topic Global Protect Authentication Destination is 0.0.0.0 in General Topics https://live.paloaltonetworks.com/t5/general-topics/global-protect-authentication-destination-is-0-0-0-0/m-p/557132#M113063 <DIV class="lia-quilt-row lia-quilt-row-message-main"> <DIV class="lia-quilt-column lia-quilt-column-24 lia-quilt-column-single lia-quilt-column-message-main-content"> <DIV class="lia-quilt-column-alley lia-quilt-column-alley-single"> <DIV id="bodyDisplay_1" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P>Hi,</P> <P>I have a SIEM use case for VPN login failures followed by success to the same user after 5 failures.</P> <P>When I check the event, I could see the source is external IP as expected and destination is 0.0.0.0 and with our internal VPN gateway IP alternatively.</P> <P>Here I am getting confusion should I consider the destination IP 0.0.0.0 also or we can ignore it for failures.</P> <P>&nbsp;</P> <P>Thanks</P> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class="lia-quilt-row lia-quilt-row-message-footer"> <DIV class="lia-quilt-column lia-quilt-column-16 lia-quilt-column-right lia-quilt-column-message-footer-right"> <DIV class="lia-quilt-column-alley lia-quilt-column-alley-right"> <DIV id="inlineMessageReplyContainer_1" class="lia-inline-message-reply-container lia-component-messages-widget-reply-inline-button"> <DIV id="replyWrapper_1" class="lia-inline-message-reply-wrapper"> <DIV id="messageActions_1" class="lia-message-actions"> <DIV class="lia-button-group"><SPAN class="lia-button-wrapper lia-button-wrapper-secondary"><A id="link_21" class="lia-button lia-button-secondary reply-action-link lia-action-reply iconClass lia-button-slim" href="https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-login-failures/m-p/556193" target="_blank">Reply</A></SPAN></DIV> </DIV> <DIV class="lia-inline-message-reply-placeholder">&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class="lia-quilt-row lia-quilt-row-message-moderation">&nbsp;</DIV> Fri, 08 Sep 2023 07:00:22 GMT Arunkumar27 2023-09-08T07:00:22Z Global Protect Authentication Destination is 0.0.0.0 https://live.paloaltonetworks.com/t5/general-topics/global-protect-authentication-destination-is-0-0-0-0/m-p/557132#M113063 <DIV class="lia-quilt-row lia-quilt-row-message-main"> <DIV class="lia-quilt-column lia-quilt-column-24 lia-quilt-column-single lia-quilt-column-message-main-content"> <DIV class="lia-quilt-column-alley lia-quilt-column-alley-single"> <DIV id="bodyDisplay_1" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P>Hi,</P> <P>I have a SIEM use case for VPN login failures followed by success to the same user after 5 failures.</P> <P>When I check the event, I could see the source is external IP as expected and destination is 0.0.0.0 and with our internal VPN gateway IP alternatively.</P> <P>Here I am getting confusion should I consider the destination IP 0.0.0.0 also or we can ignore it for failures.</P> <P>&nbsp;</P> <P>Thanks</P> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class="lia-quilt-row lia-quilt-row-message-footer"> <DIV class="lia-quilt-column lia-quilt-column-16 lia-quilt-column-right lia-quilt-column-message-footer-right"> <DIV class="lia-quilt-column-alley lia-quilt-column-alley-right"> <DIV id="inlineMessageReplyContainer_1" class="lia-inline-message-reply-container lia-component-messages-widget-reply-inline-button"> <DIV id="replyWrapper_1" class="lia-inline-message-reply-wrapper"> <DIV id="messageActions_1" class="lia-message-actions"> <DIV class="lia-button-group"><SPAN class="lia-button-wrapper lia-button-wrapper-secondary"><A id="link_21" class="lia-button lia-button-secondary reply-action-link lia-action-reply iconClass lia-button-slim" href="https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-login-failures/m-p/556193" target="_blank">Reply</A></SPAN></DIV> </DIV> <DIV class="lia-inline-message-reply-placeholder">&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class="lia-quilt-row lia-quilt-row-message-moderation">&nbsp;</DIV> Fri, 08 Sep 2023 07:00:22 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-authentication-destination-is-0-0-0-0/m-p/557132#M113063 Arunkumar27 2023-09-08T07:00:22Z Re: Global Protect Authentication Destination is 0.0.0.0 https://live.paloaltonetworks.com/t5/general-topics/global-protect-authentication-destination-is-0-0-0-0/m-p/557334#M113090 <P>i'm not sure i'm visualizing your logs correctly, but i'm assuming the logs that contain 0.0.0.0 do not have a destination IP as they are system/auth logs indicating a failure rather than a connection</P> <P>&nbsp;</P> <P>can you add (cleaned up) screenshots?</P> Mon, 11 Sep 2023 10:58:02 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-authentication-destination-is-0-0-0-0/m-p/557334#M113090 reaper 2023-09-11T10:58:02Z