Failed login attempts-paloaltonetworks-panos
Vendor: paloaltonetworks
OS: panos
Description:
Indeni will alert if allowed login attempts is set to 0 (default) or greater that 5.
Remediation Steps:
Set the number of failed login attempts (range is 1 to 5) that the device allows for the web interface and CLI before locking out the administrator account. If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the Failed Attempts is ignored and the user is never locked out. https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-setup-management
How does this work?
This alert uses the Palo Alto Networks API interface to parse through the configured management setting and verify the number of failed attemtps is configured to a value lower than or equal to 5.
Why is this important?
A failed attempt to login may be made out of human error and can be corrected in couple attempts. If we have this value more than few attempts then we may allow malicious system to try to login with repeated attempts until success to gain access into the firewall and control the device.
Without Indeni how would you find this?
Login to the device’s web interface and click on “Device” -> “Management” -> “Authentication Settings” and check the configured “Failed Attempts” value
panos-failed-attempts
Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/parsers/src/panw/panos/admin-failed-attempts/admin-failed-attempts.ind.yaml
PanwFailedAttemptsRule
Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/paloaltonetworks/PanwFailedAttemptsRule.scala