Nominated Discussion - Automatically blocking IP's after a certain number of Global Protect pre-login failures?

I've just recently started getting blasted with Global Protect portal pre-login failures, coming from a bunch of illegitimate IP's. They all fail because I use certificate authentication and the client cert is not present on the attacker's device.  I have have the NGF set up to email me every time this happens and I'm getting just blasted with emails. I only use Global Protect for remote management. 

 

See screenshot of some of the IP's attempting to gain access.  I keep blocking IP's but then the attacker uses new ones. 

 

 

My question is, is there a way to automatically block IP's after a certain number of Global Protect pre-login failures?

Automatic remediation of failed logins is something that I always script through the API. The easiest way to do that is creating a custom report on the firewall and using the API to collect the report on a scheduled basis. Have the script parse the IPs that are failing to login and add it to an EDL that you have configured to on the firewall and create a security rulebase entry to drop all traffic from any IP address located within the EDL.

I am new to scripting and the API.  Where do you go on the firewall for this?  I have found this type of traffic and would sure like to get it blocked a different way then manually blocking them one at a time.

Here's an article that describes the steps to configure a security policy to block brute force attacks (excessive number of login attempts in a sort period)  on the GlobalProtect Portal page without having to know any scripting:

Detecting Brute Force Attack on GlobalProtect Portal Page - Knowledge Base - Palo Alto Networks