This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Has anyone gotten around being locked out of Panorama?

cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Has anyone gotten around being locked out of Panorama?

Go to solution
hkp
Not applicable

‎03-14-2013 09:24 AM

It appears that my passwords no longer work to get logged into Panorama.  It did have an unexpected shutdown and now I cannot login.  I found this: but it has been a few days since I restarted again.

Any other suggestions?

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
hkp
Not applicable

‎03-19-2013 07:41 AM

Well, support wasn't much help.  I was told to use the default admin username and password.  That did not work.

I was able to change the admin password by changing the phash value for the admin user in every xml file I could find.  Probably not a supported way of doing things, but I got back in.

If a panorama password recovery tool doesn't exist, maybe PaloAlto can try this and give me some credit.  Smiley Wink

View solution in original post

16 REPLIES 16

Go to solution
mharding
L4 Transporter

‎03-14-2013 09:32 AM

What version is your Panorama VM running?

0 Likes Likes

Go to solution
hkp
Not applicable
In response to mharding

‎03-14-2013 09:36 AM

5.0.2

I should have included it.

0 Likes Likes

Go to solution
mharding
L4 Transporter

‎03-14-2013 09:54 AM

Are you setup with just local accounts or are you also using authentication through RADIUS/Kerberos/LDAP?

0 Likes Likes

Go to solution
hkp
Not applicable
In response to mharding

‎03-14-2013 10:59 AM

Just local accounts.

0 Likes Likes

Go to solution
mharding
L4 Transporter
In response to hkp

‎03-14-2013 12:14 PM

This would be the first time I've heard of local accounts being locked out. Are you able to log in at the console?

At any rate, I would report this to Palo Alto Support.

Go to solution
hkp
Not applicable
In response to mharding

‎03-19-2013 07:28 AM

Thanks for help.

0 Likes Likes

Go to solution
hkp
Not applicable

‎03-19-2013 07:41 AM

Well, support wasn't much help.  I was told to use the default admin username and password.  That did not work.

I was able to change the admin password by changing the phash value for the admin user in every xml file I could find.  Probably not a supported way of doing things, but I got back in.

If a panorama password recovery tool doesn't exist, maybe PaloAlto can try this and give me some credit.  Smiley Wink

Go to solution
mschuricht
L4 Transporter
In response to hkp

‎03-19-2013 09:46 AM

Hmm, how were you able to alter the PHASH if you could not log into the Panorama?

0 Likes Likes

Go to solution
Quinton
L3 Networker
In response to hkp

‎03-19-2013 10:08 AM

What XML files are you referring to and where are they located?

0 Likes Likes

Go to solution
hkp
Not applicable
In response to mschuricht

‎03-19-2013 10:39 AM 

mschuricht wrote:




Hmm, how were you able to alter the PHASH if you could not log into the Panorama?

Live CD or mount the vmdk to another Linux VM you happen to have running.

0 Likes Likes

Go to solution
hkp
Not applicable
In response to Quinton

‎03-19-2013 10:47 AM 

quinton wrote:




What XML files are you referring to and where are they located?

On the pancfg volume (sda5) any xml file you can find with phash value in it.  I assume that I really only had to edit one, but it was just easier to find them all.  It is the same file you get when you export the config.

0 Likes Likes

Go to solution
mschuricht
L4 Transporter
In response to hkp

‎03-19-2013 11:09 AM

We are glad you were able to resolve the issue.

Editing the Panorama install files directly is a dangerous practice that is not supported or recommended. I would suggest talking to support before going down this avenue in the future. It is unfortunate we were unable to resolve this in your first call.

The admin could have been locked based on too many invalid login attempts. This can happen if the failed attempts limit is hit which can be set under Panorama > Setup > Authentication Settings the lockout period can also be set. To unlock the admins you can go to Panorama > Administrators and click the unlock link.

0 Likes Likes

Go to solution
mikand
L6 Presenter
In response to mschuricht

‎03-19-2013 11:31 AM

Ehm... if the admin is locked out from the Panorama - how do you expect the admin to then reach Panorama -> Administrators, or am I missing something here? 😉

0 Likes Likes

Go to solution
mschuricht
L4 Transporter
In response to mikand

‎03-19-2013 12:34 PM

It seems rare to only have a single user on the Panorama so the suggestion was an assumption that multiple admins existed.

Without multiple admins it sounds like a factory reset is the best option.

It seems like a few precautions may have made the failure recoverable. Eg. have unique admins for each person managing the security device, do not configure a failed attempt lockout with only one admin, configure a lockout time if you configure a failed attempt lockout and especially with only one admin, use scheduled config export to back up the Panorama config so it can be restored if a failure occurs, etc

0 Likes Likes
  • 1 accepted solution
  • 10872 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks