- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-08-2026 08:54 AM
The other night I got a system alert email with the following message (truncated for obvious reasons):
type: SYSTEM
subtype: general
module: general
severity: high
opaque: Deny the authorization request for the admin user thru CLI, '__telemetryuser' from 'Console or telnet'
I found the article regarding the existence of _telemetryuser (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000fyZnKAI). However I'm confused as to why this account needs the Device Administrator role and not something more restrictive such as Device Administrator (Read-Only)
From what I've also gathered is that many people have been able to remove the account with little to no impact to their own environment but I'm weary to remove it from my firewalls. Does anyone know how this account is utilized to send the telemetry data back to Palo Alto Networks? How are its credentials secured? I feel like this account is just a potential vector for bad actors.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!

