Possible to stop local account passwords syncing when in HA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Possible to stop local account passwords syncing when in HA

L0 Member

Hi All, 

 

We are currently in the process of roling out a Privielged Account Security platform to mange and rotate passwords across all of our devices. 

 

We have ran into a snag with the PAs because of the password sync when in HA...

 

Is there a way to disable the sync of passwords for local account allowing us to have independent passwords on each? 

 

The difficulty we have is when the password for device A is updated it will automatically update device B, but our privielged account platform will now be inconsistent and will report report errors when it tries to verify the password for device B...

 

Any help would be apprciated. 

4 REPLIES 4

Cyber Elite
Cyber Elite

local accounts are always synced to prevent mishaps, you could switch to 'remote' passwords (radius, ldap,... ) ?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

the only possibility for different local accounts on each HA member is when you configure them via Panorama in different templates.

 

--> User A is configured in Template A which is assinged to Firewall A

--> User B is configured in Template B which is assigned to Firewall B

Cyber Elite
Cyber Elite

@aldow93,

Maybe this is dumb but couldn't you just remove the passive device from your platform so that it only verified with the A device seeing as you know it'll be a mirror configuraiton on the B device? The passwords are sync'd specifically so you don't have to worry about them, any change you make on the active device will carry over to the passive so that you don't have to modify the password twice. 

The workarounds have already been mentioned but it seems like kind of a weird policy to enact on a HA device. 

L7 Applicator

The solution (/workaround) wasn't the only solution ...

  • if you comoletely manage the firewalls from panorama, you could disable the config sync completely and you then will be able to configure the local accounts independently on each firewall because panorama makes sure that the config on both nodes is in sync (as long as you properly configured templates and device groups)
  • If you expose the WebAPI or the CLI on a dataplane interface only for your account-management-server you could also treat every cluster as one device. Similar to the proposed solution of @BPry, but not exactly the same
  • 4364 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!