topic Re: How could i drop"unknown RADIUS authentication protocol"? in General Topics

How could i drop"unknown RADIUS authentication protocol"?

R.Tudon — Sun, 02 Jun 2024 21:19:24 GMT

Hi!

Recently we were receiving in our environment alerts of failed authentications from different random IP's and random usernames, i was able to reduce them following the next article: Detecting Brute Force Attack on GlobalProtect Portal Page - Knowledge Base - Palo Alto Networks, and creating a dynamic list, adding tags with forward logs, dropping these attempts and blocking the IP's.

This reduced a loot, of this, but i keep getting some of them, i would like to tag also the "unknown RADIUS authentication protocol" but i don't see any similar in the log forwarding filters.

Any suggestions? Regards!

Re: How could i drop"unknown RADIUS authentication protocol"?

PavelK — Sun, 02 Jun 2024 22:44:14 GMT

Hello @R.Tudon

you should be able to use below string in the filter builder to filter these logs out:

( description contains 'unknown RADIUS authentication protocol' )

Kind Regards

Pavel

Re: How could i drop"unknown RADIUS authentication protocol"?

R.Tudon — Mon, 03 Jun 2024 17:10:23 GMT

I tried with all the different log types, but i get this error, should I've done other thing to make this filter work?

Regards!

Re: How could i drop"unknown RADIUS authentication protocol"?

BPry — Mon, 03 Jun 2024 19:23:24 GMT

@R.Tudon,

In your example it looks like you were trying to build it out for traffic, that's not where this would go. These are system events and you'd want to modify the filter for whatever log forwarding you have enabled for your system events.