Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Palo Alto Networks PAN-OS Settings

🗓️ 21 Feb 2013 00:00:00Reported by TenableType 
nessus
 nessus🔗 www.tenable.com👁 25 Views

Set Palo Alto authentication settings to perform authenticated compliance checks. This script initializes the credentials used for Palo Alto Firewall. To set the credentials, edit your scan policy and go to the 'Credentials' section

Code
#TRUSTED 2dd78d936dad13fda5df1fc58347398e51fffb642d4db9bae005ef372313a2402cc89d332d44b7fde0804c9b7adc6674e5947cea2c0f4f977bf214b263b5a18c477e4606c4a04b76862a280dcc153b38e3810d46630676ee80c6eff2e21c238ca0477da19f22671ae4ed05a7fe2da7c3d4d0151620625eaf8762f625d6a9a620f18db3b369bb4b8907c3064a5f049c1e379c80d80e35a7a024b8df382e6e75f4f794c4d8384c994f819aa48b1e5148737db0679c71d1d0ef0b6e350d2c4e0b145f547137538504574625da5075371c7fbcd01fb00cfb70e786c7a37442ac9312b754ae22d55fc9923b99488daff70c077314492b520df85ea5fce7dcd297540581e18d4d4fc775d07c586e61add98ed816d49af6977cc76abb57f892174fc51e168516f92167309c1cc529e8ac33d76c72adb284997477fa9f3178ec42c45afde50979c4d7bff997a339163840bf50c6f78e2e5ab24118b78ba42453601380a3a0a32aaeff940f48ee3ae3dcd825b49c7e1b9e9a7e2d218f08a249d67d68d74befc27001fa327c11f9a9a5e12f0f1c353f0f2187e8c2bbe9c477176509c35728d48ccf3785523bc9486a81f2831008cd31cb3741a1f9c1ed0c03ccc3075d366b4a4325b94194a324016cb07e47e3d879a1085f72e3e11a22430308b4cdc04c4994af120d9c497d9bfde18974368ac238f428f2126210475f8e9b5d51ee3d9da6
#TRUST-RSA-SHA256 21caaec63ee2a77782ddb9ccb1c481f0d78f7088e64f1aa06a4537acdd1325aa2926dd931bbe8c64fd4b8e2bed4ef9d8b3dabcc827c2da54b91bf64af6fbd9c8950dacda9feece5ab22af90cd630168e0e457f363def85fa46e670308e1e593fbe45cf3aa8fc3dae05028384e940c7b178bdfb72029ba08dc51beb1a4a201c4c34dd31e02672349c60a92708bb2a21a29e2dc9465c263e5720b2dfdef63f4a8234fc4bb0dfd3c67a485c7ceb27563b50b2228e96b58a9d5041f11908f3a0251f6fa90cc06070209fae214e3833fd15cd88f3b336536cbb44afbafbe332bea81fffe69fac94ee8996fc115e257d4a5ec6f9a98be8863fd8526ef8f910b514f44058077179f57eb272dd7c1ae5c4cd4c64fea4d9a8557714608a30996326f4670261001f938a229a0863e1289db6e357a6016d61f76129ef81b0fb6a9b456c23007841dddf24c181418cd0009b05dfef8cd8c975ed40712c576862b4b4654e444513b33cabfbb61c3d761a81c92971f43e09384f160fc71976e71a1efaf56e92968a35fd0e4e0c0e0de673defa68aae86180456dfaaa0e0552f025091f8d1dbbda01a5567d0d1aa1f468bca1eb40e48ef5fbd23c4b6e723205e4be4c36ed198bbb8b676c358e08a7e755cc2d5c1f4a80de620747ebee1f0d659d26b0e1e714880f0dd415e315c3b92d77ac8527cb585b40af51ebc4b55229035c0d41e5f70114b3
###
# (C) Tenable Network Security, Inc.
#
# This script is released under one of the Tenable Script Licenses and may not
# be used from within scripts released under another license without the
# authorization from Tenable Network Security Inc.
#
# @NOGPL@
#
###
if (!defined_func("nasl_level") || nasl_level() < 5000) exit(0, "Nessus older than 5.x");

include("compat.inc");

if (description)
{
  script_id(64286);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/12");

  script_name(english:"Palo Alto Networks PAN-OS Settings");
  script_summary(english:"Set Palo Alto authentication settings to perform authenticated compliance checks.");

  script_set_attribute(attribute:"synopsis", value:
"This plugin configures the Palo Alto settings.");
  script_set_attribute(attribute:"description", value:
"This script initializes the credentials used for Palo Alto Firewall. 

