07-06-2023 11:16 AM
Hi,
I've been receiving many system alerts with the message:
opaque: failed authentication for user ''. Reason: User is not in allowlist. auth profile '', vsys 'vsys1', From" "Public IP"
eventid: auth-fail
It looks like these public IPs are trying to access our internal network by coming through the Global Protect App, coming from many different random user names and public IP addresses. It seems that the Palo Alto firewall sends the credentials to the Active Directory server and that's when it fails.
Is there a way to prevent all these attempts without even having it go to the AD server?
Thanks.
07-07-2023 01:44 AM
Hi @roma ,
The error message you receive actually tells the opposite: "Reason: User is not in allowlist".
When you configure your Authentication Profile, there is a tab to specify a list of users or user groups that are allowed to authenticate with that profile.
The firewall will first take the provided username and compare it with this allow list. If it doesn't match any of the allowed users/user groups, the FW will deny user authentication, without even sending the credentials to AD for validation.
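A triage script for alerts like the one quoted in the question, added here as an example and not code from this thread or from Palo Alto Networks: it parses auth-fail messages in the shape of the quoted line, counts attempts per source IP, and separates failures the firewall rejected locally (allow list) from those that were forwarded to the directory server. The exact message layout, the profile name, usernames, addresses and the second reason string are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Pattern modelled on the auth-fail message quoted in the question; "From" is
# matched loosely because the post shows that field with stray quotes.
AUTH_FAIL_RE = re.compile(
    r"failed authentication for user '(?P<user>[^']*)'\. "
    r"Reason: (?P<reason>[^.]+)\. "
    r"auth profile '(?P<profile>[^']*)', vsys '(?P<vsys>[^']*)'"
    r".*?From\W*(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)
# Reasons the firewall decides locally, before anything is sent to the directory.
LOCAL_REJECT_REASONS = {"User is not in allowlist"}

def parse_auth_fail(line):
    """Return the fields of one auth-fail message, or None if it does not match."""
    m = AUTH_FAIL_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines, threshold=3):
    """Count attempts per source IP, collect usernames tried from each, split
    failures into locally rejected vs forwarded, and flag noisy sources."""
    per_src, users_by_src = Counter(), defaultdict(set)
    local = forwarded = 0
    for line in lines:
        rec = parse_auth_fail(line)
        if rec is None:
            continue  # not an auth-fail message
        per_src[rec["src"]] += 1
        users_by_src[rec["src"]].add(rec["user"])
        if rec["reason"] in LOCAL_REJECT_REASONS:
            local += 1
        else:
            forwarded += 1
    return {
        "attempts_by_src": dict(per_src),
        "users_by_src": {s: sorted(u) for s, u in users_by_src.items()},
        "rejected_locally": local,
        "forwarded_to_directory": forwarded,
        "noisy_sources": sorted(s for s, n in per_src.items() if n >= threshold),
    }

# Constructed sample messages in the shape of the line quoted in the post.
SAMPLE_LINES = [
    "failed authentication for user 'jsmith'. Reason: User is not in allowlist. auth profile 'GP-Auth', vsys 'vsys1', From: 203.0.113.45.",
    "failed authentication for user 'admin'. Reason: User is not in allowlist. auth profile 'GP-Auth', vsys 'vsys1', From: 203.0.113.45.",
    "failed authentication for user 'test'. Reason: User is not in allowlist. auth profile 'GP-Auth', vsys 'vsys1', From: 203.0.113.45.",
    "failed authentication for user 'mwilson'. Reason: Invalid username/password. auth profile 'GP-Auth', vsys 'vsys1', From: 198.51.100.7.",
]
```

Sources that only ever hit "User is not in allowlist" never generated a request to AD, so the per-source counts tell you how much of the alert volume is already being stopped at the firewall.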