How to set 2FA to local superuser

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

How to set 2FA to local superuser

L2 Linker


Currently,  user has two admin accounts.

  1. Default local admin account(Superuser)
  2. New local admin account synchronized with Cisco Duo(Superuser)

End user has to consider how to treat “Default local admin account”.

As a result of consideration, the following items are the options to deal with it:

Option1: To make “Default local admin account” synchronized with some authenticator like Duo or enhance the login security of this account in some way.

Option2: To delete “Default local admin account”


■Verification (Done)

Option1:Paloalto claims that a local superuser account is not assigned to any form of external authentication service other than just password authentication on the firewall.

This is to ensure that users can still access the firewall, in the event where the network or the authentication server goes down, and this will be the only local account to access the firewall.

⇒It means that it is impossible to make “Default local admin account” synchronized with multi-factor authenticator.


Option2:He tried to delete “Default local admin account” but it could not be carried out with the message “At least, one local Superuser needs to be defined in Administrators”.


■What is the checking point in this issue to Paloalto?

Regarding Option 1, Please confirm more to Paloalto if there are other ways to enhance authentication and security for this option 1.



Cyber Elite
Cyber Elite


Correct, the builtin or local accounts to the firewall are all stored on the firewall and do not use external means for authentication. Best option is to use the 'Minimum Password Complexity' and set the settings fairly high and tight. Here are the settings for the STIG, but the password lengths should be over 30 and randomly generated along with rotated.



If you utilize the password change, make sure you do it prior to it needing to be changed or you could get locked out of it! Also if you use API passwords, these will also change when the passwords are changes/rotated.



  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!