topic Block access to countries outside the GlobalProtect VPN in Next-Generation Firewall Discussions

Block access to countries outside the GlobalProtect VPN

ccortijo — Tue, 26 Dec 2023 09:38:38 GMT

Good morning, reviewing the GlobalProtect logs I see brute force attacks from outside my country Spain.

I have tried to create security policies that prevent these attempts but none have matched.

In the portal configuration (external) I have tried to put Spain as high priority and the others as None but the FW does not give me that option.

I attach images of the attempts

Any ideas?

Thank you.

Re: Block access to countries outside the GlobalProtect VPN

joergsch1 — Tue, 26 Dec 2023 10:29:23 GMT

The setting on the portal is used by the clients once authenticated (which is too late on your issue).

You might need to address this on the security policy which grants access to the portal (and gateway). Instead of granting "any" (or all public IPs, ...), you need to use the region "ES (Spain)" in the security policy.

Re: Block access to countries outside the GlobalProtect VPN

ccortijo — Tue, 26 Dec 2023 12:08:11 GMT

Hello,

Thanks for responding, I have a policy applied but it doesn't seem to apply.

I attach images of the GlobalProtect configuration, NAT and security policies

Re: Block access to countries outside the GlobalProtect VPN

joergsch1 — Tue, 26 Dec 2023 12:56:50 GMT

Without the column titles these are hard to read (are the titles translated to Spanish as well?).

If I understand your setting correct, then you are blocking access from sources other than Spain to the portal if the application is panos-global-protect.

Can you check the log entries of the brute-force access (check for application, zones, port, rule name)? The detected application might be ssl or something different. If that's the case, then your rule does not match.

Re: Block access to countries outside the GlobalProtect VPN

TomYoung — Tue, 26 Dec 2023 23:52:56 GMT

Hi @ccortijo ,

Traffic from the untrust zone to the interface in the same untrust zone is allowed by the intrazone-default rule. The easiest way to solve your problem is to create a drop rule (which will be above intrazone-default) that will drop all countries you do not want.

Rule Type: intrazone

Source Zone: Untrust

Source Address: List you countries you want to allow and check Negate.

Destination Address: Portal IP (could also be any if you want to block for all public IP addresses)

Application: Any

Service/URL Category: Any

Action: Drop

You can choose not to log if you don't want the clutter, but you may need to enable for troubleshooting.

You can also stop 99% of the brute force attacks by disabling the portal login page.

Thanks,

Tom

Re: Block access to countries outside the GlobalProtect VPN

ccortijo — Wed, 27 Dec 2023 07:11:51 GMT

Thank you very much for the help and the idea!

I monitored a traffic log from a malicious IP that was performing brute force attacks and saw what parameters were necessary to make my policy match.

It worked!

Re: Block access to countries outside the GlobalProtect VPN

ccortijo — Wed, 27 Dec 2023 07:12:36 GMT

Thank you very much for the help!

It worked!

Re: Block access to countries outside the GlobalProtect VPN

B.Alimov — Mon, 29 Jul 2024 22:48:26 GMT

Hello Tom,

I have same situation Global Protect portal is configured on WAN interface, but what ever security policy I made to block to GP Web page it is not working, I tried your advice creating intrazone policy to block specifically to tcp/443 port but it is not catching this policy.

Where I'm having mistake on configuration I'm puzzled right now.