Page 1 of 1

[Implemented] Palo Alto acknowledge login banner

Posted: Sun Apr 24, 2022 4:43 pm
by bboy8012
Hi All,

Having a little issue with Unimus being able to login into my PAN firewalls because I have the login banner that needs to be accepted. I have Googled around and have not found anything. Can anyone provide a link or some guidance on how to get Unimus to be able to log in? Thanks

Re: Palo Alto acknowledge login banner

Posted: Tue Jul 26, 2022 6:30 pm
by Vik@Unimus
Hello,

Apologies for a late reply. The issue regarding this specific banner and the aforementioned need to acknowledge it via the "Force admins to acknowledge this banner" the in PAN OS, is a known issue. When this was reported to us a little while ago we did some remote troubleshooting, but it hasn't provide enough information as even though it seems like a trivial thing, it turned out to be more complex, so we need to troubleshoot on a physical device in our lab directly.
We got one PA router previously, but that device turned out to have some issues and ultimately stopped working, but we have currently another device on its way.

For now, the workaround is simple - having a banner is fine, but for the time being it will work only with "Force admins to acknowledge this banner" option disabled.

I have just added this thread to our internal ticket so when we have updates to share, I will update this thread.

Re: Palo Alto acknowledge login banner

Posted: Wed Nov 23, 2022 7:42 pm
by dhammel
Hello,

Just came accross this post - obviously this is not a acceptable workaround. Our firewall admins have force enabled this banner for a reason ofcourse. When working on firewalls accountability is top priority and as such all engineers working on our firewalls have to READ AND ACKNOWLEDGE the banner for auditing and (legal) accountability reasons. I do agree that this banner (on the Palo Alto side) should be enabled on a per user basis, but it isn't.

The login simply asks for 'yes' to be entere to continue - shouldn't be that hard to incorporate this in Unimus?

The firewall simply writes the following question:

Do you accept and acknowledge the statement above ? (yes/no) :

Unimus could treat this as enable password or as extra feature on the credentials page... Please expedite this feature!

Rgds

David Hammel (a paying unimus user)

Re: Palo Alto acknowledge login banner

Posted: Thu Nov 24, 2022 2:31 pm
by Vik@Unimus
Hello,

Actually, our team has already finished works on this last week and the support for the forced acknowledgement will be rolled out, starting with the upcoming release of 2.3.0-Beta1 (and onward, of course). As soon as that happens, I will update this thread.

Re: Palo Alto acknowledge login banner

Posted: Fri Dec 09, 2022 2:08 pm
by Vik@Unimus
Hello Everyone,

We have a new Unimus version 2.3.0-Beta1 live now, which contains the fix/support for PA's forced banner acknowledgment procedure. You can find more information in our Beta branch thread

viewtopic.php?f=4&t=1599

If you are running Unimus on Windows, then feel free to just download and run the installer.
In case Unimus is deployed on Linux, then unless you are running it already, I would first recommend upgrading to the latest stable version (https://unimus.net/download, currently 2.2.4), stopping Unimus service afterwards, downloading the new executable (.jar file) from the Beta download page and replacing the existing binary in /opt/unimus folder with the new one.

If you get a chance, give it a try and let us know if it worked as expected, or in case you encounter any other issue.