I've recreated the credential locally on the firewall so PAM can manage it individually per server. Using a parent account called "bastion", I tried to reset the password for a child account called "config.manager.arief". It failed. Resetting the password manually using bastion worked. Here's the log during the password reset:
Host Name: 10.102.228.1
Device Name: FW-OCS-BJB-01
IP Address: 10.102.228.1
Descriptor 1: <null>
Descriptor 2: <null>
'}, {targetApplication = 'Name: FW-OCS-BJB-01
Policy ID: 0
Target Server ID: 2203
Type: PaloAlto
'}, {log = 'com.cloakware.cspm.server.plugin.ScriptProcessorImpl$Log@5baabf50'}, {result = 'Error Code: -1
Error Details: null
Error Message: null
Exception: null
Stack Trace: null
Is success: false
Warning Message: null
'}, {defaultPromptPaloAltoController = '(?si).*(@PA-)'}, {pwType = 'USER'}, {newAccount = 'TargetAccountImpl[ID=44626]{
UserName=config.manager.arief, TargetApplicationID=4599Name: FW-OCS-BJB-01
Policy ID: 0
Target Server ID: 2203
Type: PaloAlto
, Owner User Id=-1,
Access Type=null, PVP ID=1000, synchronized, verified,
LastVerified=Mon Dec 16 10:05:58 UTC 2019, LastUsed=Mon Dec 16 08:51:00 UTC 2019, privileged, Aliases=null, Cache allowed, Behavior=1, Duration=30,
Attributes[Count=8]{
AttributeImpl[0]{null:0 descriptor1=,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 descriptor2=,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 discoveryAllowed=false,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 discoveryGlobal=false,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 extensionType=PaloAlto,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 otherAccount=44625,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 pwType=user,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 useOtherAccountToChangePassword=true,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
}
},
CreateUser=Jorghy (2019-12-16 08:49:59.000), UpdateUser=Jorghy (2019-12-16 10:05:58.000), Hash=ffh8ROYdV/LsWuu8GMRGEVn8MiU=
}'}, {oldAccount = 'TargetAccountImpl[ID=44626]{
UserName=config.manager.arief, TargetApplicationID=4599Name: FW-OCS-BJB-01
Policy ID: 0
Target Server ID: 2203
Type: PaloAlto
, Owner User Id=-1,
Access Type=null, PVP ID=1000, synchronized, verified,
LastVerified=Mon Dec 16 10:05:58 UTC 2019, LastUsed=Mon Dec 16 08:51:00 UTC 2019, privileged, Aliases=null, Cache allowed, Behavior=1, Duration=30,
Attributes[Count=8]{
AttributeImpl[0]{null:0 descriptor1=,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 descriptor2=,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 discoveryAllowed=false,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 discoveryGlobal=false,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 extensionType=PaloAlto,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 otherAccount=44625,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 pwType=user,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 useOtherAccountToChangePassword=true,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
}
},
CreateUser=Jorghy (2019-12-16 08:49:59.000), UpdateUser=Jorghy (2019-12-16 10:05:58.000), Hash=ffh8ROYdV/LsWuu8GMRGEVn8MiU=
}'}, {useOtherAccountToChangePassword = 'true'}, {verifyThroughOtherAccount = 'false'}, {otherAccount = 'TargetAccountImpl[ID=44625]{
UserName=bastion, TargetApplicationID=4599, Owner User Id=-1,
Access Type=null, PVP ID=1002, synchronized, verified,
LastVerified=Mon Dec 16 09:44:46 UTC 2019, LastUsed=Mon Dec 16 09:44:52 UTC 2019, privileged, Aliases=null, Cache allowed, Behavior=1, Duration=30,
Attributes[Count=8]{
AttributeImpl[769615]{c.cw.m.ac:44625 descriptor1=,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
},
AttributeImpl[769613]{c.cw.m.ac:44625 descriptor2=,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
},
AttributeImpl[769617]{c.cw.m.ac:44625 discoveryAllowed=false,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
},
AttributeImpl[769614]{c.cw.m.ac:44625 discoveryGlobal=false,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
},
AttributeImpl[769616]{c.cw.m.ac:44625 extensionType=PaloAlto,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
},
AttributeImpl[769612]{c.cw.m.ac:44625 otherAccount=,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
},
AttributeImpl[769611]{c.cw.m.ac:44625 pwType=privileged,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
},
AttributeImpl[769618]{c.cw.m.ac:44625 useOtherAccountToChangePassword=false,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
}
},
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
}'}, {accountToUseForAuthentication = 'TargetAccountImpl[ID=44625]{
UserName=bastion, TargetApplicationID=4599, Owner User Id=-1,
Access Type=null, PVP ID=1002, synchronized, verified,
LastVerified=Mon Dec 16 09:44:46 UTC 2019, LastUsed=Mon Dec 16 09:44:52 UTC 2019, privileged, Aliases=null, Cache allowed, Behavior=1, Duration=30,
Attributes[Count=8]{
AttributeImpl[769615]{c.cw.m.ac:44625 descriptor1=,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
},
AttributeImpl[769613]{c.cw.m.ac:44625 descriptor2=,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
},
AttributeImpl[769617]{c.cw.m.ac:44625 discoveryAllowed=false,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
},
AttributeImpl[769614]{c.cw.m.ac:44625 discoveryGlobal=false,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
},
AttributeImpl[769616]{c.cw.m.ac:44625 extensionType=PaloAlto,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
},
AttributeImpl[769612]{c.cw.m.ac:44625 otherAccount=,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
},
AttributeImpl[769611]{c.cw.m.ac:44625 pwType=privileged,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
},
AttributeImpl[769618]{c.cw.m.ac:44625 useOtherAccountToChangePassword=false,
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
}
},
CreateUser=Jorghy (2019-12-16 08:47:38.000), UpdateUser=Jorghy (2019-12-16 09:44:46.000), Hash=wU0dBaxopO+ipc2H3hnZpWuOvug=
}'}, {accountToVerify = 'TargetAccountImpl[ID=44626]{
UserName=config.manager.arief, TargetApplicationID=4599Name: FW-OCS-BJB-01
Policy ID: 0
Target Server ID: 2203
Type: PaloAlto
, Owner User Id=-1,
Access Type=null, PVP ID=1000, synchronized, verified,
LastVerified=Mon Dec 16 10:05:58 UTC 2019, LastUsed=Mon Dec 16 08:51:00 UTC 2019, privileged, Aliases=null, Cache allowed, Behavior=1, Duration=30,
Attributes[Count=8]{
AttributeImpl[0]{null:0 descriptor1=,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 descriptor2=,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 discoveryAllowed=false,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 discoveryGlobal=false,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 extensionType=PaloAlto,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 otherAccount=44625,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 pwType=user,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
},
AttributeImpl[0]{null:0 useOtherAccountToChangePassword=true,
CreateUser=null (1970-01-01 00:00:00.000), UpdateUser=null (1970-01-01 00:00:00.000), Hash=null
}
},
CreateUser=Jorghy (2019-12-16 08:49:59.000), UpdateUser=Jorghy (2019-12-16 10:05:58.000), Hash=ffh8ROYdV/LsWuu8GMRGEVn8MiU=
}'}, {userNameEntryPrompt = '(?si).*?login:.*?'}, {passwordEntryPrompt = '(?si)(.*?password(\sfor|\sagain|:).*?)'}, {passwordConfirmationPrompt = '(?si)(.*?password(\sfor|\sagain|:).*?)'}, {passwordChangePrompt = '(?si).*?change your password.*?'}, {patternMatchingCommand = 'grep'}, {changeFilePermissionsCommand = 'chmod'}, {changePasswordCommand = 'set password'}, {elevatePrivilegeCommand = 'sudo'}, {echoCommand = 'echo'}, {policyManagementCommand = 'pwdadm'}, {whoAmICommand = 'whoami'}, {exitStatusOfLastCommand = '$?'}, {substituteUserCommand = 'su'}, {systemInfoCommand = 'uname'}, {useOtherPrivilegedAccount = 'false'}, {protocol = '{name= 'SSH2_PASSWORD_AUTH'; defaultPort= '22'}'}, {protocolToUseForAuthentication = '{name= 'SSH2_PASSWORD_AUTH'; defaultPort= '22'}'}, {passwordChangeMethod = 'passwordChangeMethod.doNotUseSudoToChangePassword'}, {unixVariant = 'unixVariant.GENERIC'}, {ciscoVariant = 'ciscoVariant.IOS_12_4'}, {connectionInfo = '{hostName= '10.102.228.1'; protocol= '{name= 'SSH2_PASSWORD_AUTH'; defaultPort= '22'}'; connectionTimeout= '60000'; channelTimeout= '5000'; isChannelDebugEnabled= 'false', events= '[CHANNEL_IS_OPEN]'; settings= '{StrictHostKeyChecking=no, PreferredAuthentications=password, MaxAuthTries=1}'}'}, {events = '[CHANNEL_IS_OPEN]'}, {channel = 'com.cloakware.cspm.server.plugin.EnhancedCSPMClientChannel@5cdcba52'}, {timeout = '5000'}}
Dec 16, 2019 10:14:07 AM com.cloakware.cspm.server.plugin.ScriptProcessorImpl debug
INFO: start executing the modified Palo Alto Manager credentials verification script
Dec 16, 2019 10:14:07 AM com.cloakware.cspm.server.app.impl.lu a
INFO: ViewAccountPasswordCmd.invoke, start
Dec 16, 2019 10:14:08 AM com.cloakware.cspm.server.app.au a
INFO: Account password is being SSO'd, but policy has change on SSO disabled
Dec 16, 2019 10:14:08 AM com.cloakware.cspm.server.app.impl.lu a
INFO: ViewAccountPassword.invoke, end:true
Dec 16, 2019 10:14:08 AM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data '
Number of failed attempts since last successful login: 0
bastion@FW-OCS-BJB-01(active)> ' MATCHES the pattern '.*(@..*>).*
Dec 16, 2019 10:14:08 AM com.cloakware.cspm.server.plugin.BeanShellScriptProcessorImpl executeScript
INFO: stopping script processor
Dec 16, 2019 10:14:08 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Disconnecting from 10.102.228.1 port 22
Dec 16, 2019 10:14:08 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Caught an exception, leaving main loop due to Socket closed
Dec 16, 2019 10:14:08 AM com.cloakware.cspm.server.app.impl.a$a a
INFO: jq.persistChildEvents Master EID=1268, TYPE=updateTargetAccountPassword generated 0 child events of type=notifyAccountUpdateEvent for any clients authorized by target alias, not target group (duplicates=0).
Dec 16, 2019 10:14:08 AM com.cloakware.cspm.server.app.impl.a$a a
INFO: jq.persistChildEvents Master EID=1268, TYPE=updateTargetAccountPassword generated 0 child events of type=notifyScriptAuthDeleteEvent for any clients authorized by target group, not target alias (duplicates=0).
Dec 16, 2019 10:14:08 AM com.cloakware.cspm.server.security.n a
INFO: HANDLE END: RSID=0 TYPE=updateTargetAccountPassword EID=1268 CMD=notifyAccountPasswordUpdateEvent AGE=-391ms STATUS=4 FAILEDATTEMPTS=0 TIME=2.264666ms
Dec 16, 2019 10:14:08 AM com.cloakware.cspm.server.security.k c
INFO: EventProcessor.processMasterEvents time=6ms (Q=2ms/P=4ms) eventsTotal=1 eventsProcessed=1 eventsProcessedRate=10000.0/m eventsProcessedSucceededDone=1 eventsProcessedFailedNotDone=0 eventsProcessedFailedDone=0]
Dec 16, 2019 10:14:08 AM com.ca.pam.CSRFFilter doFilter
INFO: Cross-Site Request Forgery (CSRF) check pass for Host: 10.49.5.164 and for HTTP Referer: https://10.49.5.164/cspm/app/feature/app.jsp?managementConsole=0&pamClient=true
Dec 16, 2019 10:14:11 AM com.ca.pam.CSRFFilter doFilter
INFO: Running Cross-Site Request Forgery (CSRF) check for URL: /cspm/rest/targetAccounts/44626
Dec 16, 2019 10:14:11 AM com.ca.pam.CSRFFilter doFilter
INFO: Cross-Site Request Forgery (CSRF) check pass for Host: 10.49.5.164 and for HTTP Referer: https://10.49.5.164/cspm/app/feature/app.jsp?managementConsole=0&pamClient=true
Dec 16, 2019 10:14:12 AM com.ca.pam.CSRFFilter doFilter
INFO: Running Cross-Site Request Forgery (CSRF) check for URL: /cspm/rest/passwordViewPolicies/1000
Dec 16, 2019 10:14:12 AM com.ca.pam.CSRFFilter doFilter
INFO: Cross-Site Request Forgery (CSRF) check pass for Host: 10.49.5.164 and for HTTP Referer: https://10.49.5.164/cspm/app/feature/app.jsp?managementConsole=0&pamClient=true
Dec 16, 2019 10:14:12 AM com.ca.pam.CSRFFilter doFilter
INFO: Running Cross-Site Request Forgery (CSRF) check for URL: /cspm/rest/targetAccounts/44625
Dec 16, 2019 10:14:12 AM com.cloakware.cspm.server.dao.impl.DataSourceManager$c run
INFO: DataSourceManagerHeartbeat.run Database cspm1=10.49.5.23 is still active and alive ['ACTIVE_AND_ALIVE' => 'ACTIVE_AND_ALIVE']. Time=0.88821ms [Total=513.2401ms, Count=540, Average=0.9504447ms, Min=0.379861ms, Max=34.733425ms].
Dec 16, 2019 10:14:12 AM com.ca.pam.CSRFFilter doFilter
INFO: Cross-Site Request Forgery (CSRF) check pass for Host: 10.49.5.164 and for HTTP Referer: https://10.49.5.164/cspm/app/feature/app.jsp?managementConsole=0&pamClient=true
Dec 16, 2019 10:14:12 AM com.cloakware.cspm.server.dao.impl.DataSourceManager$c run
INFO: DataSourceManagerHeartbeat.run Database cspm2=10.49.5.24 is still active and alive ['ACTIVE_AND_ALIVE' => 'ACTIVE_AND_ALIVE']. Time=1.204757ms [Total=623.54395ms, Count=540, Average=1.154711ms, Min=0.505451ms, Max=13.508001ms].
Dec 16, 2019 10:14:14 AM com.ca.pam.CSRFFilter doFilter
INFO: Running Cross-Site Request Forgery (CSRF) check for URL: /cspm/rest/targetAccounts/verifyPassword/44626
Dec 16, 2019 10:14:14 AM com.cloakware.cspm.server.app.impl.ls c
INFO: VerifyAccountPasswordCmd.invoke, start
Dec 16, 2019 10:14:14 AM com.cloakware.cspm.common.LegacyUtil getPasswordChangeMethod
INFO: Failed to determine the password change method since the Target Account does not have the attribute 'passwordChangeMethod' or the legacy attributes 'isRootAccount' and/or 'requirePasswordForSudo'; the default value of 'DO_NOT_USE_SUDO' will be assumed.
Dec 16, 2019 10:14:14 AM com.cloakware.cspm.server.plugin.SSHConnector connect
INFO: connecting to 10.102.228.1:22
Dec 16, 2019 10:14:14 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Connecting to 10.102.228.1 port 22
Dec 16, 2019 10:14:14 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Connection established
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Remote version string: SSH-2.0-OpenSSH_12.1
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Local version string: SSH-2.0-JSCH-0.1.53
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: SSH_MSG_KEXINIT sent
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: SSH_MSG_KEXINIT received
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: server: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: server: ssh-rsa
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: server: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: server: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: server: none,zlib@openssh.com
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: server: none,zlib@openssh.com
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: server:
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: server:
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: client: none
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: client: none
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: client:
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: client:
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: server->client aes128-ctr hmac-md5 none
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: kex: client->server aes128-ctr hmac-md5 none
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: SSH_MSG_KEX_ECDH_INIT sent
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: expecting SSH_MSG_KEX_ECDH_REPLY
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: ssh_rsa_verify: signature true
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Permanently added '10.102.228.1' (RSA) to the list of known hosts.
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: SSH_MSG_NEWKEYS sent
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: SSH_MSG_NEWKEYS received
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: SSH_MSG_SERVICE_REQUEST sent
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: SSH_MSG_SERVICE_ACCEPT received
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Authentications that can continue: password
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Next authentication method: password
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHUserInfoImpl promptPassword
INFO: jsch: password prompt: 'Password for config.manager.arief@10.102.228.1'
Dec 16, 2019 10:14:17 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Login trials exceeds 1
Dec 16, 2019 10:14:17 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Disconnecting from 10.102.228.1 port 22
Dec 16, 2019 10:14:17 AM com.cloakware.cspm.server.app.impl.ls c
WARNING: **** ACCOUNT VERIFICATION FAILED: targetAccount ID: 44626' due to 'Error Code: 15212
Error Details: null
Error Message: PAM-CM-1341: Failed to establish a communications channel to the remote host.
Exception: com.cloakware.cspm.server.plugin.NetConnectorException: PAM-CM-1341: Failed to establish a communications channel to the remote host.
Stack Trace: com.cloakware.cspm.server.plugin.NetConnectorException: PAM-CM-1341: Failed to establish a communications channel to the remote host.
at com.cloakware.cspm.server.plugin.SSHConnector.connect(SSHConnector.java:152)
at com.cloakware.cspm.server.plugin.SSHConnector.connect(SSHConnector.java:73)
at com.cloakware.cspm.server.plugin.ChannelBeanShellScriptProcessorImpl.getConnectedChannel(ChannelBeanShellScriptProcessorImpl.java:401)
at com.cloakware.cspm.server.plugin.ChannelBeanShellScriptProcessorImpl.<init>(ChannelBeanShellScriptProcessorImpl.java:88)
at com.cloakware.cspm.server.plugin.ChannelBeanShellScriptProcessorImpl.<init>(ChannelBeanShellScriptProcessorImpl.java:111)
at com.cloakware.cspm.server.plugin.targetmanager.PaloAltoSSHTargetManager.verifyCredentials(PaloAltoSSHTargetManager.java:88)
at com.cloakware.cspm.server.app.TargetManager.run(SourceFile:672)
Caused by: com.jcraft.jsch.JSchException: Auth fail
at com.jcraft.jsch.Session.connect(Session.java:512)
at com.jcraft.jsch.Session.connect(Session.java:183)
at com.cloakware.cspm.server.plugin.SSHConnector.connect(SSHConnector.java:122)
... 6 more
Is success: false
Warning Message: null
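The verify attempt in the log above ends in PAM-CM-1341 ("Failed to establish a communications channel"), yet the same log shows the TCP and SSH handshake completing and the failure only arriving at the password step, as `JSchException: Auth fail`. The following Python is an added example, not part of this thread or of CA PAM: it parses that section of the Tomcat log and the flags from the script parameter dump and reduces them to the facts that decide the verdict. `VERIFY_LOG` and `SCRIPT_PARAMS` are constructed, abridged copies of lines from this message; the record parser, the field names and the verdict wording are this example's own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: an abridged copy of the verify attempt from the log in this message.
VERIFY_LOG = """\
Dec 16, 2019 10:14:14 AM com.cloakware.cspm.server.app.impl.ls c
INFO: VerifyAccountPasswordCmd.invoke, start
Dec 16, 2019 10:14:14 AM com.cloakware.cspm.server.plugin.SSHConnector connect
INFO: connecting to 10.102.228.1:22
Dec 16, 2019 10:14:14 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Connection established
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Authentications that can continue: password
Dec 16, 2019 10:14:15 AM com.cloakware.cspm.server.plugin.SSHUserInfoImpl promptPassword
INFO: jsch: password prompt: 'Password for config.manager.arief@10.102.228.1'
Dec 16, 2019 10:14:17 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Login trials exceeds 1
Dec 16, 2019 10:14:17 AM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Disconnecting from 10.102.228.1 port 22
Dec 16, 2019 10:14:17 AM com.cloakware.cspm.server.app.impl.ls c
WARNING: **** ACCOUNT VERIFICATION FAILED: targetAccount ID: 44626' due to 'Error Code: 15212
Error Details: null
Error Message: PAM-CM-1341: Failed to establish a communications channel to the remote host.
Exception: com.cloakware.cspm.server.plugin.NetConnectorException: PAM-CM-1341: Failed to establish a communications channel to the remote host.
Caused by: com.jcraft.jsch.JSchException: Auth fail
Is success: false
"""

# Constructed sample: the flags and SSH settings from the script parameter dump, as logged.
SCRIPT_PARAMS = ("{useOtherAccountToChangePassword = 'true'}, {verifyThroughOtherAccount = 'false'}, "
                 "{connectionInfo = '{hostName= '10.102.228.1'; settings= "
                 "'{StrictHostKeyChecking=no, PreferredAuthentications=password, MaxAuthTries=1}'}'}")

HEADER_RE = re.compile(r"^[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M (\S+) (\S+)$")


@dataclass
class Record:
    source: str          # logger class, e.g. com.cloakware.cspm.server.plugin.SSHConnector$1
    method: str
    level: str = ""
    text: str = ""       # message body; stack traces and error blocks span several lines


def parse_records(log: str) -> list[Record]:
    """Split java.util.logging's two-line format (header line, then LEVEL: message) into records."""
    records: list[Record] = []
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append(Record(m.group(1), m.group(2)))
        elif records and not records[-1].level:
            level, _, text = line.partition(": ")
            records[-1].level, records[-1].text = level, text
        elif records:
            records[-1].text += "\n" + line
    return records


def _find(pattern: str, text: str, default=None):
    m = re.search(pattern, text)
    return m.group(1) if m else default


def triage_verify(log: str, params: str) -> dict:
    """Pull the facts that decide the verdict out of the log and the parameter dump."""
    recs = parse_records(log)
    body = "\n".join(r.text for r in recs)
    who = re.search(r"password prompt: 'Password for ([^'@]+)@([^']+)'", body)
    r = {
        "ssh_user": who.group(1) if who else None,
        "host": who.group(2) if who else None,
        "tcp_connected": any("Connection established" in x.text for x in recs),
        "auth_methods": _find(r"Authentications that can continue: (\S+)", body),
        "max_auth_tries": int(_find(r"MaxAuthTries=(\d+)", params, "0")),
        "verify_through_other_account": _find(r"\{verifyThroughOtherAccount = '(\w+)'\}", params) == "true",
        "failed_account_id": _find(r"ACCOUNT VERIFICATION FAILED: targetAccount ID: (\d+)", body),
        "pam_error": _find(r"Error Message: (PAM-CM-\d+)", body),
        "root_cause": _find(r"Caused by: \S+: (.+)", body),
    }
    if r["root_cause"] == "Auth fail" and r["tcp_connected"]:
        r["verdict"] = (f"{r['host']} accepted the SSH connection but rejected the password PAM holds for "
                        f"{r['ssh_user']} (method {r['auth_methods']}, MaxAuthTries={r['max_auth_tries']}); "
                        f"{r['pam_error']} here wraps an authentication failure, not a network fault")
    elif r["root_cause"]:
        r["verdict"] = f"{r['pam_error']}: {r['root_cause']}"
    else:
        r["verdict"] = "no failure recorded"
    return r


if __name__ == "__main__":
    for k, v in triage_verify(VERIFY_LOG, SCRIPT_PARAMS).items():
        print(f"{k:>30}: {v}")
```

Run on the sample, the verdict names the account whose password prompt appeared (config.manager.arief, not bastion, consistent with verifyThroughOtherAccount=false in the dump) and points at `Caused by` rather than at the outer PAM-CM-1341 message, which is the line a reader of the raw log is most likely to stop at.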
Original Message:
Sent: 12-16-2019 02:42 AM
From: Jorghy Misnan
Subject: Palo Alto Firewall Connector Script
OK, the script worked if I run it against the Palo Alto management center, but not on individual firewall devices.
Original Message:
Sent: 12-12-2019 11:48 PM
From: Jorghy Misnan
Subject: Palo Alto Firewall Connector Script
Thanks Ralf. I'll let you know if it works.
Original Message:
Sent: 12-12-2019 11:38 PM
From: Ralf Prigl
Subject: Palo Alto Firewall Connector Script
done
Original Message:
Sent: 12-12-2019 10:14 PM
From: Jorghy Misnan
Subject: Palo Alto Firewall Connector Script
Can you email it to me?
Original Message:
Sent: 12-12-2019 09:02 AM
From: Ralf Prigl
Subject: Palo Alto Firewall Connector Script
Hi Jorghy, We send the command "set mgt-config users View.Access password" to change the password of user "View.Access", but the server rejects that with the error "Server error : set failed, may need to override template object View.Access first". This appears to be a permission issue on your server. If the server cannot be reconfigured to not require an override command first, then you would need to use a custom script. You could open a support case to request a copy of the default script, which can then be adjusted to meet your particular needs. I don't want to attach it here as it is version sensitive.
Original Message:
Sent: 12-12-2019 01:27 AM
From: Jorghy Misnan
Subject: Palo Alto Firewall Connector Script
Super.Admin@FW-OCS-BJB-01(active)> configureEntering configuration mode[edit] Super.Admin@FW-OCS-BJB-01(active)#' CONTAINS the case-insensitive string '#'
Dec 12, 2019 6:25:02 AM com.cloakware.cspm.server.plugin.CSPMClientChannel write
INFO: sent data 'set mgt-config users View.Access password'
Dec 12, 2019 6:25:03 AM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data ' set [KSuper.Admin@FW-OCS-BJB-01(active)# set mgt-config [KSuper.Admin@FW-OCS-BJB-01(active)# set mgt-config users [KSuper.Admin@FW-OCS-BJB-01(active)# set mgt-config users View.Access [KSuper.Admin@FW-OCS-BJB-01(active)# set mgt-config users View.Access passwordEnter password' CONTAINS the case-insensitive string 'Enter password'
Dec 12, 2019 6:25:03 AM com.cloakware.cspm.server.plugin.CSPMClientChannel write
INFO: sent data '<not logged>'
Dec 12, 2019 6:25:03 AM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data ' : Confirm password' CONTAINS the case-insensitive string 'Confirm password'
Dec 12, 2019 6:25:03 AM com.cloakware.cspm.server.plugin.CSPMClientChannel write
INFO: sent data '<not logged>'
Dec 12, 2019 6:25:04 AM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data ' : [?1h=[24;1H[KServer error : set failed, may need to override template object View.Access first[24;1H[K[?1l>[edit]' CONTAINS the case-insensitive string '[edit]'
Dec 12, 2019 6:25:04 AM com.cloakware.cspm.server.plugin.CSPMClientChannel write
INFO: sent data 'commit'
Dec 12, 2019 6:25:05 AM com.cloakware.cspm.server.security.crypto.f a
INFO: ServerKeyUpdateThread.processObjects Re-encrypted 0 total objects of class 'c.cw.m.us' in 220msec (0.0/sec)
Dec 12, 2019 6:25:05 AM com.cloakware.cspm.server.security.crypto.f a
INFO: ServerKeyUpdateThread.processObjects Re-encrypted 0 total objects of class 'c.cw.m.ac' in 38msec (0.0/sec)
Dec 12, 2019 6:25:05 AM com.cloakware.cspm.server.security.crypto.f a
INFO: ServerKeyUpdateThread.processObjects Re-encrypted 0 total objects of class 'c.cw.m.rs' in 2msec (0.0/sec)
Dec 12, 2019 6:25:05 AM com.cloakware.cspm.server.security.crypto.f a
INFO: ServerKeyUpdateThread.processObjects Re-encrypted 0 total objects of class 'c.cw.m.ach' in 3msec (0.0/sec)
Dec 12, 2019 6:25:07 AM com.cloakware.cspm.server.dao.impl.DataSourceManager$c run
INFO: DataSourceManagerHeartbeat.run Database cspm1=10.49.5.23 is still active and alive ['ACTIVE_AND_ALIVE' => 'ACTIVE_AND_ALIVE']. Time=0.864306ms [Total=6808.8623ms, Count=8463, Average=0.80454475ms, Min=0.388135ms, Max=44.814476ms].
Dec 12, 2019 6:25:09 AM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data ' Super.Admin@FW-OCS-BJB-01(active)# commit[?1h=[24;1H[K[24;1H[K[?1l>There are no changes to commit.[edit] Super.Admin@FW-OCS-BJB-01(active)# ' does NOT CONTAIN the case-insensitive string 'Configuration committed successfully'
Dec 12, 2019 6:25:09 AM com.cloakware.cspm.server.plugin.BeanShellScriptProcessorImpl executeScript
INFO: stopping script processor
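The dialogue in this log (configure, set mgt-config users ... password, Enter password, Confirm password, commit) is short, but the log also shows how an expect-style script gets it wrong: after the confirmation it waited only for `[edit]`, so the `Server error : set failed, may need to override template object View.Access first` line was never examined and a `commit` was sent anyway, producing "There are no changes to commit." as the only recorded reason. The Python below is an added example, not part of this thread or of CA PAM's connector. It drives the same exchange against a fake PAN-OS CLI, once the way the log shows it and once with the reply to the confirmation checked for `Server error` before anything is committed, and it also covers the prompt-detection regex Ralf mentions in his 12-11-2019 10:29 AM message: `(?si).*(@PA-)` is the `defaultPromptPaloAltoController` value from the parameter dump at the top of the thread, while the two generalised prompt patterns, the fake device (its prompt layout, the escape sequences it emits around status lines, the "template-managed user" list) and the sample password are constructed for this example.

```python
import re

# Terminal-control residue. The CLI sends ESC sequences; once the ESC byte is lost in a log they
# look like the "[?1h=[24;1H[K" fragments in the thread. Strip both forms before matching,
# without touching "[edit]" or the prompt's own ">" / "#".
CTL_RE = re.compile(r"\x1b[=>]|\x1b?\[(?:[0-9;?]+[A-Za-z]|[A-Z])[=>]?")

def clean(raw: str) -> str:
    return CTL_RE.sub("", raw)

# STOCK_PROMPT is the defaultPromptPaloAltoController value logged in the thread; it only matches
# hostnames that begin with "PA-". The other two are this example's own generalisation.
STOCK_PROMPT = r"(?si).*(@PA-)"
OPER_PROMPT = r"(?s).*@[^\s@]+>\s*$"     # user@host(active)>
CONF_PROMPT = r"(?s).*@[^\s@]+#\s*$"     # user@host(active)#  (configuration mode)

def prompt_seen(pattern: str, received: str) -> bool:
    return re.search(pattern, clean(received)) is not None


class FakePanOsCli:
    """Stand-in for a PAN-OS CLI session, constructed for this example. It echoes the command,
    prints the status lines the thread's log shows, and refuses to set the password of any user
    listed as template-managed (the 'override template object' error)."""
    CTL = "\x1b[?1h\x1b=\x1b[24;1H\x1b[K"
    CTL_END = "\x1b[24;1H\x1b[K\x1b[?1l\x1b>"

    def __init__(self, host, admin, template_managed=()):
        self.base = f"{admin}@{host}(active)"
        self.template_managed = set(template_managed)
        self.configure_mode, self.dirty, self.pending, self.sent = False, False, None, []

    def _prompt(self):
        return f"[edit]\n{self.base}# " if self.configure_mode else f"{self.base}> "

    def send(self, line: str) -> str:
        self.sent.append(line)
        if self.pending and self.pending[1] is None:        # first password entry
            self.pending = (self.pending[0], line)
            return " : Confirm password"
        if self.pending:                                    # confirmation entry
            user, _first = self.pending
            self.pending = None
            if user in self.template_managed:
                return (f" : {self.CTL}Server error : set failed, may need to override "
                        f"template object {user} first{self.CTL_END}\n{self._prompt()}")
            self.dirty = True
            return f" : \n{self._prompt()}"
        if not self.configure_mode:
            self.configure_mode = line == "configure"
            note = "\nEntering configuration mode" if self.configure_mode else ""
            return f"{line}{note}\n{self._prompt()}"
        m = re.fullmatch(r"set mgt-config users (\S+) password", line)
        if m:
            self.pending = (m.group(1), None)
            return f"{line}\nEnter password   "
        if line == "commit":
            msg = "Configuration committed successfully" if self.dirty else "There are no changes to commit."
            self.dirty = False
            return f"{line}\n{self.CTL}{msg}{self.CTL_END}\n{self._prompt()}"
        return f"{line}\n{self._prompt()}"


def change_password_as_logged(cli, user, new_password) -> dict:
    """The sequence the thread's log shows: wait only for '[edit]' after the confirmation, commit
    regardless, and judge success by the commit message alone."""
    for cmd, token in [("configure", "#"), (f"set mgt-config users {user} password", "enter password"),
                       (new_password, "confirm password"), (new_password, "[edit]")]:
        if token not in clean(cli.send(cmd)).lower():
            return {"success": False, "committed": False, "error": f"did not see {token!r}"}
    out = clean(cli.send("commit"))
    ok = "Configuration committed successfully" in out
    return {"success": ok, "committed": ok, "error": None if ok else out.splitlines()[1].strip()}


def change_password(cli, user, new_password) -> dict:
    """Same exchange, but the reply to the confirmation is checked for 'Server error' before
    anything is committed, so the device's real reason reaches the result."""
    def step(cmd, pattern, label):
        out = clean(cli.send(cmd))
        if re.search(pattern, out) is None:
            raise RuntimeError(f"expected {label!r} after {cmd!r}, got {out!r}")
        return out
    step("configure", CONF_PROMPT, "configuration-mode prompt")
    step(f"set mgt-config users {user} password", r"(?i)enter password", "Enter password")
    step(new_password, r"(?i)confirm password", "Confirm password")
    out = step(new_password, CONF_PROMPT, "configuration-mode prompt")
    if "Server error" in out:
        return {"success": False, "committed": False,
                "error": out.split("Server error : ", 1)[1].splitlines()[0].strip()}
    out = step("commit", CONF_PROMPT, "configuration-mode prompt")
    if "Configuration committed successfully" not in out:
        return {"success": False, "committed": False, "error": out.splitlines()[1].strip()}
    return {"success": True, "committed": True, "error": None}


if __name__ == "__main__":
    bastion_prompt = "bastion@FW-OCS-BJB-01(active)> "
    print("stock prompt regex:", prompt_seen(STOCK_PROMPT, bastion_prompt),
          "generalised:", prompt_seen(OPER_PROMPT, bastion_prompt))
    managed = ["View.Access"]   # constructed: users pushed from a Panorama template
    print(change_password_as_logged(FakePanOsCli("FW-OCS-BJB-01", "Super.Admin", managed), "View.Access", "N3w-Pass"))
    print(change_password(FakePanOsCli("FW-OCS-BJB-01", "Super.Admin", managed), "View.Access", "N3w-Pass"))
    print(change_password(FakePanOsCli("FW-OCS-BJB-01", "bastion"), "config.manager.arief", "N3w-Pass"))
```

Against the template-managed user the logged sequence returns "There are no changes to commit." after sending `commit`, while the checked sequence returns the device's own "set failed, may need to override template object View.Access first" and never sends `commit`; against a locally defined user both succeed. The stock prompt pattern never matches `bastion@FW-OCS-BJB-01(active)>`, which is why the verify script had to be modified before it could get as far as the password step at all.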
Original Message:
Sent: 12-11-2019 11:45 PM
From: Ralf Prigl
Subject: Palo Alto Firewall Connector Script
What do you see in the tomcat log in INFO mode?
Original Message:
Sent: 12-11-2019 09:57 PM
From: Jorghy Misnan
Subject: Palo Alto Firewall Connector Script
Hi Ralf, I'm talking about privileged accounts for Palo Alto. I have one privileged account with admin rights that will do the password reset for another account. I've tried using the Verify script you mentioned and it worked. The only thing that still didn't work is the Update.
Original Message:
Sent: 12-11-2019 10:33 AM
From: Ralf Prigl
Subject: Palo Alto Firewall Connector Script
The Verify script problem is discussed in https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=115191, and the solution is provided there.
Original Message:
Sent: 12-11-2019 10:29 AM
From: Ralf Prigl
Subject: Palo Alto Firewall Connector Script
Hi Jorghy, Can you provide more details? Are you concerned with User accounts or Privileged accounts? Verify only works for Privileged accounts. Updates should work for both. There was an issue with the regular expression used to detect the command prompt. This would affect Verify of Privileged accounts. It has been changed in PAM 3.3. A custom verify script was provided to another customer. But first we'd need to know your exact use case and what problem you are running into. You should see what the script is trying to do and what it is tripping over when you set the tomcat log level to INFO.
Original Message:
Sent: 12-11-2019 04:04 AM
From: Jorghy Misnan
Subject: Palo Alto Firewall Connector Script
CA PAM v3.2.6
Need assistance to manage accounts for Palo Alto Firewall devices. The out-of-the-box update and verify scripts for Palo Alto didn't work. Please share any verify and update script for Palo Alto firewalls if you happen to have similar experience, thank you.
------------------------------
Regards,
Jorghy M.
------------------------------