How to audit Admin account password changes of Local DB accounts.

How to audit Admin account password changes of Local DB accounts.

570
Created On 10/06/22 04:58 AM - Last Modified 05/23/25 21:12 PM


Objective


When an administrator would like to know follows about Firewall admin account of Local DB, this article may help an administrator.

  • When Admin account password was changed?
  • Which Admin account changed an Admin account password?
  • Which Admin account password was changed?

Environment


  • Next Generation Firewall
  • PAN-OS 10.1
  • PAN-OS 10.2

Procedure


  1. Go to Monitor > Logs > Configuration.
  2. Apply the filter "after-change-preview contains phash".

image.png

  1. In the example shown in the above logs:
    1. Admin account name "mgr" changed the password of account name "test2" at 17:50:02 on 9/29.
    2. Admin account name "mgr" changed the password of account name "test" at 17:34:10 on 9/29.
    3. Admin account name "admin" changed the password of account name "test2" at 17:24:59 on 9/29.
 

Additional Information


When the admin account owner changes his own password, Configuration log does not log entries about it.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZQbCAM&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail