https://live.paloaltonetworks.com/t5/general-topics/reset-both-for-client-sftp-server/m-p/560239#M113579 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/221132">@RiveraMarco</a>,</P> <P>Whatever vulnerability profile is assigned to the security policy matching that traffic can be updated with an exception if you feel like that's the right course of action. Ideally you would build out a specific entry for that traffic and assign it it's own profile if you proceed with that exception.</P> Mon, 02 Oct 2023 14:49:36 GMT BPry 2023-10-02T14:49:36Z https://live.paloaltonetworks.com/t5/general-topics/reset-both-for-client-sftp-server/m-p/560034#M113555 <P>I have been noticing lots of traffic between an internal client to one of our Sftp server where the log states</P> <P>SSH User Authentication Brute Force on Port 22&nbsp; - Action Reset-Both.&nbsp; We have checked the client and has the correct credentials for the destination.&nbsp; What else should I check?&nbsp; The logs on the sftp server do not indicate any errors.</P> Fri, 29 Sep 2023 13:12:20 GMT https://live.paloaltonetworks.com/t5/general-topics/reset-both-for-client-sftp-server/m-p/560034#M113555 RiveraMarco 2023-09-29T13:12:20Z https://live.paloaltonetworks.com/t5/general-topics/reset-both-for-client-sftp-server/m-p/560035#M113556 <P>Maybe you are transferring small files and client logs into SFTP server every time to transfer file.</P> <P>By default&nbsp;<SPAN>SSH User Authentication Brute Force matches if there are more than 20 login events during 60 second period.</SPAN></P> Fri, 29 Sep 2023 13:26:22 GMT https://live.paloaltonetworks.com/t5/general-topics/reset-both-for-client-sftp-server/m-p/560035#M113556 Raido_Rattameister 2023-09-29T13:26:22Z https://live.paloaltonetworks.com/t5/general-topics/reset-both-for-client-sftp-server/m-p/560041#M113557 <P>Your explanation sounds reasonable.&nbsp; How should we address this so we don't see the traffic?</P> Fri, 29 Sep 2023 14:03:49 GMT https://live.paloaltonetworks.com/t5/general-topics/reset-both-for-client-sftp-server/m-p/560041#M113557 RiveraMarco 2023-09-29T14:03:49Z https://live.paloaltonetworks.com/t5/general-topics/reset-both-for-client-sftp-server/m-p/560239#M113579 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/221132">@RiveraMarco</a>,</P> <P>Whatever vulnerability profile is assigned to the security policy matching that traffic can be updated with an exception if you feel like that's the right course of action. Ideally you would build out a specific entry for that traffic and assign it it's own profile if you proceed with that exception.</P> Mon, 02 Oct 2023 14:49:36 GMT https://live.paloaltonetworks.com/t5/general-topics/reset-both-for-client-sftp-server/m-p/560239#M113579 BPry 2023-10-02T14:49:36Z