Looking to see if anyone has configured dashboards for Palo Alto Firewall inbound connection attempts. Not seeing the log data available in log search regarding “inbound” connections, just outbound. Am i missing something here…? Would be helpful in terms of sourcing malicious IP’s attempting VPN connections from the outside.
You need to forward the vpn logs to IDR to get ingress authentication logs for Palo Alto VPN (PAN FW: DEVICE → Log Settings → GlobalProtect → forward all logs per syslog to IDR collector).
After that you can create a dashboard and filter for stuff like failed/successfull logins and list the usernames, IPs or Source Countrys etc.