Blocking Brute Force Attack on GlobalProtect Portal Page

by schaganti on 10-16-2013 09:23 PM - edited on 09-01-2015 04:24 AM (12,892 Views)

Overview

This document describes the steps to configure a security policy to block brute force attacks on the GlobalProtect Portal page.


Steps

  1. Create a vulnerability profile. Go to Objects > Security Profiles > Vulnerability Protection.
  2. Click the "Edit" icon under the Threat Name column to open the Edit Time Attribute dialog.
    Adjust the number of instances of the child signature that must be detected, and the time window in which they must occur, to trigger the defined action. The child signature "Palo Alto Networks Firewall VPN Login Authentication Attempt" (ID 32256) looks for "x-private-pan-sslvpn: auth-failed" in the HTTP response header. The default is 10 hits within a 60-second time window. The screenshot below shows an example of a configured vulnerability profile. When creating the profile, search for vulnerability ID 40017 in the search bar and check the enable box.
    [Screenshot: configured vulnerability profile]
  3. Set the action to block-ip. With this option a block time can be configured, and blocking can be tracked by source IP or by source and destination.
    [Screenshot: block-ip action with block time]
  4. Create a security policy to apply this profile.
  5. While creating the security policy, add the IP address of the portal under Destination Address and select the vulnerability profile created in step 1 above.
    [Screenshot: security policy with the vulnerability profile applied]
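To make the threshold logic concrete, here is an added Python model of what the profile's time attribute does (this is illustration code, not Palo Alto Networks code): it counts portal responses carrying the "x-private-pan-sslvpn: auth-failed" header per source (or per source and destination) over a sliding window and, once the threshold is reached, discards new sessions for the block duration. The IP addresses, sample headers and the 300-second block time are constructed assumptions; the 10-hit / 60-second defaults are the page's.

```python
from collections import defaultdict, deque

AUTH_FAILED_HEADER = "x-private-pan-sslvpn: auth-failed"  # what child signature 32256 matches


class BruteForceTracker:
    """Models the profile's time attribute: `threshold` hits within `interval` seconds
    from one tracked key trigger block-ip for `block_duration` seconds (added
    illustration of the logic, not the firewall's own implementation)."""
    def __init__(self, threshold=10, interval=60, block_duration=300, track_by="source"):
        self.threshold = threshold            # page default: 10 hits
        self.interval = interval              # page default: 60-second window
        self.block_duration = block_duration  # assumed value; set on the firewall as block time
        self.track_by = track_by              # "source" or "source-and-destination"
        self.hits = defaultdict(deque)        # key -> timestamps of auth failures
        self.blocked_until = {}               # key -> time the block expires

    def _key(self, src_ip, dst_ip):
        return src_ip if self.track_by == "source" else (src_ip, dst_ip)

    def is_blocked(self, src_ip, dst_ip, now):
        key = self._key(src_ip, dst_ip)
        until = self.blocked_until.get(key)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(key, None)     # no block, or block time elapsed
        return False

    def observe(self, src_ip, dst_ip, response_headers, now):
        """Feed one portal response. Returns 'drop' while under block-ip, 'block' on the
        hit that reaches the threshold, 'alert' for a counted failure, else 'allow'."""
        key = self._key(src_ip, dst_ip)
        if self.is_blocked(src_ip, dst_ip, now):
            return "drop"                     # new sessions DISCARDed, end-reason "threat"
        if AUTH_FAILED_HEADER not in (h.lower() for h in response_headers):
            return "allow"
        window = self.hits[key]
        window.append(now)
        while window and now - window[0] > self.interval:
            window.popleft()                  # expire hits outside the sliding window
        if len(window) >= self.threshold:
            self.blocked_until[key] = now + self.block_duration
            window.clear()
            return "block"
        return "alert"


# Constructed sample: one source failing once per second against the portal address
SAMPLE_HEADERS = ["Content-Type: text/html", "X-Private-PAN-SSLVPN: auth-failed"]
def run_sample():
    t = BruteForceTracker()
    return [t.observe("203.0.113.5", "198.51.100.1", SAMPLE_HEADERS, i) for i in range(11)]
```

With the defaults, run_sample() yields nine "alert" results, then "block" on the tenth failure and "drop" for the eleventh attempt, matching the behaviour described in the test steps.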


Follow these steps to test if it is working.

  1. This is how the GlobalProtect Portal page appears when users try to authenticate for the first time:
    [Screenshot: GlobalProtect Portal login page]
  2. Log into the portal using random user names and passwords. The firewall passes the first 9 incorrect login attempts through to the portal. The following screenshot shows the GlobalProtect Portal page during the 9 unsuccessful attempts:
    [Screenshot: portal page during the unsuccessful attempts]
  3. After the 9th unsuccessful attempt, the user is no longer authenticated, even with the correct credentials. The GlobalProtect Portal appears as follows after the 9th unsuccessful attempt:
    [Screenshot: portal page after the 9th unsuccessful attempt]
    The vulnerability threat is identified as "Brute Force Authentication Attempt". This can be seen in the threat logs under Monitor > Logs > Threat.
    [Screenshot: threat log entry]
  4. If the block-ip action was configured, check the block list on the CLI with the command:
    debug dataplane show dos block-table
    [Screenshot: CLI output of the block table]


New sessions from the blocked source are set to DISCARD, with tracker stage firewall "mitigation block ip" and end-reason "threat".

[Screenshot: session log showing DISCARD sessions]

Global counters show drop counts under the name "flow_dos_drop_ip_blocked", and description "Packets dropped: Flagged for blocking and under block duration by other modules".

[Screenshot: global counter flow_dos_drop_ip_blocked]


owner: schaganti

Comments
by luancb
on ‎07-11-2015 10:48 PM

Hi Schaganti,

How can I block multiple authentications with the same SSLVPN account? I want one user to be able to authenticate only once at the same time. Can I use a custom Vulnerability Signature?

Thanks

by shganesh
on ‎09-16-2015 07:36 AM

Very nice DOC!
