Nominated Discussion - Automatically blocking IP's after a certain number of Global Protect pre-login failures?


This Nominated Discussion Article is based on the post "Automatically blocking IP's after a certain number of Global Protect pre-login failures?" by @pomologist, answered by Cyber Elites @BPry and @usanitary. Read on if you are curious about how to protect your GP portal from brute force attacks!

I've just recently started getting blasted with Global Protect portal pre-login failures, coming from a bunch of illegitimate IPs. They all fail because I use certificate authentication and the client cert is not present on the attacker's device. I have the NGF set up to email me every time this happens and I'm getting just blasted with emails. I only use Global Protect for remote management.

See screenshot of some of the IPs attempting to gain access. I keep blocking IPs but then the attacker uses new ones.

[Screenshot 2023-11-09 at 3.50.24 PM.png: list of source IPs with GlobalProtect portal pre-login failures]

My question is, is there a way to automatically block IPs after a certain number of Global Protect pre-login failures?

Automatic remediation of failed logins is something that I always script through the API. The easiest way to do that is creating a custom report on the firewall and using the API to collect the report on a scheduled basis. Have the script parse the IPs that are failing to log in and add them to an EDL that you have configured on the firewall, and create a security rulebase entry to drop all traffic from any IP address located within the EDL.

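The pipeline @BPry describes (collect the custom report via the API, parse the failing IPs, publish them as an EDL) as an added worked example. This is not code from the thread or from Palo Alto Networks; the report column names (receive_time, public_ip, event_name, status), the report name and host, and the sample rows are all assumptions or constructed data, and the API parameter names should be checked against the PAN-OS XML API reference for your release.

```python
"""
Added example (not from the thread or from Palo Alto Networks): the scripted
remediation BPry describes. It parses a custom-report export for GlobalProtect
portal pre-login failures, counts failures per source IP inside a time window,
and merges the offenders into an EDL body that a web server can publish for the
firewall's block rule. Column names and API parameter names are assumptions.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import urlencode

TIME_FMT = "%Y/%m/%d %H:%M:%S"


def _entry(ts, ip, status="failure", event="portal-prelogin"):
    # One row in the shape of a custom-report export; the column names
    # receive_time / public_ip / event_name / status are ASSUMED here.
    return (f"<entry><receive_time>{ts}</receive_time><public_ip>{ip}</public_ip>"
            f"<event_name>{event}</event_name><status>{status}</status></entry>")


# Constructed sample report (documentation-range IPs, not real attackers).
SAMPLE_REPORT = (
    '<response status="success"><result><report>'
    + "".join(_entry(f"2023/11/09 15:4{i}:00", "203.0.113.10") for i in range(6))  # 6 fails, 15:40-15:45
    + "".join(_entry(f"2023/11/09 15:4{i}:30", "198.51.100.7") for i in range(2))  # only 2 fails
    + "".join(_entry(f"2023/11/09 09:0{i}:00", "192.0.2.99") for i in range(6))    # 6 fails, hours ago
    + _entry("2023/11/09 15:46:00", "203.0.113.10", status="success")             # success: not counted
    + _entry("2023/11/09 15:47:00", "10.0.0.5")                                     # RFC 1918: allowlisted
    + "</report></result></response>"
)


def parse_failures(xml_text, ip_field="public_ip", event_field="event_name",
                   status_field="status", time_field="receive_time",
                   event="portal-prelogin"):
    """Yield (timestamp, ip) for every failed pre-login row in the export."""
    root = ET.fromstring(xml_text)
    for entry in root.iter("entry"):
        cols = {c.tag: (c.text or "").strip() for c in entry}
        if cols.get(event_field) != event or cols.get(status_field) != "failure":
            continue
        try:
            yield datetime.strptime(cols[time_field], TIME_FMT), ip_address(cols[ip_field])
        except (KeyError, ValueError):
            continue  # malformed row: skip it rather than block a garbage value


def offending_ips(xml_text, threshold=5, window_minutes=15, now=None,
                  allow=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"), **fields):
    """Sources with >= threshold failures inside the window, minus allowlisted ranges.

    The allowlist is the safety valve: a bad threshold or a report that happens to
    include your own management network must never lock you out of the portal.
    """
    allow_nets = [ip_network(a) for a in allow]
    rows = list(parse_failures(xml_text, **fields))
    now = now or max((ts for ts, _ in rows), default=datetime.now())
    cutoff = now - timedelta(minutes=window_minutes)
    counts = Counter(ip for ts, ip in rows
                     if ts >= cutoff and not any(ip in net for net in allow_nets))
    return sorted((str(ip) for ip, n in counts.items() if n >= threshold), key=ip_address)


def render_edl(existing_text, new_ips):
    """Merge offenders into an existing EDL body: one IP or CIDR per line, no duplicates."""
    kept, seen = [], set()
    for item in [line.strip() for line in existing_text.splitlines()] + list(new_ips):
        if item and item not in seen:
            seen.add(item)
            kept.append(item)
    return "".join(f"{item}\n" for item in kept)


def report_request_url(host, report_name, job_id=None):
    """PAN-OS XML API URL to run a custom report asynchronously, or to fetch its
    result once the job id is known. Parameter names follow the PAN-OS XML API
    'Retrieve Reports' documentation (verify on your release); send the API key
    in the X-PAN-KEY request header rather than as a URL parameter."""
    params = ({"type": "report", "async": "yes", "reporttype": "custom", "reportname": report_name}
              if job_id is None else {"type": "report", "action": "get", "job-id": job_id})
    return f"https://{host}/api/?" + urlencode(params)


if __name__ == "__main__":
    # Offline run on the constructed sample. A scheduled job would instead GET
    # report_request_url(...) with urllib/requests, poll the job, and write the
    # EDL body where the firewall's External Dynamic List object fetches it.
    print(render_edl("198.51.100.200\n", offending_ips(SAMPLE_REPORT)), end="")
```

On the firewall side, the published file is referenced by an External Dynamic List object of type IP, and a security rule with that EDL as the source and action drop is placed above the rule that allows GlobalProtect. The firewall only re-fetches the list on the EDL's refresh interval (five minutes at the shortest), so there is always a short lag between a burst of failures and the block taking effect.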
I am new to scripting and the API. Where do you go on the firewall for this? I have found this type of traffic and would sure like to get it blocked a different way than manually blocking them one at a time.

Here's an article that describes the steps to configure a security policy to block brute force attacks (an excessive number of login attempts in a short period) on the GlobalProtect Portal page without having to know any scripting:


Detecting Brute Force Attack on GlobalProtect Portal Page - Knowledge Base - Palo Alto Networks

Comments
L0 Member

I also have the same issue. Is there a way PA can automatically block the IPs participating in a brute force attack?

L0 Member

To my knowledge this is the only semi-automatic way.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ2CAK

Last Updated: 01-25-2024 12:50 PM