Changing the local administrator's password changes the configuration. The password hash is part of the configuration. If the user decides to diff the configuration the phash field has changed. The password change takes effect immediately, but on each commit, linux passwords are updated from the phash value. Users can change passwords and have them take effect in templates or HA.
Resolution
Overview
With the 'Automatically Acquire Commit Lock' option checked, changing the password of a local administrator without a commit operation triggers a commit lock. See the following example.
Steps
Create a local administrator, a superuser. Username: abc Password: abc
Make sure the 'Automatically Acquire Commit Lock' option is checked under GUI: Device > Setup > Management > General Settings.
Commit the configuration.
Login into the device with an administrator other than ''abc.'' Login using admin/admin for credentials.
Change the password for username 'abc' to xyz and click OK, but do not commit.
Open a different browser and log into the firewall using these credentials: username: abc password: xyz <<< new password
Note: The administrator will be able to successfully login using the new password 'xyz'.
Follow the steps below to remove the commit lock:
Click on the lock icon:
In the window that appears, select "admin" and click on "remove lock" at the bottom and then click on "OK"