Failed login attempts-paloaltonetworks-panos


Vendor: paloaltonetworks

OS: panos

Description:
Indeni will alert if the number of allowed failed login attempts is set to 0 (default) or greater than 5.

Remediation Steps:
Set the number of failed login attempts (range is 1 to 5) that the device allows for the web interface and CLI before locking out the administrator account. If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the Failed Attempts is ignored and the user is never locked out. https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-setup-management

How does this work?
This alert uses the Palo Alto Networks API to parse the configured management settings and verify that the number of failed attempts is configured to a value lower than or equal to 5.

Why is this important?
A failed login attempt may be the result of human error and can be corrected within a couple of attempts. If this value allows more than a few attempts, a malicious system can make repeated login attempts until one succeeds, gaining access to the firewall and control of the device.

Without Indeni how would you find this?
Log in to the device’s web interface, click on “Device” -> “Management” -> “Authentication Settings”, and check the configured “Failed Attempts” value.

panos-failed-attempts

name: panos-failed-attempts
description: Ensure failed-attempts is set to a value lower than or equal to 5
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos
comments:
    admin-failed-attempts:
        why: |
            A failed login attempt may be the result of human error and can be corrected within a couple of attempts. If this value allows more than a few attempts, a malicious system can make repeated login attempts until one succeeds, gaining access to the firewall and control of the device.
        how: |
            This alert uses the Palo Alto Networks API to parse the configured management settings and verify that the number of failed attempts is configured to a value lower than or equal to 5.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /api/?type=config&action=get&xpath=/config/devices/entry/deviceconfig/setting/management/admin-lockout&key=${api-key}
    parse:
        type: XML
        file: admin-failed-attempts.parser.1.xml.yaml
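
The check described above, sketched in Python as an added example; it is not Indeni's parser or rule code. It evaluates the XML returned for the `admin-lockout` xpath and also flags the Lockout Time caveat from the remediation text. The response shape, the sample documents and the function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample replies (assumed shape of the API response for the
# admin-lockout xpath); none of these were captured from a real device.
SAMPLE_OK = """<response status="success"><result>
  <admin-lockout><failed-attempts>3</failed-attempts><lockout-time>30</lockout-time></admin-lockout>
</result></response>"""
SAMPLE_NO_LOCKOUT_TIME = """<response status="success"><result>
  <admin-lockout><failed-attempts>3</failed-attempts><lockout-time>0</lockout-time></admin-lockout>
</result></response>"""
SAMPLE_TOO_MANY = """<response status="success"><result>
  <admin-lockout><failed-attempts>10</failed-attempts><lockout-time>30</lockout-time></admin-lockout>
</result></response>"""
SAMPLE_UNSET = """<response status="success" code="7"><result/></response>"""


def _int_or_zero(node, tag):
    """Integer text of a child element, or 0 when the element is absent."""
    text = node.findtext(tag) if node is not None else None
    return int(text) if text and text.strip().isdigit() else 0


def check_admin_lockout(xml_text, max_attempts=5):
    """Return a list of findings; an empty list means the setting passes."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed: status=%r" % root.get("status"))
    lockout = root.find("./result/admin-lockout")  # None when nothing is configured
    attempts = _int_or_zero(lockout, "failed-attempts")
    lockout_time = _int_or_zero(lockout, "lockout-time")
    findings = []
    if attempts == 0:
        findings.append("failed-attempts is 0 (default)")
    elif attempts > max_attempts:
        findings.append("failed-attempts is %d, greater than %d" % (attempts, max_attempts))
    # Per the remediation text: a non-zero Failed Attempts value is ignored
    # while Lockout Time is 0, so report that combination as well.
    if attempts != 0 and lockout_time == 0:
        findings.append("lockout-time is 0, so failed-attempts=%d is ignored" % attempts)
    return findings


if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_NO_LOCKOUT_TIME", "SAMPLE_TOO_MANY", "SAMPLE_UNSET"):
        print(name, check_admin_lockout(globals()[name]) or "pass")
```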

PanwFailedAttemptsRule

https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/paloaltonetworks/PanwFailedAttemptsRule.scala