09-17-2021 01:20 PM
Just set up TACACS authentication using Cisco ISE as our TACACS server. We can successfully log in with our AD accounts, but when I look in the TACACS logs on ISE, I see a ton of "INVALID" attempts from external IPs. Is this normal/expected? Is there a way to just limit TACACS to our internal network?
09-17-2021 01:43 PM
Hello @ErikMarschang, you can limit the permitted IPs on the management interface to RFC 1918 addresses. Device > Setup > Interfaces > Management > Permitted IP Addresses.
09-18-2021 06:43 PM
Hi @ErikMarschang,
That is not normal or expected. If you set up TACACS+ for authentication into your NGFW, you should only see requests from the management interface of the NGFW.
Maybe you have a security rule allowing TACACS+ from the outside? You could check the traffic logs.
Thanks,
Tom
09-20-2021 04:46 AM - edited 09-20-2021 05:10 AM
Thank you for confirming that it's not normal. That was my initial thought, but I am fairly new to the Palo NGFWs. I will check the logs and see what I can find.
09-20-2021 05:14 AM
I was looking in the logs on the Palo. I don't see anything in the Palo traffic logs regarding TACACS. So maybe the attempts aren't coming from the outside... When I look at the ISE TACACS live logs, it's full of "username INVALID". It's almost like something from the Palo is constantly trying to log in via TACACS... Not sure exactly, I'm still digging in.
09-20-2021 01:21 PM
Hello,
Also make sure your external interface does not allow logins from IPs you don't have listed. Something like this:
I only allow SSH connections to my untrust interface from the secondary data center, and in the secondary data center firewall I only allow SSH connections to the untrust interface from the primary data center.
This example is just in case you lose the internal management path due to other device failures.
Cheers!
09-20-2021 01:26 PM
It looks like I may have resolved my own issue. Under Authentication Profile, someone had "all" listed in the allow list. I removed "all" and added the specific admins that will administer the firewall. Once committed, the ISE logs stopped filling up. Thanks for chiming in everyone!
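The two fixes discussed in this thread (restricting permitted management IPs, and replacing "all" in the authentication profile allow list with named administrators) expressed as PAN-OS CLI configuration. This is an added example, not configuration from the original poster or from Palo Alto Networks; the profile name ISE-TACACS, the admin usernames, and the 10.10.0.0/24 management subnet are assumptions, and the command syntax should be verified against the CLI of your PAN-OS version before use.

```text
configure

# Weak setting (what the poster found): any username presented to the
# firewall is forwarded to ISE for TACACS+ authentication, so every
# probe against the management plane becomes an "INVALID" entry in
# the ISE TACACS live log.
set shared authentication-profile ISE-TACACS allow-list all

# Corrected setting: only the named firewall administrators are sent to
# ISE; any other username is rejected locally and never reaches TACACS+.
# (assumed profile and usernames)
delete shared authentication-profile ISE-TACACS allow-list all
set shared authentication-profile ISE-TACACS allow-list [ admin.alice admin.bob ]

# Defence in depth (the advice given earlier in the thread): only allow
# the internal management subnet to reach the management interface at all.
# Equivalent to Device > Setup > Interfaces > Management > Permitted IP Addresses.
# (assumed RFC 1918 subnet)
set deviceconfig system permitted-ip 10.10.0.0/24

commit
exit

# Check: confirm a listed admin still authenticates through ISE, and that a
# username outside the allow list is rejected before any TACACS+ request is
# sent (it should not appear in the ISE live log at all).
test authentication authentication-profile ISE-TACACS username admin.alice password
test authentication authentication-profile ISE-TACACS username not.an.admin password
```

Run the two test commands from a session opened after the commit and watch the ISE TACACS live log while they execute: the first should produce a single PASSED/FAILED record for admin.alice, the second should produce nothing, which is the behaviour the poster observed once "all" was removed. If the management interface is reachable from an address that is not in the permitted-ip list, the firewall should drop the connection rather than present a login prompt, so the permitted-ip change can be verified with a plain SSH attempt from outside 10.10.0.0/24.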