https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-brute-force/m-p/576473#M2089 <P>Client connects to FTP server via SSH and starts downloading. After a while, connection stops. I see in the logs that there a multiple SSH login attempts and finally SSH Brute Force with reset-both action.&nbsp;</P> <P>What would be the reason?</P> Wed, 07 Feb 2024 15:58:31 GMT HyAz45 2024-02-07T15:58:31Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-brute-force/m-p/576473#M2089 <P>Client connects to FTP server via SSH and starts downloading. After a while, connection stops. I see in the logs that there a multiple SSH login attempts and finally SSH Brute Force with reset-both action.&nbsp;</P> <P>What would be the reason?</P> Wed, 07 Feb 2024 15:58:31 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-brute-force/m-p/576473#M2089 HyAz45 2024-02-07T15:58:31Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-brute-force/m-p/576575#M2090 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/299531">@HyAz45</a>&nbsp;</P> <P>This is happening because you have vulnerability protection profile configured on the security policy which is matching the traffic. This signature is triggered when there are multiple requests for this traffic constantly from same source to the same destination. If you are expecting all such requests as valid, then you can exclude specific source or destination IP from this signature. Refer <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/customize-the-action-and-trigger-conditions-for-a-brute-force-signature" target="_self">this article</A> for more details.&nbsp;</P> <P>&nbsp;</P> <P>Hope it helps!</P> Thu, 08 Feb 2024 07:48:14 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-brute-force/m-p/576575#M2090 SutareMayur 2024-02-08T07:48:14Z