
How to remediate – Palo Alto Networks PAN-OS Firewall/Panorama WebUI Default Cred…

1. Introduction

The Palo Alto Networks PAN-OS Firewall/Panorama WebUI ships with a default password for the ‘admin’ account. An unauthenticated attacker who can reach the management interface can log in with it and gain full administrative access, potentially compromising the entire firewall and any connected systems. This affects the confidentiality, integrity, and availability of network resources.

2. Technical Explanation

The vulnerability occurs because the PAN-OS Firewall / Panorama WebUI ships with a pre-configured ‘admin’ user account protected only by a well-known default password. Anyone who can reach the login page can authenticate with these credentials; no other access is required. This is a common misconfiguration that attackers actively scan for.

  • Root cause: The use of hardcoded, well-known default credentials on the administrative web interface.
  • Exploit mechanism: An attacker attempts login with the default ‘admin’ username and password via the WebUI. Successful authentication grants full administrative control. For example, an attacker could use a simple HTTP request to the login page with the default credentials.
  • Scope: Palo Alto Networks PAN-OS Firewalls and Panorama versions where the default admin account is not changed.

3. Detection and Assessment

  • Quick checks: Open the WebUI login page and check whether it prompts for a username/password without any warning that initial configuration is still required.
  • Scanning: Nessus plugin ID 428c8b63 can identify this vulnerability, but results should be verified manually.
  • Logs and evidence: Review firewall logs for successful logins using the ‘admin’ account from unexpected source IP addresses. Look for event IDs related to authentication attempts on the WebUI interface.
  • Command-line check: none is available, as this is a web UI check. Access the PAN-OS Firewall/Panorama WebUI and attempt login with the default credentials.

4. Solution / Remediation Steps

Secure the ‘admin’ user account with a strong, unique password. Follow these steps to fix the issue.

4.1 Preparation

  • No services need to be stopped for this change.
  • Roll back plan: Take a configuration snapshot before the change and restore from it if issues occur during password modification. A change window may be required depending on your organisation’s policies.

4.2 Implementation

  1. Log in to the PAN-OS Firewall / Panorama WebUI as an administrator.
  2. Navigate to Device > Administrators.
  3. Select the ‘admin’ user account.
  4. Change the password to a strong, unique value that meets your organisation’s complexity requirements.
  5. Confirm the new password.
  6. Commit the changes.

4.3 Config or Code Example

Before

# Default admin account configuration (example - actual config is managed via UI)
admin: {
  password: "changeme"
}

After

# Secure admin account configuration (example - actual config is managed via UI)
admin: {
  password: "YourStrongPasswordHere"
}

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue. Least privilege reduces the impact of compromise, and safe defaults minimise initial exposure.

  • Practice 1: Implement least privilege by limiting administrative access only to those who require it.
  • Practice 2: Enforce strong password policies across all systems, including firewalls.

4.5 Automation (Optional)

No suitable automation script is available for this vulnerability due to the UI-based nature of the change.

5. Verification / Validation

  • Post-fix check: Attempt to log in to the WebUI using the default ‘admin’ username and password. The login should fail.
  • Re-test: Re-run the detection steps from Section 3; Nessus plugin ID 428c8b63 should no longer report the vulnerability.
  • Smoke test: Verify that you can still access firewall management features, such as policy viewing and rule modification, using your new administrator credentials.
  • Monitoring: Monitor firewall logs for failed login attempts with the ‘admin’ account to detect potential brute-force attacks.
  • Command-line check: none is available; attempt login via the WebUI with the default credentials, which should fail.
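The log review described in Section 3 (successful ‘admin’ logins from unexpected sources) and the monitoring in Section 5 (failed ‘admin’ logins that may indicate brute forcing) can be scripted against exported system-log entries. The following is an added example, not code from the original article or from Palo Alto Networks; the log wording, the sample lines and the trusted management network are constructed assumptions, so adjust the regexes to the exact format your devices export.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on PAN-OS system-log descriptions for the
# auth-success / auth-fail events; the exact wording is an assumption, not device output.
SAMPLE_LOGS = [
    "User admin logged in via Web from 10.10.1.5 using https",
    "User admin logged in via Web from 203.0.113.44 using https",
    "User auditor logged in via Web from 203.0.113.44 using https",
    "failed authentication for user 'admin'. Reason: Invalid username/password From: 198.51.100.7.",
    "failed authentication for user 'admin'. Reason: Invalid username/password From: 198.51.100.7.",
    "failed authentication for user 'admin'. Reason: Invalid username/password From: 198.51.100.7.",
    "failed authentication for user 'admin'. Reason: Invalid username/password From: 198.51.100.7.",
    "failed authentication for user 'admin'. Reason: Invalid username/password From: 10.10.1.9.",
]

# Management networks from which admin logins are expected (assumed for this example).
TRUSTED_MGMT = [ipaddress.ip_network("10.10.1.0/24")]

SUCCESS_RE = re.compile(r"User (\S+) logged in via (\S+) from (\d+\.\d+\.\d+\.\d+)")
FAIL_RE = re.compile(r"failed authentication for user '([^']+)'.* From: (\d+\.\d+\.\d+\.\d+)")

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT)

def unexpected_admin_logins(lines, account="admin"):
    """Source IPs of successful WebUI logins for `account` from outside the management networks."""
    hits = []
    for line in lines:
        m = SUCCESS_RE.search(line)
        if m and m.group(1) == account and not is_trusted(m.group(3)):
            hits.append(m.group(3))
    return hits

def brute_force_sources(lines, account="admin", threshold=3):
    """Source IPs with at least `threshold` failed logins for `account` (possible password guessing)."""
    failures = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m and m.group(1) == account:
            failures[m.group(2)] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    print("admin logins from untrusted sources:", unexpected_admin_logins(SAMPLE_LOGS))
    print("sources exceeding failure threshold:", brute_force_sources(SAMPLE_LOGS))
```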

6. Preventive Measures and Monitoring

Update your security baseline to include a check for default credentials on administrative interfaces. Consider adding checks in your deployment pipelines to prevent this issue from recurring.

  • Baselines: Update your firewall security baseline or CIS control checklist to require changing the default ‘admin’ password during initial setup.
  • Asset and patch process: Review firewall configurations regularly as part of a vulnerability management program, at least every 30 days.

7. Risks, Side Effects, and Roll Back

Changing the ‘admin’ password should not cause any service disruption. However, losing the new password could require a factory reset.

  • Risk or side effect 1: Forgetting the new password may necessitate a firewall reset, leading to configuration loss.
  • Roll back: Restore from the pre-change snapshot taken in Section 4.1 if issues occur during password modification.

8. References and Resources

Updated on December 27, 2025