To set the credentials, edit your scan policy and go to the
'Credentials' section.");
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/21");

  script_set_attribute(attribute:"plugin_type", value:"settings");
  script_end_attributes();

  script_family(english:"Settings");
  script_category(ACT_SETTINGS);
  script_copyright(english:"This script is Copyright (C) 2013-2026 Tenable Network Security, Inc.");

  script_add_preference(name:"Palo Alto Username : ", type:"entry", value:"");
  script_add_preference(name:"Palo Alto Password : ", type:"password", value:"");
  script_add_preference(name:"Palo Alto Port : ", type:"entry", value:"443");
  script_add_preference(name:"SSL : ", type:"checkbox", value:"yes");
  script_add_preference(name:"Verify SSL Certificate : ", type:"checkbox", value:"no");

  exit(0);
}

include ("pam_get_credentials.inc");
include("debug.inc");

# PAM vars
var pan_os_prefix = "";
var pan_os_postfix = " :";
var pan_os_pam_creds;

var username   = script_get_preference("Palo Alto Username : ");
var password   = NULL;
var port       = script_get_preference("Palo Alto Port : ");
# using `script_get_preference("SSL : ")`; and `script_get_preference("Verify SSL Certificate : ");` doesn't work here, because
# it may unintentionally pull the value for "Palo Alto Networks PAN-OS Settings[checkbox]:PAM SSL :" or "Palo Alto Networks PAN-OS Settings[checkbox]:PAM Verify SSL Certificate :"
# and we have to be able to set them to different things (i.e. verify PAM cert but don't verify PAN-OS cert)
var ssl        = get_preference("Palo Alto Networks PAN-OS Settings[checkbox]:SSL :");
var verify_ssl = get_preference("Palo Alto Networks PAN-OS Settings[checkbox]:Verify SSL Certificate :");

# Check authenticaton method for PAN-OS
var auth_method = script_get_preference("Palo Alto Authentication Method :");

# set auth_method to Password Entry if security center does not have support for PAM 
if (empty_or_null(auth_method))
{
  auth_method = "Password Entry";
}

# Check if using PAM for Palo Alto Method
if ("Password" >< auth_method)
{
  password   = script_get_preference("Palo Alto Password :");
}
else if("CyberArk" >< auth_method)
{
  pan_os_pam_creds = pamcreds::get_creds_from_pam(username:username, prefix:pan_os_prefix, postfix:pan_os_postfix, auth_method:auth_method);
  password = pan_os_pam_creds.password;
  username = pan_os_pam_creds.username;
}

# Log user input for debuging purposes
if(!empty_or_null(username) && !empty_or_null(password))
{
  dbg::detailed_log(msg:'\nPAN-OS Auth Method: ' + auth_method +
  '\nUsername: ' + username +
  '\nPort: ' + port +
  '\nSSL: ' + ssl +
  '\nVerify SSL: ' + verify_ssl,
  lvl:3, name:SCRIPT_NAME
  );
}

if (!username || !password)
  exit(0, "Palo Alto authentication is not configured.");

set_kb_item(name:"Secret/Palo_Alto/Firewall/Login",    value:username);
set_kb_item(name:"Secret/Palo_Alto/Firewall/Password", value:password);

if (!port) port = 443;

set_kb_item(name:"Host/Palo_Alto/Firewall/Port", value:port);

if (ssl && "yes" >< ssl)
  set_kb_item(name:"Host/Palo_Alto/Firewall/ssl", value:TRUE);
else
  set_kb_item(name:"Host/Palo_Alto/Firewall/ssl", value:FALSE);

if (verify_ssl && "yes" >< verify_ssl)
  set_kb_item(name:"Host/Palo_Alto/Firewall/verify_ssl", value:TRUE);
else
  set_kb_item(name:"Host/Palo_Alto/Firewall/verify_ssl", value:FALSE);

# For integration status
replace_kb_item(name:"Palo_Alto/cred_type", value:auth_method);

# If the superadmin credentials were supplied, ensure that they are
# added to SSH credentials as well.
if (username =~ "^admin$")
{
  ssh_inserted = FALSE;
  # Iterate through SSH credentials until you find an empty slot.
  # Look at primary creds first and set those if empty.
  if (isnull(get_kb_item("Secret/SSH/login")))
  {
    set_kb_item(name:"Secret/SSH/login", value:username);
    set_kb_item(name:"Secret/SSH/password", value:password);
    ssh_inserted = TRUE;
  }
  else if (isnull(get_kb_item("Secret/SSH/password")) && isnull(get_kb_item("Secret/SSH/privatekey")))
  {
    replace_kb_item(name:"Secret/SSH/login", value:username);
    set_kb_item(name:"Secret/SSH/password", value:password);
    ssh_inserted = TRUE;
  }
  else
  {
    for (i = 0; i < 5; i++)
    {
      if (isnull(get_kb_item(strcat("Secret/SSH/", i, "/login"))))
      {
        set_kb_item(name:strcat("Secret/SSH/", i, "/login"), value:username);
        set_kb_item(name:strcat("Secret/SSH/", i, "/password"), value:password);
        ssh_inserted = TRUE;
        break;
      }
    }
  }
  if (ssh_inserted) exit(0);
  else exit(0, "SSH credentials not inserted, no empty slot found.");
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Jan 2026 00:00Current
5.4Medium risk
Vulners AI Score5.4
palo altoauthenticationcompliance checksscan policycredentialssslfirewall
25