topic Re: how to configure/Restrict Prisma Management Access in Prisma Access Discussions

how to configure/Restrict Prisma Management Access

Ariq_Aziz — Mon, 11 Sep 2023 00:45:16 GMT

We are deploying Prisma Access. Deployment is on progress. From the security logs we can see that we are hitting some brute force attacks. We are using Cloud managed Prisma Access. Not the Panaroma managed.

How do we configure the Management Access Policy? I want to whitelist our selective IP addresses. Ho do we do this in Prisma ?

Note: I have tried this Document but I cant find Trusted IP feature in my portal.
Trusted IP Addresses on Prisma Cloud (paloaltonetworks.com)

Thanks

Re: how to configure/Restrict Prisma Management Access

reaper — Mon, 11 Sep 2023 10:51:06 GMT

yeah that article is for prisma cloud so won't apply to prisma access

I am wondering: you say you're seeing brute force in the traffic log, but you are using prisma access cloud managed, which lives on the palo alto HUB portal (which you can't see in your security logs because this portal is maintained by Palo Alto and not your tenant) can you clarify what you're seeing exactly?

are you seeing brute force attacks against your (GP) Portal/gateways maybe?

the attacks, are they coming from a certain country you would be able to block off? you could use an embargo rule to block everyone from there connecting to you : https://docs.paloaltonetworks.com/prisma-access/administration/prisma-access-advanced-deployments/block-incoming-connections-from-specific-countries

next, are you using LDAP for authentication? you could switch to SAML which also offloads the authentication to your IdP, and can apply conditional access etc

Make sure to add an any any deny rule at the end of your security policy, and only create security rules for the access needed (always use zones, be as specific as possible).

hope this helps, feel free to post additional information if my reply was not helpful

Re: how to configure/Restrict Prisma Management Access

Ariq_Aziz — Mon, 11 Sep 2023 22:53:43 GMT

Hi Reaper

Yes, Sorry my post was not clear in words. Yes, I was getting Brute Force in my Global Protect Portal as we are using Prisma Access. I have created Geo Block policy as you recommended.

We have SAML ,MFA. However , GEO Block Policy the best First layer of defense. And We created deny any any at the bottom before the default rules. Thanks for adding up those.

I often mixed up Prisma cloud and Prisma access !! Thanks again for pointing that out. Ha Ha.

Re: how to configure/Restrict Prisma Management Access

znazir — Sun, 24 Sep 2023 07:15:12 GMT

Hi Ariq,
Are you still seeing those logs, I believe some of the logs you see in traffic logs are the gcp /aws ip running health check kinda stuff, just want to be sure you are not referring to those logs when you implemented GEO-Block Do you still see those logs?