part of my question about the existance of an account called: panorama. Your response suggests that it's existance implies our PA is setup and feeding data to Panorama or was at one point in time. It wasn't my understanding we are were using Panorama at our company, to it may be a legacy account. Is it possible to to remove/delete this non-human account?
Anything else to add, let me know...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!