https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-automatically-blocking-ip-s-after-a-certain/ta-p/574451 <P><SPAN>This Nominated Discussion Article is based on the post "</SPAN><STRONG><A title="Automatically blocking IP's after a certain number of Global Protect pre-login failures? " href="https://live.paloaltonetworks.com/t5/general-topics/automatically-blocking-ip-s-after-a-certain-number-of-global/m-p/565062" target="_blank" rel="noopener">Automatically blocking IP's after a certain number of Global Protect pre-login failures? </A></STRONG><SPAN>" by&nbsp;<STRONG><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/176255">@pomologist</a></STRONG> and answered by Cyber Elite&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a> and <STRONG><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7011">@MikeGill</a></STRONG>. Read on if you are curious about how protecting your GP from brute force attacks!</SPAN></P> <P>&nbsp;</P> <DIV class="lia-message-template-content-zone"> <BLOCKQUOTE> <P>I've just recently started getting blasted with Global Protect portal pre-login failures, coming from a bunch of illegitimate IP's. They all fail because I use certificate authentication and the client cert is not present on the attacker's device. &nbsp;I have have the NGF set up to email me every time this happens and I'm getting just blasted with emails. I only use Global Protect for remote management.&nbsp;</P> <P>&nbsp;</P> <P>See screenshot of some of the IP's attempting to gain access. &nbsp;I keep blocking IP's but then the attacker uses new ones.&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot 2023-11-09 at 3.50.24 PM.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56868iA2C65C276BBF852B/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2023-11-09 at 3.50.24 PM.png" alt="Screenshot 2023-11-09 at 3.50.24 PM.png" /></span></P> <P>&nbsp;</P> <P>My question is, is there a way to automatically block IP's after a certain number of Global Protect pre-login failures?</P> </BLOCKQUOTE> <P>Automatic remediation of failed logins is something that I always script through the API. The easiest way to do that is creating a custom report on the firewall and using the API to collect the report on a scheduled basis. Have the script parse the IPs that are failing to login and add it to an EDL that you have configured to on the firewall and create a security rulebase entry to drop all traffic from any IP address located within the EDL.</P> <P>&nbsp;</P> <BLOCKQUOTE> <P>I am new to scripting and the API.&nbsp; Where do you go on the firewall for this?&nbsp; I have found this type of traffic and would sure like to get it blocked a different way then manually blocking them one at a time.</P> </BLOCKQUOTE> <P>Here's an article that&nbsp;<SPAN><SPAN class="richTextArea slds-text-longform tile__title red-txt">describes the steps to configure a security policy to block brute force attacks (excessive number of login attempts in a sort period)&nbsp; on the GlobalProtect Portal page </SPAN></SPAN>without having to know any scripting:</P> <P><BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ2CAK" target="_blank" rel="noopener">Detecting Brute Force Attack on GlobalProtect Portal Page - Knowledge Base - Palo Alto Networks</A></P> <P>&nbsp;</P> </DIV> Tue, 26 Nov 2024 23:38:25 GMT kiwi 2024-11-26T23:38:25Z https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-automatically-blocking-ip-s-after-a-certain/ta-p/574451 <P>A Nominated Discussion&nbsp;<SPAN>on implementing automatic safeguards for GlobalProtect against brute force attacks.</SPAN></P> Tue, 26 Nov 2024 23:38:25 GMT https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-automatically-blocking-ip-s-after-a-certain/ta-p/574451 kiwi 2024-11-26T23:38:25Z https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-automatically-blocking-ip-s-after-a-certain/tac-p/593243#M737 <P>I also have the same issue. Is there a way PA automatically block the IP participating in Brute force attack?</P> Sun, 28 Jul 2024 11:48:48 GMT https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-automatically-blocking-ip-s-after-a-certain/tac-p/593243#M737 B.ZafarIqbal 2024-07-28T11:48:48Z https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-automatically-blocking-ip-s-after-a-certain/tac-p/593267#M738 <P>To my knowledge this is the only semi-automatic way.</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ2CAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ2CAK</A></P> Mon, 29 Jul 2024 05:55:16 GMT https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-automatically-blocking-ip-s-after-a-certain/tac-p/593267#M738 Andrian 2024-07-29T05:55:16Z https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-automatically-blocking-ip-s-after-a-certain/tac-p/639367#M759 <DIV dir="ltr"> <P>Why not use Auto Tagging to tag the users/source ip based on the logs and by adding them to Dynamic User Group (DUG)&nbsp; and block them? It can be combined with the brute force signature as to trigger from it's log!</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions" target="_blank" rel="noopener" data-saferedirecturl="https://www.google.com/url?q=https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions&amp;source=gmail&amp;ust=1732185061613000&amp;usg=AOvVaw1CXtUEcoLFi_fjUvUzFJpU">Use Auto-Tagging to Automate Security Actions</A></P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/network-security/security-policy/administration/objects/dynamic-user-groups" target="_blank" rel="noopener" data-saferedirecturl="https://www.google.com/url?q=https://docs.paloaltonetworks.com/network-security/security-policy/administration/objects/dynamic-user-groups&amp;source=gmail&amp;ust=1732185061613000&amp;usg=AOvVaw3lriya0iq0ZgROJlyU53vq">Policy Object: Dynamic User Groups</A></P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-dynamic-user-groups-in-policy" target="_blank" rel="noopener" data-saferedirecturl="https://www.google.com/url?q=https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-dynamic-user-groups-in-policy&amp;source=gmail&amp;ust=1732185061613000&amp;usg=AOvVaw2N5WpWk78lfQK0EEqPwxn7">Use Dynamic User Groups in Policy</A></P> </DIV> Wed, 20 Nov 2024 10:35:49 GMT https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-automatically-blocking-ip-s-after-a-certain/tac-p/639367#M759 nikoolayy1 2024-11-20T10:35:49Z https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-automatically-blocking-ip-s-after-a-certain/tac-p/998794#M769 <P>Configuring the vulnerability protection profile exclusion for global protect and set the action to IP-block is the best way to do this.</P> Wed, 18 Dec 2024 14:52:02 GMT https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-automatically-blocking-ip-s-after-a-certain/tac-p/998794#M769 JonGross 2024-12-18T14:52:02Z