How to Determine Who Made a Change in the Configuration
Objective
When configuration changes are being made to the Firewall, administrators normally preview the changes before commit. The administrator may observe different changes to the configuration not done by them.
This normally occurs when multiple administrators are logged making changes. Some administrators prefer to make changes to the configuration with the intention of a commit during the maintenance window.
This article explains how to determine which administrator has made changes when multiple administrators are logged in before committing the configuration.
Environment
- PAN-OS 8.1 and above.
- Palo Alto Firewall.
- Changes have been made to the configuration but not yet committed.
Procedure
The example below describes the procedure to be followed. In this scenario, two changes were made (one from the user iladmin and another by the admin user). The changes have not been committed.
- From the WebGUI, go to Device > Config Audit
- At the bottom of the screen, choose the running config, candidate config, and the number of lines in the context. Refer to this article for the difference between running and candidate configuration.
- Click Go
- Review the right side to see who made the changes and the time frame the change was made, as shown below:
Note: Make sure each administrator connects to the Palo Alto Networks firewall using their own credentials so it is easy to find which user belongs to which person. It is also helpful to use an external method for authentication/authorization, such as LDAP or RADIUS.
Additional Information
One can also compare different versions of the configuration instead of selecting "running configuration" and "candidate configuration". This comparison just displays who committed the configuration and not individual changes done by each administrator.