https://live.paloaltonetworks.com/t5/general-topics/vulnerability-wrong-action-palo/m-p/453186#M101327 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85066">@BigPalo</a>&nbsp;, below are my opinions on your questions -</P> <P>&nbsp;</P> <P>why Palo is detecting a normal access as a vulnerability?</P> <P><EM>A- Palo Alto triggers this signature when there are multiple requests in specified time from same source to same destination. e.g. 20 attempts in 1 min then it will consider it as brute force. In this case the signature is triggered and actions set against it will be followed.</EM></P> <P>&nbsp;</P> <P>why Palo is not permitting this traffic if the action is alert?&nbsp;</P> <P><EM>A- I would ask you to verify the profile where you are looking the action against the profile mapped on the security policy. It may be the case that you are looking at wrong profile.</EM></P> <P>&nbsp;</P> Tue, 14 Dec 2021 14:07:29 GMT SutareMayur 2021-12-14T14:07:29Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-wrong-action-palo/m-p/453163#M101325 <P>Hi,</P><P>&nbsp;</P><P>We are having a weird issue in Palo. We have a FTP server and we can not access because Palo detects this vulnerability:&nbsp;</P><P><SPAN class="">Name: SSH User Authentication Brute Force Attempt</SPAN></P><P class="">Unique Threat ID: 40015</P><P class="">The Palo action is "alert" for this vulnerability but its being blocked "block-ip". I attach the screenshots:</P><P class="">&nbsp;</P><P class=""><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pic1.JPG" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38138iED70E7ED528ED9A6/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="pic1.JPG" alt="pic1.JPG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pic2.JPG" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38139i4DA7B0B542651B05/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="pic2.JPG" alt="pic2.JPG" /></span></P><P class="">&nbsp;</P><P class="">why Palo is detecting a normal access as a vulnerability?</P><P class="">why Palo is not permitting this traffic if the action is alert?</P><P class="">&nbsp;</P><P class="">any idea?</P><P class="">&nbsp;</P><P class="">thanks</P> Tue, 14 Dec 2021 12:19:32 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-wrong-action-palo/m-p/453163#M101325 BigPalo 2021-12-14T12:19:32Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-wrong-action-palo/m-p/453186#M101327 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85066">@BigPalo</a>&nbsp;, below are my opinions on your questions -</P> <P>&nbsp;</P> <P>why Palo is detecting a normal access as a vulnerability?</P> <P><EM>A- Palo Alto triggers this signature when there are multiple requests in specified time from same source to same destination. e.g. 20 attempts in 1 min then it will consider it as brute force. In this case the signature is triggered and actions set against it will be followed.</EM></P> <P>&nbsp;</P> <P>why Palo is not permitting this traffic if the action is alert?&nbsp;</P> <P><EM>A- I would ask you to verify the profile where you are looking the action against the profile mapped on the security policy. It may be the case that you are looking at wrong profile.</EM></P> <P>&nbsp;</P> Tue, 14 Dec 2021 14:07:29 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-wrong-action-palo/m-p/453186#M101327 SutareMayur 2021-12-14T14:07:29Z