Good day Team Members,
I have a very strange issue with a single PA-220 Active firewall that does not update a local admin user via the Panorama.
The Active Firewall uses the older password to log in locally, but the Passive updates the Password push via Panorama.
The FW PANOS is 10.1.6-h6. It's only this single firewall among all firewalls that is having this strange issue.
Rebooted the Firewall, same issue
Restarted the Management Plane, same issue
Used the cli set mgt-svrr (also removing the template override) to reset password, same issue
Any expert ideas are much appreciated
Regards
Kamlin
Good Day,
Upon upgrading the firewall from 10.1.6-h6 to 10.2.3-h2, this seems to have fixed the issue on the Active firewall; in the system logs we can see it corrected the local user/administrator account.
Also, we noticed a bug for Panorama PANOS 10.2.3-h2: unable to download Panorama config bundle. Palo Alto posted this below:
Exporting Panorama and devices config bundle fails with an error "Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied) Attempt to redirect error to appweb3-panmodule.log." (paloaltonetworks.com)
Symptom
· Using: GUI: Panorama > Setup > Operations > Export Panorama and devices config bundle
· A new tab is launched (Chrome), and an error message is displayed on the newly launched tab
Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied) Attempt to redirect error to appweb3-panmodule.log
· No file download of the bundle is triggered.
Environment
· Any Panorama
· PAN-OS 10.2
The "unable to download Panorama config bundle" is an easy fix, just reboot Panorama and then it will be fine. (Makes no sense, I know). Every time I upgrade Panorama, the issue comes back, then I remember I have to do another reboot.
This has been bugging me for a while now (issue still exists in 10.2.3-h2) but luckily the fix is easy.
Very strange! A force template values should fix that issue. Is the local firewall uncommitted (possibly the admin password is still "stuck" in the candidate instead of running, so it somehow overwrites the running each time you log on)? (Passwords are the only things that are immediately transferred to the system when you change them, but are "volatile" until the configuration is pushed.)
Is it the 'admin' account (or any other account that already existed before you pushed your first template)?
Any local accounts that exist before pushing an admin via Panorama will retain their old password until you select "Force Template Values" from the Push Scope Selection when you push a config.