About PankajDhobe

HI @Astardzhiev Thanks for you support.   I had raised the case with Palo Alto TAC. TAC engineer took the root access of firewall by using below commands   >debug tac-login challenge (Receive an output and TAC engineer coped it)   >debug tac-login response. (After that entered the response generated for above challenge )   After that deleted the user name from the password change database of both(active and passive) PA firewall.   Please, find the PA TAC call summery for more details.   ================================================= Thanks for your time on call. A quick recap of the zoom meeting : 1. Firewall was prompting for password change for TACACS user "ITsupport". In the past, you had the same local username on the firewall which is now deleted. 2. We took root access of the firewall and removed the below problematic usernames from lastpwchange & pwchangerequired SQL database. #Troubleshooting commands: [root@yyyy~]# sqlite3 /opt/pancfg/mgmt/global/db/loginhistory.db SQLite version 3.6.12 Enter ".help" for instructions Enter SQL statements terminated with a ";" sqlite> .schema CREATE TABLE gracelogin(name varchar, start datetime, count integer); CREATE TABLE lastpwchange(name varchar, dt datetime); CREATE TABLE loginhistory(name varchar, dt datetime, status integer, client varchar); CREATE TABLE pwchangerequired(name varchar, pwchanged integer); sqlite> sqlite> select * from lastpwchange; sqlite> delete from lastpwchange where name='xxxx'; sqlite> select * from pwchangerequired; sqlite> delete from pwchangerequiredwhere name='xxxx'; sqlite> .quit : [root@yyyy~]# exit logout 3. After the above changes we were able to log in to the Active firewall with "ITsupport" TACACS account. Repeated same process for passive firewall. Per your confirmation, this ticket will now be closed. It was my pleasure assisting you with this case. After that issue has been resolved Tacacs user was successfully able to login to the PA firewall.   ================================================ ... View more

Please, find answers to your questions;   - Have you configured authentication profile that is using the TACACS server? => Yes, we have configurd Authetication profile that is using TACACS Server   - Have you configured that auth profile to be used for admin access - Device -> Management -> Authentication Settings => Yes, we have configured Auth profile to be used for admin access.   - Or you have configured the users locally and each user is configured with tacacs auth profile? => No, we have not configured user locally with Tacacs auth profile attached.   - What VSA have you configured on your server? => As discussed with customer, VSA is not configured.    - Do you have duplication between local and tacacs usernames? => We had Tacacs user as "ITsupport" and local user  as "itsupport". But we have removed local user with same name still there is issue. ... View more

While configuring HIP object we have found that below mentioned Antivirus are not available for configuring in HIP object. Kindly check,   Kaspersky cloud security Seqrite endpoint security       ... View more

Configuration commited successfully when secondary was active.   But while pushing configuration to the device group, it was taking longer time. Stuck  at 50% for few device group and for some, commit was showing at 0% for 4 to 5 minutes, after that percentage started increasing. So total duration to push is in between 10 to 15 minutes   But when primary was active configuration was pushed within less time about 2 to 3 minutes.   If it is known issue, please let me share your suggestion.   ... View more