Why Do I See The User "panorama" Logged in As An Admin On The Local Firewall?
Question
Why do I see the user "panorama" Logged in as an admin on the local firewall?
Environment
- Firewalls managed by Panorama
OR
- Firewall with Log Forwarding to CDL (Not Panorama Managed)
Answer
There are two different scenarios in which a user called "panorama" can be seen logged in on the local firewall even though that user is not configured:
Scenario 1: After Panorama-related activities on the firewall
- WebUI "Logged in Admins" widget
- Command Line:
admin@Lab34-206-PA-3260> show admins
Admin           From            Client    Session-start   Idle-for
--------------------------------------------------------------------------
Panorama-admin  10.46.48.22     Panorama  03/31 17:39:45  00:00:30s
admin           10.101.5.204    Web       03/31 17:22:15  00:17:59s
admin           10.193.205.26   CLI       03/31 17:39:22  00:00:00s
admin           10.193.205.26   Web       03/31 17:37:45  00:02:25s
admin           10.193.205.26   CLI       03/31 17:38:41  00:00:26s
panorama        10.46.48.22     Panorama  03/31 17:39:44  00:00:30s  <<< Client
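One way to triage this output from the defender's side, as an added example (not Palo Alto Networks code): it parses `show admins` text and treats a session as matching Scenario 1 only when the Client column is Panorama and the From address is a Panorama you know. The allow-list values, the verdict labels and the extra 192.0.2.50 row are assumptions made for the illustration.

```python
import re

# Constructed sample: rows copied from the `show admins` output on this page,
# plus one made-up row (192.0.2.50) that does not fit the documented pattern.
SAMPLE = """\
Admin From Client Session-start Idle-for
--------------------------------------------------------------------------
Panorama-admin 10.46.48.22 Panorama 03/31 17:39:45 00:00:30s
admin 10.101.5.204 Web 03/31 17:22:15 00:17:59s
admin 10.193.205.26 CLI 03/31 17:39:22 00:00:00s
panorama 10.46.48.22 Panorama 03/31 17:39:44 00:00:30s <<< Client
panorama 192.0.2.50 Web 03/31 17:40:02 00:00:05s
"""

# Session-start contains a space, so match the fields explicitly instead of
# splitting on whitespace. Trailing annotations after Idle-for are ignored.
ROW = re.compile(
    r"^(?P<admin>\S+)\s+(?P<src>\S+)\s+(?P<client>\S+)\s+"
    r"(?P<start>\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2})\s+(?P<idle>\S+)"
)

def parse_show_admins(text):
    """Return one dict per session row; prompt, header and rule are skipped."""
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def triage(rows, panorama_ips, local_admins):
    """Label each session against the pattern this page documents."""
    out = []
    for r in rows:
        if r["client"] == "Panorama" and r["src"] in panorama_ips:
            verdict = "via-known-panorama"   # Scenario 1 on this page
        elif r["client"] != "Panorama" and r["admin"] in local_admins:
            verdict = "local-admin"          # account you configured yourself
        else:
            verdict = "review"               # outside the documented pattern
        out.append((r["admin"], r["src"], r["client"], verdict))
    return out

if __name__ == "__main__":
    # Hypothetical inventory: your Panorama address and local admin accounts.
    for row in triage(parse_show_admins(SAMPLE), {"10.46.48.22"}, {"admin"}):
        print(*row, sep="\t")
```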
Scenario 2: The firewall forwards logs directly to Cortex Data Lake (CDL) and is not managed by Panorama.
- When the firewall is configured to forward logs to Cortex Data Lake, a secure connection that uses an onboarding key is initiated, as described in the document "Onboard Firewalls to Cortex Data Lake".
- Once the session is initiated, the firewall sends a message to register with CDL. This results in the login activity as seen below. This is not a new session; it is an internal communication over the already established session with CDL.