Use the Administrator Login Activity Indicators to Detect Account Misuse
Updated on
Mon Jul 01 15:32:01 UTC 2024
End-of-Life (EoL)
The last login time and failed login attempts indicators provide a visual way to detect misuse of your administrator account on a Palo Alto Networks firewall or Panorama management server. Use the last login information to determine whether someone else logged in using your credentials, and use the failed login attempts indicator to determine whether your account is being targeted in a brute-force attack.
View the login activity indicators to monitor recent activity on your account.
Log in to the web interface on your firewall or Panorama management server.
View the last login details located at the bottom left of the window and verify that the timestamp corresponds to your last login.
Look for a caution symbol to the right of the last login time information for failed login attempts.
The failed login indicator appears if one or more failed login attempts occurred using your account since the last successful login.
If you see the caution symbol, hover over it to display the number of failed login attempts.
Click the caution symbol to view the failed login attempts summary. Details include the admin account name, the reason for the login failure, the source IP address, and the date and time.
After you successfully log in and then log out, the failed login counter resets to zero, so you will see new failed login details, if any, the next time you log in.
Locate hosts that are continually attempting to log in to your firewall or Panorama management server.
Click the failed login caution symbol to view the failed login attempts summary.
Locate and record the source IP address of the host that attempted to log in. For example, the following figure shows multiple failed login attempts from the IP address 192.168.2.10.
Work with your network administrator to locate the user and host that are using the IP address that you identified.
If you cannot locate the system that is performing the brute-force attack, consider renaming the account to prevent future attacks against it.
Take the following actions if you detect an account compromise.
Select Monitor > Logs > Configuration and view the configuration changes and commit history to determine if your account was used to make changes without your knowledge.
Select Device > Config Audit to compare the current configuration with the configuration that was running just prior to the configuration you suspect was changed using your credentials. You can also do this using Panorama.
If your administrator account was used to create a new account, performing a configuration audit helps you detect changes that are associated with any unauthorized accounts, as well.
Revert the configuration to a known good configuration if you see that logs were deleted or if you have difficulty determining if improper changes were made using your account.
Before you commit to a previous configuration, review it to ensure that it contains the correct settings. For example, the configuration that you revert to may not contain recent changes, so apply those changes after you commit the backup configuration.
Use the following best practices to help prevent brute-force attacks on privileged accounts.
Limit the number of failed attempts allowed before the firewall locks a privileged account by setting the number of Failed Attempts and the Lockout Time (min) in the authentication profile or in the Authentication Settings for the Management interface (Device > Setup > Management > Authentication Settings).
Use Interface Management Profiles to Restrict Access.
Enforce complex passwords for privileged accounts.
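The following Python script is an added example, not code from the PAN-OS documentation or from Palo Alto Networks. It works through two of the steps above on constructed records: finding the hosts that keep failing against an account (the triage you do from the failed login attempts summary) and replaying those same records under a Failed Attempts / Lockout Time policy to show what the lockout best practice would have blocked. The record layout is an assumption made for the example: it carries the fields the summary shows (admin name, reason, source IP, date and time), but it is not a real PAN-OS log or export format, and the "success after a burst of failures" heuristic is this example's own, not a PAN-OS indicator.

```python
"""Triage admin-login records for brute-force activity and model a
Failed Attempts / Lockout Time policy.

Added example, not PAN-OS code. The record layout is an assumption for
this example and is not a real PAN-OS log or export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, admin, source_ip, outcome, reason).
# The burst from 192.168.2.10 ends in a success (a guessing attack that
# worked); 10.1.1.5 is a legitimate user mistyping a password.
SAMPLE_EVENTS = [
    ("2024-07-01 09:00:05", "admin", "192.168.2.10", "failed", "invalid username or password"),
    ("2024-07-01 09:00:09", "admin", "192.168.2.10", "failed", "invalid username or password"),
    ("2024-07-01 09:00:14", "admin", "192.168.2.10", "failed", "invalid username or password"),
    ("2024-07-01 09:00:18", "admin", "192.168.2.10", "failed", "invalid username or password"),
    ("2024-07-01 09:00:23", "admin", "192.168.2.10", "failed", "invalid username or password"),
    ("2024-07-01 09:00:27", "admin", "192.168.2.10", "failed", "invalid username or password"),
    ("2024-07-01 09:00:31", "admin", "192.168.2.10", "success", ""),
    ("2024-07-01 10:15:00", "admin", "10.1.1.5", "failed", "invalid username or password"),
    ("2024-07-01 10:15:20", "admin", "10.1.1.5", "success", ""),
    ("2024-07-01 11:40:00", "admin", "10.1.1.5", "failed", "invalid username or password"),
]


def parse_events(rows):
    """Turn raw tuples into dicts with real datetimes, oldest first."""
    events = [{"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "admin": admin,
               "src": src, "outcome": outcome, "reason": reason}
              for ts, admin, src, outcome, reason in rows]
    return sorted(events, key=lambda e: e["time"])


def failures_since_last_success(events, admin):
    """What the caution symbol counts: failures for this account after its
    most recent successful login (0 means no symbol would be shown)."""
    count = 0
    for e in (e for e in events if e["admin"] == admin):
        count = 0 if e["outcome"] == "success" else count + 1
    return count


def brute_force_sources(events, admin, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failures against `admin` inside
    any `window`: the hosts to hand to the network administrator."""
    by_src = defaultdict(list)
    for e in events:
        if e["admin"] == admin and e["outcome"] == "failed":
            by_src[e["src"]].append(e["time"])
    flagged = set()
    for src, times in by_src.items():          # times are already sorted
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def successes_after_burst(events, admin, threshold=5, window=timedelta(minutes=10)):
    """Successful logins preceded by a burst of failures from the same host:
    the sign that a guessing attack got in. Heuristic added for this example."""
    hits, recent = [], defaultdict(list)       # src -> times of recent failures
    for e in (e for e in events if e["admin"] == admin):
        recent[e["src"]] = [t for t in recent[e["src"]] if e["time"] - t <= window]
        if e["outcome"] == "failed":
            recent[e["src"]].append(e["time"])
        elif len(recent[e["src"]]) >= threshold:
            hits.append((e["src"], e["time"]))
            recent[e["src"]].clear()
    return hits


def simulate_lockout(events, admin, failed_attempts, lockout_minutes):
    """Replay the account's logins under a Failed Attempts / Lockout Time
    policy. Returns (attempts the lockout rejected, set of source IPs whose
    login still succeeded). failed_attempts=0 models the policy disabled
    (this example's convention)."""
    strikes, locked_until, blocked, succeeded = 0, None, 0, set()
    for e in (e for e in events if e["admin"] == admin):
        if locked_until and e["time"] < locked_until:
            blocked += 1                       # rejected regardless of password
            continue
        if e["outcome"] == "success":
            strikes = 0
            succeeded.add(e["src"])
            continue
        strikes += 1
        if failed_attempts and strikes >= failed_attempts:
            locked_until = e["time"] + timedelta(minutes=lockout_minutes)
            strikes = 0
    return blocked, succeeded


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print("failures since last success:", failures_since_last_success(ev, "admin"))
    print("brute-force sources:", brute_force_sources(ev, "admin"))
    print("success after burst:", successes_after_burst(ev, "admin"))
    print("no lockout   ->", simulate_lockout(ev, "admin", 0, 30))
    print("5 tries/30min->", simulate_lockout(ev, "admin", 5, 30))
```

Run against the constructed records, the caution-symbol count alone only reports the single stray failure after the last successful login, which is exactly why the page has you open the summary and look at source IPs: the per-source view flags 192.168.2.10, and the burst-then-success check shows that host got in. Replaying the same records with Failed Attempts set to 5 and Lockout Time to 30 minutes rejects the sixth guess and the attacker's successful login while the legitimate user from 10.1.1.5 is unaffected.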