https://live.paloaltonetworks.com/t5/globalprotect-discussions/help-i-have-a-hacker-trying-to-use-specific-users-to-get-into-my/m-p/561302#M4499 <P>The pattern is they try nonsense users such as "cisco" and I block their IP they come from, but they always come back. I am getting frequent attempts with various other users, but they seem to come back within an hour of me blocking their IPs.<BR /><BR />I need a rule that immediately blocks the user, potentially one that could add to a dynamic IP list discouraging return visits, BUT I'd be HAPPY if the user tries with "cisco" is rejected and the connection dropped. My Policy contains the users, but I'm afraid the timing is off since this isn't a "Connection" policy, but a reaction policy.&nbsp;</P> Wed, 11 Oct 2023 15:14:45 GMT AndrewBytes 2023-10-11T15:14:45Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/help-i-have-a-hacker-trying-to-use-specific-users-to-get-into-my/m-p/561302#M4499 <P>The pattern is they try nonsense users such as "cisco" and I block their IP they come from, but they always come back. I am getting frequent attempts with various other users, but they seem to come back within an hour of me blocking their IPs.<BR /><BR />I need a rule that immediately blocks the user, potentially one that could add to a dynamic IP list discouraging return visits, BUT I'd be HAPPY if the user tries with "cisco" is rejected and the connection dropped. My Policy contains the users, but I'm afraid the timing is off since this isn't a "Connection" policy, but a reaction policy.&nbsp;</P> Wed, 11 Oct 2023 15:14:45 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/help-i-have-a-hacker-trying-to-use-specific-users-to-get-into-my/m-p/561302#M4499 AndrewBytes 2023-10-11T15:14:45Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/help-i-have-a-hacker-trying-to-use-specific-users-to-get-into-my/m-p/561326#M4500 <P>Welcome to the club. 2FA and limiting login by geographic location is the only thing you can do, I believe.&nbsp;</P> <P>There's nothing like Fail2ban that will do what you're wanting.</P> Wed, 11 Oct 2023 18:55:34 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/help-i-have-a-hacker-trying-to-use-specific-users-to-get-into-my/m-p/561326#M4500 MNoble 2023-10-11T18:55:34Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/help-i-have-a-hacker-trying-to-use-specific-users-to-get-into-my/m-p/561361#M4502 <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/231619">@AndrewBytes</a> ,</P> <P>&nbsp;</P> <P>I have found that disabling the portal login page (under the General tab) has removed 99% of those attempts.&nbsp; You can re-enable it temporarily if someone needs to download the client.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 12 Oct 2023 11:01:49 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/help-i-have-a-hacker-trying-to-use-specific-users-to-get-into-my/m-p/561361#M4502 TomYoung 2023-10-12T11:01:49Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/help-i-have-a-hacker-trying-to-use-specific-users-to-get-into-my/m-p/561502#M4507 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a>&nbsp;wrote:<BR /> <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/231619">@AndrewBytes</a> ,</P> <P>&nbsp;</P> <P>I have found that disabling the portal login page (under the General tab) has removed 99% of those attempts.&nbsp; You can re-enable it temporarily if someone needs to download the client.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> <HR /></BLOCKQUOTE> <P>I know I'm asking a dumb question, but this absolutely won't block the VPN client we have coming in?</P> <P>&nbsp;</P> <P>I am getting "scanned" a lot - I wanna get rid of those guys too - they make me grumpy!</P> Thu, 12 Oct 2023 17:08:59 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/help-i-have-a-hacker-trying-to-use-specific-users-to-get-into-my/m-p/561502#M4507 AndrewBytes 2023-10-12T17:08:59Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/help-i-have-a-hacker-trying-to-use-specific-users-to-get-into-my/m-p/561503#M4508 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/231619">@AndrewBytes</a> ,</P> <P>&nbsp;</P> <P>Correct.&nbsp; My portal login page is disabled, and GP works fine.</P> <P>&nbsp;</P> <P>The bots irritate me, too, or they did.&nbsp; <span class="lia-unicode-emoji" title=":grinning_face:">😀</span></P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 12 Oct 2023 17:13:11 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/help-i-have-a-hacker-trying-to-use-specific-users-to-get-into-my/m-p/561503#M4508 TomYoung 2023-10-12T17:13:11Z