topic Re: How to block the user in global protect if you enter the wrong user several times in GlobalProtect Discussions https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-block-the-user-in-global-protect-if-you-enter-the-wrong/m-p/591705#M5555 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192671">@Alpalo</a>,</P> <P>What are you using as a user directory and how are you authenticating the user? If your using something like Active Directory via RADIUS, you could implement this via an account lock-out policy upon a specified number of failed login attempts. Just be mindful that someone could utilize your gateway to lock out users in your environment. You can specify a lock-out duration so that you don't need to manually unlock the account if you wish as well.</P> <P>&nbsp;</P> <P>Likewise you could follow <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ2CAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ2CAK</A> to setup automatic IP blocking for a specified duration as well whenever the firewall itself detects a brute force attack.</P> <P>I'm partial to using the API to analyze this sort of activity because it allows more flexibility and custom response handling (like cross-comparing information sources to verify whether or not it's actually a user who's simply forgot their credentials). This has the added benefit of being able to quarantine the endpoint itself so that it can't login regardless of the IP address that it's attempting to login from once you want to restrict it programmatically.</P> Thu, 11 Jul 2024 13:43:29 GMT BPry 2024-07-11T13:43:29Z How to block the user in global protect if you enter the wrong user several times https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-block-the-user-in-global-protect-if-you-enter-the-wrong/m-p/591328#M5537 <P>Hello everybody</P> <P>could someone help me with the following question</P> <P>How to block the user in global protect if you enter the wrong user several times?</P> <P>I would like to know if there is a way to block a user for a certain amount of time if you enter the wrong credentials, is it possible?</P> <P>Regards</P> Thu, 11 Jul 2024 10:09:36 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-block-the-user-in-global-protect-if-you-enter-the-wrong/m-p/591328#M5537 Alpalo 2024-07-11T10:09:36Z Re: How to block the user in global protect if you enter the wrong user several times https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-block-the-user-in-global-protect-if-you-enter-the-wrong/m-p/591674#M5553 <P>Hi team</P> <P>Any idea?</P> <P>Regards</P> Thu, 11 Jul 2024 10:09:59 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-block-the-user-in-global-protect-if-you-enter-the-wrong/m-p/591674#M5553 Alpalo 2024-07-11T10:09:59Z Re: How to block the user in global protect if you enter the wrong user several times https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-block-the-user-in-global-protect-if-you-enter-the-wrong/m-p/591705#M5555 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192671">@Alpalo</a>,</P> <P>What are you using as a user directory and how are you authenticating the user? If your using something like Active Directory via RADIUS, you could implement this via an account lock-out policy upon a specified number of failed login attempts. Just be mindful that someone could utilize your gateway to lock out users in your environment. You can specify a lock-out duration so that you don't need to manually unlock the account if you wish as well.</P> <P>&nbsp;</P> <P>Likewise you could follow <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ2CAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ2CAK</A> to setup automatic IP blocking for a specified duration as well whenever the firewall itself detects a brute force attack.</P> <P>I'm partial to using the API to analyze this sort of activity because it allows more flexibility and custom response handling (like cross-comparing information sources to verify whether or not it's actually a user who's simply forgot their credentials). This has the added benefit of being able to quarantine the endpoint itself so that it can't login regardless of the IP address that it's attempting to login from once you want to restrict it programmatically.</P> Thu, 11 Jul 2024 13:43:29 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/how-to-block-the-user-in-global-protect-if-you-enter-the-wrong/m-p/591705#M5555 BPry 2024-07-11T13:43:29Z