https://live.paloaltonetworks.com/t5/general-topics/unauthorized-access/m-p/261837#M74211 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/105432">@karthikeyanB</a>,</P><P>If you don't have the logs anymore and you aren't sending them off of the firewall then you essentially don't have anything to view what credentials were used to make those changes anymore. I would recommend you simply have anyone with credentials change them. Same thing goes with restoring the configuration or log files, if you weren't already sending them elsewhere you have nothing to restore from.&nbsp;</P><P>Just a few things I would really recommend you do to increase security:</P><UL><LI>Utilizes permitted-ips&nbsp;on the management interfaces to restrict management access to a few machines.&nbsp;</LI><LI>Assuming that the GUI was open to the internet, absolutely stop doing this. If&nbsp;<EM>required</EM> restrict it to one external IP address under your control.&nbsp;</LI><LI>Configure log forwarding so the logs aren't only on the firewall.</LI><LI>Configure log settings so you get alerted for any configuration change made to the device; and if that's to chatty for you at least configure an alert for when a commit is performed.&nbsp;</LI></UL> Tue, 21 May 2019 17:19:56 GMT BPry 2019-05-21T17:19:56Z https://live.paloaltonetworks.com/t5/general-topics/unauthorized-access/m-p/261726#M74204 <DIV class="x_MsoNormal">Hi All,</DIV><DIV class="x_MsoNormal">&nbsp;</DIV><DIV class="x_MsoNormal">we had an unauthorised access to our firewall, after the access all the logs in the firewall have been deleted and configurations have been changed and committed.&nbsp;</DIV><DIV class="x_MsoNormal">&nbsp;</DIV><DIV class="x_MsoNormal">we need to which credential are used to login the firewall.</DIV><DIV class="x_MsoNormal">&nbsp;</DIV><DIV class="x_MsoNormal">Now we found the ip address as well as what changes are they made.</DIV><DIV class="x_MsoNormal">&nbsp;</DIV><DIV class="x_MsoNormal">there is any other chance for restoring&nbsp; the deleted file.</DIV><DIV class="x_MsoNormal">&nbsp;</DIV><DIV class="x_MsoNormal">Regards</DIV><DIV class="x_MsoNormal">Karthikeyan&nbsp;</DIV> Tue, 21 May 2019 06:07:32 GMT https://live.paloaltonetworks.com/t5/general-topics/unauthorized-access/m-p/261726#M74204 karthikeyanB 2019-05-21T06:07:32Z https://live.paloaltonetworks.com/t5/general-topics/unauthorized-access/m-p/261837#M74211 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/105432">@karthikeyanB</a>,</P><P>If you don't have the logs anymore and you aren't sending them off of the firewall then you essentially don't have anything to view what credentials were used to make those changes anymore. I would recommend you simply have anyone with credentials change them. Same thing goes with restoring the configuration or log files, if you weren't already sending them elsewhere you have nothing to restore from.&nbsp;</P><P>Just a few things I would really recommend you do to increase security:</P><UL><LI>Utilizes permitted-ips&nbsp;on the management interfaces to restrict management access to a few machines.&nbsp;</LI><LI>Assuming that the GUI was open to the internet, absolutely stop doing this. If&nbsp;<EM>required</EM> restrict it to one external IP address under your control.&nbsp;</LI><LI>Configure log forwarding so the logs aren't only on the firewall.</LI><LI>Configure log settings so you get alerted for any configuration change made to the device; and if that's to chatty for you at least configure an alert for when a commit is performed.&nbsp;</LI></UL> Tue, 21 May 2019 17:19:56 GMT https://live.paloaltonetworks.com/t5/general-topics/unauthorized-access/m-p/261837#M74211 BPry 2019-05-21T17:19:56Z