Palo Alto verify failure using other Account

Article ID: 222825

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We created a target account for the application type 'Palo Alto'. The account password has been rotated using another master account.

Verify Credentials using the other account fails, whereas verification using the account itself succeeds.

Cause

PAM supports two types of users on Palo Alto devices:

1) Account type "User" - These are accounts that cannot log in from outside, but can have their password updated by a privileged account. The password cannot be verified, only changed.

2) Account type "Privileged" - These accounts can log on and the password can be verified. They can update their own password, and the password of accounts of type User.

Environment

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

This is a product limitation. Currently, the Palo Alto target connector does not allow a privileged account to be configured to verify its own password while having that password updated by another privileged account. An idea should be raised on the Ideas page to have PAM product management consider adding this functionality in future releases.