GlobalProtect - Autoblock/kick users when vulnerability exploit is detected?

DougSirek107 — Thu, 02 Sep 2021 18:39:18 GMT

I'm curious if anyone has crafted either a vulnerability profile or security policy that would disconnect or auto-block a user if their a vulnerability exploit is attempted while they are connected via Globalprotect. We've set up event logging that can flag and email my team whenever a user starts displaying malicious or compromised behavior when connected via Globalprotect, but we'd like to take it a step further and auto-block and/or disconnect a suspicious user.

Thoughts?

Re: GlobalProtect - Autoblock/kick users when vulnerability exploit is detected?

BenKnorr2 — Fri, 03 Sep 2021 22:57:25 GMT

How about dynamic IP tagging based on info from threat logs? https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions.html

In a nutshell, you have a log forwarding profile that hits on whatever threats you want (medium and higher, etc.), and it can do several things: forwards to syslog/panorama/datalake, sends admin an email alert, sends SNMP trap, tags the IP. You will make an address group based on this tag and create a security rule that blocks this traffic, sends to an alert page, etc. The duration of block is determined in the log fwd profile.

topic GlobalProtect - Autoblock/kick users when vulnerability exploit is detected? in GlobalProtect Discussions

GlobalProtect - Autoblock/kick users when vulnerability exploit is detected?

Re: GlobalProtect - Autoblock/kick users when vulnerability exploit is detected?