This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GlobalProtect Portal brute-force attempts

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect Portal brute-force attempts

raji_toor
L4 Transporter

‎04-24-2019 02:41 PM

How can i block IP trying to brute-force GP portal website. Below is a screenshot taken from system logs.

We are not using ssl decryption.

 

image.png

1 person had this problem.
0 Likes Likes
3 REPLIES 3

BPry
Cyber Elite
Cyber Elite

‎04-24-2019 07:13 PM - edited ‎04-24-2019 07:15 PM

@raji_toor,

Just build out a security policy blocking access for that IP address, or if you don't want to deny it across the board utilize the 'negate-source' feature and specify this IP address in the security policy allowing access to your portal.

 

I'd recommend that you utilize something like MineMeld going forward so you can build a Blocklist dynamically and build out an associated deny security policy to block access on your firewall quickly and without committing the configuration.  

 

You might also want to look into configuring DoS policies and a DoS rule to take care of these things automatically and make it so you get alerts when something like this happens going forward. This is an extremely underutilized, but very powerful, feature on the firewalls. 

0 Likes Likes

raji_toor
L4 Transporter
In response to BPry

‎04-26-2019 08:17 AM

@BPry Thanks for the syggestions. Since we have users all over i cannot block by IP.

 

Minemeld option seems interesting and we already have it running. From what i understand Minemeld would fetch the IP's from logs and pull them into blocklist. If that is correct can you link me to an article how to do this.

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to raji_toor

‎04-26-2019 09:51 PM

@raji_toor,

I personally utilize our SIEM and the available MineMeld API to dynamically add indicators from the DoS logs pushed to the SIEM from the firewall. I'm not sure if MineMeld itself can read the log files from the firewall or not; however that would be possible through AutoFocus. 

I'm not sure what you mean by "Since we have users all over i cannnot block by IP"? Surely your organization would allow you to block a Public IP that is attempting to brute-force access to a VPN with internal access correct? 

0 Likes Likes
  • 3882 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks