Suspicious login attempt found on PA.


L1 Bithead

Hi All,

I have a situation where someone tried to access Palo Alto and failed to login as the authentication was not granted. Any idea where I can go and see what the source IP and location etc. were? A bit of forensics.


Any suggestions most welcome.


Imran

(Brighton)


7 REPLIES 7

L7 Applicator

PA-3020 shows failed auths in /Monitor/System.


Event = auth-fail

This shows the IP address of the failed auth.

L7 Applicator

"This shows the source IP address of the failed auth."

Except for console logins, there obviously is no IP address,

so how would you find the source IP? Any comments, please feel free.

Hi,


It says from:

[image: auth logs.PNG]

You can only see this info if the attempts were initiated to the mgmt interface. If the user was trying to get access over the data-plane interface, then check intra-zone traffic (if logging is enabled), filtering based on the destination Palo IP address as well as destination port 443.

You will also get auth-fail logs if the attempt was made on a dataplane management profile 🙂

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
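The replies above boil down to one check: filter the system log on the `auth-fail` event and read the source address out of the entry's "From:" field (absent for console logins). The script below is an added example, not code from the thread or from Palo Alto Networks; it runs that filter over a handful of constructed log lines in a simplified time,type,subtype,eventid,description layout that only loosely resembles a real PAN-OS system log export, extracts user and source IP, and flags any source that fails repeatedly. The field order, the description wording and the addresses are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines, loosely modelled on PAN-OS system log entries
# (time,type,subtype,eventid,description). Made up for this example; a real
# export has many more columns and may phrase the description differently.
SAMPLE_LOGS = [
    "2024/01/10 09:12:01,SYSTEM,auth,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password From: 203.0.113.7.",
    "2024/01/10 09:12:04,SYSTEM,auth,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password From: 203.0.113.7.",
    "2024/01/10 09:12:09,SYSTEM,auth,auth-fail,failed authentication for user 'root'. Reason: Invalid username/password From: 203.0.113.7.",
    "2024/01/10 09:15:30,SYSTEM,auth,auth-fail,failed authentication for user 'imran'. Reason: Invalid username/password From: 192.0.2.15.",
    "2024/01/10 09:16:02,SYSTEM,auth,auth-success,authenticated for user 'imran'. From: 192.0.2.15.",
    # Console-style failure: no "From:" address, as one reply in the thread points out.
    "2024/01/10 09:20:11,SYSTEM,auth,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password.",
    "2024/01/10 09:21:00,SYSTEM,general,general,Config commit completed.",
]

USER_RE = re.compile(r"user '(?P<user>[^']+)'")
# IPv4 or IPv6 literal after "From:", tolerating the trailing full stop.
SRC_RE = re.compile(r"From: (?P<src>[0-9A-Fa-f:.]+?)\.?$")


def parse_auth_failures(lines):
    """Return (timestamp, user, source_ip) for every auth-fail entry.

    source_ip is None when the entry carries no "From:" field, e.g. a console login.
    """
    events = []
    for line in lines:
        parts = line.split(",", 4)
        if len(parts) < 5:
            continue  # malformed or truncated line; skip rather than guess
        ts, _logtype, _subtype, eventid, desc = parts
        if eventid != "auth-fail":
            continue
        user_m = USER_RE.search(desc)
        src_m = SRC_RE.search(desc)
        user = user_m.group("user") if user_m else None
        src = src_m.group("src") if src_m else None
        events.append((ts, user, src))
    return events


def failures_by_source(events):
    """Count auth-fail events per source address (None = no address recorded)."""
    return Counter(src for _, _, src in events)


def flag_sources(events, threshold=3):
    """Sources with at least `threshold` failures, sorted; console entries excluded."""
    counts = failures_by_source(events)
    return sorted(src for src, n in counts.items() if src is not None and n >= threshold)


if __name__ == "__main__":
    evts = parse_auth_failures(SAMPLE_LOGS)
    for ts, user, src in evts:
        print(f"{ts}  user={user!s:8} from={src or 'console/unknown'}")
    print("repeat offenders:", flag_sources(evts))
```

For a real investigation, export the system log from Monitor > System with the `( eventid eq auth-fail )` filter and feed the CSV to a proper CSV reader instead of the naive comma split used here; the regexes on the description field are the part that carries over. Entries without a "From:" address are kept, not dropped, so console failures still show up in the count.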

Nice! I thought system log just includes mgmt interface attempts
