How to find IP address of user connecting to GlobalProtect VPN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to find IP address of user connecting to GlobalProtect VPN

L0 Member

Hi, 

can someone tell me how to find the home IP address of a user who has connected to GlobalProtect?


I want to be able to audit GlobalProtect connections to ensure that they are coming from the actual home network of the user rather than from the IP address of an attacker.

 

Thanks

1 REPLY 1

Cyber Elite
Cyber Elite

@FelixO,

On the GP logs on the firewall, you'll find a field for public_ip that will give you this information. If you're planning on looking at this information, I'd highly recommend building out a script and using the API to validate this information for those that connect. 

 

Personally, I would make this expanded a bit. Verify that the IPs connecting to your network are coming from where you expect them, sending alerts if it's from a location that you wouldn't expect. I'd personally not automatically block identified addresses, you'll have people connecting from random locations if they use a consumer VPN and connect to your Portal or gateway. 

I'd have a second script, or the same one, that pays vastly more attention to the recorded machinename of connected clients. If that machine name changes I send alerts to relevant people to verify the endpoint and the user connecting. I find this information is better at identifying abnormal connections than simply paying attention to the IP that the user is connecting from; once you add in the required exceptions for expected locations it's easy to see ways someone with phished credentials or malicious intentions could bypass your other checks. 

  • 7694 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!