topic Re: GlobalProtect Portal brute-force attempts in General Topics

GlobalProtect Portal brute-force attempts

raji_toor — Wed, 24 Apr 2019 21:41:31 GMT

How can i block IP trying to brute-force GP portal website. Below is a screenshot taken from system logs.

We are not using ssl decryption.

Re: GlobalProtect Portal brute-force attempts

BPry — Thu, 25 Apr 2019 02:15:17 GMT

Just build out a security policy blocking access for that IP address, or if you don't want to deny it across the board utilize the 'negate-source' feature and specify this IP address in the security policy allowing access to your portal.

I'd recommend that you utilize something like MineMeld going forward so you can build a Blocklist dynamically and build out an associated deny security policy to block access on your firewall quickly and without committing the configuration.

You might also want to look into configuring DoS policies and a DoS rule to take care of these things automatically and make it so you get alerts when something like this happens going forward. This is an extremely underutilized, but very powerful, feature on the firewalls.

Re: GlobalProtect Portal brute-force attempts

raji_toor — Fri, 26 Apr 2019 15:17:07 GMT

@BPry Thanks for the syggestions. Since we have users all over i cannot block by IP.

Minemeld option seems interesting and we already have it running. From what i understand Minemeld would fetch the IP's from logs and pull them into blocklist. If that is correct can you link me to an article how to do this.

Re: GlobalProtect Portal brute-force attempts

BPry — Sat, 27 Apr 2019 04:51:30 GMT

@raji_toor,

I personally utilize our SIEM and the available MineMeld API to dynamically add indicators from the DoS logs pushed to the SIEM from the firewall. I'm not sure if MineMeld itself can read the log files from the firewall or not; however that would be possible through AutoFocus.

I'm not sure what you mean by "Since we have users all over i cannnot block by IP"? Surely your organization would allow you to block a Public IP that is attempting to brute-force access to a VPN with internal access correct?