<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Global Protect Embargo Rules in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-embargo-rules/m-p/1219335#M6433</link>
    <description>&lt;P&gt;Hi!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Been trying the Embargo Rule for Geo Location restrictions for Global Protect in Prisma Cloud. This works perfectly to exclude the countries you do not want logins from.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What I would like to know is if someone has been able to use similar rules to add EDLs or Palo Alto built-in EDLs in the same type of rule. I cannot find any information on a solution, but some findings suggested it should work.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;An even better way would be to be able to add a Dynamic Group to the rule, dropping every attempt by non-authorized users, or users with a domain prefix. All bad attempts on my GP are by single names like "Adminp", "john" and " user1".&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This is part of my work to minimize bad login attempts in Global Protect. We use SAML and two-factor authentication, so that is not what I am concerned about. It just looks bad, and it would be in Palo Alto's interest to minimize the insane number of logins in Prisma Access.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Br&lt;/P&gt;
&lt;P&gt;Jonas&lt;/P&gt;</description>
    <pubDate>Tue, 04 Feb 2025 14:55:28 GMT</pubDate>
    <dc:creator>Jonas_thell</dc:creator>
    <dc:date>2025-02-04T14:55:28Z</dc:date>
    <item>
      <title>Global Protect Embargo Rules</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-embargo-rules/m-p/1219335#M6433</link>
      <description>&lt;P&gt;Hi!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Been trying the Embargo Rule for Geo Location restrictions for Global Protect in Prisma Cloud. This works perfectly to exclude the countries you do not want logins from.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What I would like to know is if someone has been able to use similar rules to add EDLs or Palo Alto built-in EDLs in the same type of rule. I cannot find any information on a solution, but some findings suggested it should work.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;An even better way would be to be able to add a Dynamic Group to the rule, dropping every attempt by non-authorized users, or users with a domain prefix. All bad attempts on my GP are by single names like "Adminp", "john" and " user1".&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This is part of my work to minimize bad login attempts in Global Protect. We use SAML and two-factor authentication, so that is not what I am concerned about. It just looks bad, and it would be in Palo Alto's interest to minimize the insane number of logins in Prisma Access.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Br&lt;/P&gt;
&lt;P&gt;Jonas&lt;/P&gt;</description>
      <pubDate>Tue, 04 Feb 2025 14:55:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-embargo-rules/m-p/1219335#M6433</guid>
      <dc:creator>Jonas_thell</dc:creator>
      <dc:date>2025-02-04T14:55:28Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect Embargo Rules</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-embargo-rules/m-p/1228039#M6742</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have literally just been looking at this myself this morning. There is a KB article here&amp;nbsp;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000010z7SCAQ" target="_blank"&gt;Brute force attacks seen on Prisma Access portal from specific ... - Knowledge Base - Palo Alto Networks&lt;/A&gt;&amp;nbsp;that I am sure you have seen, but it does say that you can use pre-defined and custom EDLs in the embargo rules. My only concern with using GEO blocking for embargo rules is that a simple VPN would potentially (after some trial and error on the part of the attacker, I guess) subvert them. SAML is a really good way to go, and I have implemented a certificate requirement for the portal as well; I still get the same amount of logs, just that they all say "certificate not present" or words to that effect in the logs.&lt;/P&gt;
&lt;P&gt;As a test I created the rule suggested in the link to the Embargo Rule Creation with my own public IP as the source, to see what I could reach after implementing the steps in the documentation. It did indeed block my access to the portal, so I would assume that the documentation is all good and you can use EDLs.&lt;/P&gt;
&lt;P&gt;Probably the best way would be to publish an EDL created from some logic from log forwarding, then consume that to block repeated attempts. This is where you could write the logic you suggest, such as repeated attempts from addresses over time, or even some regex to ensure that only usernames with the expected format would not trigger the block.&lt;/P&gt;
&lt;P&gt;Hope that helps!&lt;/P&gt;</description>
      <pubDate>Mon, 05 May 2025 08:26:23 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-embargo-rules/m-p/1228039#M6742</guid>
      <dc:creator>laurence64</dc:creator>
      <dc:date>2025-05-05T08:26:23Z</dc:date>
    </item>
  </channel>
</rss>