How are you getting Palo Alto VPN Authentication Failures for SAML based logins?

Our org is using a Palo Alto firewall/VPN and the GlobalProtect client. Our clients are using SAML-based logins to authenticate to this VPN. We are pulling in Palo Alto's system log (which contains VPN authentication records) via a beat running as a syslog UDP listener. Traffic and threat logs are going to a separate beat running Filebeat's panw module.
Looking at the Palo Alto's system log, I can see the originating IP and user name when there is a successful SAML login to the VPN via GlobalProtect. However, when there is an unsuccessful SAML-based login I see nothing. I asked our Palo Alto admin, and he tells me SAML doesn't return any information, so there is nothing to log. I asked our ADFS admin, who confirmed SAML doesn't return anything on unsuccessful login and this is by design. Looking at the ADFS logs, I can see who tried to log in and whether the authentication failed, but not where it originated from.
I need to capture "login failed with this username from this IP", but neither system has all of the info needed. I feel like I'm missing some info someone is overlooking. The logical place would be the Palo Alto; I am wondering if something needs a change in its config. I was hoping someone here has encountered this scenario and could offer suggestions on how to proceed. Thanks.