https://live.paloaltonetworks.com/t5/next-generation-firewall/system-alert-opaque-failed-authentication-for-user-reason-user/m-p/548456#M1462 <P>Hi,</P> <P>I've been receiving many system alerts with the message:</P> <P>&nbsp;</P> <P>opaque: failed authentication for user ''. Reason: User is not in allowlist. auth profile '', vsys 'vsys1', From" "Public IP"</P> <P>&nbsp;</P> <P>eventid: auth-fail</P> <P>&nbsp;</P> <P>It looks like these public IP's are trying to access our internal network by coming through Global Protect App. Coming from many different random user names and public IP addresses. It seems that the Palo Alto firewall sends the credentials to the Active Directly Server and tharts when it fails.</P> <P>Is there a way to prevent all these attempts without even having it go to the AD server?</P> <P>&nbsp;</P> <P>Thanks.</P> Thu, 06 Jul 2023 18:16:41 GMT roma 2023-07-06T18:16:41Z https://live.paloaltonetworks.com/t5/next-generation-firewall/system-alert-opaque-failed-authentication-for-user-reason-user/m-p/548456#M1462 <P>Hi,</P> <P>I've been receiving many system alerts with the message:</P> <P>&nbsp;</P> <P>opaque: failed authentication for user ''. Reason: User is not in allowlist. auth profile '', vsys 'vsys1', From" "Public IP"</P> <P>&nbsp;</P> <P>eventid: auth-fail</P> <P>&nbsp;</P> <P>It looks like these public IP's are trying to access our internal network by coming through Global Protect App. Coming from many different random user names and public IP addresses. It seems that the Palo Alto firewall sends the credentials to the Active Directly Server and tharts when it fails.</P> <P>Is there a way to prevent all these attempts without even having it go to the AD server?</P> <P>&nbsp;</P> <P>Thanks.</P> Thu, 06 Jul 2023 18:16:41 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/system-alert-opaque-failed-authentication-for-user-reason-user/m-p/548456#M1462 roma 2023-07-06T18:16:41Z https://live.paloaltonetworks.com/t5/next-generation-firewall/system-alert-opaque-failed-authentication-for-user-reason-user/m-p/548520#M1463 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/116207">@roma</a> ,</P> <P>The error message you receive actually tell the opposite - "Reason: User is not in allowlist"</P> <P>When you configure your Authentication Profile, there is a tab to specify list of users or user groups that are allowed to authenticate with that profile.</P> <P>Firewall will first take the provide username and compare it with this allow list. If it doesn't match any of the allowed users/user groups, FW will deny user authentication, <U>without</U> even sending the credentials to AD for validation</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="aleksandarastardzhiev_0-1688719447341.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51397i2CA6DE310B431429/image-size/medium?v=v2&amp;px=400" role="button" title="aleksandarastardzhiev_0-1688719447341.png" alt="aleksandarastardzhiev_0-1688719447341.png" /></span></P> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-authentication-profile/configure-an-authentication-profile" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-authentication-profile/configure-an-authentication-profile</A> </P> <P>&nbsp;</P> Fri, 07 Jul 2023 08:44:25 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/system-alert-opaque-failed-authentication-for-user-reason-user/m-p/548520#M1463 aleksandar.astardzhiev 2023-07-07T08:44:25Z