<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to find IP address of user connecting to GlobalProtect VPN in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-find-ip-address-of-user-connecting-to-globalprotect-vpn/m-p/508604#M105899</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/133391"&gt;@FelixO&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;On the GP logs on the firewall, you'll find a field for public_ip that will give you this information. If you're planning on looking at this information, I'd highly recommend building out a script and using the API to validate this information for those that connect.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Personally, I would make this expanded a bit. Verify that the IPs connecting to your network are coming from where you expect them, sending alerts if it's from a location that you wouldn't expect. I'd personally not automatically block identified addresses; you'll have people connecting from random locations if they use a consumer VPN and connect to your Portal or gateway.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'd have a second script, or the same one, that pays vastly more attention to the recorded machinename of connected clients. If that machine name changes I send alerts to relevant people to verify the endpoint and the user connecting. I find this information is better at identifying abnormal connections than simply paying attention to the IP that the user is connecting from; once you add in the required exceptions for expected locations it's easy to see ways someone with phished credentials or malicious intentions could bypass your other checks.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Tue, 12 Jul 2022 20:02:54 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2022-07-12T20:02:54Z</dc:date>
    <item>
      <title>How to find IP address of user connecting to GlobalProtect VPN</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-find-ip-address-of-user-connecting-to-globalprotect-vpn/m-p/508559#M105885</link>
      <description>&lt;P&gt;Hi,&amp;nbsp;&lt;/P&gt;
&lt;P&gt;can someone tell me how to find the home IP address of a user who has connected to GlobalProtect?&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;I want to be able to audit GlobalProtect connections to ensure that they are coming from the actual home network of the user rather than from the IP address of an attacker.&lt;/P&gt;
&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Tue, 12 Jul 2022 13:25:02 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-find-ip-address-of-user-connecting-to-globalprotect-vpn/m-p/508559#M105885</guid>
      <dc:creator>FelixO</dc:creator>
      <dc:date>2022-07-12T13:25:02Z</dc:date>
    </item>
    <item>
      <title>Re: How to find IP address of user connecting to GlobalProtect VPN</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-find-ip-address-of-user-connecting-to-globalprotect-vpn/m-p/508604#M105899</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/133391"&gt;@FelixO&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;On the GP logs on the firewall, you'll find a field for public_ip that will give you this information. If you're planning on looking at this information, I'd highly recommend building out a script and using the API to validate this information for those that connect.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Personally, I would make this expanded a bit. Verify that the IPs connecting to your network are coming from where you expect them, sending alerts if it's from a location that you wouldn't expect. I'd personally not automatically block identified addresses; you'll have people connecting from random locations if they use a consumer VPN and connect to your Portal or gateway.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'd have a second script, or the same one, that pays vastly more attention to the recorded machinename of connected clients. If that machine name changes I send alerts to relevant people to verify the endpoint and the user connecting. I find this information is better at identifying abnormal connections than simply paying attention to the IP that the user is connecting from; once you add in the required exceptions for expected locations it's easy to see ways someone with phished credentials or malicious intentions could bypass your other checks.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 12 Jul 2022 20:02:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-find-ip-address-of-user-connecting-to-globalprotect-vpn/m-p/508604#M105899</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2022-07-12T20:02:54Z</dc:date>
    </item>
  </channel>
</rss>

