12-22-2022 02:03 AM
Prerequisites
Currently, the user has two admin accounts.
The end user has to consider how to treat the “Default local admin account”.
As a result of this consideration, the following items are the options to deal with it:
Option 1: To make the “Default local admin account” synchronized with some authenticator like Duo, or to enhance the login security of this account in some way.
Option 2: To delete the “Default local admin account”
■Verification (Done)
Option 1: Palo Alto claims that a local superuser account is not assigned to any form of external authentication service other than just password authentication on the firewall.
This is to ensure that users can still access the firewall in the event that the network or the authentication server goes down, and this will be the only local account to access the firewall.
⇒ It means that it is impossible to make the “Default local admin account” synchronized with a multi-factor authenticator.
Option 2: He tried to delete the “Default local admin account”, but it could not be carried out; the message was “At least, one local Superuser needs to be defined in Administrators”.
■What is the checking point in this issue for Palo Alto?
Regarding Option 1, please confirm with Palo Alto whether there are other ways to enhance authentication and security for this option.
12-22-2022 11:23 AM
Hello,
Correct, the built-in or local accounts on the firewall are all stored on the firewall and do not use external means for authentication. The best option is to use 'Minimum Password Complexity' and set the settings fairly high and tight. Here are the settings for the STIG, but the password lengths should be over 30 and randomly generated, along with being rotated.
If you utilize the password change, make sure you do it prior to it needing to be changed or you could get locked out! Also, if you use API passwords, these will also change when the passwords are changed/rotated.
Regards,
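A worked example of the advice in the reply above, added here and not part of the thread or of any Palo Alto tooling: generate a long, random password for the local superuser that satisfies a complexity policy of the kind the reply describes, check any candidate password against that policy, and flag when rotation is due before the expiration window closes so the account is never locked out. The policy values (32-character minimum, two of each character class, expiry and warning periods), the username `admin` and the dates are assumptions for illustration, not PAN-OS defaults or STIG values.

```python
import secrets
import string
from datetime import date, timedelta

# Assumed example policy: illustrative values only, not PAN-OS defaults
# and not the STIG settings referred to in the reply.
POLICY = {
    "min_length": 32,        # reply recommends "over 30"
    "min_upper": 2,
    "min_lower": 2,
    "min_digits": 2,
    "min_special": 2,
    "block_repeated": True,   # no character may repeat consecutively
    "block_username": True,   # password must not contain the username
    "expiration_days": 90,    # assumed rotation period
    "warning_days": 7,        # rotate once inside this window
}

SPECIALS = "!@#$%^&*()-_=+[]{}:,.?"


def is_compliant(password, username, policy=POLICY):
    """Check a password against the policy; return (ok, list of failed rules)."""
    reasons = []
    if len(password) < policy["min_length"]:
        reasons.append("length")
    if sum(c.isupper() for c in password) < policy["min_upper"]:
        reasons.append("uppercase")
    if sum(c.islower() for c in password) < policy["min_lower"]:
        reasons.append("lowercase")
    if sum(c.isdigit() for c in password) < policy["min_digits"]:
        reasons.append("digits")
    if sum(not c.isalnum() for c in password) < policy["min_special"]:
        reasons.append("special")
    if policy["block_repeated"] and any(a == b for a, b in zip(password, password[1:])):
        reasons.append("repeated")
    if policy["block_username"] and username.lower() in password.lower():
        reasons.append("username")
    return (not reasons, reasons)


def generate_password(username, policy=POLICY):
    """Draw random candidates from a CSPRNG until one satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["min_length"]))
        ok, _ = is_compliant(candidate, username, policy)
        if ok:
            return candidate


def rotation_due(last_changed, today, policy=POLICY):
    """Return (due, days_left): due is True once the warning window is reached.

    Rotating inside the window, before expiry, avoids the lockout the reply
    warns about when the only local superuser's password lapses.
    """
    expires = last_changed + timedelta(days=policy["expiration_days"])
    days_left = (expires - today).days
    return (days_left <= policy["warning_days"], days_left)


if __name__ == "__main__":
    pw = generate_password("admin")
    print("generated:", pw, is_compliant(pw, "admin"))
    print("rotation:", rotation_due(date(2022, 9, 23), date(2022, 12, 22)))
```

Because the reply notes that API passwords change with the account password, a rotation run should also update whatever stores the API credential at the same time; the generator above only produces the secret, it does not push it anywhere.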