INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
Focus
Focus
Prisma Access

INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION

Table of Contents

INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION

Learn about the INC_GLOBALPROTECT_GW_USER_AUTH_TIMEOUT_FAILURES_COUNT_EXCEEDED_ABOVE_ BASELINE_PER_PA_LOCATION incident.

Synopsis

Gateway authentication timeout failures are higher than twice the baseline for location <location-name>.
Incident Codeā€”INC_GLOBALPROTECT_GW_USER_AUTH_TIMEOUT_FAILURES_COUNT_EXCEEDED_ABOVE_ BASELINE_PER_PA_LOCATION

Required License

AI-Powered ADEM

Details

Description
Raise condition
The incident is raised for a location when the average authentication timeouts are more than twice the baseline for 45 minutes.
Clear condition
The incident is cleared for a location when the average authentication timeouts are less than twice the baseline for 45 minutes.

Correlated Alerts

  • AL_GLOBALPROTECT_GW_USER_AUTH_SUCCESS_COUNT_DROPPED_BELOW_BASELINE_ PER_PA_LOCATION
  • AL_GLOBALPROTECT_GW_USER_AUTH_TIMEOUT_FAILURES_COUNT_EXCEEDED_ABOVE_ BASELINE_PER_PA_LOCATION
  • AL_GLOBALPROTECT_USER_COUNT_DROPPED_BELOW_BASELINE_ACROSS_PER_PA_LOCATION

Remediation

Check your authentication service availability on those services.
  • For on-premise authentication services (such as LDAP, Radius, or Kerberos), you can review audit logs for incoming user requests or login errors. If there is a lapse in incoming requests, take packet captures on the relevant network path.
  • For public authentication services (such as SAML or cloud LDAP or Radius services), review audit logs provided by your authentication service. If there is a lapse in incoming requests, check with your authentication provider for any ongoing outages.