Disable User

L2 Linker

Is it possible to disable a user (local account)? I don't see this option in the web GUI, but thought it might be something that can be done using the CLI. I need to be able to allow access for specific reasons at specific times and disable access when not needed. Changing the user's password each time is the only other option I can think of so far.

11 REPLIES 11

L4 Transporter

Sounds like you are looking for schedules?

 

You can set up a security policy that allows access and add a schedule to it so it is disabled (or enabled) at certain times. That way the policy is for that user/group of users and will only allow or disallow the access during a certain window that you have defined.

 

Details: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-schedule...

 

 

Hope this helps!

I think scheduling might help, but it's not really what I'm after. I need to be able to enable/disable a local user account to allow/deny login to the firewall to perform administration tasks.

To be clear, you want an administrator account that is disabled until it is needed for a particular task? Another administrator (or API call, etc.) would enable that account to allow the task to be completed, then disable it when done?

 

I do not know of a setting to disable an account, but you may be able to create an Admin Role that does not allow any access, and assign that to "disable" the account as needed.

I think I have a solution. I created a bogus auth_profile with the domain set to a nonexistent name and the allow list populated with only a non-matching bogus user. This seems to work.

Hi @mike406

 

Just keep this in mind: if you change something for an account that is already logged in - even if you delete the local account - this will not terminate the existing session. It only prevents new sessions.

This is no longer the case.  If you make a change to a local admin while they are logged in, they are forced to reauthenticate.

PCNSE, PCNSC, CyberForce

Cyber Elite

Hi Mike,

 

  1. You can create a local user (not a local administrator) under Device > Local User Database > Users.  That user has an Enable check box.
  2. Then create an authentication profile that points to the local users.
  3. Then create an admin with the same name and point it to the local authentication profile.

Then you can enable and disable at will.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Doesn't that force the user to use credentials stored in the DB rather than certificates?

PCNSE, PCNSC, CyberForce

Cyber Elite

Hi @Jason_Lieberman ,

 

I don't see anywhere where @mike406 talked about certificates.  He mentioned local passwords.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L2 Linker

I wasn't trying to debate you.  I was just trying to get clarification.

PCNSE, PCNSC, CyberForce

Cyber Elite

Oh!  That's cool.

 

I was trying to figure out if it applied to the thread.

Help the community: Like helpful comments and mark solutions.
  • 6830 Views
  • 11 replies
  • 0 Likes