GP and auth fails

ghughes — Fri, 01 Aug 2025 20:01:20 GMT

Good afternoon!

My Global Protect has 2FA set up so I'm only somewhat concerned about the number of fake connections I'm getting in the auth logs. They're all being routed to the identity provider and are getting squashed. However, I'd like very much to stomp these connections earlier in the chain and save myself some bandwidth. I've noted that these bogies are often trying multiple usernames from the same IP address.

Is there a way to put these IPs on a timeout and silently drop any connection attempts for, say, a day or a week?

Thanks to all for looking!

Re: GP and auth fails

Mudhireddy — Sun, 03 Aug 2025 17:20:44 GMT

The best way to block GlobalProtect brute-force attempts at the firewall is to use a Vulnerability Protection Profile.

Create a Vulnerability Protection Profile: Go to Objects > Security Profiles > Vulnerability Protection.
Add a block-ip exception: Edit the profile and add an exception for signature ID 40017 ("Palo Alto Networks GlobalProtect Authentication Brute Force Attempt").
Configure the block: Set the action to block-ip and define the number of failed attempts, the time window, and the block duration (e.g., 604800 seconds for a week).
Apply the profile: Apply this new profile to the security policy that allows traffic to your GlobalProtect portal.

This will automatically and silently drop connections from a source IP after a set number of failed attempts, preventing them from ever reaching your identity provider.

topic GP and auth fails in GlobalProtect Discussions

GP and auth fails

Re: GP and auth fails