This Nominated Discussion Article is based on the post "Automatically blocking IP's after a certain number of Global Protect pre-login failures?" by @pomologist and answered by Cyber Elite @BPry and @usanitary. Read on if you are curious about how to protect your GlobalProtect portal from brute force attacks!
I've just recently started getting blasted with GlobalProtect portal pre-login failures, coming from a bunch of illegitimate IPs. They all fail because I use certificate authentication and the client cert is not present on the attacker's device. I have the NGF set up to email me every time this happens and I'm getting just blasted with emails. I only use GlobalProtect for remote management.
See screenshot of some of the IPs attempting to gain access. I keep blocking IPs but then the attacker uses new ones.
My question is, is there a way to automatically block IPs after a certain number of GlobalProtect pre-login failures?
Automatic remediation of failed logins is something that I always script through the API. The easiest way to do that is creating a custom report on the firewall and using the API to collect the report on a scheduled basis. Have the script parse the IPs that are failing to log in and add them to an EDL that you have configured on the firewall, and create a security rulebase entry to drop all traffic from any IP address located within the EDL.
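As an added example (not code from the original thread, and not a Palo Alto Networks script), here is a Python sketch of the pipeline described above: take a custom-report export, sum failures per source address, apply a threshold, and emit the plain-text EDL that a "drop from EDL" security rule consumes. The report XML below is a constructed sample modelled on the XML API's `<response><result><report><entry>` layout, and the column names `src` and `count`, the threshold of 10, the `192.0.2.0/24` admin allowlist and the `gp-prelogin-failures` report name are all assumptions; match them to the columns of your own report. The allowlist is the check a practitioner wants before automating a drop rule: one bad report row must not lock you out of your own management VPN.

```python
"""
Added example (not from the original thread): turn a PAN-OS custom-report
export into an EDL text file for a block rule.

Assumptions, labelled here and in the lead-in:
  * Report rows look like <entry><src>IP</src><count>N</count></entry>;
    adjust to the columns of your own custom report.
  * An IP-type EDL is a plain text file, one IP or CIDR per line.
  * 192.0.2.0/24 is the (hypothetical) trusted admin range that must
    never end up in the block list.
"""
import ipaddress
from collections import Counter
from typing import Iterable, List, Set
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Constructed sample report output: one noisy attacker split across two rows,
# one source below threshold, one admin address, and one malformed row.
SAMPLE_REPORT = """<response status="success">
  <result>
    <report name="gp-prelogin-failures">
      <entry><src>203.0.113.10</src><count>42</count></entry>
      <entry><src>198.51.100.7</src><count>3</count></entry>
      <entry><src>203.0.113.10</src><count>9</count></entry>
      <entry><src>192.0.2.250</src><count>77</count></entry>
      <entry><src>not-an-ip</src><count>5</count></entry>
    </report>
  </result>
</response>"""

ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]  # assumed admin range
THRESHOLD = 10                                      # assumed failure count


def report_request_url(firewall: str, report_name: str, api_key: str) -> str:
    """Build the XML API call that pulls a custom report (assumed parameter
    names; confirm against the API browser at https://<firewall>/api/)."""
    query = urlencode({"type": "report", "reporttype": "custom",
                       "reportname": report_name, "key": api_key})
    return f"https://{firewall}/api/?{query}"


def parse_failures(xml_text: str) -> Counter:
    """Sum <count> per <src> over every report row, skipping malformed rows."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("report request did not succeed")
    counts: Counter = Counter()
    for entry in root.iter("entry"):
        src, cnt = entry.findtext("src"), entry.findtext("count")
        if src is None or cnt is None:
            continue
        try:
            counts[str(ipaddress.ip_address(src.strip()))] += int(cnt)
        except ValueError:
            continue  # garbage row: never let it poison the block list
    return counts


def is_allowlisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def select_offenders(counts: Counter, threshold: int = THRESHOLD) -> List[str]:
    """Sources at or above the threshold, minus the allowlist, sorted."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and not is_allowlisted(ip))


def merge_edl(existing: Iterable[str], new: Iterable[str]) -> List[str]:
    """Union of the current EDL file and new offenders, deduplicated,
    normalised to CIDR, with comments and blank lines dropped."""
    nets: Set[str] = set()
    for line in list(existing) + list(new):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.add(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            continue
    return sorted(nets, key=lambda s: (ipaddress.ip_network(s).version,
                                       ipaddress.ip_network(s)))


def build_edl(xml_text: str, existing: Iterable[str],
              threshold: int = THRESHOLD) -> List[str]:
    """Full pipeline: report XML + current EDL lines -> new EDL lines."""
    return merge_edl(existing, select_offenders(parse_failures(xml_text), threshold))


if __name__ == "__main__":
    # Write the result to the file your web server publishes as the EDL.
    print("\n".join(build_edl(SAMPLE_REPORT, ["# existing entries", "198.51.100.0/24"])))
```

Schedule the script (cron, a Panorama-adjacent host, whatever you already run jobs from) a little more often than the EDL refresh interval configured on the firewall, and keep the EDL file on an HTTPS server the firewall can reach; the rule itself is an ordinary security policy with the EDL as the source address object and action drop.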
I am new to scripting and the API. Where do you go on the firewall for this? I have found this type of traffic and would sure like to get it blocked a different way than manually blocking them one at a time.
Here's an article that describes the steps to configure a security policy to block brute force attacks (an excessive number of login attempts in a short period) on the GlobalProtect Portal page without having to know any scripting:
Detecting Brute Force Attack on GlobalProtect Portal Page - Knowledge Base - Palo Alto Networks
I also have the same issue. Is there a way PA can automatically block the IPs participating in a brute force attack?
To my knowledge this is the only semi-automatic way.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ2CAK
Why not use Auto-Tagging to tag the users/source IPs based on the logs, add them to a Dynamic User Group (DUG), and block them? It can be combined with the brute force signature so as to trigger from its log!
Use Auto-Tagging to Automate Security Actions
Policy Object: Dynamic User Groups