08-08-2017 04:11 AM
Hi All,
I have a situation where someone tried to access Palo Alto and failed to log in as the authentication was not granted. Any idea where I can go and see what was the source IP and location etc.? A bit of forensics.
Any suggestions most welcome.
Imran
(Brighton)
08-08-2017 04:30 AM
PA-3020 shows failed auths in /Monitor/System.
Event = auth-fail
This shows the IP address of the failed auth.
08-08-2017 04:35 AM
Except for console logins, there obviously is no IP address.
08-16-2017 02:51 AM
So how would you find the source IP? Any comments, please feel free.
08-16-2017 05:17 AM - edited 08-16-2017 05:17 AM
Hi,
It says from:
You can only see this info if the attempts were initiated to the mgmt interface. If the user was trying to get access over the data-plane interface, then check intra-zone traffic (if logging is enabled), filtering based on the destination Palo IP address as well as destination port 443.
08-16-2017 06:32 AM
You will also get auth-fail logs if the attempt was made on a dataplane management profile 🙂
08-16-2017 06:36 AM
Nice! I thought system log just includes mgmt interface attempts.
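One way to tally the `auth-fail` entries discussed in this thread by source address, as an added example that is not part of the original posts. The `timestamp,eventid,description` line layout and the `From: <ip>.` description suffix are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample export (timestamp,eventid,description); not real logs.
# ASSUMPTION: the description ends in "From: <ip>." when a source is known.
SAMPLE_SYSTEM_LOG = """\
2017/08/08 03:58:12,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password. From: 203.0.113.45.
2017/08/08 03:58:40,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password. From: 203.0.113.45.
2017/08/08 04:01:02,auth-fail,failed authentication for user 'root'. Reason: Invalid username/password. From: 198.51.100.7.
2017/08/08 04:02:19,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password.
2017/08/08 04:03:00,general,User admin logged in via Web from 192.0.2.10 using https
"""

FROM_RE = re.compile(r"From:\s*(\S+)")
USER_RE = re.compile(r"for user '([^']*)'")

def parse_source(description):
    """Return the source IP as a string, or None when no valid IP is logged."""
    match = FROM_RE.search(description)
    if not match:
        return None  # e.g. a console login, which carries no address
    try:
        return str(ipaddress.ip_address(match.group(1).rstrip(".,")))
    except ValueError:
        return None

def summarize_auth_failures(text):
    """Group auth-fail events by source; key None collects entries without an IP."""
    summary = defaultdict(lambda: {"count": 0, "users": set()})
    for line in text.splitlines():
        fields = line.split(",", 2)  # description may itself contain commas
        if len(fields) != 3 or fields[1].strip() != "auth-fail":
            continue
        entry = summary[parse_source(fields[2])]
        entry["count"] += 1
        user = USER_RE.search(fields[2])
        if user:
            entry["users"].add(user.group(1))
    return dict(summary)

if __name__ == "__main__":
    ranked = sorted(summarize_auth_failures(SAMPLE_SYSTEM_LOG).items(),
                    key=lambda kv: -kv[1]["count"])
    for src, info in ranked:
        print(src or "no source IP (e.g. console)", info["count"], sorted(info["users"]))
```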