https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/170489#M54050 <P>Except for console logins, there obviously is no IP address</P> Tue, 08 Aug 2017 11:35:48 GMT Remo 2017-08-08T11:35:48Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/170480#M54047 <P>Hi All,</P><P>I have a situation where someone tried to access Palo Alto and failed to login as the authentication was not granted. Any idea where i can go and see what was the source IP and location etc. A bit of forensics.</P><P>&nbsp;</P><P>Any suggestions most welcome.</P><P>&nbsp;</P><P>Imran</P><P>(Brighton)</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 08 Aug 2017 11:11:17 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/170480#M54047 imranshahid 2017-08-08T11:11:17Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/170487#M54048 <P>PA-3020 shows failed auths in /Monitor/System.</P><P>&nbsp;</P><P>Event = auth-fail</P><P>&nbsp;</P><P>this shows the ip address of the failed auth.</P> Tue, 08 Aug 2017 11:30:34 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/170487#M54048 Mick_Ball 2017-08-08T11:30:34Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/170488#M54049 <P>this shows the source ip address of the failed auth.</P> Tue, 08 Aug 2017 11:31:51 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/170488#M54049 Mick_Ball 2017-08-08T11:31:51Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/170489#M54050 <P>Except for console logins, there obviously is no IP address</P> Tue, 08 Aug 2017 11:35:48 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/170489#M54050 Remo 2017-08-08T11:35:48Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/171821#M54286 <P>so how would you find the source IP ? Any comments please feel free</P> Wed, 16 Aug 2017 09:51:08 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/171821#M54286 imranshahid 2017-08-16T09:51:08Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/171842#M54291 <P>Hi,</P><P>&nbsp;</P><P>It says from:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="auth logs.PNG" style="width: 797px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/10801iBB1F3180F788868F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="auth logs.PNG" alt="auth logs.PNG" /></span></P><P>&nbsp;</P><P>You can only see this info if the attempts were initiated to the mgmt interface. If the&nbsp;user was trying to get access over the data-plane interface, then check intra-zone&nbsp;traffic (if logging is enabled) filtering based on the destination Palo&nbsp;ip address as well as destination port 443.</P> Wed, 16 Aug 2017 12:17:58 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/171842#M54291 TranceforLife 2017-08-16T12:17:58Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/171849#M54293 <P>you will also get auth-fail logs if the attempt was made on a dataplane management profile <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 16 Aug 2017 13:32:44 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/171849#M54293 reaper 2017-08-16T13:32:44Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/171850#M54294 <P>Nice! I thought system log just includes mgmt interface attempts</P> Wed, 16 Aug 2017 13:36:51 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-login-attempt-found-on-pa/m-p/171850#M54294 TranceforLife 2017-08-16T13:36:51Z