https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-bruteforce-limit-user-password-guessing/m-p/1205412#M6400 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/264421">@LukaKrizman</a>,</P> <P>This isn't a possibility in PAN-OS at the moment. PAN-OS will always attempt to authenticate the user provided and then validates that user against the allow list <EM>if </EM>the authentication was successful.</P> <P>&nbsp;</P> <P>You could automate blocking any IP address that attempts to login with an invalid username easily before waiting for a bruteforce to actually be identified. I'd personally have some logic to validate that the IP address isn't in the list of the current or previous users for the gateways prior to blocking it though; people have sausage fingers and you'd need a bit of logic to prevent blocking legitimate users who just mistype their username.</P> Sun, 26 Jan 2025 04:52:06 GMT BPry 2025-01-26T04:52:06Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-bruteforce-limit-user-password-guessing/m-p/1205314#M6392 <P>I now that this topics was discussed 100X times about GlobalProtect bruteforce.&nbsp;</P> <P>&nbsp;</P> <P>It is possible po setup GlobalProtect policy in a way, if a user is not part of any AD group, than no AD/LDAP authentication is beeing trigered to internal AD.&nbsp;</P> <P>&nbsp;</P> <P>We are seeing bruteforce attempt with non-existing AD users&nbsp; and we want to limit this.</P> <P>&nbsp;</P> <P>Br, Luka</P> Fri, 24 Jan 2025 09:23:52 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-bruteforce-limit-user-password-guessing/m-p/1205314#M6392 LukaKrizman 2025-01-24T09:23:52Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-bruteforce-limit-user-password-guessing/m-p/1205412#M6400 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/264421">@LukaKrizman</a>,</P> <P>This isn't a possibility in PAN-OS at the moment. PAN-OS will always attempt to authenticate the user provided and then validates that user against the allow list <EM>if </EM>the authentication was successful.</P> <P>&nbsp;</P> <P>You could automate blocking any IP address that attempts to login with an invalid username easily before waiting for a bruteforce to actually be identified. I'd personally have some logic to validate that the IP address isn't in the list of the current or previous users for the gateways prior to blocking it though; people have sausage fingers and you'd need a bit of logic to prevent blocking legitimate users who just mistype their username.</P> Sun, 26 Jan 2025 04:52:06 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-bruteforce-limit-user-password-guessing/m-p/1205412#M6400 BPry 2025-01-26T04:52:06Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-bruteforce-limit-user-password-guessing/m-p/1205459#M6403 <P>Is there any chance to push this feature into development? Does anybody knows how to report to PA to do it?</P> <P>&nbsp;</P> Mon, 27 Jan 2025 08:15:46 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-bruteforce-limit-user-password-guessing/m-p/1205459#M6403 LukaKrizman 2025-01-27T08:15:46Z