We created a target account for application type 'Palo Alto'. The account password has been rotated using another Master account.
Verify Credentials using the other account fails, whereas verification using the account's own credentials succeeds.
PAM supports two types of users on Palo Alto devices:
1) Account type "User" - These are accounts that cannot log in from outside, but can have their password updated by a privileged account. The password cannot be verified, only changed.
2) Account type "Privileged" - These accounts can log on and the password can be verified. They can update their own password, and the password of type "User" accounts.
Release: 3.4
Component: PRIVILEGED ACCESS MANAGEMENT
This is a product limitation. Currently the Palo Alto target connector does not allow a privileged account to be configured so that it verifies its own password while having that password updated by another privileged account. An idea should be raised on the Ideas page to have PAM product management consider adding this functionality in future releases.