GlobalProtect Portal brute-force attempts

Reply
L4 Transporter

GlobalProtect Portal brute-force attempts

How can i block IP trying to brute-force GP portal website. Below is a screenshot taken from system logs.

We are not using ssl decryption.

 

image.png

Cyber Elite

@raji_toor,

Just build out a security policy blocking access for that IP address, or if you don't want to deny it across the board utilize the 'negate-source' feature and specify this IP address in the security policy allowing access to your portal.

 

I'd recommend that you utilize something like MineMeld going forward so you can build a Blocklist dynamically and build out an associated deny security policy to block access on your firewall quickly and without committing the configuration.  

 

You might also want to look into configuring DoS policies and a DoS rule to take care of these things automatically and make it so you get alerts when something like this happens going forward. This is an extremely underutilized, but very powerful, feature on the firewalls. 

L4 Transporter

@BPry Thanks for the syggestions. Since we have users all over i cannot block by IP.

 

Minemeld option seems interesting and we already have it running. From what i understand Minemeld would fetch the IP's from logs and pull them into blocklist. If that is correct can you link me to an article how to do this.

Cyber Elite

@raji_toor,

I personally utilize our SIEM and the available MineMeld API to dynamically add indicators from the DoS logs pushed to the SIEM from the firewall. I'm not sure if MineMeld itself can read the log files from the firewall or not; however that would be possible through AutoFocus. 

I'm not sure what you mean by "Since we have users all over i cannnot block by IP"? Surely your organization would allow you to block a Public IP that is attempting to brute-force access to a VPN with internal access correct? 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!