https://live.paloaltonetworks.com/t5/next-generation-firewall/url-filtering-or-tightening-up-on-globalprotect-security-rule/m-p/1228292#M5870 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/108539">@inSync-MarkValpreda</a>,</P> <P>I would utilize app-id for this and do away with your any application and service rule that you have currently. Also note that if you're security profile is only accounting for 40017 you're missing 16 other signatures related to GlobalProtect. I don't much see a point in maintaining a profile specific to GlobalProtect and trying to manually specify IDs that should be active. </P> <P>&nbsp;</P> <P>Can you limit the sources that you're allowing to hit your portal/gateway? You can cut back exposure and scanning/probing by limiting to the regions that you actually need active; while this doesn't prevent a targeted attack by any means it at least cuts back on noise. </P> <P>&nbsp;</P> <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/108539">@inSync-MarkValpreda</a>&nbsp;wrote: <P>I do have my home IP address whitelisted on the interface management as a 'just in case' sort of thing....so I don't want to inadvertently kill that. Maybe put my emergency IP addresses into a different security group?</P> <HR /></BLOCKQUOTE> <P>Why? Do you have a static IP at your house or are you just relying on it staying the same?</P> <P>Personally this is never something that I would facilitate or allow any of my staff to implement. The risk analysis for this would never have the benefit of this outweigh the risk that is introduced. Things either wait until someone can be onsite and restore things properly, or you implement a proper out-of-band connection. </P> Tue, 06 May 2025 21:13:25 GMT BPry 2025-05-06T21:13:25Z https://live.paloaltonetworks.com/t5/next-generation-firewall/url-filtering-or-tightening-up-on-globalprotect-security-rule/m-p/1227990#M5861 <P>I have a security rule for my GlobalProtect, and want to see if I can make it even tighter....</P> <UL> <LI>Source <UL> <LI>Zone: untrust (outside)</LI> <LI>Address\User\Device: Any</LI> </UL> </LI> <LI>Destination <UL> <LI>Zone: untrust&nbsp;</LI> <LI>Address: IP of my interface/GlobalProtect IP</LI> <LI>Device: Any</LI> </UL> </LI> <LI>Application <UL> <LI>Any</LI> </UL> </LI> <LI>Service/URL <UL> <LI>GP-4501 (4501/udp)</LI> <LI>service-https</LI> <LI>Category: Any</LI> </UL> </LI> <LI>Actions <UL> <LI>Just a vulnerability group that blocks brute force (40017)&nbsp;</LI> </UL> </LI> </UL> <P>Thinking there is an opportunity to lock that down even more. Maybe with URL filtering? Maybe with applications? I am only seeing ipsec-esp-udp, ssl, and panos-global-protect as the biggest applications.&nbsp;</P> <P>&nbsp;</P> <P>I do have my home IP address whitelisted on the interface management as a 'just in case' sort of thing....so I don't want to inadvertently kill that. Maybe put my emergency IP addresses into a different security group?</P> <P>&nbsp;</P> <P>Thanks for any suggestions or criticisms!&nbsp;</P> Sat, 03 May 2025 15:14:21 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/url-filtering-or-tightening-up-on-globalprotect-security-rule/m-p/1227990#M5861 inSync-MarkValpreda 2025-05-03T15:14:21Z https://live.paloaltonetworks.com/t5/next-generation-firewall/url-filtering-or-tightening-up-on-globalprotect-security-rule/m-p/1228292#M5870 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/108539">@inSync-MarkValpreda</a>,</P> <P>I would utilize app-id for this and do away with your any application and service rule that you have currently. Also note that if you're security profile is only accounting for 40017 you're missing 16 other signatures related to GlobalProtect. I don't much see a point in maintaining a profile specific to GlobalProtect and trying to manually specify IDs that should be active. </P> <P>&nbsp;</P> <P>Can you limit the sources that you're allowing to hit your portal/gateway? You can cut back exposure and scanning/probing by limiting to the regions that you actually need active; while this doesn't prevent a targeted attack by any means it at least cuts back on noise. </P> <P>&nbsp;</P> <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/108539">@inSync-MarkValpreda</a>&nbsp;wrote: <P>I do have my home IP address whitelisted on the interface management as a 'just in case' sort of thing....so I don't want to inadvertently kill that. Maybe put my emergency IP addresses into a different security group?</P> <HR /></BLOCKQUOTE> <P>Why? Do you have a static IP at your house or are you just relying on it staying the same?</P> <P>Personally this is never something that I would facilitate or allow any of my staff to implement. The risk analysis for this would never have the benefit of this outweigh the risk that is introduced. Things either wait until someone can be onsite and restore things properly, or you implement a proper out-of-band connection. </P> Tue, 06 May 2025 21:13:25 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/url-filtering-or-tightening-up-on-globalprotect-security-rule/m-p/1228292#M5870 BPry 2025-05-06T21:13:25Z