Threats on port 80 for globalprotect external interface?

Reply
L2 Linker

Threats on port 80 for globalprotect external interface?

We have been getting more and more threat alerts for our outside interface, that hosts our GlobalProtect portal/gateway, and in every alert its because the destination port is 80.

 

Ive checked and if you browse to our portal on http it redirects to the https page, also it appears we don't specifically have a rule allowing or denying port 80/http.

 

One idea i have, is putting a security rule in to allow SSL and panos-global-protect applications for anyone external going to our outside interface, then following it up with a deny any rule underneath it to stop port 80 (and anything else). My concerns by doing this is may kill our VPN....

 

I was wondering how do others deal the threat alerts on their outside interface for port 80?

 

Thanks

L7 Applicator

Re: Threats on port 80 for globalprotect external interface?

Hello,

Have you setup Zone Protection profiles yet? I would say these are your first step in a line of defense. Also anything external is going to get probed constantly. With the zone protection profiles you can automatically block certain IP's based on their threats.

 

https://docs.paloaltonetworks.com/best-practices/8-1/dos-and-zone-protection-best-practices/dos-and-...

 

Regards,

L2 Linker

Re: Threats on port 80 for globalprotect external interface?

Does your rule allowing the connection to your gateway allow port 80 traffic. Since the outside interface is on the same zone as the gateway address, your default intrazone rule will allow it. My solution is only allowing ssl, panos-global-protect and panos-web-interface. (I think that panos-web-interface is for the portal, if you are using that same connection as the portal address.) Then a rule right below that to drop all traffic to that gateway address, not just port 80. This covers everything else that the Internet might be trying to do to your outside port.

I have to say, I am fairly new to the GP side, but that is what I have seen working well in my config so far.

Learn at least one new thing every day.
L2 Linker

Re: Threats on port 80 for globalprotect external interface?

it appears not! i will have a look at your link

L2 Linker

Re: Threats on port 80 for globalprotect external interface?

Hi 

 

We dont specifically have a rule allowing or denying the gateway traffic so that was the confusing thing

L2 Linker

Re: Threats on port 80 for globalprotect external interface?

@CRDF18 That initially got me too. After looking at the logs and seeing that the traffic accessing the gateway was in the same zone, I went in and created the intrazone rule to block everything other than the specific applications needed, including removing ping access to the gateway. That cut down on a lot of probing traffic. I still think that there are benefits to the Zone Protection Profiles, because you are still open to the Internet, but at least the basic "probe and test" traffic is gone. Next step for me is the Zone Protection Profiles, those take a bit more work to get setup correctly.

Learn at least one new thing every day.
L2 Linker

Re: Threats on port 80 for globalprotect external interface?

I think i will have to do the something similar. I need to apply zone protection profile and also create one allow intrazone rule with the likes of panos applications but also with other applications such as ipsec-esp-udp for our VPN tunnels and then follow it up with a deny rule

L2 Linker

Re: Threats on port 80 for globalprotect external interface?

FYI

 

The zone protection profile didnt do much and the 2 rules i put in to allow approved applications (panos-web-interface, panos-global-protect etc) then a deny rule just under the allow rule for applications like ping, telnet and web-browsing. 

 

It seemed like this may have increased the amount of alerts i was getting, so today i disabled the allow rule and then created a separate rule, under the deny applications rule, to deny any application but only for port 80, this was because in our threat logs the alerts for outside to outside were for port 80 but it was saying the incomplete application. 

 

I have tested VPN gateway and portal access and all seems to be OK, so i will give it a few days to see if it has cut down on the alerts/attempts. Ive already seen a lot of things being blocked thanks to the deny on port 80 so i am feeling confident on this.

 

Thanks for your help

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!