https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-login-failures/m-p/556334#M4354 <P>Hi,</P> <P>I have a SIEM use case for VPN login failures followed by success to the same user after 5 failures.</P> <P>When I check the event, I could see the source is external IP as expected and destination is 0.0.0.0 and with our internal VPN gateway IP alternatively.</P> <P>Here I am getting confusion should I consider the destination IP 0.0.0.0 also or we can ignore it for failures.</P> <P>&nbsp;</P> <P>Thanks</P> Mon, 04 Sep 2023 06:24:50 GMT Arunkumar27 2023-09-04T06:24:50Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-login-failures/m-p/555968#M4341 <P>Hi,</P> <P>I received two kinds of events when I tried to connect VPN.&nbsp; Which event I can consider as a threat.</P> <P>I have excluded the username pre-logon from monitoring but for the destination 0.0.0.0 is receiving.</P> <P>&nbsp;</P> <P>Why destination IP show 0.0.0.0? Can I ignore it?</P> <P>&nbsp;</P> <P><STRONG>Destination IP as 0.0.0.0</STRONG></P> <P>&nbsp;</P> <P>&lt;14&gt;Aug 31 10:00:24 PA-FW1 1,2023/08/31 10:00:24,016301009873,GLOBALPROTECT,0,2562,2023/08/31 10:00:24,vsys1,portal-auth,login,ldap,,Arun,IN,DELT100344,157.38.38.164,0.0.0.0,0.0.0.0,0.0.0.0,285fef3b-21ea-41ba-b85c-7d5964db38d9,FTTVXB2,5.0.10,Windows,"Microsoft Windows 10 Enterprise , 64-bit",1,,Authentication failed: Invalid username or password,,failure,,0,pre-logon,18,SSL-VPN-PROTAL,7269186445733142702,0x8000000000000000,2023-08-31T10:00:24.120+05:30,,,,,,97,0,0,0,,FW1-PA-FW-SEC,1</P> <P>&nbsp;</P> <P><STRONG>Destination IP is our server address:</STRONG></P> <P>&nbsp;</P> <P>&lt;12&gt;Aug 31 10:00:24 PA-FW1 LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|10.2.3-h4|auth-fail|x7C|ReceiveTime=2023/08/31 10:00:24|SerialNumber=016301009873|cat=SYSTEM|Subtype=auth|devTime=Aug 31 2023 04:30:24 GMT|VirtualSystem=|Filename=FW1SSLVPN|Module=general|sev=3|Severity=medium|msg="failed authentication for user 'Arun'. Reason: Invalid username/password. auth profile 'FW1SSLVPN', vsys 'vsys1', server profile 'AB-AD_PROFILE', server address 'x.x.21.1', From: 157.38.38.164."|sequence=7269186445733173709|ActionFlags=0x8000000000000000|DeviceGroupHierarchyL1=0|DeviceGroupHierarchyL2=0|DeviceGroupHierarchyL3=0|DeviceGroupHierarchyL4=0|vSrcName=|DeviceName=PA-FW1</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks</P> Thu, 31 Aug 2023 07:22:45 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-login-failures/m-p/555968#M4341 Arunkumar27 2023-08-31T07:22:45Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-login-failures/m-p/556193#M4349 <P>I don't understand your case, but if use Pre-Logon include routes because these routes try communicate with LDAP, if otherwise, if have profiles SAML, check if the pool IP address can access to the Internet. I had a customer environment similar at you, but the Pre-Logon have include routes to the LDAP, and the second session in the gateway have a SAML profile. This maybe works but it's neccesary deploy with anysome integration.</P> Fri, 01 Sep 2023 18:58:59 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-login-failures/m-p/556193#M4349 felipeorozco 2023-09-01T18:58:59Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-login-failures/m-p/556334#M4354 <P>Hi,</P> <P>I have a SIEM use case for VPN login failures followed by success to the same user after 5 failures.</P> <P>When I check the event, I could see the source is external IP as expected and destination is 0.0.0.0 and with our internal VPN gateway IP alternatively.</P> <P>Here I am getting confusion should I consider the destination IP 0.0.0.0 also or we can ignore it for failures.</P> <P>&nbsp;</P> <P>Thanks</P> Mon, 04 Sep 2023 06:24:50 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-login-failures/m-p/556334#M4354 Arunkumar27 2023-09-04T06:24:50Z