https://live.paloaltonetworks.com/t5/next-generation-firewall/distributed-vpn-attack/m-p/588654#M3255 <P>Hello,</P> <P>Also setup zone protection profiles to help with DoS type activity. Also only allow traffic from the countries you trust. Setup security policies to block traffic from the Palo Alto External Dynamic lists. Send Telemetry back to Palo Alto and this will help everyone else, etc.</P> <P>&nbsp;</P> <P>Regards,</P> Mon, 03 Jun 2024 21:56:30 GMT OtakarKlier 2024-06-03T21:56:30Z https://live.paloaltonetworks.com/t5/next-generation-firewall/distributed-vpn-attack/m-p/588261#M3238 <P>Recently we experience distributed VPN dictionary attack on our Palo Alto Global Protect from different countries, ISPs and hundreds of IP addresses. Since we have MFA the attack was unsuccessful so far but I want to stop it somehow. The malicious actor seems to adopt the attack to our protection measures. Originally it was addressing our GlobalProtect Portal so disabling it helped for a while but yesterday they changed the way and now I can see in logs authentication failures again.</P> <P>I’m looking for advise about more sophisticated protection against these attacks. I can see in logs that the malicious actor is using:</P> <UL> <LI>client_os Linux or Ubuntu but not Windows which we have. We change OS to Windows in Gateway configuration hoping it will stop the attack at least for a while.</LI> <LI>Client_ver is Browser or empty</LI> </UL> <P>Can somebody advise if we can apply better protection somehow?</P> <P>Also, I would like to set different rule based protection to Global Protect Portal and Global Protect VPN client. In other words, Access to the Portal should be limited to one country only but the VPN should be accessible from anywhere. Is it possible?</P> Wed, 29 May 2024 13:25:51 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/distributed-vpn-attack/m-p/588261#M3238 Piotr_Kowalczyk 2024-05-29T13:25:51Z https://live.paloaltonetworks.com/t5/next-generation-firewall/distributed-vpn-attack/m-p/588650#M3252 <P>Hello,&nbsp;</P> <P>&nbsp;</P> <P>Assuming you have a vulnerability profile applied on your GP interface, is it triggering the brute force vulnerability? You can make various changes to this ID to fit your needs. Where you can set the action to block IP.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Claw4609_0-1717447411661.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60160i3779C3A961271950/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Claw4609_0-1717447411661.png" alt="Claw4609_0-1717447411661.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Claw4609_1-1717447411663.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60159iDA948A18D637D7E8/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Claw4609_1-1717447411663.png" alt="Claw4609_1-1717447411663.png" /></span></P> <P>&nbsp;</P> <P>For the second piece are you looking at protecting a separate clientless vpn page or the main portal itself? Clients grab their configurations from the portal so you wouldnt be able to block access to the portal.&nbsp;</P> Mon, 03 Jun 2024 20:45:40 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/distributed-vpn-attack/m-p/588650#M3252 Claw4609 2024-06-03T20:45:40Z https://live.paloaltonetworks.com/t5/next-generation-firewall/distributed-vpn-attack/m-p/588654#M3255 <P>Hello,</P> <P>Also setup zone protection profiles to help with DoS type activity. Also only allow traffic from the countries you trust. Setup security policies to block traffic from the Palo Alto External Dynamic lists. Send Telemetry back to Palo Alto and this will help everyone else, etc.</P> <P>&nbsp;</P> <P>Regards,</P> Mon, 03 Jun 2024 21:56:30 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/distributed-vpn-attack/m-p/588654#M3255 OtakarKlier 2024-06-03T21:56:30Z https://live.paloaltonetworks.com/t5/next-generation-firewall/distributed-vpn-attack/m-p/588743#M3263 Thank you! Tue, 04 Jun 2024 16:03:36 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/distributed-vpn-attack/m-p/588743#M3263 Piotr_Kowalczyk 2024-06-04T16:03:36Z https://live.paloaltonetworks.com/t5/next-generation-firewall/distributed-vpn-attack/m-p/588744#M3264 <P>Hello,</P> <P>No worries and let us know if you need anything else.</P> <P>&nbsp;</P> <P>Cheers!</P> Tue, 04 Jun 2024 16:09:14 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/distributed-vpn-attack/m-p/588744#M3264 OtakarKlier 2024-06-04T16:09:14Z