How to recover the password if only one admin superuser account exists

Option One:

Steps

1. Go into the Maintenance mode and export the log files to an SCP or a TFTP server
2. The exported file will be in the form of a tar file (for example: 009401000552_maint_logs.tar)
3. Untar the file that has been exported and open
4. Go to the Management folder and click on saved-configs. There will be a "techsupport-saved-currcfg" file and rename it as "recovered_config.xml." The "techsupport-saved-currcfg" file will have the current configuration.
   
5. Import and load this configuration into a test device and make sure it is not malformed
6. Factory reset the device (see: How to Factory Reset a Palo Alto Networks Device )
7. Import the "recovered_config.xml" and load it to the device
8. Create a new superuser admin account
9. Commit the changes
10. Login to the Palo Alto Networks firewall with the new admin account and change the password

Note: On the Palo Alto Networks firewall, a factory reset is required for password recovery.

Option Two:

If the firewall is connected to Panorama, then access the managed firewall through the Context switch from Panorama, create a new administrator account and commit the changes.

owner: achalla