Palo Alto Devices

How to use PAM to provide Privileged Account and Session Management for your Palo Alto device including Password Rotation?

This article covers how to create an PAM record to manage your SSH enabled Palo Alto network device, including secure, password-less remote connections with recording and automated password reset and rotation.

Manage Palo Alto device

Creating an PAM record to Manage your Palo Alto device:

1. Login to PAM as a System Administrator.
2. Navigate to Administration > Records Types.
3. Locate the Palo Alto Networks record type in the list and click the Edit button to its right.
4. On the Palo Alto Networks type edit page, locate the Hidden parameter and disable/remove the checked option. Click the Save button.
5. Navigate to Records > All Records.
6. From the Add Record dropdown menu, select Palo Alto Networks.
7. Enter a Name (required) and a Description (optional).
8. Populate your Palo Alto Networks device values into the Host, Port, User and Password fields.
9. Click Save and Return to continue.

Your Palo Alto Networks device is now under management in PAM. You may use the Connect button to test connectivity and if you wish to implement a Password Reset policy, continue to the next section of this article.

Password for Palo Alto Networks device

Creating a policy to reset or rotate the Password for your Palo Alto Networks device:

1. Open your Palo Alto Networks record in PAM with a System Administrator or an account that has the Manage permission for Task Control.
2. Within this record, open the Manage menu and select the Tasks option.
3. By default, both the Check Status and Password Reset scripts will applied.
4. Next to the Password Reset script, click the Actions menu and select Edit Policy.
5. Choose your required Policy by selecting from the list of available events.
6. Click the Save button when finished.

Your password reset policy is now applied to the PAM record managing your Palo Alto Networks device.