topic Re: Failed GlobalProtect login confusion in GlobalProtect Discussions

Failed GlobalProtect login confusion

DopedWafer — Mon, 18 Sep 2023 14:25:08 GMT

We're experiencing a very slow "brute force" login to our VPN but I'm having issues understanding how they're trying to log in.

We currently use okta. None of their failed attempts are showing up in okta but they are showing up in the GlobalProtect monitoring tab of the firewall. Where could they be trying to log in (and failing) to make these logs show up? I am not able to recreate it by failing to log in.

Re: Failed GlobalProtect login confusion

TomYoung — Mon, 18 Sep 2023 20:22:15 GMT

Hi @DopedWafer ,

Try logging into the portal web page with bad credentials.

Thanks,

Tom

Re: Failed GlobalProtect login confusion

DopedWafer — Mon, 18 Sep 2023 20:31:26 GMT

When I hit our VPN page we get redirected to the Okta login, failing our logins here does not log it on the palo alto side but only in Okta. Is there a different logon page they could be getting to? It's weird to me because their failed attempts only show up on the firewall and not okta.

Re: Failed GlobalProtect login confusion

TomYoung — Mon, 18 Sep 2023 20:33:35 GMT

Are you connecting to the portal page with a browser or GlobalProtect client?

Re: Failed GlobalProtect login confusion

DopedWafer — Mon, 18 Sep 2023 20:48:51 GMT

I am authenticating through the embedded browser in the globalprotect client which takes us to an okta log in.

Re: Failed GlobalProtect login confusion

TomYoung — Mon, 18 Sep 2023 20:56:44 GMT

Got it. Thank you.

Open a browser on your computer and browse to your GlobalProtect portal FQDN. e.g., https://xxx.yourdoamin.com.

Re: Failed GlobalProtect login confusion

DopedWafer — Mon, 18 Sep 2023 20:58:59 GMT

This also takes me to okta to authenticate, failing to log in here also does not get logged to the firewall, only the okta logs.

Re: Failed GlobalProtect login confusion

TomYoung — Mon, 18 Sep 2023 21:03:02 GMT

Thank you for testing.

I was getting LOTS of the slow, brute force logins, and disabling the portal web page stopped almost all of them.

I was expecting the failed attempt with the browser was causing it.

Thanks,

Tom

Re: Failed GlobalProtect login confusion

DopedWafer — Tue, 19 Sep 2023 14:26:59 GMT

Thanks, I disabled it and so far so good. Very bizarre to me that I could not recreate the failed login issues.

This brings up another question, with the portal page disable I'm not sure how to get the latest globalprotect client, normally users would navigate to the portal and log in to get it. Is there another way of getting it?

Re: Failed GlobalProtect login confusion

TomYoung — Tue, 19 Sep 2023 17:09:10 GMT

Hi @DopedWafer ,

Users that already have the GP client can be upgraded without the page enabled. For new GP users, you can temporarily enable the portal page, or you could push out the client through MS Intune, Jamf Pro, or similar software.

Thanks,

Tom

Re: Failed GlobalProtect login confusion

Steve_E — Thu, 19 Sep 2024 15:17:35 GMT

Hey @DopedWafer @TomYoung you can also access the Globalprotect client with the direct URL, such as https://portal[.]example[.]com/global-protect/getsoftwarepage[.]esp

Re: Failed GlobalProtect login confusion

TomYoung — Thu, 19 Sep 2024 15:30:35 GMT

Hi @Steve_E ,

You are correct! I learned also after I posted.

Thanks!

Tom

Re: Failed GlobalProtect login confusion

Adrian_Jensen — Thu, 19 Sep 2024 17:11:09 GMT

@DopedWafer wrote:

This also takes me to okta to authenticate, failing to log in here also does not get logged to the firewall, only the okta logs.

When you say you get redirected to Okta to authenticate, I assume you are running SAML authentication through Okta?

I see continuing slow brute-force login attempts on our Portal and Gateway interfaces (that require client cert and SAML authentication respectively). What I have found is that the login attempts are scripted and are just pushing POST login/password variables or sending a HTTP authentication header with user/password. So they ignore/don't understand the initial PA server response to provide a cert/SAML token and instead blindly pushes credentials. The error login therefore shows up on the PA and not your SAML provider as the script never redirects there.