Hidden Administrator accounts in Panorama

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Hidden Administrator accounts in Panorama

L1 Bithead

Hello everyone,

I just wanted to commit some changes to our panorama configuration and noticed, that a new user with the name "__vm_series" was added in the commit changes as a full panorama-admin. Curiously, that user was hidden in the web-gui under Panorama -> Administrators. This was among some changes around adding new firewalls, so my best guess is that this user was added automatically somewhere around that process. BTW: We're running Panorama on 10.2.5 with the vm-series plugin 3.0.5 installed.

 

Testing the impact of this discovery, I discarded the changes and created that user manually and sure enough, it isn't listed, but I can log it in on the web gui. For obvious reasons, having users with administrative access set up and working, but hidden is a serious problem in our security posture.

 

So, questions for the community and any PANW staff wandering by:

1. Is this whole thing documented somewhere? (I couldn't find anything)

2. What is this administrator used for?

3. Why is that administrator hidden?

4. Under which conditions are administrator accounts hidden from view? / What other hidden users are there?

5. How can we turn this behavior off?

 

Cheers

8 REPLIES 8

L1 Bithead

Do you only have local authentication enabled? No RADIUS, SAML, LDAP or kerberos authentication methods? Admins from external authentication won't be listed in the local admin list, but will show up in the logs. How are you logging in as the user if you don't know the password?

Hi, Jessica

Thank you for your reply!

 

All regular "People" accounts are using Radius, but they're all set up locally under "Panorama -> Administrators" and set with a Radius Authentication-Profile. I suspect you're referring to the default Authentication profile set up under "Panorama -> Setup -> Management -> Authentication Settings". If you set an authentication profile there, Panorama (or any PanOS device, really) authenticates anyone it doesn't locally know as long as that authentication succeeds. However, we don't use that. Every administrator that can login is set up under "Panorama -> Administrators".

 

The situation I'm investigating goes as far as me going to Panorama -> Administrators, clicking "Add", setting up that admin and upon hitting "Save", I see the new user for a split-second in the list before it just disappeared. It worked perfectly fine after committing the change and did show up in the running-config.xml when I downloaded and examined that, but the GUI did not show it. Consequently, it's also not that easy to delete it. I was able to simply revert my change, but if you were to find this long after, you'd have to download the running config, remove the user from the xml, upload the changed file and load-commit that.

L0 Member

I wonder if you got a response from Palo Alto about this system user. I'm seeing the same on our virtual appliance Panorama and we need to justify every user/admin that shows up in panorama. In my case, I see this admin show up when I perform "show admins all" from the CLI"

Yeah, so... I asked our account team about it and got absolutely nothing back.

So, I eventually ran this with psirt and also didn't hear anything back for months 😶.

 

Eventually, upon query, I got the following response from Psirt:

"The behavior you described in your report is intended: the `__vm_series` user is created and used by the vm_series plugin. The engineering team indicated that while the user is hidden from the web user interface, it should be visible via the command line interface ("show admins all" command). The engineering team was also able to confirm that when actions are taken by this user, such as in the scenario you described with replacing the password hash in the config file, a system log will be generated. Additionally, if the vm_series plugin modifies the configuration using this user, a configuration log will be generated.".

 

Hope that gives you some kind of closure.

L1 Bithead

Checking the CLI on my Panorama I see our expected local administrator user and the following accounts that don't show up in the UI:
admin
__cloud_services
__vm_series
__ztp
__cloudconnector
I'm going to guess that all accounts starting with __ are some sort of hidden service accounts. ZTP and Cloudconnector/Cloudservices are likely related to the Prisma services and data lake, as well as the ZTP functionality added around 9.1.4. I'd have to guess that the vm_series  is similar, possibly tied into the VM plugin functions for graceful shutdowns and such, but it would be nice if Palo had some information about these service users disclosed.

- Some sort of information about what functions/services these serve, verification they're expected, etc.
- Are they limited in any ways or are they full admin accounts?

- Are the passwords the same for the service on every Palo, or are they unique per system?
- Can they be logged into at all, or are they restricted from CLI or web authentication?

L0 Member

Thanks for providing that response @Markus_B , I couldn't seem to find any information on the account anywhere, so that's really helpful.

 

I agree with those points you raised @jessica-davis. Would be great to have information on service accounts that suddenly show up in reports after an upgrade or a new service is added.

 

Hi Jessica,

 

the little "playing around" I've done in our Panorama told me, that these are full admin accounts. I could even see the vm_series user appear and disappear when I installed and removed the VM-Series plugin.

As for what the password is, I haven't played around with it too much, but it was assigned automatically. Since Palo Alto says they're the coolest kid on the block, I assume that this password is also a strong and randomly chosen one. However, since it uses local credentials, the password hash is contained in any config export you make and you can absolutely change it on an exported config and re-import and load it into Panorama. That way I was able to give it a password that I know and could login as that user just fine.

Oh, and of course you can create that user BEFORE installing the VM-Series plugin. That'll get you there too. The __vm_series user should simply disappear from the GUI at that point.

  • 3258 Views
  • 8 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!