Can someone tell me how to find the home IP address of a user who has connected to GlobalProtect?
I want to be able to audit GlobalProtect connections to ensure that they are coming from the actual home network of the user rather than from the IP address of an attacker.
On the GP logs on the firewall, you'll find a field for public_ip that will give you this information. If you're planning on looking at this information, I'd highly recommend building out a script and using the API to validate this information for those that connect.
Personally, I would expand this a bit. Verify that the IPs connecting to your network are coming from where you expect them, sending alerts if it's from a location that you wouldn't expect. I'd personally not automatically block identified addresses; you'll have people connecting from random locations if they use a consumer VPN and connect to your Portal or gateway.
I'd have a second script, or the same one, that pays vastly more attention to the recorded machinename of connected clients. If that machine name changes I send alerts to relevant people to verify the endpoint and the user connecting. I find this information is better at identifying abnormal connections than simply paying attention to the IP that the user is connecting from; once you add in the required exceptions for expected locations it's easy to see ways someone with phished credentials or malicious intentions could bypass your other checks.
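The audit described in the reply above, as an added example that is not part of the original thread: it alerts (never blocks) on an unexpected `public_ip` and rates a changed `machinename` as the stronger signal. It assumes the GlobalProtect log records have already been exported into dictionaries; the `user` key, the baseline structure and all sample values are constructed for illustration.

```python
import ipaddress

# Constructed baseline: per user, the networks and endpoint names seen before.
BASELINE = {
    "alice": {"networks": ["203.0.113.0/24"], "machines": {"LT-ALICE-01"}},
    "bob": {"networks": ["198.51.100.16/28"], "machines": {"LT-BOB-07"}},
}

# Constructed sample records. "public_ip" and "machinename" are the fields
# named in the thread; the "user" key is an assumption of this example.
SAMPLE_LOGS = [
    {"user": "alice", "public_ip": "203.0.113.45", "machinename": "LT-ALICE-01"},
    {"user": "alice", "public_ip": "192.0.2.200", "machinename": "LT-ALICE-01"},
    {"user": "bob", "public_ip": "198.51.100.20", "machinename": "DESKTOP-X9"},
    {"user": "carol", "public_ip": "192.0.2.10", "machinename": "LT-CAROL-02"},
    {"user": "bob", "public_ip": "not-an-ip", "machinename": "LT-BOB-07"},
]


def audit(records, baseline):
    """Return (severity, user, reason) alerts; nothing is blocked."""
    alerts = []
    for rec in records:
        user = rec["user"]
        known = baseline.get(user)
        if known is None:
            alerts.append(("review", user, "no baseline for user"))
            continue
        # Machine name is compared case-insensitively; a change is the
        # stronger signal, so it gets the higher severity.
        machine = rec["machinename"].strip().upper()
        if machine not in {m.upper() for m in known["machines"]}:
            alerts.append(("high", user, f"new machinename {machine}"))
        try:
            ip = ipaddress.ip_address(rec["public_ip"])
        except ValueError:
            alerts.append(("review", user, f"unparseable public_ip {rec['public_ip']!r}"))
            continue
        nets = [ipaddress.ip_network(n) for n in known["networks"]]
        if not any(ip in n for n in nets):
            alerts.append(("low", user, f"unexpected public_ip {ip}"))
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOGS, BASELINE):
        print(*alert, sep=" | ")
```

Users with no baseline and records with an unparseable address are surfaced for review rather than silently skipped, so gaps in the baseline do not hide connections.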