Has anyone gotten around being locked out of Panorama?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Has anyone gotten around being locked out of Panorama?

Not applicable

It appears that my passwords no longer work to get logged into Panorama.  It did have an unexpected shutdown and now I cannot login.  I found this: but it has been a few days since I restarted again.

Any other suggestions?

1 accepted solution

Accepted Solutions

Not applicable

Well, support wasn't much help.  I was told to use the default admin username and password.  That did not work.

I was able to change the admin password by changing the phash value for the admin user in every xml file I could find.  Probably not a supported way of doing things, but I got back in.

If a panorama password recovery tool doesn't exist, maybe PaloAlto can try this and give me some credit.  Smiley Wink

View solution in original post

16 REPLIES 16

L4 Transporter

What version is your Panorama VM running?

5.0.2

I should have included it.

L4 Transporter

Are you setup with just local accounts or are you also using authentication through RADIUS/Kerberos/LDAP?

Just local accounts.

This would be the first time I've heard of local accounts being locked out. Are you able to log in at the console?

At any rate, I would report this to Palo Alto Support.

Thanks for help.

Not applicable

Well, support wasn't much help.  I was told to use the default admin username and password.  That did not work.

I was able to change the admin password by changing the phash value for the admin user in every xml file I could find.  Probably not a supported way of doing things, but I got back in.

If a panorama password recovery tool doesn't exist, maybe PaloAlto can try this and give me some credit.  Smiley Wink

Hmm, how were you able to alter the PHASH if you could not log into the Panorama?

What XML files are you referring to and where are they located?

mschuricht wrote:

Hmm, how were you able to alter the PHASH if you could not log into the Panorama?

Live CD or mount the vmdk to another Linux VM you happen to have running.

quinton wrote:

What XML files are you referring to and where are they located?

On the pancfg volume (sda5) any xml file you can find with phash value in it.  I assume that I really only had to edit one, but it was just easier to find them all.  It is the same file you get when you export the config.

We are glad you were able to resolve the issue.

Editing the Panorama install files directly is a dangerous practice that is not supported or recommended. I would suggest talking to support before going down this avenue in the future. It is unfortunate we were unable to resolve this in your first call.

The admin could have been locked based on too many invalid login attempts. This can happen if the failed attempts limit is hit which can be set under Panorama > Setup > Authentication Settings the lockout period can also be set. To unlock the admins you can go to Panorama > Administrators and click the unlock link.

Ehm... if the admin is locked out from the Panorama - how do you expect the admin to then reach Panorama -> Administrators, or am I missing something here? 😉

It seems rare to only have a single user on the Panorama so the suggestion was an assumption that multiple admins existed.

Without multiple admins it sounds like a factory reset is the best option.

It seems like a few precautions may have made the failure recoverable. Eg. have unique admins for each person managing the security device, do not configure a failed attempt lockout with only one admin, configure a lockout time if you configure a failed attempt lockout and especially with only one admin, use scheduled config export to back up the Panorama config so it can be restored if a failure occurs, etc

  • 1 accepted solution
  • 9117 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!