https://live.paloaltonetworks.com/t5/general-topics/prevent-brute-force-attacks/m-p/997299#M122472 <P>Hello,</P> <P>In addition to this, I recommend implmenting Zone Protection profiles.</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clm9CAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clm9CAC</A></P> <P>Regards,</P> Mon, 09 Dec 2024 22:49:11 GMT OtakarKlier 2024-12-09T22:49:11Z https://live.paloaltonetworks.com/t5/general-topics/prevent-brute-force-attacks/m-p/997032#M122432 <P>Hello Everyone</P> <P>&nbsp;</P> <P>I am looking for suggestions on how we could protect our GlobalProtect VPN. We have been seeing people trying to perform brute-force attacks on random user accounts daily. We do have MFA set up, but is there any automation we could implement with Palo Alto Firewall to automatically block IP addresses after a certain number of failed attempts?"<BR /><BR /><BR /></P> Fri, 06 Dec 2024 20:45:03 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-brute-force-attacks/m-p/997032#M122432 dshastri 2024-12-06T20:45:03Z https://live.paloaltonetworks.com/t5/general-topics/prevent-brute-force-attacks/m-p/997044#M122433 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/512113409">@dshastri</a> ,</P> <P>&nbsp;</P> <P>Here is a great place to start.&nbsp; <A href="https://www.packetswitch.co.uk/how-to-protect-globalprotect-portal-from-brute-force-attack/" target="_blank">https://www.packetswitch.co.uk/how-to-protect-globalprotect-portal-from-brute-force-attack/</A></P> <P>&nbsp;</P> <P>I have used all of these methods.&nbsp; They will significantly decrease the amount you are getting.</P> <P>&nbsp;</P> <P>The 4th one is a vulnerability signature that does mostly what you ask.&nbsp; I found it to not be as effective since most of my hackers were low and slow.&nbsp; The signature only detects login attempts and not failures.&nbsp; So, you can't tune it too tight or valid users may be blocked.</P> <P>&nbsp;</P> <P>GP can still be used without the portal page enabled.&nbsp; (You actually can still download software by going to <A href="https://your.domain.com/global-protect/getsoftwarepage.esp," target="_blank">https://your.domain.com/global-protect/getsoftwarepage.esp,</A> but that's another story.)</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Fri, 06 Dec 2024 23:00:26 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-brute-force-attacks/m-p/997044#M122433 TomYoung 2024-12-06T23:00:26Z https://live.paloaltonetworks.com/t5/general-topics/prevent-brute-force-attacks/m-p/997299#M122472 <P>Hello,</P> <P>In addition to this, I recommend implmenting Zone Protection profiles.</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clm9CAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clm9CAC</A></P> <P>Regards,</P> Mon, 09 Dec 2024 22:49:11 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-brute-force-attacks/m-p/997299#M122472 OtakarKlier 2024-12-09T22:49:11Z https://live.paloaltonetworks.com/t5/general-topics/prevent-brute-force-attacks/m-p/997761#M122500 <P>Thank You TomYoung the only thing I am missing from the documentation was&nbsp;Blacklist IPs Using a Vulnerability Profile. Do you know if Palo Alto has a pre authentication check where if the user doesn't exist on the group, it drops the connection?&nbsp;</P> Wed, 11 Dec 2024 14:28:20 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-brute-force-attacks/m-p/997761#M122500 dshastri 2024-12-11T14:28:20Z https://live.paloaltonetworks.com/t5/general-topics/prevent-brute-force-attacks/m-p/998548#M122562 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/512113409">@dshastri</a> ,</P> <P>&nbsp;</P> <P>The NGFW does not know the user until authentication.&nbsp; There is no pre-authentication check as far as I know.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Mon, 16 Dec 2024 20:26:33 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-brute-force-attacks/m-p/998548#M122562 TomYoung 2024-12-16T20:26:33Z https://live.paloaltonetworks.com/t5/general-topics/prevent-brute-force-attacks/m-p/1236118#M124967 <P>You need to implement rate limiter as if source IP addresses try the login page you don't need to check if the response was ok.</P> <P>&nbsp;</P> <P>See my article :</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/general-articles/how-to-write-palo-alto-networks-custom-vulnerability-and/ta-p/1228494" target="_blank">How to Write Palo Alto Networks Custom Vulnerability and Application Signatures with Examples | Palo Alto Networks</A></P> Sun, 17 Aug 2025 17:06:52 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-brute-force-attacks/m-p/1236118#M124967 nikoolayy1 2025-08-17T17:06:52Z https://live.paloaltonetworks.com/t5/general-topics/prevent-brute-force-attacks/m-p/1236355#M124989 <P>Here is an updated article with multiple methods.</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000010zEJCAY&amp;lang=en_US" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000010zEJCAY&amp;lang=en_US</A></P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 20 Aug 2025 15:40:38 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-brute-force-attacks/m-p/1236355#M124989 TomYoung 2025-08-20T15:40:38Z