Nominated Discussion - Automatically blocking IP's after a certain number of Global Protect pre-login failures?

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
Community Team Member
No ratings

This Nominated Discussion Article is based on the post "Automatically blocking IP's after a certain number of Global Protect pre-login failures? " by @RSteffens and answered by Cyber Elite @BPry and @usanitary. Read on if you are curious about how protecting your GP from brute force attacks!


I've just recently started getting blasted with Global Protect portal pre-login failures, coming from a bunch of illegitimate IP's. They all fail because I use certificate authentication and the client cert is not present on the attacker's device.  I have have the NGF set up to email me every time this happens and I'm getting just blasted with emails. I only use Global Protect for remote management. 


See screenshot of some of the IP's attempting to gain access.  I keep blocking IP's but then the attacker uses new ones. 


Screenshot 2023-11-09 at 3.50.24 PM.png


My question is, is there a way to automatically block IP's after a certain number of Global Protect pre-login failures?

Automatic remediation of failed logins is something that I always script through the API. The easiest way to do that is creating a custom report on the firewall and using the API to collect the report on a scheduled basis. Have the script parse the IPs that are failing to login and add it to an EDL that you have configured to on the firewall and create a security rulebase entry to drop all traffic from any IP address located within the EDL.


I am new to scripting and the API.  Where do you go on the firewall for this?  I have found this type of traffic and would sure like to get it blocked a different way then manually blocking them one at a time.

Here's an article that describes the steps to configure a security policy to block brute force attacks (excessive number of login attempts in a sort period)  on the GlobalProtect Portal page without having to know any scripting:

Detecting Brute Force Attack on GlobalProtect Portal Page - Knowledge Base - Palo Alto Networks


Rate this article:
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎01-25-2024 12:50 PM
Updated by: