How to determine the user who made configuration changes when Config Audit says 'Committed by Description'
17982
Created On 11/27/20 08:50 AM - Last Modified 11/05/21 02:33 AM
Symptom
- Some config changes are seen on one of the High Availability Active/Passive devices (let's refer to it as Peer A).
- Config Audit (GUI: Device > Config Audit) shows that the changes were committed by the 'Description' username.
Environment
Palo Alto Firewalls in High Availability Active/Passive configuration
- PAN-OS 8.1 and above
- 'HA config sync' is enabled on the cluster.
- 'HA config sync' status shows 'In sync' on both devices right after the dubious commit is observed.
Cause
A High Availability 'Config sync' issued by one device in the HA cluster (Peer B) pushes the changes to the peer device, and a local commit is performed on the receiving firewall (Peer A).
The username associated with this commit will be 'Description' instead of an actual User/Administrator declared on the firewall.
Resolution
To find out which user initiated the 'Config sync' on Peer B (and ultimately caused the commit on Peer A), search the System logs (GUI: Monitor > Logs > System) on Peer B around the time of the commit that was observed on Peer A.
The logs related to 'HA' will show the actual username of the responsible User/Administrator.
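The correlation described above, as an added example that is not part of this article: each Peer A commit attributed to 'Description' is matched against Peer B system-log entries of the 'ha' kind within a short window before the commit, and the most recent one carrying a username is taken as the initiator. The log layout, timestamps and usernames are constructed for the example and are not the real PAN-OS export format; a commit with no matching HA entry resolves to None, which is the case of a sync issued without user intervention.

```python
from datetime import datetime, timedelta

# Constructed sample data in a simplified "timestamp|kind|user|message" layout
# (an assumption for this example, not the actual PAN-OS log format).
PEER_A_COMMITS = """\
2021-11-04 10:02:15|commit|Description|HA config sync commit
2021-11-04 11:30:40|commit|admin-jane|manual commit
2021-11-04 12:00:30|commit|Description|HA config sync commit
2021-11-04 14:45:03|commit|Description|HA config sync commit
"""

PEER_B_SYSTEM_LOGS = """\
2021-11-04 10:01:50|ha|admin-bob|HA config sync to peer started
2021-11-04 10:02:10|ha||HA peer connection state changed
2021-11-04 11:59:55|general||System boot complete
2021-11-04 14:44:30|ha|admin-carol|HA config sync to peer started
"""


def parse(text):
    """Split log lines into (timestamp, kind, user, message) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, kind, user, msg = line.split("|", 3)
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind, user, msg))
    return rows


def attribute_sync_commits(peer_a, peer_b, window=timedelta(minutes=5)):
    """Map each Peer A 'Description' commit time to the Peer B HA user seen
    within `window` before it, or None when no such HA entry exists."""
    # Only HA entries that carry a username can identify an initiator.
    ha_events = [r for r in parse(peer_b) if r[1] == "ha" and r[2]]
    results = {}
    for ts, kind, user, _ in parse(peer_a):
        if kind != "commit" or user != "Description":
            continue
        candidates = [r for r in ha_events if ts - window <= r[0] <= ts]
        # The latest HA event before the commit is the most likely initiator.
        latest = max(candidates, key=lambda r: r[0]) if candidates else None
        results[ts.isoformat(sep=" ")] = latest[2] if latest else None
    return results


if __name__ == "__main__":
    for commit_time, who in attribute_sync_commits(PEER_A_COMMITS, PEER_B_SYSTEM_LOGS).items():
        print(commit_time, "->", who or "no user (automatic sync?)")
```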
Additional Information
- A 'High Availability config sync' can be issued by a device without any user intervention for various reasons, e.g. one of the firewalls in the cluster restarted, a config reversal on one device, etc.
- As a best practice, when a manual config sync is needed it should be issued from the Active device, so that the correct and latest configuration is copied to the Passive firewall (not vice versa).
- The HA config sync mechanism does not sync configurations that are pushed/managed from a Panorama device.
- Additional Article: Who made changes to the configuration