Existing login session timeout after configuring new local admin without commit

Created On 08/08/23 15:48 PM - Last Modified 09/04/24 21:34 PM


Symptom


  • Import a backup device state (without any new local admin added) into a spare/RMA firewall.
  • Add a local (temporary) admin credential (e.g. admin1/password1) without committing.
  • The existing web UI/CLI session times out, and re-login with the same credentials (e.g. admin/password) is not allowed.

Log entry for the timed-out session:

YYYY/MM/DD HH:MM:SS info     general        general 0  Session for user admin via Web from 10.20.30.201 timed out


Environment


  • Palo Alto Firewalls
  • PAN-OS 9.1 and above
  • Device state import
  • Configuring new (temporary) local admin


Cause


  • Local users are updated immediately when a new local admin is created, without the need for a commit.
  • If the imported device state does not contain any local admin (it only contains admins configured from a Panorama Template), users cannot log back in with their previous credentials, because the previous local admin(s) were removed by the device state import.


Resolution


  1. After importing the device state, do not create any temporary local admin; this prevents the unexpected timeout of the existing login session.
  2. Perform a regular commit after the device state import.
  3. The admin user configured in the imported device state can now be used to log in.
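
A pre-import check for the condition described under Cause, added here as an example (not Palo Alto Networks code): it lists the local admins in a configuration XML so you know before importing whether the backup carries any. It assumes the local configuration has been extracted from the device state bundle as XML and that local administrators sit under mgt-config/users; the function names and sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a backup whose local config holds no admins
# (admins come only from a Panorama Template, as in the Cause section).
SAMPLE_NO_LOCAL_ADMIN = """<config>
  <mgt-config><users/></mgt-config>
</config>"""

# Constructed sample: a backup that does carry a local admin.
SAMPLE_WITH_LOCAL_ADMIN = """<config>
  <mgt-config>
    <users>
      <entry name="admin">
        <phash>CONSTRUCTED-PLACEHOLDER</phash>
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
</config>"""


def local_admins(config_xml):
    """Return the names of local admins defined in the configuration XML."""
    root = ET.fromstring(config_xml)  # raises ET.ParseError on malformed XML
    if root.tag != "config":
        raise ValueError("expected a <config> root element, got <%s>" % root.tag)
    # Assumption: local admins are <entry name="..."> under mgt-config/users.
    entries = root.findall("./mgt-config/users/entry")
    return [e.get("name") for e in entries if e.get("name")]


def pre_import_check(config_xml):
    """Summarise whether the backup matches the failure condition in this article."""
    admins = local_admins(config_xml)
    if admins:
        advice = "Backup defines local admin(s); commit after import, then log in."
    else:
        advice = ("Backup defines no local admin. After import, do not add a "
                  "temporary local admin; commit first, then log in with the "
                  "admin configured in the imported device state.")
    return {"local_admins": admins, "at_risk": not admins, "advice": advice}


if __name__ == "__main__":
    for label, xml_text in (("no local admin", SAMPLE_NO_LOCAL_ADMIN),
                            ("with local admin", SAMPLE_WITH_LOCAL_ADMIN)):
        result = pre_import_check(xml_text)
        print(label, "->", result["local_admins"], "|", result["advice"])
```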

