Nominated Discussion - Automatically blocking IP's after a certain number of Global Protect pre-login failures?


This Nominated Discussion Article is based on the post "Automatically blocking IP's after a certain number of Global Protect pre-login failures?" by @pomologist and answered by Cyber Elite @BPry and @usanitary. Read on if you are curious about how to protect your GP portal from brute force attacks!

I've just recently started getting blasted with GlobalProtect portal pre-login failures, coming from a bunch of illegitimate IPs. They all fail because I use certificate authentication and the client cert is not present on the attacker's device. I have the NGFW set up to email me every time this happens and I'm getting just blasted with emails. I only use GlobalProtect for remote management.

 

See screenshot of some of the IPs attempting to gain access. I keep blocking IPs but then the attacker uses new ones.

 

[Screenshot: Screenshot 2023-11-09 at 3.50.24 PM.png]

 

My question is, is there a way to automatically block IPs after a certain number of GlobalProtect pre-login failures?

Automatic remediation of failed logins is something that I always script through the API. The easiest way to do that is creating a custom report on the firewall and using the API to collect the report on a scheduled basis. Have the script parse the IPs that are failing to log in, add them to an EDL that you have configured on the firewall, and create a security rulebase entry to drop all traffic from any IP address located within the EDL.
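The "parse the report, feed the EDL" step of that workflow, as an added example that is not from this thread or from Palo Alto Networks: it assumes the custom report has already been fetched through the XML API and arrives as XML with one <entry> per source carrying <src> and <count> elements (a layout assumed for illustration), and it produces the plain text file, one IP or CIDR per line, that your web server hosts for the firewall's EDL object. Internal ranges and the admin's own egress range are excluded so a run can never lock you out of management, and the NEVER_BLOCK values are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a fetched custom report, grouped by source address with a
# failure count. The <entry>/<src>/<count> layout is an assumption, not PAN-OS's own.
SAMPLE_REPORT = """<response status="success"><result>
  <entry><src>203.0.113.10</src><count>42</count></entry>
  <entry><src>198.51.100.7</src><count>30</count></entry>
  <entry><src>192.0.2.55</src><count>17</count></entry>
  <entry><src>10.0.0.5</src><count>99</count></entry>
  <entry><src>not-an-ip</src><count>5</count></entry>
</result></response>"""

# Ranges that must never land in the block list: internal/loopback/link-local space
# plus the admin's own egress range (a hypothetical value), so a burst of failures
# from inside the network cannot lock management out of the firewall.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
    "198.51.100.0/24",  # hypothetical admin egress range
)]


def failing_sources(report_xml, threshold):
    """Return source IPs (as strings, numerically sorted) whose failure count
    meets the threshold; malformed entries are skipped rather than aborting."""
    blocked = set()
    for entry in ET.fromstring(report_xml).iter("entry"):
        try:
            ip = ipaddress.ip_address(entry.findtext("src", "").strip())
            count = int(entry.findtext("count", "0"))
        except ValueError:
            continue
        if count >= threshold and not any(ip in net for net in NEVER_BLOCK):
            blocked.add(ip)
    return [str(ip) for ip in sorted(blocked, key=lambda a: (a.version, int(a)))]


def merge_edl(existing_text, new_ips):
    """Merge newly blocked IPs into the current EDL text (one IP or CIDR per line;
    '#' comments are this script's own convention) and return the deduplicated text."""
    entries = set()
    for line in existing_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(ipaddress.ip_network(line, strict=False))
    entries.update(ipaddress.ip_network(ip) for ip in new_ips)
    ordered = sorted(entries, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return "".join(f"{n}\n" for n in ordered)
```

Run it on a schedule, write merge_edl(...) to the hosted file, and the firewall picks up the new entries at the EDL's refresh interval; the rule that references the EDL does the blocking.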

 

I am new to scripting and the API. Where do you go on the firewall for this? I have found this type of traffic and would sure like to get it blocked a different way than manually blocking them one at a time.

Here's an article that describes the steps to configure a security policy to block brute force attacks (an excessive number of login attempts in a short period) on the GlobalProtect Portal page without having to know any scripting:

Detecting Brute Force Attack on GlobalProtect Portal Page - Knowledge Base - Palo Alto Networks

Comments
L0 Member

I also have the same issue. Is there a way PA can automatically block the IPs participating in a brute force attack?

L0 Member

To my knowledge this is the only semi-automatic way.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ2CAK

L6 Presenter

Why not use Auto-Tagging to tag the users/source IPs based on the logs, add them to a Dynamic User Group (DUG), and block them? It can be combined with the brute force signature so as to trigger from its log!

Use Auto-Tagging to Automate Security Actions


Policy Object: Dynamic User Groups


Use Dynamic User Groups in Policy

Last Updated: 01-25-2024 12:50 PM