INC_GLOBALPROTECT_GW_USER_AUTH_TIMEOUT_FAILURES_COUNT_EXCEEDED_ABOVE_BASELINE_ALL_PA_LOCATIONS

Learn about the INC_GLOBALPROTECT_GW_USER_AUTH_TIMEOUT_FAILURES_COUNT_EXCEEDED_ABOVE_BASELINE_ALL_PA_LOCATIONS incident.

Synopsis

Gateway authentication timeout failures are higher than twice the baseline for all Prisma Access locations.
Incident Code: INC_GLOBALPROTECT_GW_USER_AUTH_TIMEOUT_FAILURES_COUNT_EXCEEDED_ABOVE_BASELINE_ALL_PA_LOCATIONS

Required License

AI-Powered ADEM

Details

Description
Raise condition
The incident is raised at the tenant when the average authentication timeouts are more than twice the baseline in 45 minutes.
Clear condition
The incident is cleared at the tenant when the average authentication timeouts are less than twice the baseline in 45 minutes.

Correlated Alerts

  • AL_GLOBALPROTECT_GW_USER_AUTH_SUCCESS_COUNT_DROPPED_BELOW_BASELINE_ALL_PA_LOCATIONS
  • AL_GLOBALPROTECT_GW_USER_AUTH_SUCCESS_COUNT_DROPPED_BELOW_BASELINE_PER_PA_LOCATION
  • AL_GLOBALPROTECT_GW_USER_AUTH_TIMEOUT_FAILURES_COUNT_EXCEEDED_ABOVE_BASELINE_ALL_PA_LOCATIONS
  • AL_GLOBALPROTECT_GW_USER_AUTH_TIMEOUT_FAILURES_COUNT_EXCEEDED_ABOVE_BASELINE_PER_PA_LOCATION
  • AL_GLOBALPROTECT_USER_COUNT_DROPPED_BELOW_BASELINE_ACROSS_PER_PA_LOCATION
  • AL_GLOBALPROTECT_USER_COUNT_DROPPED_BELOW_BASELINE_ALL_PA_LOCATIONS

Remediation

Check the availability of your authentication services.
  • For on-premises authentication services (such as LDAP, RADIUS, or Kerberos), review the audit logs for incoming user requests or login errors. If there is a lapse in incoming requests, take packet captures on the relevant network path.
  • For public authentication services (such as SAML or cloud LDAP or RADIUS services), review the audit logs provided by your authentication service. If there is a lapse in incoming requests, check with your authentication provider for any ongoing outages.
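
The audit-log review described above, as an added example that is not part of the original page or any Palo Alto Networks code: it counts incoming requests and login errors and lists lapses in incoming requests over the 45-minute window from the raise condition. The log line format, the `parse_line` and `triage` names, and the 10-minute lapse threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "<ISO time> <result> user=<name>"
# format; adapt parse_line() to your LDAP/RADIUS/Kerberos server's audit log.
SAMPLE_LOG = """\
2024-05-01T10:02:10 ACCEPT user=alice
2024-05-01T10:05:40 ACCEPT user=bob
2024-05-01T10:09:15 REJECT user=carol
2024-05-01T10:31:05 ACCEPT user=dave
2024-05-01T10:36:50 REJECT user=erin
2024-05-01T10:43:30 ACCEPT user=frank
"""

def parse_line(line):
    """Return (timestamp, result) for one audit log line."""
    stamp, result, _user = line.split(maxsplit=2)
    return datetime.fromisoformat(stamp), result

def triage(log_text, window_end, window=timedelta(minutes=45),
           max_gap=timedelta(minutes=10)):
    """Summarise requests, login errors and request lapses inside the window."""
    window_start = window_end - window
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    events = [(t, r) for t, r in events if window_start <= t <= window_end]
    # Bracket the request times with the window edges so that silence at the
    # start or end of the window is reported as a lapse too.
    marks = [window_start] + [t for t, _ in events] + [window_end]
    lapses = [(a, b) for a, b in zip(marks, marks[1:]) if b - a > max_gap]
    errors = sum(1 for _, r in events if r != "ACCEPT")
    return {"requests": len(events), "errors": errors, "lapses": lapses}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, datetime(2024, 5, 1, 10, 45))
    print(f"{report['requests']} requests, {report['errors']} login errors")
    for start, end in report["lapses"]:
        print(f"lapse in incoming requests: {start:%H:%M:%S} to {end:%H:%M:%S}")
```

A reported lapse means requests did not reach the server during that period, which is the case where the remediation calls for packet captures on the network path or a check with the provider.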