How to Recover Password if User has One Admin Superuser Account
- Go into the Maintenance mode and export the log files to an SCP or a TFTP server
- The exported file will be in the form of a tar file (for example: 009401000552_maint_logs.tar)
- Untar the file that has been exported and open
- Go to the Management folder and click on saved-configs. There will be a "techsupport-saved-currcfg" file and rename it as "recovered_config.xml." The "techsupport-saved-currcfg" file will have the current configuration.
- Import and load this configuration into a test device and make sure it is not malformed
- Factory reset the device (see: How to Factory Reset a Palo Alto Networks Device)
- Import the "recovered_config.xml" and load it to the device
- Create a new superuser admin account
- Commit the changes
- Login to the Palo Alto Networks firewall with the new admin account and change the password
Note: On the Palo Alto Networks firewall, a factory reset is required for password recovery.
If the firewall is connected to Panorama, then access the managed firewall through the Context switch from Panorama, create a new administrator account and commit the changes.